
Safeguarding Healthcare Information
By: Jamal Ibrahim
Enterprise Info Security, ICTN 4040-602, Spring 2015
Instructors: Dr. Phillip Lunsford & Mrs. Constance Bohan

Abstract

Protection of healthcare information is a fundamental practice for all healthcare professionals. When paper charts were widely used, the concern was to protect patient information from theft or misplacement. The goal has broadened since healthcare professionals shifted to storing and using information digitally.

Access, Authorization, and Validation. Access control, authorization, integrity, accountability, and authenticity are the essence of protecting healthcare information.

Risk Analysis and Management. Evaluation, setting up a plan, and reviewing and modifying policies prepare the facility and its staff for disasters and offer ways to recover.

Staff Training and Awareness. Humans are the weakest link in information security. They must be trained and made aware of potential threats and how to avoid them. Social engineering can be used by unauthorized personnel to gain access; thorough and continuous training helps prevent such incidents.

The risk associated with healthcare information cannot be entirely avoided, but good planning and preparedness go a long way in protecting and maintaining that information.

Healthcare facilities process, store, and disseminate large amounts of confidential information. Healthcare information is not limited to patients' records; it includes internal communication, marketing material, policies, procedures, protocols, financial data, banking information, details concerning affiliates, personal information concerning employees, training materials, business plans, strategies, trade secrets, quality and risk management data, computer information, and details regarding the Electronic Medical Record and other computer systems. The loss, damage, or disclosure of such information could result in significant harm to customers, the facility, and healthcare providers and professionals. It is imperative to ensure the integrity, accuracy, availability, and confidentiality of these information resources through effective security controls. It is therefore the responsibility of each healthcare member to guard against unauthorized use, destruction, or disclosure of the facility's information and information resources. Members in this context include providers, professionals, employees, partners, vendors, contractors, staff members, and any other individuals who have been granted access to the facility's computers and network. This document illustrates best practices for safeguarding healthcare information in a simple yet reasonable, practical, and thorough format that can be implemented by any healthcare facility, its staff, and its affiliates.

Access, Authorization, and Validation

Staff members receive authorization to access protected health information, use workstations, conduct transactions, and run software applications based on their job responsibilities. Users are granted access to protected health information resources consistent with access policies and procedures. Users must not retrieve information on behalf of other members who lack appropriate authorization. A unique user ID and password are required to use the information system. When access authorization needs to be changed, a formal request is submitted to the Security Official, who reviews the request and authorizes the revised access privileges if the request meets the authorization requirements. The ability of staff members and other users to use workstations or computer programs, to conduct specific transactions, or to perform various functions, tasks, or procedures is determined by each individual's access authorization. These tasks include installation of new software, backing up data, and maintaining and configuring computer hardware and software.

All components of the information system must be housed in a secure location. Visitors must be accompanied by a staff member whenever they are in a position to access information resources. Consultants and contractors responsible for installing, maintaining, or testing computer equipment and software must register with the receptionist and sign the visitor log. Contractors, consultants, and maintenance personnel whose work involves using computer systems are given a unique user ID and password so that their access to the information system can be monitored. They are authorized to access the information system in the same manner as staff members authorized to perform similar tasks or functions, provided that all requirements for visitors are met.

All installed hardware and equipment must be recorded in a hardware inventory maintained by the security officer. The inventory should include detailed information about every item. The removal of any equipment or storage media must be logged in a maintained record; this also applies to the transfer of storage media to off-site storage locations. The policy does not apply to routine shifting of equipment during ordinary operation or maintenance.

Providers and other health professionals may access any information contained in a patient's record (other than information that has been restricted by the patient's provider) for the purpose of treating the patient, including consulting with other professionals concerning the patient's treatment. Clerical staff responsible for preparing and submitting claims and processing payment information may access any information in a patient's record needed to meet the requirements for submission and adjudication of a claim for services. Management members may access any information contained in patient records when required for supervising staff or complying with licensing and other regulatory requirements. IT management staff may access the information needed to configure security features of computer hardware and software. A member who requires information that he or she is not authorized to access should request the assistance of an appropriately authorized staff member. Housekeeping and maintenance staff who may have physical access to information should be supervised closely enough to reasonably ensure that the security policies are not violated. All members who are authorized to access information must complete security and privacy training and must review the limitations on their access to information and other resources.

Risk Analysis and Management

All staff members responsible for implementing contingency plans have the keys, passwords, and other information or devices needed to gain access to information system components during emergencies. Staff members responsible for implementing contingency plans may take whatever actions they determine necessary to obtain back-up data sets and restore system function. All actions taken to restore system functions during an emergency are documented and reviewed with the security officer at the conclusion of the emergency. The security officer establishes policies and procedures that protect the security of protected health information during an emergency caused by fire, vandalism, system failure, natural disaster, or other contingencies. Security here includes the availability, integrity, and confidentiality of the information.

Every three years, the security officer develops a comprehensive contingency plan based on an examination of the impact of natural, human, and environmental contingencies on information and information resources. The plan identifies the major natural and man-made disasters that could adversely affect the availability, integrity, and confidentiality of information maintained in electronic or physical form, and the actions that will be taken to compensate for those disasters and protect the affected information. The plan assigns specific responsibilities to members of the staff; these responsibilities specifically address failures in normal security safeguards that are likely to occur during an emergency. The security officer reviews, tests, and updates the contingency plan annually. The security officer also develops a comprehensive plan to back up protected information and critical applications, or implements fault-tolerant systems that reduce the likelihood that equipment failure or disasters will adversely affect the integrity and availability of information. If an emergency condition exposes any components of the information system to theft or unauthorized removal, the security officer or a designated staff member is present to prevent loss of information or essential system components. A complete inventory of any damage to information system components is conducted after the emergency condition is resolved.

Staff Training and Awareness

The security officer is responsible for developing and implementing a comprehensive security awareness and training program for all members of the workforce, including staff, partners, and management. All members, including management and professional staff, are required to complete security training before they can access or use the information systems. Every staff member authorized to use the information system is given a unique user name and selects a password known only to that staff member. Staff members must use their own user name and password when using information systems and accessing protected health information. Passwords should not be written down or disclosed to other members of the staff, friends, family, or anyone else. A staff member may not use another staff member's user name and password to access the information system. Passwords should be at least eight characters long and should not be any word that can be easily guessed, such as the name of a child, a pet, a sports team, a school, or a hobby. (A six-to-ten character range, as older policies often specified, is too short by current standards: NIST SP 800-63B sets an eight-character minimum and recommends permitting much longer passphrases rather than imposing a low maximum.) Users must change their passwords at least once a year, but not so frequently that they are likely to be forgotten.

To be able to access information, a staff member must meet the minimum professional or technical qualifications for the position they occupy and must not have been disciplined for serious infractions of security in previous jobs. Users must observe the guidelines on use of workstations. Users must log off workstations before leaving them unattended. Screens should be positioned so that they are visible only to the persons who use them. Staff members should not access patient information when visitors can view the information displayed on a screen. Antivirus software shall be installed and regularly updated on all computer workstations and servers to protect against malicious software. Staff members must not disable antivirus software and must immediately report virus infections. Staff should not open e-mail messages or attachments from unknown senders, should not visit suspicious websites, and must restrict internet access to official use only.

All storage devices and media are to be given to the security officer for disposal, and may be disposed of only by an authorized staff member. Prior to disposal, storage media are sanitized either by triple overwriting or by physically dismantling and destroying the media. (Overwriting is dependable only for magnetic disks, where NIST SP 800-88 accepts a single pass; on solid-state and flash media, wear levelling can leave overwritten data in place, so cryptographic erase, the drive's own sanitize command, or physical destruction should be used instead.) All CD-ROMs, including rewritable CD-ROMs, are rendered unreadable by abrading the data storage surface before disposal.

In sum, each user of the information system is responsible for safeguarding the integrity, accuracy, availability, and confidentiality of the information resources to which they have access. Users include providers, professionals, employees, partners, vendors, contractors, staff members, and any other individuals who have been granted access to the facility's computers and network. The loss, damage, or disclosure of such information could result in significant harm to customers, the facility, healthcare providers, and professionals. This goal can be achieved by developing and implementing a comprehensive plan that limits information access to authorized and authenticated users, that identifies the major natural and man-made disasters that could adversely affect the availability, integrity, and confidentiality of information maintained in electronic or physical form, and that specifies the actions that will be taken to compensate for those disasters and protect the affected information. Furthermore, the plan satisfies the need to train and re-train the staff and to make them aware of the substantial harm that could occur as a result of the loss, damage, or disclosure of protected health information.
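The access rules set out under Access, Authorization, and Validation (each role may read a chart only for the purposes its job requires, provider-restricted fields are withheld, and training is a precondition for any access) together with the contingency-plan rule that emergency actions are permitted but must be documented and reviewed with the security officer can be enforced in code rather than left to procedure. The following Python is an added example written for this edit, not code from the paper or from any facility's system; the role names, purposes, chart fields, sample chart, and user IDs are all constructed for the demonstration.

```python
# Added example (not the paper's code): role-based, minimum-necessary access to
# patient charts with an audit trail and a logged break-glass path for declared
# emergencies. Roles, purposes, chart fields, sample chart and user IDs are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

DEMOGRAPHIC = {"name", "dob"}
CLINICAL = {"diagnosis", "medications", "notes"}
BILLING = {"insurance_id", "claim_codes"}

# role -> purpose the role may assert -> fields visible for that purpose. Providers
# read clinical data for treatment, clerical staff read billing data for claims,
# management reads the whole chart for supervision; IT only configures security
# features, so it is listed with no purposes and therefore sees no chart data.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "provider": {"treatment": DEMOGRAPHIC | CLINICAL},
    "clerical": {"claims": DEMOGRAPHIC | BILLING},
    "management": {"supervision": DEMOGRAPHIC | CLINICAL | BILLING},
    "it": {},
}

@dataclass
class User:
    user_id: str                     # unique per person, never shared
    role: str
    trained: bool                    # completed security and privacy training
    contingency_staff: bool = False  # named in the contingency plan

@dataclass
class Chart:
    patient_id: str
    data: Dict[str, str]
    restricted: Set[str] = field(default_factory=set)  # restricted by the patient's provider

@dataclass
class AuditEvent:
    when: str
    user_id: str
    patient_id: str
    purpose: str
    fields: List[str]
    outcome: str                     # "allowed", "denied" or "break-glass"

class AccessController:
    def __init__(self) -> None:
        self.audit: List[AuditEvent] = []

    def _log(self, user: User, chart: Chart, purpose: str, fields: Set[str], outcome: str) -> None:
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user.user_id,
                                     chart.patient_id, purpose, sorted(fields), outcome))

    def read(self, user: User, chart: Chart, purpose: str, emergency: bool = False) -> Dict[str, str]:
        """Return only the chart fields this user may see for this purpose; every attempt is logged."""
        if not user.trained:  # training is a precondition for any access at all
            self._log(user, chart, purpose, set(), "denied")
            raise PermissionError(f"{user.user_id}: security training not completed")
        if emergency:  # break-glass: contingency staff get the full chart, but the read is recorded
            if not user.contingency_staff:
                self._log(user, chart, purpose, set(), "denied")
                raise PermissionError(f"{user.user_id}: not contingency staff")
            self._log(user, chart, purpose, set(chart.data), "break-glass")
            return dict(chart.data)
        allowed = POLICY.get(user.role, {}).get(purpose)  # deny by default
        if allowed is None:
            self._log(user, chart, purpose, set(), "denied")
            raise PermissionError(f"{user.role} may not read charts for {purpose!r}")
        # Minimum necessary: fields both permitted and present, minus those the
        # patient's provider restricted (withheld from every normal read in this example).
        visible = (allowed & set(chart.data)) - chart.restricted
        self._log(user, chart, purpose, visible, "allowed")
        return {k: chart.data[k] for k in visible}

    def pending_reviews(self) -> List[AuditEvent]:
        """Break-glass reads the security officer must review after the emergency."""
        return [e for e in self.audit if e.outcome == "break-glass"]

# Constructed sample chart; "notes" has been restricted by the patient's provider.
SAMPLE_CHART = Chart("P-001", {
    "name": "Pat Example", "dob": "1970-01-01", "diagnosis": "hypertension",
    "medications": "lisinopril", "notes": "follow-up in 6 weeks",
    "insurance_id": "INS-42", "claim_codes": "I10"}, restricted={"notes"})

def demo() -> Dict[str, object]:
    """Exercise the controller with constructed users and return what each saw."""
    ctl = AccessController()
    provider = User("dr.lee", "provider", trained=True)
    clerk = User("a.ortiz", "clerical", trained=True)
    oncall = User("n.khan", "provider", trained=True, contingency_staff=True)
    out: Dict[str, object] = {}
    out["provider"] = ctl.read(provider, SAMPLE_CHART, "treatment")
    out["clerk"] = ctl.read(clerk, SAMPLE_CHART, "claims")
    try:
        ctl.read(clerk, SAMPLE_CHART, "treatment")  # wrong purpose for the role
        out["clerk_treatment"] = "allowed"
    except PermissionError:
        out["clerk_treatment"] = "denied"
    out["break_glass"] = ctl.read(oncall, SAMPLE_CHART, "treatment", emergency=True)
    out["pending"] = len(ctl.pending_reviews())
    out["audit"] = [e.outcome for e in ctl.audit]
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the file prints the result of `demo()`. The design points worth noting: access is denied unless the role is explicitly permitted to assert the stated purpose; what is returned is the intersection of the policy and the fields actually present, less anything the patient's provider restricted, which is the "minimum necessary" idea in code; and the break-glass path never bypasses logging, so `pending_reviews()` gives the security officer exactly the list of emergency reads to go through once the emergency is over.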
