Implementation of Organizational Practices to Protect Information in Health Organizations
Ann J. Olsen
Director, Information Management Planning
Vanderbilt University Medical Center
November 10, 1998
Presented at: 1998 Annual Symposium of the American Medical Informatics Association, “A Paradigm Shift In Health Care Information Systems: Clinical Infrastructures for the 21st Century,” November 7-11, 1998, Lake Buena Vista, FL
Authors: Ann J. Olsen, M.B.A., M.A., Dario Giuse, Dr.Ing., Ruby B. Borden, B.S.N., R.N., Martha K. Miers, MS, MBA, MT(ASCP), Mary G. Reeves, R.R.A., William W. Stead, M.D.
Vanderbilt University Medical Center, Nashville, Tennessee
See symposium proceedings for paper of same title.
VUMC: Early 1997
IAIMS implementation
– widely used patient record repository and other patient care systems
– extensive use of networked PCs throughout for research, patient care, education, management
Inadequate confidentiality policy
VUMC-wide information policy team with liaisons to major stakeholders
VUMC: Early 1997
Agreement on need for comprehensive information security program
– not limited to electronic information
– not limited to patient information
– enterprise wide
Initial drafts of three new policies
Policy Development Challenge
[Organization chart: Chancellor; Vice Chancellor Health Affairs; units include Personnel & Communication, Space Management, Financial Management, Informatics Center, Research and Technology Transfer, Medical Group & Clinics, Hospital, School of Medicine, School of Nursing, Health Plans]
No standard process for review and approval of Medical Center-wide policy
Major organizational units have long-standing policy-making bodies
VUMC Information Policy: Organizational Relationships
[Diagram: Information Policy Advisory Committee and Information Policy Support Team (IPST); one body of 9 members (key stakeholders), the other of 25+ members (broad participation). IPST liaisons to: School of Nursing; Administrative Leadership Team; Patient Care Services Board; Vanderbilt Medical Group; Legal, Financial, Risk, Compliance; Human Resources; Vanderbilt Health Services; VUH/VMG Policy & Procedure Committee; Finance & Administration; Executive Faculty, School of Medicine; Other]
Emerging Landscape
JCAHO standards require classification and protection of information
HIPAA
– Proposed security standard applies to all health care information electronically maintained or used in an electronic transmission
S. 2609 introduced Oct. 9, 1998
– Proposed Medical Information Protection Act will be reintroduced in early 1999
– Applies to all media
For the Record: Protecting Electronic Health Information
Recommendations:
– Technical practices for immediate implementation
– Technical practices for future implementation
– Organizational practices for immediate implementation
Organizational Practices
Security & Confidentiality Policies
Security & Confidentiality Committees
Information Security Officers
Education and Training
Sanctions
Improved Authorization Forms
Patient Access to Audit Logs
Information Security and Confidentiality Policies
Platform for Compliance with Current & Future Standards
[Diagram of the policy set: Information Security, Confidentiality, & Privacy; Existing Policy: Confidentiality; Confidentiality of Patient Information; Security for Electronic Information & Systems; Classification of Information; Information Security & Confidentiality Agreements]
Information Security, Confidentiality, and Privacy
Provides structure and process
– Information Security, Confidentiality, and Privacy (ISCP) Committee
– Information Security Officer (ISO)
– Information Security Managers (ISM)
Defines responsibilities
– Enterprise, Unit, Individual
Security for Electronic Information and Systems
Establishes requirement for enterprise standards
ISCP Committee sets standards – risk analysis – technical recommendations
Allows standards to evolve without changing policy
Confidentiality of Patient Information
Defines confidential patient information
Reinforces “need to know”
Provides broad guidelines for handling patient information
Classification of Information
Sets requirement and process to identify and classify information based on need for protection
Three classifications – confidential, restricted, unrestricted
Information Security and Confidentiality Agreements
Establishes requirements for faculty, staff, trainees, volunteers, contractors, vendors, partners …
Defines process for approving forms and implementation
Security and Confidentiality Committees
Information Security, Confidentiality, and Privacy (ISCP) Committee
– establishes standards & practices based on recommendations of technical staff, ISO, and others
– oversees and promotes information security programs
– coordinates with other groups, e.g., Medical Records Committee
Security and Confidentiality Committees
Subcommittee of ISCP and Medical Records Committees for Protection of and Access to Patient Electronic Records (PAPER)
Recommend procedures to control and document access and use of patient electronic records, e.g.,
– Plan use of audit trails
– Improve authorization forms
– Review requests for access and proposals for use of electronic records
Information Security Officers
New position for VUMC Information Security Officer
– Administrative
– Policy
Coordinate with staff providing technical leadership and support
Information Security Officers
Departmental Security Administrators to become Information Security Managers
Information security improvement
– assess
– plan
– implement
– evaluate
Education and Training
Information Security Managers
– Information Security Guide
– Templates for Information Security Assessment and Plan
– Initial orientation sessions with regular follow-up
– Periodic meetings for updates and feedback
– One-on-one sessions with ISO
Education and Training
Universal - embed in process
– Job descriptions rewritten
– Agreements
– Orientations
– Performance goals
– Systems training
– Screen saver
– Security assessments & plans
Compliance education program
Sanctions
Coordination with related corporate compliance effort
Guidelines: appropriate & inappropriate behavior
Tiers of violations (e.g., unauthorized access vs. unauthorized disclosure)
Use existing disciplinary processes
Violations may be reported to any of:
– ISO, Compliance Office, Employee Relations, Supervisor
ISCP Committee receives summary of violations and outcomes
Improved Authorization Forms
Have recently changed forms to increase options
Continuing effort involving Medical Records Committee, PAPER Subcommittee, and others
Patient Access to Audit Logs
Currently review audit log for medical record repository on request
On agenda of PAPER subcommittee
Expected Challenges
Consistent application of sanctions
Consistent adoption of standards across departments
Accountability of Information Security Managers
Adequacy of resources for communication, training, implementation
Expected Benefits
Platform for compliance with future requirements
Increase understanding of security issues
Reduce risk
Support desired culture
[email protected]@mcmail.Vanderbilt.edu