Introduction
The
purpose of this summary is to encourage a plan, promote information protection
and good business practices, point out your responsibilities, and to provide
standards and procedures for the management, protection, storage, recovery,
restoration and re-distribution of health care information.
A complete
information security program consists of policies, standards, training,
technical and procedural controls, risk assessment, auditing and monitoring,
and assigned responsibility for management of the program. Information security policies
are the basis for all other aspects of an effective information security
program.
Computer-based patient records offer the potential for
achieving much greater protection of health information than paper-based
patient records and should be seriously considered as a standard operating
procedure. However, to comply with HIPAA regulations and to ensure an
appropriate and consistent level of information security for computer-based
patient records, both with individual health care providers, and within group
practice/organizations, and throughout the entire health care delivery system,
formal information security programs must be established by every health care
provider, practitioner or group practice/organization entrusted with health
care information.
The first component of an information security
program is a set of information security policies which incorporate all HIPAA
regulations and which are designed by the health care provider, practitioner or
group practice/organization to meet its own specific needs.
The Need for
Security Policies
Patients entrust
health care providers with their private health information. Most people
believe and expect that the privacy, security and integrity of their health
information will be preserved by all who use and maintain that information.
Every health care provider, practitioner or group practice/organization which
creates, uses, stores, or communicates health care information has a legal
and ethical responsibility to honor this trust.
Health care providers,
practitioners or group practices/organizations are also required to protect
sensitive and private records about physicians, nurses, staff members and
employees, and other caregivers. These obligations and responsibilities to
protect information must be considered and fulfilled in the implementation of HIPAA
regulations.
The policies developed by health care providers,
practitioners or group practices/organizations within the health care industry
to protect the confidentiality, integrity, and availability of patient and
administrative information are significantly influenced by their unique mission,
culture, and management.
The foundation for a successful information
security program is a set of comprehensive information security policies. These
policies must define each health care provider's, practitioner's or group
practice's/organization's philosophy and direction for the protection of
information. The policies must be thoroughly documented and
promulgated.
While the majority of the information maintained by health
care providers, practitioners or group practices/organizations consists of
patient records, they also maintain sensitive and valuable business records.
The security, confidentiality, integrity, and availability of these business
records must be protected to enable the continued successful functioning of the
health care providers, practitioners or group practices/organizations.
Therefore, the recommendations in this summary apply to all information
created, maintained, and used by every health care provider, practitioner or
group practice/organization utilizing paper or computer-based patient records.
Objectives
The objectives of this summary are to:
- Encourage the establishment of an effective
system for complying with HIPAA requirements for data security,
confidentiality, integrity, availability and privacy.
- Promote consistent
protection of information for all health care providers, practitioners or group
practices/organizations.
- Communicate the
responsibilities for the protection of information and foster information
security awareness.
- Foster good business
practices related to protecting health care information.
- Provide the basis for
information security standards and procedures, and standards for the
management, storage, recovery, restoration and re-distribution of health care
information.
Scope
This summary is designed to be used
primarily in the establishment of information security policies for all health
care providers, practitioners or group practices/organizations implementing
HIPAA requirements. While it may be helpful in specifying security controls,
features, and functions, it is primarily intended to be used to define
management policies. These management policies will form the basis for the
development of the standards and procedures that dictate the specific security
controls to be implemented.
Every health care provider, and every small and
medium size group practice in every discipline of health care with paper or
computer-based patient records, should develop information security policies.
While larger, multi-functional organizations with more diverse information
needs may require more extensive policies than individuals and smaller
organizations making more limited use of the information, basic information
security policies are required for every health care provider and
organization.
For maximum effectiveness in group practices, these
policies should be issued at the highest level of the organization and should
apply to all employees, independent contractors, and agents, and to all units
of the organization. The policies should define the obligations for protection
of information to be included in the agreements with all payers, contractors,
vendors, accreditation organizations, and all other outside agencies who will
be granted access to the information owned by, or in the custody of, the
organization.
Policies should be established for the release and use of
information for providing patient care, protecting the public health, ensuring
quality of care, managing the organization, supporting research activities,
paying for care, obtaining insurance coverage, and any other
purpose.
Because the security of the information maintained on
computer-based patient record systems is partially dependent upon the security
of information maintained in other forms, the information security policies
should apply to all information owned by, or in the custody of, the individual
practitioner or organization regardless of its form or storage media. The
policies established by individuals and organizations should be applicable to
all types of information used, including but not limited to:
- Patient health
information
- Patient demographic
information
- Patient financial
information
- Research information
- Information about
physicians, nurses, and other caregivers
- Peer review
information
- Information about
payers
- Business records
including financial records, personnel records, practice patterns, quality
assurance statistics, strategic plans, and similar information.
- Computer
software
Relationship to Legal and Regulatory
Requirements
The information security policies should specify
your practice or organization's complete policy for information protection. The
policies should include all measures necessary for the organization to comply
with all HIPAA regulatory requirements.
Distribution and Promulgation
The policies
must be made available to all employees, professional staff members, faculty,
students, volunteers, vendors, contractors, researchers, and others who may be
granted access to information by the organization. All persons being granted
access to the organization's information should formally acknowledge an
understanding of the policies and make a formal written commitment to comply
with those policies prior to being entrusted with access to the information.
Provisions should be made for periodic review and renewal of these
agreements.
The policies should not be confidential and may be made
available to the public. Policies may be distributed via computer-based systems
or as paper documents.
Policy
Subjects
The following sections identify the topics for which
the health care provider, practitioner or group practice/organization should
consider developing policies. Individual policy statements addressing these
subjects should be combined to comprise the contents of the organization's
information security policy document.
A.
Philosophy for the Protection of Information
Each health care provider, practitioner or group
practice/organization using a computer-based patient record system must define
its philosophy for the protection of information. Although much of the
information maintained represents patient information, most health care
providers, practitioners or group practices/organizations also create and
maintain business records. These business records are a primary asset and must
be protected in a manner commensurate with their value. Therefore, the
philosophy statements for the protection of information should be applicable to
all information created, collected, stored, and processed. This includes all
information that is the property of the health care provider, practitioner or
group practice/organization, the patient, caregivers, researchers, or any other
party, and has been entrusted to the organization for use and safekeeping.
B. Patient Rights with Respect to Information
Security
The policies should define how
each health care provider, practitioner or group practice/organization will
respect the rights of the patient with regard to information. In addition to
the rights preserved by HIPAA regulatory law, health care providers,
practitioners and group practices/organizations may wish to grant additional
rights to the patient based on its mission and philosophy.
Areas for
consideration in developing the policies are:
- Right to be
informed of their rights. Responsibilities for
implementing procedures for ensuring that the patient is informed of the
policies related to patient information should be defined.
- Right to
privacy. Relevant patient information may only
be disclosed to those directly involved in the care of the patient, for the
protection of the public health as provided by law, for the payment of services
as authorized by the patient, to assist researchers as authorized by the
patient, or for any other purposes required by law or authorized by the
patient.
- Right to review
information. Patients are entitled to know
which information about them is in the possession of the health care provider,
practitioner or group practice/organization and are entitled to review that
information. Any category of information that may be withheld from the patient
in accordance with the law should be defined in the
policies.
- Right to clear
and complete presentation of information. Policies related to making information from the computer-based
patient record available to the patient in a clear, logical, understandable
format should be developed. Any policies for presenting information in a format
not maintained by the organization should be defined. Health care provider,
practitioner or group practice/organization policies related to the costs
associated with presentation of information should also be
defined.
- Right to append
correct information. Information cannot be
deleted, but erroneous information can be marked as such and correct
information appended. The rights of the patient to provide supplemental
information or an appendix should also be defined.
- Right to block
release of specific information. The patient's
rights to segment information and block the release of specific information
should be clearly stated. The rights of the health care provider, practitioner
or group practice/organization to identify and explain any consequences of such
blockage should also be included.
- Right to
notification of disclosure of information. The
patient's rights to know which individuals, organizations, and government
agencies have authority to access, and have actually gained access to, specific
information identified with the patient should be clearly defined in the
policies.
- Right to
protection of information released to third parties.
The policy should define the commitment for protection
required from a third party prior to the release of information to that
organization. The policy may also specify the responsibility for monitoring
these commitments.
- Right to
integrity and availability. Records must be
protected from unauthorized modification and destruction. The patient has the
right to expect that the health care provider, practitioner or group
practice/organization will take appropriate and reasonable precautions to
protect the information from destruction by accident or vandalism, and by fire,
flood, earthquake, or other disasters. Policies should require that provisions
be made for the patient records to survive in the event of mergers, bankruptcy,
catastrophic failures and similar events.
C. Protection of Caregiver
Information
The health care provider, practitioner or group
practice/organization policies should define how information related to
caregivers is to be protected. Because caregivers may be employees, independent
contractors, and agents of the organization, applicable good business practices
and laws pertaining to employee records and contractual agreements should be
considered in addition to the requirements for protecting health information.
Areas for consideration include:
- Privacy. The caregivers'
personal privacy should be preserved. Relevant caregiver information may only
be disclosed for the protection of the public health as provided by law, for
any other purposes as required by law, or as authorized by the caregiver.
- Review of
information. The caregiver is entitled to know
which information about the caregiver is in the possession of the health care
provider, practitioner or group practice/organization. Caregivers are also
entitled to know which information they have a legal right to review.
Caregivers should have the right to review information they have placed in the
patient's record.
- Clear and complete
presentation of information. Information about
the caregiver and patient information authorized to the caregiver should be
made available in a clear, logical, understandable format.
- Appending of
correct information. The caregivers' rights
to identify erroneous information and append correct information pertaining to
their employment or contractual arrangements should be defined.
- Release of
specific information. The caregiver may be
granted the right to segment information and block the release of specific
information where permitted by law.
- Notification of
disclosure of information. The caregiver is
entitled to know which individuals, organizations, and government agencies have
authority to access and have actually gained access to information about the
caregiver.
- Protection of
information released to third parties. The
policy should define the commitment for protection required from a third party
prior to the release of information to that organization.
- Integrity and
availability of records. Records must be
protected from unauthorized modification and destruction. The caregiver has the
right to expect that the health care provider, practitioner or group
practice/organization protect the information from destruction by accident or
vandalism, and by fire, flood, earthquake, or other disasters. Provisions must
be made for the records to survive the organization in the event of closure,
mergers, bankruptcy, catastrophic failure and similar events.
- Responsibility to
protect information. The caregivers'
responsibility for the protection of the information to which the caregiver has
access should be stated.
D. The Privileges and Obligations of
Researchers
Whether or not patient or caregiver identifiable
information will be made available for research, and how that access to
information will be authorized, should be included in the policies. The
policies should define the role of the institutional review board with respect
to information protection. Some of the topics to consider related to the use of
computer-based patient record information for research are:
- Opportunities for access to information. Policies
for granting access as authorized by the appropriate party or as permitted by
law should be established.
- Obligation to protect the information. Researchers'
responsibilities to protect the information in their custody should be included
in the policies. This includes information that may be removed from the health
care provider, practitioner or group practice/organization's premises. If
researchers are authorized to release information, the policies should define
researchers' responsibilities to notify recipients of information of the
protection requirements.
- The researcher's expectation of accurate information.
The policy for ensuring that researchers are made aware of the sources and the
accuracy of information being provided should be considered.
- Right to control disclosure of information. The
researcher or health care provider, practitioner or group practice/organization
generally has the right to control which individuals and organizations have
authority to access information resulting from the research provided the
information does not identify specific patients or caregivers, and cannot
readily be used to do so.
- Right to integrity and availability. Records must be
protected from unauthorized modification and destruction. Within the provisions
of any agreements with the organization, the researcher has the right to expect
that the health care provider, practitioner or group practice/organization will
protect the information from destruction as a result of accidents, vandalism,
fire, flood, earthquake, catastrophic failure or other disasters. Provisions
must be made for the records to survive the organization in the event of
closure, mergers, bankruptcy, and similar events.
E. The Rights of Society
Although the
requirements for release of some patient information are defined by HIPAA,
health care providers, practitioners or group practices/organizations using the
computer-based patient records should develop policies addressing the
responsibilities and determining the methods of complying with these HIPAA
regulations.
The health care provider, practitioner or group
practice/organization policies related to complying with HIPAA for the release
of patient, caregiver, and institutional information to public health
authorities should be defined.
The policy for the release of information
for criminal proceedings, and civil and administrative litigation should also
be defined. The policies should state how the institution will resolve
conflicts in the rights of the patient, the caregiver, and
society.
Factors to consider in the release and sharing of information
include:
- Which information may be
released?
- To whom may information be
released?
- Who authorizes release or
is responsible for ensuring that the appropriate person has authorized release?
- Who is responsible for
developing procedures for release?
- What responsibility does
the institution have regarding the protection of information it has released
from its custody?
- Who is responsible for
managing shared databases and networks?
F. Collection of Information
Each health care
provider, practitioner or group practice/organization should define its
policies for collection and authentication of information. The policy should
specify who is responsible for determining which information is to be collected
and retained. Responsibilities for the review of information collection
policies and retention periods should be specified. Responsibilities and
provisions for verifying the accuracy of information should be defined.
G. Retention and
Destruction
Business and patient records must be readable and
usable for the life span of the records. The policies should define the
necessity and responsibility for developing procedures to ensure that the
records are maintained and are accessible for the minimum lifetime of the
record as required by law or by business and patient care requirements.
Policies specifying the responsibilities for determining the time periods for
retention should be included.
Policies to ensure that the health care
provider, practitioner or group practice/organization provides for preservation
of the records during the migration to new technologies are essential. Policies
defining the responsibilities for destruction of information should be
included.
H. Information
Security Program
Every health care provider, practitioner or
group practice/organization should, as a matter of policy, maintain a formal
information security program. The responsibility for management of the program
and the functions of the program should be described in the policy document.
Responsibilities for the periodic review and maintenance of the
information security policies should be specified.
I. Accountability and Responsibilities
Specific
responsibilities and accountability for information security should be defined
in the policies. Factors to consider are:
- Licensed
Professional/Owner/Health Care Provider/Organization responsibilities, including
recognizing the importance of information security, establishing policies,
establishing the information security program, and authorizing funding.
- Owners'/Partners'/Managers'/Security Officers' responsibilities,
including ensuring appropriate contracts are in order with all vendors, service
providers, contractors and temporary employees.
- Responsibility for
reporting of violations.
- Responsibility for
determining and administering discipline and penalties.
- Responsibility for
assessing and accepting risk.
- Patient
responsibilities.
Penalties and
sanctions for failure to comply with the policies and to fulfill
responsibilities should be specified.
J. Access to
Information
Access to information should be defined as a
matter of policy. Access should be limited to those who need it for a specific
patient care, business, or research purpose, as authorized by the patient for
patient information and as authorized by the caregiver for caregiver
information. Access to patient-specific information, caregiver-specific
information, and health care provider, practitioner or group
practice/organization information by those with authority to protect the public
health should be granted as provided by law or, to a greater extent, as
authorized by the patient or caregiver.
Access to
information for law enforcement, litigation, or other purposes not authorized
by the patient or caregiver should be granted only to the extent required by
law.
The health care provider, practitioner or group
practice/organization should establish policies specifying that access to the
health care provider, practitioner or group practice/organization business
records will be based on assigned job responsibilities.
Responsibility
for verifying the legitimacy of requests for access, granting access, and
revoking access should be specified. The responsibilities for establishing
procedures for resolving disagreements, and for actually resolving
disagreements, related to access to information should be defined.
The
extent and policy for enforcement of individual accountability for the
creation, modification, deletion, or disclosure of information should be
defined.
K. Classification
of Information
The policies should define the classification categories used for information
and the handling required for each. Categories to consider include:
- Information which may be
made public.
- Information internal to
the health care provider, practitioner or group practice/organization which may
be disclosed to anyone within the organization.
- Information that must be
protected from disclosure to anyone other than those specifically authorized
access to the information by job function.
- Information that may be
disclosed only to certain identified individuals and for which a record of
disclosure is maintained.
L. Records of
Access
The policy of the health care provider, practitioner
or group practice/organization to maintain records of access to information
should be defined. Policies should specify in general how long records of
access should be maintained and who is responsible for determining which
records of access must be preserved. The policies should also be applicable to
third parties who have access to the health care provider, practitioner or
group practice/organization information or to which information has been
released.
M. Disaster Recovery/Business Resumption
Plan
This policy should specify the health care provider's,
practitioner's or group practice's/organization's requirement for developing and
maintaining business resumption plans to ensure that the information remains
available for use in the event of a natural disaster, vandalism, system failure
or catastrophic failure. The policy should define the responsibility for
developing, maintaining, and testing the plans, and define responsibilities for
actual recovery.
N. Information Security Awareness
Training
The policies should define a formal information
security awareness training program to be established by the health care
provider, practitioner or group practice/organization. Responsibilities for
determining training requirements and conducting training should be defined.
The content, frequency of training, and specific training programs and material
should be defined in the health care provider's, practitioner's or group
practice's/organization's information security standards. Policies for
documentation of attendance at training sessions should be established.
O. Monitoring and Auditing
Responsibilities and objectives for monitoring of the information
security program and for auditing for compliance with the information security
policies, standards, and procedures should be specified in the policy
document.
Suggested Method for Policy
Development
Information security policy development should be
accomplished as a formal project, fully sanctioned and supported by senior
management. The following are recommended steps for policy development:
- Establish a formal, fully
funded project to develop the policies.
- Assign responsibility for
the project and appoint an information security manager.
- Use the topics in this
summary as the basis for writing policy statements.
- Submit the proposed
policies to the health care provider's, practitioner's or group
practice's/organization's legal counsel for review.
- Submit the draft policies
to the management and owners of the health care provider, practitioner or group
practice/organization for review.