16 May 2011
Standards and Legal Issues
By Thomas Groshong
An audit of the Electronic Health Record (EHR) system reveals a lack of basic policies and standards to protect EHR data from misuse, abuse or theft. The He a l t h I n s u r a n c e P o r t a b i l i t y a n d
Accountability Act (HIPAA) require protection of EHR data and basic security guidance to adequately safeguard this data from threats of misuse and/or t h e f t . T h o m a s J . S m e d i n g h o f f q u o t e s H P A A l a w 42 USC Section 1320d-2(d)(2) t h a t establishes three
basic
security
principles
“maintain reasonable and appropriate
administrative, technical, and physical safeguard”. (Smedinghoff, T. (2008)) A r e a s o n a b l e a t t e m p t to provide safeguards and follow excepted standards for security can be found in the
HIPAA
Security
Guidance,
National
Institute
of
Standards
and
Technologies (NIST) documents, and the SANS Institute policies. The security goal is
to
provide
confidentiality,
integrity,
and
availability
of
EHR
i n f o r m a t i o n . (Smedinghoff, T. (2008)) The policies created below are to address weaknesses in the current system and provide direction on how to meet industry standards and legal requirements.
A. Create three organizational policy statements:
HIPAA suggests a three prone approach; physical security, technical security, and administrative security. This document will cover organizational policies for each of the three categories based on best practices and national standards such as NIST.
a.
Administrative security: A written policy stating procedures, standards, and guidelines to ensure honest and qualified people are granted access, provide levels of access, and steps to prevent unauthorized access. (U,S. Department of Health and Human Services,