Read Sayles Ch 12 in the textbook and research the Specifications Manual for Joint Commission National Quality Measures.
The Memorial Hospital has had some issues with rejected data due to formatting errors when reporting core measures to the Joint Commission. This has prompted an evaluation of the data elements to see if they comply with the Specifications for the Joint Commission’s National Quality Measures (Specifications). You are tasked with this evaluation. Use the data elements listed in the table below and evaluate if they are correct or if they need updating. Complete the missing fields in the table by indicating if the elements need updating. Additionally, solve the issue of incorrect data elements by modifying them to meet the Specifications.
Lastly, propose two strategies you would recommend to ensure data elements meet the Specifications moving forward.
Data Elements Table

Data Element Evaluated | Current Description | Is an Update Needed? (Yes/No) | Updated Description
Admission Date | MM-DD-YY | |
Birthdate | MM-DD-YY | |
Discharge Date | MM-DD-YY | |
Discharge Disposition | Select 1 of 7 options. | |
Hispanic Ethnicity | Select Y for Yes or N for No | |
Race | Select 1 of 5 options. 1. White, 2. Black or African American, 3. American Indian or Alaska Native, 4. Asian, 5. Native Hawaiian or Pacific Islander | |
Sex | Select 1 of 2 options. Male (M) or Female (F) | |
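A pre-submission check of the kind this evaluation leads to, written here as an added example (it is not part of the assignment, the textbook, or any Joint Commission tooling). The coded-value lists follow the option counts given in the table; the four-digit-year date format and the field names are assumptions to be confirmed against the current Specifications Manual:

```python
import re
from datetime import datetime

# Zero-padded month and day, four-digit year (assumed target format; confirm
# against the current Specifications Manual before relying on it).
DATE_RE = re.compile(r"^(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])-[0-9]{4}$")


def check_date(value):
    """Return None if value is a valid MM-DD-YYYY calendar date, else an error message."""
    if not DATE_RE.match(value):
        return "expected MM-DD-YYYY (four-digit year, zero-padded month and day)"
    try:
        datetime.strptime(value, "%m-%d-%Y")   # rejects e.g. 02-30-2024
    except ValueError:
        return "not a valid calendar date"
    return None


def check_coded(allowed):
    """Build a check that accepts only the listed code values."""
    def check(value):
        return None if value in allowed else f"value must be one of {sorted(allowed)}"
    return check


# One check per data element in the table. Option counts come from the table
# ("1 of 7", "1 of 5", Y/N, M/F); the numeric code values themselves are constructed.
SPEC = {
    "Admission Date": check_date,
    "Birthdate": check_date,
    "Discharge Date": check_date,
    "Discharge Disposition": check_coded({"1", "2", "3", "4", "5", "6", "7"}),
    "Hispanic Ethnicity": check_coded({"Y", "N"}),
    "Race": check_coded({"1", "2", "3", "4", "5"}),
    "Sex": check_coded({"M", "F"}),
}


def validate_record(record):
    """Return a list of (element, submitted value, problem) for every failing element.

    An empty list means the record is ready to submit.
    """
    errors = []
    for element, check in SPEC.items():
        value = record.get(element)
        if value is None or str(value).strip() == "":
            errors.append((element, value, "missing"))
            continue
        problem = check(str(value).strip())
        if problem:
            errors.append((element, value, problem))
    return errors


# Constructed sample records (not real patient data).
GOOD_RECORD = {
    "Admission Date": "03-14-2024", "Birthdate": "07-02-1958",
    "Discharge Date": "03-18-2024", "Discharge Disposition": "1",
    "Hispanic Ethnicity": "N", "Race": "1", "Sex": "F",
}
BAD_RECORD = {
    "Admission Date": "03-14-24",        # two-digit year, the format in the table
    "Birthdate": "07-02-1958",
    "Discharge Date": "02-30-2024",      # right shape, impossible date
    "Discharge Disposition": "9",        # outside the 7 allowed options
    "Hispanic Ethnicity": "Yes",         # free text instead of Y/N
    "Race": "White",                     # label instead of code
    "Sex": "Female",                     # label instead of M/F
}

if __name__ == "__main__":
    for element, value, problem in validate_record(BAD_RECORD):
        print(f"{element}: {value!r} -> {problem}")
```

Running the check inside the abstraction or export workflow, before the file leaves the hospital, turns a rejection from the Joint Commission into a fixable error at the point of entry; the regex catches the two-digit-year format while the `strptime` step catches values that look right but are not real dates.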
Introduction to Information Systems for Health Information Technology
Chapter 12: Security
© 2021 American Health Information Management Association
Learning Objectives
• Educate staff on security issues.
• Discuss federal security regulation.
• Recommend security measures.
• Develop policies and procedures on security practices.
• Control access to protected health information.
• Conduct audits for security violations.
Introduction
• Data classification
– Clinical, administrative, financial
– PHI, sensitive, and public
Introduction
• Three states of data
– Data at rest
– Data in motion
– Data in use
Introduction
• State laws
• Federal laws
– Health Insurance Portability and Accountability Act of 1996
Introduction to HIPAA
• Administrative simplification
– Transaction and Code Sets Rule
– Privacy Rule
– Security Rule
• Protected health information
– Individually identifiable health information that is transmitted or maintained in any form or format by an organization subject to HIPAA
Introduction to HIPAA
• Covered entity
– Transmits any health information in electronic form for one of the covered transactions
– Includes:
• Health plan
• Healthcare provider
– Transmits health information
• Healthcare clearinghouse
Introduction to HIPAA
• Covered Transactions
– Premium payments
– Eligibility
– Claims
– Claim status
– Payment and remittance advice
– And more
Transaction and Code Sets Rule
• Standardize electronic transactions
• Designated standards maintenance organizations:
– Accredited Standards Committee X12
– Dental Content Committee of the American Dental Association
– Health Level 7 (HL7)
– National Council for Prescription Drug Programs
– National Uniform Billing Committee
– National Uniform Claim Committee
Transaction and Code Sets Rule
• Allows for
– Electronic data interchange
– Data elements
– Format of data for claim submission
Transaction and Code Sets Rule—Code Sets
• HIPAA defines a code set as a set of codes used to encode data elements (45 CFR 160, 162, and 164 2013).
Transaction and Code Sets Rule—Code Sets
• International Classification of Diseases, Tenth Revision, Clinical Modification (ICD-10-CM)
• International Classification of Diseases, Tenth Revision, Procedural Coding System (ICD-10-PCS)
• Current Procedural Terminology, Fourth Edition (CPT-4)
• Healthcare Financing Administration Common Procedure Coding System (HCPCS)
• Code on Dental Procedures and Nomenclature, Second Edition (CDT-2)
• National Drug Codes (NDC)
HIPAA Privacy Rule
• Controls how PHI can be used
• Business associates
– Subject to HIPAA
– Examples include:
• Coding
• Disclosure of health information
• Billing
Privacy Rule—Patient Rights
• Notice of privacy practices
• Inspect and obtain a copy of PHI
• Request amendment
• Request alternative method of communication
• Report privacy violations
• Request restrictions on use of PHI
Security Rule
• Definition of security
– The means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction, or loss
– The physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect the confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems
Security Rule
• Applies only to ePHI
– Not PHI in other media
• Technology neutral
• Scalable
American Recovery and Reinvestment Act of 2009—New Requirements
• Certification of EHRs
– Office of the National Coordinator for Health Information Technology–Authorized Certification Bodies and Accredited Testing Laboratories
• HIPAA audits
• Increased penalties
• Business associates subject to privacy and security rules
Security Threats and Safeguards
• Threats are the potential for a vulnerability to be exploited
• Vulnerabilities are weaknesses that could be exploited, thus creating a breach of security
Security Threats and Safeguards
• Internal
– Hardware
– Environment
– Employees
• Honest mistakes (human error)
• Employees who exploit access
• Employees who use access for malice or gain
Security Threats and Safeguards
• External
– External people who access data or steal hardware
– Natural disasters
Security Threats and Safeguards
• Goals of Security Rule (CIA Triad)
– Confidentiality
– Integrity
– Availability
Security Threats and Safeguards
• Administrative safeguards
– People focused
– Training
– Policies
– Assignment of an individual responsible for security
Security Threats and Safeguards
• Physical safeguards
– Protect hardware, software, and data
• Fire
• Flood
• Unauthorized access
• Theft
Security Threats and Safeguards
• Technical safeguards
– Use technology to protect data and control access
Security Threats and Safeguards
• Implementation specifications
– Required standards must be implemented by all CEs to protect the ePHI
– Addressable standards must be evaluated by the entity to determine whether or not the standard is reasonable and appropriate
Administrative Safeguards and the Security Management Process—Risk Analysis
• Threats
– Natural disasters
– Fire
– Errors in data entry
– Viruses
– Unauthorized access
Administrative Safeguards and the Security Management Process—Risk Analysis
• Vulnerabilities
– Technical
– Nontechnical
• Security controls
– Firewalls
– Employee termination procedures
– Virus protection software
Administrative Safeguards and the Security Management Process—Risk Management
• Minimize potential for injuries
• Anticipate and respond to ensuing liabilities for those injuries that do occur
• Risk management plan
Administrative Safeguards and the Security Management Process—Sanction Plan
• Outlines how employees will be penalized for failing to follow security policies and procedures
• Information system activity review
Administrative Safeguards and the Security Management Process—Assigned Security Responsibility
• HIPAA requires someone to be in charge of the security program
– Frequently known as chief security officer (CSO)
Administrative Safeguards and the Security Management Process—Assigned Security Responsibility
• Developing the security goals and objectives for the CE
• Determining how the goals and objectives will be met
• Advising administration regarding information security
• Determining reporting procedures
• Conducting adequate risk assessment and determining the appropriate level of risk acceptance
• Developing and monitoring the overall security program
Administrative Safeguards and the Security Management Process—Workforce Security
• Information access management involves implementing policies and procedures to determine which employees have access to what information
• Separating non-health clearinghouse functions from CE functions
Administrative Safeguards and the Security Management Process—Workforce Security
• Workforce clearance procedure ensures that each member of the workforce’s level of access is appropriate
• Termination process eliminates access to the information systems by a member of the workforce when that person’s employment with the CE ends
Administrative Safeguards and the Security Management Process—Workforce Security
• Security awareness training
– Basic training
– Job-specific training
Administrative Safeguards and the Security Management Process—Workforce Security
• Training
– Orientation
– Periodic reminders
– Documentation—6-year retention
• Sign-in sheets
• Handouts
• Emails
• Training database
Administrative Safeguards and the Security Management Process—Managing a Security Incident
• Security incident
– Attempted or successful access to PHI
– Includes unauthorized access, use, disclosure, destruction, or interference with a system
Administrative Safeguards and the Security Management Process—Managing a Security Incident
• Identify and report incidents
– Policy and procedures
– Forensics
– Spoliation
– Mitigation
Administrative Safeguards and the Security Management Process—Managing a Security Incident
• Security event
– Poor practices
– No harm
• Security incident
– Harm
– Significant risk of harm
Administrative Safeguards and the Security Management Process—Ongoing Security Procedure Evaluation
• Ongoing monitoring and evaluation
• Includes
– Technical processes
• Encryption, access controls and more
– Nontechnical processes
• Policies and procedures, training, and more
Administrative Safeguards and the Security Management Process—Contingency and Business Continuity Planning
• Business continuity plan
– Operate during computer downtime
• Contingency plan
– Reaction in IS emergency
• Back-ups
• Redundancy
• Emergency mode operation plan
Administrative Safeguards and the Security Management Process—Data Recovery
• Recouping lost data
• Playing catch-up with data entry
• Hot site
Business Associate Contracts or Other Arrangements
• Organizations that conduct business on behalf of the CE
– Must require access to PHI
• Subject to HIPAA Security Rule
• Business associate agreement
– Responsibilities
– How BA should protect PHI
– Terminate contract if BA fails to meet the responsibilities in the BAA
Technical Safeguards
• “The technology and the policy and procedures for its use that protect electronic protected health information and control access to it” (45 CFR 160, 162, and 164 2013).
• Includes:
– Technology
– Policies and procedures
Technical Safeguards—Access Control Systems and Authentication
• Access controls prevent unauthorized use of an information resource
• Policies required on who can
– View data
– Create data
– Modify data
Technical Safeguards—Types of Authentication
• Role-based
• User-based
• Context-based
• Emergency access procedure
Technical Safeguards—User Authentication Methods
• Methods
– Something you know (password)
– Something you have (token)
– Something you are (biometrics)
• One-factor authentication
– Example: user name and password
• Two-factor authentication
– Example: password and token
Technical Safeguards—User Authentication Methods
• Passwords
– Strong passwords
– Should be changed periodically
– Should not be reused anytime soon
– Should not be shared with others
– Single sign-on systems
Technical Safeguards—User Authentication Methods
• Tokens
• Biometric identifiers
– Retinal scans, fingerprints, facial recognition, and voice prints
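The three user-authentication slides above describe the factors in the abstract; the following is an added example (not code from the textbook or AHIMA) of how "something you know" and "something you have" are checked together in a two-factor login. The password is stored as a salted PBKDF2 hash and the token code follows RFC 4226 (HOTP); the credential store, user names and the 200,000-round work factor are assumptions for the example:

```python
import hashlib
import hmac
import os
import struct

# Factor 1, "something you know": passwords are stored only as a salted PBKDF2
# hash, so a stolen credential table does not yield the passwords themselves.
PBKDF2_ROUNDS = 200_000   # assumed work factor; tune to the hardware in use


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)   # constant-time comparison


# Factor 2, "something you have": an event-based one-time code from a hardware
# or software token, computed as in RFC 4226 (HOTP) over a shared secret.
def hotp(secret, counter, digits=6):
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def verify_token(secret, stored_counter, code, look_ahead=3):
    """Return the next counter value if code matches within the window, else None."""
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1          # move past the used code so it cannot be replayed
    return None


# Constructed in-memory credential store (assumption; a real system keeps this
# in a protected database with the token secret stored separately).
USERS = {}


def enroll(username, password, token_secret):
    salt, digest = hash_password(password)
    USERS[username] = {"salt": salt, "digest": digest,
                       "token_secret": token_secret, "counter": 0}


def login(username, password, code):
    """Two-factor login: succeeds only when both factors verify."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = verify_password(password, user["salt"], user["digest"])
    next_counter = verify_token(user["token_secret"], user["counter"], code)
    if not password_ok or next_counter is None:
        return False
    user["counter"] = next_counter
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 test-vector secret
    enroll("jdoe", "correct horse battery staple", secret)
    print(login("jdoe", "correct horse battery staple", hotp(secret, 0)))   # True
    print(login("jdoe", "correct horse battery staple", hotp(secret, 0)))   # False: replayed code
```

The counter advances only after a successful login, so a captured code is useless a second time, and the look-ahead window tolerates a token that was pressed a few times without being used. A user name and password alone would be the one-factor case on the slide; the token turns it into two factors because a guessed or phished password still fails without the device.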
Technical Safeguards
• Automatic log-off
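An added example (not from the textbook or AHIMA) that puts the role-based, user-based, context-based and emergency-access checks from the "Types of Authentication" slide and the automatic log-off from this slide into one authorization routine. The permission tables, units, shift hours and the 15-minute idle limit are all constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed policy tables (assumptions for this example, not any product's defaults).
ROLE_PERMISSIONS = {                      # role-based: what each job function may do
    "physician": {"view", "create", "modify"},
    "nurse": {"view", "create"},
    "billing": {"view"},
}
USER_DENIALS = {                          # user-based: per-person restrictions on top of the role
    "nurse_temp": {"create"},
}
IDLE_TIMEOUT = timedelta(minutes=15)      # automatic log-off threshold (assumed)


@dataclass
class Session:
    user: str
    role: str
    unit: str                 # context: the unit the user is assigned to
    shift_start: time         # context: scheduled working hours
    shift_end: time
    last_activity: datetime
    logged_off: bool = False


def authorize(session, action, patient_unit, now, break_glass=False, audit=None):
    """Decide whether `action` on a record from `patient_unit` is allowed right now.

    Returns (allowed, reason) and appends one audit entry per decision, so
    denials and emergency accesses are recorded as well as normal use.
    """
    if audit is None:
        audit = []

    def decide(allowed, reason):
        audit.append({"time": now.isoformat(), "user": session.user, "action": action,
                      "unit": patient_unit, "allowed": allowed, "emergency": break_glass,
                      "reason": reason})
        return allowed, reason

    # Automatic log-off: an idle session is ended rather than silently reused.
    if session.logged_off or now - session.last_activity > IDLE_TIMEOUT:
        session.logged_off = True
        return decide(False, "session ended by automatic log-off; re-authentication required")
    session.last_activity = now

    # Role-based check, narrowed by any user-based denials.
    permitted = set(ROLE_PERMISSIONS.get(session.role, set())) - USER_DENIALS.get(session.user, set())
    if action not in permitted:
        return decide(False, f"'{action}' not permitted for {session.user} ({session.role})")

    # Context-based check: own unit, during scheduled hours.
    in_unit = patient_unit == session.unit
    on_shift = session.shift_start <= now.time() < session.shift_end
    if in_unit and on_shift:
        return decide(True, "role, user, and context checks passed")

    # Emergency access procedure: view-only, outside normal context, flagged for review.
    if break_glass and action == "view":
        return decide(True, "emergency access granted outside normal context; flagged for review")
    return decide(False, "context check failed: outside assigned unit or scheduled shift")


def run_scenario():
    """Constructed walk-through of one nurse's session; returns (decisions, audit log)."""
    audit = []
    t0 = datetime(2024, 3, 14, 9, 0)
    nurse = Session("nurse_a", "nurse", "ICU", time(7, 0), time(19, 0), t0)
    decisions = [
        authorize(nurse, "view", "ICU", t0 + timedelta(minutes=5), audit=audit)[0],
        authorize(nurse, "modify", "ICU", t0 + timedelta(minutes=6), audit=audit)[0],
        authorize(nurse, "view", "ONC", t0 + timedelta(minutes=7), audit=audit)[0],
        authorize(nurse, "view", "ONC", t0 + timedelta(minutes=8), break_glass=True, audit=audit)[0],
        authorize(nurse, "view", "ICU", t0 + timedelta(minutes=30), audit=audit)[0],
    ]
    return decisions, audit


if __name__ == "__main__":
    for entry in run_scenario()[1]:
        print(entry["time"], entry["user"], entry["action"], entry["allowed"], entry["reason"])
```

The scenario yields allow, deny (role), deny (context), allow (emergency, flagged), deny (idle log-off). The emergency path is deliberately narrow: it bypasses only the context check, never the role check, and every use lands in the audit list with the `emergency` flag set so the audit-control review on the later slide can pick it up.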
Technical Safeguards—Audit Controls
• Record and examine user activity
– Audit trails
– Triggers
– Data stored on separate server
• Limited access
– Audit reduction tools
– Signature-detection tools
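An added example (not from the textbook or AHIMA) of the "triggers" and "audit reduction" items on this slide: three rules run over an audit-trail extract so a reviewer sees a handful of flagged events instead of every access. The staff directory, the log lines and the thresholds are constructed for the example and are not real data:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed staff directory (assumption): username -> surname and scheduled hours.
STAFF = {
    "rgarcia": {"surname": "Garcia", "shift": (7, 19)},
    "jsmith": {"surname": "Smith", "shift": (7, 19)},
    "tlee": {"surname": "Lee", "shift": (7, 19)},
}

# Constructed audit-trail extract (not real data): time|user|patient_id|patient_surname|action
AUDIT_LOG = """\
2024-03-14T08:05:12|rgarcia|P1001|Nguyen|view
2024-03-14T08:07:40|rgarcia|P1002|Patel|view
2024-03-14T23:15:03|jsmith|P1003|Smith|view
2024-03-14T13:02:10|tlee|P2001|Ortiz|view
2024-03-14T13:03:05|tlee|P2002|Kim|view
2024-03-14T13:03:50|tlee|P2003|Brown|view
2024-03-14T13:04:31|tlee|P2004|Rossi|view
2024-03-14T13:05:12|tlee|P2005|Abara|view
2024-03-14T13:06:00|tlee|P2006|Silva|view
"""

VOLUME_WINDOW = timedelta(minutes=10)   # trigger thresholds are assumptions
VOLUME_LIMIT = 5                        # more than this many distinct patients per window


def parse_log(text):
    """Turn the pipe-delimited extract into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient_id, surname, action = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "patient_id": patient_id, "patient_surname": surname,
                       "action": action})
    return events


def run_triggers(events, staff=STAFF):
    """Apply three audit-reduction triggers; return (user, reason, time) alerts."""
    alerts = []
    per_user = defaultdict(list)
    for ev in events:
        info = staff.get(ev["user"])
        when = ev["time"].isoformat()
        if info is None:
            alerts.append((ev["user"], "user id not in staff directory", when))
            continue
        # Trigger 1: employee and patient share a surname (possible family-record snooping).
        if ev["patient_surname"].casefold() == info["surname"].casefold():
            alerts.append((ev["user"],
                           f"accessed record with matching surname {ev['patient_surname']}", when))
        # Trigger 2: access outside the user's scheduled hours.
        start, end = info["shift"]
        if not start <= ev["time"].hour < end:
            alerts.append((ev["user"], "access outside scheduled shift hours", when))
        per_user[ev["user"]].append(ev)
    # Trigger 3: unusually many distinct patients in a short window.
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - first["time"] <= VOLUME_WINDOW]
            distinct = {e["patient_id"] for e in window}
            if len(distinct) > VOLUME_LIMIT:
                alerts.append((user, f"{len(distinct)} distinct patients within {VOLUME_WINDOW}",
                               first["time"].isoformat()))
                break   # one alert per user is enough to open a review
    return alerts


if __name__ == "__main__":
    for user, reason, when in run_triggers(parse_log(AUDIT_LOG)):
        print(when, user, reason)
```

On the sample extract the two routine accesses by `rgarcia` produce nothing, the late-night access by `jsmith` to a patient named Smith fires both the surname and the after-hours trigger, and `tlee` trips the volume trigger. Running the rules on a copy of the trail held on a separate, restricted server, as the slide recommends, keeps the people being reviewed from altering the evidence.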
Technical Safeguards—Integrity
• Protects data from inappropriate modification or corruption
– Intentional
– Unintentional
• Example: Hardware failure
Technical Safeguards—Transmission Security
• Protect ePHI while being transmitted between two points
– Encryption is used to protect data as it moves across networks
• Symmetric
– Secret key
• Asymmetric
– Public key
» 2 keys: private and public
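An added example (not from the textbook or AHIMA) serving both the Integrity slide and the symmetric secret-key bullet above: a keyed HMAC tag is attached to a record so that both unintentional corruption and intentional modification are detected when the record is read back or received. The shared key and the sample record are constructed for the example:

```python
import hashlib
import hmac
import json

# Constructed shared secret (assumption). Both ends hold the same key, which is
# what makes this a symmetric (secret-key) mechanism; in practice the key comes
# from a key store and is never embedded in source.
SHARED_KEY = b"example-shared-integrity-key"


def seal(record, key=SHARED_KEY):
    """Serialize a record and append an HMAC-SHA256 tag over the exact bytes stored or sent."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload + b"." + tag.encode("ascii")


def verify(blob, key=SHARED_KEY):
    """Return (True, record) if the tag matches the payload, else (False, None).

    The tag is checked before the payload is parsed, so corrupted or altered
    bytes are rejected without being interpreted.
    """
    payload, _, tag = blob.rpartition(b".")   # the hex tag never contains '.'
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):
        return False, None
    return True, json.loads(payload.decode("utf-8"))


# Two ways a record can lose integrity, simulated on the stored bytes.
def alter_field(blob, old, new):
    """Intentional modification: change the content but keep the original tag."""
    payload, sep, tag = blob.rpartition(b".")
    return payload.replace(old, new) + sep + tag


def flip_bit(blob, index):
    """Unintentional corruption: one bit flipped, as a failing disk or link might do."""
    damaged = bytearray(blob)
    damaged[index] ^= 0x01
    return bytes(damaged)


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {"mrn": "000123", "allergy": "penicillin", "dose_mg": 500}

if __name__ == "__main__":
    stored = seal(SAMPLE_RECORD)
    print(verify(stored))                                    # (True, {...})
    print(verify(alter_field(stored, b"500", b"5000")))      # (False, None)
    print(verify(flip_bit(stored, 10)))                      # (False, None)
```

A plain checksum would catch the flipped bit but not the edited dose, because anyone who can change the bytes can recompute an unkeyed checksum; the keyed tag cannot be recomputed without the shared secret. The tag provides integrity only: the payload remains readable, so confidentiality in transit still requires the encryption described on this slide, and because the same key both creates and checks the tag, the receiver cannot prove to a third party who sent it, which is where the asymmetric two-key approach comes in.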
Technical Safeguards—Network Security
• Protect data on network
– Penetration testing
– Firewall
– Virtual private network
– Intrusion detection system
– Intrusion prevention systems
– Data loss prevention
Malicious Software
• Also known as malware
• Designed to harm computers
– Email
– Downloading software
– Webpages
Malicious Software—Medical Device
• “An article, instrument, apparatus or machine that is used in the prevention, diagnosis or treatment of illness or disease, or for detecting, measuring, restoring, correcting or modifying the structure or function of the body for some health purpose” (WHO 2017).
Malicious Software—Malware
• Virus
• Worms
• Trojans
• Bots
• Spyware
• Ransomware
Social Engineering
• Baiting
• Phishing
• Email hacking and contacts
• Pretexting
• Quid pro quo
• Vishing
Physical Safeguards
• Protect hardware, business and equipment
– Natural disasters
– Tampering
– Theft
– Fire
Physical Safeguards—Facility Access Controls
• Limit access to data center and software
– Card keys or access codes
– Business need
– Escort visits
– Cameras
Physical Safeguards—Workstation Use
• Includes PCs, laptops, mobile devices, and more
– Black-out screens
– Point away from public
– Policies and procedures
Physical Safeguards—Device and Media Controls
• Track media that stores ePHI
• Appropriate disposal
– Degaussing
– Reuse
Physical Safeguards—Mobile Security
• Tablets, smartphones, and more
– Track mobile devices
– Inventory devices
– Encryption
– Identifying who owns devices
– Identifying who owns data
– Bring Your Own Device (BYOD)
– Remote wipe
Physical Safeguards—Fire and Natural Disasters
• Restoration contracts
• Remote back-up site
Penalties
• Office of Inspector General
– Civil penalties
– Criminal penalties
Certifications
• Certified in Healthcare Privacy and Security (CHPS)
• Certified Information Security Manager (CISM)
• Certified Information Systems Security Professional (CISSP)
References
• 45 CFR 160, 162, and 164. 2013. HIPAA administrative simplification regulation text (unofficial version, as amended through March 26). https://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf.
• World Health Organization (WHO). 2017. Medical Devices. http://www.who.int/medical_devices/definitions/en/.