Presentation is loading. Please wait.

Presentation is loading. Please wait.

“How Broader Privacy Policy Issues Impact Healthcare” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26,

Published byBaldric McLaughlin Modified over 8 years ago

Similar presentations

Presentation on theme: "“How Broader Privacy Policy Issues Impact Healthcare” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26,"— Presentation transcript:

1 “How Broader Privacy Policy Issues Impact Healthcare” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26, 2006

2 Overview  My background  Role of privacy & security in the development of the National Health Information Network  Three key issues, informed by non-health experiences: Preemption Preemption Enforcement Enforcement Consumer-centered approaches Consumer-centered approaches  Explain the consumer, industry, & political perspectives on these issues  Conclusion: the choice we face

3 Swire Background  Now law professor, based in D.C. Active in many privacy & security activities Active in many privacy & security activities  Chief Counselor for Privacy, 1999-2001 U.S. Office of Management & Budget U.S. Office of Management & Budget WH coordinator, HIPAA privacy rule WH coordinator, HIPAA privacy rule Financial, Internet, government agency privacy Financial, Internet, government agency privacy National security & FISA National security & FISA Computer security Computer security

4 Health Care Background  Health care since 2001: Written on health privacy & security topics, at www.peterswire.net Written on health privacy & security topics, at www.peterswire.net Consulted on HIPAA implementation Consulted on HIPAA implementation Morrison & Foerster, LLPMorrison & Foerster, LLP Markle, Connecting for Health Markle, Connecting for Health Deidentification white paper for IBM Deidentification white paper for IBM

5 Privacy, Security & the NHIN  As public policy matter, crucial to get the benefits of data flows (electronic health records) while minimizing the risks (privacy and security)  As political matter, privacy and security are the greatest obstacles to adoption Focus group – the emergency room while out of town as the only scenario that got substantial majority to favor EHRs Focus group – the emergency room while out of town as the only scenario that got substantial majority to favor EHRs Many individuals see risks > rewards of EHRs Many individuals see risks > rewards of EHRs

6 Implications of Public Concern  All those who support EHRs must have good answers to the privacy and security questions that will be posed at every step  “Trust us” not likely to be a winning strategy The need for demonstrable, effective protections The need for demonstrable, effective protections The system must be strong enough to survive the inevitable data breaches & resultant bad publicity The system must be strong enough to survive the inevitable data breaches & resultant bad publicity

7 Preemption  Industry perspective: Benefits of data sharing high – “paper kills” Benefits of data sharing high – “paper kills” Shift to electronic clinical records is inevitable; that shift has occurred in other sectors Shift to electronic clinical records is inevitable; that shift has occurred in other sectors Can only run a national system if have a national set of rules Can only run a national system if have a national set of rules Preemption is essential – a “no brainer” Preemption is essential – a “no brainer”

8 Preemption: Consumer View Janlori Goldman, Health Privacy Project Janlori Goldman, Health Privacy Project A lot of state privacy laws A lot of state privacy laws HIVHIV Other STDsOther STDs Mental health (beyond psychotherapy notes)Mental health (beyond psychotherapy notes) Substance abuse & alcoholSubstance abuse & alcohol Reproductive & contraceptive care (where states vary widely in policy)Reproductive & contraceptive care (where states vary widely in policy) Public health & other state agenciesPublic health & other state agencies HIPAA simply doesn’t have provisions for these topics – if preempt, then big drop in privacy protection HIPAA simply doesn’t have provisions for these topics – if preempt, then big drop in privacy protection

9 Consumers & Preemption  Link of reporting and privacy HIV and other public health reporting based on privacy promises HIV and other public health reporting based on privacy promises So, objections if do reporting w/out privacy So, objections if do reporting w/out privacy  Concrete problems of multi-state? Many RHIOs have only one or a few states Many RHIOs have only one or a few states Build out from there Build out from there State laws both as “burdens” (industry) and “protections” (consumers) State laws both as “burdens” (industry) and “protections” (consumers)

10 Preemption & Politics  Consumer and privacy advocates see states as the engine for innovation  Current example: data breach California went first, and now Congress is trying to catch up with a uniform standard California went first, and now Congress is trying to catch up with a uniform standard  Basic political dynamic – industry gets preemption in exchange for raising standards nationally

11 Preemption in Other Sectors  Gramm-Leach-Bliley: no preemption But, Fair Credit 2003 does some of that But, Fair Credit 2003 does some of that  Wiretap (ECPA): no preemption  Data breach: proposed preemption  FTC unfair/deceptive enforcement: no preemption  CAN-SPAM: significant preemption  Conclusion -- variation

12 Key Issues in Preemption  Scope of preemption matters & can vary  One policy baseline: scope of preemption matches the scope of the federal regime If the scope is for networked health IT, then preemption about that, not entire health system If the scope is for networked health IT, then preemption about that, not entire health system  Preserve state tort and contract law?  Preserve state unfair & deceptive enforcement?  Grandfather existing state laws? Some of them?

13 Summary on Preemption  Strong pressures for preemption in national, networked system  If simply preempt and apply HIPAA, then have a dramatic reduction in privacy & security  This is a major & complicated policy challenge that is not likely to have a simple outcome

14 Enforcement  The current “no enforcement” system  Key question for the NHIN: Can the current no-enforcement system be a credible basis for EHRs and the NHIN? Can the current no-enforcement system be a credible basis for EHRs and the NHIN?

15 The No Enforcement System  Imagine some other area of law that you care about – violations are serious.  Batting average: 0 enforcement actions for over 20,000 complaints  Enforcement policy: one free violation  Criminal enforcement: DOJ cut back scope of criminal penalties DOJ cut back scope of criminal penalties No prosecution for the > 300 criminal referrals No prosecution for the > 300 criminal referrals 3 cases brought by local federal prosecutors 3 cases brought by local federal prosecutors

16 Effects of No Enforcement  Signals work Surveys already showing lower efforts at HIPAA compliance and lower reported actual compliance by covered entities Surveys already showing lower efforts at HIPAA compliance and lower reported actual compliance by covered entities Contrast internal HIPAA efforts and budget (low enforcement) with compliance efforts on Medicare fraud & abuse (hi enforcement) Contrast internal HIPAA efforts and budget (low enforcement) with compliance efforts on Medicare fraud & abuse (hi enforcement)  Why should Congress and consumer groups trust compliance with HIPAA, much less with new rules for the NHIN?

17 Other Privacy Enforcement  Fair Credit, stored communications, video rentals, cable TV Federal plus private right of action Federal plus private right of action  Deceptive practices, CAN-SPAM, COPPA, proposed data breach Federal, plus state AG Federal, plus state AG  HIPAA as outlier, with federal-only enforcement If feds don’t do it, then have no enforcement of the HIPAA rules themselves If feds don’t do it, then have no enforcement of the HIPAA rules themselves

18 Customer-Centered Records  For other sectors, strong ability for customers to see & manage their own accounts Online banking Online banking Online insurance Online insurance Status of orders from retailers Status of orders from retailers  Integration of records into personal software E.g., all financial records feed into your tax records E.g., all financial records feed into your tax records  Access controls – rules on who gets the records, such as accountant but not former spouse

19 Patient-Centered Records  Huge lag, once again, for health records  HIPAA access rule an important step for patients to have a right to see their records  Importance of records for some groups: Chronic conditions Chronic conditions Parents for kids’ immunizations, etc. Parents for kids’ immunizations, etc. Care of elderly by remote relatives Care of elderly by remote relatives Anyone who sees multiple providers Anyone who sees multiple providers

20 Patient-Centered Records  Almost no public policy debates in past few years about how to ensure that patients have effective access to their own medical records  Such access is assumed in other sectors  What will it take for it to occur for health care?

21 What We Have Learned  Within health IT debates, consensus statements often sound like this: Need preemption to do the national network Need preemption to do the national network Should not punish/enforce against covered entities, when they are struggling in good faith to implement new HIPAA mandates Should not punish/enforce against covered entities, when they are struggling in good faith to implement new HIPAA mandates Of course, privacy and security should be part of the NHIN, but likely don’t go beyond HIPAA requirements Of course, privacy and security should be part of the NHIN, but likely don’t go beyond HIPAA requirements

22 What We Have Learned  That trio of conclusions, based on experience in other sectors, may face serious political obstacles: Preemption is likely to be partial and require new federal standards in some areas Preemption is likely to be partial and require new federal standards in some areas The “no-enforcement system” will be hard to sustain The “no-enforcement system” will be hard to sustain New privacy/security protections quite likely will accompany new NHIN data flows New privacy/security protections quite likely will accompany new NHIN data flows Customer-centered is the norm elsewhere Customer-centered is the norm elsewhere

23 Conclusion: Your Choice  Option 1: Play Hardball Decide the costs of privacy & security are too high to be built into the NHIN Decide the costs of privacy & security are too high to be built into the NHIN Push a strategy of high preemption and low enforcement Push a strategy of high preemption and low enforcement Grudgingly give only the bare minimum on privacy/security when the political system forces it onto industry Grudgingly give only the bare minimum on privacy/security when the political system forces it onto industry

24 The Better Choice  Option 2: A NHIN to Be Proud Of Incorporate the key values of state laws – especially for sensitive data – into the NHIN Incorporate the key values of state laws – especially for sensitive data – into the NHIN Support reasonable enforcement, so that bad actors are deterred and good actors within covered entities get support Support reasonable enforcement, so that bad actors are deterred and good actors within covered entities get support Build privacy & security into the fabric of new systems, not just as a patch later Build privacy & security into the fabric of new systems, not just as a patch later Connecting for Health as an exampleConnecting for Health as an example Customer-centered records Customer-centered records

25 The Better Choice  With the second option – A NHIN to Be Proud Of – the patients are not treated as the political enemies The risk of political backlash is less The risk of political backlash is less The quality of the NHIN for actual patients is higher The quality of the NHIN for actual patients is higher  That, I think, should be our goal  Thank you

26 Contact Information  Phone: (240) 994-4142  Email: peter@peterswire.net peter@peterswire.net  Web: www.peterswire.net www.peterswire.net

Download ppt "“How Broader Privacy Policy Issues Impact Healthcare” Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26,"

Similar presentations

Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001.

Privacy and the Internet Professor Peter P. Swire Ohio State University National Press Foundation February 14, 2001.
HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference.

HIPAA In Relation to Other Federal Laws Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster LLP Glasser LegalWorks/HIPAA Conference.
Privacy in America: Your Role as Guardians of the Publics Data Professor Peter P. Swire Moritz College of Law The Ohio State University Ohio Digital Government.

Privacy in America: Your Role as Guardians of the Publics Data Professor Peter P. Swire Moritz College of Law The Ohio State University Ohio Digital Government.
The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,

The Role of the Federal Government in Privacy Policy Professor Peter P. Swire The Ohio State University Center for American Progress The Privacy Symposium,
Trustwrap: The Importance of Legal Rules to E-Commerce and Internet Privacy Professor Peter P. Swire Moritz College of Law The Ohio State University Enforcing.

Trustwrap: The Importance of Legal Rules to E-Commerce and Internet Privacy Professor Peter P. Swire Moritz College of Law The Ohio State University Enforcing.
Privacy and Security: Lessons from Non-Health Sectors Professor Peter P. Swire Moritz College of Law The Ohio State University HIPAA Summit December 12,

Privacy and Security: Lessons from Non-Health Sectors Professor Peter P. Swire Moritz College of Law The Ohio State University HIPAA Summit December 12,
Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.

Mental Health Issues & Information Sharing Professor Peter P. Swire The Ohio State University NAAG Task Force on School Safety July 5, 2007.
The Need for Government-Wide Privacy Policy Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP DHS Privacy Advisory Committee.

The Need for Government-Wide Privacy Policy Professor Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP DHS Privacy Advisory Committee.
The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.

The Strategy of Using Security to Protect Privacy Peter P. Swire Ohio State University Consultant, Morrison & Foerster, LLP Data Protection Commissioner.
Opportunities & Dangers: Consumers and Electronic Health Records Paul Feldman, Health Privacy Project Deven McGraw, National Partnership for Women & Families.

Opportunities & Dangers: Consumers and Electronic Health Records Paul Feldman, Health Privacy Project Deven McGraw, National Partnership for Women & Families.
Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit.

Engineers and Lawyers in Privacy Protection Peter Swire Professor, Moritz College of Law Visiting Professor, Georgia Institute of Technology IAPP Summit.
March 29, 2012 Improving Health Outcomes for Children in Foster Care: the Role of Electronic Information Exchange.

March 29, 2012 Improving Health Outcomes for Children in Foster Care: the Role of Electronic Information Exchange.
HIPAA Training for Pharmaceutical Industry Representatives University of Utah Hospitals & Clinics.

HIPAA Training for Pharmaceutical Industry Representatives University of Utah Hospitals & Clinics.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA Basics A Matter of Integrity. Introduction “A Matter of Integrity” defines HIPAA and protecting patient health information. Success depends on our.

HIPAA Basics A Matter of Integrity. Introduction “A Matter of Integrity” defines HIPAA and protecting patient health information. Success depends on our.
Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,

Davis Wright Tremaine LLP Non-HIPAA Governmental Regulation of Healthcare Privacy and Security Sixteenth HIPAA Summit/The Privacy Symposium August 21,
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
1 WHAT IT MEANS FOR YOU? April 2012. 2 Health Access is the leading voice for health care consumers in California. Founded in 1987, Health Access is the.

1 WHAT IT MEANS FOR YOU? April Health Access is the leading voice for health care consumers in California. Founded in 1987, Health Access is the.

Similar presentations

Ads by Google