
Implementation of Organizational Practices to Protect Information in Health Organizations

Implementation of Organizational Practices to Protect Information in Health Organizations. Ann J. Olsen Director, Information Management Planning Vanderbilt University Medical Center November 10, 1998.


Presentation Transcript


  1. Implementation of Organizational Practices to Protect Information in Health Organizations Ann J. Olsen Director, Information Management Planning Vanderbilt University Medical Center November 10, 1998

  2. Presented at: 1998 Annual Symposium of the American Medical Informatics Association, “A Paradigm Shift In Health Care Information Systems: Clinical Infrastructures for the 21st Century,” November 7-11, 1998, Lake Buena Vista, FL
     Authors: Ann J. Olsen, M.B.A., M.A., Dario Giuse, Dr.Ing., Ruby B. Borden, B.S.N., R.N., Martha K. Miers, MS, MBA, MT(ASCP), Mary G. Reeves, R.R.A., William W. Stead, M.D.
     Vanderbilt University Medical Center, Nashville, Tennessee
     See symposium proceedings for paper of same title.

  3. VUMC: Early 1997
     • IAIMS implementation
       • widely used patient record repository and other patient care systems
       • extensive use of networked PCs throughout for research, patient care, education, management
     • Inadequate confidentiality policy
     • VUMC-wide information policy team with liaisons to major stakeholders

  4. VUMC: Early 1997
     • Agreement on need for comprehensive information security program
       • not limited to electronic information
       • not limited to patient information
       • enterprise wide
     • Initial drafts of three new policies

  5. Policy Development Challenge
     [Organization chart: Chancellor; Vice Chancellor Health Affairs; Personnel & Communication; Space Management; Financial Management; Informatics Center; Research and Technology Transfer; School of Medicine; School of Nursing; Hospital; Medical Group & Clinics; Health Plans]
     • Major organizational units have long-standing policy-making bodies
     • No standard process for review and approval of Medical Center-wide policy

  6. VUMC Information Policy: Organizational Relationships
     [Diagram of organizational relationships; no text on slide]

  7. Emerging Landscape
     • JCAHO standards require classification and protection of information
     • HIPAA
       • Proposed security standard applies to all health care information electronically maintained or used in an electronic transmission
     • S. 2609 introduced Oct. 9, 1998
       • Proposed Medical Information Protection Act will be reintroduced in early 1999
       • Applies to all media

  8. For the Record: Protecting Electronic Health Information
     • Recommendations:
       • Technical practices for immediate implementation
       • Technical practices for future implementation
       • Organizational practices for immediate implementation

  9. Organizational Practices
     • Security & Confidentiality Policies
     • Security & Confidentiality Committees
     • Information Security Officers
     • Education and Training
     • Sanctions
     • Improved Authorization Forms
     • Patient Access to Audit Logs

  10. Platform for Compliance with Current & Future Standards
     [Diagram; no further text on slide]

  11. Information Security, Confidentiality, and Privacy
     • Provides structure and process
       • Information Security, Confidentiality, and Privacy (ISCP) Committee
       • Information Security Officer (ISO)
       • Information Security Managers (ISM)
     • Defines responsibilities
       • Enterprise, Unit, Individual

  12. Security for Electronic Information and Systems
     • Establishes requirement for enterprise standards
     • ISCP Committee sets standards
       • risk analysis
       • technical recommendations
     • Allows standards to evolve without changing policy

  13. Confidentiality of Patient Information
     • Defines confidential patient information
     • Reinforces “need to know”
     • Provides broad guidelines for handling patient information

  14. Classification of Information
     • Sets requirement and process to identify and classify information based on need for protection
     • Three classifications
       • confidential, restricted, unrestricted

  15. Information Security and Confidentiality Agreements
     • Establishes requirements for faculty, staff, trainees, volunteers, contractors, vendors, partners …
     • Defines process for approving forms and implementation

  16. Security and Confidentiality Committees
     • Information Security, Confidentiality, and Privacy (ISCP) Committee
       • establishes standards & practices based on recommendations of technical staff, ISO, and others
       • oversees and promotes information security programs
       • coordinates with other groups, e.g., Medical Records Committee

  17. Security and Confidentiality Committees
     • Subcommittee of ISCP and Medical Records Committees for Protection of and Access to Patient Electronic Records (PAPER)
     • Recommend procedures to control and document access and use of patient electronic records, e.g.,
       • Plan use of audit trails
       • Improve authorization forms
       • Review requests for access and proposals for use of electronic records

  18. Information Security Officers
     • New position for VUMC Information Security Officer
       • Administrative
       • Policy
       • Coordinate with staff providing technical leadership and support

  19. Information Security Officers
     • Departmental Security Administrators to become Information Security Managers
     • Information security improvement
       • assess
       • plan
       • implement
       • evaluate

  20. Education and Training
     • Information Security Managers
       • Information Security Guide
       • Templates for Information Security Assessment and Plan
       • Initial orientation sessions with regular follow-up
       • Periodic meetings for updates and feedback
       • One-on-one sessions with ISO

  21. Education and Training
     • Universal - embed in process
       • Job descriptions rewritten
       • Agreements
       • Orientations
       • Performance goals
       • Systems training
       • Screen saver
       • Security assessments & plans
       • Compliance education program

  22. Sanctions
     • Coordination with related corporate compliance effort
     • Guidelines: appropriate & inappropriate behavior
     • Tiers of violations (e.g., unauthorized access vs. unauthorized disclosure)
     • Use existing disciplinary processes
     • Violations may be reported to any of:
       • ISO, Compliance Office, Employee Relations, Supervisor
     • ISCP Committee receives summary of violations and outcomes

  23. Improved Authorization Forms
     • Have recently changed forms to increase options
     • Continuing effort involving Medical Records Committee, PAPER Subcommittee, and others

  24. Patient Access to Audit Logs
     • Currently review audit log for medical record repository on request
     • On agenda of PAPER subcommittee

  25. Expected Challenges
     • Consistent application of sanctions
     • Consistent adoption of standards across departments
     • Accountability of Information Security Managers
     • Adequacy of resources for communication, training, implementation

  26. Expected Benefits
     • Platform for compliance with future requirements
     • Increase understanding of security issues
     • Reduce risk
     • Support desired culture

  27. Ann.Olsen@mcmail.Vanderbilt.edu
