Ira Rothman - eHealth Privacy and Security

"eHealth Privacy and Security" was presented at the Center for Health Literacy Conference 2011: Plain Talk in Complex Times by Ira J. Rothman, MBA, CPHIMS, CIPP, Senior Vice President and Privacy Official, MAXIMUS.

Description: This session will provide an overview of the principal eHealth privacy and security issues. Understand the basic privacy and security issues that impact Protected Health Information (PHI) and what you can do to protect yourself and your patients or clients.

  • 1. eHealth Privacy and Security: Plain Talk in Complex Times
    By: Ira J. Rothman, MBA, CPHIMS, CIPP
    Senior Vice President – Privacy Official
    September 23, 2011
  • 2. Agenda
    eHealth Privacy in the News
    eHealth Privacy Concerns
    HIPAA – the Legal Basis for eHealth Privacy
    eHealth Security Concerns
    Privacy Actions You Should Take
    Security Actions You Should Take
    Sept 23, 2011
  • 3. eHealth Privacy in the News
    Privacy issues getting major attention by Congress and the media
    New York Times front page Friday, Sept 9, 2011
    Medical Data of Thousands Posted Online
    Billing Vendor Handled Leaked Records
    “Everyone with an electronic medical record is at risk, and that means everyone.”
  • 4. eHealth Privacy in the News
    HHS Recently Sent Breach Report to Congress
    Department of Health and Human Services (HHS) reported to Congress that 5.4 million individuals were affected by breaches of protected health information (PHI) in 2010
    207 breaches involved over 500 individuals per breach
    5.4 million individuals notified
    25,000 breaches involved less than 500 individuals per breach
    50,000 individuals notified
    Five general causes in the report of large breaches
    Loss of electronic media or paper records containing PHI
    Unauthorized access to, use, or disclosure of PHI
    Human error
    Improper disposal
    Majority of small breaches involved misdirected communications and affected just one individual each on average.
  • 5. eHealth Privacy Concerns
    What is privacy?
    The right to keep something confidential until the owner chooses to reveal it.
    E.g., sending an envelope with the contents not revealed. The information inside remains private until the addressee opens the envelope.
    What is Protected Health Information (PHI)?
    Who defines it?
    Who can look at it?
    Common concerns
    Medical staff and others looking at PHI they have no need or right to review
    Employers and others (e.g., government, police) reviewing PHI to make decisions
    Outsiders gaining access to private emails
  • 6. HIPAA – the Legal Basis for eHealth Privacy
    HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
    HIPAA sets federal requirements for handling Protected Health Information (PHI). It gives individuals privacy rights and imposes requirements on health-related companies including providers, insurers, and government agencies on how to handle PHI.
    The HIPAA rules were modified by the American Recovery and Reinvestment Act (ARRA) effective February 18, 2009.
    Includes the Health Information Technology for Economic and Clinical Health (HITECH) Act
    Extends privacy and security coverage to business associates
    Establishes breach notification requirements
    Maximum penalty amount of $1.5 million
  • 7. The HIPAA Privacy Rule and PHI
    The HIPAA Privacy Rule states that health care organizations must protect the privacy of individuals' medical records and other personal health information. Individuals' data must be protected from intentional or unintentional use or disclosure, except for legitimate medical or business reasons.
    Protected Health Information (PHI) is information that can be used to identify an individual or that relates to that individual's:
    Past, present or future physical or mental condition
    Health care provided to that individual
    Payment for health care
    PHI includes all individually identifiable health information. This includes:
    Name, address, phone numbers, date of birth
    Social Security Number
    Payment for health care
    Insurance coverage or enrollment/disenrollment
    Medical, dental, or prescription drug records
    Health plan beneficiary number
    Participation status in a government program
    Hospital admittance and discharge dates
  • 8. State Privacy and Security Regulations
    45 states have laws governing privacy and security
    Most deal with electronic transmission of data on the internet or breaches of personal information
    Personal information can include name, social security number, credit card number, birth date and other identifying information
    Penalties often include civil fines
  • 9. eHealth Security Concerns
    What is security?
    Security is the degree of protection against danger, damage and loss.
    E.g., sending an envelope with the contents protected from prying eyes. Security is the ability to keep the envelope from being opened or seen into until it arrives at the addressee and they decide to open it.
    What are common eHealth Security concerns?
    Personal information including health and financial information being available on the internet for anyone to see
    Employers, contractors, vendors or others with personal information databases may inadvertently expose the data to search engines, e.g., Google, violating privacy.
    Information sent over the internet may be intercepted.
    Information on hard drives or other portable storage devices containing PHI being lost or stolen. Someone can then sell this information or use it for identity theft.
    PHI in electronic records being looked at by people who have no need or right to look at it
  • 10. Privacy Actions You Should Take
    Create strong privacy and security policies and procedures
    Enforce policies with sanctions
    Required by HIPAA
    Have a sanctions policy defining penalties for serious violations, e.g., removing PHI from the facility against policy, unauthorized access.
    Define who can look at PHI
    Only those with a need to know
    Define security policies and procedures to support the privacy policy
    Control and log access
    Privacy and security need to work together
    Educate staff concerning privacy and security
    HIPAA requires training appropriate to employee job responsibilities
    Deliver annual refresher
    Value staff who recognize privacy risks and correct or report them
  • 11. Privacy Actions You Should Take
    Make sure subcontractors are following HIPAA privacy regulations
    Many subcontractors (also called business associates) that handle PHI may not have adequate privacy and security policies and procedures in place
    A legal agreement (business associate agreement) is required by HIPAA defining their responsibilities
    Conduct audits to verify compliance
    Frequent cause of breaches is subcontractor lack of attention to privacy and security
    Don’t forget to shred paper
    Cross cut shredder best for shredding documents containing PHI
    Perform a risk assessment
    Survey the environment with an open mind to identify risks
    Develop and implement a strategy to mitigate risks
  • 12. Security Actions You Should Take
    Focus on reducing corporate and personal risks
    Use strong passwords
    At least 8 characters, consisting of upper and lower case letters, numbers and special characters.
    Don’t use easily guessed words
    Put a password on your smartphone or tablet
    Have the device lock automatically and require the password after a short idle period, e.g., 10 minutes
    Don’t use Wi-Fi in a public place to access a website containing personal information
    Be particularly aware of web sites that don’t use https as part of the web address
    Wi-Fi traffic can be intercepted
    Don’t use email or text messages or Twitter to send personal information
    Use encryption for email if it is available.
  • 13. Security Actions You Should Take
    Don’t post personal information on web sites that may be subject to breach, e.g., Facebook.
    Privacy policies change frequently with no notice
    Private information may be made public
    Use antivirus software
    Detects and removes malicious software
    Keep up to date with subscriptions
    Can detect and protect against new threats
    Use encryption
    Makes data unreadable to unauthorized viewers.
    Encrypt data on hard drives and other removable memory, e.g. USB sticks.
    Commercial software is available to encrypt entire hard drives.
    Make sure it meets the FIPS 140-2 standard (i.e., the standard set by a federal agency)
    Common cause of data breach is lack of appropriate encryption.
  • 14. Security Actions You Should Take
    Educate staff and family
    Malware or malicious software includes
    Don’t open unsolicited attachments.
    Malware may be hidden in the attachment
    Users should lock their screens when away from their desks.
    Set screen saver password
    Don’t click on popup ads while surfing the web.
    Another opportunity for malware to be installed.
    Report strange activity to network administration.
    Could reflect malware installed on computer
  • 15. Questions?
    Contact information
    Ira J. Rothman
    Senior Vice President – Privacy Official
    MAXIMUS, Inc.
    Phone: 916-673-4152
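As an added example (not part of the slides), the password rule from slide 12 turned into a small Python policy checker: it enforces the stated length and character-class rule and also rejects easily guessed words, including ones disguised with common letter-for-symbol substitutions. The word list and substitution map are constructed assumptions for illustration; a real deployment would use a large breached-password list.

```python
import re

# Constructed sample of easily guessed words (assumption; a real list is far larger).
EASILY_GUESSED_WORDS = ("password", "welcome", "letmein", "qwerty", "maximus", "hipaa", "health")

# Common substitutions people use to make a guessable word satisfy class rules.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Undo common symbol-for-letter substitutions and lowercase the result."""
    return password.translate(LEET_MAP).lower()


def has_sequence(password: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one (abcd, 4321)."""
    s = password.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str, extra_words=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    extra_words lets the caller add context-specific words (user name, employer, etc.).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    norm = normalize(password)
    for word in (*EASILY_GUESSED_WORDS, *extra_words):
        if word.lower() in norm:
            problems.append(f"contains easily guessed word '{word}'")
    if re.search(r"(.)\1{2,}", password):
        problems.append("contains a character repeated 3 or more times")
    if has_sequence(password):
        problems.append("contains a sequential run such as 1234 or abcd")
    return problems
```

Note that "P@ssw0rd1" satisfies every character-class rule yet is rejected, because normalization reveals the dictionary word behind the substitutions.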