Chapter 9: Patient Safety, Quality and Value
Harry Burke MD PhD
Learning Objectives
After reviewing the presentation, viewers should be able to:
Define safety, quality, near miss, and unsafe action
List the safety and quality factors that justified the clinical
implementation of electronic health record systems
Discuss three reasons why the electronic health record is central
to safety, quality, and value
List three issues that clinicians have with the current electronic
health record systems and discuss how these problems affect
safety and quality
Describe a specific electronic patient safety measurement
system and a specific electronic safety reporting system
Describe two integrated clinical decision support systems and
discuss how they may improve safety and quality
Patient Safety-Related Definitions
Safety: minimization of the risk and occurrence of patient harm
events
Harm: inappropriate or avoidable psychological or physical
injury to patient and/or family
Adverse Events: “an injury resulting from a medical
intervention”
Preventable Adverse Events: “errors that result in an adverse
event that are preventable”
Overuse: “the delivery of care of little or no value” e.g.
widespread use of antibiotics for viral infections
Underuse: “the failure to deliver appropriate care” e.g.
vaccines or cancer screening
Misuse: “the use of certain services in situations where they are
not clinically indicated” e.g. MRI for routine low back pain
Introduction
Medical errors are unfortunately common in healthcare, in spite
of sophisticated hospitals and well trained clinicians
Often it is breakdowns in protocol and communication, and not
individual errors
Technology has potential to reduce medical errors (particularly
medication errors) by:
Improving communication between physicians and patients
Improving clinical decision support
Decreasing diagnostic errors
Unfortunately, technology also has the potential to create
unique new errors that cause harm
Medical Errors
Errors can be related to diagnosis, treatment and preventive
care. Furthermore, medical errors can be errors of commission
or omission and fortunately not all errors result in an injury and
not all medical errors are preventable
Most common outpatient errors:
Prescribing medications
Getting the correct laboratory test for the correct patient at the
correct time
Filing system errors
Dispensing medications and responding to abnormal test results
While many would argue that treatment errors are the most
common category of medical errors, diagnostic errors accounted
for the largest percentage of malpractice claims, surpassing
treatment errors in one study
Diagnostic errors can result from missed, wrong or delayed
diagnoses and are more likely in the outpatient setting. This is
somewhat surprising given the fact that US physicians tend to
practice “defensive medicine”
Over-diagnosis may also cause medical errors but this has been
less well studied
Medical Errors
Unsafe healthcare lowers quality but safe medicine is not
always high quality
From the National Academy of Medicine’s perspective, quality
is a set of six aspirational goals: medical care should be safe,
effective, timely, efficient, patient-centered, and equitable
Value relates to how important something is to us
Cost-effective?
Necessary?
Affect morbidity, mortality or quality of life?
Quality, Safety and Value
Most adverse events result from unsafe actions or inactions by
anyone on the healthcare team, including the patient
Missed care is “any aspect of required care that is omitted either
in part or in whole or delayed”
Many of the above go unreported
Unsafe Actions
Most near-miss events are not reported. Many are not witnessed
The tendency is to blame the individual, but healthcare is
complex and there are often “system errors”
Most safety systems are retrospective; we need to move to be
proactive
We need good data, such as the ratio of detected unsafe actions
divided by the opportunity of an unsafe action, over a specified
time interval
Reporting Unsafe Actions
Patient Safety Reporting System: event is recorded and if it is a
sentinel event, it is investigated.
Most systems are not integrated with the EHR
Root Cause Analysis: common approach to determine the cause
of an adverse event. This has limitations
HEDIS measures can help track quality issues
Patient Safety Systems
Current reimbursement models mandate quality measures, e.g.
Medicare Patient Safety Monitoring System, now operated by
AHRQ. The new system is known as the Quality and Safety
Review System. Still labor intensive and manual
Global Trigger Tool: evaluates hospital safety. Said to detect
90% of adverse events. Select 10 discharge records and two
reviewers review the chart for any of the 53 “triggers”
Patient Safety Systems
Paper records have multiple disadvantages, as pointed out in the
EHR chapter
Expectations have been very high regarding the EHR’s impact
on safety, quality and value
Unfortunately, results have been mixed and there has not been a
prospective study conducted to prove the EHR’s benefit towards
safety and quality
Using the EHR to Improve Safety, Quality and Value
High expectations that CDS that is part of EHRs will improve
safety
As per multiple chapters in the textbook, CDS has mixed
reviews, in terms of safety and quality
Adverse events regarding CDS include “alert fatigue”
The FDA will regulate software that is related to treatment and
decision making
Clinical Decision Support
Results in altered workflow and decreased efficiency.
Physicians are staying late to complete notes in the EHR
In an effort to save time physicians may “cut and paste” old
histories into the EHR, creating new problems
EHRs may create new safety issues “e-iatrogenesis”
Because of the multiple issues, it is very common to see offices
and hospitals change EHRs, not always solving the problem
Clinician’s Issues with EHRs
Roughly 2/3 of EHR data is unstructured (free text) so it is not
computable.
While natural language processing (NLP) may help solve this,
we are a long way from resolution
Multiple open source and commercial NLP programs exist but
they require a great deal of time and expertise to match the
results a manual chart review would produce
Clinician’s Issues with EHRs
Governmental Organizations Involved with Patient Safety
US Federal Agencies:
Department of Health and Human Services (HHS)
Agency for Healthcare Research and Quality (AHRQ)
Centers for Medicare and Medicaid Services (CMS)
Non-reimbursable complications: (3 examples)
Objects left in a patient during surgery and blood
incompatibility
Catheter-associated urinary tract infections
Pressure ulcers (bed sores)
Hospitals must assemble, analyze and trend clinical and
administrative data to capture baseline data and measure
improvement over time
Health IT-based interventions are expected to assist
Governmental Organizations
Office of the National Coordinator for HIT
Learn: “Increase the quantity and quality of data and knowledge
about health IT safety.”
Improve: “Target resources and corrective actions to improve
health IT safety and patient safety”
Safety goals will be aligned with meaningful use objectives.
Lead: “Promote a culture of safety related to health IT”
Governmental Organizations
The Food and Drug Administration
MedWatch: posts drug alerts and offers online reporting area
Center for Devices and Radiological Health (CDRH)
Plan to regulate mobile medical applications designed for use
on smartphones
State Patient Safety Programs: By 2010, 27 states and the
District of Columbia passed legislation or regulation related to
hospital reporting of adverse events to a state agency
Meaningful Use Objectives and Potential Impact on Patient
Safety
Objective: Use computerized provider order entry (CPOE) for
medication, laboratory, and radiology orders directly entered by
any licensed healthcare professional who can enter orders into
the medical record per state, local, and professional guidelines
Objective: Use clinical decision support to improve
performance on high-priority health conditions
Meaningful Use Objectives and Potential Impact on Patient
Safety
Objective: Automatically track medications from order to
administration using assistive technologies in conjunction with
an electronic medication administration record (eMAR)
Objective: Generate and transmit discharge prescriptions
electronically (eRx)
Non-Governmental Organizations and Patient Safety
National Patient Safety Foundation (NPSF) Goals:
Identifying and creating a core body of knowledge
Identifying pathways to apply the knowledge
Developing and enhancing the culture of receptivity to patient
safety
Raising public awareness and fostering communication around
patient safety
National Academy of Medicine (was the Institute of Medicine
or IOM)
Institute of Medicine (IOM) Recommendations
Congress should create a Center for Patient Safety within the
Agency for Healthcare Research and Quality
A nationwide reporting system for medical errors should be
established
Volunteer reporting should be encouraged
Congress should create legislation to protect internal peer
review of medical errors
Performance standards and expectations by healthcare
organizations should include patient safety
FDA should focus more attention on drug safety
Healthcare organizations and providers should make patient
safety a priority goal
Healthcare organizations should implement known medication
safety policies
IOM Report - 2003
Patient safety must be linked to medical quality
A new healthcare system must be developed that will prevent
medical errors in the first place
New methods must be developed to acquire, study and share
error prevention among physicians, particularly at the point of
care
The IOM recommended specific data standards so patient
safety-related information can be recorded, shared and analyzed
IOM Report - 2011
Report focused exclusively on health IT and patient safety and
quality
Publish an “action and surveillance plan”
Push health IT vendors to support the free exchange of
information about health IT experiences and issues
Public and private sectors should make comparative user
experiences public
Health IT Safety Council should assess and monitor safe use of
health IT
Specify quality and risk management processes health IT
vendors must adopt
Establish an independent federal entity to investigate patient
safety deaths, serious injuries, or potentially unsafe conditions
associated with health IT
Support cross-disciplinary research toward the use of health IT
as part of a learning system
Non-Governmental Organizations and Patient Safety
The National Quality Forum
The Joint Commission:
Published the 2018 National Patient Safety Goals
They also published an alert about the potential for HIT to
create new patient safety issues
LeapFrog Group
HealthGrades
Institute for Safe Medication Practices (ISMP)
HealthGrades 2017 Patient Safety
Excellence Awards
Award recognizes hospitals with the lowest occurrences of 14
preventable patient safety events, placing the hospitals in the
top 10% in the nation for patient safety
This organization reviews the data from inpatient Medicare and
Medicaid cases each year and rates hospitals, in terms of patient
safety
They estimate that the top ranking hospitals represent, on
average, a 43% lower risk of a patient safety adverse event
compared to the lowest ranking hospitals
Quality Care Finder
www.hospitalcompare.hhs.gov
Allows consumers to review quality metrics e.g. morbidity and
mortality when making decisions
Technologies with Potential to Decrease Medication Errors
Computerized provider order entry (CPOE) Benefits:
Improved handwriting identification
Reduced time to arrive in the pharmacy
Fewer errors related to similar drug names
Easier to integrate with other IT systems
Easier to link to drug-drug interactions
More likely to identify the prescriber
Available for immediate analysis
Can link to clinical decision support to recommend drugs of
choice
Jury still out on actual reduction of serious ADEs
Technologies with Potential to Decrease Medication Errors
Health Information Exchange (HIE):
Improve patient safety by better communication between
disparate healthcare participants
Automated Dispensing Cabinets (ADCs): like ATM machines
for medications on a ward
Home Electronic Medication Management System: home
dispensing, particularly for the elderly or non-compliant patient
Pharmacy Dispensing Robots: bottles are filled automatically
Electronic Medication Administration Record (eMAR):
electronic record of medications that is integrated with the EHR
and pharmacy
Intravenous (IV) Infusion Pumps: regulate IV drug dosing
accurately
Bar Coding Medication Administration: the patient, drug and
nurse all have a barcoded identity
These must all match for the drug to be given without any alerts
Bar codes are inexpensive but the software and other
components are expensive
Some healthcare systems have shown a significant reduction in
medication administration errors, but many of these were minor
and would not have resulted in serious harm
Technologies with Potential to Decrease Medication Errors
Medication Reconciliation
When patients transition from hospital-to-hospital, from
physician-to-physician or from floor-to-floor, medication errors
are more likely to occur
Joint Commission mandated hospitals must reconcile a list of
patient medications on admission, transfer and discharge
The task may be facilitated by the EHR, but confusion may still exist
if there are multiple physicians, multiple pharmacies, poor
compliance or dementia
Barriers to Improving
Patient Safety through Technology
Organizational: health systems leadership must develop a strong
“culture of safety”
Financial: Cost for multiple sophisticated HIT systems is
considerable
Error reporting: is voluntary and inadequate and usually “after
the fact”
Unintended Consequences
Technology may reduce medical errors but create new ones:
Medical alarm fatigue
Infusion Pump errors
Distractions related to mobile devices
Electronic health records: data can be missing and/or incorrect,
there can be typographical entry errors, and older information is
sometimes copied and pasted into the current record
Patient safety continues to be an ongoing problem with too
many medical errors reported yearly
Multiple organizations are reporting patient safety data
transparently to hopefully support change
There is a great expectation that HIT will improve patient
quality which in turn will decrease medical errors
There is some evidence that clinical decision support reduces
errors, but studies overall are mixed
Leadership must establish a “culture of safety” to effectively
achieve improvement in patient safety
Conclusions
Chapter 10: Health Information Privacy and Security
John Rasmussen MBA
Learning Objectives
After reviewing the presentation, viewers should be able to:
Explain the importance of confidentiality, integrity, and
availability
Describe the regulatory environment and how it drives
information privacy and security programs within the health
care industry
Recognize the importance of data security and privacy as
related to public perception, particularly regarding data breach
and loss
Identify different types of threat actors and their motivations
Identify different types of controls used and how they are used
to protect information
Describe emerging risks and how they impact the health care
sector
Confidentiality refers to the prevention of data loss, and is the
category most easily identified with HIPAA privacy and
security within healthcare environments. Usernames,
passwords, and encryption are common measures implemented
to ensure confidentiality
Three Pillars of Data Security
Availability refers to system and network accessibility, and
often focuses on power loss or network connectivity outages.
Loss of availability may be attributed to natural or accidental
disasters such as tornados, earthquakes, hurricanes or fire, but
may also stem from man-made scenarios, such as a Denial of Service
(DoS) attack or a malicious infection which compromises a
network and prevents system use. To counteract such issues,
backup generators, continuity of operations planning and
peripheral network security equipment are used to maintain
availability
Three Pillars of Data Security
Integrity describes the trustworthiness and permanence of data,
an assurance that the lab results or personal medical history of a
patient is not modifiable by unauthorized entities or corrupted
by a poorly designed process. Database best practices, data loss
solutions, and data backup and archival tools are implemented
to prevent data manipulation, corruption, or loss; thereby
maintaining the integrity of patient data
Three Pillars of Data Security
Data must be classified to determine its risk
Healthcare organizations must develop a set of controls to
protect confidentiality, integrity and availability of data
One layer of defense is not likely to be adequate
Healthcare organizations will need technical, administrative and
physical safeguards
Defense in Depth for Healthcare
Administrative Safeguards
Security management processes to reduce risks and
vulnerabilities
Security personnel responsible for developing and implementing
security policies
Information access management-minimum access to perform
duties
Workforce training and management
Background checks, drug screens, etc. for new employees
Evaluation of security policies and procedures
Physical Safeguards
Limit physical access to facilities
Workstation and device security policies and procedures
covering transfer, removal, disposal, and re-use of electronic
media
Badge with photo
Physical Safeguards
Technical Safeguards
Access control that restricts access to authorized personnel
Audit controls for hardware, software, and transactions
Integrity controls to ensure data is not altered or destroyed
Transmission security to protect against unauthorized access to
data transmitted on networks and via email
Unique usernames and passwords, encrypted software, anti-
virus software, secure email, firewalls, etc.
Technical Safeguards
Healthcare Regulatory Environment
Health Insurance Portability & Accountability Act (HIPAA -
1996)
Laid the groundwork for privacy and security measures in
healthcare. Initial intent was to cover patients who switched
physicians or insurers (portability)
Next important Act was the American Recovery and
Reinvestment Act (ARRA - 2009) & HITECH Act that imposed
new requirements for breach notification and stiffer penalties
Health Plans: Health insurers, HMOs, Company health plans,
Government programs such as Medicare and Medicaid
Health Care Providers who conduct business electronically:
Most doctors, Clinics, Hospitals, Psychologists, Chiropractors,
Nursing homes, Pharmacies, Dentists
Health care clearinghouses
Covered Entities or Those Who Must Follow HIPAA Privacy
Rule
Request and receive a copy of their health records
Request an amendment to their health record
Receive a notice that discusses how health information may be
used and shared, the Notice of Privacy Practices
Request a restriction on the use and disclosure of their health
information
Receive a copy of their “accounting of disclosures”
Restrict disclosure of the health information to an insurer if the
encounter is paid for out of pocket
File a complaint with a provider, health insurer, and/or the U.S.
Government if patient rights are being denied or health
information is not being protected.
Covered Entities: Patient Rights
Life insurers
Employers
Workers compensation carriers
Many schools and school districts
Many state agencies like child protective service agencies
Many law enforcement agencies
Many municipal offices
Organizations That Do Not Need To Follow HIPAA Privacy
Rule
Individually identifiable health information:
Information created by a covered entity
And “relates to the past, present, or future physical or mental
health or condition of an individual”
Or identifies the individual or there is a reasonable basis to
believe that the individual can be identified from the
information.
Protected Health Information (PHI)
HIPAA
Protections apply to all personal health information (PHI),
whether in hard copy records, electronic personal health
information (ePHI) stored on computing systems, or even verbal
discussions between medical professionals
Covered entities must put safeguards in place to ensure data is
not compromised, and that it is only used for the intended
purpose
The HIPAA rules are not designed to and should not impede the
treatment of patients
Privacy Rule Mandates Removal of 18 Identifiers
Names
All geographic subdivisions smaller than a state
All elements of dates (except year)
Telephone numbers
Facsimile numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate
numbers
Device identifiers and serial numbers
Web universal resource locators (URLs)
Internet protocol (IP) address numbers
Biometric identifiers, including fingerprints and voiceprints
Full-face photographic images and any comparable images
Any other unique identifying number, characteristic, or code
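How the identifier list above can translate into code, as an added example that is not part of the original slides: a default-deny filter keeps only allowlisted fields, reduces dates to the year, and scrubs pattern-detectable identifiers from free text. The field names, the allowlist and the sample record are constructed assumptions, and free-text scrubbing here only catches identifiers with a recognizable shape plus the patient's own name.

```python
"""Default-deny de-identification of one patient record (constructed example)."""
import re

# Hypothetical field names. Only allowlisted fields survive; every other key is
# treated as a possible identifier ("any other unique identifying number,
# characteristic, or code") and dropped.
SAFE_FIELDS = frozenset({"state", "sex", "diagnosis_code"})
DATE_FIELDS = frozenset({"birth_date", "admission_date"})  # reduced to the year
TEXT_FIELDS = frozenset({"notes"})                         # scrubbed, then kept

# Identifiers from the list that have a recognizable shape in free text.
# Order matters: specific patterns run before looser ones.
TEXT_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    # Telephone and fax numbers share one US-style, 10-digit pattern.
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
]
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")
US_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def year_only(value):
    """Return the four-digit year of an ISO or US-style date string, else None."""
    m = ISO_DATE.fullmatch(value) or US_DATE.fullmatch(value)
    return m.group(1) if m else None


def scrub_text(text, names=()):
    """Replace pattern-detectable identifiers and the given names in free text."""
    for label, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    text = ISO_DATE.sub(r"\1", text)   # keep only the year of any date
    text = US_DATE.sub(r"\1", text)
    # Names run last so they cannot break up an e-mail address before it is matched.
    for name in names:
        for token in name.split():
            if len(token) > 1:
                text = re.sub(rf"\b{re.escape(token)}\b", "[NAME]", text,
                              flags=re.IGNORECASE)
    return text


def deidentify(record):
    """Return (clean_record, dropped_keys); unknown or unparseable fields are dropped."""
    names = [record["name"]] if record.get("name") else []
    clean, dropped = {}, []
    for key, value in record.items():
        if key in SAFE_FIELDS:
            clean[key] = value
        elif key in DATE_FIELDS and year_only(str(value)):
            clean[key] = year_only(str(value))
        elif key in TEXT_FIELDS:
            clean[key] = scrub_text(str(value), names)
        else:
            dropped.append(key)        # fail closed
    return clean, dropped


# Constructed sample record; every value is made up.
SAMPLE = {
    "name": "Jane Roe",
    "mrn": "MRN-0004821",
    "ssn": "000-12-3456",
    "birth_date": "1961-07-04",
    "admission_date": "03/14/2019",
    "city": "Springfield",
    "zip": "00000",
    "state": "IL",
    "sex": "F",
    "diagnosis_code": "E11.9",
    "device_serial": "PUMP-77A1",
    "employer_badge": "B-5519",  # on no list at all: dropped by default
    "notes": ("Jane called from (555) 010-0142 on 03/14/2019; portal login from "
              "192.0.2.15. Email jane.roe@example.org, see "
              "https://portal.example.org/p/8841 for details. SSN 000-12-3456 on file."),
}

if __name__ == "__main__":
    cleaned, removed = deidentify(SAMPLE)
    print(cleaned)
    print("dropped:", removed)
```

The allowlist is what makes the last list item enforceable: a field nobody anticipated, such as `employer_badge`, is removed without anyone having to add it to a blocklist first.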
Permitted Uses and Disclosures of Patient Data
To the individual
For treatment, payment or health care operations
Uses and disclosures with opportunity to agree or object
Facility directories
For notification and other purposes
Incidental use and disclosure
Public interest and benefit activities
Required by law
Public health activities
Victims of abuse, neglect or domestic violence
Health oversight activities
Judicial and administrative proceedings
Law enforcement purposes
Decedents
Cadaveric organ, eye, or tissue donation
Research
Serious threat to health or safety
Essential government functions
Workers’ compensation
BAs are related to the covered entity (CE), such as an EHR
vendor or a transcription service
They must have a BA agreement with the CE
This forces the BA to comply with all security requirements
The BA can be penalized for violating HIPAA requirements
Business Associate (BA)
Unauthorized acquisition, access or use. Exceptions:
Data is encrypted. This is considered a safe harbor; or
“Any unintentional acquisition, access, or use of protected
health information by a workforce member or person acting
under the authority of a covered entity or a business associate,
if such acquisition, access, or use was made in good faith and
within the scope of authority and does not result in further use
or disclosure”; or
“Any inadvertent disclosure by a person who is authorized to
access protected health information at a covered entity or
business associate to another person authorized to access
protected health information at the same covered entity or
business associate, or organized health care arrangement in
which the covered entity participates, and the information
received as a result of such disclosure is not further used or
disclosed”; or
“A disclosure of protected health information where a covered
entity or business associate has a good faith belief that an
unauthorized person to whom the disclosure was made would
not reasonably have been able to retain such information.”
Breach Requirements under HIPAA
If a breach is determined, the covered entity must notify the
individual(s) impacted by the breach. They must inform them
within 60 days of when the breach is identified. The
notification must include:
A description of what happened
A description of the type of PHI that was breached
Steps the individual can take to protect themselves
What the covered entity is doing to investigate the breach and
mitigate harm
Contact information for the individual to contact the covered
entity
If a breach exceeds 500 individuals, the covered entity must
notify the media and must report the breach to the Office for
Civil Rights (OCR).
Regardless of the number of individuals impacted by a breach,
all breaches must be reported to the OCR annually
Breach Notification
Administrative Requirements for the Privacy Rule
Develop and implement written privacy policies and procedures
Designate a privacy official
Workforce training and management
Mitigation strategy for privacy breaches
Data safeguards - administrative, technical, and physical
Designate a complaint official and procedure to file complaints
Establish retaliation and waiver policies and restrictions
Documentation and record retention - six years
Fully-insured group health plan exception
Policy regarding information security practices is often set by
chief information officers (CIOs), chief technology officers
(CTOs), information technology (IT) directors or similar; often
with input from chief medical informatics officers (CMIOs),
HIPAA compliance officers, or the like
Depending on resources, the information technology teams may
consist of network, system administration, security and data
personnel, or could be the very same technical staff relied upon
for all office or clinic IT needs
Organizational Roles
Insiders
Hacktivists
Organized crime
Nation states
Threat Actors
Social Engineering: most common
Phishing: via email or text messaging
Shoulder surfing: attacker looks over the shoulder
Tailgating: attacker uses someone else's ID
Free software: USB drive is found and plugged into a computer,
introducing a virus
Types of Attacks
Denial of Service (DoS): website is flooded with traffic,
shutting it down
Brute Force: random credentials are rapidly thrown at a website
hoping to gain access
Doxing: gathers info about a victim and publishes that to harass
or embarrass the individual.
Types of Attacks
Security Breaches and Attacks
Identity theft on the rise
Physical Theft
Stolen laptops, computers, storage devices and servers
The HHS website lists all of the reported data breaches
affecting over 500 users. The site lists the covered entity, the
number of breach victims, the type of breach and the location of
data (laptop, server, paper, etc.)
Breaches: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
The next slides will list some of the recognized
countermeasures employed by healthcare organizations
Threat Countermeasures
Authentication and
Identity Management
Accomplished with photo identification, biometrics, smart card
technologies, tokens, and the old standard: user name and
password
Basic Authentication may vary depending on sensitivity of data,
the capabilities of the systems, resource constraints - both
technical and monetary, and the frequency of access
Methods discussed here rely on what is known as two or multi-
factor authentication: something one knows, something one has,
or something that one is
Basic authentication:
Username and password combination still employed by a
majority of users today, combining two things that a user knows
Another option is utilizing a grid card, smart card, USB token,
one time password (OTP) token, or OTP service in combination
with something a user knows, such as a passphrase or PIN
Authentication and
Identity Management
Single Sign On (SSO)
One set of credentials to easily access many of the resources
one uses every day securely; example is Google
Smart Cards: Used in Healthcare in many countries
Vital information with a self-contained processor and memory
Low cost, ease of use, portability and durability, and ability to
support multiple applications
Capable of encrypted patient information, biometric signatures
and personal identification (PIN)
Drawbacks: lack of standardization and positive identification
Smart Cards in Healthcare
Authentication and
Identity Management
Biometric Authentication
When combined with passphrases or the tokens, cards, and OTP
solutions discussed previously, a two or multi-factor
authentication solution can be employed
Physical user identifiers: fingerprint, retinal scan, voice imprint
Theft Countermeasures
Render data unusable to thieves
Encryption standards such as FIPS 140-2
Hardware and software encryption techniques
Theft Countermeasures
Security of healthcare data is critical for future success of HIT
ARRA/HITECH supplement the administrative, physical and
technical safeguards implemented by HIPAA
Security measures will continue to improve but so will the
efforts of hackers and criminals who seek access to healthcare
record data and identity theft
Conclusions