HIPAA Timeline

advertisement
http://www.cs.princeton.edu/courses/archive/spr02/cs495/Confidentiality%20Privacy%20and%20Security.ppt
Confidentiality, Privacy and
Security
C. William Hanson M.D.
Professor of Anesthesiology and Critical Care
CS Department
Princeton University
Privacy
• The desire of a person to control the
disclosure of personal health information
Confidentiality
• The ability of a person to control release of
personal health information to a care
provider or information custodian under an
agreement that limits further release of that
information
Security
• Protection of privacy and confidentiality
through policies, procedures and
safeguards.
Why do they matter?
• Ethically, privacy and confidentiality are
considered to be rights (in our culture)
• Information revealed may result in harm to
interests of the individual
• The provision of those rights tends to ensure that
the information is accurate and complete
• Accurate and complete information from
individuals benefits society in limiting spread of
diseases to society (i.e. HIV)
Why do they matter?
• The preservation of confidentiality assists
research which in turn assists patients
Users of health information
• Patient
– Historical information for current and future care
– Insurance claims
• MD’s
–
–
–
–
Patient’s medical needs
Documentation
Interface with other providers
Billing
Users
• Health insurance company
– Claims processing
– Approve consultation requests
• Laboratory
– Process specimens
– Results reporting
– Billing
Users
• Pharmacy
– Fill prescription
– Billing
• Hospital
–
–
–
–
–
Care provision
Record of services
Billing
Vital statistics
Regulatory agencies
Users
• State bureau
– Birth statistics
– Epidemiology
• Accrediting organization
– Hospital review
• Employer
– Request claims data
– Review claims for $ reduction
– Benefits package adjustments
Users
• Life insurance companies
– Process applications
– Process claims
– Risk assessment
• Medical information bureau
– Fraud reduction for life insurance companies
• Managed care company
– Process claims
– Evaluate MD’s
Users
• Lawyers
– Adherence to standard of practice
– Malpractice claims
• Researcher
– Evaluate research program
Security
•
•
•
•
•
Availability
Accountability
Perimeter definition
Rule-limited access
Comprehensibility and control
Privacy solutions
• Forbid the collection of data that might be
misused
• Allow the collection of health information
within a structure, but with rules and
penalties for violation pertaining to
collecting organizations
• Generate policies to which individual
information handlers must adhere
Security controls
• Management controls
– Program management/risk management
• Operational controls
– Operated by people
• Technical controls
– Operated by the computer system
Management controls
• Establishment of key security policies, i.e.
policies pertaining to remote access
– Program policy
• Definition, scope, roles and responsibilities of the
computer security program
– Issue specific policy
• Example: Y2K
– System specific policy
• Who can access what functions where
Core security policies
•
•
•
•
•
•
•
Confidentiality
Email
System access
Virus protection
Internet/intranet use
Remote access
Software code of
ethics
• Backup and recovery
• Security training and
awareness
Biometrics
• The scientific discipline of measuring
relevant attributes of living individuals or
populations to identify active properties or
unique characteristics
– Can be used to evaluate changes over time for
medical monitoring or diagnosis
– Can be used for security
Approaches to identification
• Token based simple security
– House key, security card, transponder
• Knowledge based
– SSN, password, PIN
• Two-factor
– Card + PIN
ID
Card
Authentication
+
PIN
Access
Approaches to identification
• Authoritative ID
T
ID
Authentication
Policy
Access
F
Audit
Identification
• Certain and unambiguous
– Deterministic
• Certain with small probability of error
– Probabilistic
• Uncertain and ambiguous
• Biometric schemes are probabilistic
Probabilistic
• False acceptance rate (type I error)
– Percentage of unauthorized attempts that will be
accepted
– Also relevant for medical studies
• False rejection rate (type II error)
– Percentage of authorized attempts that will be rejected
– Also relevant for medical studies
• Equal error rate
– Intersection of the lowest FAR and FRR
Biometric ID
• Acquire the biometric ID
– How do you ensure that you got the right guy
• Localize the attribute
– Eliminate noise
– Develop a template (reduced data set)
• Check for duplicates
Biometric applications
• Identification
– Search the database to find out who the
unknown is
– Check entire file
• Authentication
– Verify that the person is who he says he is
– Check his file and match
Biometric identifiers
•
•
•
•
•
Should be universal attribute
Consistent – shouldn’t change over time
Unique
Permanent
Inimitable (voice can be separated from the
individual)
• Collectible – easy to gather the attribute
• Tamper resistant
• (Cheaply) comparable - template
Biometric technologies
• Fingerprint
– Automated fingerprint ID systems (law
enforcement)
– Fingerprint recognition – derives template form
features for ID
– Validating temp and /or pulse
– Optical vs. solid state (capacitance)
– Low FAR and FRR
Fingerprint
Hand geometry
• Dimensions of fingers and location of joints
unique
• Low FAR FRR
Retinal scan
• Very reliable
• More expensive than hand or fingerprint
• Extremely low FAR FRR
Retinal scan
Voice recognition
• Automatic speaker verification (ASV) vs.
automatic speaker identification (ASI)
–
–
–
–
ASV = authentication in a two-factor scheme
ASI = who is speaker
Feature extraction and matching
Problems with disease/aging etc.
Iris scanning
• Less invasive than retinal scanning
• Technically challenging balancing optics,
ambient light etc.
• Can be verified (live subject) by iris
response to light
Face recognition/thermography
• Facial architecture and heat signature
• Relatively high FAR/FRR
• Useful in two factor scenarios
Hand vein
• Infrared scanning of the architecture of the
hand vessels
Signature
• Architecture of the signature
• Dynamics of the signature (pressure and
velocity)
Biometric identification issues
• Privacy, anonymity
• Legal issues not defined
Security: availability
• Ensures that accurate, up-to-date
information is available when needed at
appropriate places
Security: accountability
• Ensures that users are responsible for their
access to and use of information based on a
documented need and right to know
Security: perimeter definition
• Allows the system to control the boundaries
of trusted access to an information system
both physically and logically
Security: rule-limited access
• Enables access for personnel to only that
information essential to the performance of
their jobs and limits the real or perceived
temptation to access information beyond a
legitimate need
Security: comprehensibility and
control
• Ensures that record owners, data stewards
and patients can understand and have
effective control over appropriate aspects of
information confidentiality and access
Availability
• Backups with local and off-site copies of
the data
• Secure housing and power sources for CPU
even during disasters (when system
availability may be crucial)
• Virus protection
Accountability
• Audit trails and warnings
• User
– Authentication – unique ID process
– Authorization – to perform set of actions, i.e.
access only their own patients
Perimeter definition
• System knows users and how they are using
the system
– Define the boundaries of the system (i.e. within
the firewall) Princeton-Penn-HUP
– How do you permit/monitor off-site access
– Modems?
• Tools
– Cryptographic authentication
Perimeter definition
• Public key-private key
– Encryption
• Privacy and confidentiality
– Digital signatures
• Prescription signature
– Content validation
• Message hasn’t been messed with
– Nonrepudiation
• “I didn’t say that”
Role limited access
• Spheres of access
– Patient list: patients one has a role in the care of
– Content specific: billing clerk/billing info
– Relevant data: researcher on heart disease
shouldn’t be able to learn about HIV status
Taxonomy of organizational
threats
• Motive
– Health records have economic value to insurers,
employers, journalists, enemy states etc.
– Curiosity about the health status of friends,
romantic interests, coworkers or celebrities
– Clandestine observation of employees (GE)
– Desire to gain advantage in contentious
situations (divorce)
Resources
• Attackers may range from
–
–
–
–
–
Individuals
Small group (e.g. law firm)
Large group (e.g. insurer, employer)
Intelligence agency
Organized crime
Initial access
• Site access
• System authorization
• Data authorization
Billing clerk
Site
System
Worker
Data
MD, RN
Computer vendor
Technical capability
• Aspiring attacker (limited skills)
–
–
–
–
–
Research target
Masquerade as an employee
Guess password
Dumpster diving
Become temporary employee
Technical capability
• Script runner
– Acquire software from web-sites for automated
attacks
• Accomplished attacker
– Able to use scripted or unscripted (ad-hoc)
attacks
Levels of threat
• Threat 1
– Insiders who make “innocent” mistakes and
cause accidental disclosure
– Elevator discussion, info left on screen, chart
left in hallway etc.
• Threat 2
– Insiders who abuse their privileges
Threat
• Threat 3
– Insiders who access information
inappropriately for spite or profit
– London Times reported that anyone’s electronic
record could be obtained for $300
• Threat 4
– Unauthorized physical intruder
– Fake labcoat
Threats
• Threat 5
– Vengeful employees or outsiders bent on
destruction or degradation, e.g. deletion, system
damage, DOS attacks
– Latent problem
Countering threats
• Deterrence
– Create sanctions
– Depends on identification of bad actors
• Imposition of obstacles
– Firewalls
– Access controls
– Costs, decreased efficiency, impediments to
appropriate access
Countermeasures
Type System Data Site Threat
Counter
Mistake
Org and technical
measures
N/A
Improper use of
access privileges
Authentication and
auditing
N
N/A
Unauthorized for
spite of money
Authentication and
auditing
Y
N
Y
Unauthorized
physical intrusion
Physical security
and access control
Y
N
N
Technical breakin
Authentication,
access and crypto
1
Y
Y
Y
2
Y
Y
3
Y
4
5
Counter threat 1
• Behavioral code
• Screen savers, automated logout
• ? Patient pseudonyms
Counter threat 2
•
•
•
•
Deterrence
Sanctions
Audit
Encryption (user must obtain access keys)
Counter threat 3
• Audit trails
• Sanctions appropriate to crime
Counter threat 4
• Deterrence
• Strong technical measures (surveillance
tapes)
• Strong identification and authentication
measures
Counter threat 5
• Obstacles
• Firewalls
Issues with countermeasures
• Internet interface
• Legal and national jurisdiction
• Best balance is relatively free internal
environment with strong boundaries
– Requires strong ID/auth
Recommendations
• Individual user ID and authentication
– Automated logout
– Password discipline
• Access controls
– Role limited
– Role definitions
• Cardiologist vs. MD
• Audit trails
Recommendations
• Physical security and disaster recovery
– Location of terminals
– Handling of paper printouts
• Remote access points
– VPN’s
– Encrypted passwords
– Dial-ins
Recommendations
• External communications
– Encrypt all patient related data over publicly
available networks
• Software discipline
– Virus checking programs
• System assessment
– Run scripted attacks against one’s own system
Recommendations
• Develop security and confidentiality
policies
–
–
–
–
Publish
Committees
ISO’s
Sanctions
• Patient access to audit logs
– Who saw my record and why
Future recommendations
• Strong authentication
– Token based authentication (two factor)
• Enterprise wide authentication
– One-time login to authorized systems
• Access validation
– Masking
• Expanded audit trails
• Electronic signatures
Universal patient identifier
• Methodology should have an explicit framework
specifying linkages that violate patient privacy
• Facilitate the identification of parties that make
improper linkages
• Unidirectional – should facilitate helpful linkages
of health records but prevents identification of
patient from health records or the identifier
http://www.cs.princeton.edu/courses/archive/spr02/cs495/HIPAA-princeton.ppt
Implications of
the Health Insurance Portability
and Accountability Act of 1996
Mark Weiner, M.D.
Assistant Professor of Medicine
University of Pennsylvania
mweiner@mail.med.upenn.edu
Computer Science 495
Special Topics in CS: Medical Informatics
February 21, 2002
What is HIPAA
• Health Insurance Portability and Accountability
Act of 1996
• proposed by Sen. Edward Kennedy (D-MA) and
Nancy Kasselbaum (R-KS)
– Focused on issues involving
• obtaining new insurance at new job with preexisting conditions
• protection from fraud
• administrative simplification
– Electronic transmittal of data for billing purposes
– Privacy issues related to transmission of clinical data
What Information is covered
under HIPAA
• Personal Health Information (PHI)
– Anything that can potentially identify an
individual
Name
Email addresses
Zip code of more
than 3 digits
Social Security Numbers
Dates (except year)
Telephone and fax
numbers
Medical Record Numbers
Health Plan Numbers
License numbers
Privacy vs. Security
• Privacy
– Administrative mechanisms that govern the
appropriate use and access to data
• Not all hospital employees need to know everything
about a patient
• Security
– Technical mechanisms to ensure privacy
• don’t have a fax machine that receives personal
information in a public place
• Encrypt electronic communications
Privacy before HIPAA
4th Amendment (…secure in their persons, houses, papers
and effects against unreasonable searches and
seizures…)
Fair Credit Reporting Act (1970)
Privacy Act (1974)
Family Educational Rights and Privacy Act (1974)
Right to Financial Privacy Act (1978)
Privacy Protection Act (1980)
Electronic Communications Privacy Act (1986)
Video Privacy Protection Act (1988)
Employee Polygraph Protection Act (1988)
Telephone Consumer Protection Act (1991)
Driver’s Privacy Protection Act (1994)
Telecommunications Act (1996)
Children’s Online Privacy Protection Act (1998)
Identity Theft and Assumption Deterrence Act (1998)
Gaps in privacy protection
• Most of the preceding laws protect aspects
of personal information (mostly financial),
but not Health Information
• Inconsistent State laws exist for protection
of information regarding certain health
conditions -- HIV, Mental Illness, Cancer
Concern about loss of Privacy
• 1998 National Survey
– 33% concerned about the amount of
information being requested from various
sources
– 55% VERY concerned
• 1995 Survey
– 80% agreed with statement that they had lost all
control of their medical information
Concern About Loss of Privacy
• 1999 Survey
– What issues concerned them the most in the
coming century?
• 29% listed “Loss of Personal Privacy” as 1st or 2nd
concern
• 23% or less selected terrorism, world war, global
warming
Concern About Loss of Privacy
• Internet usage (1999 survey)
–
–
–
–
82% have used a computer
64% have used the internet
58% have sent e-mail
59% worry that an unauthorized person will
gain access to their information
– 75% of people visiting health sites are
concerned that information is being shared
Concern About Loss of Privacy
• Electronic Medical Records/Data Banks
– 75% express concern about insurance
companies putting information about them in a
database accessible by others
– 35% of Fortune 500 companies look at medical
records before making hiring or promotional
decisions
Concern About Loss of Privacy
• Genetic information
– 85% concerned that insurers and employers
may gain access to personal genetic information
– 63% would not take genetic screening tests if
the information was going to be shared with
insurers and employers
– 32% of eligible people refused to have genetic
testing for breast cancer risk because of privacy
concerns
Are These Privacy Concerns
Unfounded?
• 1999- A Michigan based Health System
accidentally posted medical records of
thousands of patients on the Internet
• A Utah-based pharmacy benefits
management company used patient data to
solicit business for its parent company -- a
drug store
Are These Privacy Concerns
Unfounded?
• Health Insurance Claims forms blew out of
a truck on its way to a recycling center
• A patient in a Boston-area hospital
discovered that her medical record had been
read by more than 200 hospital employees
• A Nevada woman purchased a used
computer that still had prescription records
from the pharmacy that formerly owned the
computer
Are These Privacy Concerns
Unfounded?
• Johnson and Johnson markets a list of 5
million names and addresses of elderly
incontinent women
• A few weeks after undergoing a blood test,
an Orlando woman received a letter from a
drug company promoting their treatment for
high cholesterol
Are These Privacy Concerns
Unfounded?
• A banker who also sat on a county health
board identified people with cancer and
called in their mortgages!
• A physician diagnosed with AIDS had his
surgical privileges suspended (Medical
Center of Princeton)
• A newspaper published the history of
psychiatric treatment and suicide attempt of
congressional candidate
Why does electronic communication
increase privacy concerns?
• Problems with paper charts - Messy,
difficult to find, one physical copy - all
make it harder to acquire and disseminate
information
• Electronic documents can be intentionally
or unintentionally transmitted to thousands
of people at once
What is HIPAA designed to do?
• Give patients more control over use of data
• Set boundaries on uses and disclosures of
data
• Establish safeguards to protect data
• Establish accountability for privacy
breaches
• Balance privacy with social responsibility
HIPAA Timeline
• 1996 - HIPAA Signed into law
– Privacy regulations not specified
– Congress was to enact laws and policy
regarding privacy by 1999
– If Congress failed to develop standards, task
would fall to Department of Health and Human
Services (DHHS)
• 1999 - DHHS becomes responsible for developing
privacy regulations
HIPAA Timeline
• 1999 - DHHS proposes privacy standards and
opens them up for public comment
• 1999-2000 DHHS receives 50,000 comments on
regulations
• December 2000 - DHHS publishes “Final Privacy
Rule”
• February 2001 - Enactment of Final Rule delayed
because of “administrative difficulties.” Further
public comment requested
HIPAA Timeline
• April 2001 - Privacy Rule implementation phase
begins
• April 2003 - Deadline for covered entities to
complete implementation plan
HIPAA Stipulations for Using
and Releasing Information
• Notification
• Consent
• Authorization
HIPAA Stipulations for Using
and Releasing Information
• Notification
– Informing patients in simple language regarding
the manner in which their data is handled
HIPAA Stipulations for Using
and Releasing Information
• Consent
– one time, general agreement to use the patient’s
information in treatment. For payment, or for
“healthcare operations”
– Lasts indefinitely, necessary for treatment
– Sharing information between primary care
physician and consulting specialist
– Regulations allows provision of care to be
conditioned on patient’s consent to use
information for payment purposes.
HIPAA Stipulations for Using
and Releasing Information
• Authorization
– limited in time and scope
– Non-routine purpose
– Example : Patient is actively participating in a
research protocol and personal health
information will be shared with a clinical
service or university
Health-related activities covered
by HIPAA
•
•
•
•
•
Health Care
Billing
Marketing
Fund Raising
Research
HIPAA In Health Care
• Consent to release information to insurance
carriers for billing purposes
• Primary and consulting physicians given
full access to record for treatment purposes
• Hospital Staff provided “minimum
necessary” information to conduct business
• Laboratories and Radiology offices can use
information for billing purposes
• Stipulations about auditing of who has
seen/used what information
HIPAA In Health Care
•
•
•
•
Fax machines
Hospital information networks
E-mail
Physical security of computer hardware
Research under HIPAA
• Continues as before when appropriate
informed consent is obtained from subjects.
• Special consideration necessary when using
data without explicit consent of subjects
– Few restrictions when using de-identified data
on populations of patients (no names, SSNs,
addresses; birthdates; populations must have
substantial size)
– Oversight required to use identifiable data
Research under HIPAA
• Patient consent NOT required with identifiable
data when all of the following are true:
–
–
–
–
–
–
IRB approves protocol and use of data
use or disclosure of data presents minimal risk
will not affect privacy and welfare of individual
consent process impractical
research could not be conducted without information
plan exists to protect identifiers from improper use and
disclosure
– Data will not be reused for other purposes without
authorization from IRB
HIPAA in Research Summary
• Little oversight needed for de-identified,
population-based data
• IRB authorization required to access identifiable
patient information
• Duty to inform patients regarding research uses of
their data
• Audit trails of information access for research
• ??? Responsibilities when initiating patient contact
based on knowledge of personal information
Accountability
• Civil penalties
– Violation of standards will be subject penalties
of $100 per violation, up to $25,000 per person,
per year for each requirement or prohibition
violated.
Accountability
• Federal criminal
– up to $50,000 and one year in prison for obtaining or
disclosing protected health information
– up to $100,000 and up to five years in prison for
obtaining protected health information under "false
pretenses”
– up to $250,000 and up to 10 years in prison for
obtaining or disclosing protected health information
with the intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm.
Penn’s High Level
Approach to HIPAA
• Identify organizational components and
communication links relevant to Health
Care
– Define which components of health information
can be transmitted among which the
components
– Set up secure communication strategy among
components (intranets, firewalls, encryption)
University of Pennsylvania
Health System
• 4 owned hospitals
–
–
–
–
Hospital of the University of Pennsylvania
Presbyterian Medical Center
Pennsylvania Hospital
Phoenixville Hospital
• 65 owned primary care ambulatory
practices (Community Care Associates)
University of Pennsylvania
Health System
• Owned by the University of Pennsylvania
that also has other related health care
entities
–
–
–
–
Nursing school
Dental School
Student Health Service
Counseling
The overlapping lines of communication
University
(Hybrid Entity)
“Health Care Component”
Covered Entity within Hybrid
__ - Hybrid
__ - ACEs
__ - OHCAs
HUP
PAH
CHOP
SODM
ORA
(IRBs)
Wistar
SOM
PMC
CPUP
PHX
Others
CCA
Cancer Network
Holy Redeemer
Athletics
Student Health
Counseling
Wharton LDI
CTT
School of Social
Work
SON
St. Luke’s
VA
Independent Medical Staffs –
PAH, PMC, PHX
Penn Friends
Penn’s Approach to Research
Data Use
• Research requires data!
• Not all research requires personal identifiers
• Personal identifiers are often necessary to
validate and integrate data from different
systems
• Identifiers are often necessary to conduct
retrospective research
Penn has a Research Database
•
•
•
•
•
•
Pennsylvania
Integrated
Clinical and
Administrative
Research
Database
}
The PICARD System
Data Integration and Access
HTML
FTP
IDX
Oracle
Sql*Net8
SMS
Data
Warehouse
Cerner
(Oracle 8.1.5
on DEC
Alpha DS20)
Dept system
ODBC
Application
Server
(Apache)
MSAccess
Oracle Tools
Web
Clients
Available Data
• Ambulatory Data
– Primary and subspecialty care data-- Jan 1997 May 2001
– Patient information
•
•
•
•
•
Location
Gender
Race
Birthdate
Insurance carrier
Available Data
• Inpatient data
– Patient information
– Admission Detail - 1988-1999 for HUP and
Presby
•
•
•
•
Admission, DC dates, LOS
Diagnoses
Procedures for recent admissions
Charges for procedures/room/medicine etc.
Available Data
• Laboratory
– 75 common chemistries, hematology and
serology results since August, 1997
• Cardiology testing
– Stress test, cath, echo results
• Pharmacy
– Limited population
• Pulmonary Function test data
Penn’s Approach to Research
Data Use
• Minimal oversight
– Information regarding a provider’s own patients
– Determination of numbers of patients meeting
specified criteria
• IRB approval
– Release of Medical Record numbers for
additional chart review
• IRB and “PAC” review
– Required before patient contact initiated
Administrative Issues in Data Use
• Steps to contact patients through a targeted
approach for potential enrollment in research
– Our office generates lists of potentially eligible
patients
– Lists forwarded to primary care provider (PCP)
• Discretion if provider needs to contact patient
– PCP returns lists of authorized patients to our
office
– Investigator receives list of authorized patients
– Investigator contacts patients in the context of the
PCP
Research Data Use vs
Patient Contact
• Additional authorization from primary care provider
required before contacting patients
– Labor intensive process
– Can we delegate responsibility for obtaining
authorization to investigator?
– Does patient have to be contacted by provider and
affirm interest in study participation prior to being
contacted by investigators?
Questions for discussion
• Should we allow patients to opt out of allowing their
data to be used in research, even without personal
identifiers?
• Do we allow patients to refuse directed contact
regarding research participation? If so, for how long?
• Federal law vs. “6:00 news” law
Resources
• HIPAA Administrative Simplification:
– http://aspe.hhs.gov/admnsimp/
• HIPAA Privacy:
– http://www.hhs.gov/ocr/hipaa/
• Workgroup on Electronic Data Interchange
Strategic National Implementation Process:
– http://snip.wedi.org/
• American Association of Medical Colleges
– http://aamc.org/members/gir/gasp
Download