Presentation is loading. Please wait.

Presentation is loading. Please wait.

EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS.

Published byBrendan Lloyd Modified over 9 years ago

Similar presentations

Presentation on theme: "EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS."— Presentation transcript:

1 EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS

2 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 2 Margret A. Margret\A Consulting, LLC Strategies for the digital future of healthcare information  Strategic IT planning  Compliance assessments  Work flow redesign  Project management and oversight  ROI/benefits realization  Training and education  Vendor selection  Product/ market analysis  Information management and systems consultant, focusing on electronic health records and their value proposition  Adjunct faculty, College of St. Scholastica; former positions with CPRI, AHIMA, Univ. of Ill., IEEI  Active participant in standards development  Speaker and author (Silver ASHPE Awards for “HIPAA on the Job” column in Journal of AHIMA)

3 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 3 Steve Lazarus. Boundary Information Group Strategies for workflow, productivity, quality and patient satisfaction improvement through health care information  Business process consultant focusing on electronic health records, and electronic transactions between organizations  Former positions with MGMA, University of Denver, Dartmouth College; advisor to national associations  Active leader in the Workgroup for Electronic Data Interchange (WEDI)  Speaker and author (two books on HIPAA Security and one forthcoming on electronic health record)  Strategic IT business process planning  ROI/benefits realization  Project management and oversight  Workflow redesign  Education and training  Vendor selection and enhanced use of vendor products  Facilitate collaborations among organizations to share/exchange health care information

4 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 4 Agenda  EHR NHII  EHR and NHII Security  EHR and Security  EHR, NHII, and Security  Clinical practice support  Connectivity  Personalized care  Population health

5 EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Electronic Health Record

6 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 6 EHR Definition  System that... Collects data from multiple sources Is used by clinicians as the primary source of information at the point of care Provides evidence-based decision support

7 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 7 EHR Schematic EHR Ancillaries R-ADT Devices Imaging Billing Source Systems Clinical Data Warehouse Clinical Data Warehouse Human- Computer Interface Knowledge Sources Knowledge Sources Rules Engine Clinical Data Repository Clinical Data Repository Pharmacy Others Patient Access (PHR) Referral (CCR )

8 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 8 “System”  Hardware Computers, workstations, printers, other devices  Software Programs that provide instructions for how the computers should work  People Users, administrators, technicians, vendors, etc.  Policies How the system will be used, what benefits are to be achieved  Processes Procedures, screen designs, report layouts, workflow changes, etc.

9 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 9 Point of Care  Human- computer interface  Work flow  Customizable screens  Ergonomics  Value proposition

10 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 10 Decision Support  Reminders  Alerts  Structured data entry templates  Order sets  External resources Formulary Practice Guidelines

11 EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match National Health Information Infrastructure

12 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 12 NHII

13 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 13 Definition  An initiative set forth to improve effectiveness, efficiency, and overall quality of health care  Comprehensive knowledge-based network of interoperable systems of clinical, public health, and personal health information that would improve decision-making by making health information available when and where it is needed  Set of technologies, standards, applications, systems, values, and laws that support all facets of individual health, health care, and public health

14 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 14 What it is not  Not a centralized database of medical records  Not a government regulation  Not an EHR, PHR, CCR – but a framework within which those and other elements contribute

15 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 15 Local/Regional Initiatives  Santa Barbara County Care Data Exchange  Indianapolis Network for Patient Care  Different approaches, similar goals: Provide a simple and secure way to electronically access patient data across organizations Provide a public utility available to all physicians, caregivers, and consumers Construct an experiment to determine whether a community would share the cost of a regional IT infrastructure 1 1 The Santa Barbara Vision, Sam Karp, Director, June 22, 2004

16 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 16 LHII Security  Local security inoperability Encryption standard Public key administration  Use local “utility” Create and mange security standards May serve to provide security services to some participants (e.g., hardened data center)

17 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 17 NHII Security  Access and security Authentication Access controls to allowed data Monitors and records access requests  Identity correlation, using Centralized master person index Intelligent matching of similar records  Information locator service Links to patient records Demographic data of all patients

18 EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match EHR and Security

19 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 19 Balancing Act  EHRs can provide greater privacy and security, e.g., Access controls can be more granular Authentication mechanisms provide audit trails and non- repudiation Disaster recovery plans assure greater availability Encryption can provide confidentiality and data integrity  But,... Information flows more easily, risk of mishap is greater Collection of large volumes of data more feasible and risky Sharing of information for treatment, payment, and operations misunderstood New methods to attack data are continuously being developed

20 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 20 Weakest Links  The weakest links in the security chain are: People, e.g.,  Concerns about “restrictive” access controls  Reluctance to authenticate  Lack of patient education Policies, e.g.,  Widespread use of templates without understanding organization-specific risks  Inconsistent management responsibility and accountability Processes, e.g.,  Open campuses  “Emergency mode”  Ownership of record issues

21 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 21 EHR Security Issues  If an organization make a very large investment in EHR The organization needs to be prepared to make a commensurate investment in security  EHR is not one more stovepipe, with source documents or print outs as back up The vision of EHR is to use the technology for all aspects of patient care

22 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 22 Threat Sources  Accidental Acts Incidental disclosures Errors and omissions Proximity to risk areas Work stoppage Equipment malfunction  Deliberate Acts Inattention/inaction Misuse/abuse of privileges Fraud Theft/embezzlement Extortion Vandalism Crime  Environmental threats Contamination Fire Flood Weather Power HVAC

23 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 23 Vulnerabilities  Administrative Policy Accountability Management Resources Training Documentation  Physical Entrance/exit controls Supervision/monitoring Locks, barriers, routes Hardware Property Disposal  Technical New applications Major modifications Network reconfiguration New hardware Open ports Architecture Controls

24 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 24 Risk Analysis  Has the threat occurred before?  How frequently?  Does threat source have: Access, knowledge, motivation? Predictability, forewarning? Known speed of onset, spread, duration?  Are controls available to: Prevent? Deter? Detect? React? Recover?  What harm does the threat exploiting the vulnerability do to: Patient care? Confidentiality? Potential for complaint/lawsuit? Productivity? Revenue? Cost of remediation? Licensure/ accreditation? Public relations/ consumer confidence, goodwill, competitive advantage?

25 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 25 Risk Management

26 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 26 The Latest Apps  CPOE and e-Rx  Clinical messaging  EHR  Web portals  CCR  PHR  Critical data  Unknown viewers  Ties everything together  Entrée  Begins sharing  Patient access

27 EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match EHR, NHII, and Security

28 Security Identity Management Password Reset Access Management Software Bio- metrics Password Synchron- ization Single Sign-on Tokens & Smart Cards 28 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group

29 29 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group Local LAN Corporate WAN Proprietary Connectivity Supporting Systems Internet Gateway Security Event Management

30 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group 30 Transmission Protections  Access controls  Alarms  Audit trail  Encryption  Entity authentication  Event reporting  Integrity controls  Message authentication

31 References & Resources www.brownstone.com www.hcpro.com https://catalog.ama- assn.org www.ahima.org 31 Copyright © 2004, Margret\A Consulting, LLC and Boundary Information Group

32 32 Contact Information  Margret Amatayakul, RHIA, CHPS, FHIMSS Margret\A Consulting, LLC Schaumburg, IL MargretCPR@aol.com www.margret-a.com  Steven S. Lazarus, PhD, FHIMSS Boundary Information Group Denver, CO SSLazarus@aol.com www.boundary.net

Download ppt "EHRs/NHII: HIPAA Security and EHRs, a Near Perfect Match Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS."

Similar presentations

Quality Data for a Healthy Nation by Mary H. Stanfill, RHIA, CCS, CCS-P.

Quality Data for a Healthy Nation by Mary H. Stanfill, RHIA, CCS, CCS-P.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.

CHAPTER © 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2 The Use of Health Information Technology in Physician Practices.
HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Critical Access and Small Hospitals

HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Critical Access and Small Hospitals
Security Controls – What Works

Security Controls – What Works
Hospitals and Health Systems: Negotiating the ROI for CPOE/ e-Prescribing Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS.

Hospitals and Health Systems: Negotiating the ROI for CPOE/ e-Prescribing Margret Amatayakul, RHIA, CHPS, FHIMSS Steven S. Lazarus, PhD, FHIMSS.
Bringing Technology to the Rural Hospital Rural Telecon ‘07 October 17, 2007.

Bringing Technology to the Rural Hospital Rural Telecon ‘07 October 17, 2007.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
July 3, 2015 New HIE Capabilities Enable Breakthroughs In Connected And Coordinated Care Delivery. January 8, 2015 Charissa Fotinos.

July 3, 2015 New HIE Capabilities Enable Breakthroughs In Connected And Coordinated Care Delivery. January 8, 2015 Charissa Fotinos.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 5 Personal Health Records Electronic Health Records for Allied.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 5 Personal Health Records Electronic Health Records for Allied.
ELECTRONIC HEALTH RECORD

ELECTRONIC HEALTH RECORD
Health Information Technology for Post Acute Care (HITPAC): Minnesota Project Overview Candy Hanson Program Manager Julie Jacobs HIT Consultant June 13,

Health Information Technology for Post Acute Care (HITPAC): Minnesota Project Overview Candy Hanson Program Manager Julie Jacobs HIT Consultant June 13,
HIE Implementation in Michigan for Improved Health As approved by the Michigan Health Information Technology Commission on March 4, 2009.

HIE Implementation in Michigan for Improved Health As approved by the Michigan Health Information Technology Commission on March 4, 2009.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.
NAPHSIS Annual Meeting 2009 Electronic Health Records: Why are they important? Linette T Scott, MD, MPH Deputy Director Health Information and Strategic.

NAPHSIS Annual Meeting 2009 Electronic Health Records: Why are they important? Linette T Scott, MD, MPH Deputy Director Health Information and Strategic.
HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Physician Offices.

HIT Toolkit How to Use the Toolkit Health Information Technology Toolkit for Physician Offices.
Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating.

Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating Efficiencies Empowering Citizens Transforming Services Creating.
Advanced Strategies in HIPAA Security Risk Analysis

Advanced Strategies in HIPAA Security Risk Analysis
0 Presentation to: Health IT HIPPA Workshop Presented by: Stacey Harris, Director of Health IT Innovation September 26, 2014 Division of Health Information.

0 Presentation to: Health IT HIPPA Workshop Presented by: Stacey Harris, Director of Health IT Innovation September 26, 2014 Division of Health Information.

Similar presentations

Ads by Google