Week 6 Journal Chapter 12

profileHeathersimf
AB102615_Ch12.pptx

Health IT and EHRs: Principles and Practice, Sixth Edition

Chapter 12: Health IT Privacy and Security

© 2017 American Health Information Management Association

© 2017 American Health Information Management Association

HIPAA Privacy and Security Rules

Privacy – right of an individual to be left alone.

Security – supports:

Confidentiality - the treatment of information that an individual has disclosed in a relationship of trust with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure (such asNotice of Privacy Practices) unless the individual grants permission

Data integrity – improper alteration or destruction of data

Data availability – assurance that data will be able to be accessed when needed in accordance with Privacy provisions

© 2017 American Health Information Management Association

Privacy & Security Relationships

© 2017 American Health Information Management Association

Key Privacy & Security Terms

PHI

Covered entity

Business Associate

TPO

Disclosure

Use

Authorization

Consent

© 2017 American Health Information Management Association

HIPAA Enforcement Rule

Office for Civil Rights (OCR) responsible for enforcement of HIPAA

Penalties for violation of the Privacy, Security, or Breach Notification rules may include:

Corrective action plan (CAP)

Settlement agreement

Civil penalties may include civil monetary penalties (CMP)

Criminal penalties may result in imprisonment

Other lawsuit may also be filed for actions associated with privacy, security, and breach notification

© 2017 American Health Information Management Association

Technical & Other Solutions for Privacy Rule Management

Patient identification and matching

Master person index

Health record integration

Deidentification

Data sharing agreements

Genomic data sharing and GINA

Privacy and trust principles for precision medicine

Emergency uses of PHI

Criminal background checks

Right of access

Clarification of mental/ behavioral health record sharing

Data segmentation for privacy

© 2017 American Health Information Management Association

Risk Basis of Security Rule

© 2017 American Health Information Management Association

HIPAA Security Rule

© 2017 American Health Information Management Association

Authentication Types by Strength

Wet signature

Digitized signature

Image of a wet signature

Electronic signature

Password, biometric, or token

Digital signature

Process of encryption and non-repudiation to represent a signature

Public key infrastructure (PKI) is a set of policies, procedures, standards, and practices that enable a digital signature – but is not the only form of digital signature.

Requirements for digital signature, digital certificate, encryption

EPCS

CORE Phase IV operating rules

EHR MU incentive program

© 2017 American Health Information Management Association

Access Controls and Minimum Necessary and Audit Logs

Audit logs should provide the metadata for who did what to which information at what date and time and from what location

© 2017 American Health Information Management Association

Encryption

Encryption uses an algorithm to scramble the content of a file (for data at rest) or transmission (for data en route) so that only an equivalent algorithm can be used to decrypt the message

Nonrepudiation is substantial evidence of the identity of the signer of a message and of message integrity sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and integrity of its contents

HHS guidance specifies that if a file or transmission has been encrypted but has been lost or hacked, the loss or hack is not a notifiable breach

© 2017 American Health Information Management Association

Breach Discovery Process

© 2017 American Health Information Management Association

Breach Notification Process

© 2017 American Health Information Management Association

Identity Theft Controls

Fastest growing crime in the US

Misuse of credit cards = ½ of all identity theft

Payment Card Industry Data Security Standard

Medical identity theft

Inappropriate or unauthorized misrepresentation of personal information to obtain access to property (e.g. drugs) or services (e.g., health plan coverage)

Red Flags Rule

Use of patterns, practices, and specific activities, known as red flags, which could indicate identity theft

Some healthcare organizations must comply, others do so voluntarily as a best practice

© 2017 American Health Information Management Association

Administrative Factors to Reduce Risk

Risk analysis is the primary process that should be documented. Risk analysis follows the SDLC

© 2017 American Health Information Management Association

Physical and Technical Controls

Facility security controls

Storage management program

Virtualization

Reliability

Full redundancy

Fail over

Technical monitoring tools

© 2017 American Health Information Management Association

Addressing Emerging Threats

Unified threat management program

Management support

Threat intelligence

Policies and procedures

Everyone’s responsibility

Controls

Training

Auditing and monitoring

© 2017 American Health Information Management Association