
Health Care: Privacy in a Digital Age


Presentation Transcript


  1. Health Care: Privacy in a Digital Age Concordia School of Management October 18, 2001 Chris Apgar, Data Security & HIPAA Compliance Officer Providence Health Plans

  2. Presentation Overview
  • Electronic Records & You
  • Risks & Valid Concerns
  • Legal Protections
  • Providence Health Plan - Case Study
  • Tips for Protecting Privacy
  • Resources
  • Q&A
  Presenter - Chris Apgar

  3. Electronic Records & You
  • Health care information users
    • Providers (i.e., doctors, chiropractors, EAP, etc.)
    • Health insurance companies
    • Government & government contractors
    • Third parties (i.e., billing services, medical management, etc.)
  • How much control do you really have?
  • Marketing, research and other “hidden” uses

  4. Electronic Records & You
  • Moving information around
    • E-mail
    • FTP (file transfer protocol)
    • Other forms of magnetic media
    • US Postal Service and other carriers
    • Secure web sites & other forms of secure messaging
  • Storage and internal organization information transfer

  5. Risks & Valid Concerns
  • Unprotected Internet
  • Web browsing & cookies - tracking your travel
  • Authentication, or who can look at my record
  • Networks, firewalls and the lack thereof
  • Inappropriate information use for marketing and other sales activities
  • Government, courts and data sharing

  6. Risks & Valid Concerns
  • Hackers and other illegal activity
  • Internal mischief or the disgruntled employee
  • Carelessness or “my record on the counter”
  • Lack of physical security (“it’s not locked up”)
  • Lack of defined policies, confidentiality practices, etc.

  7. Legal Protections
  • Oregon statute & rule
  • Health Information Portability & Accountability Act of 1996 (HIPAA)
  • Gramm-Leach-Bliley Act
  • Children’s On-line Privacy Protection Rule
  • Other federal statute & rule
  • Litigation

  8. Legal Protections: HIPAA Example Privacy
  • Release of information
    • Consent form for treatment, billing & healthcare operations
    • Only providers required to obtain consent
    • Consent revocation & what it means
    • Authorization for all other activities (i.e., some research activities, release to attorney, etc.)

  9. Legal Protections: HIPAA Example Privacy
  • Vendor & “business associate agreements”
    • Business associates definition (versus “covered entities” governed by HIPAA)
    • Business associate in practice covered by HIPAA Administrative Simplification privacy requirements
    • Required to assess compliance requirements and document
    • Statutory & rule limitations

  10. Legal Protections: HIPAA Example Privacy
  • Access tracking & “need to know”
    • Does not apply to treatment, billing & healthcare operations
    • Yours for the asking
  • “Minimum necessary” standard
    • Applies to internal & external data access
    • Access defined by role or permissions to use data
    • Appropriate access controls & documentation required

  11. Legal Protections: HIPAA Example Privacy
  • Member/patient record access & amendment
    • Who “owns” your medical records?
    • Business associates do not “own” records
    • Covered entities required to act on requests to amend records but not required to make amendments
    • Forms of data or media covered (electronic, paper, etc.)

  12. Legal Protections: HIPAA Example Data Security
  • Risk Assessment
  • Policy & procedure development
  • Training & awareness
  • Contingency Plan
  • Information access control (“need to know”)
  • Audit & certification
  • Documentation
  • Record access (release management & file access)
  • Personnel security & authentication
  • Chain of Trust/Business Associate Agreement
  • Security & privacy management
  • Security incident response
  • Physical security

  13. Providence Health Plan - Case Study
  • Security & privacy officers appointed
  • Data security & privacy standards developed & implemented
  • Staff training & policies developed & communicated
  • Use of firewalls and other tools to protect information

  14. Providence Health Plan - Case Study
  • On-going network & other access point monitoring
  • Enforcement of secure transfer of information to authorized staff and external partners
  • All accessing confidential information legally bound to enforce privacy & security
  • Internal & external audit of policies, training plan & processes

  15. Providence Health Plan - Case Study
  • Collaboration with Providence Health System
  • On-going work with external partners (providers, plans, government, etc.)
  • Participation in local and national security/privacy forums
  • Privacy & confidentiality - Providence strategic objective

  16. Tips for Protecting Privacy
  • Talk to your provider and insurance carrier - what is their privacy policy, how do they protect your confidential health information, etc.
  • Check out web sites (i.e., security, privacy policies, etc.)
  • Cookies and what to do with them

  17. Tips for Protecting Privacy
  • Avoid sharing health information over unsecured web sites
  • Report on-line privacy violations as appropriate
  • Avoid unsecured e-mail (even with your provider)
  • Periodically request copies of your health record from provider and insurance carrier

  18. Tips for Protecting Privacy
  • Carefully read consent & authorization forms (i.e., information release, purpose of confidential data use, etc.)
  • Question if in doubt, and avoid signing when the transmission of your health information is not clearly defined
  • Know your rights and exercise them

  19. Resources
  • Federal Trade Commission: http://www.ftc.gov
  • HIPAA Web Site: http://aspe.hhs.gov/admnsimp
  • National Institutes of Health (regulatory information): http://list.nih.gov
  • “Defend Your Medical Data” (ACLU): http://www.aclu.org/action/medregs/readstories.html

  20. Resources
  • Health Privacy Project: http://www.healthprivacy.org
  • Department of Health & Human Services Office of Civil Rights: http://www.os.dhhs.gov/ocr/hipaa
  • American Medical Association “Domain of Privacy”: http://www.ama-assn.org/ama/pub/category/3653.html

  21. Resources
  • American Psychology Association on Privacy: http://helping.apa.org/dotcomsense
  • Providence (see privacy statement): http://www.providence.org
  • Google (search engine; advanced search on “privacy health”): http://www.google.com

  22. Question & Answer
  Chris Apgar, Data Security & HIPAA Compliance Officer
  Providence Health Plan
  3601 SW Murray Blvd., Suite 10
  Beaverton, OR 97005
  (503) 574-7927 (voice)
  (503) 574-8655 (fax)
  apgarc@providence.org
