Upload
natalie-crowley
View
219
Download
0
Tags:
Embed Size (px)
Citation preview
““Security and Privacy in Security and Privacy in Electronic Health Records”Electronic Health Records”
Peter P. SwirePeter P. SwireOhio State UniversityOhio State University
Consultant, Morrison & Foerster, LLPConsultant, Morrison & Foerster, LLPHospital Wireless ConferenceHospital Wireless Conference
July 25, 2005July 25, 2005
The Schedule Shift TodayThe Schedule Shift Today
Privacy meeting today with Homeland Privacy meeting today with Homeland Security Secretary ChertoffSecurity Secretary Chertoff
Planned privacy meeting with HHS Planned privacy meeting with HHS Secretary LeavittSecretary Leavitt
Privacy and security as strategic issues for Privacy and security as strategic issues for top leadershiptop leadership
Our Puzzle for TodayOur Puzzle for Today
Health IT Health IT MustMust Improve Considerably Improve Considerably Often a decade or more behind other sectorsOften a decade or more behind other sectors Manila folders behind the nurses’ stationManila folders behind the nurses’ station
• Other sectors – banks, travel, retail?Other sectors – banks, travel, retail?• Inconceivable in today’s marketInconceivable in today’s market
Perhaps a federal law – manila folders Perhaps a federal law – manila folders banned from health care providers?banned from health care providers?
The Gingrich version: “paper kills”The Gingrich version: “paper kills”
Our PuzzleOur Puzzle
Health IT is Health IT is HARDHARD to Improve to Improve Reimbursement reasonsReimbursement reasons
• Medicare, insurers usually do not pay more for Medicare, insurers usually do not pay more for good ITgood IT
• Customers don’t discipline providers on health IT, Customers don’t discipline providers on health IT, the way they would banks or travel providersthe way they would banks or travel providers
• Quality-of-care ROI is usually easier to show than Quality-of-care ROI is usually easier to show than financial ROI for health ITfinancial ROI for health IT
Our PuzzleOur Puzzle
Health IT is Health IT is HARDHARD to Improve to Improve Privacy and security reasonsPrivacy and security reasons Recent Westin/AHRQ pollRecent Westin/AHRQ poll
• More respondents worried about privacy & security More respondents worried about privacy & security than favored new use of electronic health recordsthan favored new use of electronic health records
Polls and focus groupsPolls and focus groups• Risks are top-of-mind to consumersRisks are top-of-mind to consumers• Benefits are much less evidentBenefits are much less evident
OverviewOverview
HIPAA and my backgroundHIPAA and my background Electronic Medical Records, Connecting Electronic Medical Records, Connecting
for Health & David Brailerfor Health & David Brailer National health IDs vs. a linking National health IDs vs. a linking
approachapproach IT progress together with security and IT progress together with security and
privacyprivacy
I. HIPAA and Health ITI. HIPAA and Health IT
HIPAA statute in 1996HIPAA statute in 1996 The political engine was transactionsThe political engine was transactions
Early 1990s and no agreement on standardsEarly 1990s and no agreement on standards One HIPAA client paid in > 2000 formatsOne HIPAA client paid in > 2000 formats Statute said standards for electronic Statute said standards for electronic
paymentspayments My sense – improvement, but harder to get My sense – improvement, but harder to get
standard implementation than was hopedstandard implementation than was hoped
HIPAA and Health ITHIPAA and Health IT
Privacy and security came with new health Privacy and security came with new health ITIT Political realization that patient records would Political realization that patient records would
be electronic for payment purposesbe electronic for payment purposes HIPAA statute said build in privacy and HIPAA statute said build in privacy and
security at the same time as ramp up the level security at the same time as ramp up the level of electronic paymentsof electronic payments
That makes sense – upgrade (for That makes sense – upgrade (for transactions) easiest time to upgrade for transactions) easiest time to upgrade for security and privacysecurity and privacy
HIPAA PrivacyHIPAA Privacy
Congress gave itself until summer, 1999 to Congress gave itself until summer, 1999 to write a medical privacy statutewrite a medical privacy statute
When it couldn’t, Administration required When it couldn’t, Administration required to issue a privacy ruleto issue a privacy rule
WH Coordinator for Oct. 99 proposed ruleWH Coordinator for Oct. 99 proposed rule 53,000 public comments53,000 public comments Final privacy rule Dec. 2000Final privacy rule Dec. 2000
HIPAA Privacy After 2000HIPAA Privacy After 2000
After Jan. 2001, political effort to cancel After Jan. 2001, political effort to cancel HIPAA privacyHIPAA privacy
President Bush overruled his advisors, President Bush overruled his advisors, and kept itand kept it
2002 final privacy rule mostly the same as 2002 final privacy rule mostly the same as 2000 privacy rule2000 privacy rule
HIPAA security was delayed, but now in HIPAA security was delayed, but now in placeplace
Looking Back on HIPAALooking Back on HIPAA
Much of it good practices that had not Much of it good practices that had not necessarily been built in previouslynecessarily been built in previously
Some was bureaucratic overkillSome was bureaucratic overkill One criticism since 2001 – much less One criticism since 2001 – much less
outreach and guidance than plannedoutreach and guidance than planned Another criticism – no enforcement yet, Another criticism – no enforcement yet,
with risk that those who comply will lose with risk that those who comply will lose faith in the systemfaith in the system
II. EMRs, Markle & BrailerII. EMRs, Markle & Brailer
Next, beyond electronic transactions to Next, beyond electronic transactions to electronic medical records (EMRs)electronic medical records (EMRs)
A great resource – Markle Foundation’s A great resource – Markle Foundation’s Connecting for Health ProjectConnecting for Health Project www.markle.orgwww.markle.org: Roadmap & other docs: Roadmap & other docs I’ve been involved in 3 working groups of itI’ve been involved in 3 working groups of it Currently, my focus is on authentication for Currently, my focus is on authentication for
patients and system userspatients and system users
Markle & HHSMarkle & HHS
Spring, 2004 – Pres. Bush announces Dr. Spring, 2004 – Pres. Bush announces Dr. David Brailer as “Health IT Czar”David Brailer as “Health IT Czar”
Brailer had been chair of a Markle Brailer had been chair of a Markle committeecommittee Great background on health care economics, Great background on health care economics,
health IThealth IT New HHS Sec. Leavitt was on Markle New HHS Sec. Leavitt was on Markle
committee, is making health IT one of his committee, is making health IT one of his signature issuessignature issues
Where We Are TodayWhere We Are Today
Markle and numerous stakeholdersMarkle and numerous stakeholders HHS – Leavitt & BrailerHHS – Leavitt & Brailer Congress – Newt and Hillary become best friendsCongress – Newt and Hillary become best friends BUT, some health care stakeholders are unconvinced:BUT, some health care stakeholders are unconvinced:
Doctors, reimbursement & data input challengesDoctors, reimbursement & data input challenges Consumers and fears on privacy/securityConsumers and fears on privacy/security Interconnection challenges and fear that early Interconnection challenges and fear that early
adopters won’t get paid for their effortsadopters won’t get paid for their efforts
III. Health ID v. LinkingIII. Health ID v. Linking
A key issue in EMRs is whether to have a A key issue in EMRs is whether to have a national health IDnational health ID Most doctors and techies initially assume that Most doctors and techies initially assume that
it is appropriate and necessaryit is appropriate and necessary My argument here is that it is a bad idea and My argument here is that it is a bad idea and
that a “linking” or “record locator service” that a “linking” or “record locator service” approach is feasible and better policyapproach is feasible and better policy
National Health IDsNational Health IDs
The attraction is the idea that records from The attraction is the idea that records from home, work, and travel all can be matched home, work, and travel all can be matched by tagging them with a unique identifier for by tagging them with a unique identifier for each patienteach patient
Most providers use a unique identifier, Most providers use a unique identifier, such as SSN, in their own system – why such as SSN, in their own system – why not use it across systems?not use it across systems?
Most plans have envisioned national ID Most plans have envisioned national ID and a central EMR repositoryand a central EMR repository
The Politics of Health IDsThe Politics of Health IDs
Unique patient IDs were actually Unique patient IDs were actually requiredrequired in the in the 1996 HIPAA statute1996 HIPAA statute Supported by many vendors and system Supported by many vendors and system
ownersowners By 1998, Clinton Administration said no health By 1998, Clinton Administration said no health
IDs unless strong privacy & security in placeIDs unless strong privacy & security in place Bush Administration has confirmed that there will Bush Administration has confirmed that there will
be no such IDs for patientsbe no such IDs for patients Moral – huge political opposition to the ideaMoral – huge political opposition to the idea Waiting for health IDs means to wait a long timeWaiting for health IDs means to wait a long time
The Markle Linking AlternativeThe Markle Linking Alternative
Create a Create a Record Locator ServiceRecord Locator Service (RLS), not (RLS), not an EMR central databasean EMR central database
The RLS authenticates based on The RLS authenticates based on demographic, not clinical, datademographic, not clinical, data
Federated – decision at the edges whether a Federated – decision at the edges whether a record is listed on the RLSrecord is listed on the RLS• E.g., substance abuse & HIV may not be listedE.g., substance abuse & HIV may not be listed
Advantages of RLS ApproachAdvantages of RLS Approach
Avoids single point of failure of central Avoids single point of failure of central EMR database – the data breach problemEMR database – the data breach problem
Control at edgesControl at edges Patients can opt outPatients can opt out Providers can decide what (not) to linkProviders can decide what (not) to link
Graceful transition from current systemGraceful transition from current system No required new data field for health IDsNo required new data field for health IDs No “rip and replace”No “rip and replace”
In sum, privacy & security built inIn sum, privacy & security built in
The State of Play on RLSThe State of Play on RLS
Current Markle work onCurrent Markle work on Model contract for participants (RHIOs) and Model contract for participants (RHIOs) and
their participants (such as small practice their participants (such as small practice groups)groups)
Policies and procedures – the big picture for Policies and procedures – the big picture for communities who are interestedcommunities who are interested
FAQs for deeper technical dives on hard FAQs for deeper technical dives on hard issuesissues• E.g., scoring & procedures for authenticationE.g., scoring & procedures for authentication
Test interchange: Indiana and BostonTest interchange: Indiana and Boston
IV. Privacy, Security & EMRsIV. Privacy, Security & EMRs
Must be credible on privacy & security or the Must be credible on privacy & security or the benefits of EMRs will be underminedbenefits of EMRs will be undermined
The architecture must be secureThe architecture must be secure Centralized databases, even for sophisticated Centralized databases, even for sophisticated
financial data, have been publicly breachedfinancial data, have been publicly breached Health care is unlikely to be (or to be seen as) Health care is unlikely to be (or to be seen as)
doing better than banks, who have centuries doing better than banks, who have centuries of practice in guarding the moneyof practice in guarding the money
Many consider medical data more sensitive Many consider medical data more sensitive than financial datathan financial data
Some Privacy BasicsSome Privacy Basics
Goal should be to improve patient privacy & Goal should be to improve patient privacy & security in shift to EMRssecurity in shift to EMRs
Safeguards must be explainable to publicSafeguards must be explainable to public Patient access to linking system (what’s in the Patient access to linking system (what’s in the
system?) and means to correct (those aren’t my system?) and means to correct (those aren’t my records)records) Access in HIPAA and FCRAAccess in HIPAA and FCRA
Patient opt-out from the system, working with Patient opt-out from the system, working with providersproviders
Mission Creep & EMRsMission Creep & EMRs
Many stakeholders will push for access to linked Many stakeholders will push for access to linked identities and records:identities and records: Health quality measurementsHealth quality measurements Cost controlsCost controls Bioterrorism & law enforcementBioterrorism & law enforcement Medical researchMedical research Marketing researchMarketing research
Not all those who want the data should get itNot all those who want the data should get it Model contract for linking will address these issuesModel contract for linking will address these issues
EnforcementEnforcement
Looking ahead, I believe that enforcement against bad Looking ahead, I believe that enforcement against bad actors should occur, while good faith efforts by data actors should occur, while good faith efforts by data holders should not receive enforcementholders should not receive enforcement
To date, 0 civil enforcement actions for 13,000 To date, 0 civil enforcement actions for 13,000 complaints to the Office of Civil Rightscomplaints to the Office of Civil Rights
Recently, DOJ opinion that criminal laws do not apply to Recently, DOJ opinion that criminal laws do not apply to most employees of covered entitiesmost employees of covered entities
The right level of enforcement is not zero The right level of enforcement is not zero The system should be credible, without chilling much-The system should be credible, without chilling much-
needed sharing of EMRs for legitimate usesneeded sharing of EMRs for legitimate uses
ConclusionConclusion
EMRs as the health IT challenge for the next EMRs as the health IT challenge for the next decade, following the ten-year cycle since decade, following the ten-year cycle since HIPAA was enactedHIPAA was enacted
Privacy & security concerns for consumers often Privacy & security concerns for consumers often outweigh the perceived benefitsoutweigh the perceived benefits
Strategic challenge for health IT professionals Strategic challenge for health IT professionals and the entire sector on how to use health IT and the entire sector on how to use health IT consistent with the public’s concernsconsistent with the public’s concerns
In ClosingIn Closing
As you build your health IT systems, imagine As you build your health IT systems, imagine your own records and those of your family being your own records and those of your family being in the infrastructurein the infrastructure
Can you say with confidence to your family that Can you say with confidence to your family that their records are secure and confidential?their records are secure and confidential?
For substance abuse, psychiatric records, HIV, For substance abuse, psychiatric records, HIV, and other extra-sensitive data?and other extra-sensitive data?
That’s the standard we should apply to our That’s the standard we should apply to our systems – that each patient’s data is held the systems – that each patient’s data is held the way we want out own data to be treatedway we want out own data to be treated
In ClosingIn Closing
That’s the high-tech version of the Golden That’s the high-tech version of the Golden RuleRule
Do unto other’s data as you would have Do unto other’s data as you would have them do unto youthem do unto you
Thank you.Thank you.
Contact InformationContact Information
Peter P. SwirePeter P. Swire Consultant, Morrison & Foerster, LLPConsultant, Morrison & Foerster, LLP Phone: (240) 994-4142Phone: (240) 994-4142 Email: Email: [email protected]@peterswire.net Web: Web: www.peterswire.netwww.peterswire.net