Saturday, December 7, 2013

HIPAA Security Rule

HIPAA Security Rule and related readings
The importance of access controls in addition to audit controls:
Audit controls are only one form of control.  They are a means of documenting system access and access attempts by users.  Keeping track of who has accessed data by using logs is part of audit control, but this type of control alone is not enough, because a log records access after the fact rather than preventing it.  Access controls should also be included to control and limit access to health information.  Access can be limited using special software programs that restrict access to those authorized to see the data they need for their job only.  This type of software can impose limits by making information accessible through context-based, role-based, or user-based access schemes.

Emergency access procedures under the Access Control standard:
Procedures for accessing data under emergency conditions should be planned for.  Emergency access is defined in terms of loss of data or systems containing protected health data in electronic form.  Emergencies could be anything from fires, vandalism, and terrorism to natural disasters or system failures.  In an emergency, being able to access information could be vital in a life-or-death situation.  There should be protocols in place for both backup storage and access to information in an area other than the original location.  The procedures should include ways for workforce members to be able to access that information.  If a special access or audit control needs to be added at the other location, that should also be taken into consideration.

How role-based access controls meet the HIPAA Privacy Rule minimum necessary standard:
This standard requires that access to PHI by employees of covered entities be limited to the minimum necessary to do their jobs.  The rule specifies that covered entities must “develop role-based access rules” to carry out this minimum necessary requirement.  Role-based access is the mapping of data access for a user or a class of users to only those functions, activities, and action codes that they need to perform their duties. (optuminsight)
The Privacy Rule requires that a covered entity identify several things in its policies and procedures.  These items include naming which persons or classes of persons need access to the protected health data.  Another item is listing the categories of protected health information that those persons or classes will need to be able to access.  The other item is listing the conditions that would apply to the access, where appropriate.  Covered entities must also have policies and procedures to limit access by those who do not need access to the data.
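The passages above describe audit controls (logging every access attempt), access controls that limit what each role can reach, and emergency access procedures, but the post does not show what such a scheme looks like in practice.  The following is an added example written for this page, not code from the original post, from any textbook cited here, or from any vendor: a default-deny role-based access check that records every decision in an audit log, with a separately flagged emergency ("break-glass") path.  The roles, PHI categories, user names, and the rule that only clinical roles may use the emergency path are all constructed assumptions for illustration.

```python
"""Role-based, default-deny access check with an audit trail (added example).

Constructed illustration of the three ideas in the text: a role matrix that
grants only the "minimum necessary" categories, an audit log that records
every attempt (granted or denied), and an emergency path that still grants
access but is logged distinctly so it can be reviewed afterwards.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed role matrix: which PHI categories each role needs for its job.
# Anything not listed here is denied, which is the default-deny form of
# "minimum necessary". Role and category names are assumptions for the example.
ROLE_PERMISSIONS = {
    "billing_clerk": {"demographics", "insurance", "charges"},
    "front_desk": {"demographics", "appointments"},
    "nurse": {"demographics", "vitals", "medications", "allergies"},
    "physician": {"demographics", "vitals", "medications", "allergies",
                  "lab_results", "notes"},
}

# Assumption for the example: only clinical roles may use the emergency path,
# and only when a written justification is supplied.
EMERGENCY_ROLES = {"nurse", "physician"}


@dataclass
class AuditEntry:
    """One audit-control record: who tried to reach what, and the outcome."""
    when: str
    user: str
    role: str
    category: str
    decision: str   # "GRANT", "GRANT_EMERGENCY", or "DENY"
    reason: str


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def check_access(self, user, role, category, emergency=False, justification=""):
        """Return the decision string and always append an audit entry."""
        now = datetime.now(timezone.utc).isoformat()
        allowed = ROLE_PERMISSIONS.get(role, set())   # unknown role -> empty set -> deny
        if category in allowed:
            entry = AuditEntry(now, user, role, category, "GRANT",
                               "category is within the role's permitted set")
        elif emergency and role in EMERGENCY_ROLES and justification.strip():
            # Break-glass: access is granted, but the entry is flagged for review.
            entry = AuditEntry(now, user, role, category, "GRANT_EMERGENCY",
                               justification.strip())
        else:
            entry = AuditEntry(now, user, role, category, "DENY",
                               "outside the role's minimum necessary set")
        self.audit_log.append(entry)
        return entry.decision

    def denied_attempts(self, user=None):
        """Denied attempts, optionally for one user; useful for audit review."""
        return [e for e in self.audit_log
                if e.decision == "DENY" and (user is None or e.user == user)]

    def emergency_grants(self):
        """Every break-glass grant, each of which should be reviewed after the fact."""
        return [e for e in self.audit_log if e.decision == "GRANT_EMERGENCY"]


if __name__ == "__main__":
    ctrl = AccessController()
    # Constructed sample requests (user ids and justification are made up).
    ctrl.check_access("bclerk01", "billing_clerk", "charges")
    ctrl.check_access("bclerk01", "billing_clerk", "lab_results")
    ctrl.check_access("rn42", "nurse", "lab_results")
    ctrl.check_access("rn42", "nurse", "lab_results", emergency=True,
                      justification="patient unresponsive, attending unavailable")
    for e in ctrl.audit_log:
        print(f"{e.when} {e.user:10} {e.role:14} {e.category:12} {e.decision:16} {e.reason}")
    print("emergency grants to review:", len(ctrl.emergency_grants()))
```

The key point is that every branch writes an audit entry, including denials, so the log answers both questions the text raises: who accessed what, and who tried to reach data outside their role.  The emergency grant is deliberately a different decision string rather than a plain "GRANT" so that a reviewer can pull those entries out separately.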

What form of authentication best meets the Person or Entity Authentication Standard for different healthcare applications:
The Person or Entity Authentication Standard refers to those accessing e-PHI and requires that those individuals be identified and authenticated.  Two-factor authentication is the best method for meeting the standard.  This strong authentication requires that information be provided using two or three different types of authentication information.  Authentication could include passwords, smart cards and tokens, biometrics, CAPTCHA, or more.  Two-factor means that two or more of these types would be needed to be able to access the healthcare information.
Sayles: Health Information Management Technology: An Applied Approach

Saturday, November 30, 2013

Assignment 14 notes

Ohio does have a state immunization registry.  The ODH Immunization Program seeks to prevent 17 vaccine-preventable diseases with currently available vaccines. The diseases include:
Diphtheria, tetanus and pertussis
Haemophilus influenzae type b
Hepatitis A
Hepatitis B
Human papillomavirus
Measles, mumps and rubella
Meningococcal (meningitis)
Pneumococcal (pneumonia)
Varicella (chicken pox)
Zoster (shingles, adults only)

Diseases on the notifiable/reportable list can be found at:

They are classified as:

Class A
Report immediately by telephone

Class B1
Report by the end of the next business day

Class B2
Report by the end of the work week

Class C
Report outbreaks by the end of the next business day

Saturday, November 23, 2013

Assignment 13 Legal

Assignment 13- Legal
Five common categories of information on a medical staff application are: personal information (including residence status), medical education, formal medical training (residency/fellowship), licensure (active), and certifications.  I believe these are the most important categories needed.  The personal information should include residence status because it will help determine where the candidate is located and whether they would need to relocate for the position.  Medical education is important for researching the validity of the degrees the candidate has received.  Formal medical training should include information on residency and fellowships.  This information will help in determining how much experience the candidate has received and in what types of settings they have worked to get that experience.  Licensure and certifications both help establish the validity of the candidate's medical credentials for working in any specific specialty or practice.

Credentialing refers to the process of reviewing and validating the qualifications of physicians and other licensed practitioners for granting medical staff membership to provide patient services.  It serves as a form of protection to: 
1. Protect the public from professional incompetence
2. Protect the medical staff from working with incompetent professionals
3. Protect the facility from liability due to providing inadequate care
4. Protect the rights of the medical staff from unfair restrictions on their practice
Professional incompetence can be avoided, or at least reduced, by ensuring that credentialing takes place.  A physician should have qualifying degrees, licenses, and other certifications.  Verifying the practitioner’s credentials protects employees from having to work with unqualified individuals who would expose the organization to liability or incompetence.
Brodnik:  Fundamentals of Law for Health Informatics and Information Management

Saturday, November 16, 2013

Personal Health Records

Week 11 Assignment PHR for patients use
I started my search for information on PHRs, or Personal Health Records, the same way an unknowledgeable patient would.  I began with an internet search for "personal health record".  Unfortunately, the results can give information pertaining to practitioner as well as patient usage.  Changing my search words several times gave similar results.  All of the sites I found were mainly for practitioner or clinical use.  The few links for patients required account sign-up with a credit card even to get something as simple as basic information.
I checked supplied by AHIMA.  Their site teaches you how to create your own PHR from scratch with a few simple directions and instructions. 
The site suggests checking with your healthcare provider, insurance company, or employer to see if they offer PHR software or a website service.  I checked with my personal insurance provider, who did not offer a PHR available on the internet.  I am not employed, so I could not check an employer.  I then tried my medical provider, and they only offer a Patient Portal that allows you to access basic information such as appointments and privacy rights.  I will mention that the only PHR I actually have knowledge of came about by accident.  My grandmother-in-law wanted a Medicare Alert Bracelet for safety, as she is very ill.  I searched for M.A. Bracelets and found one that actually includes a built-in mini memory drive.  The drive contains PHR software that you bring up on your computer and that works as a fill-in-the-blank system.  There are places for all the expected sections of a traditional PHR, areas to add all medications, and it is easily editable.  The software on the bracelet only cost the price of the bracelet purchase ($20).  It is portable, can be kept on the person, looks exactly like a traditional metal medical alert bracelet, and is easily accessible by iPad, laptop, or computer.  This is the easiest, most user-friendly system I found.
Some of the problems associated with electronic PHRs are security/privacy, acceptability, and accuracy.  Records that are internet based may not be accessible in times of power outages, in locations without computer access, or may just not be easily accessed.  Most of the commercial systems are paid for by monthly payments.  A missed payment might mean limited or discontinued access.  Security can be a major issue with records kept on the internet.  Access must be kept safe from hacking and identity theft; just signing up with a secured site may not be enough.  Accessibility must also be made safe and maintained by both the patient and the company.  This would include password security and identity checks.  Another problem is acceptability.  Will a healthcare facility or hospital even be willing to accept information contained in a PHR?  The last problem would be accuracy.  If a patient has a PHR, it may not necessarily contain accurate information.  Outdated information such as incorrect medication dosages or medical conditions could cause dangerous outcomes or delay medical treatment.
A problem with PHRs in general is that there is a lack of standards for PHRs.  As technology has begun to make EHRs more accessible to patients as PHRs, there will be an increase in patient usage, and as a result the government is beginning to take notice.  CCHIT, or the Certification Commission for Healthcare Information Technology, was founded in 2004 and has certified EHRs since 2006.  The federal government recognized CCHIT as a certifying body; it established the first comprehensive, practical definition of what is needed in EHRs.  These national efforts are expected to have a trickle-down effect on organizations attempting to provide EHRs and PHRs for patients. (Brodnik)

Brodnik: Fundamentals of Law for Health Informatics and Information Management

Monday, November 11, 2013

Patient Rights and Quality Improvement programs

Describe how patient rights and quality improvement programs are linked.

The Institute of Medicine published a report titled Crossing the Quality Chasm: A New Health System for the 21st Century.  This report identified six broad objectives that should be central to the US healthcare system.  The report stated that healthcare should be safe, patient-centered, efficient, effective, equitable, and timely.  The Joint Commission is using this information to focus activities for the onsite accreditation survey and is publishing measurement data on its website at  Consumers can search for an organization and check how the Joint Commission measures it and determines its accreditation status.
Quality improvement processes are guided by federal agencies such as CMS and AHRQ.  At the federal level, the Affordable Care Act established the National Strategy for Quality Improvement in Health Care, known as the National Quality Strategy.
Patients’ Rights:  Central to providing quality healthcare is ensuring that patients are aware that they have rights related to clinical care and also to other aspects of healthcare, such as communication about their care and protection of privacy.  Specific patient rights are externally driven by both government and private standards and internally driven by organizational policies.
Some common sources of patient rights are:  American Hospital Association Patient Care Partnership, Medicare Conditions of Participation, HIPAA Privacy Rule Revisited, The Joint Commission Standards, Facility Policy Regarding Patient Rights, Right to Admission/Duty to Treat, Impact of Hill-Burton, EMTALA/Anti-Dumping, Right to Discharge, Safekeeping of Property, and Patient Obligations.

Brodnik: Fundamentals of Law for Health Informatics and Information Management