Confidentiality, Privacy and Security - PowerPoint PPT Presentation

About This Presentation
Title:

Confidentiality, Privacy and Security

Description:

http://www.cs.princeton.edu/courses/archive/spr02/cs495/Confidentiality%20Privacy%20and%20Security.ppt Confidentiality, Privacy and Security C. William Hanson M.D. – PowerPoint PPT presentation

Slides: 118
Provided by: engrUcon67
Transcript and Presenter's Notes

Title: Confidentiality, Privacy and Security


1
Confidentiality, Privacy and Security
http://www.cs.princeton.edu/courses/archive/spr02/cs495/Confidentiality%20Privacy%20and%20Security.ppt
  • C. William Hanson M.D.
  • Professor of Anesthesiology and Critical Care
  • CS Department
  • Princeton University

2
Privacy
  • The desire of a person to control the disclosure
    of personal health information

3
Confidentiality
  • The ability of a person to control release of
    personal health information to a care provider or
    information custodian under an agreement that
    limits further release of that information

4
Security
  • Protection of privacy and confidentiality through
    policies, procedures and safeguards.

5
Why do they matter?
  • Ethically, privacy and confidentiality are
    considered to be rights (in our culture)
  • Information revealed may result in harm to
    interests of the individual
  • The provision of those rights tends to ensure
    that the information is accurate and complete
  • Accurate and complete information from
    individuals benefits society in limiting spread
    of diseases to society (i.e. HIV)

6
Why do they matter?
  • The preservation of confidentiality assists
    research which in turn assists patients

7
Users of health information
  • Patient
  • Historical information for current and future
    care
  • Insurance claims
  • MDs
  • Patient's medical needs
  • Documentation
  • Interface with other providers
  • Billing

8
Users
  • Health insurance company
  • Claims processing
  • Approve consultation requests
  • Laboratory
  • Process specimens
  • Results reporting
  • Billing

9
Users
  • Pharmacy
  • Fill prescription
  • Billing
  • Hospital
  • Care provision
  • Record of services
  • Billing
  • Vital statistics
  • Regulatory agencies

10
Users
  • State bureau
  • Birth statistics
  • Epidemiology
  • Accrediting organization
  • Hospital review
  • Employer
  • Request claims data
  • Review claims for reduction
  • Benefits package adjustments

11
Users
  • Life insurance companies
  • Process applications
  • Process claims
  • Risk assessment
  • Medical information bureau
  • Fraud reduction for life insurance companies
  • Managed care company
  • Process claims
  • Evaluate MDs

12
Users
  • Lawyers
  • Adherence to standard of practice
  • Malpractice claims
  • Researcher
  • Evaluate research program

13
Security
  • Availability
  • Accountability
  • Perimeter definition
  • Rule-limited access
  • Comprehensibility and control

14
Privacy solutions
  • Forbid the collection of data that might be
    misused
  • Allow the collection of health information within
    a structure, but with rules and penalties for
    violation pertaining to collecting organizations
  • Generate policies to which individual information
    handlers must adhere

15
Security controls
  • Management controls
  • Program management/risk management
  • Operational controls
  • Operated by people
  • Technical controls
  • Operated by the computer system

16
Management controls
  • Establishment of key security policies, i.e.
    policies pertaining to remote access
  • Program policy
  • Definition, scope, roles and responsibilities of
    the computer security program
  • Issue specific policy
  • Example: Y2K
  • System specific policy
  • Who can access what functions where

17
Core security policies
  • Confidentiality
  • Email
  • System access
  • Virus protection
  • Internet/intranet use
  • Remote access
  • Software code of ethics
  • Backup and recovery
  • Security training and awareness

18
Biometrics
  • The scientific discipline of measuring relevant
    attributes of living individuals or populations
    to identify active properties or unique
    characteristics
  • Can be used to evaluate changes over time for
    medical monitoring or diagnosis
  • Can be used for security

19
Approaches to identification
  • Token based: simple security
  • House key, security card, transponder
  • Knowledge based
  • SSN, password, PIN
  • Two-factor
  • Card + PIN

[Diagram labels: ID, Authentication, Card, PIN, Access]

20
Approaches to identification
  • Authoritative ID

[Diagram labels: Access, T, ID, Authentication, Policy, F, Audit]

21
Identification
  • Certain and unambiguous
  • Deterministic
  • Certain with small probability of error
  • Probabilistic
  • Uncertain and ambiguous
  • Biometric schemes are probabilistic

22
Probabilistic
  • False acceptance rate (type I error)
  • Percentage of unauthorized attempts that will be
    accepted
  • Also relevant for medical studies
  • False rejection rate (type II error)
  • Percentage of authorized attempts that will be
    rejected
  • Also relevant for medical studies
  • Equal error rate
  • Intersection of the lowest FAR and FRR
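
The error rates on this slide, worked through as an added example (not part of the original slides). The match scores are constructed, and the convention that a higher score means a closer template match is an assumption.

```python
"""FAR, FRR and equal error rate over constructed biometric match scores."""

# Constructed similarity scores in [0, 100]; higher means a closer template match.
GENUINE = [91, 88, 84, 79, 95, 72, 86, 90, 67, 83]    # authorized attempts
IMPOSTOR = [35, 48, 52, 61, 29, 70, 44, 57, 74, 40]   # unauthorized attempts


def far(impostor_scores, threshold):
    """False acceptance rate: share of unauthorized attempts that are accepted."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of authorized attempts that are rejected."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def tradeoff(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) for every threshold that changes a decision."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Operating point where FAR and FRR are closest to each other."""
    return min(tradeoff(genuine_scores, impostor_scores),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    # Raising the threshold trades false acceptances for false rejections.
    for t, a, r in tradeoff(GENUINE, IMPOSTOR):
        print(f"threshold={t:3d}  FAR={a:.1f}  FRR={r:.1f}")
    print("equal error rate at", equal_error_rate(GENUINE, IMPOSTOR))
```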

23
Biometric ID
  • Acquire the biometric ID
  • How do you ensure that you got the right guy
  • Localize the attribute
  • Eliminate noise
  • Develop a template (reduced data set)
  • Check for duplicates

24
Biometric applications
  • Identification
  • Search the database to find out who the unknown
    is
  • Check entire file
  • Authentication
  • Verify that the person is who he says he is
  • Check his file and match

25
Biometric identifiers
  • Should be universal attribute
  • Consistent: shouldn't change over time
  • Unique
  • Permanent
  • Inimitable (voice can be separated from the
    individual)
  • Collectible: easy to gather the attribute
  • Tamper resistant
  • (Cheaply) comparable - template

26
Biometric technologies
  • Fingerprint
  • Automated fingerprint ID systems (law
    enforcement)
  • Fingerprint recognition derives template from
    features for ID
  • Validating temp and/or pulse
  • Optical vs. solid state (capacitance)
  • Low FAR and FRR

27
Fingerprint
28
Hand geometry
  • Dimensions of fingers and location of joints
    unique
  • Low FAR and FRR

29
Retinal scan
  • Very reliable
  • More expensive than hand or fingerprint
  • Extremely low FAR and FRR

30
Retinal scan
31
Voice recognition
  • Automatic speaker verification (ASV) vs.
    automatic speaker identification (ASI)
  • ASV: authentication in a two-factor scheme
  • ASI: who is speaker
  • Feature extraction and matching
  • Problems with disease/aging etc.

32
Iris scanning
  • Less invasive than retinal scanning
  • Technically challenging: balancing optics, ambient
    light etc.
  • Can be verified (live subject) by iris response
    to light

33
Face recognition/thermography
  • Facial architecture and heat signature
  • Relatively high FAR/FRR
  • Useful in two factor scenarios

34
Hand vein
  • Infrared scanning of the architecture of the hand
    vessels

35
Signature
  • Architecture of the signature
  • Dynamics of the signature (pressure and velocity)

36
(No Transcript)
37
Biometric identification issues
  • Privacy, anonymity
  • Legal issues not defined

38
Security availability
  • Ensures that accurate, up-to-date information is
    available when needed at appropriate places

39
Security accountability
  • Ensures that users are responsible for their
    access to and use of information based on a
    documented need and right to know

40
Security perimeter definition
  • Allows the system to control the boundaries of
    trusted access to an information system both
    physically and logically

41
Security rule-limited access
  • Enables access for personnel to only that
    information essential to the performance of their
    jobs and limits the real or perceived temptation
    to access information beyond a legitimate need

42
Security comprehensibility and control
  • Ensures that record owners, data stewards and
    patients can understand and have effective
    control over appropriate aspects of information
    confidentiality and access

43
Availability
  • Backups with local and off-site copies of the
    data
  • Secure housing and power sources for CPU even
    during disasters (when system availability may be
    crucial)
  • Virus protection

44
Accountability
  • Audit trails and warnings
  • User
  • Authentication: unique ID process
  • Authorization to perform set of actions, i.e.
    access only their own patients

45
Perimeter definition
  • System knows users and how they are using the
    system
  • Define the boundaries of the system (i.e. within
    the firewall) Princeton-Penn-HUP
  • How do you permit/monitor off-site access
  • Modems?
  • Tools
  • Cryptographic authentication

46
Perimeter definition
  • Public key-private key
  • Encryption
  • Privacy and confidentiality
  • Digital signatures
  • Prescription signature
  • Content validation
  • Message hasn't been messed with
  • Nonrepudiation
  • "I didn't say that"

47
Role limited access
  • Spheres of access
  • Patient list: patients one has a role in the care
    of
  • Content specific: billing clerk/billing info
  • Relevant data: researcher on heart disease
    shouldn't be able to learn about HIV status

48
Taxonomy of organizational threats
  • Motive
  • Health records have economic value to insurers,
    employers, journalists, enemy states etc.
  • Curiosity about the health status of friends,
    romantic interests, coworkers or celebrities
  • Clandestine observation of employees (GE)
  • Desire to gain advantage in contentious
    situations (divorce)

49
Resources
  • Attackers may range from
  • Individuals
  • Small group (e.g. law firm)
  • Large group (e.g. insurer, employer)
  • Intelligence agency
  • Organized crime

50
Initial access
  • Site access
  • System authorization
  • Data authorization

Billing clerk
Site
System
Data
Worker
MD, RN
Computer vendor
51
Technical capability
  • Aspiring attacker (limited skills)
  • Research target
  • Masquerade as an employee
  • Guess password
  • Dumpster diving
  • Become temporary employee

52
Technical capability
  • Script runner
  • Acquire software from web-sites for automated
    attacks
  • Accomplished attacker
  • Able to use scripted or unscripted (ad-hoc)
    attacks

53
Levels of threat
  • Threat 1
  • Insiders who make innocent mistakes and cause
    accidental disclosure
  • Elevator discussion, info left on screen, chart
    left in hallway etc.
  • Threat 2
  • Insiders who abuse their privileges

54
Threat
  • Threat 3
  • Insiders who access information inappropriately
    for spite or profit
  • London Times reported that anyone's electronic
    record could be obtained for 300
  • Threat 4
  • Unauthorized physical intruder
  • Fake labcoat

55
Threats
  • Threat 5
  • Vengeful employees or outsiders bent on
    destruction or degradation, e.g. deletion, system
    damage, DOS attacks
  • Latent problem

56
Countering threats
  • Deterrence
  • Create sanctions
  • Depends on identification of bad actors
  • Imposition of obstacles
  • Firewalls
  • Access controls
  • Costs, decreased efficiency, impediments to
    appropriate access

57
Countermeasures
58
Counter threat 1
  • Behavioral code
  • Screen savers, automated logout
  • ? Patient pseudonyms

59
Counter threat 2
  • Deterrence
  • Sanctions
  • Audit
  • Encryption (user must obtain access keys)

60
Counter threat 3
  • Audit trails
  • Sanctions appropriate to crime

61
Counter threat 4
  • Deterrence
  • Strong technical measures (surveillance tapes)
  • Strong identification and authentication measures

62
Counter threat 5
  • Obstacles
  • Firewalls

63
Issues with countermeasures
  • Internet interface
  • Legal and national jurisdiction
  • Best balance is relatively free internal
    environment with strong boundaries
  • Requires strong ID/auth

64
Recommendations
  • Individual user ID and authentication
  • Automated logout
  • Password discipline
  • Access controls
  • Role limited
  • Role definitions
  • Cardiologist vs. MD
  • Audit trails

65
Recommendations
  • Physical security and disaster recovery
  • Location of terminals
  • Handling of paper printouts
  • Remote access points
  • VPNs
  • Encrypted passwords
  • Dial-ins

66
Recommendations
  • External communications
  • Encrypt all patient related data over publicly
    available networks
  • Software discipline
  • Virus checking programs
  • System assessment
  • Run scripted attacks against one's own system

67
Recommendations
  • Develop security and confidentiality policies
  • Publish
  • Committees
  • ISOs
  • Sanctions
  • Patient access to audit logs
  • Who saw my record and why
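
The role-limited access, audit trail and "who saw my record and why" points from the slides above, combined in one added example (not part of the original slides). The roles, record sections, users and the rule that every read must carry a stated reason are constructed assumptions for illustration.

```python
"""Role-limited record access where every attempt lands in an audit trail."""
from datetime import datetime, timezone

# Sections each role may read (constructed policy for illustration).
ROLE_SECTIONS = {
    "physician": {"demographics", "billing", "cardiology", "hiv_status"},
    "billing_clerk": {"demographics", "billing"},   # content-specific access
    "heart_researcher": {"cardiology"},             # relevant data only
}
# Roles further limited to patients on their own care list.
CARE_ROLES = {"physician"}


class RecordStore:
    def __init__(self, records, users):
        self.records = records
        self.users = users
        self.audit = []  # append-only trail of granted AND denied attempts

    def read(self, user_id, patient_id, section, reason):
        """Return one record section or raise PermissionError; always audit."""
        user = self.users[user_id]
        allowed = bool(reason.strip()) and section in ROLE_SECTIONS[user["role"]]
        if allowed and user["role"] in CARE_ROLES:
            allowed = patient_id in user["patients"]
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user_id, "role": user["role"], "patient": patient_id,
            "section": section, "reason": reason, "granted": allowed,
        })
        if not allowed:
            raise PermissionError(f"{user_id} may not read {section} of {patient_id}")
        return self.records[patient_id][section]

    def who_saw(self, patient_id):
        """Patient-facing view: who asked for what, why, and the outcome."""
        return [(e["user"], e["section"], e["reason"], e["granted"])
                for e in self.audit if e["patient"] == patient_id]


def demo():
    """Run constructed access attempts and return the patient's audit view."""
    records = {"p1": {"demographics": "F, 54", "billing": "claim 17",
                      "cardiology": "echo normal", "hiv_status": "negative"}}
    users = {
        "dr_a": {"role": "physician", "patients": {"p1"}},   # treats p1
        "dr_b": {"role": "physician", "patients": set()},    # does not
        "clerk": {"role": "billing_clerk"},
        "res1": {"role": "heart_researcher"},
    }
    store = RecordStore(records, users)
    attempts = [
        ("dr_a", "hiv_status", "treatment"),
        ("dr_b", "hiv_status", "curiosity"),
        ("clerk", "billing", "claim processing"),
        ("res1", "cardiology", "IRB-approved study"),
        ("res1", "hiv_status", "IRB-approved study"),
    ]
    for user_id, section, reason in attempts:
        try:
            store.read(user_id, "p1", section, reason)
        except PermissionError:
            pass  # the denial is already recorded in the audit trail
    return store.who_saw("p1")


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```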

68
Future recommendations
  • Strong authentication
  • Token based authentication (two factor)
  • Enterprise wide authentication
  • One-time login to authorized systems
  • Access validation
  • Masking
  • Expanded audit trails
  • Electronic signatures

69
Universal patient identifier
  • Methodology should have an explicit framework
    specifying linkages that violate patient privacy
  • Facilitate the identification of parties that
    make improper linkages
  • Unidirectional: should facilitate helpful
    linkages of health records but prevent
    identification of patient from health records or
    the identifier

70
Implications of the Health Insurance Portability
and Accountability Act of 1996
http://www.cs.princeton.edu/courses/archive/spr02/cs495/HIPAA-princeton.ppt
  • Mark Weiner, M.D.
  • Assistant Professor of Medicine
  • University of Pennsylvania
  • mweiner_at_mail.med.upenn.edu
  • Computer Science 495: Special Topics in CS
    Medical Informatics
  • February 21, 2002

71
(No Transcript)
72
What is HIPAA
  • Health Insurance Portability and Accountability
    Act of 1996
  • proposed by Sen. Edward Kennedy (D-MA) and Nancy
    Kassebaum (R-KS)
  • Focused on issues involving
  • obtaining new insurance at new job with
    pre-existing conditions
  • protection from fraud
  • administrative simplification
  • Electronic transmittal of data for billing
    purposes
  • Privacy issues related to transmission of
    clinical data

73
What Information is covered under HIPAA
  • Personal Health Information (PHI)
  • Anything that can potentially identify an
    individual

  • Name
  • Zip code of more than 3 digits
  • Dates (except year)
  • Telephone and fax numbers
  • Email addresses
  • Social Security Numbers
  • Medical Record Numbers
  • Health Plan Numbers
  • License numbers

74
Privacy vs. Security
  • Privacy
  • Administrative mechanisms that govern the
    appropriate use and access to data
  • Not all hospital employees need to know
    everything about a patient
  • Security
  • Technical mechanisms to ensure privacy
  • Don't have a fax machine that receives personal
    information in a public place
  • Encrypt electronic communications

75
Privacy before HIPAA
  • 4th Amendment (secure in their persons, houses,
    papers and effects against unreasonable searches
    and seizures)
  • Fair Credit Reporting Act (1970)
  • Privacy Act (1974)
  • Family Educational Rights and Privacy Act (1974)
  • Right to Financial Privacy Act (1978)
  • Privacy Protection Act (1980)
  • Electronic Communications Privacy Act (1986)
  • Video Privacy Protection Act (1988)
  • Employee Polygraph Protection Act (1988)
  • Telephone Consumer Protection Act (1991)
  • Driver's Privacy Protection Act (1994)
  • Telecommunications Act (1996)
  • Children's Online Privacy Protection Act (1998)
  • Identity Theft and Assumption Deterrence Act (1998)
  • Gramm-Leach-Bliley Act (1999)

76
Gaps in privacy protection
  • Most of the preceding laws protect aspects of
    personal information (mostly financial), but not
    Health Information
  • Inconsistent State laws exist for protection of
    information regarding certain health conditions
    -- HIV, Mental Illness, Cancer

77
Concern about loss of Privacy
  • 1998 National Survey
  • 33% concerned about the amount of information
    being requested from various sources
  • 55% VERY concerned
  • 1995 Survey
  • 80% agreed with statement that they had lost all
    control of their medical information

78
Concern About Loss of Privacy
  • 1999 Survey
  • What issues concerned them the most in the coming
    century?
  • 29% listed Loss of Personal Privacy as 1st or
    2nd concern
  • 23% or less selected terrorism, world war, global
    warming

79
Concern About Loss of Privacy
  • Internet usage (1999 survey)
  • 82% have used a computer
  • 64% have used the internet
  • 58% have sent e-mail
  • 59% worry that an unauthorized person will gain
    access to their information
  • 75% of people visiting health sites are concerned
    that information is being shared

80
Concern About Loss of Privacy
  • Electronic Medical Records/Data Banks
  • 75% express concern about insurance companies
    putting information about them in a database
    accessible by others
  • 35% of Fortune 500 companies look at medical
    records before making hiring or promotional
    decisions

81
Concern About Loss of Privacy
  • Genetic information
  • 85% concerned that insurers and employers may
    gain access to personal genetic information
  • 63% would not take genetic screening tests if the
    information was going to be shared with insurers
    and employers
  • 32% of eligible people refused to have genetic
    testing for breast cancer risk because of privacy
    concerns

82
Are These Privacy Concerns Unfounded?
  • 1999 - A Michigan-based Health System accidentally
    posted medical records of thousands of patients
    on the Internet
  • A Utah-based pharmacy benefits management company
    used patient data to solicit business for its
    parent company -- a drug store

83
Are These Privacy Concerns Unfounded?
  • Health Insurance Claims forms blew out of a truck
    on its way to a recycling center
  • A patient in a Boston-area hospital discovered
    that her medical record had been read by more
    than 200 hospital employees
  • A Nevada woman purchased a used computer that
    still had prescription records from the pharmacy
    that formerly owned the computer

84
Are These Privacy Concerns Unfounded?
  • Johnson and Johnson markets a list of 5 million
    names and addresses of elderly incontinent women
  • A few weeks after undergoing a blood test, an
    Orlando woman received a letter from a drug
    company promoting their treatment for high
    cholesterol

85
Are These Privacy Concerns Unfounded?
  • A banker who also sat on a county health board
    identified people with cancer and called in their
    mortgages!
  • A physician diagnosed with AIDS had his surgical
    privileges suspended (Medical Center of
    Princeton)
  • A newspaper published the history of psychiatric
    treatment and suicide attempt of congressional
    candidate

86
Why does electronic communication increase
privacy concerns?
  • Problems with paper charts - Messy, difficult to
    find, one physical copy - all make it harder to
    acquire and disseminate information
  • Electronic documents can be intentionally or
    unintentionally transmitted to thousands of
    people at once

87
What is HIPAA designed to do?
  • Give patients more control over use of data
  • Set boundaries on uses and disclosures of data
  • Establish safeguards to protect data
  • Establish accountability for privacy breaches
  • Balance privacy with social responsibility

88
HIPAA Timeline
  • 1996 - HIPAA Signed into law
  • Privacy regulations not specified
  • Congress was to enact laws and policy regarding
    privacy by 1999
  • If Congress failed to develop standards, task
    would fall to Department of Health and Human
    Services (DHHS)
  • 1999 - DHHS becomes responsible for developing
    privacy regulations

89
HIPAA Timeline
  • 1999 - DHHS proposes privacy standards and opens
    them up for public comment
  • 1999-2000 DHHS receives 50,000 comments on
    regulations
  • December 2000 - DHHS publishes Final Privacy
    Rule
  • February 2001 - Enactment of Final Rule delayed
    because of administrative difficulties.
    Further public comment requested

90
HIPAA Timeline
  • April 2001 - Privacy Rule implementation phase
    begins
  • April 2003 - Deadline for covered entities to
    complete implementation plan

91
HIPAA Stipulations for Using and Releasing
Information
  • Notification
  • Consent
  • Authorization

92
HIPAA Stipulations for Using and Releasing
Information
  • Notification
  • Informing patients in simple language regarding
    the manner in which their data is handled

93
HIPAA Stipulations for Using and Releasing
Information
  • Consent
  • one-time, general agreement to use the patient's
    information in treatment, for payment, or for
    healthcare operations
  • Lasts indefinitely, necessary for treatment
  • Sharing information between primary care
    physician and consulting specialist
  • Regulations allow provision of care to be
    conditioned on patient's consent to use
    information for payment purposes.

94
HIPAA Stipulations for Using and Releasing
Information
  • Authorization
  • limited in time and scope
  • Non-routine purpose
  • Example: Patient is actively participating in a
    research protocol and personal health information
    will be shared with a clinical service or
    university

95
Health-related activities covered by HIPAA
  • Health Care
  • Billing
  • Marketing
  • Fund Raising
  • Research

96
HIPAA In Health Care
  • Consent to release information to insurance
    carriers for billing purposes
  • Primary and consulting physicians given full
    access to record for treatment purposes
  • Hospital Staff provided minimum necessary
    information to conduct business
  • Laboratories and Radiology offices can use
    information for billing purposes
  • Stipulations about auditing of who has seen/used
    what information

97
HIPAA In Health Care
  • Fax machines
  • Hospital information networks
  • E-mail
  • Physical security of computer hardware

98
Research under HIPAA
  • Continues as before when appropriate informed
    consent is obtained from subjects.
  • Special consideration necessary when using data
    without explicit consent of subjects
  • Few restrictions when using de-identified data on
    populations of patients (no names, SSNs,
    addresses, birthdates; populations must have
    substantial size)
  • Oversight required to use identifiable data
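
De-identification along the lines of the PHI list earlier in the deck, together with the "unidirectional" identifier idea from the universal patient identifier slide, as an added example (not part of the original slides). The field names, sample records and minimum group size are constructed, and HMAC-SHA-256 is one possible choice of one-way keyed identifier, not a method the slides name.

```python
"""De-identify records: drop direct identifiers, coarsen zip and dates,
and replace the medical record number with a keyed one-way pseudonym."""
import hashlib
import hmac
from collections import Counter

# Fields dropped outright, following the identifier list on the PHI slide.
DIRECT_IDENTIFIERS = {"name", "phone", "fax", "email", "ssn", "mrn",
                      "health_plan_no", "license_no"}

KEY = b"constructed-demo-key"  # assumption: a secret held only by the data custodian

# Constructed sample records from two hypothetical source systems.
RECORDS = [
    {"mrn": "A1001", "name": "Pat One", "ssn": "000-00-0001",
     "zip": "19104", "birth_date": "1948-03-02", "dx": "CHF"},
    {"mrn": "A1001", "name": "Pat One", "phone": "555-0100",
     "zip": "19104", "birth_date": "1948-03-02", "dx": "AF"},
    {"mrn": "A1002", "name": "Pat Two", "email": "two@example.org",
     "zip": "19147", "birth_date": "1948-11-20", "dx": "CHF"},
    {"mrn": "A1003", "name": "Pat Three", "ssn": "000-00-0003",
     "zip": "08540", "birth_date": "1975-06-09", "dx": "MI"},
]


def pseudonym(mrn, key):
    """Same patient gives the same value; not reversible without the key."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify(record, key):
    """Keep clinical fields, 3-digit zip and year only; add the pseudonym."""
    out = {"pid": pseudonym(record["mrn"], key)}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field == "zip":
            out["zip3"] = value[:3]                 # no more than 3 digits
        elif field.endswith("_date"):               # assumes ISO dates, YYYY-MM-DD
            out[field[:-5] + "_year"] = value[:4]   # dates reduced to the year
        else:
            out[field] = value
    return out


def small_groups(rows, k):
    """(zip3, birth_year) groups with fewer than k rows: too small to release."""
    counts = Counter((r["zip3"], r["birth_year"]) for r in rows)
    return sorted(group for group, n in counts.items() if n < k)


if __name__ == "__main__":
    rows = [deidentify(r, KEY) for r in RECORDS]
    for row in rows:
        print(row)
    print("groups below minimum size:", small_groups(rows, 3))
```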

99
Research under HIPAA
  • Patient consent NOT required with identifiable
    data when all of the following are true
  • IRB approves protocol and use of data
  • use or disclosure of data presents minimal risk
  • will not affect privacy and welfare of individual
  • consent process impractical
  • research could not be conducted without
    information
  • plan exists to protect identifiers from improper
    use and disclosure
  • Data will not be reused for other purposes
    without authorization from IRB

100
HIPAA in Research Summary
  • Little oversight needed for de-identified,
    population-based data
  • IRB authorization required to access identifiable
    patient information
  • Duty to inform patients regarding research uses
    of their data
  • Audit trails of information access for research
  • ??? Responsibilities when initiating patient
    contact based on knowledge of personal information

101
Accountability
  • Civil penalties
  • Violation of standards will be subject to penalties
    of $100 per violation, up to $25,000 per person,
    per year for each requirement or prohibition
    violated.

102
Accountability
  • Federal criminal
  • up to $50,000 and one year in prison for
    obtaining or disclosing protected health
    information
  • up to $100,000 and up to five years in prison
    for obtaining protected health information under
    "false pretenses"
  • up to $250,000 and up to 10 years in prison for
    obtaining or disclosing protected health
    information with the intent to sell, transfer or
    use it for commercial advantage, personal gain or
    malicious harm.

103
Penn's High Level Approach to HIPAA
  • Identify organizational components and
    communication links relevant to Health Care
  • Define which components of health information can
    be transmitted among which components
  • Set up secure communication strategy among
    components (intranets, firewalls, encryption)

104
University of Pennsylvania Health System
  • 4 owned hospitals
  • Hospital of the University of Pennsylvania
  • Presbyterian Medical Center
  • Pennsylvania Hospital
  • Phoenixville Hospital
  • 65 owned primary care ambulatory practices
    (Community Care Associates)

105
University of Pennsylvania Health System
  • Owned by the University of Pennsylvania that also
    has other related health care entities
  • Nursing school
  • Dental School
  • Student Health Service
  • Counseling

106
The overlapping lines of communication
107
Penn's Approach to Research Data Use
  • Research requires data!
  • Not all research requires personal identifiers
  • Personal identifiers are often necessary to
    validate and integrate data from different
    systems
  • Identifiers are often necessary to conduct
    retrospective research

108
Penn has a Research Database
  • Pennsylvania
  • Integrated
  • Clinical and
  • Administrative
  • Research
  • Database


The PICARD System
109
Data Integration and Access
[Architecture diagram labels: HTML, FTP, IDX, Application Server (Apache), Web Clients, Oracle SqlNet8, Data Warehouse (Oracle 8.1.5 on DEC Alpha DS20), SMS, MSAccess, ODBC, Cerner, Dept system, Oracle Tools]

110
Available Data
  • Ambulatory Data
  • Primary and subspecialty care data-- Jan 1997 -
    May 2001
  • Patient information
  • Location
  • Gender
  • Race
  • Birthdate
  • Insurance carrier

111
Available Data
  • Inpatient data
  • Patient information
  • Admission Detail - 1988-1999 for HUP and Presby
  • Admission, DC dates, LOS
  • Diagnoses
  • Procedures for recent admissions
  • Charges for procedures/room/medicine etc.

112
Available Data
  • Laboratory
  • 75 common chemistries, hematology and serology
    results since August, 1997
  • Cardiology testing
  • Stress test, cath, echo results
  • Pharmacy
  • Limited population
  • Pulmonary Function test data

113
Penn's Approach to Research Data Use
  • Minimal oversight
  • Information regarding a provider's own patients
  • Determination of numbers of patients meeting
    specified criteria
  • IRB approval
  • Release of Medical Record numbers for additional
    chart review
  • IRB and PAC review
  • Required before patient contact initiated

114
Administrative Issues in Data Use
  • Steps to contact patients through a targeted
    approach for potential enrollment in research
  • Our office generates lists of potentially
    eligible patients
  • Lists forwarded to primary care provider (PCP)
  • Discretion if provider needs to contact patient
  • PCP returns lists of authorized patients to our
    office
  • Investigator receives list of authorized patients
  • Investigator contacts patients in the context of
    the PCP

115
Research Data Use vs Patient Contact
  • Additional authorization from primary care
    provider required before contacting patients
  • Labor intensive process
  • Can we delegate responsibility for obtaining
    authorization to investigator?
  • Does patient have to be contacted by provider and
    affirm interest in study participation prior to
    being contacted by investigators?

116
Questions for discussion
  • Should we allow patients to opt out of allowing
    their data to be used in research, even without
    personal identifiers?
  • Do we allow patients to refuse directed contact
    regarding research participation? If so, for how
    long?
  • Federal law vs. 600 news law

117
Resources
  • HIPAA Administrative Simplification
  • http://aspe.hhs.gov/admnsimp/
  • HIPAA Privacy
  • http://www.hhs.gov/ocr/hipaa/
  • Workgroup on Electronic Data Interchange
    Strategic National Implementation Process
  • http://snip.wedi.org/
  • American Association of Medical Colleges
  • http://aamc.org/members/gir/gasp