Week 6 Journal Chapter 12
Using the attached form, complete this week's reflections related to your readings, assignments, and implications for current or future practice.
Health IT and EHRs: Principles and Practice, Sixth Edition
Chapter 12: Health IT Privacy and Security
© 2017 American Health Information Management Association
HIPAA Privacy and Security Rules
Privacy – right of an individual to be left alone.
Security – supports:
Confidentiality – the treatment of information that an individual has disclosed in a relationship of trust with the expectation that it will not be divulged to others in ways that are inconsistent with the understanding of the original disclosure (such as the Notice of Privacy Practices) unless the individual grants permission
Data integrity – protection of data against improper alteration or destruction
Data availability – assurance that data will be able to be accessed when needed in accordance with Privacy provisions
Privacy & Security Relationships
Key Privacy & Security Terms
PHI
Covered entity
Business Associate
TPO
Disclosure
Use
Authorization
Consent
HIPAA Enforcement Rule
Office for Civil Rights (OCR) responsible for enforcement of HIPAA
Penalties for violation of the Privacy, Security, or Breach Notification rules may include:
Corrective action plan (CAP)
Settlement agreement
Civil penalties may include civil monetary penalties (CMP)
Criminal penalties may result in imprisonment
Other lawsuits may also be filed for actions associated with privacy, security, and breach notification
Technical & Other Solutions for Privacy Rule Management
Patient identification and matching
Master person index
Health record integration
Deidentification
Data sharing agreements
Genomic data sharing and GINA
Privacy and trust principles for precision medicine
Emergency uses of PHI
Criminal background checks
Right of access
Clarification of mental/behavioral health record sharing
Data segmentation for privacy
Risk Basis of Security Rule
HIPAA Security Rule
Authentication Types by Strength
Wet signature
Digitized signature
Image of a wet signature
Electronic signature
Password, biometric, or token
Digital signature
Process of encryption and non-repudiation to represent a signature
Public key infrastructure (PKI) is a set of policies, procedures, standards, and practices that enable a digital signature – but is not the only form of digital signature.
Requirements for digital signature, digital certificate, encryption
EPCS
CORE Phase IV operating rules
EHR MU incentive program
Access Controls and Minimum Necessary and Audit Logs
Audit logs should provide the metadata for who did what to which information at what date and time and from what location
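As an added illustration that is not from the textbook, the following Python code assumes a hypothetical pipe-delimited EHR audit export and a hypothetical role/assignment policy; it rejects records missing any of the five elements the slide names (who, what, which record, when, from where) and flags accesses that exceed minimum necessary.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit export (hypothetical format, not from the text).
# Fields: when | who | what action | which record | from where
SAMPLE_LOG = """\
2024-03-01T08:02:11Z|nurse.jones|VIEW|MRN-1001|ward3-ws07
2024-03-01T08:05:40Z|nurse.jones|UPDATE|MRN-1001|ward3-ws07
2024-03-01T23:14:02Z|billing.smith|VIEW|MRN-2002|vpn-remote
2024-03-02T10:30:00Z|billing.smith|VIEW|MRN-1001|vpn-remote
2024-03-02T10:31:00Z|||MRN-3003|ward3-ws07
"""

# Hypothetical minimum-necessary policy: actions each role may perform.
ROLE_ACTIONS = {"nurse": {"VIEW", "UPDATE"}, "billing": {"VIEW"}}
# Hypothetical treatment/payment relationships: records each user is assigned to.
ASSIGNED = {"nurse.jones": {"MRN-1001"}, "billing.smith": {"MRN-2002"}}


@dataclass
class AuditEvent:
    when: datetime
    who: str
    action: str
    record: str
    where: str


def parse_log(text):
    """Parse the export; return (events, line numbers of incomplete records)."""
    events, rejected = [], []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 5 or not all(parts):
            rejected.append(n)  # cannot answer who/what/which/when/where
            continue
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(AuditEvent(when, parts[1], parts[2], parts[3], parts[4]))
    return events, rejected


def review(events):
    """Flag actions outside the role's permissions or the user's assigned records."""
    findings = []
    for e in events:
        role = e.who.split(".")[0]  # role prefix is a constructed convention
        if e.action not in ROLE_ACTIONS.get(role, set()):
            findings.append((e.who, e.record, "action not permitted for role"))
        if e.record not in ASSIGNED.get(e.who, set()):
            findings.append((e.who, e.record, "no treatment/payment relationship"))
    return findings
```

Incomplete records are reported rather than silently dropped, because a gap in the audit trail is itself a finding during breach investigation.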
Encryption
Encryption uses an algorithm to scramble the content of a file (for data at rest) or transmission (for data en route) so that only an equivalent algorithm can be used to decrypt the message
Nonrepudiation is substantial evidence of the identity of the signer of a message and of message integrity sufficient to prevent a party from successfully denying the origin, submission, or delivery of the message and integrity of its contents
HHS guidance specifies that if a file or transmission has been encrypted but has been lost or hacked, the loss or hack is not a notifiable breach
Breach Discovery Process
Breach Notification Process
Identity Theft Controls
Fastest growing crime in the US
Misuse of credit cards = ½ of all identity theft
Payment Card Industry Data Security Standard
Medical identity theft
Inappropriate or unauthorized misrepresentation of personal information to obtain access to property (e.g., drugs) or services (e.g., health plan coverage)
Red Flags Rule
Use of patterns, practices, and specific activities, known as red flags, which could indicate identity theft
Some healthcare organizations must comply, others do so voluntarily as a best practice
Administrative Factors to Reduce Risk
Risk analysis is the primary process that should be documented. Risk analysis follows the SDLC.
Physical and Technical Controls
Facility security controls
Storage management program
Virtualization
Reliability
Full redundancy
Fail over
Technical monitoring tools
Addressing Emerging Threats
Unified threat management program
Management support
Threat intelligence
Policies and procedures
Everyone’s responsibility
Controls
Training
Auditing and monitoring
Reflective Journal Rubric (20 pts)
Discussion Criteria: Application of Course Knowledge
Exemplary (10 points) – Journal contributes reflections and unique perspectives or insights gleaned from weekly objectives or examples from the healthcare field.
Developing (7 points) – Journal entry has limited application of course knowledge and demonstration of perspectives.
Needs Improvement (4 points) – Journal does not reflect application of course knowledge and personal insights or examples from healthcare.
Discussion Criteria: Grammar, Syntax, APA Format
Exemplary (10 points) – APA format, grammar, spelling, and/or punctuation are accurate, with zero to three errors.
Developing (7 points) – Four to six errors in APA format, grammar, spelling, and syntax noted.
Needs Improvement (4 points) – Journal entry contains more than six errors in APA format, grammar, spelling, and/or punctuation, or repeatedly makes the same errors after faculty feedback.
Faculty Comments:
Reflective Journal
Name:
Date:
1. Summarize and reflect on this week's readings and learning activities.
2. How will these concepts impact your own professional practice now or in the future?