Medical Data: It’s Only Sensitive If It Hurts When You Touch It. Daniel Masys, M.D., Director of Biomedical Informatics, UCSD School of Medicine; Professor of Medicine.

Presentation transcript:
1 Medical Data: It’s Only Sensitive If It Hurts When You Touch It
Daniel Masys, M.D.
Director of Biomedical Informatics, UCSD School of Medicine
Professor of Medicine
dmasys@ucsd.edu
PORTIA Sensitive Data Workshop

2 Topics
- A brief history of confidentiality and information security in healthcare: Hippocrates to HIPAA
- Security vulnerabilities in healthcare settings
- Why is this so hard to do?
- Models for medical information access

3 “What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about.”
- Hippocrates

4 Professional Ethics
- AMA Principles of Medical Ethics (sect. 4, 1980 edition): “A physician shall respect the rights of patients…, and shall safeguard patient confidences within the constraints of the law”
- Many state medical boards incorporated professional society ethics codes into medical practice acts

5 Legal Context
- Right to control one’s bodily integrity
- Right to control one’s interpersonal relationships
- Utility or instrumental value: trust between patient and physician

6 HIPAA Rules (Health Insurance Portability and Accountability Act of 1996)
- 1996 health privacy legislation with a 1999 deadline for Congressional action
- Congress failed to enact legislation
- Secretary of HHS required to issue regulations for medical data privacy and security
- “Covered entities” compliance with the Privacy Rule effective April 2003; small health plans by April 2004
- Compliance with the HIPAA Security Rule for electronic systems containing Protected Health Information (PHI) required April 2005

7 HIPAA, not HIPPA :-)
“Misspelling is not a violation of the Rule”
- Director, US Office for Civil Rights, speaking at UCSD, 2/5/03

8 HIPAA Definitions
Health information means any information, whether oral or recorded in any form or medium, that: 1) is created or received by a health care provider…, and 2) relates to past, present, or future physical or mental health or condition of an individual… or provision of health care… or payment for provision of health care.

9 HIPAA definitions
- “Covered entity”: organization responsible for HIPAA compliance
- Protected Health Information (PHI): information generated in the course of providing healthcare that can be uniquely linked to the individual it describes
- Information “use” = use within the organization
- Information “disclosure” = release outside the organization

10 Overview of effects of HIPAA Privacy Rule
Gives individuals the right to:
– A written notice of information practices from health plans and providers
– Inspect and copy their Protected Health Info
– Obtain a record of disclosures
– Request amendments to their medical records
– Have reasonable requests for confidential communications accommodated
– Request restrictions on uses and disclosures
– Complain about violations to the covered entity and to HHS

11 Overview of effects of HIPAA Privacy Rule
Requires covered entities to:
– Make a good faith effort to get signed acknowledgement of information practices related to Protected Health Information (PHI) used in treatment, payment and operations (TPO)
– Obtain authorization for special additional uses of PHI
– Designate a privacy official
– Develop policies and procedures (including receiving complaints)
– Provide privacy training to their workforce
– Develop a system of sanctions for employees who violate the entity’s policies
– Meet documentation requirements
– Implement appropriate administrative, technical, & physical safeguards to protect privacy

12 The ‘spirit’ of HIPAA
- Protected Health Information (PHI = person identifiable) must be managed with the same attention to consent for use, access control, and documentation of actions performed as are currently applied to physical objects such as tissue.
- Access to PHI is based on the general principle of “need to know” and “minimum necessary” rather than professional role

13 HIPAA Round 2: the Security Rule

14 Overview
- Affects HIPAA Covered Entities that maintain Protected Health Information (PHI) in electronic form
- Directs CEs to ‘develop, implement, maintain, and document’ security measures, and keep them current

15 Security Rule: Basic Concepts
- Scalable: burden relative to size and complexity of the healthcare organization
- Not linked to specific technologies, and anticipates future changes in technology
- Unlike the Privacy Rule, affects only electronic information
- Applies security principles well established in other industries

16 HIPAA Security Rule: Functional areas
- Information Availability
- Protection against unauthorized:
  – Access
  – Alteration
  – Deletion
  – Transmission
- Monitoring (audit trails)

17 Covered entities are required to:
- Assess potential risks and vulnerabilities
- Protect against threats to information security or integrity, and against unauthorized use or disclosure
- Implement and maintain security measures that are appropriate to their needs, capabilities and circumstances
- Ensure compliance with these safeguards by all staff


20 Security Vulnerabilities in Healthcare Settings
- Unintentional disclosures
- Well-intentioned but inappropriate employee behavior
- Disgruntled employees
- Self-insured employers
- Competitors (?)
- VIP patients
- Hackers
- Data mining

21 Data mining as confidentiality threat (Latanya Sweeney, MIT, 1997)
“Anonymous” Medicare data: Ethnicity, Visit date, Diagnosis, Procedure, Medication, Total charge
Attributes shared by both data sets: ZIP, Birth date, Sex
Voter list: Name, Address, Date registered, Party affiliation, Date last voted

22 Uniqueness in Cambridge voters
[Chart not recoverable from the transcript; caption: birth date includes month, day and year. Total 54,805 voters.]
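The linkage in the two slides above, worked as an added example that is not from the original presentation or from Sweeney's study: a constructed de-identified medical extract is joined to a constructed voter list on the attributes both share (ZIP, birth date, sex), and the same attribute combinations are scored for uniqueness within the voter population, which is the quantity the Cambridge slide reports. All names, addresses and records are invented, and the function names are this example's own.

```python
from collections import Counter, defaultdict

# Quasi-identifiers present in both the "anonymous" medical extract and the voter list.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")

# Constructed sample data: hypothetical people, not real Cambridge records.
VOTERS = [
    {"name": "A. Lee",    "address": "1 Elm St",  "zip": "02138", "dob": "1961-07-12", "sex": "F", "party": "D"},
    {"name": "B. Ortiz",  "address": "9 Oak Ave", "zip": "02138", "dob": "1961-07-12", "sex": "F", "party": "R"},
    {"name": "C. Park",   "address": "4 Main St", "zip": "02139", "dob": "1954-03-02", "sex": "M", "party": "U"},
    {"name": "D. Nguyen", "address": "7 Pine Rd", "zip": "02141", "dob": "1978-11-30", "sex": "F", "party": "D"},
    {"name": "E. Shaw",   "address": "2 Lake Dr", "zip": "02142", "dob": "1978-11-30", "sex": "M", "party": "U"},
    {"name": "F. Okafor", "address": "5 Hill Ln", "zip": "02139", "dob": "1954-03-02", "sex": "F", "party": "R"},
]

# The "anonymous" extract: no names, but the quasi-identifiers are still present.
MEDICAL = [
    {"record": "M1", "zip": "02139", "dob": "1954-03-02", "sex": "M", "diagnosis": "hypertension"},
    {"record": "M2", "zip": "02138", "dob": "1961-07-12", "sex": "F", "diagnosis": "depression"},
    {"record": "M3", "zip": "02142", "dob": "1978-11-30", "sex": "M", "diagnosis": "diabetes"},
    {"record": "M4", "zip": "02140", "dob": "1990-01-01", "sex": "F", "diagnosis": "asthma"},
]


def key_of(record, keys):
    """The tuple of quasi-identifier values the join is performed on."""
    return tuple(record[k] for k in keys)


def uniqueness(records, keys):
    """Fraction of records whose combination of `keys` occurs exactly once
    in the population (the measurement made on the Cambridge voter list)."""
    if not records:
        return 0.0
    counts = Counter(key_of(r, keys) for r in records)
    unique = sum(1 for r in records if counts[key_of(r, keys)] == 1)
    return unique / len(records)


def link(medical, voters, keys=QUASI_IDENTIFIERS):
    """Join the de-identified extract to the voter list on the quasi-identifiers.
    Returns record id -> list of candidate voters (empty when nobody matches)."""
    index = defaultdict(list)
    for v in voters:
        index[key_of(v, keys)].append(v)
    return {m["record"]: index.get(key_of(m, keys), []) for m in medical}


def reidentify(medical, voters, keys=QUASI_IDENTIFIERS):
    """Records that map to exactly one voter: the join has attached a name
    (and address, party affiliation, ...) to a diagnosis."""
    return {rid: cands[0]["name"]
            for rid, cands in link(medical, voters, keys).items()
            if len(cands) == 1}


if __name__ == "__main__":
    for keys in [("dob",), ("dob", "sex"), ("dob", "zip"), QUASI_IDENTIFIERS]:
        print(f"unique by {'+'.join(keys):<12}: {uniqueness(VOTERS, keys):.0%}")
    for rid, name in reidentify(MEDICAL, VOTERS).items():
        diag = next(m["diagnosis"] for m in MEDICAL if m["record"] == rid)
        print(f"{rid} -> {name}: {diag}")
```

Two things the toy data shows that the slide only states: dropping the names does nothing once the quasi-identifier combination is unique in a public list, and records that are not unique (M2 maps to two voters) are still narrowed to a handful of candidates. The defence is on the data side, not the name column: coarsen birth date to year, truncate ZIP, or suppress combinations whose count in the population falls below a threshold, and re-run `uniqueness` on the result.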

23 Information Security Elements
- Availability: when and where needed
- Authentication: a person or system is who they purport to be (preceded by Identification)
- Access Control: only authorized persons, for authorized uses
- Confidentiality: no unauthorized information disclosure
- Integrity: information content not alterable except under authorized circumstances
- Attribution/non-repudiation: actions taken are reliably traceable

24 Why is this so hard in healthcare contexts?
1. The nature of biomedical data

25 The nature of biomedical data
- Variable levels of sensitivity; “sensitive” is in the eye of multiple beholders, and highly context-dependent
- No bright line between person-identifiable and “anonymous” data
  – So inherently rich in attributes that re-identification potential never reaches zero
- Genome as Future Diary: an individual’s medical data may have implications for other family members who have much different values and preferences, and for future generations

26 Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data

27 Complex roles: entities with justifiable (and variable) rights to medical data
- First order role definitions:
  – Provider, Patient, Payer, “Society”
- Second order:
  – Providers: primary vs. consultant provider, ancillary support staff
  – Patient: self, family, legally authorized reps
  – Payer: billing staff and subcontractors, clearinghouses, insurers
  – Society: public health agencies, state medical boards, law enforcement agencies

28 Complex roles: entities with justifiable (and variable) rights to medical data
- Third order:
  – Providers: internal and external QA entities (peer review, JCAHO), sponsors of clinical research
  – Patient: community support groups, personal friends
  – Payers: fraud detection (Medical Information Bureau), business consultants
  – Society: national security, bioterrorism detection

29 Healthcare Information Access Roles
Provider: Primary care; Specialists; Ancillaries; Internal QA; External accreditation orgs; Clinical Trials Sponsors
Patient: Immediate Family; Extended Family; Community Support; Friends; Legally Authorized Reps
Payer: Admin. Staff; Claims Processors; Subcontractors; Clearinghouses; Insurers; Fraud Detection; Medical Information Bureau; Business Consultants
Society: Public Health; State Licensure Boards; Law Enforcement; National Security; Bioterrorism Detection


31 Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
3. Patients who wish to exercise control over access to their data seldom understand the implications of their decisions

32 Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
3. Patients who wish to exercise control over access to their data seldom understand the implications of their decisions
4. Personal preferences regarding data access change, sometimes suddenly

33 Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
3. Patients who wish to exercise control over access to their data seldom understand the implications of their decisions
4. Personal preferences regarding data access change, sometimes suddenly
5. “Privacy Fundamentalism”: irrational political forces (“Nothing about me without me”) block efficient systems approaches

34 Why is this so hard?
1. The nature of biomedical data
2. Complex interpersonal and organizational roles with respect to data
3. Patients who wish to exercise control over access to their data seldom understand the implications of their decisions
4. Personal preferences regarding data access change, sometimes suddenly
5. “Privacy Fundamentalism”: irrational political forces (“Nothing about me without me”) block efficient systems approaches
6. Differing perceptions of risk and benefit

35 Patient-Centered Access to Secure Systems Online
Dixie Baker, Ph.D., Chief Scientist, Center for Information Security Technology, Science Applications International Corp.
Daniel R. Masys, M.D., Director of Biomedical Informatics, University of California, San Diego
A National Library of Medicine Telemedicine Research Contract
[Title-slide cartoon: a “World Wide Web” figure offering a “$995 … wonderful video camera” in exchange for a Visa or MasterCard number, next to lab values Hb 13.2, Hct 38.0, WBC 4.2]

36 Patient-Centered Access to Secure Systems Online (PCASSO): Design Goals
- To enable secure use of the Internet to access sensitive patient information
- To enable providers AND patients to view medical data online
- To develop a published, verifiable high-assurance architecture
  – Not proprietary
  – No “black box” or trade secret security

37 PCASSO functions
- Protect healthcare information at multiple levels of sensitivity
- Authorize user actions based on familiar healthcare roles
- End-to-end user accountability
- Empower consumers to access their own medical records
- Patient-viewable audit trails
- Automated e-mail notification of records changes
- Security protection extended to the user PC


40 PCASSO users
- 218 physicians enrolled (started January 1999)
- 53 patients enrolled as of 9/30/99 (started June 1999)
- Enrollment criteria:
  – Age 18 or older
  – Receive health care from UCSD
  – One or more visits in past 6 months
  – Primary care physician co-signs consent

41 Differing user perceptions of multi-step login security
[Chart not recoverable from the transcript; caption: two-tailed P < 0.001 by Mann-Whitney]

42 Patient Comments on PCASSO
- “Love this program and really is super easy to use”
- “I was at the lab this morning and some results are posted already…very impressed”
- “Thank you for this ‘peek’ into our own medical records. So often patients seem to feel at the mercy of the HMO’s and at least this may alleviate some of that distrust.”
- “As one who has always been involved in my health care decisions, I value that I have access to this information. Great system, I find it very user friendly and feel very confident that my privacy is maintained at all times…”

43 Provider Comments on PCASSO
- “The Kremlin is easier to get into.”
- “I signed on once, and have suffered enough.”
- “Unfortunately it’s so cumbersome to use that it is virtually useless.”
- “…security is too tight…I will keep on using my cable modem and PC Anywhere to get into my office computer and then access labs that way.”
- “It would be wonderful when patients call me in the evenings & weekends to be able to punch up their info on my home pc and have instant access to their lab results, X-rays, medications, etc.”
- “...It’s incredibly handy to have this stuff available on the Internet. Nice work.”

44 Desiderata for electronic consent in healthcare
1. Permits access to health data by checking that patient consent exists for the information requests, using methods that check for explicit, inferred or implied consent
2. Should allow access to patient information to those who have been explicitly permitted by a patient
E. Coiera et al., J Am Med Inform Assoc, 2004

45 Desiderata for electronic consent in healthcare, cont’d
3. Should never allow access to patient information by those explicitly denied access by the patient
4. Should allow access to patient information to individuals determined to have inferred or implied consent based on their clinical roles, responsibilities, or clinical circumstance

46 Desiderata for electronic consent in healthcare, cont’d
5. Does not endanger patient safety by denying access to information by clinically approved individuals when consent is indeterminate
6. Does not impede clinical work by clinically approved individuals, when consent is indeterminate

47 Desiderata for electronic consent in healthcare, cont’d
7. Has security safeguards to prevent access by circumventing the consent checking mechanism
8. Minimizes the number of requests made to clinicians and patients to avoid disruption of clinical care or the private lives of individuals

48 Desiderata for electronic consent in healthcare, cont’d
9. Does not require expensive or burdensome infrastructure
Author Observation: the criteria are in conflict with one another, and no single model performs well against all 9 criteria

49 Models for e-consent
1. General consent = “opt in”. Patient accepts all provider policies (Notices of Information Practices). Most common current model.
2. General consent with specific denial. Patient accepts provider policies but denies consent for a) particular information or b) particular parties’ access or c) disclosure for particular purposes
E. Coiera et al., J Am Med Inform Assoc, 2004

50 Models for e-consent
3. General denial with specific consent. Patient denies all access except for consent for a) particular information or b) particular parties’ access or c) disclosure for particular purposes
4. General denial = “opt out”. Each new episode of care requires explicit consent. (Likely scenarios for opt out: psychiatric care, drug rehab, sexually transmitted disease treatment.)

51 Implementation: e-Consent objects
Rights management wrappers associated with clinical information that record the assertion:
Access to (information) by an (entity) for a (purpose) in a (context) is {consented to | denied}
Could attach to specific facts, episodes of care, or the complete medical record
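The e-consent object above, implemented as an added example (not code from Coiera et al. or from PCASSO): each assertion is an (information, entity, purpose, context) pattern carrying a consented/denied verdict, a patient carries a default model (general consent, general denial, or no consent record at all) plus any specific assertions, and the decision procedure follows the desiderata listed earlier: an explicit denial always wins (3), explicit consent allows (2), the default model settles the rest (models 1 to 4), indeterminate consent does not block a clinically approved requester (5, 6), and every decision is appended to an audit list so it is traceable. The class and field names, the "*" wildcard and the sample requests are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from enum import Enum

ANY = "*"  # wildcard in an assertion slot: matches every value (assumed convention)


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class ConsentAssertion:
    """One e-consent object: access to (information) by an (entity) for a
    (purpose) in a (context) is consented to (True) or denied (False).
    Any slot may be ANY, so one object can cover a single fact, an episode
    of care, or the complete record."""
    information: str
    entity: str
    purpose: str
    context: str
    consented: bool

    def matches(self, information: str, entity: str, purpose: str, context: str) -> bool:
        pattern = (self.information, self.entity, self.purpose, self.context)
        actual = (information, entity, purpose, context)
        return all(p == ANY or p == a for p, a in zip(pattern, actual))


@dataclass(frozen=True)
class AccessRequest:
    information: str
    entity: str
    purpose: str
    context: str
    clinically_approved: bool  # requester holds a recognised clinical role (assumed input)


@dataclass
class PatientConsent:
    """Consent state for one patient. `model` is "opt_in" (general consent,
    models 1-2), "opt_out" (general denial, models 3-4), or None when no
    consent record exists at all, i.e. consent is indeterminate."""
    model: Optional[str]
    assertions: List[ConsentAssertion] = field(default_factory=list)
    audit: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> Tuple[Decision, str]:
        hits = [a for a in self.assertions
                if a.matches(req.information, req.entity, req.purpose, req.context)]
        if any(not a.consented for a in hits):
            outcome = (Decision.DENY, "explicit denial")            # desideratum 3: always wins
        elif any(a.consented for a in hits):
            outcome = (Decision.ALLOW, "explicit consent")          # desideratum 2
        elif self.model == "opt_in":
            outcome = (Decision.ALLOW, "general consent (opt in)")
        elif self.model == "opt_out":
            outcome = (Decision.DENY, "general denial, no specific consent")
        elif req.clinically_approved:
            # desiderata 5-6: indeterminate consent must not block clinicians
            outcome = (Decision.ALLOW, "consent indeterminate; clinically approved requester")
        else:
            outcome = (Decision.DENY, "consent indeterminate; requester not clinically approved")
        self.audit.append((req, outcome[0], outcome[1]))             # every decision is traceable
        return outcome


if __name__ == "__main__":
    # Model 2: general consent, psychiatry notes and all research use denied.
    p = PatientConsent("opt_in", [
        ConsentAssertion("psychiatry", ANY, ANY, ANY, consented=False),
        ConsentAssertion(ANY, ANY, "research", ANY, consented=False),
    ])
    for req in [AccessRequest("labs", "dr_lee", "treatment", "routine", True),
                AccessRequest("psychiatry", "dr_lee", "treatment", "routine", True),
                AccessRequest("labs", "pharma_co", "research", "routine", False)]:
        print(req.information, req.entity, "->", p.decide(req))
```

The "clinically approved" flag is the hook for the role model of the earlier slides; the indeterminate-consent branch is the place where a production system would also raise a review flag, since it is exactly the path an insider would probe to bypass the consent check (desideratum 7).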

52 Putting Health Information Security into Perspective
- The current fervor related to health information security is sometimes marked by “irrational exuberance”
- Data available to date suggest that breaches of confidentiality in healthcare usually cause either no apparent harm or some personal psychological harm, while inaccessibility of healthcare data causes preventable medical errors, up to and including death

53 Kohn L, et al. Committee on Quality of Health Care in America. To Err is Human: Building a Safer Health System. Institute of Medicine, Dec 1999

54 Medical Errors
- Between 44,000 and 98,000 preventable deaths each year in hospitals
- Injury rates from 2.9% (general med-surg) to 46% (ICU settings)
- 7th leading cause of death in the US
- Likely underestimates due to:
  – Injury thresholds for reporting
  – Errors had to be documented in the clinical record

55 Medical Errors
- The majority of errors do not result from individual recklessness, but from flaws in health system organization (or lack of organization).
- Failures of information management are common:
  – illegible writing in medical records
  – lack of integration of clinical information systems
  – inaccessibility of records
  – lack of automated allergy and drug interaction checking

56 Information Security Elements
- Availability: when and where needed
- Authentication: a person or system is who they purport to be
- Access Control: only authorized persons, for authorized uses
- Confidentiality: no unauthorized information disclosure
- Integrity: information content not alterable except under authorized circumstances
- Attribution/non-repudiation: actions taken are reliably traceable

57 Putting Health Information Security into Perspective
- If ‘keeping the bad guys out’ causes even a single additional death due to inaccessibility of information to authorized providers, we have failed to achieve a proper perspective on health information security
- From HIPAA back to Hippocrates: Primum non nocere, first do no harm
