Introduction to Healthcare Informatics, Third Edition - Chapter 11: Security for Health Information PDF
Summary
This document provides an overview of security measures to protect electronic protected health information (ePHI). It covers topics like vulnerabilities, risks, and administrative, physical, and technical safeguards. The document also discusses identity theft prevention and operational recommendations, and essential concepts in protecting ePHI.
Full Transcript
EMPOWERING PEOPLE TO IMPACT HEALTH ® ©2023 | AHIMA.ORG

Introduction to Healthcare Informatics, Third Edition
Chapter 11: Security for Health Information

Type of Breaches Under Investigation

Security
- Concerned with ePHI that is created, received, maintained, or transmitted

Security Rule
- Required implementation specifications
- Addressable implementation specifications
- Security incident

Security Risk Analysis
- Full evaluation of the methods, operational practices, and policies used by the covered entity to secure ePHI

Vulnerabilities, 1
- An inherent weakness or absence of a safeguard that can be exploited by a threat
- Technical:
  - Inappropriate protective methods
  - Inappropriate information system
  - Assault
  - Harm
  - Unauthorized corruption
  - National Vulnerability Database

Vulnerabilities, 2
- Nontechnical:
  - Policy and procedure weaknesses

Threats, 1
- The potential for exploitation of a vulnerability, or a potential danger to a computer, network, or data
- Natural:
  - Storms
  - Earthquakes

Threats, 2
- Human:
  - Intentional (hacking)
  - Unintentional (forgetting to log off)
- Environmental:
  - Power failure
  - Environmental agents

Risks
- Probability of incurring injury or loss
- Probability compared to potential impact
- Risk analysis methods: the entity can choose its own risk analysis methods according to its specific situation

Administrative Safeguard Standards
- Security measures to protect ePHI
- Administrative actions
- Policies and procedures

Administrative Safeguard Standard: Security Management Process, 1
- Risk analysis
- Risk management element: how identified risks will be managed
- Communication
- Leadership involvement

Administrative Safeguard Standard: Security Management Process, 2
- Sanctions policy: how noncompliance will be addressed
  - Significance of noncompliance
  - Examples
  - Sliding scale of discipline
- Information systems activity review: audit logs, access reports, incident tracking reports

Administrative Safeguard Standard: Workforce Security
- Addressable:
  - Authorization and supervision: determining the level of access for each workforce member
  - Workforce clearance procedures: determining that access to ePHI is appropriate
  - Termination procedures: removal of access privileges when employment ends

Administrative Safeguard Standard: Information Access Management
- Required:
  - Isolating healthcare clearinghouse functions
- Addressable:
  - Access authorization
  - Access establishment and modification

Administrative Safeguard Standard: Security Awareness and Training
- Addressable:
  - The existing workforce receives training, and periodic training on updates, related to:
    - Security reminders
    - Protection from malicious software
    - Log-in monitoring
    - Password protection

Administrative Safeguard Standard: Security Incident Procedures
- Required:
  - Response and reporting
  - Identify and respond to suspected or known security incidents
  - Mitigate the harmful effects
  - Document security incidents and their outcomes

Administrative Safeguard Standard: Contingency Plan
- Required:
  - Data backup plan
  - Disaster recovery plan
  - Emergency mode specification plan
- Addressable:
  - Testing and revision
  - Application and data criticality analysis

Physical Safeguard Standard: Facility Access Control
- Requires:
  - Limiting physical access to systems and facilities
  - Ensuring that properly authorized access is allowed
- Addressable:
  - Contingency operations
  - Security plan
  - Access control
  - Validation procedures

Physical Safeguard Standard: Workstation Use
- Required:
  - Policies and procedures for the proper functions to be performed and the manner in which they are performed
  - Physical attributes of the workstation's surroundings
  - For both onsite and offsite workstations
- Required:
  - Physical safeguards for all workstations that access ePHI, to restrict access to authorized users

Physical Safeguard Standard: Device and Media Controls
- Required:
  - Disposal
  - Media reuse
- Addressable:
  - Accountability
  - Data backup and storage

Technical Safeguards Standards
- The technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it

Technical Safeguard Standard: Access Control
- Required:
  - Unique user identification
  - Emergency access procedure
- Addressable:
  - Automatic logoff
  - Encryption and decryption

Technical Safeguard Standard: Audit Control
- Required:
  - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information

Technical Safeguard Standard: Integrity
- Addressable:
  - Implement policies and procedures to protect electronic protected health information from improper alteration or destruction

Technical Safeguard Standard: Person or Entity Authentication
- Required:
  - Verify that a person or entity seeking access to ePHI is the one claimed

Technical Safeguard Standard: Transmission Security
- Required:
  - Implement measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network
- Addressable:
  - Integrity controls
  - Encryption

Confidentiality, Integrity, and Availability
- Confidentiality: ePHI is accessible only by authorized people and processes
- Integrity: ePHI is not altered or destroyed in an unauthorized manner
- Availability: ePHI can be accessed as needed by authorized users

Risk Assessment
- Assess potential risks and areas of vulnerability related to the security of the ePHI
- Important in the event of an audit or the investigation of a complaint

Medical Identity Theft, 1
- Personal information taken without the victim's knowledge to obtain medical care, buy drugs, or submit fake billing
- Risks:
  - Disruption of the patient's life
  - Damage to credit rating

Medical Identity Theft, 2
- Financial considerations for patients, providers, and third-party payers
- The damage may alter treatment or even be life threatening to a victim of identity theft if the wrong information subsequently ends up in the patient's health records

Identity Theft Prevention Program, 1
- Identify covered accounts
- Identify relevant red flags
- Detect red flags
- Respond to red flags
- Oversee the program

Identity Theft Prevention Program, 2
- Train employees
- Oversee service provider arrangements
- Approve the Identity Theft Prevention Program
- Provide reports and periodic updates

Identity Theft Operational Recommendations, 1
- Urge and educate consumers to adopt preventive measures
- Exercise caution when sharing personal information
- Monitor EOBs received from insurance companies
- Maintain copies of healthcare records
- Monitor credit reports for unexpected medical charges
- Protect all health insurance and financial information

Identity Theft Operational Recommendations, 3
- Data in the patient record
- Policies and procedures to allow victims access to their patient records
- Establish mechanisms to correct inaccurate information
- Keep current with medical identity theft legislation and regulations
- Provide victims with resources and tools for easier recovery
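The technical safeguard standards summarised in the chapter (unique user identification, automatic logoff, audit controls, integrity controls) and the administrative requirement for an information systems activity review are stated as requirements rather than mechanisms. The following is an added Python example, not part of the AHIMA slides or textbook, showing one minimal way those controls fit together in an ePHI store: every access is tied to a unique user ID, idle sessions are logged off automatically, each record carries an HMAC integrity tag that is verified on read, every attempt is written to an audit log, and a review function picks out the events a reviewer would want to see. The integrity key, the idle timeout, the user name and the patient record are all constructed for the example; the key would come from a key store in a real system.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed values for the example only. A real deployment would load the
# integrity key from a key store and take the timeout from policy.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"
AUTO_LOGOFF_SECONDS = 600  # assumed idle timeout (automatic logoff)


def record_tag(record: dict) -> str:
    """Integrity control: HMAC-SHA256 over a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def record_intact(record: dict, tag: str) -> bool:
    """True only if the record still matches the tag computed when it was stored."""
    return hmac.compare_digest(record_tag(record), tag)


@dataclass
class Session:
    user_id: str        # unique user identification: never a shared account
    last_active: float  # time of the last activity, used for automatic logoff


class EPHIStore:
    def __init__(self, clock):
        self.clock = clock   # injectable clock so the behaviour is deterministic
        self.records = {}    # patient_id -> (record, integrity tag)
        self.sessions = {}   # session_id -> Session
        self.audit_log = []  # audit control: every access attempt is recorded

    def _audit(self, user_id, action, patient_id, outcome):
        self.audit_log.append({"time": self.clock(), "user": user_id,
                               "action": action, "patient": patient_id,
                               "outcome": outcome})

    def login(self, session_id, user_id):
        self.sessions[session_id] = Session(user_id, self.clock())
        self._audit(user_id, "LOGIN", None, "ok")

    def _active_session(self, session_id):
        s = self.sessions.get(session_id)
        if s is None:
            return None
        if self.clock() - s.last_active > AUTO_LOGOFF_SECONDS:
            # Automatic logoff: an idle session is terminated, not honoured.
            del self.sessions[session_id]
            self._audit(s.user_id, "AUTO_LOGOFF", None, "idle")
            return None
        s.last_active = self.clock()
        return s

    def store(self, session_id, patient_id, record):
        s = self._active_session(session_id)
        if s is None:
            self._audit("unknown", "WRITE", patient_id, "denied:no-session")
            return False
        self.records[patient_id] = (dict(record), record_tag(record))
        self._audit(s.user_id, "WRITE", patient_id, "ok")
        return True

    def read(self, session_id, patient_id):
        s = self._active_session(session_id)
        if s is None:
            self._audit("unknown", "READ", patient_id, "denied:no-session")
            return None
        record, tag = self.records[patient_id]
        if not record_intact(record, tag):
            # Improper alteration detected: refuse to serve the record.
            self._audit(s.user_id, "READ", patient_id, "integrity-failure")
            return None
        self._audit(s.user_id, "READ", patient_id, "ok")
        return record


def review_activity(audit_log):
    """Information systems activity review: every event that was not a clean success."""
    return [(e["user"], e["action"], e["patient"], e["outcome"])
            for e in audit_log if e["outcome"] != "ok"]


def demo():
    now = [1000.0]
    store = EPHIStore(clock=lambda: now[0])
    store.login("s1", "nurse.jane")  # constructed user
    store.store("s1", "P001", {"name": "Test Patient", "allergy": "penicillin"})  # constructed record
    store.read("s1", "P001")
    # Simulate alteration of the stored record outside the API (e.g. direct DB edit).
    store.records["P001"][0]["allergy"] = "none"
    tampered = store.read("s1", "P001")         # None: integrity failure
    now[0] += AUTO_LOGOFF_SECONDS + 1
    after_idle = store.read("s1", "P001")       # None: session auto-logged-off
    return tampered, after_idle, review_activity(store.audit_log)


if __name__ == "__main__":
    for finding in demo()[2]:
        print(finding)
```

Running `demo()` produces three review findings in order: the read that fails its integrity check, the automatic logoff of the idle session, and the read that was denied because no session remained. Note what the design does not do: the tag proves that a record was not altered since the store wrote it, but it does not encrypt the record, and it does not by itself satisfy person or entity authentication, which has to happen before `login` is ever called.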