Developing Privacy and Security Standards
Allen Briskin, allenbriskin@dwt.com
Davis Wright Tremaine LLP
Overview
- What is HIE?
- Legal baselines: HIPAA, state laws, California HISPC findings
- Privacy and security principles
- How can lawyers fit into privacy/security rulemaking?
What is HIE?
- Common notion: moving data, context and knowledge on an individual's health from application to application, repository to repository, without loss of meaning. This requires everyone to be fully equipped to give and receive in context.
- Consider health information access as an alternative: perhaps the most significant benefit of having access to a patient's health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions.
- What's needed for access:
  - A data use / data sharing agreement
  - A restricted (1-patient) quarantined portal viewer and a secure method of access to the viewer
  - A common method for user authentication and authorization across entity boundaries
- HIE is going to take many forms in response to market demand.
Legal Baseline: HIPAA Privacy
- It's not really about privacy, it's about facilitating disclosure
- Patient consent not required for payment, treatment, health operations
- Notice of Privacy Practices: the kitchen sink of policies; like drinking from a fire hose
Legal Baseline: HIPAA Security
- The Privacy Rule sets the standards for who may have access to PHI
- The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access
- The security requirements were designed to be technology neutral and scalable
Legal Baseline: State laws
- The HISPC (Health Information Security and Privacy Collaboration) project discloses a crazy-quilt of state laws
- Sensitive information: HIV/AIDS, mental health, substance abuse, genetic testing
- "my own private HIPAA"
Legal Baseline: California Laws
Highlights of the California March 30, 2007 report:
- Stakeholders have varying perceptions about the degree to which privacy laws are enforced
  - A potential deterrent to exchange
  - Detracts from the credibility of HIE
- Privacy is at risk because there are no common standards for users accessing data and for non-covered entities under HIPAA
Legal Baseline: California Laws (continued)
- Privacy rules governing some public health issues are incomplete and unclear
- It is not feasible for one person to understand the complexity resulting from the convergence of laws that affect privacy and security
- The complex interaction of federal and state laws, and differences in stakeholders' level of knowledge and interpretation, results in restrictive sharing of information
Legal Baseline: California Laws (continued)
- The problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE
- Solutions:
  - Establish a legal committee to include all stakeholders and their legal counsel
  - The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption
  - Compile an index of applicable laws
  - Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location
- Barriers include "inability to agree on core principles, goals or laws"
Privacy and Security Principles (thanks to Connecting for Health)
- Openness and Transparency: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides.
- Purpose Specification and Minimization: The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose.
- Collection Limitation: Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject.
Privacy and Security Principles (thanks to Connecting for Health)
- Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.
- Individual Participation and Control: Individuals should control access to their personal information.
  - Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them.
  - Individuals should have the right to:
    - have personal data relating to them communicated within a reasonable time (at an affordable charge, if any) and in a form that is readily understandable;
    - be given reasons if a request (as described above) is denied, and be able to challenge such denial; and
    - challenge data relating to them and have it rectified, completed, or amended.
Privacy and Security Principles (thanks to Connecting for Health)
- Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current.
- Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure.
- Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices.
- Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations.
Privacy Meets Security
- Privacy rules protect the individual's interest in maintaining the confidentiality of, and directing the use and disclosure of, his or her personal health information
- Security rules are to ensure that only those who should have access to personal health information will have access
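The slides state the requirements for cross-entity access without showing what an enforcement point looks like. The following is an added example, written for this page and not code from the slides, from Connecting for Health or from Davis Wright Tremaine. It models, in one check, the three access prerequisites from the "What is HIE?" slide (a data-sharing agreement, a restricted 1-patient quarantined viewer, a common authentication/authorization method across entity boundaries), the HIPAA Privacy slide's point that treatment, payment and operations need no patient consent, and the state-law sensitive categories (HIV/AIDS, mental health, substance abuse, genetic testing) that do. The entity names, the HMAC shared key standing in for whatever credential a real agreement establishes, the token layout, the patients and the records are all constructed assumptions for the demonstration.

```python
"""Patient-scoped, cross-entity access check for an HIE portal viewer.

Added illustration, not code from the slides or from Connecting for Health.
Entity names, keys, token format, patients and records are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed: bilateral data-sharing agreements, keyed by
# (data holder, requesting entity) -> key agreed under that contract.
AGREEMENTS = {
    ("county-hospital", "valley-clinic"): b"constructed-shared-secret-1",
}

# Purposes HIPAA permits without patient authorization (the "TPO" trio).
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Categories many state laws protect beyond HIPAA (from the "State laws"
# slide); the demo requires explicit patient consent for each.
SENSITIVE = {"hiv", "mental_health", "substance_abuse", "genetic"}


def mint_token(holder, requester, user, patient_id, purpose, ttl=300):
    """Requesting entity asserts one authenticated user, one patient and one
    purpose, signed with the key from its agreement with the data holder."""
    key = AGREEMENTS[(holder, requester)]
    claim = {"iss": requester, "aud": holder, "sub": user,
             "patient": patient_id, "purpose": purpose,
             "exp": int(time.time()) + ttl}
    body = json.dumps(claim, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + sig).decode()


def authorize(token, holder, patient_id, record, consents=frozenset(), now=None):
    """Return (allowed, reason) for viewing `record` of `patient_id`.
    `consents`: non-TPO purposes and sensitive categories the patient has
    authorized for release. Each check maps to a point on the slides."""
    now = int(time.time()) if now is None else now
    try:  # hex signature never contains ".", so the last "." is the separator
        body, sig = base64.urlsafe_b64decode(token.encode()).rsplit(b".", 1)
        claim = json.loads(body)
    except ValueError:  # bad base64, missing separator or bad JSON
        return False, "malformed token"
    # Data-sharing agreement: no contract, no key, no access.
    key = AGREEMENTS.get((holder, claim.get("iss")))
    if key is None:
        return False, "no data-sharing agreement with requesting entity"
    # Cross-entity authentication: the holder verifies the requester's MAC.
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature (cross-entity authentication failed)"
    if claim.get("aud") != holder or claim.get("exp", 0) < now:
        return False, "wrong audience or expired token"
    # Quarantined 1-patient viewer: the token names exactly one patient.
    if claim.get("patient") != patient_id:
        return False, "token is quarantined to a different patient"
    # HIPAA baseline: TPO needs no consent; any other purpose does.
    purpose = claim.get("purpose")
    if purpose not in TPO_PURPOSES and purpose not in consents:
        return False, "non-TPO purpose without patient consent"
    # State-law overlay: sensitive categories need consent even for TPO.
    restricted = SENSITIVE & set(record.get("categories", ()))
    if not restricted <= set(consents):
        missing = ",".join(sorted(restricted - set(consents)))
        return False, "sensitive categories lack consent: " + missing
    return True, "ok"


def demo():
    """Exercise the checks; returns {case: allowed} so results can be asserted."""
    holder, requester = "county-hospital", "valley-clinic"
    tok = mint_token(holder, requester, "dr.lee", "P-001", "treatment")
    plain = {"categories": ["allergies"]}            # constructed record
    hiv = {"categories": ["allergies", "hiv"]}       # constructed record
    # Tampering: rewrite the patient in the signed body without re-signing.
    raw = base64.urlsafe_b64decode(tok.encode())
    forged = base64.urlsafe_b64encode(raw.replace(b"P-001", b"P-002")).decode()
    research = mint_token(holder, requester, "dr.lee", "P-001", "research")
    stale = mint_token(holder, requester, "dr.lee", "P-001", "treatment", ttl=-10)
    return {
        "same_patient": authorize(tok, holder, "P-001", plain)[0],
        "other_patient": authorize(tok, holder, "P-002", plain)[0],
        "forged_patient": authorize(forged, holder, "P-002", plain)[0],
        "no_agreement": authorize(tok, "other-hospital", "P-001", plain)[0],
        "expired": authorize(stale, holder, "P-001", plain)[0],
        "hiv_without_consent": authorize(tok, holder, "P-001", hiv)[0],
        "hiv_with_consent": authorize(tok, holder, "P-001", hiv, {"hiv"})[0],
        "research_without_consent": authorize(research, holder, "P-001", plain)[0],
        "research_with_consent": authorize(research, holder, "P-001", plain, {"research"})[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26} {'ALLOW' if allowed else 'DENY'}")
```

The order of the checks is deliberate: the agreement lookup and MAC verification run before any claim is trusted, the patient scope is enforced before the purpose is examined, and the sensitive-category overlay is applied last because it can deny access that HIPAA alone would permit. A real deployment would replace the shared HMAC key with the credential the agreement actually establishes and would log every denial with its reason, since the accountability and remedies principles on the following slides presuppose that record.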
How Can Lawyers Fit Into Privacy/Security Rulemaking?
- Goal: reconciling the legal baselines and the principles and removing roadblocks to create a socially accepted, legally sound set of rules
- Why do we need lawyers?
  - IT professionals generally do not know what lawyers do
  - The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out
  - Tell me what's really important?
Case Study – Common Framework for HIE – Model Agreement
- We were hired by Connecting for Health to prepare the model
- We consulted with the client to get direction on relevant precedent and the general scope of the project
- We prepared a draft based on legal principles and precedent
- We highlighted the legal issues and provided alternatives
- We vetted the document with a small group and revised it to reflect their input
- The policy subcommittee then vetted it with a large group
- We made revisions
- The policy subcommittee finalized it
How Can Lawyers Fit Into Privacy/Security Rulemaking?
- It is difficult and unproductive to address legal issues in a vacuum
- It is not necessary to address all potential legal issues just in case
- There needs to be a nexus between the expected policy deliverables and legal advice
- Lawyers should highlight the legal issues and provide alternatives
- Lawyers should assist in the initial drafting
- The policymaking body should then vet the proposals
- Lawyers provide advice
- The policymaking body then decides what to go with
This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice, as legal counsel may only be given in response to inquiries regarding particular situations. Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted).
Questions?