The policies and procedures you create will be the basis for
all aspects of your programs to protect and ensure the confidentiality,
integrity, security, and availability of your patients' protected health
information.
Computer-based patient records offer the potential for
achieving much greater protection of health information over paper-based
patient records and should be seriously considered as a standard operating
procedure. However, to comply with HIPAA regulations and to ensure an
appropriate and consistent level of information security for computer-based
patient records, both with individual health care providers, and within group
practices, and throughout the entire health care delivery system, formal
information security programs must be established by every health care
provider, practitioner and group practice entrusted with health care
information.
The essential fundamental components of a privacy and
information security program are effective policies and procedures which
incorporate all HIPAA regulations and which are designed to meet HIPAA's
specific needs.
The Need for Privacy and Security Policies
Patients
entrust health care providers with their private health information. Most
people believe and expect that the privacy, security and integrity of their
health information will be preserved by all who use and maintain that
information. Every health care provider, practitioner and group practice which
creates, uses, stores, and communicates health care information, has a legal
and ethical responsibility to honor this trust.
Health care providers,
practitioners and group practices are also required to protect sensitive and
private records about physicians, nurses, staff members and employees, and
other caregivers. These obligations and responsibilities to protect information
must be considered when implementing the HIPAA regulations.
The policies
developed by health care providers, practitioners and group practices within
the health care industry to protect the confidentiality, integrity, and
availability of patient and administrative information are significantly
influenced by their unique mission, culture, and management.
The
foundation of a successful information security program is a set of comprehensive
information security policies. These policies must define each health care
provider's, practitioner's and group practice's philosophy and direction for the
protection of information. The policies must be thoroughly documented and
promulgated.
While the majority of the information maintained by health
care providers, practitioners and group practices consists of patient records,
they also maintain sensitive and valuable business records. The security,
confidentiality, integrity, and availability of these business records must be
protected to enable the continued successful functioning of the health care
providers, practitioners and group practices. Therefore, the recommendations in
this summary apply to all information created, maintained, and used by every
health care provider, practitioner and group practice utilizing paper or
computer-based patient records.
Objectives
The objectives of this summary are to:
- Encourage the facilitation of an effective
system for complying with HIPAA requirements for data security,
confidentiality, integrity, availability and privacy.
- Promote consistent
protection of information for all health care providers, practitioners and
group practices.
- Communicate the
responsibilities for the protection of information and foster information
security awareness.
- Foster good business
practices related to protecting health care information.
- Provide the basis for
information security standards and procedures, and standards for the
management, storage, recovery, restoration and re-distribution of health care
information.
Scope
This summary is designed to be used
primarily in the establishment of information security policies for all health
care providers, practitioners and group practices implementing HIPAA
requirements. While it may be helpful in specifying security controls,
features, and functions, it is primarily intended to be used to define
management policies. These management policies will form the basis for the
development of the standards and procedures that dictate the specific security
controls to be implemented.
Every health care provider, and every small and
medium-sized group practice, in every discipline of health care with paper or
computer-based patient records should develop information security policies.
While larger, multi-functional organizations with more diverse information
needs may require more extensive policies than individual practitioners and
group practices making more limited use of the information, basic information
security policies are required for every health care provider regardless of
size.
For maximum effectiveness in group practices, these policies
should be issued at the highest level of the organization and should apply to
all employees, independent contractors, and agents, and to all units of the
organization. The policies should define the obligations for protection of
information to be included in the agreements with all payers, contractors,
vendors, accreditation organizations, and all other outside agencies who will
be granted access to the information owned by, or in the custody of, the
organization.
Policies should be established for the release and use of
information for providing patient care, protecting the public health, ensuring
quality of care, managing the organization, supporting research activities,
paying for care, obtaining insurance coverage, and any other
purpose.
Because the security of the information maintained on
computer-based patient record systems is partially dependent upon the security
of information maintained in other forms, the information security policies
should apply to all information owned by, or in the custody or possession of,
the individual practitioner, group practice or organization regardless of its
form or storage media. The policies established by individuals and
organizations should be applicable to all types of information used, including
but not limited to:
- Patient health information
- Patient demographic information
- Patient financial information
- Research information
- Information about physicians, nurses, and other caregivers
- Peer review information
- Information about payers
- Business records including financial records, personnel records, practice
patterns, quality assurance statistics, strategic plans, and similar information
- Computer software
Relationship to Legal and Regulatory Requirements
The information security policies should specify
your practice's or organization's complete policy for information protection. The
policies should include all measures necessary for the organization to comply
with all HIPAA regulatory requirements.
Distribution and Promulgation
The policies
must be made available to all employees, professional staff members, faculty,
students, volunteers, vendors, contractors, researchers, and others who may be
granted access to information by the organization. All persons being granted
access to the practice's or organization's information should formally acknowledge
an understanding of the policies and make a formal written commitment to comply
with those policies prior to being entrusted with access to the information.
Provisions should be made for periodic review and renewal of these
agreements.
The policies should not be confidential and may be made
available to the public. Policies may be distributed via computer-based systems
or as paper documents.
Policy Subjects
The following sections identify the topics that
individual health care providers, practitioners and group practices should
consider addressing in their policies. Individual policy statements addressing
these subjects should be combined to comprise the contents of the practice's or
organization's information security policy document.
A. Philosophy for the Protection of Information
Each health care provider, practitioner and group practice
using a computer-based patient record system must define its philosophy for the
protection of information. Although much of the information maintained
represents patient information, most will also create and maintain business
records. These business records are a primary asset and must be protected in a
manner commensurate with their value. Therefore the philosophy statements for
the protection of information should be applicable to all information created,
collected, stored, and processed. This includes all information that is the
property of the health care provider, practitioner or group practice, the
patient, caregivers, researchers, or any other party, and has been entrusted
for use and safekeeping.
B. Patient Rights with Respect to Information Security
The policies should define how each health care provider,
practitioner and group practice will respect the rights of the patient with
regard to information. In addition to the rights preserved by HIPAA regulatory
law, health care providers, practitioners and group practices may wish to grant
additional rights to the patient based on its mission and
philosophy.
Areas for consideration in developing the policies are:
- Right to be informed of their rights. Responsibilities for
implementing procedures for ensuring that the patient is informed of the
policies related to patient information should be defined.
- Right to privacy. Relevant patient information may only
be disclosed to those directly involved in the care of the patient, for the
protection of the public health as provided by law, for the payment of services
as authorized by the patient, to assist researchers as authorized by the
patient, or for any other purposes required by law or authorized by the
patient.
- Right to review information. Patients are entitled to know
which information about them is in the possession of the health care provider,
practitioner or group practice and are entitled to review that information. Any
category of information that may be withheld from the patient in accordance
with the law should be defined in the policies.
- Right to clear and complete presentation of information. Policies related
to making information from the computer-based patient record available to the
patient in a clear, logical, understandable format should be developed. Any
policies for presenting information in a format not maintained by the
organization should be defined. Health care provider, practitioner or group
practice policies related to the costs associated with presentation of
information should also be defined.
- Right to append correct information. Information cannot be
deleted, but erroneous information can be marked as such and correct
information appended. The rights of the patient to provide supplemental
information or an appendix should also be defined.
- Right to block release of specific information. The patient's
rights to segment information and block the release of specific information
should be clearly stated. The rights of the health care provider, practitioner
or group practice to identify and explain any consequences of such blockage
should also be included.
- Right to notification of disclosure of information. The
patient's rights to know which individuals, organizations, and government
agencies have authority to access, and have actually gained access to, specific
information identified with the patient should be clearly defined in the
policies.
- Right to protection of information released to third parties.
The policy should define the commitment for protection
required from a third party prior to the release of information to that
organization. The policy may also specify the responsibility for monitoring
these commitments.
- Right to integrity and availability. Records must be
protected from unauthorized modification and destruction. The patient has the
right to expect that the health care provider, practitioner or group practice
will take appropriate and reasonable precautions to protect the information
from destruction by accident or vandalism, and by fire, flood, earthquake, or
other disasters. Policies should require that provisions be made for the
patient records to survive in the event of mergers, bankruptcy, catastrophic
failures and similar events.
Protection of Caregiver Information
The health care provider, practitioner and group
practice policies should define how information related to caregivers is to be
protected. Because caregivers may be employees, independent contractors, and
agents of the organization, applicable good business practices and laws
pertaining to employee records and contractual agreements should be considered
in addition to the requirements for protecting health information. Areas for
consideration include:
- Privacy. The caregivers'
personal privacy should be preserved. Relevant caregiver information may only
be disclosed for the protection of the public health as provided by law, for
any other purposes as required by law, or as authorized by the caregiver.
- Review of information. The caregiver is entitled to know
which information about the caregiver is in the possession of the health care
provider, practitioner or group practice. Caregivers are also entitled to know
which information they have a legal right to review. Caregivers should have the
right to review information they have placed in the patient's
record.
- Clear and complete presentation of information. Information about
the caregiver and patient information authorized to the caregiver should be
made available in a clear, logical, understandable format.
- Appending of corrected information. The caregivers' rights
to identify erroneous information and append correct information pertaining to
their employment or contractual arrangements should be defined.
- Release of specific information. The caregiver may be
granted the right to segment information and block the release of specific
information where permitted by law.
- Notification of disclosure of information. The caregiver is
entitled to know which individuals, organizations, and government agencies have
authority to access and have actually gained access to information about the
caregiver.
- Protection of information released to third parties. The
policy should define the commitment for protection required from a third party
prior to the release of information to that organization.
- Integrity and availability of records. Records must be
protected from unauthorized modification and destruction. The caregiver has the
right to expect that the health care provider, practitioner or group practice
will protect the information from destruction by accident or vandalism, and by fire,
flood, earthquake, or other disasters. Provisions must be made for the records
to survive the organization in the event of closure, mergers, bankruptcy,
catastrophic failure and similar events.
- Responsibility to protect information. The caregivers'
responsibility for the protection of the information to which the caregiver has
access should be stated.
The Privileges and Obligations of Researchers
Whether or not patient or caregiver identifiable
information will be made available for research, and how that access to
information will be authorized, should be included in the policies. The
policies should define the role of the institutional review board with respect
to information protection. Some of the topics to consider related to the use of
computer-based patient record information for research are:
- Opportunities for access to information. Policies
for granting access as authorized by the appropriate party or as permitted by
law should be established.
- Obligation to protect the information. Researchers'
responsibilities to protect the information in their custody should be included
in the policies. This includes information that may be removed from the health
care provider, practitioner or group practice's premises. If researchers are
authorized to release information, the policies should define researchers'
responsibilities to notify recipients of information of the protection
requirements.
- The researcher's expectation of accurate information.
The policy for ensuring that researchers are made aware of the sources and the
accuracy of information being provided should be considered.
- Right to control disclosure of information. The
researcher or health care provider, practitioner or group practice generally
has the right to control which individuals and organizations have authority to
access information resulting from the research provided the information does
not identify specific patients or caregivers, and cannot readily be used to do
so.
- Right to integrity and availability. Records must be
protected from unauthorized modification and destruction. Within the provisions
of any agreements with the organization, the researcher has the right to expect
that the health care provider, practitioner or group practice will protect the
information from destruction as a result of accidents, vandalism, fire, flood,
earthquake, catastrophic failure or other disasters. Provisions must be made
for the records to survive the organization in the event of closure, mergers,
bankruptcy, and similar events.
Patient Rights
Although the requirements for
release of some patient information are defined by HIPAA, health care
providers, practitioners or group practices/organizations using the
computer-based patient records should develop policies addressing the
responsibilities and determining the methods of complying with these HIPAA
regulations.
The health care provider, practitioner or group
practice/organization policies related to complying with HIPAA for the release
of patient, caregiver, and institutional information to public health
authorities should be defined.
The policy for the release of information
for criminal proceedings, and civil and administrative litigation should also
be defined. The policies should state how the institution will resolve
conflicts in the rights of the patient, the caregiver, and
society.
Factors to consider in the release and sharing of information
include:
- Which information may be released?
- To whom may information be released?
- Who authorizes release, or is responsible for ensuring that the appropriate
person has authorized release?
- Who is responsible for developing procedures for release?
- What responsibility does the institution have regarding the protection of
information it has released from its custody?
- Who is responsible for managing shared databases and networks?
Collection of Information
Each health care
provider, practitioner or group practice/organization should define its
policies for collection and authentication of information. The policy should
specify who is responsible for determining which information is to be collected
and retained. Responsibilities for the review of information collection
policies and retention periods should be specified. Responsibilities and
provisions for verifying the accuracy of information should be defined.
Retention and Destruction
Business and patient records must be readable and
usable for the life span of the records. The policies should define the
necessity and responsibility for developing procedures to ensure that the
records are maintained and are accessible for the minimum lifetime of the
record as required by law or by business and patient care requirements.
Policies specifying the responsibilities for determining the time periods for
retention should be included.
Policies to ensure that the health care
provider, practitioner or group practice/organization provides for preservation
of the records during the migration to new technologies are essential. Policies
defining the responsibilities for destruction of information should be
included.
Information Security Program
Every health care provider, practitioner or
group practice/organization should, as a matter of policy, maintain a formal
information security program. The responsibility for management of the program
and the functions of the program should be described in the policy document.
Responsibilities for the periodic review and maintenance of the
information security policies should be specified.
Accountability and Responsibilities
Specific
responsibilities and accountability for information security should be defined
in the policies. Factors to consider are:
- Licensed Professional/Owner/Health Care Provider/Organization
responsibilities, including recognizing the importance of information security,
establishing policies, establishing the information security program, and
authorizing funding.
- Owners/Partners/Managers/Security Officers/Privacy Officers
responsibilities, including ensuring appropriate contracts are in order with all
vendors, service providers, contractors and temporary employees.
- Responsibility for reporting of violations.
- Responsibility for determining and administering discipline and penalties.
- Responsibility for assessing and accepting risk.
- Patient responsibilities.
Penalties and sanctions for failure to comply with the policies and to fulfill
responsibilities should be specified.
Access to Information
Access to information should be defined as a
matter of policy. Access should be limited to those entitled to access on the
basis of a specific patient care, business need, or research requirement for
access as authorized by the patient for patient information and as authorized
by the caregiver for caregiver information. Access to patient-specific
information, caregiver-specific information, and health care provider,
practitioner or group practice information by those with authority to protect
the public health should be granted as provided by law, or to a greater extent,
as authorized by the patient or caregiver.
Access to information for law
enforcement, litigation, or other purposes not authorized by the patient or
caregiver should be granted only to the extent required by law.
The
health care provider, practitioner or group practice should establish policies
specifying that access to the health care provider, practitioner or group
practice business records will be based on assigned job
responsibilities.
Responsibility for verifying the legitimacy of
requests for access, granting access, and revoking access should be specified.
The responsibilities for establishing procedures for resolving disagreements,
and for actually resolving disagreements, related to access to information
should be defined.
The extent and policy for enforcement of individual
accountability for the creation, modification, deletion, or disclosure of
information should be defined.
Classification of Information
- Public - Information which may be made public.
- Office - Information internal to the health care provider, practitioner or
group practice which may be disclosed to anyone within the organization.
- Confidential - Information that must be protected from disclosure to anyone
other than those specifically authorized access to the information by job
function.
- Restricted Confidential - Information that may be disclosed only to certain
identified individuals and for which a record of disclosure is maintained.
Records of Access
The policy of the health care provider, practitioner
or group practice to maintain records of access to information should be
defined. Policies should specify in general how long records of access should
be maintained and who is responsible for determining which records of access
must be preserved. The policies should also be applicable to third parties who
have access to the health care provider, practitioner or group practice
information or to which information has been released.
Disaster Recovery/Business Resumption Plan
This policy should specify the health care provider's,
practitioner's or group practice's requirement for developing and maintaining
business resumption plans to ensure that the information remains available for
use in the event of a natural disaster, vandalism, system failure or
catastrophic failure. The policy should define the responsibility for
developing, maintaining, and testing the plans, and define responsibilities for
actual recovery.
Information Security Awareness Training
The policies should define a formal information
security awareness training program to be established by the health care
provider, practitioner or group practice. Responsibilities for determining
training requirements and conducting training should be defined. The content,
frequency of training, and specific training programs and material should be
defined in the health care provider's, practitioner's or group practice's
information security standards. Policies for documentation of attendance at
training sessions should be established.
Responsibilities and
objectives for monitoring of the information security program and for auditing
for compliance with the information security policies, standards, and
procedures should be specified in the policy document.
Suggested Method for Policy Development
Information security policy development should be
accomplished as a formal project and supported by management. The following are
recommended steps for policy development:
- Establish a formal, fully funded project to develop the policies.
- Assign responsibility for the project and appoint an information security
manager.
- Use the topics in this summary as the basis for writing policy statements.
- Submit the proposed policies to legal counsel for review.
- Submit the draft policies to management and owners of the health care
provider, practitioner or group practice for review.