The continued growth of healthcare information systems (HCIS) promises to improve quality of care, reduce harmful medical errors, and streamline the entire healthcare system. But the resulting dependence on electronic medical records (EMRs) has kindled patient concern about who has access to sensitive medical records. Healthcare organizations are obliged to protect patient medical records under the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the economic stimulus bill of 2009. The purpose of this study is to develop a formal privacy policy for safeguarding the privacy of EMRs. This study describes the impact of EMRs and HIPAA on patient privacy. It proposes access control and audit logs policies to protect patient privacy. To illustrate the best practices in the healthcare industry, this chapter presents the case of the University of Texas M. D. Anderson Cancer Center. The case demonstrates that it is critical for a healthcare organization to have a formal privacy policy in place.
TopIntroduction
The strategic utilization of information systems/information technologies (IS/IT) has played a central role in enabling organizations across many industry segments to address many business challenges and achieve a level of sustainable competitive advantage (Croasdell, 2001; Hammond, 2001; Holt et al., 2000). Healthcare is noted for embracing new scientific discoveries and using leading edge technologies to enable better cures for diseases and better means to enable early detection of most life threatening diseases. Ironically, the healthcare industry in the US, which has a greater need for more accurate and timely information, has experienced less development of IS/IT than have other industries such as banks or airlines. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the largest governmental law in healthcare since Medicare. HIPAA mandates new federal standards for electronic transactions, such as payment processing, patient’s medical information privacy, and security procedures that secure the privacy protections. Currently healthcare organizations are contending with relentless pressures not only to implement IS/IT technologies but also to become compliant with the HIPAA regulatory.
The growing use of healthcare information systems (HCIS) has provided healthcare organizations with tremendous benefits, including significantly reduced costs, reduced harmful medical errors, and improved quality of care. But the resulting dependence on electronic medical records (EMRs) has also kindled patient concern about the privacy and security of patient medical records. EMRs often contain some of the most sensitive information who and what we are, such as mental and physical illness. Perhaps more than any other type of data, the confidentiality of EMRs is absolutely essential. When doctors’ file cabinets held the bulk of medical records, the employees working in those practices had access to them. As hospitals and clinics switch to electronic record keeping, however, access to private medical records will soon be very easy for anyone with a computer and information systems access. Under HIPAA, new healthcare privacy provisions designed to protect data transmitted and stored electronically went into effect April 14, 2003. The requirements of HIPAA and compliance issues are getting the attention of top executives in the healthcare industry.
Having a formal privacy policy is a key step in implementing any HIPAA compliance program. It should expressly cover how a health organization is protecting EMRs; the rules and limits on who can use and need access to EMRs; and the capability to track who has disclosed sensitive data and the circumstances of disclosure. A positive, formal, and continually practiced privacy policy by all employees can establish rules and limits on who can gain access to EMRs and thus minimize the possibilities of privacy breaches. On the other hand, a poorly defined and improperly implemented and managed privacy policy can make EMRs ripe for privacy abuse. The HIPAA privacy rule puts an emphasis on access control and audit trails to protect patient data. This study investigates the use of access control and audit policies for protecting the privacy of EMRs.
The objective of this study is to develop formal access control and audit policies for safeguarding the privacy of EMRs. The development of HIPAA compliance program and security policies has been addressed by several studies (Li and Shaw, 2004; Kieke, 2003; Messmer, 2003; Anonymous, 2001; DeMuro, 2001). There are also several papers addressing the issue of the privacy of EMRs (Miller and Tucker, 2009; Runy, 2008; Swartz, 2004; Ateniese and Medeiros, 2002). The closely related works to this study include the following. Zunkel (2005) studied how to use biometric technology to protect personal information and found that biometric technology does not endanger personal information; it protects it. Borrowing the principles of reporting and auditing from the accounting sector, Stevens (2002) found that through comprehensive reports of network activity logs and regular auditing of security measures and devices, healthcare organizations could generate the proof of HIPAA compliance. While these studies are devoted to technical aspects and particular access control and audit technologies, this study takes a management-oriented approach to develop access control and audit logs policies for protecting the privacy of EMRs strategically.