EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS.

Slides:



Advertisements
Similar presentations
Quality Data for a Healthy Nation by Mary H. Stanfill, RHIA, CCS, CCS-P.
Advertisements

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Critical Access and Small Hospitals
Security Controls – What Works
Hospitals and Health Systems: Negotiating the ROI for CPOE/ e-Prescribing Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS.
Bringing Technology to the Rural Hospital Rural Telecon ‘07 October 17, 2007.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
July 3, 2015 New HIE Capabilities Enable Breakthroughs In Connected And Coordinated Care Delivery. January 8, 2015 Charissa Fotinos.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 5 Personal Health Records Electronic Health Records for Allied.
ELECTRONIC HEALTH RECORD
Health Information Technology for Post Acute Care (HITPAC): Minnesota Project Overview Candy Hanson Program Manager Julie Jacobs HIT Consultant June 13,
HIE Implementation in Michigan for Improved Health As approved by the Michigan Health Information Technology Commission on March 4, 2009.
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
NAPHSIS Annual Meeting 2009 Electronic Health Records: Why are they important? Linette T Scott, MD, MPH Deputy Director Health Information and Strategic.
HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Physician Offices.
Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating.
Advanced Strategies in HIPAA Security Risk Analysis
0 Presentation to: Health IT HIPPA Workshop Presented by: Stacey Harris, Director of Health IT Innovation September 26, 2014 Division of Health Information.
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Making Health Savings Accounts Work: Interoperable with Health Plans, Providers and Patients Steven S. Lazarus, PhD, CPEHR, CPHIT, FHIMSS September 27,
STEVEN S. LAZARUS, PHD, CPEHR, CPHIT, FHIMSS PRESIDENT, BOUNDARY INFORMATION GROUP AUGUST 20, – The Twelve Year Journey is Not Over.
Ohio Digital Government Summit Disease Surveillance (Homeland Security session) October 5, 2004 Rana Sen Deloitte Consulting LLP.
1 Visioning the 21 st Century Health System Kenneth I. Shine, MD National Health Information Infrastructure 2003: Developing a National Action Agenda for.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Transactions and Code Sets and the National Provider Identifier (NPI) By: Steven. Lazarus, PhD, CPEHR, CPHIT, FHIMSS Boundary Information Group December.
Chapter 6 – Data Handling and EPR. Electronic Health Record Systems: Government Initiatives and Public/Private Partnerships EHR is systematic collection.
PKI Forum Business Panel March 6, 2000 Dr. Ray Wagner Sr. Director, Technology Research.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.
How to Use the Toolkit Health Information Technology Toolkit for Chiropractic Offices.
The Fifth National HIPAA Summit – October 30, 2002 What to Do Now: Operational Implementation of HIPAA Privacy and Security Training Presented by: Steven.
Patient Confidentiality and Electronic Medical Records Ann J. Olsen, MBA, MA Information Security Officer and Director, Information Management Planning.
Santa Barbara County Care Data Exchange June 22, 2004 Sam Karp, Director Health Information Technology California HealthCare Foundation NHII 2004 Cornerstones.
Working with HIT Systems
1 Chapter 1 – Background Computer Security T/ Tyseer Alsamany - Computer Security.
Component 3-Terminology in Healthcare and Public Health Settings Unit 16-Definitions and Concepts in the EHR This material was developed by The University.
The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
Transactions and Code Sets and the National Provider Identifier (NPI) Steven S. Lazarus, PhD, CPEHR, CPHIT, FHIMSS September 25, 2006.
ORGANIZING IT SERVICES AND PERSONNEL (PART 1) Lecture 7.
Clinical Computing Secure, reliable technology that improves clinical workflow at the point of care.
Chapter 19 Manager of Information Systems. Defining Informatics Process of using cognitive skills and computers to manage information.
Copyright © 2007 Pearson Education Canada 23-1 Chapter 23: Using Advanced Skills.
Margret\A Consulting, LLC HIPAA and EMR Synergies Margret Amatayakul, RHIA, FHIMSS Margret\A Consulting, LLC The Sixth National HIPAA Summit Washington,
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 5 Personal Health Records Electronic Health Records for Allied.
March 19, 2003 Audioconference Approaches to Compliance with the HIPAA Privacy and Security Workforce Training Requirements Presented by: Steven S. Lazarus,
Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
S ecure A rchitecture F or E xchanging Health Information in Central Massachusetts Larry Garber, M.D. Peggy Preusse, R.N. June 9 th, 2005.
Case Study: Applying Authentication Technologies as Part of a HIPAA Compliance Strategy.
Terminology in Healthcare and Public Health Settings Electronic Health Records Lecture b – Definitions and Concepts in the EHR This material Comp3_Unit15.
© 2014 By Katherine Downing, MA, RHIA, CHPS, PMP.
Health Management Information Systems Unit 3 Electronic Health Records Component 6/Unit31 Health IT Workforce Curriculum Version 1.0/Fall 2010.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill/Irwin Chapter 6 The Privacy and Security of Electronic Health Information.
© 2016 Chapter 6 Data Management Health Information Management Technology: An Applied Approach.
Moderated by: Steven S. Lazarus, PhD, FHIMSS President
Unit 5 Systems Integration and Interoperability
EMPLOYER HIPAA COMPLIANCE STRATEGIES HIPAA Summit Audio Conference
Managing Clinical Information: EHR Terms and Architecture
Transactions and Code Sets and the National Provider Identifier (NPI) – Getting Value From the HIPAA Standards Presented by: Steven S. Lazarus, PhD, CPEHR,
Building A Community of Trust to Transform Medicines Development
Electronic Health Records: Overview, Acquisition and Implementation
Final HIPAA Security Rule
INFORMATION SYSTEMS SECURITY and CONTROL
OVERVIEW OF CMS GUIDANCE
THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,
National HIPAA Audioconference: update on Crucial HIPAA Privacy and Security Developments – 5 Years After Implementation Steven S. Lazarus, PhD, CPEHR,
Steven S. Lazarus, PhD, CPEHR, CPHIT, FHIMSS President
HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Strategies to Comply with the HPAA Privacy Rule Before the HIPAA Security and Enforcement Rules are Final Presented by: Steven S. Lazarus, PhD, FHIMSS.
Presentation transcript:

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 2 Margret A. Margret\A Consulting, LLC Strategies for the digital future of healthcare information  Strategic IT planning  Compliance assessments  Work flow redesign  Project management and oversight  ROI/benefits realization  Training and education  Vendor selection  Product/ market analysis  Information management and systems consultant, focusing on electronic health records and their value proposition  Adjunct faculty, College of St. Scholastica; former positions with CPRI, AHIMA, Univ. of Ill., IEEI  Active participant in standards development  Speaker and author (Silver ASHPE Awards for “HIPAA on the Job” column in Journal of AHIMA)

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 3 Steve Lazarus. Boundary Information Group Strategies for workflow, productivity, quality and patient satisfaction improvement through health care information  Business process consultant focusing on electronic health records, and electronic transactions between organizations  Former positions with MGMA, University of Denver, Dartmouth College; advisor to national associations  Active leader in the Workgroup for Electronic Data Interchange (WEDI)  Speaker and author (two books on HIPAA Security and one forthcoming on electronic health record)  Strategic IT business process planning  ROI/benefits realization  Project management and oversight  Workflow redesign  Education and training  Vendor selection and enhanced use of vendor products  Facilitate collaborations among organizations to share/exchange health care information

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 4 Agenda  EHR NHII  EHR and NHII Security  EHR and Security  EHR, NHII, and Security  Clinical practice support  Connectivity  Personalized care  Population health

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Electronic Health Record

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 6 EHR Definition  System that... Collects data from multiple sources Is used by clinicians as the primary source of information at the point of care Provides evidence-based decision support

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 7 EHR Schematic EHR Ancillaries R-ADT Devices Imaging Billing Source Systems Clinical Data Warehouse Clinical Data Warehouse Human- Computer Interface Knowledge Sources Knowledge Sources Rules Engine Clinical Data Repository Clinical Data Repository Pharmacy Others Patient Access (PHR) Referral (CCR )

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 8 “System”  Hardware Computers, workstations, printers, other devices  Software Programs that provide instructions for how the computers should work  People Users, administrators, technicians, vendors, etc.  Policies How the system will be used, what benefits are to be achieved  Processes Procedures, screen designs, report layouts, workflow changes, etc.

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 9 Point of Care  Human- computer interface  Work flow  Customizable screens  Ergonomics  Value proposition

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 10 Decision Support  Reminders  Alerts  Structured data entry templates  Order sets  External resources Formulary Practice Guidelines

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match National Health Information Infrastructure

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 12 NHII

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 13 Definition  An initiative set forth to improve effectiveness, efficiency, and overall quality of health care  Comprehensive knowledge-based network of interoperable systems of clinical, public health, and personal health information that would improve decision-making by making health information available when and where it is needed  Set of technologies, standards, applications, systems, values, and laws that support all facets of individual health, health care, and public health

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 14 What it is not  Not a centralized database of medical records  Not a government regulation  Not an EHR, PHR, CCR – but a framework within which those and other elements contribute

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 15 Local/Regional Initiatives  Santa Barbara County Care Data Exchange  Indianapolis Network for Patient Care  Different approaches, similar goals: Provide a simple and secure way to electronically access patient data across organizations Provide a public utility available to all physicians, caregivers, and consumers Construct an experiment to determine whether a community would share the cost of a regional IT infrastructure 1 1 The Santa Barbara Vision, Sam Karp, Director, June 22, 2004

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 16 LHII Security  Local security inoperability Encryption standard Public key administration  Use local “utility” Create and mange security standards May serve to provide security services to some participants (e.g., hardened data center)

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 17 NHII Security  Access and security Authentication Access controls to allowed data Monitors and records access requests  Identity correlation, using Centralized master person index Intelligent matching of similar records  Information locator service Links to patient records Demographic data of all patients

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match EHR and Security

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 19 Balancing Act  EHRs can provide greater privacy and security, e.g., Access controls can be more granular Authentication mechanisms provide audit trails and non- repudiation Disaster recovery plans assure greater availability Encryption can provide confidentiality and data integrity  But,... Information flows more easily, risk of mishap is greater Collection of large volumes of data more feasible and risky Sharing of information for treatment, payment, and operations misunderstood New methods to attack data are continuously being developed

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 20 Weakest Links  The weakest links in the security chain are: People, e.g.,  Concerns about “restrictive” access controls  Reluctance to authenticate  Lack of patient education Policies, e.g.,  Widespread use of templates without understanding organization-specific risks  Inconsistent management responsibility and accountability Processes, e.g.,  Open campuses  “Emergency mode”  Ownership of record issues

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 21 EHR Security Issues  If an organization make a very large investment in EHR The organization needs to be prepared to make a commensurate investment in security  EHR is not one more stovepipe, with source documents or print outs as back up The vision of EHR is to use the technology for all aspects of patient care

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 22 Threat Sources  Accidental Acts Incidental disclosures Errors and omissions Proximity to risk areas Work stoppage Equipment malfunction  Deliberate Acts Inattention/inaction Misuse/abuse of privileges Fraud Theft/embezzlement Extortion Vandalism Crime  Environmental threats Contamination Fire Flood Weather Power HVAC

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 23 Vulnerabilities  Administrative Policy Accountability Management Resources Training Documentation  Physical Entrance/exit controls Supervision/monitoring Locks, barriers, routes Hardware Property Disposal  Technical New applications Major modifications Network reconfiguration New hardware Open ports Architecture Controls

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 24 Risk Analysis  Has the threat occurred before?  How frequently?  Does threat source have: Access, knowledge, motivation? Predictability, forewarning? Known speed of onset, spread, duration?  Are controls available to: Prevent? Deter? Detect? React? Recover?  What harm does the threat exploiting the vulnerability do to: Patient care? Confidentiality? Potential for complaint/lawsuit? Productivity? Revenue? Cost of remediation? Licensure/ accreditation? Public relations/ consumer confidence, goodwill, competitive advantage?

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 25 Risk Management

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 26 The Latest Apps  CPOE and e-Rx  Clinical messaging  EHR  Web portals  CCR  PHR  Critical data  Unknown viewers  Ties everything together  Entrée  Begins sharing  Patient access

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match EHR, NHII, and Security

Security Identity Management Password Reset Access Management Software Bio- metrics Password Synchron- ization Single Sign-on Tokens & Smart Cards 28 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group

29 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group Local LAN Corporate WAN Proprietary Connectivity Supporting Systems Internet Gateway Security Event Management

Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 30 Transmission Protections  Access controls  Alarms  Audit trail  Encryption  Entity authentication  Event reporting  Integrity controls  Message authentication

References & Resources assn.org 31 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group

32 Contact Information  Margret Amatayakul, RHIA, CHPS, FHIMSS Margret\A Consulting, LLC Schaumburg, IL  Steven S. Lazarus, PhD, FHIMSS Boundary Information Group Denver, CO

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.