Policy Manual Introduction
A policy manual is a general guideline that details the policies and best practices that an organization in a particular industry should follow. This is the case with health care in general and protecting patient data in particular. Moving from a manual system to an electronic or automated one has been found to enhance best practices in the field of health care (Hamilton, Jacob, Koch & Quammen, 2004).
Importance to Organization
It prepares a roadmap for daily administration. A policy manual is also a yardstick for performance. It can be used to train fresh recruits about the conduct desired. It can also be resorted to when disputes over best practices arise. It removes ambiguity of all kinds. It increases the reputation of the organization because of the high standards it upholds.
Legal Requirements
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted so that all types of patient information could be brought under the purview of protection. The HIPAA Privacy Rule overrides any state rule that runs contrary to it. HIPAA has two parts, both of which set national standards for health information:
HIPAA Privacy Rule – safeguards the privacy of individuals
HIPAA Security Rule – provides security to electronically created patient information
HIPAA ordains that there should be procedures in place so that only authorized personnel can provide patient health information to the parties concerned.
Terms Used
Covered Entities – a group that shares health information, including health insurers, care providers and health plans. The HIPAA Privacy Rule is binding on these entities.
Individual Rights – An individual has a right to get information about his/her health and should be informed in case of any disclosure of health information to other parties.
Penalties – are levied on covered entities in case of violation of the HIPAA standards.
Risk Assessment
Risk to Records
According to Wager, Lee and Glaser (2009, p. 252), there are three types of risks to records: human, natural and technological;
Human – could be due to willful negligence or due to ignorance or oversight. It arises from people such as staff, the patient himself/herself or any third party.
Natural – calamities like floods, earthquakes, tornadoes etc. are examples where things are beyond the control of man, and
Technological – Computer viruses, power outages, no backup etc. are examples where technology rather than the individual has a say.
(Source: Wager, et al, 2009, p. 252).
Remedies to protect Records
Taitsman, Grimm and Agrawal (2013, p. 978) have mentioned three types of remedies to protect health information: physical, electronic and human;
Physical – The confidence of the patient can be boosted through private consulting rooms etc. Storage should likewise be secured through proper filing etc. Similarly, documents should be disposed of by means of shredding.
Electronic – Users can be identified through passwords and biometric means. Systems likewise can be secured through anti-virus programs and firewalls. Hardware devices can be safely disposed of after erasing the hard drives.
Human – Background checks should be made before hiring personnel. Existing employees should be trained to perform their duties effectively.
(Source: Taitsman et al, 2013).
Given the widespread use of mobiles, it is advisable that safeguards be put on them too. It is always preferable to have passwords for mobiles. Apps should be checked before downloading and the mobile should be under one’s own control as far as possible. Stored health information should be removed before changing mobiles and file-sharing apps should be used with utmost care (Taitsman, Grimm & Agrawal, 2013, p. 979).
Policy Statement for Access and Disclosure
Only authorized personnel directly handling a particular patient should have the right to garner information regarding the patient’s health. Other extraneous elements belonging to the staff of the organization should not have any access whatsoever to the patient’s information.
Informed Consent is required before the information of a patient can be passed on to others irrespective of the reason. A written consent will stand the enquirer in good stead in case of a dispute. Annas (2003) vouches for a privacy notice to all types of patients.
The patient’s data should not be duplicated by any means for a profit motive. Unscrupulous elements could seek a customer’s details for personal gains which should be prohibited.
The time, place and mode of access even to authorized personnel should be restricted by the organization.
The formal levels of examination should be followed before access to information is permitted. Lack of communication at different levels in a hierarchy can compromise patient information.
The extent of information that can be divulged to a third party is also restricted based on HIPAA. The entire history of a patient should not be jeopardized by the information seeker. Only relevant and accessible information should be divulged.
Safety checks should always be performed while accessing patient information. If there are multiple levels of security, each of these should be adhered to. It is small lapses that are taken advantage of by unscrupulous elements to gain access to information.
One should diligently follow rules and emphasize the significance of privacy in all dealings (Koontz, 2015, p. 100).
Training Topics for Staff
The staff should be trained about which personnel have what level of authority. When referring any member to a particular person, one should be aware that the person in question has the authority for which he/she is being recommended.
Staff should be trained to inform the patient about the ramifications of disclosure of his/her information. The staff should have a written consent form at their disposal which they can use at the time of gathering information.
Staff should be trained about duplication procedures of patient data and also the authority concerned that has the privileges to do so.
The time, place and mode of access should be specified in the training provided. This is so that unsuspecting employees do not reveal important information without express instructions.
The hierarchy of authority should be clearly instructed to trainees. This is so that they can identify the right authority for a certain job.
The information that can be divulged should be included for training. The different types of information and the scenarios in which this is possible should also be clarified at the outset.
Safety checks may have multiple layers. All the layers need to be explained to fresh graduates who may be ignorant about their existence.
The importance of rules and what privacy actually means should be driven home.
Alignment with Regulatory Requirements
Breach of HIPAA Regulations
The number of instances of HIPAA violation is on the rise. This has resulted in penalties for various reasons. HIPAA brought in new changes to its rules in 2013 (McDavid, 2013, p. 54).
1. Business Associates have been made directly responsible and should comply with privacy and security issues.
2. The use of Protected Health Information (PHI) has been restricted in case of marketing and other reasons. The patient’s consent for the same is required.
3. Information about immunization of a child can be intimated telephonically but should be noted down.
4. After 50 years of death, the PHI can be made available to anyone unless contrary to any express wish not to do so.
5. If there is willful neglect, then HIPAA rules can be made binding.
6. If an individual pays for a plan out of his pocket, then the information can be restricted from disclosure.
(Source: McDavid, 2013, p. 54).
There should be full control over access to data. Access to data should be audited for each and every person gaining access to it. Cyber insurance should be taken out to protect against any financial loss. External audit is preferable so that any point left out from HIPAA can be taken up. Passwords should be unique and should contain letters, numbers and special symbols. They should be changed regularly. The patient must be intimated of a probable breach and must be encouraged to monitor his own identity and records. It is better to come clean on the steps taken as per HIPAA. One may come off with just a fine or penalty (McDavid, 2013, p. 55).
Policy statement for handling & disposal
Storage of Paper based Information
Such information can be stolen or destroyed. Similarly, there can be damage due to natural disasters like floods etc. and other hazards such as fire, vermin etc. This information can be stored on-site or in secondary storage, which means that retrieval can be faster. However, those authorized to use secondary storage must also be made responsible for it.
Storage of Electronic Information
Such storage can be acceptable as long as the data is migrated when changes are made to software and hardware.
Portable Computer Storage
Apart from encryption of data, access controls should be used through screen savers and strong passwords. Digital wipe software ensures that the portable storage is wiped after transferring the data to permanent storage.
Cloud Computing
Computing capacity can be increased through this concept. Alternately, the idle resources on a computer can be sold. Though cloud computing leads to cost savings, it has its unique problems. When a customer takes a particular action, it affects many others who also share the common resources. Hence, complex solutions are required while sharing patient information over cloud computing (Gonzalez, Miers, Redígolo, Simplício, Carvalho, Näslund & Pourzandi, 2012).
Disposal of Information
Information that should not reach anyone should be destroyed permanently such that recovery of the information is impossible.
Paper based information should be disposed of using shredders as far as possible. Incinerating the information is not a good option due to environmental reasons. Electronic information should be permanently deleted from the computer systems such that no hard- or softcopies exist anymore.
A disposal record should be maintained. This contains details of disposal such as date, time, type of data, extent to which destroyed, the person-in-charge of destruction etc. This is done for keeping a permanent account for future reference.
Training Topics for Staff
Handling data refers to the day to day management of data which include the use, storage and maintenance of data. Disposal on the other hand refers to discarding or destroying the patient data because it is no longer required. Whether it is the day to day handling or the final destruction of patient information, the staff needs to be trained on the aspect as mandated by HIPAA. If data is not handled properly, the current operations will be disrupted. If data is not destroyed in a correct manner, it can give rise to problems in future.
Person in charge of handling & Disposing
Only authorized persons should handle the data. The dissemination of data can be restricted depending on the level of authorization that the person handling the data has. The dissemination of data can be either for the purpose of reporting or for storage. Data can be moved from temporary to permanent storage only by authorized persons. This procedure should also be part of employee training. The manner in which paper based information is destroyed should also be taught, failing which the privacy of an individual could be jeopardized. Moreover, failure to dispose of data will allow redundant data to pile up and occupy much needed space.
Duration and Time
Maintenance can be done on a weekly basis or at longer intervals depending upon the scale of information stored. When maintenance is done, sometimes access to all or part of existing data may be restricted. Similarly data once destroyed should not be retrievable. Data disposal should also be scheduled at regular intervals and intimated to all concerned.
Managerial Oversight
Managerial oversight can sometimes cost the company dearly. There are HIPAA penalties which force the health care industry to stress information security (Chaudhary & Ward, 2014).
Care should be taken so that merely accessing data should not lead to change in the data itself. This can be ensured by giving only read permissions on data. This contrasts with read-write permission where a person can do both the operations on the same data.
As far as possible, an employee with read-write permissions should be the only one to access that data. Such an employee would be able to keep a tab on mistakes committed during data access such as wrongful updates or deletions. In this case, undoing the error could be possible if done in time. Any other employee may not be aware of the implications of such errors. Hence, others should only have permission to view data and not modify it.
Data can be represented at various levels of abstraction. For instance, the data entry operator may have access to basic data. However, analytical information may be available to the manager who may or may not have the basic data as he may not be concerned with such data. Hence, each person gets to view only the data with which he is concerned.
Data should be periodically checked for anomalies or unusual patterns. Virus attacks typically cause such irregularities in data. An antivirus program which is regularly updated should be installed by default on computers. Firewalls should also be installed. This type of security is especially required when one is online.
Policy Statements for Role based security levels
Efficiency and Security do not go hand in hand. There is a tension between the two in organizations (Hoadley, Deibel, Kistner, Rice & Sokhey, 2012). If this tension can be mitigated, best practices originate which blend operational efficiency and patient privacy.
A role based security level is one which takes the role performed by the employee into consideration. On this basis an employee only gets to access that information which concerns him/her. Conversely, no other person can access the information that he/she usually accesses, with the exception of the administrator or a group head, who can have all privileges to the data.
1. Every user or role is to be created according to the activity performed by an employee and not on any other considerations.
2. There should be as little overlap between users as possible, failing which the security of the system may be jeopardized.
3. Users and roles are not static entities. As a person’s role changes, the existing user changes to reflect the changes that have occurred.
4. Procedures should be created so that in the absence of any person, an alternative arrangement can be made on a temporary basis.
5. Documentation regarding the security levels should be made so that there is no ambiguity as it works as a ‘ready reckoner’.
6. Auditing should be envisaged so that data traffic movement can be tracked. Individual user activity can also be tracked for this purpose.
7. Entities can be authenticated by setting passwords and automatically logging off after a certain time (Wager, Lee & Glaser, 2013, p. 266).
8. Data should be encrypted so that it can be safely transferred from one location to the other (Wager, et al, 2013, p. 269).
Method to set security levels
1. Administrator:
The highest level of security in an organization is that of the administrator. The administrator gives permission to other users or roles. A network administrator gives access to files whereas a database administrator gives access to the database. The two are usually combined into one, or maintained separately in large organizations.
The administrator receives the hierarchy of roles or users from the management, based on which they are created. The administrator can add, modify or delete existing users or roles. He specifies what data can be viewed, inserted, modified or removed by ordinary users.
2. Users/Roles:
Users or Roles can view and insert or update or delete only information to which they have access. They may typically be provided interactive screens for data input, editing and output. Managers could be users who only have access to processed data in the form of reports.
Data Tracking:
Every manipulation done by the user is recorded for future reference and for the purpose of analysis. Each user is safeguarded by passwords which prevent unauthorized access.
Data Traffic:
At times, data is accessed at a particular time of the day and remains relatively idle for the rest of the time. The administrator should resort to fine tuning the database so that resources are evenly spread among the various constituents.
Other Issues:
Not only should safeguards be in place, loopholes should also be plugged; for instance, systems should not be left unattended. A session that has not been logged out can easily be used by an unauthorized person. The amount of damage that can be done in a matter of minutes could be great.
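The read-only versus read-write distinction under Managerial Oversight and the eight role-based policy items above (activity-based roles, minimal overlap, temporary cover, auditing, auto-logoff) are shown together in this added example; it is not code from the manual or from any cited source, and the role names, data categories and 15-minute idle timeout are assumptions chosen for illustration.

```python
"""Role-based access check for a patient-record system with read-only versus
read-write rights, temporary delegation, idle-session logoff and an audit trail.
Added illustration; role names, categories and the timeout are assumptions."""
from datetime import timedelta

# Role -> {data category -> allowed operations}. Each role mirrors one activity
# (policy item 1) and roles overlap as little as possible (item 2).
ROLES = {
    "data_entry": {"demographics": {"read", "write"}},
    "clinician": {"demographics": {"read"}, "clinical": {"read", "write"}},
    "manager": {"reports": {"read"}},  # processed data only, never raw records
    "admin": {c: {"read", "write"} for c in ("demographics", "clinical", "reports")},
}
SESSION_TIMEOUT = timedelta(minutes=15)  # assumed idle time before auto-logoff (item 7)


class AccessControl:
    def __init__(self):
        self.users = {}     # user -> {"role": str, "delegated": (role, expiry) or None}
        self.sessions = {}  # user -> timestamp of last activity
        self.audit = []     # (time, user, category, op, decision): item 6 / Data Tracking

    def add_user(self, user, role):
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.users[user] = {"role": role, "delegated": None}

    def login(self, user, now):
        self.sessions[user] = now

    def delegate(self, user, role, until):
        """Temporary cover for an absent colleague (item 4); lapses at `until`."""
        if role not in ROLES:
            raise ValueError(f"unknown role: {role}")
        self.users[user]["delegated"] = (role, until)

    def _effective_roles(self, user, now):
        roles = [self.users[user]["role"]]
        delegated = self.users[user]["delegated"]
        if delegated is not None and now < delegated[1]:
            roles.append(delegated[0])
        return roles

    def check(self, user, category, op, now):
        """Return True if `user` may perform `op` on `category`; log every decision."""
        last = self.sessions.get(user)
        if user not in self.users or last is None or now - last > SESSION_TIMEOUT:
            self.sessions.pop(user, None)  # idle or missing session is logged off
            self.audit.append((now, user, category, op, "DENY: no active session"))
            return False
        self.sessions[user] = now
        allowed = any(op in ROLES[role].get(category, set())
                      for role in self._effective_roles(user, now))
        self.audit.append((now, user, category, op, "ALLOW" if allowed else "DENY"))
        return allowed
```

Every decision, allowed or denied, lands in `audit`, which is what an external reviewer would inspect when checking that access was restricted by time, role and mode as the policy requires.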
References
Annas, G. J., (2003). HIPAA regulations--a new era of medical-record privacy? The New England Journal of Medicine, 348(15), 1486-90. Retrieved from https://search.proquest.com/docview/223930472?accountid=1611
Chaudhary, R., & Ward, J. J. (2014). A practical approach to health care information security. Managed Care Outlook, 27(9), 1-9. Retrieved from https://search.proquest.com/docview/1525825131?accountid=1611
Gonzalez, N., Miers, C., Redígolo, F., Simplício, M., Carvalho, T., Näslund, M., & Pourzandi, M. (2012). A quantitative analysis of current security concerns and solutions for cloud computing. Journal of Cloud Computing, 1(1), 1-18.
Hamilton, C., Jacob, J. M., Koch, S., & Quammen, R. L. (2004). Automate best practices with electronic healthcare records. Nursing Management, 35(2), 40E-F. Proquest.
Hoadley, E. D., Deibel, J., Kistner, C., Rice, P., & Sokhey, S. (2012). Seeking best practices in the balancing act between data security and operational effectiveness. International Journal of Management & Information Systems (Online), 16(2), 183. Retrieved from the Walden Library databases.
Koontz, L. (2015). Health information privacy in a changing landscape. Generations, 39(1), 97-104. Retrieved from the Walden Library databases.
McDavid, J. P. (2013). HIPAA risk is contagious: Practical tips to prevent breach. The Journal of Medical Practice Management: MPM, 29(1), 53-55. Retrieved from the Walden Library databases.
Taitsman, J. K., Grimm, C. M., & Agrawal, S. (2013). Protecting patient privacy and data security. The New England Journal of Medicine, 368(11), 977-979. Retrieved from the Walden Library databases.
Wager, K. A., Lee, F. W., & Glaser, J. P. (2013). Health care information systems: A practical approach for health care management (2nd ed.). San Francisco, CA: Jossey-Bass.