Healthcare Data Privacy & Security Real World Enforcement and Why Confusion Reigns Supreme Dec. 10, 2007 Dennis Melamed Editor/Publisher Health Information.


1 Healthcare Data Privacy & Security Real World Enforcement and Why Confusion Reigns Supreme Dec. 10, 2007 Dennis Melamed Editor/Publisher Health Information Privacy/Security Alert

2 Dec. 10, 2007 Melamedia, LLC © Why Has It Been So Difficult? The Privacy Rule Governs the Most Common Conversation We Have as Human Beings. Aunt Bee's busybody best friend, Clara Edwards

3 Key Moments in the History of HIPAA Privacy Rule August HIPAA Becomes The Law… August Congress Fails to Enact Legislation. Newt Gingrich Allows Bill Clinton To Write the Privacy Rule Abortion, State’s Rights, Minor’s Right to Privacy (Meaning Abortion) Stall Senate Action. House Never Really Got Off the Dime Everyone Now Convinced That There Is No Medical Privacy Protection The Long & Winded Road

4 Key Moments in the History of HIPAA Privacy Rule
Nov. 3, HHS Issues 600-page Proposal Generating Thousands of Comments. Comment Period Extended Another 45 Days.
Dec. 28, HHS Issues 500,000 Words In Rule and Accompanying Explanations.
March 27, HHS Issues 7,000-word modification requiring 93,000 words of explanation
Aug. 14, Second Final Rule Issued.
- CMS Punts on Claims Attachment Standard
The Long & Winded Road Part 2

5 s of Kinks In The Winded Road
- A Lot of People Believed Congress in the 1990s When It Said There Was Uneven Or No Medical Privacy Protection
- The States Go On A Rampage
- NAIC and State Legislatures
- HIPAA
- Gramm-Leach-Bliley
- Indiana Jones & The Lost Laws

6 Now That We’ve Straightened That Out, Let’s Preempt State Law
- IOM Report on Medical Errors Prompts New Federal Effort To Create Electronic Health Records
- HIPAA Doesn’t Count
- CMS Continues to Punt on Claims Attachment Standard

7 Let’s Play “Pretend HIPAA…”
- Efforts to Create EHRs, EMRs (or whatever you want to call them) Gather Steam
- Ooops. State Laws Pose Obstacles on Privacy and Security
- Let’s Create A New Record Called a Personal Health Record

8 The Berlin Wall Came Down, But We’re Still Manning The Silos
- EHR/EMR Proponents Continue to Ignore HIPAA
- CMS Continues to Punt on Claims Attachment Standard
- CMS Comes Out in July With New Policy To Pay For Some Clinical Trial Services for Medicare Beneficiaries.

9 To Recuperate
- Congress Fails To Act on HIPAA
- States Act on Medical Privacy
- Feds Move on Electronic Records
- Personal Health Records Appear
- The Future Looks Now More Mysterious and Unknowable. But We Know It Won’t Be Orderly And We Know We Will Continue To Muddle Through

10 Trends in Medical Privacy Enforcement
- OCR
- CMS
- FTC
- State Courts
- Federal Courts

11 OCR Enforcement Trends
Complaints from April 14, 2003 through 10/31/07
- Total Complaints: 31,194
- Complaints Investigated: 7,882
- Investigations Resulting In Changed Behavior: 5,299
- Investigations In Which There Was No Violation: 2,583

12 Most Common Privacy Complaints
Issues Most Commonly Investigated
- Impermissible Uses And Disclosures Of Protected Health Data
- Lack Of Safeguards Of Protected Health Information
- Lack Of Patient Access To Their Protected Health Information
- Uses Or Disclosures Of More Than The Minimum Necessary Protected Health Information
- Lack Of Or Invalid Authorizations For Uses And Disclosures Of Protected Health Information
Most Common Covered Entities Required To Take Corrective Action
- Private Practices
- General Hospitals
- Outpatient Facilities
- Health Plans (Group Health Plans And Health Insurance Issuers)
- Pharmacies

13 What Happens To OCR Complaints? Or My Son Is on The 7-Year Plan at College
- No Civil Penalties
- More Than 415 Criminal Referrals To Department Of Justice
- More Than 216 Referrals To CMS

14 CMS Enforcement Trends (We could use a few consultants)
- Questions Over Technical Expertise
- Questions Over Any Capability Given OESS Budget

15 Most Common Security Complaints And Outcomes
- Information Access Management
- Security Awareness And Training
- Access Controls
- No Civil Penalties
- No Data on Referrals
- CMS Hires PWC

16 FTC: We Don’t Do HIPAA, But…
- FCRA
- Consumer Protection

17 State Courts: Where the Action Is
- State Courts Rarely Invoke HIPAA. They Have Their Own Laws… Remember? They Even Have Constitutions.
- When Courts Do Invoke HIPAA, The Issue Typically Revolves Around Technical Legal Issues that Invoke Latin Words like ex parte
- Judges Actually Insist on Relevancy

18 Federal Courts Not Very Active
- No Way for Patients to Sue Under HIPAA
- Gyrations Needed to Invoke HIPAA Even on Employees of Covered Entities
- One Caution on Definition of Individual

19 A Word on De-Identification
HIPAA Was One Of The First Attempts To Make A Person Functionally Invisible – At Least On Paper… Or In A Computer Database
- HHS should issue guidance on the specific threshold of statistical de-identification that ensures information is rendered not individually identifiable.
- HHS should define allowable uses of HIPAA de-identified data, and provide guidance to covered entities regarding what uses of HIPAA de-identified data are not permitted without authorization by the individual so that covered entities may be guided in development of their business associate contracts.
NCVHS Draft Recommendations 10/21/07

20 The Forecast
- Partly Cloudy
- Followed by More Clouds Coming In from the South, North, East and West
- Temperatures Rising

21 Done! Now That Wasn’t So Painful… Dennis Melamed Editor/Publisher Health Information Privacy/Security Alert To get HIPAA enforcement stats for free, visit

