Difference between revisions of "Privacy, Confidentiality, and Electronic Medical Records"

From Clinfowiki
Jump to: navigation, search
(Comments)
(Comments)
Line 43: Line 43:
  
 
== Comments ==
 
== Comments ==
As a security analyst in my current employment, I have seen firsthand my organization implement the recommendations mentioned in the article. Privacy and confidentiality is always in question when granting users access to EMRs. As a security analyst, I find myself asking users when granting access, "What type of access do you need?" "Why do you need access?" Therefore, in my opinion I feel that privacy, confidentiality and security should be considered core fundamental principles in which organizations must define and establish prior to granting users access to their EMRs.
+
As a security analyst in my current employment, I have seen firsthand my organization implement the recommendations mentioned in the article. Privacy and confidentiality is always in question when granting users' access to EMRs. As a security analyst, I find myself asking users when granting access, "What type of access do you need?" "Why do you need access?" Therefore, in my opinion I feel that privacy, confidentiality and security should be considered core fundamental principles in which organizations must define and establish prior to granting users access to their EMRs.
  
 
= References =
 
= References =

Revision as of 22:00, 8 April 2015

This is a review on Barrows, R., & Clayton, P. (1996) article, Privacy, Confidentiality, and Electronic Medical Records. [1]


Goals of Informational Security in Health Care

Although health information is becoming more readily available in health care settings to improve quality and save on health care costs, there is concern for privacy and confidentiality. An electronic medical record (EMR) allows providers and clinicians to access and share a patient's medical health information among authorized individuals. The increase in number of authorized users, including remote access and from multiple sites, to access patient electronic medical records (EMRs) can reduce privacy. Because there is a risk of a potential breach of privacy and confidentiality, healthcare organizations should establish security measures to protect their data.

To assist organizations, the goals of informational security in health care should be considered.

  • Ensure the privacy of patients and confidentiality of health care data
  • Ensure the integrity of health care data
  • Ensure the availability of health data for authorized persons


Security Policy

A cohesive security policy for securing health data should be in place to reduce vulnerability [2]. Organizations should define a policy that will not only protect their patients but also their personnel who are authorized to view data and outside vendors such as insurance companies and managed care organizations.

Organizations should define their security policy based on the following factors:

  • Functional requirements of an information system
  • Security requirements for the system
  • A threat model

Privacy and Confidentiality in Health Care

In addition to a security policy, privacy and confidentiality should also be established between clinicians and patients. When patients "trust" clinicians with their medical data, privacy and confidentiality is established. There are different measures organizations can implement to protect privacy and confidentiality.

  • Establishing data ownership and legal accountability
  • Implementing informed consent to disclosure
  • Establish primary uses of medical records
  • Create user authentication and access control [3]
    • Password security
    • User-specific or role-specific views
  • Implement encryption software -- often referred to as cryptography
  • Implement protocols and mechanisms that will test and verify data --- referred to as data integrity
  • Create firewalls between EMR sites and internal networks
  • Recommend implementation of audit trail software

A Comparison of the Paper and Electronic Record Environments

Electronic records are more secure than paper records if and when the right policies are in place. For instance, with paper records organizations are unable to access audit trails and secure information based on user roles. In a paper record, all data is accessible to all viewers. In addition, paper records can be potentiality be misplaced and altered.

Conclusion

In conclusion, as EMR adoption increases healthcare organizations need to ensure that although they are allowing users to view and share patient data among one another, security should always be a top priority. Protocols involving electronic security features should be put in place for EMRs safety during the creation of these EMRs applications. There are many barriers organizations will encounter with security but if they follow the recommendations above it will be beneficial to themselves, users and their patients.

Comments

As a security analyst in my current employment, I have seen firsthand my organization implement the recommendations mentioned in the article. Privacy and confidentiality is always in question when granting users' access to EMRs. As a security analyst, I find myself asking users when granting access, "What type of access do you need?" "Why do you need access?" Therefore, in my opinion I feel that privacy, confidentiality and security should be considered core fundamental principles in which organizations must define and establish prior to granting users access to their EMRs.

References

  1. Privacy, Confidentiality, and Electronic Medical Records Randolph C. Barrows , Paul D. Clayton Journal of the American Medical Informatics Association Mar 1996, 3 (2) 139-148; DOI: 10.1136/jamia.1996.96236282 Retrieved from http://jamia.oxfordjournals.org/content/3/2/139
  2. Curran WJ, Steams B, Kaplan H. Privacy, confidentiality and other legal considerations in the establishment of a centralized health-data system. N Engl J Med. 1968;281:241-8.
  3. Orr GA, Brantley BA. Development of a model of information security requirements for enterprise-wide medical information systems. In Frisse ME, ed. Proceedings of the Sixteenth Annual Symposium for Computer Applications in Medical Care. New York: McGraw-Hill, 1992:287-91.