Chapter Nine

Privacy and Security

Health Care Information Systems: A Practical Approach for Health Care Management

Karen A. Wager | Frances Wickham Lee | John P. Glaser

Health Care Information Systems: A Practical Approach for Health Care Management, 4th edition | K. Wager | F. Lee | J. Glaser

Learning Objectives

  • Distinguish among privacy, confidentiality, and security as they relate to health information
  • Identify the purpose of the Privacy Act of 1974 and 42 C.F.R. Part 2, Confidentiality of Substance Abuse Patient Records
  • Describe and discuss the impact of the HIPAA Privacy, Security, and Breach Notification rules
  • Identify threats to health care information and information systems caused by humans (intentional and unintentional), natural causes, and the environment
  • Understand the purpose and key components of the health care organization security program and the need to mitigate security risks
  • Discuss the increased need for and identify resources to improve cybersecurity in health care organizations

Outline

  • Privacy, confidentiality, and security
  • Legal protection
  • HIPAA
    – Privacy Rule
    – Security Rule
    – Breach Notification Rule
  • Threats
  • Cybersecurity
  • NIST

Definitions

  • Privacy
    – An individual’s right to be left alone and to limit access to his or her health care information
  • Confidentiality
    – Addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise
  • Security
    – The systems in place to protect health information and the systems within which it resides

Legal Protection

  • Federal HIPAA Privacy, Security, and Breach Notification rules
  • State privacy laws
  • Federal Trade Commission (FTC) Act consumer protection
  • The Privacy Act of 1974
    – Protected patient confidentiality only in federally operated health care facilities
  • Confidentiality of Substance Abuse Patient Records (42 C.F.R. Part 2)
    – Set stringent release-of-information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment

HIPAA

  • 1996: Signed into law
  • First comprehensive federal regulation to offer specific protection to private health information
  • 2003: HIPAA Privacy Rule
  • 2005: HIPAA Security Rule
  • Defines covered entities (CEs) to which these rules apply

HIPAA Privacy Rule

  • Defines PHI
    – Relates to a person’s physical or mental health, the provision of health care, or the payment for health care
    – Identifies the person who is the subject of the information
    – Is created or received by a covered entity
    – Is transmitted or maintained in any form (paper, electronic, or oral)
  • 5 major components
    – Boundaries
    – Security
    – Consumer control
    – Accountability
    – Public responsibility

HIPAA Patient Authorization

  • Written authorization required for all nonroutine uses or disclosures of PHI
    – School
    – Relative
  • PHI can be released without patient authorization in some instances
    – Presence of a communicable disease
    – Suspected child or adult abuse
    – Legal duty to warn of a clear and imminent danger from a patient
    – Bona fide medical emergency
    – Valid court order

HIPAA Patient Authorization

  • Elements of a valid release form
  1. Patient identification (name, DOB)
  2. Name of person/entity to whom the information is being released
  3. Description of specific health information authorized for disclosure
  4. Statement of reason/purpose of the disclosure
  5. Date, event, or condition on which the authorization will expire, unless revoked earlier
  6. Statement that authorization is subject to revocation by patient/legal representative
  7. Patient’s/legal representative’s signature
  8. Signature date (must be after date of encounter that produced the information to be released)

HIPAA Security Rule

  • Governs ePHI
    – Protected health information maintained or transmitted in electronic form
    – May be stored in any type of electronic media
  • HIPAA Security Administrative Safeguards
  1. Security management functions
  2. Assigned security responsibility
  3. Workforce security
  4. Information access management
  5. Security awareness and training
  6. Security incident reporting
  7. Contingency plan
  8. Evaluation
  9. Business associate contracts and other arrangements

HIPAA Security Rule

  • HIPAA Security Physical Safeguards
  1. Facility access controls
  2. Workstation use
  3. Workstation security
  4. Device and media controls
  • Policies, Procedures, and Documentation
  • HIPAA Security Technical Safeguards
  1. Access control
  2. Audit controls
  3. Integrity
  4. Person or entity authentication
  5. Transmission security
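As an added example (not the textbook's code, and not a reference implementation of the rule), the following Python sketch shows how three of the technical safeguards listed above map onto code: role-based access control over ePHI, an audit log of every access attempt, and an HMAC integrity tag on each record. The roles, the key and the record layout are constructed for the demo.

```python
# Added example (not the textbook's code): a tiny ePHI store demonstrating three
# Security Rule technical safeguards: access control, audit controls, integrity.
# The roles, key and record layout are constructed for the demo.
import hashlib, hmac, json
from datetime import datetime, timezone

INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
ROLE_PERMISSIONS = {                 # access control: least privilege per role
    "physician": {"read", "write"},
    "billing": {"read"},             # billing gets only the minimum necessary
}

def seal(record: dict) -> dict:
    """Integrity safeguard: attach an HMAC so any later alteration is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"body": record, "tag": hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()}

def verify(sealed: dict) -> bool:
    body = json.dumps(sealed["body"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

class EphiStore:
    def __init__(self):
        self.records = {}            # patient_id -> sealed record
        self.audit_log = []          # audit controls: every attempt, allowed or not

    def _audit(self, user, role, action, patient_id, outcome):
        self.audit_log.append({"ts": datetime.now(timezone.utc).isoformat(),
                               "user": user, "role": role, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def _check(self, user, role, action, patient_id):
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, action, patient_id, "denied")
            raise PermissionError(f"role {role!r} may not {action} ePHI")

    def write(self, user, role, patient_id, record):
        self._check(user, role, "write", patient_id)
        self.records[patient_id] = seal(record)
        self._audit(user, role, "write", patient_id, "ok")

    def read(self, user, role, patient_id):
        self._check(user, role, "read", patient_id)
        sealed = self.records[patient_id]
        if not verify(sealed):       # a failed check is itself a reportable incident
            self._audit(user, role, "read", patient_id, "integrity-failure")
            raise ValueError("record integrity check failed")
        self._audit(user, role, "read", patient_id, "ok")
        return sealed["body"]
```

Denied attempts and integrity failures are written to the same audit log as successful reads, which is what makes the log useful for the security incident reporting safeguard.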

HIPAA Breach Notification Rule

  • Requires CEs and their business associates to provide notification following a breach of unsecured protected health information
    – Unsecured: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance
    – Secured: encrypted using a valid encryption process, or the media on which the PHI is stored have been destroyed

HIPAA Breach Notification Rule

  • Who is notified?
    – Individuals affected
    – Health and Human Services Secretary (via the Office for Civil Rights)
    – Major media outlets

HIPAA Enforcement

  • Office for Civil Rights
    – Responsible for enforcing the HIPAA Privacy and Security rules
  • State attorneys general
    – Given authority by HITECH to bring civil actions on behalf of the residents of their state for HIPAA violations

HIPAA Violation Penalties

  • Tiered schedule (both civil and criminal penalties)
  • Civil penalties involve fines
    – Cannot be levied if resolved within a specified period of time
  • Criminal penalties involve jail time (anywhere from 1 to 10 years)

Threats

  • Human tampering threats
    – Intentional or unintentional
    – Internal or external
  • Natural and environmental threats
  • Environmental factors and technology malfunctions

Malware

  • General term for software that is written to “infect” and subsequently harm a host computer system
  • Common forms of malware
    – Viruses: infect the host system and spread themselves
    – Trojans: designed to look like a safe program; steal personal information or take over the resources of the host computer
    – Spyware: tracks Internet activities, assisting the hacker in gathering information without consent
    – Worms: replicate themselves and destroy files on the host computer
    – Ransomware: encrypts and locks folders; demands money to unlock

Security Management Process

  1. Lead your culture, select your team, learn
  2. Document your process, findings, and actions
  3. Review existing security of ePHI / perform a security risk analysis
  4. Develop an action plan
  5. Manage and mitigate risks
  6. Attest for meaningful use security-related objectives
  7. Monitor, audit, and update security on an ongoing basis

Cybersecurity

  1. Protect mobile devices
  2. Maintain good computer habits
  3. Use a firewall
  4. Install and maintain antivirus software
  5. Plan for the unexpected (i.e., create backups)
  6. Control access to PHI
  7. Use strong passwords
  8. Limit network access
  9. Control physical access

NIST

  • National Institute of Standards and Technology (NIST)
  • Developed a cybersecurity framework to reduce cyber attack risks
    – Framework Core (identify, protect, detect, respond, recover)
    – Framework implementation tiers
    – Framework profile

Summary

  • Privacy, confidentiality, security
  • HIPAA Privacy Rule
    – Authorization
  • HIPAA Security Rule
    – Administrative safeguards
    – Physical safeguards
    – Technical safeguards
    – Policies, procedures, documentation
  • HIPAA Breach Notification Rule
  • HIPAA Enforcement
    – Office for Civil Rights
    – State attorneys general
  • Violation penalties
    – Fines and jail time
  • Threats
    – Human
    – Natural
    – Environmental

Summary

  • Malware
    – Viruses
    – Trojans
    – Spyware
    – Worms
    – Ransomware
  • Security management process
  • Tips for cybersecurity
  • NIST cybersecurity framework
    – Framework Core
    – Framework Implementation Tiers
    – Framework Profile