Explain What Measures Can Be Taken To Guarantee The Security Of EHR

The Health Insurance Portability and Accountability Act (HIPAA) is a set of national standards created for the protection of health information; it is also known as a “Privacy Rule”. This rule was employed in 1996 by the US Department of Health and Human Services (DHHS) to address the use and disclosure of an individual’s health information as well as the standards for the individual’s privacy rights to understand and control the manner in which their information is used.

| “Security controls are the management, operational, and technical safeguards or countermeasures employed within an organizational information system to protect the confidentiality, integrity, and availability of the system and its information” (NIST SP 800, 2009). The control allows the organization to efficiently mitigate the risk coming from the use of information System (IS) to conduct business operations and processes.

The new user policy section has been modified to require manager approval and validation of the user’s access request based upon the user’s role. Previously the policy only required manager approval for user’s requiring administrator privileges. In accordance with Health Insurance Portability and Accountability Act (HIPAA) standards on access controls, users will have the minimum access required to perform the functions of their job in order to protect against unnecessary access to electronic protected health information (ePHI).

Discuss what types of security measures are most important to ensure the Health Insurance Portability and Accountability Act (HIPPA) regulations are met.

Continuing with the protection of information, HIPAA also has a Security Rule that goes hand in hand with the Privacy Rule. This Security Rule differs from the Privacy Rule as it applies specifically to the safeguarding of information through the electronic protected health information (EPHI). Under this rule there are three types of safeguards mentioned: technical, administrative, and physical (Terry, 2015).

The third way is for employers to utilize the reporting/disclosure guide for employee benefit plans. This is a reference tool that employers can utilize for reporting and disclosure provisions under ERISA. The fourth way is for employers to utilize the understanding your fiduciary responsibilities under a group health plan which provides a summary of the rudimentary fiduciary responsibilities pertaining to health plans that fall under the ERISA mandates.

The hospital accounting department will also be off limits except only for those personnel that are authorized. Extra vigilance must be place on all medical record rooms, since the hospital still has paper medical records. All medical staff will receive training so that they understand the importance of HIPAA. This policy will guarantee that we have controls in place in regards to accessing patient information and staff access is monitored.

Lastly, establish an Employee Assistance Program, or EAP. The program is confidential and provides counseling, assessments, and referrals. This program can be operated either in-house or with other EAP providers. EAP programs also help by providing supervisors and managers with the tools they need to notice signs of drug abuse and to be familiar with the procedures regarding drug code. Signs can include,

Share current information or changes in privacy laws with staff and give and maintain an annual updated HIPAA signed form and release of information on record

Develop a training plan for new HIM employees that will ensure that they understand the HIPAA regulations and what their role is in maintaining them.

3.) Under HIPAA, covered entities (healthcare providers, health plans and healthcare clearinghouse) must comply with the privacy rules. A covered entity may develop its own privacy rules that would accommodate its own needs of protected health information (PHI) management but it most comply with the HIPAA guidelines. It is the responsibility of the entity to put in place a privacy official to oversee the policies, procedures and be on hand and available to be contacted in reference to the privacy rule. A patient should be given a privacy notice act at his/her health facility stating how their (PHI) is being used and to whom it will be shared. The covered entity should include in the notice their duty to assure the patients privacy as well as how and whom to contact if there is a complaint or they feel that their rights have been violated. As of 2009 the Office of Civil Rights (OCR) handles complaints that are made on privacy policies, procedure and practices of HIPAA covered entities.

Privacy policies can be particularly hard for an HIE to deal with .There are efforts such as the government's Connect project that provide

Requirements & Regulations that are needed for compliance: It is very important to meet the requirements of security standards and guidelines that are given out to be in compliance. For example, PCI-DSS requires networks to be secure and that credit card data if saved must be encrypted to meet compliance. Keeping this compliance up not only reduces overall costs and increases overall security, but also reduces the risks of penalties being placed against the business. A best practice would be for the security professionals to be pro-active and be always up to date on

The policy outlines the requirements established to maintain and protect the security for nonprofit organizations.

And all operations must comply with legal regulations and company policies to ensure that privacy is preserved and sensitive information protected. This requires centralized control for privacy and security issues.