Write a paper on the topic of security, privacy and confidentiality as they relate to patient information and data integrity. Subtopic: threats to security, privacy and confidentiality.

Health Insurance Portability and Accountability Act (HIPAA): Data Communication and Security

Published in: CINAHL Nursing Guide, 2018 Jun 22, Nursing Reference Center Plus

By: Uribe, LM; Pravikoff D

Evidence-Based Care Sheet

By: Lydia M. Uribe, PharmD, MLIS
Tanja Schub, BS
Edited by: Diane Pravikoff, RN, PhD, FAAN

What We Know

  • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) safeguards the access of working Americans and their families to health insurance and protects patients’ right to privacy with regard to healthcare information by regulating the disclosure of protected health information (PHI; i.e., any information in paper or electronic form that can identify a patient, including documented payment information) by covered healthcare entities (e.g., healthcare providers, health insurance companies, health insurance clearinghouses) and business associates of covered entities (8, 9)
    • The Health Information Technology for Economic and Clinical Health (HITECH) Act, a component of the American Recovery and Reinvestment Act of 2009 (ARRA), further strengthens regulations that are in place to safeguard the privacy and confidentiality of PHI and institutes mandatory fines for HIPAA violations and for PHI breaches (i.e., the impermissible disclosure, access, or use of PHI that poses a risk of financial or other harm to the person involved) (8, 13)
  • The 2002 HIPAA Privacy Rule establishes regulations safeguarding all PHI, whether written, oral, paper, or electronic; the 2003 HIPAA Security Rule establishes safeguards specifically regulating electronic PHI (ePHI), including electronic communications and electronic health records (EHRs) (9, 13)
    • The HIPAA Security Rule requires covered entities and their business associates to develop administrative, technical, and physical policies and procedures to (13)
      • maintain the confidentiality, security, and integrity of ePHI
      • identify and prevent anticipated security threats
      • protect against impermissible use and disclosure of ePHI
      • maintain employee compliance
    • Administrative responsibilities of a covered entity with regard to Security Rule compliance include development of written policies and procedures that document (11)
      • the identity of employees or classes of employees who are allowed access to ePHI; access must be limited to employees requiring access to perform their job responsibilities
      • the use of business associate agreements (BAAs) to demonstrate business associate compliance with HIPAA regulations
      • employee training in HIPAA regulations
      • the performance of internal audits to verify compliance with HIPAA regulations
      • identifying and responding to violations and breaches
        • Healthcare organizations are responsible for having mechanisms in place in the event of a breach during a natural disaster (2)
      • designating a privacy officer
        • Healthcare organizations must maintain current HIPAA manuals that include up-to-date notices of privacy acts, privacy logs, authorization-and-request forms, and policies on breach notification and the release of PHI (7)
      • creating, changing, and safeguarding passwords
        • Two-factor authentication is recommended for compliance with HIPAA password requirements (5)
    • Technical responsibilities for HIPAA Security Rule compliance include controlling access to computer systems and protecting the communication of ePHI by (11)
      • using data encryption in certain circumstances
      • using data corroboration to promote data integrity
      • maintaining a written record of all network configuration settings
      • authenticating the entities with whom they communicate
    • Physical requirements for HIPAA Security Rule compliance include preventing unauthorized access to ePHI by (11)
      • controlling the installation and removal of hardware and software
      • limiting physical access to equipment that contains ePHI to employees requiring access to perform their job responsibilities
      • protecting workstations and verifying their appropriate use
      • requiring facility security plans, visitor logs and escorts, and maintenance records
    • The National Institute of Standards and Technology has developed the HIPAA Security Toolkit to assist covered entities in assessing for security risks in their organizations; this toolkit might be insufficient for all covered entities, and use of a HIPAA consultant might be necessary to maintain compliance with the security rule (12)
  • Electronic methods of communication between healthcare providers and patients can be of special concern with regard to HIPAA Security Rule compliance (4, 8)
    • Email can be used to communicate private patient information; the same safeguards should be in place that are used when communicating, storing, or accessing any ePHI (8)
    • Text messaging (also called SMS, for short message service) is an effective method of communicating small amounts of data, but text messages are not normally encrypted and are accessible to anyone with access to the sending or receiving device (3, 4)
      • The Joint Commission (TJC) and the Centers for Medicare & Medicaid Services (CMS) do not allow the use of SMS for communicating patient orders (1, 6)
  • According to data from the Office of Civil Rights, the most-frequently investigated HIPAA compliance issue through April 2018 is impermissible uses/disclosures of PHI, followed by lack of safeguards, lack of patient access, lack of administrative safeguards, and use/disclosure of more than the minimum PHI necessary (10)

What We Can Do

  • Learn about HIPAA and the HIPAA Security and Privacy Rules so you can accurately assess the ways in which your facility complies with HIPAA regulations; share this information with your colleagues
  • Collaborate with members of your administrative team and your facility privacy officer to develop policies and procedures to safeguard ePHI

Diversity, Equity, and Inclusion

  • Identify and accommodate, if possible, any specific cultural and religious beliefs that may enhance care.
  • Be aware of any assumptions you may have, and separate your own beliefs and values from those of the patient to minimize bias.

References

1. Centers for Medicare & Medicaid Services. (2017). Texting of patient information among healthcare providers. Retrieved June 8, 2018, from https://www.cms.gov/Medicare/Provider-Enrollment-and-Certification/SurveyCertificationGenInfo/Downloads/Survey-and-Cert-Letter-18-10.pdf (G)

2. Dybka, M. (2015). HIPAA and data breaches. Audiology Today, 27(1), 60-61. (GI)

3. Gonzalez, E. (2014). Complying with HIPAA. Long-Term Living: For The Continuing Care Professional, 63(1), 16-19. (GI)

4. Greene, A. H. (2012). HIPAA compliance for clinician texting. Journal of AHIMA: American Health Information Management Association, 83(4), 34-36. (GI)

5. The HIPAA password requirements and the best way to comply with them. (2018). HIPAA Journal. Retrieved June 8, 2018, from https://www.hipaajournal.com/hipaa-password-requirements/ (GI)

6. The Joint Commission. (n.d.). Texting – use of secure text messaging for patient orders. Retrieved June 8, 2018, from https://www.jointcommission.org/standards_information/jcfaqdetails.aspx?StandardsFaqId=1616&ProgramId=46 (G)

7. Murphy, R. (2015). Evolving education. HIPAA a back breaker for chiropractic interns. For the Record, 27(5), 10-11. (GI)

8. Pun, M. H. J. (2012). Maintaining patient privacy: Is your email HIPAA-compliant? AGD Impact, 40(4), 36-37. (GI)

9. United States Department of Human & Health Services. (2017). HIPAA for professionals. Retrieved June 8, 2018, from https://www.hhs.gov/hipaa/for-professionals/index.html (GI)

10. United States Department of Hum
