andithomas
pioneer: special projects director

WHAT IS INFORMATION SECURITY?

The age-old tradition of doctor-patient privilege is no longer enough to protect your most private information: your health records. In the recent past, your protected health information (PHI) may have been shared for purposes other than providing care or billing your insurance company. You had little or no control over who received your PHI and how it was used. That is, until certain provisions required by “HIPAA” (the Health Insurance Portability and Accountability Act of 1996) became effective last year.

Today, this Federal law:

  • Gives you rights over your health information

  • Sets rules and limits on who can look at and receive your health information

WHICH PROVIDERS MUST FOLLOW HIPAA?  

  • Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers
  • Health insurance companies, HMOs, most employer group health plans
  • Certain government programs that pay for health care, such as Medicare and Medicaid

WHAT INFORMATION IS PROTECTED?

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer's computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow this law

PATIENT INFORMATION RESOURCES:

Flyers from the Health Privacy Project:

HOW WE PROTECT YOUR PERSONAL HEALTH INFORMATION:

Hep-C ALERT/ALERT Health is honored that clients trust us with their most personal information. The organization holds this trust sacred and does everything possible within its resources to protect your confidential information. Even though Project ALERT is not itself a HIPAA “covered entity”, it interacts as a Business Associate with many HIPAA-regulated agencies. In addition, Project ALERT is a Florida Department of Health Registered Confidential HIV Testing Site. In both cases, Project ALERT is required to maintain specific administrative (procedural), physical and technical (electronic) safeguards. Project ALERT used these guiding principles in developing its Information Security Policy:

  • Ensure the confidentiality and integrity of PHI; 
  • Protect against any reasonably anticipated threats and unapproved uses or disclosures of PHI;
  • Periodically evaluate, recognize and respond to new or unanticipated security threats in a timely manner; and
  • Ensure compliance by Project ALERT’s workforce.

ACTION PLAN:

Step 1: Policy and Initial Implementation (Implemented December 2002)

  • Research, develop and implement a formal General Information Security Policy specifically for the organization. (Note: this is the actual policy. Your state or institution’s rules may vary. Use at your own risk.)
  • Identify staff with “need to know”. Restrict or deny access to hardcopy and electronic information to all others.
  • Train workforce on new procedures.
  • Upgrade the facility to prevent unauthorized access to protected health information.
  • Enforce computer workstation security procedures, including strong(er) passwords, restrictions on hours of access, up-to-date anti-virus software and daily scans.
  • Prevent unauthorized electronic transfer or copying of PHI by locking or disabling all floppy (A:\) and USB drives, limiting printing access, and disabling email capability on computers with access to confidential data.

Step 2: Quality Improvement (Continuous)

  • Conduct periodic Security Audits and retrain the workforce at least annually. (Note: this link is the audit form used. Use at your own risk.)
  • Identify and respond to unanticipated security threats. Take steps to mitigate.
  • Prepare for Step 3: Improve security of electronic information.
  • Assess Step 3 after implementation.

Step 3: Upgrade (Implemented January 2005)

  • Completely upgrade computer hardware and software. 
  • Change from PC-based network to a Thin Client network to improve security, reduce IT costs and increase productivity. 
  • Change from Windows NT 4.0 (server) and Windows 98 (PC clients) to Windows Server 2003 and Terminal Services, running on a Premio server and Premio Eros Windows CE Terminal Workstations
  • Physically secure the new server and external back-up devices with a locking Computer Security Cabinet
  • Procure discount / donated operating system, utility and office management software from Techsoup.org
  • Computer Upgrade/Configuration contract awarded to International Computer Maintenance.  
  • Donate used computer equipment to a 501(c)(3) organization / Microsoft Authorized Refurbisher. Employ advanced wiping techniques (overwriting the old hard drive(s) and other storage media end to end, then verifying the overwrite) to ensure all confidential and proprietary information is deleted beyond recovery; simply deleting files or reformatting a drive does not remove the data.
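
The wipe in the last bullet is the step most often done badly, since a quick format or file deletion leaves the old records recoverable. As an added example (not Project ALERT's own procedure or tooling), the following POSIX shell script overwrites a target in place twice, first with random data and then with zeros, and then reads the whole target back to confirm every byte is zero before the hardware is released. It is written against a regular file standing in for the drive so that it runs anywhere; on a real machine you would point it at the whole block device (for example /dev/sdb, as root). The function names `target_size`, `wipe_target`, `verify_zeroed` and `demo_wipe`, and the sample patient record, are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Project ALERT's procedure: overwrite a storage target in
# place, then verify the overwrite by reading every byte back.
# The target is a regular file standing in for a block device so the script
# runs anywhere; for real media pass the whole device (e.g. /dev/sdb) as root.

# Size of the target in bytes. For a regular file wc -c is exact; for a block
# device it reads to the end, which is slow but portable.
target_size() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite the target end to end: pass 1 pseudo-random data (defeats tools
# that look for the zero-fill pattern), pass 2 zeros (lets the verifier check
# the result). conv=notrunc writes in place instead of truncating and
# reallocating, which is what a device needs.
wipe_target() {
    size=$(target_size "$1")
    head -c "$size" /dev/urandom | dd of="$1" conv=notrunc 2>/dev/null || return 1
    head -c "$size" /dev/zero    | dd of="$1" conv=notrunc 2>/dev/null || return 1
    sync
}

# Read the whole target back as hex and fail if any byte is not 0x00.
# od -v prints every byte (no "*" run compression), so nothing is skipped.
verify_zeroed() {
    if od -An -v -tx1 "$1" | tr -d ' \n' | grep -q '[^0]'; then
        return 1    # at least one non-zero byte survived: wipe incomplete
    fi
    return 0
}

# Constructed demonstration: a fake drive image holding one made-up PHI
# record, wiped and then verified. Returns 0 only if the record is gone,
# every byte reads as zero, and the size is unchanged.
demo_wipe() {
    img=$(mktemp) || return 1
    printf 'Patient: Jane Doe (constructed), HCV Ab positive 2004-03-02\n' > "$img"
    before=$(target_size "$img")
    wipe_target "$img" || { rm -f "$img"; return 1; }
    status=0
    verify_zeroed "$img" || status=1
    grep -qa 'Jane Doe' "$img" && status=1
    [ "$(target_size "$img")" -eq "$before" ] || status=1
    rm -f "$img"
    return "$status"
}

demo_wipe && echo "wipe verified: target reads back as all zeros"
```

Two caveats. Overwriting a file in place does not reliably overwrite the blocks it previously occupied on a journaling or copy-on-write filesystem, which is why the procedure targets the whole device rather than individual files. And on flash media (SSDs, USB sticks) wear levelling means an overwrite issued by the host may never reach every cell; use the drive's built-in secure-erase command or physically destroy the media instead.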

Step 4: Reassessment
