This presentation addresses in brief questions about the US health care data privacy, security and data breach notification regulatory scheme known as HIPAA, its application to the Medicine 2.0 environment, and how it might be re-imagined -- to give you a glimpse of what works, what doesn't - what's broken, what can be fixed, and how it might be fixed in a way that makes sense for the health care system and for patients.
Editor's notes
Good morning. My name is David Harlow. I am a health care attorney and consultant based here in Boston. You can find me online as HealthBlawg. I'm going to discuss in brief this morning questions about the US health care data privacy, security and data breach notification regulatory scheme known as HIPAA, its application to the Medicine 2.0 environment, and how it might be re-imagined -- to give you a glimpse of what works, what doesn't - what's broken, what can be fixed, and how it might be fixed in a way that makes sense for the health care system and for patients. Some of these observations will apply to the relevant EU directives as well ... but don't hold me to it ....
When it comes to health care privacy and security ... we are caught betwixt and between - pulled in different directions. The initial HIPAA regulations have been revised under the HITECH Act, but the final consolidated HIPAA regulation is now in the final stage of regulatory review -- ONC -- the Office of the National Coordinator for Health IT has signed off on it, and now OMB - the Office of Management and Budget - has the regulation for review ... and apparently has had it for several months already.
On the one hand we have organizations such as the Center for Democracy & Technology - and even the US GAO - Government Accountability Office - telling us that privacy and security protections under HIPAA are inadequate, that rules need to be changed to ensure adequate protection of health, or at the very least that guidance and oversight efforts need to be improved. On the other, many patients would rather be able to share more than they can now --- folks who have shared data through websites such as PatientsLikeMe, who want to share personal information about themselves, their conditions, in order to seek out help, management of their conditions, helping others,
I think we can all agree that the laws and regulations in question are essentially out of date, because the pace of change in the technology of health IT easily outstrips our ability to regulate it. For example, in order to be considered de-identified, a patient record must have 18 specific types of information stripped out: name, address, etc. Know what #18 is? ... Anything else that may be used to re-identify the de-identified data ... thus, since more and more data is published online every day, it becomes easier to re-identify every day.
Example: TX recently adopted a more aggressive privacy law that covers more categories of records and people, and has higher fines than the federal rules. This law also requires any business associate of any Texas-based covered entity to conduct training to the TX standards.
In addition, our whole concept of privacy has evolved in the age of social media, but our legal system governing privacy of health data has not. Though there are situations where health care provider organizations could be doing a better job of protecting the privacy and security of health information --- e.g., one of our local health care systems was in the paper recently because psych records were available to all clinicians in the system -- some folks don't want the rules tightened up too much, because then it makes daily tasks harder to complete.
And frankly, many -- not all, but many -- of the data breaches reported under HIPAA/HITECH, and posted on the HHS/OCR 'wall of shame', have had no real world effect on patients -- the laptop stolen from a rental car is going to be fenced by a junkie and sold for parts, not hacked by a data thief who's going to sell identities on the black market.
In other contexts we share so much information: photos, where am I right now ... but in health care it's a small vanguard of patients, e-patients, engaged, empowered, enabled patients, who are doing this sort of sharing ... but numbers are growing. Casting aside concerns about privacy can pay off by yielding information --
> If we are serious about Medicine 2.0 helping patients and helping populations, we need to systematize the ability to share on a customized basis. Address this either with better protections, clearer permission to share openly - controlled by patient
What one researcher calls 'context-relative informational norms': what I tell my doctor I don't tell my banker, and vice versa. Nissenbaum argues that the real problem "is the inappropriateness of the flow of information due to the mediation of technology." In her scheme, there are senders and receivers of messages, who communicate different types of information with very specific expectations of how it will be used. Privacy violations occur not when too much data accumulates or people can't direct it, but when one of the receivers or transmission principles change. The key academic term is "context-relative informational norms." Bust a norm and people get upset. >> So/ Plant a carrot,/ Get a carrot, Not a Brussels sprout./ That's why I love vegetables./ You know what you're about!
So let's talk about modes of sharing --- blue button, green button, rainbow button
- blue button - VA, flat ASCII
- green button - concept discussed on e-patients.net ... patient controls sharing of data
- rainbow button - [turn around – rainbow-friendship-bracelet] - an individual should be able to dial in a customized approach to sharing his or her own health data -- make it all open, like the Harvard researcher who posted his medical record online; make part of it open; give part of it to a data repository that allows data to be mined --- donate the data, or sell the data ... third parties are monetizing the data, so why not patients?
I'd like to see a robust market for personal health data with the patient at the center.
This approach lets the patient choose between the lockdown and the open door.
Thank you for your attention, and I will be happy to turn to questions and discussion.