How Hospitals Protect Your Health Information. Your Health Information Privacy Rights. You can ask to see or get a copy of your medical record and other health information
An Image/Link below is provided (as is) to download presentationDownload Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.Content is provided to you AS IS for your information and personal use only. Download presentation by click this link.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.During download, if you can't get a presentation, the file might be deleted by the publisher.
E N D
Presentation Transcript
How Hospitals Protect Your Health Information
Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other health information You can ask to change any wrong information in your file or add information to your file if you think something is missing or incomplete Receive a notice that tells you how your health information may be used and shared
Your Health Information Privacy Rights Get a report on when and why your health information was shared for certain purposes If you believe your rights are being denied or your health information isn’t being protected, you can file a compliant with your provider or health insurer or file a compliant with the Office of Civil Rights within the Department of Health and Human Services
Privacy and Security Law In 1996 Congress passed the Health Insurance Portability and Accountability Act The Act created the “Privacy Rule” which developed standards of privacy of individually identifiable health information The Act created the “Security Rule” which developed administrative and security standards to keep your health information private and protected
The Privacy Versus Security Rule The Privacy rule sets standards who may access health information while the Security rule sets the standards for ensuring that only those who should have access to the health information only obtain access
Who Must Comply Covered Health Care Providers- Any provider of medical or other health care services or supplies who transmits any health information in electronic form Health Plans- Any individual or group plan that provides or pays the cost of health care Health Care Clearinghouses-Any entity that processes another entity’s health care transactions
Administrative Safeguards Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce
Administrative Safeguards Implement policies and procedures to prevent , detect, contain and correct security violations Conduct an accurate and through assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information Implement security measures sufficient to reduce risks and vulnerabilities
Administrative Safeguards Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures
Sanction Policy Does an organization require employees to sign a statement of adherence to security policy and procedures as a prerequisite to employment as part of an employee handbook or confidentiality statement Does the sanction policy provide examples of potential violations of policy and procedures Does the sanction policy adjust the disciplinary action based on the severity of the violation
Administrative Safeguards Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Information System Activity Review What are the audit and activity review functions of the current system What logs or reports are generated by the information systems Is there a policy that establishes what reviews will be conducted Is there a procedure that describes specifics of the review
Administrative Safeguards Identify the security official who is responsible for the development and implementation of the policies and procedures required by the Security Rule
Security Official Would it serve the organization’s needs to designate the same individual as both the Privacy and Security Official Has the organization agreed upon, and clearly identified and documented, the responsibilities of the Security Official How are the roles and responsibilities of the Security Official crafted to reflect the size, complexity and technical capabilities of the organization
Administrative Safeguards Implement policies and procedures to ensure that all members of the workforce have appropriate access and to prevent those workforce members who do not have access from obtaining access Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends
Administrative Safeguards Implement a security awareness and training programs for all members of the workforce Security Reminders Protection from Malicious Software Log-In Monitoring Password Management
Security Awareness and Training Security Reminders- organizations must document the security reminders they implement Protection from Malicious Software-Organizations must implement procedures for guarding against, detecting, and reporting malicious software. The workforce must also be trained regarding its role in protecting against malicious software through programs downloaded from the internet or through email attachments
Security Awareness and Training Log-In Monitoring- The purpose of this is to make workforce members aware of log-in attempts that are not appropriate Password Management-Procedures for creating, changing, and safeguarding passwords must be developed. Are there policies in place that prevent workforce members from sharing passwords
Administrative Safeguards Implement policies and procedures to address security incidents Identify and respond to suspected or known security incidents, mitigate to the extent possible harmful effects of security that are known, and document security incidents and their outcomes
Administrative Safeguards Contingency Plan-Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information
Contingency Plan Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedures Applications and Data Criticality Analysis
Contingency Plan What data must be backed up What is the method of back up What data is going to be restored Does the workforce know where to find the back up plan How do you test the back up plan
Administrative Safeguards Business Associate Contracts-A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf ONLY if that business will appropriately safeguard the information
Physical Safeguards Implement policies and procedures to limit physical access to its electronic information systems and the facility in which they are housed Locked doors, signs of warning, surveillance cameras, alarms
Physical Safeguards Implement procedures to control and validate a person’s access to facilities based on their role or function Does management regularly review the lists of individuals with physical access to sensitive facilities
Physical Safeguards Implement physical safeguards for workstation use and access Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security, for example hardware, doors, locks
Physical Safeguards Implement policies and procedures that govern the receipt and removal of hardware and electronic media in and out of a facility and the movement within a facility Have all types of hardware and electronic media that must be tracked been identified, such as hard drives, magnetic tapes or disks, optical disks or digital memory cards
The Device and Media Controls Disposal Media Re-Use Accountability Data Backup and Storage
Technical Safeguards Assign a unique name and/or number for identifying and tracking user identity Establish procedures for obtaining necessary electronic protected health information during an emergency Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity Implement a mechanism to encrypt and decrypt information
Technical Safeguards Assure integrity of data Implement policies and procedures to protect electronic protected health information from improper alteration or destruction Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner
Conclusion Patients have privacy rights Healthcare organizations have the legal obligation to secure patients healthcare information