Jan 04, 2016
Patient Confidentiality and Electronic Medical Records
Ann J. Olsen, MBA, MA
Information Security Officer and
Director, Information Management Planning Vanderbilt University Medical Center
June 19, 1999
Julius S. Aronofsky Lecture in Health Care Information Systems:
Presentation delivered at 3rd Annual “Enhancing Your Clinical Practice - Internet and New Technology Trends”
Sponsored by: The Office of Continuing Education of The University of Texas Southwestern Medical Center at Dallas
http://www.mc.vanderbilt.edu/infocntr
Objectives:
Understand
– basic context for information security and confidentiality
– current practices and risks regarding confidentiality
– impact of EMR on ability to protect privacy
– needs for organizational practices as well as technical practices (policies, agreements, and continuous learning)
Learn about directions in Washington and upcoming requirements for your practices
– HIPAA security standards
– Proposed health information privacy legislation
Know key sources of information about this topic
Agenda
Key Concepts
Discussion: Current Practices & Concerns
Key Changes We Face
Expected Electronic Health Data Security Requirements
Questions & Discussion
Health Care Resources
Health Care Delivery Processes Depend on Acquisition, Utilization, and Management of Many Kinds of Resources
[Diagram: Security; Health Care Delivery Depends On: Financial Resources, Human Resources, Physical Resources, Information & Knowledge Resources]
Key Concept: Information Security Components
Confidentiality (Privacy)
– Access control
– Disclosure requires authorization
– Need to know
Availability
– Accessible when & where needed
Integrity
– Records are complete
– No unauthorized changes
[Diagram labels: Information Security: Integrity, Availability, Confidentiality; Information Systems Security; Health Information Security; Protection of Electronic Health Information]
Discussion: Current Practices and Concerns
(1) Share one of the biggest challenges or risks to health information privacy in your practice today OR a health information privacy issue you have faced recently
(2) Share a practice that has improved protection of health information in your office or clinic
What Changes are We Facing?
Increased use of electronic medical records (EMR) and internet communications
– Expectation that health records are on-line, with decision support
– Information provided directly by health care consumers in on-line interactions with providers
– Portable, hand-held computing
EMR and Confidentiality
EMR Risks
– Easy to disclose vast quantities of information
– Ability to link records across systems
– Insufficient security & training in many EMR environments
– Hackers keep pace with technology
EMR and Confidentiality
EMR Benefits
– Audit trails
– Encryption
– Access controls
– Can remove identifiers
– Can share without making copies
What Changes are We Facing?
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– DHHS rules governing security of electronic health information
– Apply to all individual health care information electronically maintained or used in an electronic transmission
Federal legislation on health information privacy
For the Record: Protecting Electronic Health Information
National Research Council Study of Current Best Practice (1997)
Recommendations:
– Organizational practices
• for immediate implementation
– Technical practices
• for immediate implementation
• for future implementation
Basis for HIPAA Security Standard
Organizational Practices
Security & Confidentiality Policies*
Security & Confidentiality Committees
Information Security Officers*
Education and Training*
Sanctions*
Improved Authorization Forms**
Patient Access to Audit Logs**
Technical Practices
Individual authentication of users*
Access controls*
Audit trails*
Physical security & disaster recovery*
Protection of remote access points*
Protection of external electronic communications*
Software discipline*
System assessment*
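The slides list audit trails, access controls, removal of identifiers and patient access to audit logs as EMR safeguards without showing how they fit together. The following is an added example, not part of the lecture or of any Vanderbilt system, that sketches a minimal record-access layer tying those practices together: a user is granted a full record only with a treatment relationship (need to know) or a patient authorization, every access attempt is written to an audit trail that the patient can review, and sharing for other purposes strips identifying fields. The user ids, medical record numbers and clinical fields are constructed sample data.

```python
"""Added illustration: need-to-know access control, an audit trail,
patient review of that trail, and de-identified sharing for an
electronic record. All names, ids and records are constructed samples."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fields treated as identifiers; removed before a record is shared for
# purposes other than the patient's own care (hypothetical field set).
IDENTIFIERS = {"name", "mrn", "dob", "address", "phone"}


@dataclass
class AuditEntry:
    when: str
    user: str
    patient_mrn: str
    action: str    # "read" or "share"
    outcome: str   # "granted" or "denied"
    reason: str


@dataclass
class RecordStore:
    records: dict                      # mrn -> record dict
    care_teams: dict                   # mrn -> set of users with a treatment relationship
    authorizations: dict = field(default_factory=dict)  # mrn -> users the patient authorized
    audit: list = field(default_factory=list)

    def _log(self, user, mrn, action, outcome, reason):
        # Every attempt is recorded, denied ones included, so the trail
        # also shows who tried to look at a record without a need to know.
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, user, mrn, action, outcome, reason))

    def read(self, user, mrn):
        """Return a copy of the full record only when the (already
        authenticated) user has a need to know or the patient has
        authorized disclosure; otherwise return None. Logged either way."""
        if mrn not in self.records:
            self._log(user, mrn, "read", "denied", "no such record")
            return None
        if user in self.care_teams.get(mrn, set()):
            self._log(user, mrn, "read", "granted", "treatment relationship")
            return dict(self.records[mrn])
        if user in self.authorizations.get(mrn, set()):
            self._log(user, mrn, "read", "granted", "patient authorization")
            return dict(self.records[mrn])
        self._log(user, mrn, "read", "denied", "no need to know")
        return None

    def share_deidentified(self, user, mrn):
        """Minimum-necessary sharing: clinical content without identifiers.
        The caller must still be entitled to read the record."""
        full = self.read(user, mrn)
        if full is None:
            return None
        shared = {k: v for k, v in full.items() if k not in IDENTIFIERS}
        self._log(user, mrn, "share", "granted", "identifiers removed")
        return shared

    def audit_for_patient(self, mrn):
        """Entries a patient may review about accesses to their own record."""
        return [e for e in self.audit if e.patient_mrn == mrn]


def build_sample_store():
    """Constructed sample data for the demonstration; no real patients."""
    store = RecordStore(
        records={
            "MRN-0001": {
                "name": "Sample Patient", "mrn": "MRN-0001", "dob": "1950-01-01",
                "address": "1 Example St", "phone": "555-0100",
                "diagnosis": "hypertension", "meds": ["lisinopril"],
            }
        },
        care_teams={"MRN-0001": {"dr.smith"}},
    )
    # The patient signed an authorization form naming a second clinician.
    store.authorizations["MRN-0001"] = {"dr.jones"}
    return store


if __name__ == "__main__":
    s = build_sample_store()
    s.read("dr.smith", "MRN-0001")      # granted: treatment relationship
    s.read("clerk", "MRN-0001")         # denied: no need to know
    s.share_deidentified("dr.smith", "MRN-0001")
    for entry in s.audit_for_patient("MRN-0001"):
        print(entry.user, entry.action, entry.outcome, entry.reason)
```

The point of routing `share_deidentified` through `read` is that de-identification is a disclosure control layered on top of access control, not a substitute for it; the audit trail then shows both the access and the share as separate, attributable events.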
Scenario for Security Standards
Proposed Security Standard includes “Small or Rural Provider Example”
Outlines how the requirements might be implemented
Expectation that software vendors will provide support
Excerpts ...
Joint Commission on Accreditation of Healthcare Organizations
Current JCAHO standards require classification and protection of information
Already at work to incorporate HIPAA standards
Information Resources
DHHS web site has rules proposed under HIPAA and other information: http://aspe.os.dhhs.gov/admnsimp
Computer-based Patient Records Institute has very useful publications on information security: http://www.cpri.org
Health Information Privacy Legislation
HIPAA required action by Congress by August 1999 on health information privacy or DHHS to issue final rules
None of bills introduced in 106th Congress likely to pass by HIPAA deadline
Expect amendment of HIPAA to extend deadline
For information on legislative proposals, see Library of Congress web site at http://thomas.loc.gov
Common Elements of Proposals
Requirements for patient authorization for most kinds of disclosures
Patient notice about rights and use of health information
Patient right to review and amend
Limit disclosure to minimum information needed
Requirement to track disclosures
Require safeguards for confidentiality, security, accuracy, integrity
Criminal and civil penalties
[email protected]@mcmail.Vanderbilt.edu