Y khoa, y dược - Chapter 6: The privacy and security of electronic health information

Chapter 6The Privacy and Security of Electronic Health InformationElectronic Health Records for Allied Health CareersCover goes here when readyLearning OutcomesAfter studying this chapter, you should be able to:Describe the purpose of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA).Discuss how the HIPAA Privacy Rule protects patient health information.Describe when protected health information can be released without patients’ authorization.List three categories of threats to the security of electronic information.Describe the safeguards outlined in the HIPAA Security Rule.Learning OutcomesAfter studying this chapter, you should be able to:Discuss the ways that increased use of information technology places protected health information at greater risks.Explain why the existing HIPAA laws may not be adequate in today’s health care environment.Explain why public trust is key to the development of electronic health records and a nationwide health information network.Key Termsadministrative safeguardsAdministrative Simplificationantivirus softwareaudit trailsauthenticationauthorizationavailabilitybusiness associatesclearinghousesconfidentialitycovered entities (CEs)de-identified health informationdesignated record set (DRS)disclosureelectronic protected health information (ePHI)encryptionfirewallKey Termshealth information exchangehealth planHIPAA Privacy RuleHIPAA Security Ruleintegrityintrusion detection system (IDS)minimum necessary standardNotice of Privacy Practices (NPP)passwordsphysical safeguardsprotected health information (PHI)providersrole-based authorizationtechnical safeguardstreatment, payment, and operations (TPO)The Health Insurance Portability and Accountability Act of 1996 (HIPAA)HIPAA is the most significant legislation affecting health care since Medicare and Medicaid in 1965.Title I of HIPAA = Health Insurance ReformTitle II of HIPAA = Administrative Simplification StandardsThe Privacy RuleCovered entities Health plans Providers ClearinghousesThe privacy RuleBusiness Associates not covered entities, but use PHI for business purposescovered entities must have contracts with Business Associates stating that they will abide by HIPAA Privacy RuleThe Privacy RuleProtected Health InformationIndividually identifiable health information Privacy Rule applies to PHI in any form whether it is communicated and/or maintained verbally, on paper, or electronically.The Privacy RuleMinimum Necessary StandardLimiting information to minimum PHI necessary for intended purpose.Designated Record Set (DRS)A group of records that contains PHI; contents depend on the role of the organization or provider.10The Privacy RuleDisclosure of Personal Health Information (PHI)Release of Information for Purposes Other Than TPOAn authorization (special permission) must be obtained from the patient for uses and disclosures other than for TPO.Disclosures must be documented and provided to the patient if requested.Use and disclosure rules do not apply to de-identified health information which is information that neither identifies nor provides a reasonable basis for identification of an individual.The Privacy RuleNotice of Privacy Practices (NPP)Rights of IndividualsHIPAA EnforcementThreats to the Security of Electronic Health InformationThe Actions of IndividualsEnvironmental HazardsComputer Hardware, Software, or Network ProblemsThe Security RuleProtects the confidentiality, integrity, and availability of electronic protected health information (ePHI) of covered entitiesThe Security RuleAdministrative SafeguardsPolicies and procedures to protect ePHI.Physical SafeguardsMechanisms to physically protect electronic systems, equipment, and data.Technical SafeguardsAutomated processes that protect and control access to ePHI.15Privacy and Security Risks of Electronic Health Information ExchangeClinical Data Available in Electronic FormPortable Computers and Storage DevicesProblems Not Adequately Addressed by Existing Privacy LawsPrivate Sector Electronic NetworksPersonal Health Records (PHRs)Overseas Business AssociatesMultistate Exchange of Data with Different LawsThe Importance of Public TrustIf people don’t trust that their personal information will be kept confidential, they won’t disclose it; this can lead to a lack of appropriate care.The Importance of Public TrustPublic Attitudes Toward the Electronic Use of Health InformationMost people believe that the confidentiality of their medical records is very importantThe majority of people express concern about the privacy of their information.Regional or nationwide health information networks will have to be proven to be safe to gain the public’s trust.18