Implementing plan on EHR system
Running Head: HIPAA 1
Health Insurance Portability Accountability Act
Frances Ogbankwa
HCM 690 Healthcare Informatics Capstone
The Health Insurance Portability and Accountability Act (HIPAA) gives patients the right to disclose or share their medical information with anyone. A patient has the full right to view their own medical records, and that right is granted by HIPAA (Moore et al., 2019). When a patient asks for their medical records, the hospital and its staff cannot prohibit the patient from seeing their record. Patients often like to see their medical records because it gives them the knowledge to understand what is wrong with them and to examine how well the doctor has treated the presented health issue.
Although patients have a full right to their own medical records, there are still some situations where doctors withhold part of the record from the patient. In such situations, the doctors judge it best that the patient does not see their complete record, because some information in the record could be harmful to the patient if known; in other cases, however, it is most beneficial to give the patient the full information.
There are multiple situations where the information is harmful to the patient, especially in psychotherapy; doctors' notes are often not shared with patients because doctors think the notes may be injurious to a patient who is already contemplating suicide (Rapaport et al., 2016). In addition, sharing some information can also lead to patients self-diagnosing and going against the doctor's advice.
Medical Cyber-Physical Systems (MCPS) are a carefully organized framework of medical devices that are life-critical, interactive, and tightly integrated with patient care. Such systems are increasingly being used in clinics to manage patients in complex medical situations over the long term. Designing a complex MCPS that is both safe and effective raises several challenges, including framework programming, interoperability, discrete decision support, and achieving key levels of validation in autonomy, security, and assurance (Nair et al., 2019).
Two of the most important changes in medical devices are the deep reliance on software and the wide availability of network connectivity. The former means that software now plays a major role in the overall safety of the device. The latter means that networked medical devices no longer act as independent devices that can be independently designed, validated, and used to treat patients; instead, they form a distributed system that simultaneously monitors and controls many parts of a patient's physiology. With a combination of embedded medical software and hardware, new networking capabilities, and the complex elements of the human body, today's medical cyber-physical systems form a special class of Cyber-Physical Systems (CPS) (Rahaman et al., 2018).
A Medical Cyber-Physical System (MCPS) is a healthcare information system implemented in many organizations. It is easily one of the most popular healthcare information systems in use right now. And this is the type of healthcare system implemented in my organization. This is the healthcare system we will apply to the HIPAA audit today. An audit is a process of evaluating a procedure, tool, technology, or system to decide whether it is working properly. An audit tells you whether an organization is performing its job efficiently and whether it has allocated its resources to the places where they will reap the maximum benefit for the organization.
An audit is a process carried out to find faults, limitations, shortcomings, and wrongdoing in a process, organization, or technology. An audit is an official inspection of an organization's activities and processes which details how an activity should be carried out and how it is actually being carried out. It is used to show the stark differences between the established procedures and the real procedures being applied in the organization. Audits are found in every kind of organization, including the medical and healthcare field. A medical audit is a process that reviews and details how well medical procedures are being performed and how the procedures can be improved so that outcomes are made better. It is an inspection procedure used to improve the quality of healthcare.
A HIPAA audit is carried out to analyse whether healthcare and medical information systems comply with HIPAA and how well these systems are securing the information and managing it properly. With increasing risks and threats every day, patient information has become more sensitive with each passing day. Data leaks and privacy invasions are becoming normal in healthcare. In this environment, it is becoming tremendously difficult for a healthcare information system to keep patient information safe and secure.
It is important to run a HIPAA audit on a Medical Cyber-Physical System (MCPS) as well, since these devices also store a lot of personal information about patients. Hence, it becomes tremendously important to apply HIPAA audits to MCPS devices. It is important to ensure that an information system follows HIPAA Title II. Title II contains the Privacy Rule, which focuses on Protected Health Information (PHI). This rule governs the protection and safety of the personal health information stored in these information systems.
When performing the audit of a healthcare information system, it is important to take into account all the recent updates and changes made to HIPAA. The most recent change to HIPAA policies and compliance rules was made through the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act (ARRA) of 2009. Under this change, the HIPAA right of access was updated and modified. HIPAA now allows patients to obtain a copy of their health records in an electronic format (Rosenbloom et al., 2019). Before this, the feature was not available to patients: HIPAA only allowed patient information to be given in a paper patient record file. This recent change made it possible for patients to collect their data from their physicians and healthcare systems in electronic form as well. This is how HITECH changed HIPAA with the new regulation.
To successfully pass a HIPAA audit, it is extremely necessary that an organization follows certain rules and fulfils certain requirements to ensure that all of its healthcare systems are secured and protected. Six basic steps prepare an organization for a HIPAA audit. The first step an organization needs to follow to be successful in a HIPAA audit is to prepare its staff for HIPAA. This step includes training your staff about what HIPAA is, what its compliance requirements are, and how to achieve those requirements. If the staff is not properly trained, those requirements cannot be properly met, and the organization will fail the HIPAA audit compliance checklist. The organization can also document the training sessions it provides to its employees to show the Office for Civil Rights (OCR) that the organization is dedicated to ensuring HIPAA compliance (Dobran, 2018). The organization can also create special policies that cater specifically to the HIPAA compliance audit.
The next crucial step is risk management. The organization must perform a risk analysis before a HIPAA audit. A HIPAA risk analysis is performed to analyse the system properly and to check whether there is any risk to which the organization is exposed. It discloses all the risks in the company, and the risk management process is then used to eliminate and handle those risks. Risk management is a process that details a plan to handle risk and ensure the organization is protected. This step also ensures that the organization creates security documents and compliance status reports.
The next necessary step is to choose a security and privacy officer. It is one of the basic requirements of HIPAA that every business must have a dedicated security and privacy officer who is responsible for securing and maintaining the privacy of PHI. This officer is responsible for decisions about third-party vendors and will discuss security management with the OCR. The fourth necessary step is to review policy implementation. As discussed above, companies need to establish security and privacy policies in the organization. But making policies is not the only task; implementing those policies properly is also extremely important. The business must ensure that employees follow those policies and that the policies meet the organization's needs.
Afterward comes the step of conducting an internal audit of the company. It is the best way to ensure that the company follows the proper HIPAA compliance rules before the OCR audit. Taking assistance from a company that performs audits can be beneficial in finding shortcomings in your organization. It is also important to check all your policies and see their impact on the organization. Finally, the last step is to create a remediation plan to ensure that the company continues to identify risks and manage HIPAA compliance even after the audit. This plan will ensure that the HIPAA rules are always being followed and that privacy and security are always maintained.
Gap analysis compares the actual performance of an organization with its desired and predicted performance. This process is carried out to identify the gaps in resource allocation, planning, capabilities, and structures that make the company fall behind its desired goals and potential. The gap analysis is prepared to analyse and detect the parts of an organization that need special attention and have multiple faults. This kind of analysis proves extremely helpful in the audit process. It prepares the system for an extensive audit and can help find shortcomings in the system beforehand. It allows companies to see where they are now and where they want to be in the future.
References
Dobran, B. (2018). HIPAA Compliance Audit: Expert Security Guide to Stay Compliant. Retrieved from Phoenix NAP: https://phoenixnap.com/blog/hipaa-compliance-audit
Moore, W., & Frye, S. (2019). Review of HIPAA, Part 1: History, Protected Health Information, and Privacy and Security Rules. Journal of Nuclear Medicine Technology, 47(4), 269-272.
Nair, M. M., Tyagi, A. K., & Goyal, R. (2019). Medical Cyber-Physical Systems and Its Issues. Procedia Computer Science, 165, 647-655.
Rahaman, M. O., Shuvo, A., & Kashem, M. (2018). Cyber-Physical Systems for Healthcare. International Journal of Advanced Research (IJAR).
Rapaport, L. (2016). Patients can't always access complete medical records, doctors say. Retrieved from Reuters: https://www.reuters.com/article/us-health-hipaa-charts-idUSKCN0YE2PY
Rosenbloom, S. T., Smith, J. R., Bowen, R., Burns, J., Riplinger, L., & Payne, T. (2019). Updating HIPAA for the electronic medical record era. Journal of the American Medical Informatics Association, 26(10), 1115-1119.