1. 1 Healthcare Privacy and Security: Concepts and Challenges Dixie B. Baker, Ph.D. Chair, HIMSS Privacy and Security Advocacy Task Force

2. 2 Discussion Roadmap Clarification of Concepts Privacy Policy Considerations Legislative & Regulatory Needs Requests and Recommendations

3. 3 *Dictionary.com Unabridged (V1.1) Privacy – the state of being free from intrusion or disturbance in one’s private life or affairs;* in the US, the right to such a state – Implies a degree of individual control over personal intrusions Security – something that frees from danger or harm, or that makes safe;* defensive measures that protect the confidentiality, integrity, and availability of sensitive and safety-critical health information, and mechanisms for providing indisputable accountability Definitions

4. 4 need to provide Safe, High Quality Care Consumers have the right to want and need Health Care Providers Privacy and Security Context in the provision of Personal Privacy

5. 5 SECURITY MECHANISMS Security Policy SECURITY MECHANISMS in order to make restrict & enable Timely Access Complete, Accurate Health Information Safe, High Quality Care require resulting in Optimal Diagnostic & Treatment Decisions Consumers Data Integrity Measures Availability Measures Authenticity & Accountability Measures have the right to to help protect Confidentiality Measures help assureprotect & verify want and need help assure & verify Health Care Providers Privacy and Security Context Personal Privacy in the provision of

6. 6 Security Policy requires enforcement of establish enterprise policy The Delicate Balance: Private, Appropriate, and Safe Care Timely Access Complete, Accurate Health Information Safe, High Quality Care require resulting in Optimal Diagnostic & Treatment Decisions in order to make Consumers Data Integrity Measures Availability Measures Authenticity & Accountability Measures have the right to to help protect Confidentiality Measures want and need help assure & verify provide personal consent directives Governments Health Care Providers CAN IMPEDE CREATING RISK TO in the provision of Personal Privacy enact laws & regulations Consumers Health Care Providers Personal Privacy Safe, High Quality Care Privacy Rules restrict & enablehelp assureprotect & verify

7. 7 Privacy Policy Considerations The provision of safe, high-quality care to an individual is a collaborative process whose success is directly dependent upon the timely availability of complete and accurate health information As we review proposed legislation, we observe a trend toward including privacy provisions that enable consumers to deny providers access to their electronic health records, or to specific data elements – Such provisions will serve to deny providers availability to health information essential to providing safe, high quality care – and are beyond a reasonable expectation for healthcare privacy We have concerns with legislation that: – Assigns to consumers absolute control over who has access to their health information – Enables consumers to “opt-out” of electronic systems or health information exchanges (HIEs) We are supportive of legislation that enables consumers: – To participate in determining who has access to their health information, and – To know who has accessed their identifiable, electronic health information

8. 8 Legislative & Regulatory Needs 1. “Fixes” – problems that need to be addressed 2. “Challenges” – issues that need to be addressed, but for which we lack clarity about how to do so while minimizing cost and disruptions in health system operations 3. “Conundrums” – questions without obvious answers; need for further study

9. 9 “Fixes” Business Associates (BAs) Omission – BAs are not required to comply with HIPAA standards – need to bring into scope of compliance with HIPAA safeguards – Oversight & enforcement are challenging Need to minimize financial and operational impact to covered entities and service providers Need to consider BAs outside the US HIPAA Applicability Scope Tied to Administrative Transactions – HIEs and other provider organizations that do not participate in administrative transactions are not required to comply with HIPAA Privacy and Security Rules – Need to address all organizations that collect, receive, maintain, or use individually identifiable health information Inconsistent Applicability of Privacy and Security Rules – Privacy Rule applies to all individually identifiable health information – Security Rule applies only to electronic health information – Both need to apply to all identifiable health information, with appropriate provisions for electronic and non-electronic media

10. 10 “Challenges” Notification of “Security Breaches” – Lack definition – Public notification may encourage others to exploit vulnerabilities – Not always clear where breach occurred – How to measure severity, intention, potential harm – Over-notification effects Right to Anonymous Care – If patient pays cash for services and requests that health plan not be notified, provider should be required to comply with request – May present problems for integrated health environment – still will need to capture encounter in electronic medical record, which may trigger transaction to health plan – Particularly challenging for Health Maintenance Organizations (HMOs) Accounting for Disclosures – Consumer has right to know who has accessed his or her health information – Most systems are incapable of capturing this information today – Need to encourage health systems and IT vendors to move toward capability – Operational factors likely to continue to be challenging “Healthcare Operations” Scope – Health information may be released without patient’s consent for purposes of treatment, payment, and “healthcare operations” – Need to constrain definition of “healthcare operations”

11. 11 “Conundrums” Personal Health Records (PHRs) and Health Record Banks – Definitions and business models still evolving – Currently outside HIPAA; governed by Federal Trade Commission (FTC) Determining “Minimum Necessary” – Need to allow for context specificity “De-identification” of Health Information – Consumers with less common conditions, and consumers in sparsely populated areas are at higher risk of re-identification – Moving target – as systems become faster and more interconnected, “de-identification” becomes less feasible – In some cases, the ability to “re-link” health information to an individual is beneficial to the health and safety of that individual – but if information can be “re-linked,” can it be considered truly “de- identified?” Sale of Health Information – Who owns the information – and therefore stands to profit from its sale? – Is ownership permanently bound with the individual about whom the information originally was collected? In other words, can ownership change once information is “de-identified?” – Is an individual’s authorization required in order to sell his or her health information? Fraud Victim Recovery – If an individual’s identity is compromised and someone else’s health information is recorded in the victim’s medical record, need to provide safe way for the victim to correct the information contained in the compromised EMR

12. 12 Summary Absolute privacy is not possible Security protection is essential for assuring privacy “Security” and “privacy” are relative and ephemeral – products of a continuously evolving risk profile, operational and technical protective measures, and value systems The health industry and lawmakers must find ways to effectively manage the delicate balance between essential access to health information and risks to individual privacy – without imposing administrative and operational burdens that cripple the healthcare system; diminishing the quality and safety of patient care; and creating a distrustful consumer population