16 May 2011

Standards and Legal Issues
By Thomas Groshong

An audit of the Electronic Health Record (EHR) system reveals a lack of basic policies and standards to protect EHR data from misuse, abuse or theft. The He a l t h I n s u r a n c e P o r t a b i l i t y a n d
Accountability Act (HIPAA) require protection of EHR data and basic security guidance to adequately safeguard this data from threats of misuse and/or t h e f t . T h o m a s J . S m e d i n g h o f f q u o t e s H P A A l a w 42 USC Section 1320d-2(d)(2) t h a t establishes three

basic

security

principles

“maintain reasonable and appropriate

administrative, technical, and physical safeguard”. (Smedinghoff, T. (2008)) A r e a s o n a b l e a t t e m p t to provide safeguards and follow excepted standards for security can be found in the

HIPAA

Security

Guidance,

National

Institute

of

Standards

and

Technologies (NIST) documents, and the SANS Institute policies. The security goal is

to

provide

confidentiality,

integrity,

and

availability

of

EHR

i n f o r m a t i o n . (Smedinghoff, T. (2008)) The policies created below are to address weaknesses in the current system and provide direction on how to meet industry standards and legal requirements.

A. Create three organizational policy statements:
HIPAA suggests a three prone approach; physical security, technical security, and administrative security. This document will cover organizational policies for each of the three categories based on best practices and national standards such as NIST.
a.

Administrative security: A written policy stating procedures, standards, and guidelines to ensure honest and qualified people are granted access, provide levels of access, and steps to prevent unauthorized access. (U,S. Department of Health and Human Services,