Developing Privacy and Security Standards

Allen Briskin

allenbriskin@dwt.com

Overview

- What is HIE?
- Legal baselines
  - HIPAA
  - State laws
  - California HISPC findings
- Privacy and security principles
- How Can Lawyers Fit Into Privacy/Security Rulemaking?

What is HIE?

- Common notion: Moving data, context and knowledge on an individual’s health from application to application, repository to repository without loss of meaning
- Requires everyone to be fully equipped to give and receive in context
- Consider: health information access as an alternative
- Perhaps the most significant benefit from having access to a patient’s health records is the integrated workflow and compilation of information in meaningful ways to improve diagnosis and treatment decisions
- What’s needed for access:
  - Data use / data sharing agreement
  - Restricted (1-patient) quarantined portal viewer and secure method of access to the viewer
  - Common method for user authentication and authorization across entity boundaries
- HIE is going to take many forms in response to market demand

Legal Baseline: HIPAA Privacy

- It’s not really about privacy, it’s about facilitating disclosure
- Patient consent not required for payment, treatment, health operations
- Notice of Privacy Practices
  - The kitchen sink of policies
  - Like drinking from a fire hose

Legal Baseline: HIPAA Security

- The Privacy Rule sets the standards for who may have access to PHI
- The Security Rule sets the standards for ensuring that only those who should have access to ePHI will actually have access
- The security requirements were designed to be technology neutral and scalable

Legal Baseline: State laws

- HISPC project discloses a crazy-quilt of state laws
- Sensitive information
  - HIV/AIDS
  - Mental health
  - Substance abuse
  - Genetic testing
- “my own private HIPAA”

Legal Baseline: California Laws

Highlights of California March 30, 2007 Report

- Stakeholders have varying perceptions about the degree to which privacy laws are enforced
  - A potential deterrent to exchange
  - Detracts from credibility of HIE
- Privacy is at risk because there are no common standards for users accessing data and non-covered entities under HIPAA

Legal Baseline: California Laws

- Privacy rules governing some public health issues are incomplete and unclear
- It is not feasible for one person to understand the complexity resulting from the convergence of laws that affect privacy and security
- The complex interaction of federal and State laws and differences in stakeholders’ level of knowledge and interpretation result in restrictive sharing of information

Legal Baseline: California Laws

- The Problem: multiple interpretations and applications of laws governing privacy and security result in different approaches to HIE
- Solutions:
  - Establish a legal committee to include all stakeholders and their legal counsel
  - The legal committee would recommend solutions to CPSAB concerning the legal issues among federal and state laws and state law pre-emption
  - Compile an index of applicable laws
  - Analyze potential impacts of applying standards to all HIE participants or to all individually identifiable health information, regardless of location
- Barriers include “inability to agree on core principles, goals or laws”

Privacy and Security Principles (Thanks to Connecting for Health)

- Openness and Transparency: There should be a general policy of openness about developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, the purpose of its use, who can access and use it, and where it resides
- Purpose Specification and Minimization: The purposes for which personal data are collected should be specified at the time of collection, and the subsequent use should be limited to those purposes or others that are specified on each occasion of change of purpose
- Collection Limitation: Personal health information should only be collected for specified purposes, should be obtained by lawful and fair means and, where possible, with the knowledge or consent of the data subject

Privacy and Security Principles (Thanks to Connecting for Health)

- Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified
- Individual Participation and Control: Individuals should control access to their personal information:
  - Individuals should be able to obtain from each entity that controls personal health data information about whether or not the entity has data relating to them
  - Individuals should have the right to:
    - Have personal data relating to them communicated within a reasonable time (at an affordable charge, if any), and in a form that is readily understandable;
    - Be given reasons if a request (as described above) is denied, and to be able to challenge such denial; and
    - Challenge data relating to them and have it rectified, completed, or amended

Privacy and Security Principles (Thanks to Connecting for Health)

- Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are used and should be accurate, complete, and current
- Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure
- Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices
- Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations

Privacy Meets Security

- Privacy rules protect the individual’s interest in maintaining confidentiality of and directing the use and disclosure of his/her personal health information
- Security rules are to ensure only those who should have access to personal health information will have access

How Can Lawyers Fit Into Privacy/Security Rulemaking?

- Goal: reconciling the legal baselines and the principles and removing roadblocks to create a socially accepted, legally sound set of rules
- Why do we need lawyers?
  - IT professionals generally do not know what lawyers do
  - The laws and regs are the specifications for life and, since they are written down, they should be easy to figure out
  - Tell me what’s really important?

Case Study – Common Framework for HIE – Model Agreement

- We were hired by Connecting for Health to prepare the model
- We consulted with the client to get direction on relevant precedent and general scope of the project
- We prepared a draft based on legal principles and precedent
- We highlighted the legal issues and provided alternatives
- We vetted the document with a small group and revised to reflect their input
- The policy subcommittee then vetted with a large group
- We made revisions
- The policy subcommittee finalized it

How Can Lawyers Fit Into Privacy/Security Rulemaking?

- It is difficult and unproductive to address legal issues in a vacuum
- It is not necessary to address all potential legal issues just in case
- There needs to be a nexus between the expected policy deliverables and legal advice
- Lawyers should highlight the legal issues and provide alternatives
- Lawyers should assist in the initial drafting
- The policymaking body should then vet the proposals
- Lawyers provide advice
- The policymaking body then decides what to go with

This is a publication of the Health Information Technology Group of Davis Wright Tremaine LLP with a purpose to inform and comment upon recent developments in health law. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations.

Copyright 2008, Davis Wright Tremaine LLP (reprints with attribution permitted)

Questions?