GSU Promoting Interoperability and Its Goals Privacy and Security Discussion

xnlpbyr

Writing

Georgia State University

Description

HIPAA privacy and security requirements are embedded in Medicare and Medicaid electronic medical health record incentive programs through meaningful use/promoting interoperability requirements. Describe meaningful use/promoting interoperability, its goals, and how it relates to privacy and security?

-APA format; minimum 200 words

-must include at least two reliable sources

-powerpoint is attached to help answer question if needed

Unformatted Attachment Preview

Chapter 8: Health Information Privacy and Security
Brent Hutfless

Learning Objectives
After reviewing the presentation, viewers should be able to:
- Describe privacy and security measures that are part of HIPAA, the HITECH Act, and Meaningful Use, and how they fit into the national health IT strategy
- Recognize the importance of data security and privacy as related to public perception, particularly in regards to data breach and loss
- Identify the benefits and pitfalls of local vs. Software-as-a-Service (SaaS) technical security solutions
- List the definitions of confidentiality, availability and integrity
- Discuss multiple ways to ensure authentication
- Compare and contrast digital signature and certificate based encryption
- Enumerate different types of security breaches and their causes
- Discuss security standards and the laws intended to protect health data

Introduction
- Health Insurance Portability & Accountability Act (HIPAA - 1996)
- Laid the groundwork for privacy and security measures in healthcare. Initial intent was to cover patients who switched physicians or insurers (portability)
- Next important Act was the American Recovery and Reinvestment Act (ARRA - 2009) & HITECH Act

Covered Entities, or Those Who Must Follow the HIPAA Privacy Rule
- Health Plans: health insurers, HMOs, company health plans, government programs such as Medicare and Medicaid
- Health Care Providers who conduct business electronically: most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, dentists
- Health care clearinghouses

Organizations That Do Not Need To Follow the HIPAA Privacy Rule
- Life insurers
- Employers
- Workers compensation carriers
- Many schools and school districts
- Many state agencies like child protective service agencies
- Many law enforcement agencies
- Many municipal offices

HIPAA
- Protections apply to all personal health information (PHI), whether in hard copy records, electronic personal health information (ePHI) stored on computing systems, or even verbal discussions between medical professionals
- Covered entities must put safeguards in place to ensure data is not compromised, and that it is only used for the intended purpose
- The HIPAA rules are not designed to and should not impede the treatment of patients

Consumer Rights Under HIPAA
- Ask to see and get a copy of their health records
- Have corrections added to their health information
- Receive a notice that discusses how health information may be used and shared
- Provide permission on whether health information can be used or shared for certain purposes, such as for marketing
- Get reports on when and why health information was shared for certain purposes
- File a complaint with a provider, health insurer, and/or the U.S. Government if patient rights are being denied or health information is not being protected

Privacy Rule Mandates Removal of 18 Identifiers
- Names
- All geographic subdivisions smaller than a state
- All elements of dates (except year)
- Telephone numbers
- Facsimile numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code

Permitted Uses and Disclosures of Patient Data
- To the individual
- For treatment, payment or health care operations
- Uses and disclosures with opportunity to agree or object
  - Facility directories
  - For notification and other purposes
- Incidental use and disclosure
- Public interest and benefit activities
  - Required by law
  - Public health activities
  - Victims of abuse, neglect or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement purposes
  - Decedents
  - Cadaveric organ, eye, or tissue donation
  - Research
  - Serious threat to health or safety
  - Essential government functions
  - Workers' compensation

Administrative Requirements for the Privacy Rule
- Develop and implement written privacy policies and procedures
- Designate a privacy official
- Workforce training and management
- Mitigation strategy for privacy breaches
- Data safeguards: administrative, technical, and physical
- Designate a complaint official and a procedure to file complaints
- Establish retaliation and waiver policies and restrictions
- Documentation and record retention - six years
- Fully-insured group health plan exception

HIPAA Security for Covered Entities
- Must enact three safeguard categories noted in the next slides:
  - Administrative
  - Physical
  - Technical

Administrative Safeguards
- Security management processes to reduce risks and vulnerabilities
- Security personnel responsible for developing and implementing security policies
- Information access management: minimum access to perform duties
- Workforce training and management
- Evaluation of security policies and procedures

Physical Safeguards
- Limit physical access to facilities
- Workstation and device security policies and procedures covering transfer, removal, disposal, and re-use of electronic media

Technical Safeguards
- Access control that restricts access to authorized personnel
- Audit controls for hardware, software, and transactions
- Integrity controls to ensure data is not altered or destroyed
- Transmission security to protect against unauthorized access to data transmitted on networks and via email

Three Pillars of Data Security
- Confidentiality refers to the prevention of data loss, and is the category most easily identified with HIPAA privacy and security within healthcare environments. Usernames, passwords, and encryption are common measures implemented to ensure confidentiality
- Availability refers to system and network accessibility, and often focuses on power loss or network connectivity outages. Loss of availability may be attributed to natural or accidental disasters such as tornadoes, earthquakes, hurricanes or fire, but also to man-made scenarios, such as a Denial of Service (DoS) attack or a malicious infection which compromises a network and prevents system use. To counteract such issues, backup generators, continuity of operations planning and peripheral network security equipment are used to maintain availability
- Integrity describes the trustworthiness and permanence of data, an assurance that the lab results or personal medical history of a patient is not modifiable by unauthorized entities or corrupted by a poorly designed process. Database best practices, data loss solutions, and data backup and archival tools are implemented to prevent data manipulation, corruption, or loss, thereby maintaining the integrity of patient data

Organizational Roles
- Policy regarding information security practices is often set by chief information officers (CIOs), chief technology officers (CTOs), information technology (IT) directors or similar, often with input from chief medical informatics officers (CMIOs), HIPAA compliance officers, or the like
- Depending on resources, the information technology team may consist of network, system administration, security and data personnel, or could be the very same technical staff relied upon for all office or clinic IT needs

Authentication and Identity Management
- Accomplished with photo identification, biometrics, smart card technologies, tokens, and the old standard: user name and password
- Basic authentication may vary depending on sensitivity of data, the capabilities of the systems, resource constraints both technical and monetary, and the frequency of access
- Methods discussed here rely on what is known as two- or multi-factor authentication: something one knows, something one has, or something that one is
- Basic authentication:
  - Username and password combination, still employed by a majority of users today, combining two things that a user knows
  - Another option is utilizing a grid card, smart card, USB token, one time password (OTP) token, or OTP service in combination with something a user knows, such as a passphrase or PIN
  - This is displayed in the next slide

Various Authentication Tools (image slide)

Authentication and Identity Management
- Single Sign On (SSO): one set of credentials to easily and securely access many of the resources one uses every day; example is Google
- Smart Cards: used in healthcare in many countries
  - Vital information with a self-contained processor and memory
  - Low cost, ease of use, portability and durability, and ability to support multiple applications
  - Capable of holding encrypted patient information, biometric signatures and personal identification (PIN)
  - Drawbacks: lack of standardization and positive identification

Smart Cards in Healthcare (image slide)

Digital Signatures
- There must be assurance that the digital signature is valid and that it was placed by the person it is attributed to; in the case of patient records this digital signature also acts as the legal signature of the practitioner
- Next slide demonstrates how digital signature works with secure email

Authentication and Identity Management (image slide: digital signature with secure email)

Authentication and Identity Management
- Certificate Based Encryption
  - Encryption is intended to completely obscure the contents of a message, preventing compromise of sensitive information in the event that a message is intercepted
  - It is the recipient's public key that is used by the sender to encrypt the message, not the sender's. Since the recipient has the lone private key, only he or she will be able to decipher the message and view the contents
  - Example displayed on next slide

Public Key Encryption (image slide)

Authentication and Identity Management
- Biometric Authentication
  - When combined with passphrases or the tokens, cards, and OTP solutions discussed previously, a two- or multi-factor authentication solution can be employed
  - Physical user identifiers: fingerprint, retinal scan, voice imprint

Cloud Security vs Traditional Client/Server
- Traditionally, hospitals and practices maintained the IT system and equipment locally and worked with vendors for troubleshooting, software change requests, and upgrades
- More and more services are in the Cloud or software as a service (SaaS)
- Each has unique security issues as shown in the next slide

Feature | Cloud | Client/Server Solutions
Integration with current systems | Web browser reduces client integration issues | Integration more difficult
Software | Seamless | Requires testing, downtime
Cost | Less, but requires bandwidth and service contract | Must have servers, storage, life cycle costs and support
Reliability | Dependent on vendor and Internet connection | Dependent on vendor and IT staff
Availability | 24/7 availability dependent upon Internet | 24/7 availability
Scalability | Easy, but reliant on bandwidth | Based on capability of servers, storage and network infrastructure
Security | Major sticking point (virtual security methods) | Control network security
Customization | Costly and difficult | Costly and difficult
Ownership | No ownership of solution, data on site | Organization owns data
Infrastructure | Minimal (bandwidth) | Hardware, network storage
Support | Vendor and service level agreement | Dependent on local IT

Security Breaches and Attacks
- Identity theft on the rise
- Physical Theft
  - Stolen laptops, computers, storage devices and servers
  - The HHS website lists all of the reported data breaches affecting over 500 users from 2009-2013. The site lists the covered entity, the number of breach victims, the type of breach and the location of data (laptop, server, paper, etc.)
  - The link is located at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

Theft Countermeasures
- Render data unusable to thieves
- Encryption standards such as FIPS 140-2
- Hardware and software encryption techniques
- See encrypted USB device to the right (image)

Security Breaches and Attacks
- Physical or Logical Access
  - Insider employees and staff may pose a threat
- Accidental or Negligent Disclosure
  - Inadequate control of paper records
  - Inadvertent release of sensitive information to unauthorized parties
  - Breach through overheard conversations
  - Poor housekeeping practices related to copiers, fax machines, and recycling bins

Security Breaches and Attacks
- Intrusions and Attacks
  - Attacks on physical and wireless networks attempting to compromise machines and user accounts through disguised email messages, corrupted PDF files and exploited webpages and social networking sites such as Facebook

Conclusions
- Security of healthcare data is critical for the future success of HIT
- ARRA/HITECH supplement the administrative, physical and technical safeguards implemented by HIPAA
- Security measures will continue to improve, but so will the efforts of hackers and criminals who seek access to healthcare record data and identity theft

Chapter 9: Health Informatics Ethics
Ken Masters PhD

Learning Objectives
After reviewing the presentation, viewers should be able to:
- Describe the 20th century medical and computing background to health informatics ethics
- Identify the main sections of the IMIA Code of Ethics for Health Information Professionals
- Describe the complexities in the relationship between ethics, law, culture and society
- Describe different views of ethics in different countries
- Summarize the most pertinent principles in health informatics ethics
- Discuss the application of health informatics ethics to research into pertinent areas of health informatics
- Discuss appropriate health informatics behavior by medical students

Introduction
- The Nuremberg Code
  - Related to the Holocaust (death of 11 million people by the Nazis)
  - Medical crimes against humanity were committed
  - Code established voluntary consent, the right to withdraw from an experiment, and the right to a qualified medical experimenter
- World Medical Association's (WMA) Declaration of Helsinki
  - Added the right to privacy and confidentiality of personal information of research subjects to the Nuremberg Code

Informatics Ethics
- International Medical Informatics Association's (IMIA) Code of Ethics. Very expansive. Duties include:
  - Patient-centered
  - Healthcare professionals centered
  - Institution centered
  - Society centered
  - Self centered
  - Profession centered

International Considerations: Ethics, Laws and Culture
- Influenced by a country's laws and culture
- The relationship between ethics, law, culture and society is unclear, is not fixed internationally, and may be fluid even within a given country over time

Different Views of Ethics
- Ethics does not exist outside the law, and exists only for the good of a properly ordered and legal society
- Ethics is usually strongly informed by the law, society, and the prevailing culture, and is an extension of these
- Ethics exists entirely outside of the law, and is a matter of personal conscience. Where there is conflict the ethical viewpoint must prevail

Pertinent Ethical Principles
- Right to privacy
- Guard against excessive personal data collection
- Security of data
- Integrity of data; must be kept current and accurate
- Informed consent for patients
- Awareness of existing laws
- Medical ethics applies to health informatics ethics
- Sharing data only when appropriate
- Clinicians have broad responsibilities towards the entire community
- Clinicians must practice beneficence
- This responsibility can not be transferred

Difficulties Applying Medical Ethics in the Digital World
- How to obtain informed consent for the use of patient data in large databases?
  - Obtain broad informed consent
  - One should guard against corporate ownership of databases
- Research on electronic postings: privacy and disclosure depend on which model is adopted
  - Human subject model: extension of the medical view
  - Textual object model: only rules of plagiarism and copyright apply

Challenges in Transferring Ethical Responsibility
- Researchers must obey the law, but laws do not establish ethics
- Submit a protocol to an Ethics Committee or an Institutional Review Board (IRB), but members may not be familiar with the subtleties of health informatics
- Keeping data secure by transferring responsibility to a database manager who takes full responsibility, but ultimately the researcher is still likely to be responsible

Electronic Communication with Patients and Caregivers
- American Medical Association's (AMA) guidelines provide medico-legal advice:
  - Make patient aware of who is reading the email
  - Delineate types of email topics that are acceptable
  - Use of appropriate language
  - Provide tips for patients to ensure they can quickly reference relevant emails
- Do not use email communication with new patients

Measures to Ensure Documents Are Understood
- Flesch Reading Ease Test: assigns a value of 1 (most difficult) to 100 (easy)
- Flesch-Kincaid Test: assigns a number that corresponds to US school grade (1 – 14)
- Microsoft Office Word, under Options >> Proofing, provides a readability score based on Flesch Reading Ease and Flesch-Kincaid Grade level

Simple Data Protection
- Encryption programs to encrypt hard drive, folders or files
  - TrueCrypt – free software, www.truecrypt.org
- Password and document encryption protection
- Anti-virus programs
- Anti-spyware and malware software
- Erase computer hard drives before discarding
- Consider using encrypted email with programs (plug ins) such as Mailvelope

Limiting Collection of Visitor Data to Your Website
- Most web sites use tracking cookies or tracking tools that are used without consent or even notification
- Ideally should obtain consent and state clearly:
  - What information will be gathered?
  - How will it be stored and secured?
  - With whom will it be shared?
  - For how long will it be kept and then destroyed?

Health Informatics Ethics and Medical Students
- Students should be careful about online comments and photographs of themselves, colleagues and patients on social networks
- Care in the use of mobile devices with cameras
- For all research projects, big or small, follow IRB guidance
- Avoid plagiarism
- Avoid paper mills
- Manipulation of electronic files: ensure copyright is not violated
- Avoid recording of lectures without consent
- Avoid using pirated digital files
- Avoid accessing documents illegally

Conclusions
- Health informatics ethics stems from medical ethics
- The IMIA Code of Ethics contains guidelines for multiple categories
- The relationship between ethics, law, culture and society is fluid and must be monitored
- The pertinent ethical principles are: right to privacy, guarding against excess, security and integrity of data, informed consent, data sharing, beneficence and non-maleficence, and non-transferability of responsibility
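The "Privacy Rule Mandates Removal of 18 Identifiers" slide above, applied to a record as working code. This is an added example, not part of the attached slides or the posted answer; the record schema, field names, regexes and the sample patient record are constructed for illustration and do not come from the deck.

```python
import re
from datetime import date

# Constructed schema for this example: field names grouped by the slide's 18
# Safe Harbor categories (names, sub-state geography, contact numbers,
# SSN/MRN/plan/account/license numbers, vehicle/device IDs, URL/IP,
# biometrics, photos). "state" stays; geography smaller than a state is dropped.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "beneficiary_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo",
}
# Dates tied to the individual: every element except the year must go.
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Identifiers also leak into free-text notes; these constructed regexes catch
# the common formats (not exhaustive; a real pipeline needs review as well).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def find_residual_identifiers(text: str) -> dict:
    """Return {category: [matches]} for identifier patterns found in free text."""
    return {name: pat.findall(text) for name, pat in FREE_TEXT_PATTERNS.items()
            if pat.search(text)}


def redact_free_text(text: str) -> str:
    """Replace each free-text identifier hit with a category tag."""
    for name, pat in FREE_TEXT_PATTERNS.items():
        text = pat.sub(f"[REDACTED-{name.upper()}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Apply the slide's Safe Harbor list to one record; returns a new dict."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # listed identifier: drop the field
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value.year if isinstance(value, date) else None
            continue                      # keep only the year
        out[key] = redact_free_text(value) if isinstance(value, str) else value
    return out


# Constructed sample record and note; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "dob": date(1970, 3, 14), "state": "GA",
    "city": "Atlanta", "zip": "30303", "ssn": "123-45-6789", "mrn": "MRN-0099",
    "diagnosis": "Type 2 diabetes", "admit_date": date(2023, 11, 2),
    "notes": ("Pt called from 404-555-0100, follow up via jdoe@example.com; "
              "SSN on file 123-45-6789. Seen 11/02/2023."),
}
```

Running find_residual_identifiers on the output's notes after deidentify is the check that the free-text pass actually caught what the structured pass removed.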

Explanation & Answer

Find help as attached.

MEANINGFUL USE OF INTEROPERABILITY

Meaningful Use of Interoperability
Student Name
University

Meaningful Use of Interoperability
Interoperability in healthcare is critical for enhancing medical services offered to patients. The practice entails an accurate integration of information systems containing varying data or personal details of varying stakeholders (Savoska et al., 2019). Fo...

