0 penilaian0% menganggap dokumen ini bermanfaat (0 suara)
12 tayangan22 halaman
The Health IT Workforce Curriculum was developed for U.S. community colleges to enhance workforce training programmes in health information technology. The curriculum consist of 20 courses of 3 credits each. Each course includes instructor manuals, learning objectives, syllabi, video lectures with accompanying transcripts and slides, exercises, and assessments. The materials were authored by Columbia University, Duke University, Johns Hopkins University, Oregon Health & Science University, and University of Alabama at Birmingham. The project was funded by the U.S. Office of the National Coordinator for Health Information Technology. All of the course materials are available under a Creative Commons Attribution Noncommercial ShareAlike (CC BY NC SA) License. The course description, learning objectives, author information, and other details may be found at http://archive.org/details/HealthITWorkforce-Comp02Unit09. The full collection may be browsed at http://knowledge.amia.org/onc-ntdc or at http://www.merlot.org/merlot/viewPortfolio.htm?id=842513.
The Health IT Workforce Curriculum was developed for U.S. community colleges to enhance workforce training programmes in health information technology. The curriculum consist of 20 courses of 3 credits each. Each course includes instructor manuals, learning objectives, syllabi, video lectures with accompanying transcripts and slides, exercises, and assessments. The materials were authored by Columbia University, Duke University, Johns Hopkins University, Oregon Health & Science University, and University of Alabama at Birmingham. The project was funded by the U.S. Office of the National Coordinator for Health Information Technology. All of the course materials are available under a Creative Commons Attribution Noncommercial ShareAlike (CC BY NC SA) License. The course description, learning objectives, author information, and other details may be found at http://archive.org/details/HealthITWorkforce-Comp02Unit09. The full collection may be browsed at http://knowledge.amia.org/onc-ntdc or at http://www.merlot.org/merlot/viewPortfolio.htm?id=842513.
The Health IT Workforce Curriculum was developed for U.S. community colleges to enhance workforce training programmes in health information technology. The curriculum consist of 20 courses of 3 credits each. Each course includes instructor manuals, learning objectives, syllabi, video lectures with accompanying transcripts and slides, exercises, and assessments. The materials were authored by Columbia University, Duke University, Johns Hopkins University, Oregon Health & Science University, and University of Alabama at Birmingham. The project was funded by the U.S. Office of the National Coordinator for Health Information Technology. All of the course materials are available under a Creative Commons Attribution Noncommercial ShareAlike (CC BY NC SA) License. The course description, learning objectives, author information, and other details may be found at http://archive.org/details/HealthITWorkforce-Comp02Unit09. The full collection may be browsed at http://knowledge.amia.org/onc-ntdc or at http://www.merlot.org/merlot/viewPortfolio.htm?id=842513.
Security Lecture a This material (Comp2_Unit9a) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. Privacy, Confidentiality, and Security Learning Objectives Define and discern the differences between privacy, confidentiality, and security (Lecture a) Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b) Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy Rule (Lecture c) Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d) 2 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Privacy, Confidentiality, and Security Definitions Concerns Privacy Security Tools for protecting health information HIPAA Privacy Rule Security Rule Enhancements in HITECH Implications
3 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Definitions Privacy The right to be left alone The right to keep personal information secret The right to control personal information Confidentiality Sharing or disseminating data only to those with a need to know Security Mechanisms to assure the safety of data and systems in which the data reside 4 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Definitions (continued) Individually identifiable health information (IIHI) any data that can be correlated with an individual Protected health information IIHI as defined by HIPAA Privacy Rule Consent (in context of privacy) written or verbal permission to allow use of your IIHI 5 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Concerns about Privacy Personal privacy vs. common good Continued disclosures Concerns of public De-identified data 6 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Personal Privacy vs. the Common Good Concerns expressed in ACLU video (ACLU, nd.) http://www.aclu.org/ordering-pizza There is a spectrum of views One end holds that while personal privacy is important, there are some instances when the common good of society outweighs it, such as in biosurveillance (Gostin, 2002; Hodge, 1999) The other end holds that personal privacy trumps all other concerns (Privacy Rights Clearinghouse, 2009; see also Deborah Peel, MD and www.patientprivacyrights.org) More balanced views? (CHCF, 2008; Detmer, 2010; ACP, 2011) Where do your views fit? 7 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Patient Information Disclosures Continue Some high-profile earlier instances Portland, OR Thieves broke into a car with back-up disks and tapes containing records of 365,000 patients (Rojas-Burke, 2006) Several episodes from VA, e.g., laptop with data of >1 million veterans, recovered without apparent access (Lee, 2006) Recent data documents continuing instances Privacy Rights Clearinghouse provides searchable Chronology of Data Breaches not limited to medical http://www.privacyrights.org/data-breach HHS must post list of breaches of unsecured protected health information affecting 500 or more individuals (wall of shame) http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationru le/breachtool.html By end of 2011, 380 incidents posted affecting 18,059,831 individuals 8 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Breaches adversely impact organizations (Ponemon, 2011) Number increased by 32% in 2011 over 2010 Average cost per breach to organization was $2.2 million, taking 1-6 months to resolve Significant part of cost was lost business 41% discovered as result of patient complaint Top causes of data breaches Unintentional employee action Lost or stolen computing devices Third-party problem Most organizations believe EHR makes data more secure 9 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Newer Challenges from Proliferation of Technologies and Applications Growing use of electronic data in clinical workflows Health information exchange (HIE) moves data across networks Cloud computing changes perimeter of data protection New models of care (e.g., accountable care organizations) require more members of team to access information Clinicians want to use their own devices (e.g., personal laptops, tablet devices, smartphones, etc.) 10 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Some Technologies Can Worsen the Problem USB (thumb) drives run programs when plugged into USB port; can be modified to extract data from computer (Wright, 2007) Personal health records based on Microsoft Access can easily have encryption compromised (Wright, 2007) 10% of hard drives sold by a second-hand retailer in Canada had remnants of personal health information (El Emam, 2007) Peer-to-peer (P2P) file sharing 0.5% of all US IP addresses have PHI (El Emam, 2010) Digital photocopiers store all copies made (Keteyian, 2010) 11 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Healthcare Organizations are not Well- Prepared for Security Deloitte, 2009 Data leakage is a primary threat Identity and access management is a top priority Trend towards outsourcing raises many third-party security concerns Role of Chief Information Security Officer (CISO) has taken on greater significance As security environment becomes more complex and regulation continues to grow, security budgets not keeping pace HIMSS Analytics annual security readiness survey (2010) Healthcare organizations not keeping pace with security threats and readiness for them 85% of organizations share electronic data but only 61% perform a risk analysis annually or more frequently 12 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a What is the Role of Governments? National Center for Vital & Health Statistics (NCVHS) recommendations 26 recommendations for policy concerning health privacy for the Nationwide Health Information Network (NHIN) (Cohn, 2006) Further elaborated recommendations for personal control and call for consistent and coherent policy (Cohn, 2008) Health Information Security and Privacy Collaboration (HISPC) assessed 42 states and territories, finding diverse approaches and laws, making nationwide approaches difficult (HHS, 2010) ONC has established Privacy & Security Tiger Team to develop policies and vet with other policy and standards committees 13 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a What Do Other Governments Do? European Commission Directive 95/46/EC (EC, 2007) Stringent rules allow data processing only with consent or highly specific circumstances (legal obligation, public necessity) Countries that implement Directive 95/46/EC provide examples for how consent for use of information on Nationwide Health Information Network (NHIN) may proceed in US (Pritts, 2007) 14 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Related Issues for Medical Privacy Who owns medical information? Easier to answer with paper systems, but growing view is the patients own it, which has economic implications (Hall, 2009; Rodwin, 2009) Compelled disclosures (Rothstein, 2006) We are often compelled to disclose information for non-clinical care reasons The ultimate personal identifier may be ones genome (McGuire, 2006) Even de-identified data may compromise privacy (Malin, 2005) Genome of family members can identify siblings (Cassa, 2008) Data from genome-wide association studies can reveal individual level information (Lumley, 2010) 15 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Health Information Rights Declaration of Health Data Rights from a group of (mostly) PHR vendors (HealthDataRights.org) Have the right to our own health data Have the right to know the source of each health data element Have the right to take possession of a complete copy of our individual health data, without delay, at minimal or no cost; if data exist in computable form, they must be made available in that form Have the right to share our health data with others as we see fit AHIMA Health Information Bill of Rights (2009) Slightly more detailed but with similar provisions 16 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Is de-identified data more secure? Not necessarily Sweeney, 1997; Sweeney, 2002 87% of US population uniquely identified by five-digit zip code, gender, and date of birth Identified William Weld, governor of Massachusetts, in health insurance database for state employees by purchasing voter registration for Cambridge, MA for $20 and linking zip code, gender, and date of birth to de-identified medical database Genomic data can aid re-identification in clinical research studies (Malin, 2005; Lumley, 2010) Social security numbers can be predicted from public data (Acquisti, 2009) 17 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a How Governor Weld was Identified 9.1 Figure. The overlapping data enabled identification of the Governor. (Adapted from Sweeney, 1997). 18 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Privacy, Confidentiality, and Security Summary Lecture a Privacy is the right to keep information to ones self, whereas confidentiality is the right to keep information about ones self from being disclosed to others For many reasons, breaches and disclosures of patient information are increasing De-identified information is not necessarily more secure 19 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Privacy, Confidentiality, and Security References Lecture a References ACLU. (nd.). Video depicting a pizza company having access to a customers medical records. http://www.aclu.org/ordering-pizza. Last accessed Jan 2012. Acquisti, A., & Gross, R. (2009). Predicting Social Security numbers from public data. Proceedings of the National Academy of Sciences, 106, 10975-10980. Anonymous. (2005). National Consumer Health Privacy Survey 2005. Oakland, CA: California Health Care Foundation. Retrieved from http://www.chcf.org/topics/view.cfm?itemID=115694 Anonymous. (2007). Data Protection in the European Union. Brussels, Belgium: European Commission. Retrieved from http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm Anonymous. (2010c). The Health Information Security and Privacy Collaboration (HISPC). Washington, DC: Department of Health and Human Services. Retrieved from http://healthit.hhs.gov/portal/server.pt?open=512&mode=2&cached=true&objID=1240 Anonymous. (2011a). Health Information Technology & Privacy. Philadelphia, PA: American College of Physicians. Retrieved from http://www.acponline.org/advocacy/where_we_stand/policy/hit_privacy.pdf Anonymous. (2011b). Second Annual Benchmark Study on Patient Privacy and Data Security. Traverse City, MI: Ponemon Institute. Retrieved from http://www2.idexpertscorp.com/ponemon-study-2011/ Cassa, C., Schmidt, B., Kohane, I., & Mandl, K. (2008). My sister's keeper?: genomic research and the identifiability of siblings. BMC Medical Genomics, 1, 32. Retrieved from http://www.biomedcentral.com/1755- 8794/1/32 Cohn, S. (2006). Privacy and Confidentiality in the Nationwide Health Information Network. Washington, DC: National Committee for Vital and Health Statistics. Retrieved from http://www.ncvhs.hhs.gov/060622lt.htm
20 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Privacy, Confidentiality, and Security References Lecture a (continued) References (continued) Cohn, S. (2008). Individual control of sensitive health information accessible via the Nationwide Detmer, D. (2010). Activating a full architectural model: improving health through robust population health records. Journal of the American Medical Informatics Association, 17, 367-369. ElEmam, K., Neri, E., Jonker, E., Sokolova, M., Peyton, L., Neisa, A., & Scassa, T. (2010). The inadvertent disclosure of personal health information through peer-to-peer file sharing programs. Journal of the American Medical Informatics Association, 17, 148-158. Gostin, L., & Hodge, J. (2002). Personal privacy and common goods: a framework for balancing under the national health information privacy rule. Minnesota Law Review, 86, 1439-1479. Retrieved from http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID346506_code021104630.pdf Hall, M., & Schulman, K. (2009). Ownership of medical information. Journal of the American Medical Association, 301, 1282-1284. Hodge, J., Gostin, L., & Jacobson, P. (1999). Legal issues concerning electronic health information: privacy, quality, and liability. Journal of the American Medical Association, 282, 1466-1471. Keteyian, A. (2010, April 15, 2010). Digital Photocopiers Loaded With Secrets. CBS News. Retrieved from http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml Lee, C., & Goldfarb, Z. (2006, June 30, 2006). Stolen VA Laptop and Hard Drive Recovered, Washington Post, p. A01. Retrieved from http://www.washingtonpost.com/wp-dyn/content/article/2006/06/29/AR2006062900352.html Lumley, T., & Rice, K. (2010). Potential for revealing individual-level information in genome-wide association studies. Journal of the American Medical Association, 303, 859-860. McGuire, A., & Gibbs, R. (2006). No longer de-identified. Science, 312, 370-371. Malin, B., & Sweeney, L. (2005). How (not) to protect genomic data privacy in a distributed network: using trail re- identification to evaluate and design anonymity protection systems. Journal of Biomedical Informatics, 37, 179- 192.
21 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a Privacy, Confidentiality, and Security References Lecture a (continued) References (continued) Ponemon, L., & Kam, R. (2010). Benchmark Study on Patient Privacy and Data Security. Traverse City, MI: Ponemon Institute. Retrieved from http://www2.idexpertscorp.com/ponemonstudy Pritts, J., & Connor, K. (2007). The Implementation of E-consent Mechanismsin Three Countries: Canada, England, and the Netherlands. Washington, DC: Substance Abuse and Mental Health Services Administration. Retrieved from http://ihcrp.georgetown.edu/pdfs/prittse-consent.pdf Rodwin, M. (2009). The case for public ownership of patient data. Journal of the American Medical Association, 302, 86-88. Rojas-Burke, J. (2006, January 27, 2006). Providence critics push for safer records, The Oregonian. Retrieved from http://www.oregonlive.com/news/oregonian/index.ssf?/base/news/1138334121232950.xml&coll=7 Rothstein, M., & Talbott, M. (2006). Compelled disclosure of health information: protecting against the greatest potential threat to privacy. Journal of the American Medical Association, 295, 2882-2885. Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data, the Datafly System. Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51-55. Wright, A., & Sittig, D. (2007a). Encryption characteristics of two USB-based personal health record devices. Journal of the American Medical Informatics Association, 14, 397-399. Wright, A., & Sittig, D. (2007b). Security threat posed by USB-based personal health records. Annals of Internal Medicine, 146, 314-315.El Emam, 2007
Figure 9.1 Figure 1 Adapted from Sweeney, L. (1997). Guaranteeing anonymity when sharing medical data, the Datafly System. Proceedings of the 1997 AMIA Annual Fall Symposium, Nashville, TN, 51-55.
22 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture a