You are the health information technology (HIT) supervisor in a large, multidisciplinary ambulatory care clinic that has 3 family practice physicians, 1 internal medicine physician, 1 mid-level provider/nurse practitioner, and 2 pediatricians. The organization also has an onsite radiology department, laboratory, and wellness clinic.
You report directly to the administrator. Your primary responsibility is to oversee the functions of the electronic medical record (EMR) and release of information (ROI), and to handle loose paperwork that comes into and goes out of the clinic. Your secondary responsibility is to provide operational oversight of privacy, security, and confidentiality in the EMR, under the administrator, who has strategic and executive control.
You have a new administrator who is reviewing organizational policies and procedures. She has called you into her office to discuss the clinic’s policy governing the privacy, security, and confidentiality of protected health information (PHI), for both the EMR and paper medical records. You indicate there is no current policy. Your conversation then turns to how new and existing employees are authorized to access the EMR, what content is made available to them according to their job responsibilities, how they are educated on protecting PHI, and how administrative and clinical staff differ in both access and education. You indicate that there is no formal education policy. New employees get an overview of the EMR and a short briefing on passwords, and are then assigned an EMR account with the same general access level as everyone else except yourself and the administrator; access is not restricted by role.
Several days later, the administrator asks you to develop a PowerPoint presentation to establish an educational program on privacy, security, and confidentiality for all new and existing employees at the clinic. Specifically, she is asking that the content outline each of these topics with a principal objective of protecting PHI, and the organization, from breaches. She would also like for the education program to be broken down into content targeting two separate audiences:
• Administrative staff (business office including third party coding and billing staff, receptionists and patient registration, and supervisors)
• Clinical staff (physicians, nurses, medical assistants, and technicians).
While the intent is that the privacy, confidentiality, and security education will be presented to all employees regardless of position, it is essential that there be a delineation between the two employee groups. Each has different roles and responsibilities, which require different levels of access in the EMR and different uses and disclosures of PHI in their respective roles.
Three Major Tenets
Privacy: In healthcare, privacy entails the safeguarding of protected health information (PHI) derived from patients, while giving patients control over how that information is disclosed and disseminated. Under HIPAA’s Privacy Rule (a federal regulation, 45 CFR Part 164, issued under the HIPAA statute), every member of a covered entity’s workforce must be trained on its PHI policies and procedures, including protecting patients’ rights and the content of their medical record (electronic, hybrid, or paper). The rule requires this training for new workforce members within a reasonable period after they join, and again whenever a material change in policies or procedures affects their functions; annual refresher training is a widespread practice and a sound way to meet the Security Rule’s separate requirement for a security awareness program with periodic updates, rather than a fixed Privacy Rule mandate. All training must be documented and the documentation retained by the organization, for compliance.
Confidentiality: In healthcare, confidentiality refers to the legal obligation of healthcare providers to protect all medical records and PHI from unauthorized use or disclosure. It also pertains to the HITECH Act (Title XIII of Public Law 111-5, enacted 2009), which requires that additional privacy and security measures be in place to protect all electronic health information and information exchanges (including PHI) between healthcare entities, such as healthcare organizations and third-party payers, and which extends those requirements directly to business associates.
Healthcare organizations must also have health information technology (IT) safeguards in place to protect the data and information contained in any and all information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Security: In healthcare, security refers to the mechanisms controlling who has access to organizational content, as well as the mechanisms protecting electronic PHI (ePHI) and the health IT software and hardware used to convey and organize it, such as the electronic medical record (EMR). HIPAA’s Security Rule defines three categories of safeguards (administrative, physical, and technical) and adds two further sets of requirements that a security policy must also cover: organizational requirements (such as business associate contracts) and policies, procedures, and documentation requirements.