
August 21-24, 2007

Privacy and Security Leaders as Partners in Patient-Centered Care

Presented by Samuel P. Jenkins, FACHE

Director, Defense Privacy Office

The Privacy Symposium – Summer 2007, Cambridge, MA

Agenda

• Military Health System (MHS) Background

• Patient-Centered Privacy and Security Landscape

• The Case for Privacy and Security Leaders as Partners in Patient-Centered Care


MHS is a leader in the healthcare industry as a government provider and payor


What Makes the Military Health System Unique?

Characteristic: Description

• Size of staff: Support staff of 132,500+ individuals (more for HIPAA training)

• Mobile and relocating: Reach a highly mobile workforce with frequent changes in work location

• Global locations: Serve facilities and beneficiaries stationed in many countries and on the battlefield

• Distinct Branches of Service: Integrate large organizational units with distinct business processes (Army, Navy, Air Force and Coast Guard)

• Multiple time zones: Conduct business in almost every time zone

• Diverse patient and employee population: Require knowledge of many diverse cultures

• Foreign language requirements: Perform work in multiple languages

Patient-Centered Privacy and Security Landscape


Privacy and security leaders can be powerful and effective partners in protecting patient data

• "While comprehensive data do not exist, available evidence suggests that breaches of sensitive personal information have occurred frequently and under widely varying circumstances. – For example, more than 570 data breaches were reported in the news media

from January 2005 through December 2006, according to lists maintained by private groups that track reports of breaches. These incidents varied significantly in size and occurred across a wide range of entities, including federal, state, and local government agencies; retailers; financial institutions; colleges and universities; and medical facilities.

– The extent to which data breaches have resulted in identity theft is not well known, largely because of the difficulty of determining the source of the data used to commit identity theft."

Source: GAO-07-737, June 4, 2007


The potential for identity theft presents a challenge to patient confidence and adoption of EHRs and PHRs

• More dangerous than financial identity theft, medical identity theft may also harm its victims by creating false entries in their health records at hospitals, doctors' offices, pharmacies, and insurance companies

• Rising healthcare costs are driving instances of medical identity theft, in which individuals use the names and medical records of others to obtain healthcare


Responding consumers indicate that loss of their personal healthcare information ranks among their top five concerns

*Source: 2007 Survey on Consumer Privacy, June 2007


Responding consumers express most concern about potential data loss by healthcare organizations

*Source: 2007 Survey on Consumer Privacy, June 2007


The Department of Health and Human Services (HHS) is working to address data protection challenges


HHS has engaged a range of U.S. healthcare industry stakeholders to support widespread EHR/PHR adoption


The AHIC Confidentiality, Privacy and Security (CPS) Workgroup recommends data protection measures to HHS

• Current working hypothesis under consideration

– All persons and entities that participate in an electronic health information exchange network, at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant HIPAA requirements.

• Potential impacts

– The working hypothesis, if adopted, would extend the HIPAA regulations and codify requirements to business associates and other non-covered entities.

– This may impact the structure and content of Business Associate Agreements, Data Use Agreements, and Memoranda of Understanding between some healthcare partners.


Data protection interests are appearing in federal privacy and security legislation

Key Privacy Legislation Proposed*

• Leahy-Spector Personal Data Privacy and Security Act of 2007 – S 495.IS

• Data Accountability and Trust Act – HR 958.IH

• Cyber Security Enhancement and Consumer Data Protection Act of 2007 – HR 836.IH

• Notification of Risk to Personal Data Act of 2007 – S 239.IS

• VIP Act – HR 1307.IH (applies to victims of the 2006 VA breach only)

• Prevention of Fraudulent Access to Phone Records – HR 936.IH

Data Protection Issues

• Close watch on government “databanks”

• Review underway of present laws

– DHS, Data Privacy and Integrity Advisory Committee

– NIST, Information Security Privacy Advisory Board

• Recent security breaches

– Increased sense of urgency

– Covered personal information

– Credit file freeze rules

– Social security numbers usage

• Trigger notification

– Acquisition or access?

– “Reasonable” or significant risk of identity theft?

– Actual harm?

– When to notify regulators?

– When to notify individuals at risk?

• Spyware inhibiting routine business processes

*As of June 2007

The Case for Privacy and Security Leaders as Partners in Patient-Centered Care


The movement from paper to electronic healthcare data is changing the landscape

• Governance issues are paramount in ensuring patient-centered privacy and security is implemented

• Roles and responsibilities and lines of authority must be clearly defined

• Policy requirements overlap privacy and security areas requiring collaboration

• Training messages can be consolidated to address both privacy and security concerns


The shifting threat requires privacy and security leaders to act together to prevent potential intrusions

Source: Electronic Privacy Information Center, http://www.epic.org

Privacy and security leaders can partner to implement controls to protect against probable causes

Source: The Business Impact of Data Breach survey by Ponemon Institute, May 2007


Proactive measures must be taken to protect healthcare information from most frequent failures

Source: The Business Impact of Data Breach survey by Ponemon Institute, May 2007


Privacy and security professionals can combine skills and resources to address threats to healthcare data

• Most serious threat to an organization is sometimes overlooked – that is, the formal and informal organizational boundaries erected between privacy and security

• Privacy and security must work hand in hand for true compliance in healthcare settings

– Is it reflected in policies?

– In organizational structure?

– In roles and responsibilities?

– In lines of authority?

• We must strive to build partnerships and a shared vision between the privacy and security leaders – focus on protecting patient data


What we have learned – there are risks that must be managed


Thank You

• 2007 Consumer Survey on Data Security by Ponemon Institute - http://www.vontu.com/consumersurvey/

• Centers for Medicare and Medicaid Services (CMS) - http://www.cms.hhs.gov/HIPAAGenInfo/

• HHS Health IT Efforts - http://www.hhs.gov/healthit/

• HHS Office for Civil Rights (OCR) - http://www.hhs.gov/ocr/hipaa/

• TMA Privacy Office - www.tricare.osd.mil/tmaprivacy/HIPAA.cfm

• TMA Privacy Office Contact - [email protected]

• The Business Impact of Data Breach survey by Ponemon Institute - http://www.scottandscottllp.com/resources/data_breach.pdf