MT 637 UNIT 7 Flashcards
The right to be left alone
The right to keep personal information secret
The right to control personal information
Privacy
Freedom from intrusion or invasion into one’s private affairs
Privacy
Federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge
Health Insurance Portability and Accountability Act of 1996
Sharing or disseminating data only to those with a “need to know”
Confidentiality
The status accorded to data or information indicating that it is sensitive for some reason and therefore needs to be protected against theft, disclosure, improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know
Confidentiality
Information must be protected against
- Theft
- Disclosure
- Improper use
The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction, or loss
Security
Mechanisms to ensure the safety of data and systems in which the data reside
Security
Challenges from Proliferation of Technologies & Applications
- Increased technology use by all care providers
- Health information exchange and data-sharing activities across multiple networks
- Cloud computing and third-party outsourcing
- Increased use by patients, families, and consumers of their devices (tablets, smartphones, etc.)
- New models of care require more care providers to access data across the patient care continuum
- Clinicians using their own devices - Personal laptops, tablet devices, smartphones, and so on
- Connected medical devices and implantable devices
- Computer profiling and mistakes
- Spamming
- Flaming
- Lack of privacy law
TRUE/FALSE: Computer profiling and mistakes in the computer matching of personal data are other controversial threats to privacy.
TRUE
Favorite tactic of mass mailers of unsolicited advertisements, or junk e-mail. It has also been used by cyber-criminals to spread computer viruses or infiltrate many computer systems
Spamming
Practice of sending extremely critical, derogatory, and often vulgar e-mail messages (flame mail) or newsgroup postings to other users on the Internet or online services
Flaming
Was enacted by the U.S. Congress in 1996. It is a broad piece of legislation intended to address a wide variety of issues related to individual health insurance.
Health Insurance Portability and Accountability Act (HIPAA)
The result of effective protection measures
Data Security
The sum of measures that safeguard data and computer programs from undesired occurrences
Data Security
DATA SECURITY
The sum of measures that safeguard data and computer programs from undesired occurrences and exposure to:
○ Accidental or intentional disclosure to unauthorized persons
○ Accidental or malicious alteration
○ Unauthorized copying
○ Loss by theft or destruction by hardware failures, software deficiencies, operating mistakes, or physical damage by fire, water, smoke, excessive temperature, electrical failure, or sabotage, or a combination thereof
Institute laws and govern these issues (privacy)
National Privacy Commission (NPC)
In 2012 the Philippines passed the comprehensive and strict privacy legislation “to protect the fundamental human right of privacy, of communication while ensuring free flow of information to promote innovation and growth.” Republic Act No. 10173, Ch. 1, Sec. 2.
Data Privacy Act of 2012
A subset of a security breach that actually leads to “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.”
Personal Data Breach
Requirements of Breach Notification
● The breached information must be sensitive personal information, or information that could be used for identity fraud, and
● There is a reasonable belief that unauthorized acquisition has occurred, and
● The risk to the data subject is real, and
● The potential harm is serious
Provider
Direct Patient Care
Clinic
Direct Patient Care
Hospital
Direct Patient Care
Payors
Support activity
Quality Reviews
Support activity
Administration
Support activity
Insurance eligibility
Social Uses
Public Health
Social Uses
Medical Research
Social Uses
Marketing
Commercial Uses
Managed Care
Commercial Uses
Drug Usage
Commercial Uses
The unauthorized use, access, modification, and destruction of hardware, software, data, or network resources
Association of Information Technology Professionals (AITP)
Computer Crime
The unauthorized release of information
Association of Information Technology Professionals (AITP)
Computer Crime
The unauthorized copying of software
Computer Crime
Denying an end user access to his or her own hardware, software, data, or network resources
Computer Crime
Using or conspiring to use computer or network resources to obtain information or tangible property illegally
Computer Crime
Key Features of A Secure System & Network
- Authentication
- Authorization & Access Control
- Data Integrity
- Accountability
- Availability
- Data Storage
- Data Transmission
Means of verifying the correct identity and/or group membership of individual or other entities
Authentication
Methods for authentication:
○ User name
○ Known only by the user (e.g., password)
○ Held only by the user (e.g., digital signature, secure ID)
○ Attributable only to the user (e.g., fingerprint, retinal scan)
Access control lists for predefined users
○ Reading
○ Writing
○ Modifications
○ Deletion of data
○ Deletion of program
Authorization & Access Control
Used to support information accuracy to ensure that data have not been altered or destroyed in an unauthorized manner
Data Integrity
Error detection and error correction protocols
Data Integrity
Ensures that the actions of any entity can be traced during the movement of data from its source to its recipient
Accountability
Audit trails
○ Identification of the users
○ Data source
○ Whose information
○ Date and time
○ Nature of the activity
Accountability
Ensures information is immediately accessible & usable by authorized entity
Availability
Methods for Availability
Backups
Protecting and restricting access
Protecting against viruses
Protecting and maintaining the physical location of the data and the data itself
Data Storage
Physical protection of processors, storage media, cables, terminals, and workstations
Data Storage
Retention of data for mandated period of time
Data Storage
Exchange of data between person and program or program and program when the sender and receiver are remote from one another
Data Transmission
Scrambles readable information
Decrypted with the proper key by the recipient
Encryption
Filtering mechanism so that only authorized traffic is allowed to pass
Firewall
A program should undergo appropriate evaluation prior to use in clinical practice. It should perform efficiently at an acceptable financial and time frame cost.
Ethical Principles
Adequate training and instruction should be completed before proceeding to the implementation.
Ethical Principles
A qualified health professional should be assigned to handle concerns regarding uses, licenses, and other concerns. The software system’s applications should not replace functions such as decision-making.
Ethical Principles
Principles of Technology Ethics
- Proportionality
- Informed Consent
- Justice
- Minimized Risk
The good achieved by the technology must outweigh the harm or risk. Moreover, there must be no alternative that achieves the same or comparable benefits with less harm or risk
Proportionality
Those affected by the technology should understand and accept the risks.
Informed consent
The benefits and burdens of the technology should be distributed fairly. Those who benefit should bear their fair share of risks, and those who do not benefit should not suffer a significant increase in risk
Justice
Even if judged acceptable by the other three guidelines, the technology must be implemented so as to avoid all unnecessary risk.
Minimized Risk
Disruptive innovations are a double-edged sword, bringing both opportunity and risk
The electronic health record (EHR), for example, simultaneously facilitates and complicates the delivery of health care
Ethical Implications of the EHR in the Service of the Patient Issues
Respect for patient autonomy requires that patient encounters and information are kept confidential and private, fostering trust and improving communication
Breaches may occur accidentally
Patient Privacy
EHRs can increase participation and engagement in health care through patient access, empowerment, and improved communication. However, patients may not be aware that they can access their records
Access to Information
While policy bodies have recognized the potential for health information technology (HIT) to improve care, they have also cautioned that HIT does not effectively support the diagnostic process and may contribute to errors
Ethics on EHR
EHRs are tools that should facilitate high-value, patient-centered care, strong patient-physician relationships, and effective training of future physicians. Anything less… does not compute
Ethics on EHR
PCASSO
PATIENT CENTERED ACCESS TO SECURE SYSTEMS ONLINE
PCASSO Design Goals
● To enable secure use of the Internet to access sensitive patient information
● To enable providers and patients to view medical data online
● To develop a published, verifiable high assurance architecture
- Not proprietary
- No “black box” or trade secret security
PCASSO Function
● Protect healthcare information at multiple levels of sensitivity
● Authorize user actions based on familiar healthcare roles
● End-to-end user accountability
● Empower consumers to access their own medical records
● Patient viewable audit trails
● Automated email notification of record changes
● Security protection extended to user PC