Question

 

HCI112

Q: Dr. Buthainah is a family physician who refuses the use of EHR in her clinic because she believes that her patients' health information is not secure in the EHR. As a health informatics specialist, write a 150-200 words letter explaining to her actions that have been taken by governments and professional bodies to safeguard EHR data.

Answer 1

The most effective way of protecting patient's health record is made possible by the following:

ONC-ATCB Certification: The software must be tested and approved by an Authorized Testing and Certification Body recognized by the Office of the National Coordinator.

Patient information should be released to others only with the patient’s permission or as allowed by law. Under the HIPAA Privacy and Security Rules, employers are held accountable for the actions of their employees. Additional security measures such as extensive training and strong privacy and security policies and procedures are essential to securing patient information.

Not only does the NIST provide guidance on securing data, but federal legislations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act mandate doing so. Violating these regulations has serious consequences, including criminal and civil penalties for clinicians and organizations.

Computer workstations are rarely lost, but mobile devices can easily be misplaced, damaged, or stolen. Encrypting mobile devices that are used to transmit confidential information is of the utmost importance.

Some security measures that protect data integrity include firewalls, antivirus software, and intrusion detection software. Regardless of the type of measure used, a full security program must be in place to maintain the integrity of the data, and a system of audit trails must be operational.

Providers and organizations designate a security officer to work with a team of health information technology experts who can inventory the system’s users, and technologies; identify the security weaknesses and threats;

Audit trails: With the advent of audit trail programs, organizations can precisely monitor who has had access to patient information. The HIPAA Security Rule requires organizations to conduct audit trails, requiring that they document information systems activity and have the hardware, software, and procedures to record and examine activity in systems that contain protected health information. HIPAA requires that audit logs be maintained for a minimum of 6 years.

Password Protection: EHRs should offer additional access controls such as: Lockout capabilities that will forbid access if the wrong password is entered too many times., Complex password requirements, Regular password resets, Security questions to help further validate users beyond a password. and Two-factor authentication to provide an additional layer of security.

Data Encryption: By coding the information in a way that can only be deciphered by authorized programs or users in possession of the access code, EHRs can make transferring patient data (such as test results or diagnoses to patients via patient portals or medical histories to referrals) safer. Additionally, encryption can minimize damage in the event the data is stolen.

Security risk assessment: HIPAA requires all “covered entities” to conduct one of these security risk assessments at least once a year, or any time changes are made to security protocols: A summary of all the protected health information (PHI) the practice creates, receives or transmits; An overview of possible threats/vulnerabilities in the protocols; An evaluation of the impacts of any potential threats.