Chapter Nine
Privacy and Security
Health Care Information Systems: A Practical Approach for Health Care Management, 4th edition
Karen A. Wager | Frances Wickham Lee | John P. Glaser

Learning Objectives
- Distinguish among privacy, confidentiality, and security as they relate to health information
- Identify the purpose of the Privacy Act of 1974 and 42 C.F.R. Part 2, Confidentiality of Substance Abuse Patient Records
- Describe and discuss the impact of the HIPAA Privacy, Security, and Breach Notification rules
- Identify threats to health care information and information systems caused by humans (intentional and unintentional), natural causes, and the environment
- Understand the purpose and key components of the health care organization security program and the need to mitigate security risks
- Discuss the increased need for and identify resources to improve cybersecurity in health care organizations

Outline
- Privacy, confidentiality, and security
- Legal protection
- HIPAA
  - Privacy Rule
  - Security Rule
  - Breach Notification Rule
- Threats
- Cybersecurity
- NIST

Definitions
- Privacy
  - An individual's right to be left alone and to limit access to his or her health care information
- Confidentiality
  - Addresses the expectation that information shared with a health care provider during the course of treatment will be used only for its intended purpose and not disclosed otherwise
- Security
  - The systems in place to protect health information and the systems within which it resides

Legal Protection
- Federal HIPAA Privacy, Security, and Breach Notification rules
- State privacy laws
- Federal Trade Commission (FTC) Act consumer protection
- The Privacy Act of 1974
  - Protected patient confidentiality only in federally operated health care facilities
- Confidentiality and Substance Abuse Patient Records
  - Set stringent release of information standards, designed to protect the confidentiality of patients seeking alcohol or drug treatment

HIPAA
- 1996: Signed into law
- First comprehensive federal regulation to offer specific protection to private health information
- 2003: HIPAA Privacy Rule
- 2005: HIPAA Security Rule
- Defines covered entities (CE) to which these rules apply
HIPAA Privacy Rule
- Defines PHI
  - Relates to a person's physical or mental health, the provision of health care, or the payment for health care
  - Identifies the person who is the subject of the information
  - Is created or received by a covered entity
  - Is transmitted or maintained in any form (paper, electronic, or oral)
- 5 major components
  - Boundaries
  - Security
  - Consumer control
  - Accountability
  - Public responsibility
HIPAA Patient Authorization
- Written authorization required for all nonroutine uses or disclosure of PHI
  - School
  - Relative
- PHI can be released without patient authorization in some instances
  - Presence of a communicable disease
  - Suspected child or adult abuse
  - Legal duty to warn of a clear and imminent danger from a patient
  - Bona fide medical emergency
  - Valid court order
HIPAA Patient Authorization
Elements of a valid release form
- Patient identification (name, DOB)
- Name of person/entity to whom the information is being released
- Description of specific health information authorized for disclosure
- Statement of reason/purpose of the disclosure
- Date, event, or condition on which the authorization will expire, unless revoked earlier
- Statement that authorization is subject to revocation by patient/legal representative
- Patient's/legal representative's signature
- Signature date (must be after date of encounter that produced the information to be released)
HIPAA Security Rule
- Governs ePHI
  - Protected health information maintained or transmitted in electronic form
  - May be stored in any type of electronic media
- HIPAA Security Administrative Safeguards
  - Security management functions
  - Assigned security responsibility
  - Workforce security
  - Information access management
  - Security awareness and training
  - Security incident reporting
  - Contingency plan
  - Evaluation
  - Business associate contracts and other arrangements
HIPAA Security Rule
- HIPAA Security Physical Safeguards
  - Facility access controls
  - Workstation use
  - Workstation security
  - Device and media controls
- Policies, Procedures, and Documentation
- HIPAA Security Technical Safeguards
  - Access control
  - Audit controls
  - Integrity
  - Person or entity authentication
  - Transmission security
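The slide lists the technical safeguards only by name. The following Python example, added here and not taken from the textbook, shows what two of them (audit controls and integrity) look like in code: an access log for ePHI in which every entry is chained to the previous one and authenticated with an HMAC, so that a later edit or deletion of an entry is detected when the chain is verified. The key, user names, patient identifiers and the three logged events are constructed for the example; no real system or data is involved.

```python
"""Tamper-evident audit log for ePHI access events.

Added example (not from the textbook): shows how two of the Security Rule's
technical safeguards, audit controls and integrity, can be realised in code.
Each log entry is chained to the previous one and authenticated with an HMAC,
so an after-the-fact edit or deletion is detected on verification.
The key, user names and patient identifiers below are constructed for the
example only.
"""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical key for the example. In a real system the key lives in a
# KMS/HSM or secrets manager and is never hard-coded in source.
AUDIT_KEY = b"example-only-audit-key"

GENESIS = "0" * 64  # chain anchor used before the first entry


def entry_mac(prev_mac: str, record: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC and the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev_mac.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list = []  # each item: {"record": ..., "prev": ..., "mac": ...}

    def append(self, user: str, action: str, patient_id: str, outcome: str) -> str:
        """Record one ePHI access event and return its MAC."""
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "patient_id": patient_id,
            "outcome": outcome,
        }
        mac = entry_mac(prev, record)
        self.entries.append({"record": record, "prev": prev, "mac": mac})
        return mac

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            # Sequence and back-pointer checks catch deleted or reordered entries.
            if entry["record"]["seq"] != i or entry["prev"] != prev:
                return False, i
            # MAC check catches any change to the record's content.
            expected = entry_mac(prev, entry["record"])
            if not hmac.compare_digest(entry["mac"], expected):
                return False, i
            prev = entry["mac"]
        return True, None


def build_sample_log() -> AuditLog:
    """Three constructed access events (sample data, not real patients)."""
    log = AuditLog()
    log.append("dr_smith", "VIEW", "MRN-0001", "success")
    log.append("nurse_lee", "UPDATE", "MRN-0001", "success")
    log.append("clerk_doe", "VIEW", "MRN-0042", "denied")
    return log


def tamper_modify(log: AuditLog) -> Tuple[bool, Optional[int]]:
    """Simulate someone rewriting a denied access as a successful one."""
    log.entries[2]["record"]["outcome"] = "success"
    return log.verify()


def tamper_delete(log: AuditLog) -> Tuple[bool, Optional[int]]:
    """Simulate someone removing the middle entry from the log."""
    del log.entries[1]
    return log.verify()


if __name__ == "__main__":
    print("intact log:", build_sample_log().verify())          # (True, None)
    print("edited entry:", tamper_modify(build_sample_log()))  # (False, 2)
    print("deleted entry:", tamper_delete(build_sample_log())) # (False, 1)
```

The chain only proves integrity against parties who do not hold the key, which is where the third safeguard on the slide, person or entity authentication, comes in: the key must belong to the logging service, not to the application users whose actions are being recorded, and verification should be run by a separate reviewer or audit function rather than by the same component that writes the entries.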
HIPAA Breach Notification Rule
- Requires CEs and their business associates to provide notification following a breach of unsecured protected health information
  - Unsecured: PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance
  - Secured: encrypted using a valid encryption process, or the media on which the PHI is stored have been destroyed
HIPAA Breach Notification Rule
- Who is notified?
  - Individuals affected
  - Health and Human Services Secretary (via the Office for Civil Rights)
  - Major media outlets
HIPAA Enforcement
- Office for Civil Rights
  - Responsible for enforcing the HIPAA Privacy and Security rules
- State attorneys general
  - Given authority by HITECH to bring civil actions on behalf of the residents of their state for HIPAA violations
HIPAA Violation Penalties
- Tiered schedule (both civil and criminal penalties)
- Civil penalties involve fines
  - Cannot be levied if resolved within a specified period of time
- Criminal penalties involve jail time (anywhere from 1 to 10 years)
Threats
- Human tampering threats
  - Intentional or unintentional
  - Internal or external
- Natural and environmental threats
- Environmental factors and technology malfunctions
Malware
- General term for software that is written to "infect" and subsequently harm a host computer system
- Common forms of malware
  - Viruses: infect the host system and spread themselves
  - Trojans: designed to look like a safe program; steal personal information or take over the resources of the host computer
  - Spyware: tracks Internet activities, assisting the hacker in gathering information without consent
  - Worms: replicate themselves and destroy files on the host computer
  - Ransomware: encrypts and locks folders; demands money to unlock
Security Management Process
- Lead your culture, select your team, learn
- Document your process, findings, and actions
- Review existing security of ePHI / Perform security risk analysis
- Develop an action plan
- Manage and mitigate risks
- Attest for meaningful use security-related objectives
- Monitor, audit, and update security on an ongoing basis
Cybersecurity
- Protect mobile devices
- Maintain good computer habits
- Use a firewall
- Install and maintain antivirus software
- Plan for the unexpected (i.e., create backups)
- Control access to PHI
- Use strong passwords
- Limit network access
- Control physical access
NIST
- National Institute of Standards and Technology (NIST)
- Developed a cybersecurity framework to reduce cyber attack risks
  - Framework Core (identify, protect, detect, respond, recover)
  - Framework implementation tiers
  - Framework profile
Summary
- Privacy, confidentiality, security
- HIPAA Privacy Rule
  - Authorization
- HIPAA Security Rule
  - Administrative safeguards
  - Physical safeguards
  - Technical safeguards
  - Policies, procedures, documentation
- HIPAA Breach Notification Rule
- HIPAA Enforcement
  - Office for Civil Rights
  - State attorneys general
- Violation penalties
  - Fines and jail time
- Threats
  - Human
  - Natural
  - Environmental
- Malware
  - Viruses
  - Trojans
  - Spyware
  - Worms
  - Ransomware
- Security management process
- Tips for cybersecurity
- NIST cybersecurity framework
  - Framework Core
  - Framework Implementation Tiers
  - Framework Profile
Chapter Ten
Performance Standards and Measures
Health Care Information Systems: A Practical Approach for Health Care Management, 4th edition
Karen A. Wager | Frances Wickham Lee | John P. Glaser

Learning Objectives
- To explain the significant role of health information in national private and public quality improvement initiatives
- To compare and contrast licensure, certification, and accreditation processes
- To discuss the role of the Joint Commission and the National Committee for Quality Assurance in ensuring the quality of care in the US
- To understand performance measurement development in the US
- To identify the roles of specific public and private organizations in the development and endorsement of national performance measures
- To understand the origins and uses of major health care comparative data sets

Outline
- Licensure, certification, and accreditation
- The Joint Commission
- National Committee for Quality Assurance (NCQA)
- Data sources for quality measures
- Comparative health care data sets
- Quality improvement
  - Federal initiatives
  - CMS initiatives
Definitions
- Licensure
  - The process that gives a facility legal approval to operate
  - State governments oversee the licensure of health care facilities
- Certification
  - Gives a health care organization the authority to participate in the federal Medicare and Medicaid programs
  - CMS developed minimum standards, conditions of participation (CoPs)
- Accreditation
  - Voluntary, external review process
  - Financial and legal incentives for accredited organizations

The Joint Commission
- An independent, not-for-profit organization
- Best-known health care accrediting agency in the US
- Site-surveys every 3 years (2 years for laboratories)
- Standards manuals are published annually
- Categories of accreditation
  - Preliminary accreditation
  - Accreditation
  - Accreditation with follow-up survey
  - Contingent accreditation
  - Preliminary denial of accreditation
  - Denial of accreditation

The Joint Commission: Standards
- Record of Care (RC), Treatment, and Services Standards
  - Content needed for a complete health record, regardless of its format
- Information Management (IM) Standards
  - Apply to both noncomputerized systems and systems with the latest technologies
NCQA
- National Committee for Quality Assurance (NCQA)
- Leading accrediting body for health plans
  - Quality management and improvement
  - Utilization management
  - Credentialing and recredentialing
  - Members' rights and responsibilities
  - Member connections
  - Medicaid benefits and services
  - Healthcare Effectiveness Data and Information Set (HEDIS)

Quality of Care
- Crossing the Quality Chasm
  - Published in 2001 by the Institute of Medicine (IOM)
  - Outlined 6 aims for establishing quality health care
    - Safe
    - Effective
    - Patient-centered
    - Timely
    - Efficient
    - Equitable

Quality Care: Data Sources for Measures
- Administrative data
  - Claims databases
- Disease registries
  - Data on patients with specific conditions
- Health records
  - Detailed patient information
- Qualitative data
  - Patient surveys or interviews

Quality Care: Measurement Development
- HEDIS
  - Set of health care performance measures
  - 90% of health plans in the US collect and report HEDIS data
- Clinical quality measures (CQMs)
  - Identified and updated by CMS each year
  - Developed by private organizations, health care societies, collaboratives, alliances, and government agencies
  - Required for accreditation by the Joint Commission
Data Sets
- Comparative health data sets
  - Benchmarking: comparing one or more performance measures against a standard
- Patient satisfaction data sets
  - Survey data
  - Agency for Healthcare Research and Quality (AHRQ) Consumer Assessment of Healthcare Providers and Systems (CAHPS) program
- Practice patterns data set
  - Dartmouth Atlas: interactive, online tool funded by the Dartmouth Institute for Health Policy and Clinical Practice

Data Sets
- Clinical data sets
  - Quality Check: established by the Joint Commission
  - Hospital Compare: sponsored by CMS
- Comparative data for health plans
  - NCQA health care report cards
  - Accessible at http://reportcard.ncqa.org

Quality Improvement: Federal Initiatives
- Patient Safety Act
  - Patient safety organizations (PSOs): responsible for the collection and analysis of health information that is referred to in the Final Rule as patient safety work product (PSWP)
  - PSWP: contains identifiable patient information covered by specific privilege and confidentiality protections
    - Incidents
    - Near misses (or close calls)
    - Unsafe conditions
  - Common formats: established by AHRQ to help providers uniformly report patient safety events
Quality Improvement: Federal Initiatives
- National Quality Strategy (NQS)
  - Established by the Affordable Care Act
  - 3 broad aims
    - Better care
    - Healthy people/healthy communities
    - Affordable care
  - "Levers" to ensure alignment with the NQS
    - Measurement and feedback
    - Public reporting
    - Learning and technical assistance
    - Certification, accreditation, regulation
    - Consumer incentives & benefit designs
    - Payment
    - Health information technology
    - Innovation and diffusion
    - Workforce development

Quality Improvement: CMS Programs
- Original value-based programs were an attempt to link performance on endorsed quality measures to reimbursement
  - Hospital value-based purchasing (HVBP)
  - Hospital readmissions reduction (HRR)
  - Hospital-acquired conditions (HAC)
  - Value modifier (VM) (or Physician value-based modifier [PVBM])
- The Medicare Access and CHIP Reauthorization Act (MACRA)
  - Enacted in 2015
  - Streamlines quality programs under the Merit-based Incentive Payment System (MIPS)

Summary
- Licensure, certification, and accreditation
- The Joint Commission
- National Committee for Quality Assurance (NCQA)
- Data sources for quality measures
  - Administrative data
  - Disease registries
  - Health records
  - Qualitative data
- Measurement development
  - HEDIS
  - CQMs
- Comparative health care data sets
  - Benchmarking
  - Patient satisfaction
  - Practice patterns
  - Clinical data
  - Comparative data for health plans
- Quality improvement
  - Federal initiatives
  - Patient Safety