Essay Instructions: Please write a 2-page paper using the material below, and please remember to include a reference page.
Security of Health Care Records
With the increase of health information technology used to store and access patient information, the likelihood of security breaches has also risen. In fact, according to the Canadian Medical Association Journal (CMAJ):
In the United States, there was a whopping 97% increase in the number of health records breached from 2010 to 2011… The number of patient records accessed in each breach has also increased substantially, from 26,968 (in 2010) to 49,394 (in 2011). Since August 2009, when the US government regulated that any breach affecting more than 500 patients be publicly disclosed, a total of 385 breaches, involving more than 19 million records, have been reported to the Department of Health and Human Services.
A large portion of those breaches, 39%, occurred because of a lost, stolen, or otherwise compromised portable electronic device, a problem that will likely only get worse as iPads, smartphones, and other gadgets become more common in hospitals. (CMAJ, 2012, p. E215).
Consider your own experiences. Does your organization use portable electronic devices? What safeguards are in place to ensure the security of data and patient information? For this Discussion you consider ethical and security issues surrounding the protection of digital health information.
To prepare:
• Review the Learning Resources dealing with the security of digital health care information. Reflect on your own organization or one with which you are familiar, and think about how health information stored electronically is protected.
• Consider the nurse’s responsibility to ensure the protection of patient information. What strategies can you use?
• Reflect on ethical issues that are likely to arise with the increased access to newer, smaller, and more powerful technology tools.
• Consider strategies that can be implemented to ensure that the use of HIT contributes to an overall culture of safety.
Post on or before Day 3 an analysis of the nurse’s responsibility to protect patient information and the extent that HIT has made it easier or more difficult to protect patient privacy. Comment on any security or ethical issues related to the use of portable devices to store information. Assess the strategies your organization uses to safeguard patient information and how these promote a culture of safety. Describe an area where improvement is needed and one strategy that could address the situation.
HIPAA
Improving the Privacy and Security of Personal Health Records
BOB BROWN
Bob Brown, PhD, is the director of Health Information Technology, Michigan State University Kalamazoo Center for Medical Studies.
Two New Initiatives May Help Improve the Privacy and Security of Online PHI Not Currently Protected by HIPAA
In my HIPAA article published in the May-June 2007 issue of the Journal of Health Care Compliance, I reported on the spread of online personal health record (PHR) systems and the lack of any consistent mandatory or voluntary standards for protecting the privacy and security of individually identifiable health information contained in these systems. Since the publication of that article, the use of PHRs has accelerated, especially with the introduction of PHRs by such experienced Internet technology companies as Google and Microsoft.
With millions more people signing up for PHRs, the lack of standards for protecting the sensitive personal data contained in these systems has become even more worrisome. Two recent developments, however, may help to significantly improve the privacy and security of PHRs.
On December 15, 2008, the Office of the National Coordinator for Health Information Technology (ONC) released a document entitled “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information”. The Framework is a short document containing eight principles designed to establish a consistent approach to addressing the privacy and security challenges of online PHRs and electronic health information exchanges (HIEs), regardless of whether or not the organization operating the PHR or HIE service is an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) standards.
In keeping with the voluntary self-regulation and public-private partnership models encouraged by the Bush administration, these principles are not required standards but are rather “principles...expected to guide the actions of all health-related persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information.” (p. 6) The principles were developed after an ONC review of a variety of privacy and security standards, best practices, guidelines, and other documents from authoritative sources such as the Organization for Economic Cooperation and Development, the International Security Trust and Privacy Alliance, the Federal Trade Commission, and the HIPAA privacy and security standards.
Journal of Health Care Compliance, March–April 2009
The eight principles are (1) individual access; (2) correction; (3) openness and transparency; (4) individual choice; (5) collection, use, and disclosure limitation; (6) data quality and integrity; (7) safeguards; and (8) accountability.
INDIVIDUAL ACCESS
Individuals should be provided with easy access to their online individually identifiable health information. This principle emphasizes that one of the main purposes of a PHR or an HIE should be to provide the information to individuals that they need to manage their health and health care. Even though HIPAA granted the individual the right to access his or her individually identifiable health information, covered entities typically make access difficult and rarely provide online access. This principle comes down clearly in favor of providing easy electronic access to the full range of individually identifiable health information to patients.
CORRECTION
Individuals should have access to a straightforward process for correcting what they believe are mistakes in their individually identifiable health information. There also should be a clear record of what was corrected and by whom. In cases in which the individual believes that the individually identifiable health information is incorrect and the clinician who created the information does not agree to change it, there should be a process for documenting, displaying, and transmitting the individual’s disagreement with the individually identifiable health information in question.
OPENNESS AND TRANSPARENCY
All policies, procedures, and technologies that are employed to collect and disseminate individually identifiable health information should be made available to the individual in an understandable form. Individuals should be able to learn how their information is collected, who collects it, who sees it, how it is used, and what control they have over the information. The policies and procedures governing the use and disclosure of individually identifiable health information should be available before any uses and disclosures occur.
INDIVIDUAL CHOICE
Individuals should be provided with maximum reasonable control over the use and disclosure of their individually identifiable health information. If possible, individuals should be allowed to control which specific types or specific items of individually identifiable health information are disclosed to specific types of recipients or specific individual recipients.
COLLECTION, USE, AND DISCLOSURE LIMITATION
Individually identifiable health information should be collected, used, and disclosed only to the extent required to accomplish the purpose as specified in the policies and procedures associated with the use or disclosure.
DATA QUALITY AND INTEGRITY
Persons and entities collecting and transmitting data should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date and that it has not been altered or destroyed in an unauthorized manner.
SAFEGUARDS
Persons and entities collecting and transmitting individually identifiable health information should implement reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
ACCOUNTABILITY
Implementation and adherence to these principles should be verified through appropriate auditing, monitoring, and other procedural and technical processes. Robust comprehensive compliance monitoring systems should be in place to detect and correct problems and to mitigate harm caused by breaches.
Because the Framework is a guidance document, there is no statutory requirement for PHR vendors and others involved in the collection and transmission of individually identifiable health information to follow the principles outlined in the document. Likewise, there are no sanctions or enforcement mechanisms that can be applied to those who do not follow the principles, but there are other factors in the PHR environment that will likely help ensure that these principles will be incorporated into PHRs.
The Certification Commission for Healthcare Information Technology (CCHIT) is an independent, voluntary, private-sector initiative that has been designated by the Department of Health and Human Services (HHS) as a recognized certification body for electronic health records (EHRs) and their networks. CCHIT has announced that starting in 2009 it will certify PHRs. CCHIT has published a draft of the criteria it proposes to use to certify PHRs. While the current draft incorporates most of the principles contained in the Framework, CCHIT has announced that it will review and revise the current criteria to make sure they are consistent with the eight Framework principles.
In the EHR market, CCHIT certification has established itself as a requirement in the marketplace; for the most part providers will not accept any EHR that is not CCHIT certified. Thus, it is likely that CCHIT certification will become a de facto requirement for PHRs as well.
The report “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information” is available at www.hhs.gov/healthit/documents/NationwidePS_Framework.pdf. The Certification Commission for Healthcare Information Technology draft standards for PHRs are available at www.cchit.org/files/comment/09/02/CCHITCriteriaPHR09Draft02.pdf.