Hi, please read and respond to the peer discussions.
Peer 1: Cybersecurity
Part 1: Critical Analysis of the Law
Evaluate HIPAA security requirements for a security risk assessment (SRA). How would you complete a security risk assessment that meets HIPAA security requirements? Outline it. What physical, administrative, and technical safeguards would you recommend to keep data secure?
To complete a risk assessment that integrates HIPAA security requirements, first, there has to be a determination of what PHI is readily accessible. Secondly, the current security measures have to be assessed, starting with the documentation of the current efforts that safeguard PHI (Hofmann et al., 2020). Thirdly, identify whether there are vulnerable areas in the organization where risks may occur. Fourth, risk levels should be determined to identify the harm that they may bring (Rosenbloom et al., 2019). Lastly, documentation is done to record the levels of risks and threats as well as to create corrective actions to stop or reduce these risks.
First, for the part of administrative safeguards, policies and procedures are supposed to govern this space to ensure that an organization protects ePHI and that there is compliance with all the individual security rules. Secondly, for the purpose of physical safeguards, both the physical structure and the electronic equipment of an organization are mostly considered (Showalter, 2017). Lastly, technical safeguards can be achieved by audit controls, integrity controls, access control, and transmission control, all aimed at determining how technology will be used to protect ePHI and control access to individual data.
Evaluate HIT audits as a compliance tool. Describe an audit process you recommend that would meet the following criteria. The audit is fair and unbiased and free from conflict of interest (1-2 points). The audit results are effectively communicated to senior levels of the organization (1-2 strategies). There is a process in place to correct any problems identified in the audit (1-2 actions).
HIT audit compliance tools are used to make sure that all the processes are followed and that the outcome is very sustainable. To recommend my ideal HIT audit, there should be a body that is independent so as to oversee all the audits to ensure fairness. The audit should be followed in a transparent manner, and all guidelines followed by qualified and professional auditors who should communicate the results on a regular basis to uphold good communication. Consequently, it is essential to ensure that the audit is reviewed on a regular basis to identify any issues and curb them.
The use of both a strong HIT audit system and the ACHE Code of Ethics could be used to avoid any situation like the one described in chapter 9 of Information Technology Setback, as a way of ensuring that each employee is adequately prepared and trained to use the system, where the system should also be regularly audited against every single HIPAA regulation. The ACHE Code of Ethics could also be used in the prevention of the given adverse situation, where all employees can be required to meet the highest required ethical code of conduct.
Part 2: Strategic Compliance with the Law
Evaluate what you need to do to respond to the cyberattack. Recommend a cyberattack response. Your response should include: Methods to secure stolen data and mitigate harm (two). Actions to correct the problem that allowed for the cyberattack (two).
The first measure to secure stolen data and mitigate harm is by investigating any cyberattacks and identifying the attackers, as well as working with all departments to secure their patients’ data (Bowers et al., 2022). To correct the problems, an organization must ensure that all individual systems are updated with all the latest security features, as well as train employees on how to use the EHR systems in the right way.
Evaluate the breach notification requirements under HIPAA. What breach notice actions do you recommend? (1-2) When do they need to be completed?
The individual breach notification requirement under HIPAA is that an individual organization/company must be in a position to notify all the individuals who could be affected by a data breach without any delay, mostly before 60 days are over (Showalter, 2017). This notification should include a description of the nature of the breach as well as the date of the breach.
Evaluate the organization’s duty of privacy and security for HIV patients. What do you recommend to keep this information secure during future reporting? Are any additional protections required because of the HIV status? Why or why not?
For future purposes, individual organizations securing information of HIV patients should regularly test their systems to ensure that they have the updated security features to secure patients’ data where every vulnerability should be eliminated. There is a requirement for additional protection for HIV patients’ privacy as HIV status is considered to be protected health information under HIPAA.
References:
Bowers, G. M., Kleinpeter, M. L., & Rials, W. T. (2022). Securing Your Radiology Practice: Evidence-Based Strategies for Radiologists Compiled From 10 Years of Cyberattacks and HIPAA Breaches Involving Medical Imaging. Perspectives in Health Information Management, 19(3), 122-124.
Hofmann, P. B., Perry, F., & Gooch, B. E. (2020). Management mistakes in healthcare: identification, correction and prevention.
Rosenbloom, S. T., Smith, J. R., Bowen, R., Burns, J., Riplinger, L., & Payne, T. H. (2019). Updating HIPAA for the electronic medical record era. Journal of the American Medical Informatics Association, 26(10), 1115-1119.
Showalter, J. S. (2017). The law of healthcare administration. Health Administration Press.
Peer 2: Medical Record in Court
Part 1: Critical Analysis of the Law
Usually, healthcare professionals can be requested by the court to provide patients’ therapeutic accounts under subpoenas. Typically, a subpoena refers to a lawful decree that is usually issued by a court of law to any associated individual as per the appeal of the involved party in a court happening (Fleming, 2021). Specifically, HIPAA does permit providers to disclose information to a party issuing a subpoena if the notification requirements of the confidentiality policy are met.
45 CFR 164.512 contains some very specific requirements with regard to the use of subpoenas to obtain medical records. For a party in litigation to obtain medical records without written patient authorization, HIPAA requires that the request be accompanied by either (a) a statement that the patient has been given notice of the request and has had an opportunity to object, or (b) a motion for a qualified “protective order” (this is in accordance with 45 CFR 164.512(e)). A qualified protective order requires that any protected health information can be disclosed only for the purposes of litigation, and that any protected health information disclosed must be returned to the provider at the end of litigation (Lynch, 2018, p. 4, para 6-7).
2. Measures should be taken to ensure that any printed or released patient information is only stored in work locations and isn’t accessible to the general public. Discussions about patient care should primarily be kept private to reduce the likelihood that people who are not interested in the material will access it (Greene & McGraw, 2020). Last but not least, passwords can be created to protect electronic information. Emailing and texting, in general, do not violate HIPAA, although there are several exceptions. For example, sending an email containing PHI to an incorrect recipient is obviously an unlawful disclosure and a violation of HIPAA.
Policies and practices that can regulate email and messaging in a hospital context include not sharing certified e-mail accounts with family members of patients.
It is critical to use encryption technology to protect all messages (Greene & McGraw, 2020). Guidelines should be set up to reduce unencrypted wireless communications connections containing patient-identifiable data. “(Electronic) PHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization´s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable” (HIPAA Journal, n.d., p. 5, para 1).
3. A business’s management of its records, from creation to retention and disposal, is outlined in its record retention policy, because such policies make it easier for organizations to retrieve documents for quick reference. Record destruction policies acknowledge that workers, unpaid staff, and executive members have basic record retention obligations to maintain, record, store, and destroy the institution’s documents and data (Herzig, 2020). Finally, litigation is involved in the process because it enables firms to make sure they uphold their obligations to preserve information, including automatically saved information, for use in legal proceedings. Medical record rules for release, destruction, and retention serve as important compliance tools. If medical records are well-detailed, they will aid medical professionals in maintaining treatment accuracy. In order to preserve patient information, medical record retention and destruction will offer a method for comprehending management principles and policies and for ensuring compliance (Herzig, 2020).
4. Defined policies and procedures will help in preserving the unethical and improper actions in The Tracks We Leave by giving instructions on how to adhere to pertinent laws. The rules and procedures will also show how to promote ethical behavior effectively, professionally, and consistently (Johnson, 2018) resulting in improved public perception and greater commercial partnerships. In general, the AHIMA code of ethics and guiding code will use the necessary professional values and ethical principles of service in dealing with the issues of misbehavior and discrimination in order to prevent further occurrences of this kind.
Part 2: Strategic Compliance with the Law
1. Modern techniques for finding, collecting, and producing electronically stored information in response to a demand for production in an investigation or a lawsuit include e-discovery. The identification of privileged documents, the identification of medical records eligible for peer review immunity, and the identification of materials unrelated to the case are just a few requirements that must be completed in order to comply with such a request. In order to avoid the discovery of privileged information, I would work with my business partner to identify medical records that are shielded from disclosure by state, federal, or local legislation. In order to ensure that records covered by peer review immunity are not made public unless required by a federal court, I would also abide by the institution’s privacy policies and HIPAA standards. Additionally, I would use the e-discovery guidelines to identify the kinds of materials that are pertinent to the practice.
2. The federal court has the jurisdiction to order that the protection of records is not waived by giving information pertaining to existing litigation, in accordance with Court Order 502D. The agreement formed throughout the record disclosure process, however, is only enforceable by the parties to the agreement, according to court order 502E. I would advise using the 502E because it enables agreement between the parties and makes the task straightforward.
3. I would take the necessary legal action if the business associate ignores the request for records. I would also discuss the delay with the business partner to see what caused it and see if I could help prevent similar delays in the future. Additionally, I would implement management strategies to ensure that the process’ deadlines are met. These strategies include coordinating with interested parties, planning activities to be finished on time, and managing and supervising the process’ staff. This is done to guarantee the effectiveness of the e-discovery procedure and the security of protected data.
CardioWear Inc.
Project Step #2: Requirements Definition Document and Entity Relationship Diagram
(ERD)
Mirabel Nambawarr
University of Maryland Global Campus
DBST 651 – Relational Database Systems
Dr. Gonzalez
September 27th, 2022
Requirements Definition Document
1. Entity and Attribute Description
This database will contain five different entities: Patient, Patient Data, Hospital, Insurance, and Emergency Dispatch.
Entity #1
Entity name: PATIENT
Entity description: Individuals who receive healthcare services at healthcare institutions.
Main attributes of PATIENT:
Attribute name: P_NAME
Attribute description: Patient name.
Attribute name: P_ID
Attribute description: Patient ID (primary key).
Attribute name: P_DOB
Attribute description: Patient’s date of birth.
Attribute name: P_GEN
Attribute description: Gender.
Attribute name: P_ADD
Attribute description: Patient’s address.
Attribute name: H_NAME
Attribute description: Preferred hospital’s name (foreign key).
Entity #2
Entity name: HOSPITAL
Entity description: A place where patients seek healthcare services.
Main attributes of HOSPITAL:
Attribute name: H_NAME
Attribute description: Preferred hospital’s name.
Attribute name: H_ID
Attribute description: Hospital ID (primary key).
Attribute name: H_ADD
Attribute description: Hospital address.
Attribute name: I_NAME
Attribute description: Insurance name (foreign key).
Attribute name: H_CONT
Attribute description: Hospital contact details.
Entity #3
Entity name: INSURANCE
Entity description: Companies that provide coverage for patients’ healthcare services.
Main attributes of INSURANCE:
Attribute name: I_NAME
Attribute description: Name of insurance company.
Attribute name: I_ID
Attribute description: Insurance Company ID (primary key).
Attribute name: I_CL
Attribute description: Claim limit.
Attribute name: P_ID
Attribute description: Patient ID (foreign key).
Attribute name: I_CONT
Attribute description: Insurance company’s contact details.
Entity #4
Entity name: PATIENT DATA
Entity description: Healthcare data collected from patients via smart devices.
Main attributes of PATIENT DATA:
Attribute name: S_NO
Attribute description: Serial number of the patient (primary key).
Attribute name: P_ID
Attribute description: Patient ID (foreign key).
Attribute name: P_BP
Attribute description: Patient’s blood pressure, which describes the amount of pressure that circulating blood imposes on the blood vessels.
Attribute name: P_HR
Attribute description: Patient’s heart rate, which is the number of times the patient’s heart beats per minute.
Attribute name: P_O2SAT
Attribute description: Patient’s blood oxygen level, which is the amount of oxygen in circulating blood.
Entity #5
Entity name: EMERGENCY DISPATCH (EM_DISPATCH)
Entity description: A group of individuals who provide emergency medical services to patients when needed.
Main attributes of EMERGENCY DISPATCH:
Attribute name: MIN_REQ
Attribute description: Minimum requirements for emergency services (primary key).
Attribute name: H_CONT
Attribute description: Hospital contact details (foreign key).
Attribute name: PROX
Attribute description: Proximity of the patient to the hospital.
Attribute name: E_STAFF
Attribute description: Emergency staff on duty.
Attribute name: P_ID
Attribute description: Patient ID (foreign key).
2. Relationship and Cardinality Description
Relationship #1
Relationship: ‘SEEKS TREATMENT’ between PATIENT and HOSPITAL
Cardinality: M:N between PATIENT and HOSPITAL.
Business rule: Many patients may seek treatment from more than one hospital; several hospitals may provide healthcare services to more than one patient.
Relationship #2
Relationship: ‘COVER’ between INSURANCE and PATIENT.
Cardinality: 1:M between INSURANCE and PATIENT.
Business rule: One insurance may cover several patients’ healthcare; all patients must have at least one insurance cover.
Relationship #3
Relationship: ‘SUBMIT CLAIM’ between HOSPITAL and INSURANCE.
Cardinality: M:N between HOSPITAL and INSURANCE.
Business rule: More than one hospital may submit claims to several insurance companies; more than one insurance company can fulfil claims from more than one hospital.
Relationship #4
Relationship: ‘SERVE’ between EMERGENCY DISPATCH and HOSPITAL.
Cardinality: 1:M between HOSPITAL and EMERGENCY DISPATCH.
Business rule: One hospital has to have more than one active emergency dispatch service; several emergency dispatch services can serve one hospital.
Relationship #5
Relationship: ‘PROVIDE’ between PATIENT and PATIENT DATA.
Cardinality: M:N between PATIENT and PATIENT DATA.
Business rule: Many patients provide patient data via smart devices; a wide range of patient data is collected using smart devices worn by several patients.
Relationship #6
Relationship: ‘ACCESSED BY’ between PATIENT DATA and HOSPITAL.
Cardinality: M:N between PATIENT DATA and HOSPITAL.
Business rule: A wide range of patient data is accessed by several distinct hospitals; a number of hospitals can access patient data collected by smart devices.
Relationship #7
Relationship: ‘MAKE CONTACT’ between EMERGENCY DISPATCH and PATIENT.
Cardinality: M:N between EMERGENCY DISPATCH and PATIENT.
Business rule: Several emergency dispatch teams are responsible for contacting patients who are at risk of suffering cardiovascular attacks; patients who are at risk of suffering cardiovascular attacks will be contacted by emergency dispatch teams.
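As an added example (not part of the requirements document), the following SQLite rendering of the core of the ERD above shows how the stated cardinalities become constraints: the 1:M COVER rule becomes a NOT NULL foreign key on the PATIENT side, the M:N SEEKS TREATMENT relationship becomes a junction table, and foreign-key enforcement rejects a smart-device reading that would otherwise become an orphaned PHI row. The PATIENT_HOSPITAL table, the I_ID column in PATIENT and all sample rows are constructed assumptions; column names otherwise follow the document.

```python
import sqlite3

# Added illustration of the CardioWear ERD (not the original document's code).
# PATIENT_HOSPITAL and PATIENT.I_ID are modelling assumptions explained below.
SCHEMA = """
CREATE TABLE INSURANCE (
    I_ID   INTEGER PRIMARY KEY,
    I_NAME TEXT NOT NULL
);
CREATE TABLE HOSPITAL (
    H_ID   INTEGER PRIMARY KEY,
    H_NAME TEXT NOT NULL
);
-- Relationship #2 'COVER' is 1:M, so the foreign key sits on the PATIENT (many)
-- side; NOT NULL enforces "every patient must have at least one insurance cover".
CREATE TABLE PATIENT (
    P_ID   INTEGER PRIMARY KEY,
    P_NAME TEXT NOT NULL,
    I_ID   INTEGER NOT NULL REFERENCES INSURANCE(I_ID)
);
-- Relationship #1 'SEEKS TREATMENT' is M:N; a relational schema stores it as a
-- junction table whose composite primary key is the pair of foreign keys.
CREATE TABLE PATIENT_HOSPITAL (
    P_ID INTEGER NOT NULL REFERENCES PATIENT(P_ID),
    H_ID INTEGER NOT NULL REFERENCES HOSPITAL(H_ID),
    PRIMARY KEY (P_ID, H_ID)
);
-- Entity #4: one smart-device reading per row, owned by exactly one patient.
CREATE TABLE PATIENT_DATA (
    S_NO    INTEGER PRIMARY KEY,
    P_ID    INTEGER NOT NULL REFERENCES PATIENT(P_ID),
    P_BP    TEXT,
    P_HR    INTEGER,
    P_O2SAT INTEGER
);
"""

def build_db():
    """Create the schema in memory with referential integrity switched on."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FKs unless enabled
    con.executescript(SCHEMA)
    return con

def insert_reading(con, p_id, bp, hr, o2sat):
    """Store one reading; False means the FK rejected a row for an unknown patient."""
    try:
        con.execute("INSERT INTO PATIENT_DATA (P_ID, P_BP, P_HR, P_O2SAT) VALUES (?, ?, ?, ?)",
                    (p_id, bp, hr, o2sat))
        return True
    except sqlite3.IntegrityError:
        return False

def demo():
    con = build_db()  # constructed sample rows; returns (accepted, orphan_rejected)
    con.executescript("""
        INSERT INTO INSURANCE VALUES (1, 'Example Mutual');
        INSERT INTO HOSPITAL  VALUES (10, 'Example General');
        INSERT INTO PATIENT   VALUES (100, 'A. Patient', 1);
        INSERT INTO PATIENT_HOSPITAL VALUES (100, 10);
    """)
    return insert_reading(con, 100, "120/80", 72, 98), insert_reading(con, 999, "118/76", 70, 97)
```

Running `demo()` returns `(True, False)`: the reading for the known patient is stored, while the one for a non-existent patient is refused by the foreign key instead of silently becoming unattributable health data.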
3. Assumptions and Special Considerations
Specific assumptions made during this project include:
• Multiple patients will be willing to allow their data to be accessed to fulfill the functions of the project database.
• Several hospitals will be willing to incorporate the project database into their everyday procedures.
• Little to no training of hospital staff will be required during the transition from other databases.
• The data collected by smart devices is accurate and objective.
• Patients will use their smart wear for most of the day.