Privacy, Confidentiality, and Security

Privacy, Confidentiality, and Security
M8120
Fall 2001
Scope and Standards of Informatics Practice

The informatics nurse develops policies, procedures, and guidelines based on research and analytical findings, which may include:
– Ensuring the validity and integrity of data
– Ensuring the ethical use of informatics solutions
– Ensuring the confidentiality and security of data and privacy for individuals
Ensures that the informatics solution is in compliance with recognized standards from accrediting and regulatory agencies
Informatics Competencies

Beginning nurse
– Seeks available resources to help formulate ethical decisions in computing
– Describes patients’ rights as they pertain to computerized information management
Experienced nurse
– Interprets copyright issues in computing
– Discusses features, capabilities and scope of user passwords
– Devises strategies to protect confidentiality of computerized information
– Differentiates issues surrounding confidentiality in computerized information management
Staggers, Gassert, & Curran, 2001
Informatics Competencies

Informatics specialist knowledge
– Interprets copyright issues in computing
– Discusses features, capabilities and scope of user passwords
– Devises strategies to protect confidentiality of computerized information
– Differentiates issues surrounding confidentiality in computerized information management
Informatics specialist skills
– Develops policies related to privacy, confidentiality, and security of patient and client data
– Recommends procedures for achieving data integrity and security
– Analyzes the capability of information technology to support programs of data integrity and security
Staggers, Gassert, & Curran, 2001
Definitions

Privacy – the right of individuals to be left alone and to be protected against physical or psychological invasion or the misuse of their property. It includes freedom from intrusion or invasion into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference. (ASTM E-31, 1997)
A Balance

Privacy rights
Access needs
– Treatment
– Public health
– National security
Definitions

Confidentiality – the status accorded to data or information indicating that it is sensitive for some reason and therefore it needs to be protected against theft, disclosure or improper use, or both, and must be disseminated only to authorized individuals or organizations with a need to know. (ASTM E-31, 1997)

What are some examples of confidential data?
Breaches of Confidentiality

Accidental disclosures – inadvertent actions, unintentional mistakes
Insider curiosity – insiders accessing celebrities’ or friends’ information
Insider subordination – insider revenge
Uncontrolled secondary usage – use for purposes other than those intended, without patient authorization
Unauthorized access – hacking or use of another’s password
Definitions

Security – the means to control access and protect information from accidental or intentional disclosure to unauthorized persons and from alteration, destruction or loss (CPRI)
Definitions

Data security – the result of effective protection measures; the sum of measures that safeguard data and computer programs from undesired occurrences and exposure to:
– accidental or intentional disclosure to unauthorized persons
– accidental or malicious alteration,
– unauthorized copying,
– loss by theft or destruction by hardware failures, software deficiencies, operating mistakes, or physical damage by fire, water, smoke, excessive temperature, electrical failure, or sabotage, or a combination thereof.
ASTM E-31, 1997
Definitions

System security – the result of all safeguards including hardware, personnel policies, information practice policies, disaster preparedness, and oversight of these components. Security protects both the system and the information contained within from unauthorized access from without and misuse from within.
ASTM E-31, 1997
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

AKA – Administrative Simplification, Kennedy-Kassebaum, K-2
Purposes
– Improved efficiency in healthcare delivery by standardizing electronic data exchange
– Protection of confidentiality and security of health data through setting and enforcing standards
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Includes:
– Standardization of electronic patient health, administrative, and financial data
– Unique health identifiers for individuals, employers, health plans, and health care providers
– Security standards protecting the confidentiality and integrity of “individually identifiable health information”, past, present, or future
Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Electronic health transactions standards
Unique identifiers
Security and electronic signature standards
Privacy and confidentiality standards
Definitions

Individually identifiable health information – information that is a subset of health information, including demographic information collected from an individual, and that:
– Is created by or received from a health care provider, health plan, employer, or health care clearinghouse
– Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and which identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual
Definitions

Protected health information – individually identifiable health information that is:
– Transmitted by electronic media
– Maintained in electronic media
– Transmitted or maintained in any other form or medium
Definitions

De-identified information – information that is not individually identifiable
HIPAA Privacy and Confidentiality Standards

Limit the non-consensual use and release of personal health information
Give patients new rights to access their medical records and to know who else has accessed them
Restrict most disclosure of health information to the minimum needed for the intended purpose
Establish new criminal and civil sanctions for improper use or disclosure
Establish new requirements for access to records by researchers and others
HIPAA Privacy and Confidentiality Standards: 5 Principles

Consumer control – the regulation provides consumers with critical new rights to control their medical information
Boundaries – with few exceptions, an individual’s health care information should be used for health purposes only, including treatment and payment
Accountability – specific penalties if the right to privacy is violated
Public responsibility – balance privacy with national priorities such as public health protection, medical research, improving quality of care, and fighting health care fraud and abuse
Security – organizational responsibility
HIPAA Security Standards

Information systems security requiring the protection of all affected computers and data from compromise or loss
Physical security requiring the protection of all buildings, facilities, and assets from compromise or threat
Audit trails of access to patient-identifiable information
Digital signature/data encryption requiring transmissions to be authenticated and protected from observation or change
Key Features of a Secure System and Network

Authentication
Authorization and access control
Data integrity
Accountability
Availability
Data storage
Data transmission
Key Features of a Secure System and Network: Authentication

Means of verifying the correct identity and/or group membership of individuals or other entities
Methods for authentication
– User name
– Something known only by the user (e.g., password)
– Something held only by the user (e.g., digital signature, secure ID token)
– Something attributable only to the user (e.g., fingerprint, retinal scan)
Key Features of a Secure System and Network: Authorization and Access Control

Access control lists for predefined users
– Reading
– Writing
– Modifications
– Deletion of data
– Deletion of programs
Key Features of a Secure System and Network: Data Integrity

Used to support information accuracy, to ensure that data have not been altered or destroyed in an unauthorized manner
Error detection and error correction protocols
Key Features of a Secure System and Network: Accountability

Ensures that the actions of any entity can be traced during the movement of data from its source to its recipient
Audit trails
– Identification of the user
– Data source
– Whose information
– Date and time
– Nature of the activity
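As an added example (not part of the original slides), the Python below ties the two preceding slides together: an access control list granting the listed rights (reading, writing, modifying, deleting data, deleting programs) per user, and an audit trail recording the five elements listed above for every access attempt, allowed or denied. A review pass over the trail then surfaces the "insider curiosity" and "unauthorized access" breaches named earlier, which the ACL alone cannot distinguish from legitimate use. User names, patient identifiers, the "EHR" source label and the assignment table are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Rights named on the slide; users, patients and ACL entries are constructed samples.
RIGHTS = ("read", "write", "modify", "delete_data", "delete_programs")
ACL: Dict[str, FrozenSet[str]] = {          # user -> granted rights
    "rn_alice": frozenset({"read", "write", "modify"}),
    "clerk_bob": frozenset({"read"}),
}
ASSIGNMENTS: Dict[str, FrozenSet[str]] = {  # user -> patients with need-to-know
    "rn_alice": frozenset({"pt-1001", "pt-1002"}),
    "clerk_bob": frozenset({"pt-1001"}),
}

@dataclass(frozen=True)
class AuditRecord:
    user: str        # identification of the user
    source: str      # data source
    patient: str     # whose information
    timestamp: str   # date and time (ISO 8601, UTC)
    activity: str    # nature of the activity
    allowed: bool    # outcome, so denied attempts are reviewable too

AUDIT_TRAIL: List[AuditRecord] = []

def access(user: str, source: str, patient: str, right: str,
           when: Optional[datetime] = None) -> bool:
    """Check the ACL for one access and always append an audit record."""
    if right not in RIGHTS:
        raise ValueError(f"unknown right: {right}")
    allowed = right in ACL.get(user, frozenset())
    stamp = (when or datetime.now(timezone.utc)).isoformat()
    AUDIT_TRAIL.append(AuditRecord(user, source, patient, stamp, right, allowed))
    return allowed

def review(trail: List[AuditRecord]) -> List[AuditRecord]:
    """Flag denied attempts, and allowed accesses to patients outside the
    user's assignment: the ACL grants the right, need-to-know shows only here."""
    return [r for r in trail
            if not r.allowed or r.patient not in ASSIGNMENTS.get(r.user, frozenset())]

def demo() -> List[tuple]:
    """Constructed scenario; returns (user, patient, activity, allowed) per flagged record."""
    AUDIT_TRAIL.clear()
    t = datetime(2001, 10, 1, 9, 0, tzinfo=timezone.utc)
    access("rn_alice", "EHR", "pt-1001", "read", t)    # assigned patient: fine
    access("rn_alice", "EHR", "pt-9999", "read", t)    # insider curiosity: allowed, flagged
    access("clerk_bob", "EHR", "pt-1001", "write", t)  # no write right: denied, flagged
    return [(r.user, r.patient, r.activity, r.allowed) for r in review(AUDIT_TRAIL)]
```

Note that the second access is allowed by the ACL and only stands out because the trail records whose information was read; that is why the slide lists "whose information" as a required audit element.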
Key Features of a Secure System and Network: Availability

Ensures information is immediately accessible and usable by authorized entities
Methods
– Backups
– Protecting and restricting access
– Protecting against viruses
Key Features of a Secure System and Network: Data Storage

Protecting and maintaining the physical location of the data and the data itself
Physical protection of processors, storage media, cables, terminals, and workstations
Retention of data for the mandated period of time
Key Features of a Secure System and Network: Data Transmission

Exchange of data between person and program or program and program when the sender and receiver are remote from one another
Encryption
– Scrambles readable information
– Decrypted by the recipient with the proper key
Firewall
– Filtering mechanism so that only authorized traffic is allowed to pass
Unique Identifiers

Employer Identifier Number (EIN)
National Provider Identifier (NPI) – individual, group, or organization that provides medical or other health care services or supplies
Unique health identifier – on hold