
EMR Confidentiality and Information Security - Provider's …


Journal of Healthcare Information Management, Vol. 17, No. 3, pp. 41–42. FOCUS: SECURITY. Gary Kurtz, FHIMSS.


EMR Confidentiality and Information Security
Gary Kurtz, FHIMSS

ABSTRACT

Healthcare is no longer one patient and one physician. Many people and services are involved, and they all need access to the same accurate, complete data to provide excellent care. The onus is on healthcare providers to come up with information security solutions that don't hinder patient care while still providing the confidentiality of patient information.

KEYWORDS: Electronic medical record (EMR), confidentiality, information security, privacy.

Since the time of Hippocrates the need to maintain the confidentiality of medical information has been recognized. A tenet of information practices is that one cannot have confidentiality without information security. In the case of medical information, a balancing act is always present between ease of access for prompt medical care and that of information security to maintain confidentiality. There is no doubt that information security measures could be used to lock information up so tightly that no one could access it. What purpose would that serve? Physicians and caregivers need to be able to easily access patient information to provide care. What is the right mix to be able to do both? Information security must be proportionate to the risk and the value of the asset to be protected. It seems that the magic formula is elusive.

The solution will probably be different for each healthcare organization depending in large part on specific policies and the culture. Some pieces will be the same, however the techniques might be different. The onus is on healthcare providers to come up with information security solutions that don't hinder patient care while still providing the confidentiality of patient information. The correct solution will probably be determined in your organization by who defines service and how information security is implemented.

Definitions

There are distinctions between the terms privacy, confidentiality, and information security, and it is appropriate to establish those definitions.

1. Privacy is the right of an individual to control disclosure of his or her medical information.

2. Confidentiality is the understanding that medical information will only be disclosed to authorized users at specific times of need. It entails holding sensitive data in a secure environment limited to an appropriate set of authorized individuals or organizations.

3. Information security includes the processes and mechanisms used to control the disclosure of information. It is the protection of computer-based information from unauthorized destruction, modification, or …

Attention to information security and confidentiality started early in the electronic medical record project with the formation of an Information Security Work Group. The workgroup knew that the patient/physician relationship is based on trust. Patients will share information only if they have this trust. It was important to be able to maintain this trust with the introduction of electronic records. Many people are involved in the care of a patient and we have an acute responsibility to protect that information and make sure it only gets into the hands of those authorized to see it. It is a trust issue with our patients. The members of the workgroup were laying the foundation for policies and procedures aimed at ensuring the confidentiality of patient-identifiable medical information and thus maintaining trust.

Members of the workgroup included professionals from health information management, medical informatics, physician ranks, internal audits, legal services, human resources, and information technology. Their charge was to identify issues and propose policy solutions in the areas of information security, system security, and patient confidentiality. They did so, keeping in mind that some patients would not be entirely comfortable having their records in electronic form, which is Geisinger's strategy.

As a result of the workgroup's efforts, the following policy recommendations were derived:

1. The establishment of an ongoing oversight group with responsibilities for managing information security, confidentiality, and access; overseeing the provision of training and awareness; disaster recovery; ongoing monitoring of access; and keeping abreast of technological and regulatory changes. This area was further expanded with the impending Health Insurance Portability and Accountability Act of 1996 (HIPAA) to include the appointment of a corporate privacy officer, a much more robust privacy program, and an expanded organizational structure defined to oversee the provision of information security and patient confidentiality (see GHS HIPAA Compliance Development Functional Organizational Chart, figure 1). While some of the boxes (functions) are specific to HIPAA and will go away after the project, most will remain in effect into the future and constitute the functional information security and confidentiality organizational structure.

2. Access to patient identifiable information should be on a need to know basis. Role-based access was the order of the day. Access would be granted based on the role of each person in the provision of patient care. Furthermore, the caregivers should only access the records of those patients for whom they were providing care (see Information Security Architecture, figure 2).

3. If the capability to tie physicians and patients together to control access is not implemented, then more stringent audit controls and monitoring should be instituted. Geisinger restricts access on a need to know basis through policy and education as opposed to software features. Geisinger would rather err in regard to confidentiality than make a mistake where information was withheld and treatment was compromised.

4. The system should be designed with sufficient redundancy to minimize the risk of system downtime or data loss. Disaster recovery plans would be required. With the need to have access to patient information 24 hours a day seven days a week for the provision of care, this aspect of the system is extremely important. Eventually, all of the records of the patients will be in electronic form and loss of access to this data could jeopardize patient care. Care should be taken to provide the correct services for the risk involved. Backup copies of data and shadow copies of data with fail-over capabilities are some examples of how Geisinger protects its data resources. Applications such as the electronic medical record (EMR) will have the most stringent mechanisms in place to ensure continued operation and data integrity, and to minimize risk.

[Figure 1. GHS HIPAA Compliance Development Functional Organizational Chart. Boxes recovered from the chart: HIPAA Coordination Team (program review and approval); HIPAA Program Management Office (initial compliance plan development and coordination); Electronic Medical Record Project; Third Party Contracted Resources (if required); Program Development Task Forces and Program Management Committees; Operations Task Force; Information Security and Confidentiality Committee; Medical Records Security Office (information security monitoring and policy development); Health Plan Information Security Council (business unit based security officers); Medical Information Practice Committees for EDI, Health Plan and IRB/Research, each with a PHI repository; Data Center, Networks and Desktops; Human Resources Training and Development (staff programs for awareness and education); Information Technology (technology evaluation and approval); Internal Audits (independent internal compliance monitoring); Human Resources Awareness/Communications; Patient Care Advocate and Patient Ombudsman; others to be named. Boxes are grouped into HIPAA compliance development functions and ongoing (standing) functions.]

[Figure 2. Information Security Architecture. Diagram; no text recovered.]
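The need-to-know model of recommendations 2 and 3 as an added example, not code from the article or from Geisinger: role permissions, users and care assignments are constructed sample data, and splitting behaviour into a strict mode (patient/caregiver tie implemented, access outside the assignment denied) and an audited mode (no tie implemented, access allowed by policy but every access flagged for monitoring) is an assumption about how the two recommendations would be realised in software.

```python
from dataclasses import dataclass

# Constructed sample policy (not from the article): what each role may do.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read", "write"},
    "billing": {"read_demographics"},
}

@dataclass
class Decision:
    allowed: bool
    reason: str
    flag_for_review: bool = False

class EmrAccessControl:
    """Need-to-know access to patient records.

    Recommendation 2: role-based access, and caregivers see only the records
    of patients assigned to them when a patient/caregiver tie exists.
    Recommendation 3: when no tie is implemented, access is governed by policy
    and every access is written to an audit trail for monitoring."""

    def __init__(self, roles, care_assignments=None):
        self.roles = roles                        # user -> role
        self.care_assignments = care_assignments  # user -> set of patient ids, or None
        self.audit_trail = []                     # (user, patient, action, allowed, flagged)

    def check(self, user, patient_id, action):
        perms = ROLE_PERMISSIONS.get(self.roles.get(user), set())
        if action not in perms:
            d = Decision(False, "action not permitted for role")
        elif self.care_assignments is None:
            # No tie implemented: allow by policy, but flag the access for audit review.
            d = Decision(True, "policy-based access, audited", flag_for_review=True)
        elif patient_id in self.care_assignments.get(user, set()):
            d = Decision(True, "caregiver assigned to patient")
        else:
            d = Decision(False, "patient not in caregiver's assignments")
        self.audit_trail.append((user, patient_id, action, d.allowed, d.flag_for_review))
        return d

def review_queue(audit_trail):
    """Audit monitoring: entries a security officer should review (flagged or denied)."""
    return [e for e in audit_trail if e[4] or not e[3]]

if __name__ == "__main__":
    roles = {"drsmith": "physician", "rnjones": "nurse", "clerk1": "billing"}
    strict = EmrAccessControl(roles, {"drsmith": {"P100"}, "rnjones": {"P100", "P200"}})
    print(strict.check("drsmith", "P200", "read"))    # denied: not drsmith's patient
    audited = EmrAccessControl(roles)                 # tie not implemented
    print(audited.check("drsmith", "P200", "read"))   # allowed, flagged for review
    print(review_queue(audited.audit_trail))
```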

