Unit 5: Privacy and Security of Health Information Flashcards
Privacy
The right of an individual to limit access to information about themselves unless it contradicts federal or state law
Confidentiality
The expectation that information shared with a healthcare provider will be used only for its intended purpose
Security
The protective measures and tools for safeguarding information in a system
ex: user names and passwords
2009 HITECH Act
made laws safeguarding patient information more stringent due to the increased use and access to patient healthcare information
Ohio Revised Code
more stringent than 1996 HIPAA
RED Flag Rules
for providers that collect credit card information. Laws regard suspicions of medical identity fraud
Covered Entity CE
Health plan, healthcare clearing house, or healthcare provider that transmits any health information in electronic form
Protected Health Information PHI
individually identifiable health information held or transmitted by a CE or its business associate, electronic, paper, or verbal
Designated Record Set DRS
a group of records maintained by the CE (typically a healthcare provider) that may include payment and medical information
Use
PHI is used internally; quality department determines whether appropriate care was given
Disclosure
PHI is disseminated from the CE (healthcare provider) and sent to an external source such as an attorney, insurance company, or another hospital
Minimum Necessary
Limit the PHI disclosed to the least amount required to accomplish the intended purpose for which the information was requested
PHI Identifiers subject to HIPAA
Name Postal address Telephone numbers Fax numbers Social security numbers Medical record numbers Health plan beneficiary numbers Account numbers License numbers Vehicle identifiers (vin or plate) Medical device identifiers Biometrics Full face photographs
TPO Treatment, payment, operations
the times when PHI can be used
AARA Requirements
Certification of EHRs
Mandated HIPAA Audits
Increased penalty severity
Business associates also subject to privacy and security regulations
Internal security threats
hardware
Environment
Employees: human error, exploiting access, malice or gain
External security threats
External humans who access data or steal hardware
Natural disasters: necessitates use of backup servers in an alternate location
Confidentiality
only giving ePHI access to those who need it
Integrity
Making sure data isn’t altered during transmission or storage
Availability
Information must be available when needed for patient care and other uses to authorized users
Administrative safeguards
people focused: training, policies, assessment
Physical safeguards
mechanisms to protect hardware, software, and data
like locks on the door to the server room
should protect against fire, theft, etc
Technical safeguards
use technology to protect data and control access
Access controls
a computer software program designed to prevent unauthorized use of an information resource
Must have policies on who can view, create, and modify data
Types of authentication
Role-based
User-based
Context-based
Emergency access procedure
Role Based authentication
rights to read or edit are determined by role
Coders can read but not edit, wile nurses can add clinical information
User Based
more specific and tailored than role based, but can be more difficult to manage and program
Context based
combines role and context for data access
useful for nurses that may work in multiple unit with different data access needs
Emergency access procedure
“break the glass”
usually occurs during a medical emergency
Need to be able to track who activated emergency access and why
One factor authentication
like a user name and password, two things you know, one type of information
Two factor authentication
combines two categories of access, such as something you know and something you have
Token
physical device for security
Like an ID card
However these can be lost which is problematic
Biometrics
retina scan, finger prints, voice prints, etc.
Very secure and difficult to forge
Telephone callback
often used by remote employees to dial into the system with an approved phone number
Automatic logoff
logs the use off after a specified amount of inactivity
should be paired with quick acting screensaver to hide patient info from people passing by
Audit controls
mechanisms that record and examine activity in information systems
Hold users accountable for their actions
identify the causes of problems, extent, and how to fix
real time monitoring to identify breaches
Monitor for intrusions to prevent breaches
Audit trails
record of audit system activities
system activities: log in and out
application level: what systems are used, what was seen and done
user level: actions of the user, and resources accessed
Triggers
identify the need for a closer inspection
Breach
unauthorized use, access, or disclosure of private health information that compromises privacy and security
500 or more in breach
media is notified to increase patients awareness of potential medical fraud
Medical identity theft
someone steals your identity and receives healthcare services under your name
someones information could end up in your chart and eff up your care as well as use up your insurance