Question

Business and Data Management

Module 3

Case Study One Instructions

Scenario:

You have been hired as a security analyst for Garbo Rheumatology Research Center. This lab is producing cutting edge treatments for rheumatology and similar autoimmune diseases. Despite being cutting edge, this research is not top secret. Funding is provided by government grants and sponsored by a major research university in the area.

While there is not an intense amount of security required, the data being researched does include medical and laboratory data taken from human and animal subjects. This information comes from a small, attached, on-site clinic and several small animal labs on university premise. Currently, accessibility to the facilities employ appropriate physical controls to ensure that only authorized individuals are permitted within the given facilities; via a combination of security badges and pin codes.

Laboratory

The labs are dedicated to research materials. Lab technicians utilize three shared desktops located in the rear of the labs to register their data. They use separate logins and are required to log out after they complete their work. Many of these technicians are Ph.D. candidates or post doctorate students who, also, utilize these computers to correspond with their advisors. Some of these advisors are the researchers who work on projects within the labs, while others are professors on the university’s main campus.

The actual data itself is stored in a server room, which also functions as the office of the systems administrator. Access to this room is available only to the systems administrator and the Primary investigator (PI) of the project. The medical doctors/researchers, who work on site, each have a private office where they review and analyze the research data. Each office is accessible only to the occupant and building maintenance. These researchers deal with patient medical records, student coursework, and research data produced by the lab.

Data held in the database -

• Medical patient profile
• Medical test results
• Demographic information of Individual patients
• Clinical visits organized by patient

Paperwork spread around the office -

• Physical version of patient’s medical chart
• Printouts of test results and biological samples from both human patients and animal subjects
• Student assignments with and without grades

Medical Clinic

The medical clinic is permanently staffed with receptionists, office staff, and nurses. The medical doctors/researchers rotate shifts seeing patients and do not have permanent office space in this area. Instead they share desks and computers, while the nurses and office staff have permanent space and computers assigned to them individually. There is a shared workspace at the front desk which is utilized for patient booking, patient sign-in, and processing patient payments. Patients pay for appointments with credit and debit cards.

Data found in the Clinic –

• Patient logs (sign-in sheets)
• Printouts of credit card transactions
• Receipts left by patients
• Medical records of patients being seen that day
• New patient profiles

Assignment:

Part of evaluating the security of an organization is understanding the environment which the business operates. It is important not to just identify the data being handled, but, also, to understand what laws and regulations protect the data. This information might force us to handle and protect the data in ways that we would not otherwise have planned to in order to comply with the regulations.

• Based on the above scenario, list in “table format” the laws and regulations that this organization should consider in terms of welfare and data privacy best practices? There are numerous laws and regulations available to research.
• Based on these standards (i.e., HIPAA), what best practices would you suggest for healthcare compliance requirements?

Answer 1

Let's discuss the laws and regulations that the organization should consider in terms of welfare and data privacry best practices:

• Basically, the privacy standards are followed to protect certain health information.
• The HIPAA ( Health Insurance Portability and Accountability Act) was implemented by the US Department of Health and Human Services in 1996 as privacy rule that every hospital has to follow.
• The major goal of HIPAA is to protected health information by organizations subject to the Privacy Rule. This act mainly deals with without the permission of an individual patient, no one should use the patient information for any kind of research.
  

Below table give us a idea of laws and regulations that any act can cover related to Patient Data Privacy:

Laws and Regulations	Purpose or Objective
Privacy Rule	According to various acts like HIPAA, the patient details should not be used at anycost without permission. This is the most important regulation that every hospital has too follow.
Security Regulations	The Electronic Medical Records(EMR) has to be protected correctly and there should not be any shared desktops. This should addresses the technical aspects of protecting electronic health information (majorly administrative security, physical security and Technical security)
Transaction and Code Set Rules	This rule mainly talks about the predefined transaction standards for communications and transactions in the health-care industry (Standards 5010 and ICT-10 are examples for this one)
Unique Identifiers	By following the unique identifiers laws and regulations, we can achieve standardization, efficiency and consistency
Enforcement Law	If some orgranizations are not following the above rules, then they have to pay the penalities for not following the rules.
Breach Notification Rule	organizations have up to 60 days to notify patients according the data usage, once it is crossed then it will be treated as data breach.
Final Omnibus Rule	It further tightens and clarifies provisions to the privacy, security laws.
Permitted Uses and Disclosures	The patient information should not be shared with any individual, organization or other hospitals etc., as per this rule.
Authorization Law	Only the authorized individual has to deal with data, other then the person no one is allowed to the data laboratory for any data.

Best practices for healthcare compliance requirements:

• Establish the laws and regulations and inform about the same to larger audience.
• Make sure everyone in the organization are following the standards and warn if someone is not following.
• Data handling should be as per the rules and standards. Any misuse of patient information by anyone has to be reported and the organization should take appropriate action.
• Develop policies and laws to enforce the standards of conduct.
• Follow the National and International health organization standards.
• Identify and appoint someone to make sure the data is handled correctly.
• Establish the complaint systems in the organization where an individual can complaint about the data frauds.

Note: Current situation is like getting a patient data is easy through physical and virtual. So it is very important to know all possible ways of misusing data and implement the system such that patient data is protected and properly used.

PLEASE GIVE A THUMBS UP, IF THIS ANSWER IS HELPFUL

THANK YOU!