How Broader Privacy Policy Issues Impact Healthcare

How Broader Privacy Policy Issues Impact Healthcare Professor Peter P. Swire Moritz College of Law The Ohio State University HIT Summit September 26, 2006

Overview My background Role of privacy & security in the development of the National Health Information Network Three key issues, informed by non-health experiences: Preemption Enforcement Consumer-centered approaches Explain the consumer, industry, & political perspectives on these issues Conclusion: the choice we face

Swire Background Now law professor, based in D.C. Active in many privacy & security activities Chief Counselor for Privacy, 1999-2001 U.S. Office of Management & Budget WH coordinator, HIPAA privacy rule Financial, Internet, government agency privacy National security & FISA Computer security

Health Care Background Health care since 2001: Written on health privacy & security topics, at www.peterswire.net Consulted on HIPAA implementation Morrison & Foerster, LLP Markle, Connecting for Health Deidentification white paper for IBM

Privacy, Security & the NHIN As public policy matter, crucial to get the benefits of data flows (electronic health records) while minimizing the risks (privacy and security) As political matter, privacy and security are the greatest obstacles to adoption Focus group: the emergency room while out of town as the only scenario that got substantial majority to favor EHRs Many individuals see risks > rewards of EHRs

Implications of Public Concern All those who support EHRs must have good answers to the privacy and security questions that will be posed at every step "Trust us" not likely to be a winning strategy The need for demonstrable, effective protections The system must be strong enough to survive the inevitable data breaches & resultant bad publicity

Preemption Industry perspective: Benefits of data sharing high; paper kills Shift to electronic clinical records is inevitable; that shift has occurred in other sectors Can only run a national system if have a national set of rules Preemption is essential, a no-brainer

Preemption: Consumer View Janlori Goldman, Health Privacy Project A lot of state privacy laws HIV Other STDs Mental health (beyond psychotherapy notes) Substance abuse & alcohol Reproductive & contraceptive care (where states vary widely in policy) Public health & other state agencies HIPAA simply doesn't have provisions for these topics; if preempt, then big drop in privacy protection

Consumers & Preemption Link of reporting and privacy HIV and other public health reporting based on privacy promises So, objections if do reporting w/out privacy Concrete problems of multi-state? Many RHIOs have only one or a few states Build out from there State laws both as burdens (industry) and protections (consumers)

Preemption & Politics Consumer and privacy advocates see states as the engine for innovation Current example: data breach; California went first, and now Congress is trying to catch up with a uniform standard Basic political dynamic: industry gets preemption in exchange for raising standards nationally

Preemption in Other Sectors Gramm-Leach-Bliley: no preemption But, Fair Credit 2003 does some of that Wiretap (ECPA): no preemption Data breach: proposed preemption FTC unfair/deceptive enforcement: no preemption CAN-SPAM: significant preemption Conclusion -- variation

Key Issues in Preemption Scope of preemption matters & can vary One policy baseline: scope of preemption matches the scope of the federal regime If the scope is for networked health IT, then preemption about that, not entire health system Preserve state tort and contract law? Preserve state unfair & deceptive enforcement? Grandfather existing state laws? Some of them?

Summary on Preemption Strong pressures for preemption in national, networked system If simply preempt and apply HIPAA, then have a dramatic reduction in privacy & security This is a major & complicated policy challenge that is not likely to have a simple outcome

Enforcement The current no enforcement system Key question for the NHIN: Can the current no-enforcement system be a credible basis for EHRs and the NHIN?

The No Enforcement System Imagine some other area of law that you care about, where violations are serious. Batting average: 0 enforcement actions for over 20,000 complaints Enforcement policy: one free violation Criminal enforcement: DOJ cut back scope of criminal penalties No prosecution for the > 300 criminal referrals 3 cases brought by local federal prosecutors

Effects of No Enforcement Signals work Surveys already showing lower efforts at HIPAA compliance and lower reported actual compliance by covered entities Contrast internal HIPAA efforts and budget (low enforcement) with compliance efforts on Medicare fraud & abuse (hi enforcement) Why should Congress and consumer groups trust compliance with HIPAA, much less with new rules for the NHIN?

Other Privacy Enforcement Fair Credit, stored communications, video rentals, cable TV Federal plus private right of action Deceptive practices, CAN-SPAM, COPPA, proposed data breach Federal, plus state AG HIPAA as outlier, with federal-only enforcement If feds don't do it, then have no enforcement of the HIPAA rules themselves

Customer-Centered Records For other sectors, strong ability for customers to see & manage their own accounts Online banking Online insurance Status of orders from retailers Integration of records into personal software E.g., all financial records feed into your tax records Access controls: rules on who gets the records, such as accountant but not former spouse

Patient-Centered Records Huge lag, once again, for health records HIPAA access rule an important step for patients to have a right to see their records Importance of records for some groups: Chronic conditions Parents for kids' immunizations, etc. Care of elderly by remote relatives Anyone who sees multiple providers

Patient-Centered Records Almost no public policy debates in past few years about how to ensure that patients have effective access to their own medical records Such access is assumed in other sectors What will it take for it to occur for health care?

What We Have Learned Within health IT debates, consensus statements often sound like this: Need preemption to do the national network Should not punish/enforce against covered entities, when they are struggling in good faith to implement new HIPAA mandates Of course, privacy and security should be part of the NHIN, but likely don't go beyond HIPAA requirements

What We Have Learned That trio of conclusions, based on experience in other sectors, may face serious political obstacles: Preemption is likely to be partial and require new federal standards in some areas The no-enforcement system will be hard to sustain New privacy/security protections quite likely will accompany new NHIN data flows Customer-centered is the norm elsewhere

Conclusion: Your Choice Option 1: Play Hardball Decide the costs of privacy & security are too high to be built into the NHIN Push a strategy of high preemption and low enforcement Grudgingly give only the bare minimum on privacy/security when the political system forces it onto industry

The Better Choice Option 2: A NHIN to Be Proud Of Incorporate the key values of state laws, especially for sensitive data, into the NHIN Support reasonable enforcement, so that bad actors are deterred and good actors within covered entities get support Build privacy & security into the fabric of new systems, not just as a patch later Connecting for Health as an example Customer-centered records

The Better Choice With the second option, A NHIN to Be Proud Of, the patients are not treated as the political enemies The risk of political backlash is less The quality of the NHIN for actual patients is higher That, I think, should be our goal Thank you

Contact Information Phone: (240) 994-4142 Email: peter@peterswire.net Web: www.peterswire.net