Implementation of Organizational Practices to Protect Information in Health Organizations. Ann J. Olsen Director, Information Management Planning Vanderbilt University Medical Center November 10, 1998.
Presented at: 1998 Annual Symposium of the American Medical Informatics Association, “A Paradigm Shift In Health Care Information Systems: Clinical Infrastructures for the 21st Century,” November 7-11, 1998, Lake Buena Vista, FL
Authors: Ann J. Olsen, M.B.A., M.A., Dario Giuse, Dr.Ing., Ruby B. Borden, B.S.N., R.N., Martha K. Miers, MS, MBA, MT(ASCP), Mary G. Reeves, R.R.A., William W. Stead, M.D., Vanderbilt University Medical Center, Nashville, Tennessee
See symposium proceedings for paper of same title.
VUMC: Early 1997
• IAIMS implementation
  • widely used patient record repository and other patient care systems
  • extensive use of networked PCs throughout for research, patient care, education, management
• Inadequate confidentiality policy
• VUMC-wide information policy team with liaisons to major stakeholders
VUMC: Early 1997
• Agreement on need for comprehensive information security program
  • not limited to electronic information
  • not limited to patient information
  • enterprise wide
• Initial drafts of three new policies
Policy Development Challenge
[Organization chart of VUMC units: Chancellor; Vice Chancellor Health Affairs; Personnel & Communication; Space Management; Financial Management; Informatics Center; Research and Technology Transfer; School of Medicine; School of Nursing; Hospital; Medical Group & Clinics; Health Plans]
• Major organizational units have long-standing policy-making bodies
• No standard process for review and approval of Medical Center-wide policy
Emerging Landscape
• JCAHO standards require classification and protection of information
• HIPAA
  • Proposed security standard applies to all health care information electronically maintained or used in an electronic transmission
• S. 2609 introduced Oct. 9, 1998
  • Proposed Medical Information Protection Act will be reintroduced in early 1999
  • Applies to all media
For the Record: Protecting Electronic Health Information
• Recommendations:
  • Technical practices for immediate implementation
  • Technical practices for future implementation
  • Organizational practices for immediate implementation
Organizational Practices
• Security & Confidentiality Policies
• Security & Confidentiality Committees
• Information Security Officers
• Education and Training
• Sanctions
• Improved Authorization Forms
• Patient Access to Audit Logs
Information Security, Confidentiality, and Privacy
• Provides structure and process
  • Information Security, Confidentiality, and Privacy (ISCP) Committee
  • Information Security Officer (ISO)
  • Information Security Managers (ISM)
• Defines responsibilities
  • Enterprise, Unit, Individual
Security for Electronic Information and Systems
• Establishes requirement for enterprise standards
• ISCP Committee sets standards
  • risk analysis
  • technical recommendations
• Allows standards to evolve without changing policy
Confidentiality of Patient Information
• Defines confidential patient information
• Reinforces “need to know”
• Provides broad guidelines for handling patient information
Classification of Information
• Sets requirement and process to identify and classify information based on need for protection
• Three classifications
  • confidential, restricted, unrestricted
Information Security and Confidentiality Agreements
• Establishes requirements for faculty, staff, trainees, volunteers, contractors, vendors, partners …
• Defines process for approving forms and implementation
Security and Confidentiality Committees
• Information Security, Confidentiality, and Privacy (ISCP) Committee
  • establishes standards & practices based on recommendations of technical staff, ISO, and others
  • oversees and promotes information security programs
  • coordinates with other groups, e.g., Medical Records Committee
Security and Confidentiality Committees
• Subcommittee of ISCP and Medical Records Committees for Protection of and Access to Patient Electronic Records (PAPER)
• Recommend procedures to control and document access and use of patient electronic records, e.g.,
  • Plan use of audit trails
  • Improve authorization forms
  • Review requests for access and proposals for use of electronic records
Information Security Officers
• New position for VUMC Information Security Officer
  • Administrative
  • Policy
  • Coordinate with staff providing technical leadership and support
Information Security Officers
• Departmental Security Administrators to become Information Security Managers
• Information security improvement
  • assess
  • plan
  • implement
  • evaluate
Education and Training
• Information Security Managers
  • Information Security Guide
  • Templates for Information Security Assessment and Plan
  • Initial orientation sessions with regular follow-up
  • Periodic meetings for updates and feedback
  • One-on-one sessions with ISO
Education and Training
• Universal - embed in process
  • Job descriptions rewritten
  • Agreements
  • Orientations
  • Performance goals
  • Systems training
  • Screen saver
  • Security assessments & plans
  • Compliance education program
Sanctions
• Coordination with related corporate compliance effort
• Guidelines: appropriate & inappropriate behavior
• Tiers of violations (e.g., unauthorized access vs. unauthorized disclosure)
• Use existing disciplinary processes
• Violations may be reported to any of:
  • ISO, Compliance Office, Employee Relations, Supervisor
• ISCP Committee receives summary of violations and outcomes
Improved Authorization Forms
• Have recently changed forms to increase options
• Continuing effort involving Medical Records Committee, PAPER Subcommittee, and others
Patient Access to Audit Logs
• Currently review audit log for medical record repository on request
• On agenda of PAPER subcommittee
Expected Challenges
• Consistent application of sanctions
• Consistent adoption of standards across departments
• Accountability of Information Security Managers
• Adequacy of resources for communication, training, implementation
Expected Benefits
• Platform for compliance with future requirements
• Increase understanding of security issues
• Reduce risk
• Support desired culture