Introduction – My role as an attorney at MDCH is to advise staff on privacy issues across all of the Department’s programs, which include the Medicaid program, public health activities and programs, as well as behavioral health, substance abuse, and developmental disabilities programs. MDCH is one of the largest state government agencies, and is responsible for health policy and management of the state's publicly-funded health service systems.About 2 million Michigan residents will receive services this year that are provided with total or partial support from MDCH.MDCH has 2013 total funding of $15 billion and approximately 3,100 employees. Working on HIE issues is one small subset of the work I do for the Department.
A quick disclaimer - I’m an attorney and DCH is my client. I advise DCH on how it might share information through its data hub to MiHIN and on other legal issues. But I can’t advise other individuals or organizations outside of DCH because they are not my clients. But I can share with you my perspective on privacy issues.
Figuring out the relationship between entities that want to share data and the technical infrastructure supporting that data sharing can get really abstract and complicated. I try to simplify things with the following analysis:Asking “who” helps identify the obligations that entity might have. For example, under HIPAA, DCH is a hybrid covered entity. So HIPAA applies to some offices within DCH when sharing protected health information and HIPAA doesn’t apply to other offices within DCH when sharing information.Asking “what information” is the key question because that question leads us to what laws might protect the confidentiality of the information. And those laws also describe how that information might be shared and what authorization might be needed. Asking “with whom” allows us to discover whether we can share the information with that entity given the confidential protections. The information might be used internally and therefore there might be few if any limits how it might be shared. Under HIPAA, we know that info can be shared without patient authorization by a covered entity to another covered entity or a provider if the information is disclosed for treatment, payment, or health care operations. On the other hand, if the protected health information is disclosed to a business associate of a covered entity, then there are other legal obligations on the business associate for protecting the confidentiality of the information.Asking “for what purpose” allows me to determine whether the information can be shared consistent with any applicable confidentiality laws. For example, HIPAA has specific exceptions, like public health, research, and others, that allow for the disclosure of PHI.
HIPAA & Other Compliance:As many of you probably know, the Office for Civil Rights has been ramping up its HIPAA enforcement and audit activities. It’s really important now to properly document your organization’s compliance so that you do not face millions of dollars in penalties from OCR. I was at a conference earlier this year, and one of the speakers from OCR discussed the results of recent HIPAA compliance audits. OCR audited a range of entities – from large hospitals to small providers. Only 11% of the 115 entities audited as of Dec 2012 had no findings. By compliance I mean the proper legal agreements in place, documenting business flows and processes, documenting policies and procedures regarding information privacy and security, and training of staff members. Given the culture of enforcement at OCR, it is extremely important to evaluate internally compliance with HIPAA on a periodic basis. By other compliance, I mean that it is also important to take similar steps to document policies, procedures, training, etc for other confidentiality laws that may apply to your practice or organization – for example, HIV/AIDS data, mental health, substance abuse, and so on.Mobile Devices:The increased use of mobile devices – laptops, smart phones, and even jump drives – allows us to have more flexibility in where and when we work, but it also increases the potential for an unauthorized use or disclosure of PHI or other confidential information. For example, OCR has published a list of the top five compliance issues over the last decade, and from 2004-2010 (last year published) the number one compliance issue was impermissible uses and disclosures. Mobile devices increase the risk of an unauthorized disclosure because they are out and about with us, and they can easily be lost or stolen, creating additional opportunities for unauthorized access to confidential information. Coordination with Security:To me, privacy and security are separate but interrelated concepts and functions. I agree with the errors that Dan identified, especially the one about basing security on systems rather than on the critical data. Privacy laws can help identify the critical data elements that have to be protected from use or disclosure in some way, and security, from a technological standpoint, can provide the solution to accomplish protecting the data (encryption, role-based access, authentication, etc.). Security solutions may go further than what HIPAA or other privacy laws require for compliance. The point is that privacy and security staff within an organization need to work together to accomplish protecting the privacy rights of individual’s information, as well as the security and integrity of the data itself.
Mental Health & Substance Abuse:I participate in MiHIN’s privacy work group, and one of the issues we are working through is how mental health and substance abuse information, both of which have more stringent privacy protections than HIPAA, will be utilized through HIE technology. How is consent managed? Where are documents stored? Who is liable? This is also an issue for any information that is protected by laws that are more stringent than HIPAA.Public Trust & Buy-in:I heard another speaker at the conference I mentioned that I attended earlier this year who spoke about privacy as an “enabler” to the flow of information. What I think she meant by this is that if the public does not trust the HIE system, they might engage in “privacy-protective” behavior. For example, they might opt-out altogether or they might not allow all of their health information to be disclosed to a provider. This could have real consequences in terms of the quality of medical care – just like withholding information from a doctor about drug use or prescriptions can compromise that providers ability to treat you. Public education and knowledge about how the HIE functions, how their information might be shared, the privacy and security protections in place will help to build the public’s trust and minimize “privacy-protective” behavior.
Carrie Waggoner Cyber Security Panel
Health Information Privacy
Connecting Michigan For Health, June 6, 2013
To identify what requirements must be
met to share information, ask:
• Who is sharing
• With whom
• For what purpose
Important Privacy Issues:
• HIPAA & Other Compliance
• Mobile Devices
• Coordination with Security
Important Privacy Issues in the HIE
• Mental Health & Substance Abuse
• Public Trust & Buy-in