Information Security and Privacy: HIPAA’s Potential Impact
Gordon J. Apple, Attorney at Law, Law Office of Gordon J. Apple, St. Paul, MN
Lee Olson, Information Security Officer, Mayo Foundation, Rochester, MN

Program Objectives
Overview of data security/privacy issues
Review of HIPAA security standards
Review of HIPAA privacy standards
Facing HIPAA challenges

Existing Data Protection Requirements
State law
Federal law
JCAHO
Conditions of Participation
Professional codes

New HIPAA Requirements
Standards for electronic transactions and code sets
National standard health care provider identifier
National standard employer identifier
Security and electronic signature standards

New HIPAA Requirements cont’d
Standards for privacy of individually identifiable health information
National standard for health claims attachment
National standard identifiers for health plans

I. Overview of Data Security and Privacy Issues

Privacy
“The right to privacy is an integral part of our humanity; one has a public persona, exposed and active, and a private persona, guarded and preserved. The heart of our liberty is choosing which parts of our lives shall become public and which parts we shall hold close.”
Minnesota Supreme Court, 582 N.W.2d 231 (1998)

The Power of Anecdotes

Data Mining
Develop clinical pathways to improve patient care
Develop drug formularies
Develop marketing opportunities?

CVS Case
Pharmacy records
Alleged misuse
PR firestorm
Class action litigation

“It is only slightly facetious to say that digital information lasts forever - or five years, whichever comes first.”
Jeff Rothenberg, Scientific American, Jan. 1995

Geek Speak
Firewall
Hacker
Bandwidth
Router
Port probes
TTP

Geek Speak II
CA
PKI
PKE
LAN
ISP

Wetware

II. General Review of HIPAA Security Standards

Security
“The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.”
Three aspects to consider
– confidentiality
– integrity
– availability

Security Standards: Applicability
Applies to any health plan, provider or clearinghouse that electronically maintains or transmits any individually identifiable health information, internally or externally

Security is risk management

Risk Management Process
Quantify assets, risks and threats
– a mix of the objective and subjective
– need not be complicated
Determine cost-effective security controls
– protect what’s worth protecting & don’t worry about the rest
The government is big on this
– mainly because the government is big
– approach statistical mean
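The arithmetic behind these bullets, as an added example that is not part of the presentation: it uses the conventional single-loss and annualized-loss expectancy figures (SLE and ALE, names the slide does not use) to decide which controls pay for themselves and which belong to "the rest". Every asset value, frequency, control cost and reduction factor below is constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Risk quantifies one asset/threat pair. Figures are constructed for illustration.
type Risk struct {
	Asset      string
	Threat     string
	AssetValue float64 // dollar value of the asset
	Exposure   float64 // fraction of the value lost per occurrence (0..1)
	Frequency  float64 // expected occurrences per year
}

// SLE (single loss expectancy) is the loss from one occurrence.
func (r Risk) SLE() float64 { return r.AssetValue * r.Exposure }

// ALE (annualized loss expectancy) is the statistical mean yearly loss.
func (r Risk) ALE() float64 { return r.SLE() * r.Frequency }

// Control is a candidate safeguard for one risk.
type Control struct {
	Name       string
	RiskAsset  string
	RiskThreat string
	AnnualCost float64
	Reduction  float64 // fraction of the ALE the control removes (0..1)
}

// NetBenefit is the yearly loss avoided minus the yearly cost of the control.
func NetBenefit(r Risk, c Control) float64 {
	return r.ALE()*c.Reduction - c.AnnualCost
}

// SelectControls returns, best first, the controls that pay for themselves.
// Controls that cost more than the loss they avoid are dropped: that is "the rest".
func SelectControls(risks []Risk, controls []Control) []string {
	byKey := make(map[string]Risk, len(risks))
	for _, r := range risks {
		byKey[r.Asset+"/"+r.Threat] = r
	}
	type scored struct {
		name string
		net  float64
	}
	var kept []scored
	for _, c := range controls {
		r, ok := byKey[c.RiskAsset+"/"+c.RiskThreat]
		if !ok {
			continue // control does not map to a quantified risk
		}
		if net := NetBenefit(r, c); net > 0 {
			kept = append(kept, scored{c.Name, net})
		}
	}
	sort.Slice(kept, func(i, j int) bool { return kept[i].net > kept[j].net })
	names := make([]string, 0, len(kept))
	for _, k := range kept {
		names = append(names, k.name)
	}
	return names
}

// Constructed sample register; none of these numbers come from the presentation.
var SampleRisks = []Risk{
	{"clinical database", "hardware failure", 500000, 0.2, 0.5},
	{"clinical database", "flood", 500000, 1.0, 0.01},
	{"workstations", "malware", 100000, 0.1, 4},
}

var SampleControls = []Control{
	{"nightly off-site backup", "clinical database", "hardware failure", 12000, 0.8},
	{"relocate server room", "clinical database", "flood", 30000, 0.9},
	{"endpoint anti-virus", "workstations", "malware", 8000, 0.6},
}

func main() {
	for _, r := range SampleRisks {
		fmt.Printf("%-18s %-17s SLE %9.0f  ALE %8.0f\n", r.Asset, r.Threat, r.SLE(), r.ALE())
	}
	fmt.Println("controls worth funding:", SelectControls(SampleRisks, SampleControls))
}
```

The flood control is rejected not because floods are harmless but because, at the assumed frequency, its annual cost exceeds the mean annual loss it avoids; the "objective and subjective" mix the slide mentions lives in the Exposure, Frequency and Reduction estimates, which are the numbers to revisit when the result looks wrong.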

Risks
Passive, always in the background
– fires, floods, power outages, equipment failure
– predictable on a large scale & statistical in nature

Threats
Active, evolving, never static
Goal: defeat security
– people oriented
– hackers, viruses, insiders, disgruntled persons
– must be actively managed by security professionals

1. Administrative Procedures
Guard data confidentiality, integrity and availability
Policies and procedures
– written
– communicated
– enforced

Administrative Requirements
Certification
Chain of trust partner agreements
Organizational policies, practices and procedures
Access controls
Internal audit
Personnel security
Configuration management
Incident response
Termination procedures
Training

2. Physical Safeguards
Appointment of security czar
Physical access control
Workstation usage
Media & output controls
Locks, keys, tokens…
Termination procedures
Backup

3. Technical Security Services
System level features
System access
– user identification and authentication
Entity authentication
Data authentication
Authorization control
– discretionary access to data
– least privilege principle
Audit controls

4. Technical Security Mechanisms
Communications & network controls
– firewall management
– access controls
– alarms
– audit trail
– encryption
– event reporting
– integrity controls

5. Electronic Signature
Must implement three characteristic features:
– message integrity
– non-repudiation
– user authentication
Digital signature provides these
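How a digital signature delivers the three features on this slide, as an added example that is not from the presentation. Ed25519 from Go's standard library stands in for whatever algorithm a real deployment would pick; the signed "order" string and the party names are constructed. Integrity and user authentication fall directly out of verification: a changed record or a signature made with another party's key both fail. Non-repudiation is the same check plus two assumptions outside the code, namely that the private key is held only by the signer and that the public key is bound to that signer by a trusted party (the CA and PKI of the earlier "Geek Speak" slide).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one signer, for example a clinician's workstation.
// The private key never leaves the party that generated it.
type Party struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh Ed25519 key pair.
func NewParty() (*Party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{pub: pub, priv: priv}, nil
}

// Public returns the key a relying party (or a CA, in a PKI) would publish.
func (p *Party) Public() ed25519.PublicKey { return p.pub }

// Sign produces the signature over the exact bytes of the record.
func (p *Party) Sign(record []byte) []byte { return ed25519.Sign(p.priv, record) }

// Verify checks integrity and signer authentication in one step: a changed
// record or a signature made with another key both return false.
func Verify(pub ed25519.PublicKey, record, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // malformed key; never let a bad key look like a bad signature
	}
	return ed25519.Verify(pub, record, sig)
}

// Scenario signs a constructed order and reports three checks:
// the genuine pair, a tampered record, and a signature from a different key.
func Scenario() (genuine, tampered, wrongSigner bool, err error) {
	alice, err := NewParty()
	if err != nil {
		return false, false, false, err
	}
	mallory, err := NewParty()
	if err != nil {
		return false, false, false, err
	}

	order := []byte("patient=P-001;drug=amoxicillin;dose=500mg") // constructed record
	sig := alice.Sign(order)

	genuine = Verify(alice.Public(), order, sig)

	// Integrity: one changed digit in the dose invalidates Alice's signature.
	altered := []byte("patient=P-001;drug=amoxicillin;dose=5000mg")
	tampered = Verify(alice.Public(), altered, sig)

	// Authentication: a signature from Mallory's key does not verify as Alice.
	wrongSigner = Verify(alice.Public(), order, mallory.Sign(order))
	return genuine, tampered, wrongSigner, nil
}

func main() {
	genuine, tampered, wrongSigner, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:   ", genuine)
	fmt.Println("tampered record verifies:  ", tampered)
	fmt.Println("other signer verifies:     ", wrongSigner)
}
```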

Proposed HIPAA Project Structure
(Organizational chart; only its text labels survive extraction. Tiers shown: Governance, Coordination & Plan, Operational Level, Execution. A legend marks some groups as new.)
Bodies shown on the chart:
– Board of Trustees Audit Committee
– Information Policy Committee
– Foundation HIPAA Coordinating Group
– Foundation Finance Oversight Group
– Foundation Security Subcommittee
– Foundation Privacy Group
– Operational units: Compliance office, Accreditation office, Education/Research, Medical Records, Systems and Procedures, Information Security, Internal Audit, Information Technology, Legal, Finance, Health Plans
– Coordination teams: Scottsdale, Rochester, Mayo Health System (Rochester), Jacksonville
– Remote sites

Getting Started: Gathering Current State Information
Translate requirements
– 38 pages of single-spaced legalese -- don’t try this at home
HIPAA EarlyView™ tool
– developed by NC Information & Communication Alliance
– cost effective, uncomplicated, user friendly license
– saves lots of work
– generates reports useful for gap analysis
– http://www.nchica.org/activities/EarlyView/More_info.htm

Organizational Assessment
Conduct survey in bite-sized chunks
Different systems & applications have different security attributes
– Clinical systems
– Clinical operations support
– Finance & electronic commerce
– Laboratory services
– Business & HR systems, etc.

Logistical Considerations
Consider geography, complexities & capabilities
Who will collect & analyze the data?
– Information Security Officer’s role
– Stewards’ & Administrators’ roles

Pitfalls to Avoid
Overanalyzing the requirements & process
– Leads to corporate constipation
– Academics need to put on their operational hats
Garbage in, garbage out
– Must understand the goal & process
– Effective communication & buy-in essential
Don’t sweat the details… for now
– Use a top-down approach, not Band-Aids

Develop Implementation Plan
Strategy must address both administrative & technical levels
– coordinate with e-commerce
– awareness & education
– initiate process changes
– modify systems & applications
– replace systems & applications
Final rule may necessitate minor course changes

Sources
Minnesota Health Data Institute
http://zen.mhdi.org/
North Carolina Healthcare Information and Communication Alliance
http://www.nchica.org/
Massachusetts Health Data Consortium
http://www.mahealthdata.org
Workgroup for Electronic Data Interchange
http://www.wedi.org
HIPAAlert news briefs published by Phoenix Health Systems, Inc.
http://hipaalert.com

III. General Review of HIPAA Privacy Standards

Covered Entities
Health plans
Health care providers who transmit PHI in electronic form in connection with standard transactions
Health care clearinghouses
Short list indirectly expanded through business partner requirements

HIPAA Data
Health information
Individually identifiable health information
Protected health information (PHI)

Protected Health Information
Individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity, and includes such information in any other form (e.g., a printout of electronic data)
45 CFR 164.504

Uses and Disclosures of Protected Health Information
To carry out treatment, payment or health care operations
With patient consent
No consent, but for public health, health oversight, judicial/administrative proceedings, coroners/MEs, law enforcement, …
45 CFR 164.510

Uses and Disclosures Requiring Patient Consent
Requests by patient
Requests by CEs re: marketing, fundraising, employers for employment determinations, non-health related divisions of the CE…
45 CFR 164.508

Fair Information Practices
Series of individual rights
General rule on disclosure
– “Minimum necessary”

Minimum Necessary
To meet the purpose of the use or disclosure
To limit access only to those people who need access to the information to accomplish the use or disclosure.
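The "minimum necessary" rule on this slide and the "least privilege principle" plus "audit controls" of the Technical Security Services slide describe the same mechanism from the privacy and the security side, so one added example serves both; it is not code from the presentation or from Mayo. A role may see only the fields its job needs, every request is recorded in an audit trail including the fields that were refused, and a request that the role may not see at all still leaves an audit entry. The roles, field lists and the PHI record are all constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"time"
)

// Record is a constructed PHI record spanning clinical and billing fields.
type Record struct {
	PatientID string
	Name      string
	Diagnosis string
	Insurer   string
	Balance   float64
}

// allowed maps each role to the fields it needs for its job (assumed roles).
// This table is the "minimum necessary" decision written down once.
var allowed = map[string]map[string]bool{
	"clinician":  {"PatientID": true, "Name": true, "Diagnosis": true},
	"billing":    {"PatientID": true, "Name": true, "Insurer": true, "Balance": true},
	"front-desk": {"PatientID": true, "Name": true},
}

// AuditEntry records who saw what, for which purpose, and what was refused.
type AuditEntry struct {
	When      time.Time
	User      string
	Role      string
	PatientID string
	Purpose   string
	Released  []string
	Denied    []string
}

// Store holds records and the audit trail that every access appends to.
type Store struct {
	records map[string]Record
	Audit   []AuditEntry
}

// NewStore loads the given records, keyed by patient ID.
func NewStore(recs ...Record) *Store {
	s := &Store{records: make(map[string]Record)}
	for _, r := range recs {
		s.records[r.PatientID] = r
	}
	return s
}

// fieldValue renders one named field; the second result is false for unknown names.
func fieldValue(r Record, field string) (string, bool) {
	switch field {
	case "PatientID":
		return r.PatientID, true
	case "Name":
		return r.Name, true
	case "Diagnosis":
		return r.Diagnosis, true
	case "Insurer":
		return r.Insurer, true
	case "Balance":
		return strconv.FormatFloat(r.Balance, 'f', 2, 64), true
	}
	return "", false
}

// Access releases only the requested fields the role may see and audits the
// call, including the fields it refused. Denials are audited before the error
// is returned so that probing for data one may not see leaves a trace.
func (s *Store) Access(user, role, patientID, purpose string, requested []string) (map[string]string, error) {
	perms, ok := allowed[role]
	if !ok {
		return nil, fmt.Errorf("unknown role %q", role)
	}
	rec, ok := s.records[patientID]
	if !ok {
		return nil, fmt.Errorf("no record for %q", patientID)
	}
	out := make(map[string]string)
	entry := AuditEntry{When: time.Now(), User: user, Role: role, PatientID: patientID, Purpose: purpose}
	for _, f := range requested {
		v, exists := fieldValue(rec, f)
		if !exists || !perms[f] {
			entry.Denied = append(entry.Denied, f)
			continue
		}
		out[f] = v
		entry.Released = append(entry.Released, f)
	}
	sort.Strings(entry.Released)
	sort.Strings(entry.Denied)
	s.Audit = append(s.Audit, entry)
	if len(out) == 0 {
		return nil, fmt.Errorf("role %q may not see any of %v", role, requested)
	}
	return out, nil
}

func main() {
	s := NewStore(Record{"P-001", "Jane Doe", "Type 2 diabetes", "Acme Health", 120.50}) // constructed
	got, err := s.Access("bob", "billing", "P-001", "claim submission", []string{"Name", "Diagnosis", "Balance"})
	fmt.Println("released:", got, "err:", err)
	fmt.Printf("audit: %+v\n", s.Audit[0])
}
```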

Notice of Information Practices
An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information
45 CFR 164.512

Access of Individuals to Protected Health Information
Right of access includes access to PHI with
– Health plan
– Health care provider
– Business partner, if records not a duplicate
Access as long as records maintained
45 CFR 164.514

Accounting for Disclosures of Protected Health Information
Right to full accounting of disclosures from CEs, except for treatment, payment and health care operations and for certain disclosures to health oversight or law enforcement agencies.
Right of accounting also applies to business partners
45 CFR 164.515

Right to Request Amendment or Correction
Requests will have to be either accepted or rejected within 60 days
Rejections will require an explanation in plain language
Patients can still file a statement of disagreement - for the record
45 CFR 164.516

Administrative Requirements
Privacy officer
Training
– Everyone likely to obtain access to PHI
Safeguards
– Administrative, technical and physical safeguards to protect privacy
Complaint process
45 CFR 164.518

Documentation, Compliance and Enforcement
Documentation
– Uses and disclosures
– Individual rights
– Administrative requirements
– 6 years
Keep records of compliance activities, permit DHHS access and be nice!
45 CFR 164.520-522

Penalties & Claims
Civil penalties
Criminal penalties
No private cause of action
Third party beneficiary contract claims

Business Partners?

Business Partners
Insurance companies
Law firms
Accountants
IT contractors
Compliance consultants
Insurance brokers

Business Partners
How well do you know them?
How well do you want to know them?
How well should you know them?
Business partners - winners and losers

Satisfactory Assurance: BP will…
Ensure that subcontractors are bound to HIPAA requirements
Make PHI available upon appropriate request
Have an open door for DHHS
Abide by contract termination requirements
Be able to amend/correct PHI upon CE notice

CE Responsibility for BP Violations
Reasonable steps to ensure compliance
– K (contract) due diligence
Tainted by BP breach if CE “knew or should have known” of BP breach and… DID NOTHING… AKA “Ostrich Syndrome”

Business Partners
Basic contract provisions
– Follow HIPAA use and disclosure limits
– Require technical and administrative safeguards for security and privacy
– Reps, warranties, indemnification and deep pockets or certificate of insurance
– Third party beneficiary language
– Termination - give it back or destroy

De-identified PHI
Issue of ownership
– Sale
– Licensing
Requires data be stripped of listed elements
Protections against re-identification
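What "stripped of listed elements" and "protections against re-identification" look like in code, as an added example that is not from the presentation. The slide does not reproduce the regulation's list of elements, so the set of fields stripped here (patient ID, name, street, phone, SSN) and the two coarsenings (birth date to year, ZIP to its first three digits) are assumptions chosen for illustration, not the legal list. Two defences against re-identification are shown: the patient ID is replaced by an HMAC pseudonym whose key stays with the covered entity, so the recipient can neither recompute nor reverse it, and a release check refuses any record in which a stripped value survives, typically because it was pasted into free text. The records are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// PatientRecord is a constructed identifiable record.
type PatientRecord struct {
	PatientID string
	Name      string
	Street    string
	Phone     string
	SSN       string
	BirthDate string // YYYY-MM-DD
	ZIP       string
	Diagnosis string // free text: the usual place identifiers hide
}

// Deidentified keeps the analytic fields and nothing that names the person.
type Deidentified struct {
	Pseudonym string // keyed hash of PatientID; only the key holder can re-link
	BirthYear string
	ZIP3      string
	Diagnosis string
}

// identifiers lists the direct identifiers to strip (an assumed list, not the regulation's).
func identifiers(r PatientRecord) []string {
	return []string{r.PatientID, r.Name, r.Street, r.Phone, r.SSN}
}

// Deidentify removes the direct identifiers, coarsens birth date and ZIP, and
// replaces the patient ID with an HMAC so the covered entity can re-link
// internally while a recipient without linkKey cannot.
func Deidentify(r PatientRecord, linkKey []byte) Deidentified {
	mac := hmac.New(sha256.New, linkKey)
	mac.Write([]byte(r.PatientID))
	out := Deidentified{Pseudonym: hex.EncodeToString(mac.Sum(nil)), Diagnosis: r.Diagnosis}
	if len(r.BirthDate) >= 4 {
		out.BirthYear = r.BirthDate[:4]
	}
	if len(r.ZIP) >= 3 {
		out.ZIP3 = r.ZIP[:3]
	}
	return out
}

// LeaksIdentifier is the release check: it returns every stripped value that
// still appears anywhere in the de-identified output (case-insensitive).
func LeaksIdentifier(r PatientRecord, d Deidentified) []string {
	var leaked []string
	haystack := strings.ToLower(d.Diagnosis + " " + d.BirthYear + " " + d.ZIP3)
	for _, id := range identifiers(r) {
		if id != "" && strings.Contains(haystack, strings.ToLower(id)) {
			leaked = append(leaked, id)
		}
	}
	return leaked
}

// Release de-identifies a batch and returns the releasable records plus the
// patient IDs of records held back because an identifier leaked through.
func Release(recs []PatientRecord, linkKey []byte) ([]Deidentified, []string) {
	var out []Deidentified
	var held []string
	for _, r := range recs {
		d := Deidentify(r, linkKey)
		if len(LeaksIdentifier(r, d)) > 0 {
			held = append(held, r.PatientID) // stays inside the covered entity for review
			continue
		}
		out = append(out, d)
	}
	return out, held
}

// SampleRecords are constructed; the second one carries its own name in free text.
var SampleRecords = []PatientRecord{
	{"P-001", "Jane Doe", "12 Elm St", "555-0100", "123-45-6789", "1961-04-09", "55901", "Type 2 diabetes"},
	{"P-002", "John Roe", "9 Oak Ave", "555-0101", "987-65-4321", "1958-11-30", "55902", "Hypertension; John Roe declined statin"},
}

func main() {
	key := []byte("constructed-linkage-key-kept-by-the-covered-entity")
	released, held := Release(SampleRecords, key)
	fmt.Printf("released %d record(s): %+v\n", len(released), released)
	fmt.Println("held back for review:", held)
}
```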

IV. Facing HIPAA Challenges

Group Discussion of HIPAA Challenges
What are facilities doing now?
Will it be possible to develop uniformity across complex systems?
Should HIPAA standards be adopted for DTM records?

The Corporate Compliance Model
Who leads?
– Compliance Officer
– Security Officer
– Privacy Officer
Gap analysis
– Security standards
– Privacy standards

The Corporate Compliance Model cont’d
Defining areas of exposure
– The Mayo model
– Internal
– External
Plan development, implementation and training
– Integration with compliance program?