Chapter NinePrivacy and SecurityHealth Care Information Systems

Chapter Nine
Privacy and Security
Health Care Information Systems: A Practical Approach for
Health Care Management
Karen A. WagerIFrances Wickham LeeIJohn P. Glaser
Health Care Management, 4th editionK. WagerIF. LeeIJ.
GlaserDistinguish among privacy, confidentiality, and security
as they relate to healthinformationIdentify the purpose of the
Privacy Act of 1974 and 42 C.F.R. Part 2,Confidentiality of
Substance Abuse Patient RecordsDescribe and discuss the
impact of the HIPAA Privacy, Security, and BreachNotification
rulesIdentify threats to health care information and information
systems caused byhumans (intentional and unintentional),
natural causes, and the environmentUnderstand the purpose and
key components of the health care organizationsecurity program
and the need to mitigate security risksDiscuss the increased
need for and identify resources to improve cybersecurityin
health care organizations
GlaserLearning Objectives
Health Care Management, 4th editionK. WagerIF. LeeIJ. Glaser
OutlinePrivacy, confidentiality, and securityLegal
protectionHIPAA–Privacy Rule–Security Rule–Breach
Notification RuleThreatsCybersecurityNIST
GlaserPrivacy–An individual’s right to be left alone and to limit
access to his or her healthcare informationConfidentiality–
Addresses the expectation that information shared with a health

careprovider during the course of treatment will be used only
for its intendedpurpose and not disclosed otherwiseSecurity–
The systems in place to protect health information and the
systems withinwhich it resides
Definitions
GlaserFederal HIPAA Privacy, Security, and Breach
Notification rulesState privacy lawsFederal Trade Commission
(FTC) Act consumer protectionThe Privacy Act of 1974–
Protected patient confidentiality only infederally operatedhealth
carefacilitiesConfidentiality and Substance Abuse Patient
Records–Set stringent release of information standards,
designed to protect theconfidentiality of patients seeking
alcohol or drug treatment
Legal Protection
Glaser1996: Signed into lawFirst comprehensive federal
regulation to offer specific protection toprivate health
information2003: HIPAA Privacy Rule2005: HIPAA Security
RuleDefines covered entities (CE) to which these rules apply
HIPAA
GlaserDefines PHI–Relates to a person’s physical ormental
health, the provision ofhealth care, or the payment forhealth
care–Identifies the person who is thesubject of the information–
Is created or received by a coveredentity–Is transmitted or
maintained in anyform (paper, electronic, or oral)5major
components–Boundaries–Security–Consumer control–
Accountability–Public responsibility

GlaserHIPAAPrivacy Rule
GlaserWritten authorization required forallnonroutineuses or
disclosureof PHI–School–RelativePHI can be released
withoutpatient authorization in someinstances –Presence of a
communicabledisease–Suspected child or adult abuse–Legal
duty to warn of a clear andimminent danger from a patient–
Bona fide medical emergency–Valid court order
GlaserHIPAAPatient Authorization
GlaserElementsof a valid release formPatient identification
(name, DOB)Name of person/entity to whom theinformation is
being releasedDescription of specific healthinformation
authorized for disclosureStatement of reason/purpose of
thedisclosureDate, event, or condition which theauthorization
will expire, unlessrevoked earlierStatement that authorization
issubject to revocation by
patient/legalrepresentativePatient’s/legal
representative’ssignatureSignature date (must be after date
ofencounter that produced theinformation to be released)
GlaserHIPAAPatient Authorization
GlaserGovernsePHIProtected health information maintained or
transmitted in electronic formMay be stored in any type of
electronicmediaHIPAA Security Administrative
SafeguardsSecurity management functionsAssigned security
responsibilityWorkforce securityInformation access
managementSecurity awareness andtraining

GlaserHIPAASecurity RuleSecurity incident
reportingContingency planEvaluationBusiness associate
contracts andother arrangements
GlaserHIPAA Security PhysicalSafeguardsFacility access
controlsWorkstation useWorkstation securityDevice and media
controlsPolicies, Procedures, andDocume ntationHIPAA Security
TechnicalSafeguardsAccess controlAudit
controlsIntegrityPerson or entity authenticationTransmission
security
GlaserHIPAASecurity Rule
GlaserRequires CEs and their business associates to provide
notificationfollowing a breach ofunsecuredprotected health
information–Unsecured: PHI that has not been rendered
unusable, unreadable, orindecipherable to unauthorized persons
through the use of a technologyor methodology specified by the
Secretary in guidance–Secured: encrypted using a valid
encryption process, or the media onwhich the PHI is sorted have
been destroyed
GlaserHIPAABreach Notification Rule
GlaserWho is notified?–Individuals affected–Health and Human
Services Secretary (via the Office for Civil Rights)–Major
media outlets

GlaserHIPAABreach Notification Rule
GlaserOffice for Civil Rights–Responsible for enforcing the
HIPAA Privacy and Security rulesState attorneys general–Given
authority by HITECH to bring civil actions on behalf of the
residentsof their state for HIPAA violations
GlaserHIPAAEnforcement
GlaserTiered scheduled (both civil and criminal penalties)Civil
penalties involve fines–Cannot be levied if resolved within a
specified period of timeCriminal penalties involve jail time
(anywhere from 1 to 10 years)
GlaserHIPAAViolation Penalties
GlaserHuman tampering threats–Intentional or unintentional–
Internal or externalNatural and environmental
threatsEnvironmental factors and technology malfunctions
Threats
GlaserGeneral term for software that is written to “infect” and
subsequentlyharm a host computer systemCommons forms of
malware–Viruses: infects the host system and spreads itself–
Trojans: designed to look like a safe program; steals personal
informationor takes over the resources of the host computer –
Spyware: tracks Internet activities assisting the hacker in
gatheringinformation without consent–Worms: replicates itself
and destroys files on the host computer –Ransomeware: encrypts

and locks folders; demands money to unlock
Malware
GlaserLead your culture, select your team, learnDocument your
process, findings, and actionsReview existing security
ofePHI/Perform security risk analysisDevelop an action
planManage and mitigate risksAttest for meaningful use
security related objectivesMonitor, audit, and update security on
an ongoing basis
Security Management Process
GlaserProtect mobile devicesMaintain good computer habitsUse
a firewallInstall and maintain antivirus softwarePlan for the
unexpected (i.e., create backups)Control access to PHIUse
strong passwordsLimit network accessControl physical access
Cybersecurity
GlaserNational Institute of Standards and Technology
(NIST)Developed a cybersecurity framework to reduce cyber
attack risks–Framework Core (identify, protect, detect, respond,
recover)–Framework implementation tiers–Framework profile
NIST
SummaryPrivacy, confidentiality, securityHIPAA Privacy Rule–
AuthorizationHIPAA Security Rule–Administrative safeguards–
Physical safeguards–Technical safeguards–Policies,
procedures,documentationHIPAA Breach Notification

RuleHIPAA Enforcement–Office of Civil Rights–State attorney
generalViolation penalties–Fines and jail timeThreats–Human–
Natural–Environmental
SummaryMalware–Viruses–Trojans–Spyware–Worms–
RansomwareSecurity management processTips for
cybersecurityNIST cybersecurity framework–Framework Core–
Framework Implementation Tiers–Framework Profile
Chapter Ten
Performance Standards and Measures
Health Care Management
Karen A. WagerIFrances Wickham LeeIJohn P. Glaser
GlaserTo explain the significant role of health information in
national private andpublic quality improvement initiativesTo
compare and contrast licensure, certification, and accreditation
processesTo discuss the role of the Joint Commission and the
National Committee forQuality Assurance in ensuring the
quality of care in the USTo understand performance
measurement development in the USTo identify the roles of
specific public and private organizations in thedevelopment and
endorsement of national performance measuresTo understand
the origins and uses of major health care comparative data sets
GlaserLearning Objectives

GlaserLicensure, certification, and accreditationThe Joint
CommissionNational Committee for Quality Assurance
(NCQA)Data sources for quality measuresComparative health
care data setsQuality improvement–Federal initiatives–CMS
initiatives
Outline
GlaserLicensure–The process that gives a facility legal approval
to operate–State governments oversee the licensure of health
care facilitiesCertification–Gives a health care organization the
authority to participate in the federalMedicare and Medicaid
programs–CMS developed minimum standards, conditions of
participation (CoPs)Accreditation–Voluntary, external review
process–Financial and legal incentives for accredited
organizations
Definitions
GlaserAn independent, not-for-profit organizationBest-known
health care accrediting agency in the USSite-surveys every 3
years(2 years for laboratories)Standards manuals are
publishedannuallyCategories of accreditationPreliminary
accreditationAccreditationAccreditation with follow -up survey
The Joint CommissionContingent accreditationPreliminary
denial of accreditationDenial of accreditation
GlaserRecord of Care (RC), Treatment, and Services Standards –
Content needed for a complete health record, regardless of its
formatInformation Management (IM) Standards–Apply to
bothnoncomputerizedsystems and systems with the
latesttechnologies

StandardsThe Joint Commission
GlaserNational Committee for Quality Assurance
(NCQA)Leading accrediting body for health plans–Quality
management and improvement–Utilization management–
Credentialing andrecredentialing–Member’s rights and
responsibilities–Member connections–Medicaid benefits and
services–Health effectiveness data and information set (HEDIS)
NCQA
GlaserCrossing the Quality Chasm–Published in 2001 by
Institute of Medicine (IOM)–Outlined 6 aims for establishing
quality health careSafeEffectivePatient-
centeredTimelyEfficientEquitable
Quality of Care
GlaserAdministrative Data–Claims databasesDisease registries–
Data on patients with specific conditionsHealth records–
Detailed patient informationQualitative data–Patient surveys or
interviews
Quality CareData Sources for Measures
GlaserHEDIS–Set of health care performance measures–90% of
health plans in the US collect and report HEDIS
dataClinicalquality measures (CQMs)–Identified and updated by
CMS each year–Developed by private organizations, health care
societies,collaboratives,alliances, and government agencies –
Required for accreditation by the Joint Commission

Quality CareMeasurement Development
GlaserComparative health data sets–Benchmarking: comparing
one or more performance measures against astandardPatient
satisfaction data sets–Survey data–Agency for Healthcare
Research and Quality (AHRQ)Consumer Assessment of
Healthcare Providers and Systems (CAHPS) programPractice
patterns data set–Dartmouth Atlas: interactive, online tool
funded by the Dartmouth Institutefor Health Policy and Clinical
Practice
Data Sets
GlaserClinical data sets–Quality Check: established by the Joint
Commission–Hospital Compare: sponsored by CMSComparative
data for health plans–NCQA health care report cards–Accessible
athttp://reportcard.ncqa.org
Data Sets
GlaserPatient Safety Act–Patient safety organizations (PSOs):
responsible for the collection andanalysis of health information
that is referred to in the Final Rule as patientsafety work
product (PSWP)–PSWP: contains identifiable patient
information covered by specificprivilege and confidentiality
protectionsIncidentsNear misses (or close calls)Unsafe
conditions–Common formats: established by AHRQ to help
providers uniformly reportpatient safety events
Quality ImprovementFederal Initiatives

GlaserNational Quality Strategy (NQS)–Established by the
Affordable CareAct–3 broad aimsBetter careHealthy
people/healthycommunitiesAffordable care–“Levers” to ensure
alignment withthe NQSMeasurement and feedbackPublic
reportingLearning and technical assistanceCertification,
accreditation, regulationConsumer incentives & benefit
designsPaymentHealth information technologyInnovation and
diffusionWorkforce development
Quality ImprovementFederal Initiatives
GlaserOriginal value-based programs were an attempt to link
performance onendorsed quality measures to reimbursement–
Hospital value-based purchasing (HVBP)–Hospital readmissions
reduction (HRR)–Hospital-acquired conditions (HAC)–Value
modifier (VM) (or Physician value-based modifier [PVBM])The
Medicare Access and CHIP Reauthorization Act (MACRA)–
Enacted in 2015–Streamlines quality programs under the Merit-
based Incentive PaymentSystem (MIPS)
Quality ImprovementCMS Programs
GlaserLicensure, certification, andaccreditationThe Joint
CommissionNational Committee for QualityAssurance
(NCQA)Datasources for qualitymeasures–Administrative data–
Disease registries–Health records–Qualitative dataMeasurement
development–HEDIS–CQMsComparativehealth care datasets–
Benchmarking–Patient satisfaction–Practice patterns–Clinical
data–Comparative data for health plans
Summary
GlaserQualityimprovement–FederalinitiativesPatient Safety

ActPatient safety workproduct (PSWP)National Quality
Strategy (NQS)–CMSinitiativesValue-based programsMACRA–
MIPS
Summary

Chapter NinePrivacy and SecurityHealth Care Information Systems

Recommended

Recommended

More Related Content

Similar to Chapter NinePrivacy and SecurityHealth Care Information Systems

Similar to Chapter NinePrivacy and SecurityHealth Care Information Systems (20)

More from JinElias52

More from JinElias52 (20)

Recently uploaded

Recently uploaded (20)

Chapter NinePrivacy and SecurityHealth Care Information Systems