Julius S. Aronofsky Lecture in Health Care Information Systems: Patient Confidentiality and Electronic Medical Records. Ann J. Olsen, MBA, MA, Information Security Officer and Director, Information Management Planning, Vanderbilt University Medical Center. June 19, 1999.
Presentation delivered at the 3rd Annual “Enhancing Your Clinical Practice - Internet and New Technology Trends”, sponsored by the Office of Continuing Education of The University of Texas Southwestern Medical Center at Dallas.
Objectives:
• Understand
  • basic context for information security and confidentiality
  • current practices and risks regarding confidentiality
  • impact of EMR on ability to protect privacy
  • needs for organizational practices as well as technical practices (policies, agreements, and continuous learning)
• Learn about directions in Washington and upcoming requirements for your practices
  • HIPAA security standards
  • Proposed health information privacy legislation
• Know key sources of information about this topic
Agenda
• Key Concepts
• Discussion: Current Practices & Concerns
• Key Changes We Face
• Expected Electronic Health Data Security Requirements
• Questions & Discussion
Health Care Resources
• Health Care Delivery Processes Depend on Acquisition, Utilization, and Management of Many Kinds of Resources
[Diagram: Health Care Delivery Depends On: Financial Resources, Human Resources, Information & Knowledge Resources, Physical Resources, with Security at the center]
Key Concept: Information Security Components
• Confidentiality (Privacy)
  • Access control
  • Disclosure requires authorization
  • Need to know
• Availability
  • Accessible when & where needed
• Integrity
  • Records are complete
  • No unauthorized changes
[Diagram: Protection of Electronic Health Information: Confidentiality, Availability and Integrity spanning Information Security, Health Information Security and Information Systems Security]
Discussion: Current Practices and Concerns
(1) Share one of the biggest challenges or risks to health information privacy in your practice today, OR a health information privacy issue you have faced recently
(2) Share a practice that has improved protection of health information in your office or clinic
What Changes are We Facing?
• Increased use of electronic medical records (EMR) and internet communications
• Expectation that health records are on-line, with decision support
• Information provided directly by health care consumers in on-line interactions with providers
• Portable, hand-held computing
EMR and Confidentiality
• EMR Risks
  • Easy to disclose vast quantities of information
  • Ability to link records across systems
  • Insufficient security & training in many EMR environments
  • Hackers keep pace with technology
EMR and Confidentiality
• EMR Benefits
  • Audit trails
  • Encryption
  • Access controls
  • Can remove identifiers
  • Can share without making copies
What Changes are We Facing?
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • DHHS rules governing security of electronic health information
  • Apply to all individual health care information electronically maintained or used in an electronic transmission
• Federal legislation on health information privacy
For the Record: Protecting Electronic Health Information
• National Research Council Study of Current Best Practice (1997)
• Recommendations:
  • Organizational practices
    • for immediate implementation
  • Technical practices
    • for immediate implementation
    • for future implementation
• Basis for HIPAA Security Standard
Organizational Practices
• Security & Confidentiality Policies*
• Security & Confidentiality Committees
• Information Security Officers*
• Education and Training*
• Sanctions*
• Improved Authorization Forms**
• Patient Access to Audit Logs**
Technical Practices
• Individual authentication of users*
• Access controls*
• Audit trails*
• Physical security & disaster recovery*
• Protection of remote access points*
• Protection of external electronic communications*
• Software discipline*
• System assessment*
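To make the safeguards on these slides concrete (need-to-know access control, disclosure only with patient authorization, an audit trail the patient can review, and removal of identifiers before sharing), here is a small Python model written for this page; it is an added example, not code from the lecture or from any EMR product. The role names, record fields, `IDENTIFIERS` set and sample patient data are constructed assumptions.

```python
from dataclasses import dataclass, field

IDENTIFIERS = {"name", "mrn"}  # assumed identifying fields to strip before sharing

@dataclass
class Emr:
    records: dict = field(default_factory=dict)       # mrn -> clinical record
    treating: dict = field(default_factory=dict)      # mrn -> clinicians with a need to know
    authorizations: set = field(default_factory=set)  # (mrn, recipient) approved by the patient
    audit: list = field(default_factory=list)         # (user, action, mrn, allowed)

    def _decide(self, user, action, mrn, allowed):
        # Audit trail: every attempt is recorded, whether or not it was allowed.
        self.audit.append((user, action, mrn, allowed))
        if not allowed:
            raise PermissionError(f"{user}: {action} on {mrn} denied")

    def read(self, user, mrn):
        # Need to know: only clinicians on the patient's care team may read.
        self._decide(user, "read", mrn, user in self.treating.get(mrn, set()))
        return dict(self.records[mrn])

    def disclose(self, user, mrn, recipient):
        # Disclosure requires authorization: the patient must have approved this recipient.
        self._decide(user, f"disclose:{recipient}", mrn, (mrn, recipient) in self.authorizations)
        return dict(self.records[mrn])

    def share_deidentified(self, user, mrn):
        # Remove identifiers so clinical content can be shared without the patient's identity.
        self._decide(user, "share-deidentified", mrn, True)
        return {k: v for k, v in self.records[mrn].items() if k not in IDENTIFIERS}

    def patient_audit_log(self, mrn):
        # Patient access to audit logs: who touched my record, and was it allowed?
        return [entry for entry in self.audit if entry[2] == mrn]

def build_sample():
    emr = Emr()  # constructed sample data for the demo; not real patient information
    emr.records["MRN-001"] = {"name": "J. Doe", "mrn": "MRN-001", "diagnosis": "hypertension"}
    emr.treating["MRN-001"] = {"dr_smith"}
    emr.authorizations.add(("MRN-001", "insurer_x"))
    return emr

def demo():
    emr = build_sample()
    emr.read("dr_smith", "MRN-001")        # allowed: treating clinician
    try:
        emr.read("dr_jones", "MRN-001")    # denied, but still logged: no need to know
    except PermissionError:
        pass
    return emr.share_deidentified("dr_smith", "MRN-001"), emr.patient_audit_log("MRN-001")
```

The denied read still appears in the patient's audit log, which is what makes the "patient access to audit logs" practice useful: the log shows attempts, not only successes.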
Scenario for Security Standards
• Proposed Security Standard includes “Small or Rural Provider Example”
• Outlines how the requirements might be implemented
• Expectation that software vendors will provide support
• Excerpts ...
Joint Commission on Accreditation of Healthcare Organizations
• Current JCAHO standards require classification and protection of information
• Already at work to incorporate HIPAA standards
Information Resources
• DHHS web site has rules proposed under HIPAA and other information: http://aspe.os.dhhs.gov/admnsimp
• Computer-based Patient Records Institute has very useful publications on information security: http://www.cpri.org
Health Information Privacy Legislation
• HIPAA required action by Congress by August 1999 on health information privacy, or DHHS to issue final rules
• None of the bills introduced in the 106th Congress is likely to pass by the HIPAA deadline
• Expect amendment of HIPAA to extend the deadline
• For information on legislative proposals, see the Library of Congress web site at http://thomas.loc.gov
Common Elements of Proposals
• Requirements for patient authorization for most kinds of disclosures
• Patient notice about rights and use of health information
• Patient right to review and amend
• Limit disclosure to minimum information needed
• Requirement to track disclosures
• Require safeguards for confidentiality, security, accuracy, integrity
• Criminal and civil penalties