Chapter Seven: Privacy, Security, Confidentiality, and Legal Issues

© 2015 McGraw-Hill Education. All rights reserved.

Upload: jayce-sennett

Post on 14-Dec-2015

TRANSCRIPT

Page 1:

Chapter Seven

Privacy, Security, Confidentiality, and Legal Issues

Page 2:

Learning Outcomes

When you finish this chapter, you will be able to:
– 7.1 Identify the HIPAA privacy and security standards.
– 7.2 Evaluate an EHR system for HIPAA compliance.
– 7.3 Describe the role of certification in EHR implementation.
– 7.4 Apply procedures to set up security measures in PrimeSUITE.
– 7.5 Follow proper procedures to access sensitive or restricted-access records.

Page 3:

Learning Outcomes (cont.)

– 7.6 Apply procedures to ensure data integrity.
– 7.7 Apply procedures to release health information using PrimeSUITE.
– 7.8 Account for data disclosures using PrimeSUITE.
– 7.9 Exchange information with outside healthcare providers for continuity of care using PrimeSUITE.
– 7.10 Outline the content of compliance plans.
– 7.11 Appraise the importance of disaster recovery planning.

Page 4:

Key Terms

• Access report
• Accounting of disclosures
• American Health Information Management Association (AHIMA)
• Audit trail
• Blog
• Breach of confidentiality
• Computer virus
• Confidentiality
• Covered entity
• Data integrity
• Disaster recovery plan
• Directory information
• Encryption
• Firewall
• Hardware
• Healthcare Information and Management Systems Society (HIMSS)

Page 5:

Key Terms (cont.)

• Malware
• Minimum necessary information
• National Alliance for Health Information Technology (NAHIT)
• Notice of Privacy Practices
• Password
• Privacy
• Social media
• User rights

Page 6:

7.1 HIPAA Privacy & Security Standards

• HIPAA (the Health Insurance Portability and Accountability Act) was passed in 1996.
• It contains privacy and security rules, among others.
• The Health Information Technology for Economic and Clinical Health Act (HITECH), enacted in 2009, made the HIPAA rules more stringent.
• HITECH gave government authorities greater power to enforce the privacy and security rules, including tiered civil penalties and enforcement by state attorneys general.

Page 7:

7.1 HIPAA Privacy & Security Standards (cont.)

• March 26, 2013: the HIPAA Omnibus Final Rule, which implements HITECH, took effect.
• September 23, 2013: compliance was required as of this date.
• Enhanced HIPAA privacy regulations.
• Increased individual patient rights.
• Strengthened the government's ability to enforce the law.
• Extended coverage to business associates, which became directly liable for compliance with the Security Rule and the applicable provisions of the Privacy Rule.

Page 8:

7.1 HIPAA Privacy & Security Standards (cont.)

• The Notice of Privacy Practices (NPP) requirements were expanded.
• The maximum civil penalty was increased to $1.5 million per calendar year for all violations of an identical provision.
• Breach notification requirements were enhanced: an impermissible use or disclosure of PHI is now presumed to be a breach unless a documented risk assessment shows a low probability that the PHI was compromised.
• Upon request, patients must be given an electronic copy of their record(s) if the office or hospital maintains the record in an EHR.
• Patients who pay for a service out of pocket in full may instruct the provider not to disclose information about that service to their health plan.

Page 9:

7.1 HIPAA Privacy & Security Standards (cont.)

• The intent is to ensure that Protected Health Information (PHI) is kept private and secure.
• Covered entities are healthcare providers that transmit health information electronically, health plans, and healthcare clearinghouses. Other businesses that create, receive, maintain, or transmit PHI on a covered entity's behalf are business associates; since the Omnibus Rule they are directly subject to the rules as well.
• Only the minimum necessary information may be used, disclosed, or requested for a given purpose. (The minimum necessary standard does not apply to disclosures to, or requests by, a healthcare provider for treatment.)

Page 10:

7.1 HIPAA Privacy & Security Standards (cont.)

• Privacy & confidentiality policies should address:
– Release (disclosure) of information
– Release of directory information
– Written guidelines regarding minimum necessary information
– Faxing of documentation
– Computer access and lockdown
– Password sharing
– Computer screens
– Shredding of hard-copy documents
– Notice of Privacy Practices
– Requirement for staff to sign a confidentiality statement

Page 11:

7.1 HIPAA Privacy & Security Standards (cont.)

• Privacy & confidentiality policies (cont.):
– Password protection
– Appointment of a security and/or privacy officer
– Lock-out after repeated failed log-in attempts
– Protection from computer viruses and malware
– Security audits
– Off-site access
– Printing policies
– Policies and procedures to address privacy or security incidents
– Staff education
– E-mail

Page 12:

7.1 HIPAA Privacy & Security Standards (cont.)

• Firewalls should restrict network access to the system to the traffic that is actually needed.
• Policies should exist to govern the security of hardware devices:
– Lock down the devices.
– Never store passwords on the computer.
– Back up your files and store the backup files off-site.
– Encrypt PHI, both on disk and in transit. A lost or stolen device whose PHI was encrypted in line with HHS guidance does not hold "unsecured PHI," so its loss is not a reportable breach.
– Use portable devices only in secure areas.
– Wipe (or physically destroy) the hard drives of computers taken out of use before recycling them; deleting files or reformatting does not remove the data.

Page 13:

7.2 Evaluating an EHR System for HIPAA Compliance

• Password protection
– Strength of passwords
• Use of a unique identifier for each user (no shared accounts, so every action can be attributed to one person)
• Access to PHI only for those who have a need to know
• Accounting of all disclosures (internal and external)
• A security policy that addresses back-up of data, storage, and restoration of data

Page 14:

7.2 Evaluating an EHR System for HIPAA Compliance (cont.)

• Ability to audit who accessed a record, when, and which area(s) were viewed, edited, or deleted

Page 15:

7.2 Evaluating an EHR System for HIPAA Compliance (cont.)

• Researching, selecting, and implementing an EHR must take into consideration:
– required components of a compliant EHR
– needs of the office or facility
– budget for acquiring a system
– ongoing budget requirements
– staff and training needs
– intent of the EHR
– target date for implementation

Page 16:

7.3 The Role of Certification in EHR Implementation

• The Certification Commission for Health Information Technology (CCHIT) was organized by AHIMA, HIMSS, and NAHIT in 2004.
– Non-governmental, non-profit organization
• Its mission was to accelerate the adoption of interoperable health information technology.
• Its role was to certify EHR systems against published functionality, interoperability, and security criteria, including the privacy and security capabilities that support HIPAA and HITECH compliance. CCHIT ended its certification program in 2014; EHR technology is now certified by ONC-authorized certification bodies under the ONC Health IT Certification Program.
• Certification shows that the product has the required capabilities. It does not by itself make the organization that uses it HIPAA-compliant; that depends on how the product is configured and operated.

Page 17:

7.4 Applying Security Measures

Hands-on exercise to apply security measures:
• Adding new clinical users
• Assigning a password to each new clinical user
• Setting up the provider's user rights
• Assigning user rights for other healthcare professionals
• Assigning user rights for an office manager
• Creating a group
• Setting general system-wide security requirements
• Running an audit trail report

Page 18:

7.5 Apply Procedures to Handle Sensitive and Restricted-Access Records

• Records may contain information that is more personal than clinical in nature.
• Something that happened in the past may be embarrassing or highly sensitive to the patient (for example, behavioral health or substance-abuse treatment records).
• Such records can be flagged as sensitive or restricted-access, so that only staff with an explicit need can open them and every access is recorded.
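The controls listed in 7.2, 7.4 and 7.5 (unique user IDs, password strength, lock-out after failed log-ins, user rights by group and chart area, restricted-access records, and an audit trail of every access) fit together in a small piece of code. The following is an added example written for this page, not PrimeSUITE code; the group names, chart areas, policy values and the break-glass mechanism are hypothetical design choices.

```python
"""Added example (not PrimeSUITE code; hypothetical names and policy values):
a minimal EHR access layer with the controls this chapter says a compliant
EHR must have: unique user IDs, a password-strength check, lock-out after
repeated failed log-ins, group-based user rights per chart area, restricted
records that need an explicit grant (or a logged break-the-glass reason),
and an audit trail of every access attempt, granted or denied."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical system-wide security settings an administrator would set.
MIN_PASSWORD_LENGTH = 12
MAX_FAILED_LOGINS = 5

AREAS = {"demographics", "allergies", "progress_notes", "billing"}

# User rights per group, by chart area: least privilege, so billing staff never
# see clinical notes and clinicians never edit billing. No group gets "delete":
# entries are hidden, never deleted (see 7.6), so a delete request is always denied.
GROUP_RIGHTS = {
    "provider":   {"view": AREAS - {"billing"}, "edit": {"progress_notes", "allergies"}},
    "nurse":      {"view": {"demographics", "allergies", "progress_notes"}, "edit": {"allergies"}},
    "front_desk": {"view": {"demographics"}, "edit": {"demographics"}},
    "billing":    {"view": {"demographics", "billing"}, "edit": {"billing"}},
}

@dataclass
class User:
    user_id: str              # unique identifier; never shared between people
    group: str
    failed_logins: int = 0
    locked: bool = False

@dataclass
class Record:
    patient_id: str
    restricted: bool = False
    allowed_users: set = field(default_factory=set)   # explicit grants for a restricted chart

@dataclass
class AuditEvent:
    when: str
    user_id: str
    patient_id: str
    area: str
    action: str
    granted: bool
    reason: str

def password_meets_policy(pw: str) -> bool:
    """Minimum length and at least three of: lower, upper, digit, symbol."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= MIN_PASSWORD_LENGTH and sum(classes) >= 3

class EHR:
    def __init__(self):
        self.users = {}
        self.records = {}
        self.audit = []        # append-only in a real system

    def add_user(self, user_id, group, password):
        if user_id in self.users:
            raise ValueError("user IDs must be unique")
        if group not in GROUP_RIGHTS:
            raise ValueError(f"unknown group {group}")
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        self.users[user_id] = User(user_id, group)
        return self.users[user_id]

    def record_failed_login(self, user_id):
        """Count a failed log-in; returns True once the account is locked."""
        u = self.users[user_id]
        u.failed_logins += 1
        u.locked = u.failed_logins >= MAX_FAILED_LOGINS
        return u.locked

    def access(self, user_id, patient_id, area, action, break_glass_reason=None):
        """Decide one access attempt ('view', 'edit' or 'delete') and log it either way."""
        u, rec = self.users[user_id], self.records[patient_id]
        granted, reason = True, "ok"
        if u.locked:
            granted, reason = False, "account locked"
        elif area not in GROUP_RIGHTS[u.group].get(action, set()):
            granted, reason = False, f"group {u.group} lacks {action} on {area}"
        elif rec.restricted and user_id not in rec.allowed_users:
            if break_glass_reason:
                reason = f"BREAK-GLASS: {break_glass_reason}"   # allowed, but flagged for review
            else:
                granted, reason = False, "restricted record; no explicit grant"
        self.audit.append(AuditEvent(datetime.now(timezone.utc).isoformat(), user_id,
                                     patient_id, area, action, granted, reason))
        return granted

    def audit_report(self, patient_id):
        """Who touched this chart, which area, what action, and whether it was allowed."""
        return [e for e in self.audit if e.patient_id == patient_id]

    def flagged_accesses(self):
        """Denied attempts and break-glass overrides: what the privacy officer reviews."""
        return [e for e in self.audit if not e.granted or e.reason.startswith("BREAK-GLASS")]
```

Two design points matter for an audit. Denied attempts are logged as well as granted ones, because a pattern of denials against one chart is itself a signal. And the break-glass path lets an emergency override a restricted-record flag without silently widening access: the reason goes into the audit trail and the event surfaces in flagged_accesses() for after-the-fact review.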

Page 19:

7.6 Data Integrity

• The integrity of data can be ensured only if the data is complete, accurate, consistent, and timely, and has not been altered, destroyed, or accessed by unauthorized individuals.
• Strict organization-wide policies must be in place.

Page 20:

7.6 Data Integrity (cont.)

• Integrity also applies to the addition, amendment, or omission of documentation that has already been recorded.
• Proper chart correction never overwrites or erases the original entry:
– Amending chart entries (the amendment is added as a new, attributed entry that references the original)
– Hiding chart entries (the entry is marked hidden but retained)
– Recovering hidden chart entries
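The amend / hide / recover rules above can be enforced in the data model rather than left to policy. Below is an added example written for this page, not PrimeSUITE code: a chart in which every correction is a new attributed entry pointing at the original, and each entry is hashed and chained to the previous one so that an after-the-fact edit or removal of stored entries is detectable. The class and field names are hypothetical.

```python
"""Added example (not PrimeSUITE code; hypothetical design): a chart whose
entries are never overwritten or erased. An amendment, a hide and a recovery
are each appended as a new, attributed entry that references the original,
and every entry carries a SHA-256 hash chained to the previous one, so any
later alteration or removal of a stored entry is detectable by verify()."""
import hashlib
import json
from dataclasses import dataclass, asdict, replace
from typing import Optional

@dataclass(frozen=True)
class ChartEntry:
    seq: int                   # position in the chain
    patient_id: str
    author: str                # who made the entry: every change is attributed
    timestamp: str             # ISO-8601, supplied by the caller so the chain is reproducible
    kind: str                  # "note", "amend", "hide" or "recover"
    refers_to: Optional[int]   # seq of the entry being amended, hidden or recovered
    text: str                  # note text, amended text, or the reason for hiding/recovering
    prev_hash: str
    hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(canon).hexdigest()

class Chart:
    GENESIS = "0" * 64

    def __init__(self, patient_id: str):
        self.patient_id = patient_id
        self.entries = []

    def _append(self, author, timestamp, kind, refers_to, text) -> ChartEntry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        e = ChartEntry(len(self.entries), self.patient_id, author, timestamp, kind, refers_to, text, prev)
        e = replace(e, hash=e.compute_hash())
        self.entries.append(e)
        return e

    def _check_target(self, seq: int) -> None:
        if not (0 <= seq < len(self.entries)) or self.entries[seq].kind not in ("note", "amend"):
            raise ValueError("target must be an existing note or amendment")

    def add_note(self, author, timestamp, text):
        return self._append(author, timestamp, "note", None, text)

    def amend(self, author, timestamp, seq, corrected_text):
        """The original stays in the chain; the correction is a new entry pointing at it."""
        self._check_target(seq)
        return self._append(author, timestamp, "amend", seq, corrected_text)

    def hide(self, author, timestamp, seq, reason):
        self._check_target(seq)
        return self._append(author, timestamp, "hide", seq, reason)

    def recover(self, author, timestamp, seq, reason):
        if seq not in self.hidden():
            raise ValueError("entry is not hidden")
        return self._append(author, timestamp, "recover", seq, reason)

    def hidden(self) -> set:
        """Entries currently hidden: the latest hide/recover action per target wins."""
        state = {}
        for e in self.entries:
            if e.kind in ("hide", "recover"):
                state[e.refers_to] = (e.kind == "hide")
        return {seq for seq, is_hidden in state.items() if is_hidden}

    def visible(self) -> list:
        """What a clinician sees: notes and amendments that are not currently hidden."""
        hidden = self.hidden()
        return [e for e in self.entries if e.kind in ("note", "amend") and e.seq not in hidden]

    def verify(self) -> bool:
        """Recompute every hash and link; False if any stored entry was altered or removed."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True
```

The hash chain is tamper-evident, not tamper-proof: someone with write access to the store could rewrite the whole chain from the altered entry onward. In practice the head hash is periodically written somewhere the application cannot modify (a separate log server, a signed timestamp), which is what makes verify() meaningful.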

Page 21:

7.7 Apply Policies & Procedures to Release Health Information Using PrimeSUITE

• Release of information is necessary for many reasons, including continuation of care.
• Authorizations to release information may be required and must be addressed in written policies.
• Disclosures must be accounted for (see 7.8) to comply with HIPAA and HITECH.
– Breach of confidentiality is releasing information without authorization.

Page 22:

7.8 Accounting of Information Disclosures

• Accounting for the release of medical information is necessary in order to comply with regulations and as a best practice for record keeping. Each accounting entry should record the date of the disclosure, the recipient, a brief description of the information disclosed, and the purpose.
• It is important to understand how to run a report of information disclosures from a patient's chart; patients have the right to request an accounting of disclosures made in the six years before the request.
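The accounting-of-disclosures report described above is a filter over a disclosure log, and the filter is where the rule's detail lives. The following is an added example written for this page, not PrimeSUITE code: it logs every release (the chapter's "account for all disclosures") and then produces the accounting a patient is entitled to under 45 CFR 164.528, keeping non-exempt disclosures within the six-year look-back window. The field names, purpose categories and sample data are constructed, and the exemption list is abbreviated.

```python
"""Added example (not PrimeSUITE code; hypothetical field names and constructed
sample data): a disclosure log plus the accounting of disclosures a patient may
request. Every release of PHI is logged, as the chapter advises; the report
then keeps what the HIPAA Privacy Rule (45 CFR 164.528) requires in the
accounting: disclosures in the six years before the request that are not
exempt. The exemption list below is abbreviated."""
from dataclasses import dataclass
from datetime import date

# Purposes exempt from the accounting under 164.528(a)(1) (abbreviated list);
# everything else, e.g. public health reporting, subpoenas, law enforcement,
# must appear in the accounting.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_patient", "authorization"}
LOOKBACK_YEARS = 6

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str        # who received the PHI (name and, if known, address)
    description: str      # brief description of what was disclosed
    purpose: str          # why; use the purpose categories above where they apply
    disclosed_by: str     # staff member who released it (best practice, not required by the rule)

def _years_before(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year - years)
    except ValueError:                      # request dated Feb 29
        return d.replace(year=d.year - years, day=28)

class DisclosureLog:
    def __init__(self):
        self._entries = []

    def record(self, d: Disclosure) -> None:
        if not (d.recipient and d.description and d.purpose):
            raise ValueError("recipient, description and purpose are all required")
        self._entries.append(d)

    def all_for_patient(self, patient_id: str) -> list:
        """Every logged release for internal review, exempt or not."""
        return [d for d in self._entries if d.patient_id == patient_id]

    def accounting(self, patient_id: str, requested_on: date) -> list:
        """The accounting the patient is entitled to: non-exempt disclosures in the look-back window."""
        start = _years_before(requested_on, LOOKBACK_YEARS)
        rows = [d for d in self.all_for_patient(patient_id)
                if start <= d.disclosed_on <= requested_on and d.purpose not in EXEMPT_PURPOSES]
        return sorted(rows, key=lambda d: d.disclosed_on)

def format_accounting(rows) -> list:
    """One line per disclosure with the four elements the rule requires."""
    return [f"{d.disclosed_on.isoformat()} | {d.recipient} | {d.description} | {d.purpose}" for d in rows]

REQUEST_DATE = date(2024, 3, 15)   # hypothetical date of the patient's request

def sample_log() -> DisclosureLog:
    """Constructed sample data, not real patients."""
    log = DisclosureLog()
    for row in [
        ("P1", date(2024, 1, 15), "Dr. Patel, Riverside Cardiology", "office visit notes", "treatment", "him1"),
        ("P1", date(2023, 6, 2), "State health department", "positive TB test result", "public_health", "him1"),
        ("P1", date(2022, 11, 30), "Patient's attorney", "complete record", "authorization", "him2"),
        ("P1", date(2020, 8, 10), "City police department", "ER admission date and time", "law_enforcement", "him1"),
        ("P1", date(2019, 5, 20), "ABC Health Plan", "claim for 2019-05-01 visit", "payment", "billing1"),
        ("P1", date(2016, 3, 1), "County court", "records per subpoena", "subpoena", "him2"),
        ("P2", date(2023, 9, 9), "State health department", "immunization record", "public_health", "him1"),
    ]:
        log.record(Disclosure(*row))
    return log

if __name__ == "__main__":
    for line in format_accounting(sample_log().accounting("P1", REQUEST_DATE)):
        print(line)
```

Note the split between all_for_patient() and accounting(): the first is what the privacy officer reviews when investigating a complaint, the second is what goes to the patient. Logging only what the accounting requires would leave the treatment, payment and authorized releases unreviewable.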

Page 23:

7.9 Information Exchange

• Meaningful Use standards require the exchange of information between providers for smooth continuation of care.
• Sharing of electronic information must take place through a secure environment, for example encrypted transport such as Direct secure messaging or a TLS-protected interface, never unencrypted e-mail.
• The HIPAA Security Rule's transmission security standard (45 CFR 164.312(e)) requires guarding against unauthorized access to ePHI transmitted over electronic networks; encryption in transit is an addressable specification, meaning it must be implemented or the reason for not doing so must be documented and an equivalent alternative put in place.

Page 24:

7.9 Information Exchange (cont.)

• A policy to address the use of social media should include:
– When employees may or may not access social media sites during work hours
– Tone used in posts to social media sites
– PHI of patients must never be posted
– Identity of patients must never be posted
– No copyrighted materials may be posted
– No information about the organization may be posted
– Actions for failure to comply

Page 25:

7.10 Compliance Plans

• Healthcare organizations must have written compliance plans that address how the organization ensures compliance with regulations:
– Privacy
– Security
– Meaningful Use
– General health information regulations
• Written policies must be kept and made available to all staff at all times.

Page 26:

7.10 Compliance Plans (cont.)

• The compliance plan should include:
– Name of the compliance officer
– Policies that cover:
• Routine daily operations
• File back-up
• Computer access
• Release of patient information
• Breach of confidentiality
• Security breaches, internal and external
• Coding and billing

Page 27:

7.11 Safeguarding Your System & Disaster Recovery Planning

• A contingency plan is a back-up plan for use should the system fail or a natural or other disaster occur. The Security Rule's contingency plan standard (45 CFR 164.308(a)(7)) requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan, and calls for the plan to be tested and revised.
• Potential security concerns should be addressed with a detailed back-up plan, and the backups of PHI must themselves be protected: encrypted, access-controlled, and stored off-site.

Page 28:

7.11 Safeguarding Your System & Disaster Recovery Planning (cont.)

• Written disaster recovery plans should include:
– An accounting of all functions that are performed within the office
– A list of the computer hardware, software, and data related to each function
– The location of back-up files and the format used
– Step-by-step procedures for restoring backed-up data, exercised on a schedule so that the restore is known to work before it is needed
– An alert system to notify personnel of the disaster
– Required security training for all personnel
• The importance of keeping functions safe, confidential, and secure cannot be overstated.
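The restore procedure is the part of a disaster recovery plan most often written down and least often run. As an added example for this page (not PrimeSUITE code), the script below backs up a data directory to a tar.gz with a manifest of SHA-256 hashes, restores it into a scratch directory, and checks every restored file against the manifest, which is the test the plan should schedule. Paths and sample files are constructed; encrypting the archive before it goes off-site is assumed to be a separate step and is not shown.

```python
"""Added example (not PrimeSUITE code; hypothetical paths, constructed sample
files): the "back up, then prove the restore works" part of a disaster
recovery plan. make_backup() writes a tar.gz of a data directory plus a
manifest of SHA-256 hashes; restore_and_verify() restores into a scratch
directory and checks every file against the manifest. Encrypting the archive
before it leaves the site is a separate step not shown here."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(data_dir: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under data_dir."""
    return {p.relative_to(data_dir).as_posix(): sha256_file(p)
            for p in sorted(data_dir.rglob("*")) if p.is_file()}

def make_backup(data_dir: Path, archive: Path) -> Path:
    """Write the archive and a sibling manifest; return the manifest path."""
    manifest = build_manifest(data_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(data_dir / rel, arcname=rel)
    manifest_path = archive.with_name(archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path

def verify_restored(restore_dir: Path, manifest_path: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    expected = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in expected.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in sorted(build_manifest(restore_dir).keys() - expected.keys()):
        problems.append(f"unexpected file restored: {rel}")
    return problems

def restore_and_verify(archive: Path, manifest_path: Path, restore_dir: Path) -> list:
    """Extract the archive into restore_dir (refusing unsafe paths) and verify it."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():        # a crafted archive must not write outside restore_dir
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                return [f"unsafe member name in archive: {m.name}"]
        tar.extractall(restore_dir)
    return verify_restored(restore_dir, manifest_path)

def demo_roundtrip() -> dict:
    """Constructed sample data: back up, restore, verify, then corrupt a restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        data = base / "ehr_data"
        (data / "charts").mkdir(parents=True)
        (data / "charts" / "P1.json").write_text('{"patient_id": "P1", "allergies": ["penicillin"]}')
        (data / "audit.log").write_text("2024-03-01T10:00:00Z dr.lee view P1 progress_notes granted\n")
        archive = base / "offsite" / "ehr-2024-03-01.tar.gz"
        archive.parent.mkdir()
        manifest = make_backup(data, archive)
        restore = base / "restore_test"
        clean = restore_and_verify(archive, manifest, restore)
        (restore / "audit.log").write_text("")     # simulate bit rot or tampering
        tampered = verify_restored(restore, manifest)
        return {"clean": clean, "tampered": tampered}

if __name__ == "__main__":
    print(demo_roundtrip())
```

The manifest is kept beside the archive rather than inside it so that a truncated or corrupted archive is caught by the comparison instead of silently restoring fewer files. The member-name check before extraction matters when the archive comes back from an off-site provider: a tar entry such as ../../etc/passwd would otherwise be written outside the restore directory.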

Page 29:

Summary

• HIPAA privacy and security standards
• HIPAA regulations and the EHR
• Omnibus Final Rule of HITECH
• The role of certification in EHR implementation
• Procedures to set up security measures
• Sensitive and restricted-access records
• Procedures to ensure data integrity
• Procedures to release health information
• Accounting for data disclosures

Page 30:

Summary (cont.)

• Exchanging information with outside healthcare providers for continuity of care
• Content of compliance plans
• Importance of disaster recovery planning