Health Care Information Systems: A Practical Approach for Health Care Management, 4th edition
Karen A. Wager | Frances Wickham Lee | John P. Glaser

Chapter Nine: Privacy and Security

Learning Objectives
- Distinguish among privacy, confidentiality, and security as they relate to health information
- Identify the purpose of the Privacy Act of 1974 and 42 C.F.R. Part 2, Confidentiality of Substance Abuse Patient Records
- Describe and discuss the impact of the HIPAA Privacy, Security, and Breach Notification rules
- Identify threats to health care information and information systems caused by humans (intentional and unintentional), natural causes, and the environment
- Understand the purpose and key components of the health care organization security program and the need to mitigate security risks
- Discuss the increased need for and identify resources to improve cybersecurity in health care organizations

Outline
- Privacy, confidentiality, and security
- Legal protection
- HIPAA
  - Privacy Rule
  - Security Rule
  - Breach Notification Rule
- Threats
- Cybersecurity
- NIST

Definitions
- Privacy
  - An individual’s right to be left alone and to limit access to his or her health care information
- Confidentiality
  - Addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise
- Security
  - The systems in place to protect health information and the systems within which it resides

Legal Protection
- Federal HIPAA Privacy, Security, and Breach Notification rules
- State privacy laws
- Federal Trade Commission (FTC) Act consumer protection
- The Privacy Act of 1974
  - Protected patient confidentiality only in federally operated health care facilities
- Confidentiality of Substance Abuse Patient Records (42 C.F.R. Part 2)
  - Sets stringent release-of-information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment

HIPAA
- 1996: Signed into law
- First comprehensive federal regulation to offer specific protection to private health information
- 2003: HIPAA Privacy Rule
- 2005: HIPAA Security Rule
- Defines covered entities (CEs) to which these rules apply

HIPAA Privacy Rule
- Defines PHI as information that
  - Relates to a person’s physical or mental health, the provision of health care, or the payment for health care
  - Identifies the person who is the subject of the information
  - Is created or received by a covered entity
  - Is transmitted or maintained in any form (paper, electronic, or oral)
- Five major components
  - Boundaries
  - Security
  - Consumer control
  - Accountability
  - Public responsibility

HIPAA Patient Authorization
- Written authorization required for all nonroutine uses or disclosures of PHI
  - School
  - Relative
- PHI can be released without patient authorization in some instances
  - Presence of a communicable disease
  - Suspected child or adult abuse
  - Legal duty to warn of a clear and imminent danger from a patient
  - Bona fide medical emergency
  - Valid court order

HIPAA Patient Authorization
- Elements of a valid release form
  - Patient identification (name, DOB)
  - Name of person/entity to whom the information is being released
  - Description of specific health information authorized for disclosure
  - Statement of reason/purpose of the disclosure
  - Date, event, or condition on which the authorization will expire, unless revoked earlier
  - Statement that authorization is subject to revocation by patient/legal representative
  - Patient’s/legal representative’s signature
  - Signature date (must be after date of encounter that produced the information to be released)

HIPAA Security Rule
- Governs ePHI
  - Protected health information maintained or transmitted in electronic form
  - May be stored in any type of electronic media
- HIPAA Security Administrative Safeguards
  - Security management functions
  - Assigned security responsibility
  - Workforce security
  - Information access management
  - Security awareness and training
  - Security incident reporting
  - Contingency plan
  - Evaluation
  - Business associate contracts and other arrangements

HIPAA Security Rule (continued)
- HIPAA Security Physical Safeguards
  - Facility access controls
  - Workstation use
  - Workstation security
  - Device and media controls
- Policies, Procedures, and Documentation
- HIPAA Security Technical Safeguards
  - Access control
  - Audit controls
  - Integrity
  - Person or entity authentication
  - Transmission security
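Four of the technical safeguards listed above (access control, audit controls, integrity, and person or entity authentication) map directly onto code. The following Python program is an added illustration written for this page, not code from the textbook or its authors: an in-memory ePHI record store that enforces role-based access control, records every authentication and access decision in an audit trail, protects each stored record with an HMAC integrity tag, and authenticates users against a salted PBKDF2 password hash using the standard library's `hashlib` and `hmac` modules. The roles in `PERMISSIONS`, the user names, the patient record and the `simulate_out_of_band_change` test helper are constructed assumptions for the example; transmission security (TLS on the wire) is assumed to be handled outside this snippet.

```python
import hashlib
import hmac
import json
import os
import time
from dataclasses import dataclass, field

# Constructed role model (an assumption for this example): role -> permitted actions.
PERMISSIONS = {"physician": {"read", "write"}, "billing": {"read"}, "receptionist": set()}
PBKDF2_ROUNDS = 100_000


@dataclass
class EphiStore:
    integrity_key: bytes = field(default_factory=lambda: os.urandom(32))
    records: dict = field(default_factory=dict)   # patient_id -> (json bytes, hmac tag)
    users: dict = field(default_factory=dict)     # username -> (role, salt, password hash)
    audit_log: list = field(default_factory=list)

    # Person or entity authentication: salted, slow password hash, constant-time compare.
    def add_user(self, username, password, role):
        salt = os.urandom(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (role, salt, pw_hash)

    def authenticate(self, username, password):
        """Return the user's role on success, None on failure; both outcomes are audited."""
        entry = self.users.get(username)
        if entry is None:
            self._audit(username, "login", None, False)
            return None
        role, salt, pw_hash = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, pw_hash)
        self._audit(username, "login", None, ok)
        return role if ok else None

    # Audit controls: every authentication and access decision is recorded with a timestamp.
    def _audit(self, user, action, patient_id, allowed):
        self.audit_log.append({"ts": time.time(), "user": user, "action": action,
                               "patient": patient_id, "allowed": allowed})

    # Integrity: an HMAC over the stored bytes detects any change made outside write().
    def _tag(self, payload):
        return hmac.new(self.integrity_key, payload, hashlib.sha256).digest()

    # Access control: role-based check before any read or write of ePHI.
    def _authorize(self, user, role, action, patient_id):
        allowed = action in PERMISSIONS.get(role, set())
        self._audit(user, action, patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} record {patient_id}")

    def write(self, user, role, patient_id, record):
        self._authorize(user, role, "write", patient_id)
        payload = json.dumps(record, sort_keys=True).encode()
        self.records[patient_id] = (payload, self._tag(payload))

    def read(self, user, role, patient_id):
        self._authorize(user, role, "read", patient_id)
        payload, tag = self.records[patient_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise ValueError(f"integrity check failed for record {patient_id}")
        return json.loads(payload)

    def simulate_out_of_band_change(self, patient_id, new_payload):
        """Test helper: replace stored bytes without going through write(), as a direct
        database edit or disk corruption would; the old integrity tag is left in place."""
        _, tag = self.records[patient_id]
        self.records[patient_id] = (new_payload, tag)


def demo():
    """Exercise all four safeguards on constructed users and one constructed record."""
    store = EphiStore()
    store.add_user("dr_ada", "correct horse battery staple", "physician")
    store.add_user("bill_bob", "ledger-2024", "billing")
    results = {"bad_password_rejected": store.authenticate("dr_ada", "wrong") is None}
    physician = store.authenticate("dr_ada", "correct horse battery staple")
    store.write("dr_ada", physician, "P-0001", {"name": "Jane Doe", "dx": "J45.20"})
    results["physician_read"] = store.read("dr_ada", physician, "P-0001")["dx"]
    billing = store.authenticate("bill_bob", "ledger-2024")
    results["billing_read"] = store.read("bill_bob", billing, "P-0001")["name"]
    try:  # billing may read but not write
        store.write("bill_bob", billing, "P-0001", {"name": "Jane Doe", "dx": "Z00.00"})
        results["billing_write_blocked"] = False
    except PermissionError:
        results["billing_write_blocked"] = True
    store.simulate_out_of_band_change("P-0001", b'{"dx": "Z00.00", "name": "Jane Doe"}')
    try:  # the altered record no longer matches its HMAC tag
        store.read("dr_ada", physician, "P-0001")
        results["tamper_detected"] = False
    except ValueError:
        results["tamper_detected"] = True
    results["denied_events"] = sum(1 for e in store.audit_log if not e["allowed"])
    return results
```

Running `demo()` shows the denied login and the denied billing write both land in the audit log, the physician can still read the record, and a record altered outside the application fails its integrity check on the next read. In a real deployment the integrity key would live in a key management service rather than in process memory, and the audit log would be written to append-only storage that the application's own database users cannot modify.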

HIPAA Breach Notification Rule
- Requires CEs and their business associates to provide notification following a breach of unsecured protected health information
  - Unsecured: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance
  - Secured: encrypted using a valid encryption process, or the media on which the PHI is stored have been destroyed
- Who is notified?
  - Individuals affected
  - Health and Human Services Secretary (via the Office for Civil Rights)
  - Major media outlets

HIPAA Enforcement
- Office for Civil Rights
  - Responsible for enforcing the HIPAA Privacy and Security rules
- State attorneys general
  - Given authority by HITECH to bring civil actions on behalf of the residents of their state for HIPAA violations

HIPAA Violation Penalties
- Tiered schedule (both civil and criminal penalties)
- Civil penalties involve fines
  - Cannot be levied if the violation is resolved within a specified period of time
- Criminal penalties involve jail time (anywhere from 1 to 10 years)

Threats
- Human tampering threats
  - Intentional or unintentional
  - Internal or external
- Natural and environmental threats
- Environmental factors and technology malfunctions

Malware
- General term for software that is written to “infect” and subsequently harm a host computer system
- Common forms of malware
  - Viruses: infect the host system and spread themselves
  - Trojans: designed to look like a safe program; steal personal information or take over the resources of the host computer
  - Spyware: tracks Internet activities, assisting the hacker in gathering information without consent
  - Worms: replicate themselves and destroy files on the host computer
  - Ransomware: encrypts and locks folders; demands money to unlock

Security Management Process
- Lead your culture, select your team, learn
- Document your process, findings, and actions
- Review existing security of ePHI / Perform security risk analysis
- Develop an action plan
- Manage and mitigate risks
- Attest for meaningful use security-related objectives
- Monitor, audit, and update security on an ongoing basis
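The risk analysis, action plan, mitigation and ongoing monitoring steps of this process are usually kept as a written risk register. The program below is an added example for this page, not from the textbook or its authors. It groups threats the way the Threats slide does (human intentional or unintentional with an internal or external source, natural, environmental), scores each by likelihood times impact, ranks them, accepts those below a threshold, records the planned control and expected residual risk for the rest, and flags any residual risk that is still at or above the threshold so it is revisited in the monitor-and-audit step. The assets, threats, scores, controls and `RATING_BANDS` are constructed sample data, and the `accept_below` threshold is an assumed policy value.

```python
from dataclasses import dataclass
from typing import Optional

# Threat categories as the chapter groups them; human threats also carry a source.
CATEGORIES = {"human-intentional", "human-unintentional", "natural", "environmental"}
SOURCES = {"internal", "external", "n/a"}
# Constructed rating bands for likelihood x impact, each scored 1..5 (an assumption).
RATING_BANDS = [(4, "low"), (9, "moderate"), (14, "high"), (25, "critical")]


@dataclass
class Risk:
    asset: str
    threat: str
    category: str
    source: str
    likelihood: int                              # 1 rare .. 5 almost certain
    impact: int                                  # 1 negligible .. 5 catastrophic (to ePHI)
    planned_control: str = ""
    residual_likelihood: Optional[int] = None    # expected value once the control is in place
    residual_impact: Optional[int] = None


def validate(risk):
    """Reject malformed entries so the documented register stays consistent."""
    if risk.category not in CATEGORIES or risk.source not in SOURCES:
        raise ValueError(f"bad category/source for {risk.threat!r}")
    if risk.category.startswith("human") == (risk.source == "n/a"):
        raise ValueError(f"human threats need a source, others take 'n/a': {risk.threat!r}")
    for v in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if v is not None and not 1 <= v <= 5:
            raise ValueError(f"scores must be 1..5: {risk.threat!r}")


def score(likelihood, impact):
    return likelihood * impact


def rating(s):
    for upper, label in RATING_BANDS:
        if s <= upper:
            return label
    raise ValueError(f"score out of range: {s}")


def action_plan(register, accept_below=5):
    """Rank risks, accept those under the threshold, and record control plus expected
    residual risk for the rest; residual still at/above the threshold is flagged for
    reassessment in the ongoing monitor/audit step."""
    plan = []
    for r in sorted(register, key=lambda r: score(r.likelihood, r.impact), reverse=True):
        validate(r)
        current = score(r.likelihood, r.impact)
        item = {"asset": r.asset, "threat": r.threat, "category": r.category,
                "score": current, "rating": rating(current)}
        if current < accept_below:
            item.update(decision="accept", control="", residual=current, reassess=False)
        else:
            rl = r.residual_likelihood if r.residual_likelihood is not None else r.likelihood
            ri = r.residual_impact if r.residual_impact is not None else r.impact
            residual = score(rl, ri)
            item.update(decision="mitigate", control=r.planned_control,
                        residual=residual, reassess=residual >= accept_below)
        plan.append(item)
    return plan


# Constructed sample register; not findings from any real organization.
SAMPLE_REGISTER = [
    Risk("EHR database", "Phishing leads to stolen clinician credentials",
         "human-intentional", "external", 4, 5,
         "Multi-factor authentication plus security awareness training", 2),
    Risk("Nursing-station workstation", "Staff leaves a logged-in session unattended",
         "human-unintentional", "internal", 4, 3,
         "Automatic screen lock and privacy filters", 2),
    Risk("Primary data center", "Hurricane flooding destroys servers",
         "natural", "n/a", 2, 5,
         "Off-site encrypted backups and tested contingency plan", None, 2),
    Risk("Server room", "HVAC failure overheats equipment",
         "environmental", "n/a", 3, 3,
         "Temperature monitoring with redundant cooling", 1),
    Risk("Billing portal", "Unpatched web application exploited",
         "human-intentional", "external", 3, 4,
         "Monthly patch management and vulnerability scanning", 1),
    Risk("Records storage room", "Misfiled paper chart read by wrong staff member",
         "human-unintentional", "internal", 2, 2),
]
```

Calling `action_plan(SAMPLE_REGISTER)` returns the register ranked from the critical phishing risk down to the accepted misfiling risk; the two entries whose residual score stays at or above the threshold even after the planned control (the phishing and unattended-session risks) come back with `reassess=True`, which is the signal to schedule them for the next review cycle rather than treat them as closed.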

Cybersecurity
- Protect mobile devices
- Maintain good computer habits
- Use a firewall
- Install and maintain antivirus software
- Plan for the unexpected (i.e., create backups)
- Control access to PHI
- Use strong passwords
- Limit network access
- Control physical access

NIST
- National Institute of Standards and Technology (NIST)
- Developed a cybersecurity framework to reduce cyber attack risks
  - Framework Core (identify, protect, detect, respond, recover)
  - Framework Implementation Tiers
  - Framework Profile

Summary
- Privacy, confidentiality, security
- HIPAA Privacy Rule
  - Authorization
- HIPAA Security Rule
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards
  - Policies, procedures, documentation
- HIPAA Breach Notification Rule
- HIPAA Enforcement
  - Office for Civil Rights
  - State attorneys general
- Violation penalties
  - Fines and jail time
- Threats
  - Human
  - Natural
  - Environmental
- Malware
  - Viruses
  - Trojans
  - Spyware
  - Worms
  - Ransomware
- Security management process
- Tips for cybersecurity
- NIST cybersecurity framework
  - Framework Core
  - Framework Implementation Tiers
  - Framework Profile