Information Security Awareness Training is critical in the healthcare delivery system not just because human lives are involved, but also because security breaches there are more frequent and more costly. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule sets the standards for protecting electronic protected health information (e-PHI), while the Privacy Rule covers individually identifiable health information in any form (hipaa-101.com). The Security Rule's safeguards fall into three categories, which include, but are not limited to: “Administrative Safeguards – usually assigned to the HIPAA security compliance team; Physical Safeguards – these relate to protection of electronic systems, equipment, devices and data access; and Technical Safeguards – deal with authentication, encryption, cryptography for data access control.”
Further, the Security Rule defines “confidentiality to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, integrity means that e-PHI is not altered or destroyed in an unauthorized manner. Availability means that e-PHI is accessible and usable on demand by an authorized person” (hhs.gov). The same summary also states that “the Security Rule, like all of the Administrative Simplification rules, applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA” (hhs.gov).
The most effective and efficient security awareness training program is an ongoing, systematic approach that maximizes learning, improves retention, and stays simple. HIPAA's training requirement states this clearly: “Organizations should provide a training program to raise awareness of HIPAA rights. Every individual in the organization must be trained on a regular basis. Training should be provided to include employee awareness, password safeguarding and changing, workstation access, software use, incident handling, virus and malware, identification challenge and other mission critical operations” (Studystruct Inc).

The penalties for getting this wrong are substantial. Under “General Penalty for Failure to Comply with Requirements and Standards” in Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996, Section 1176 provides that the Secretary may impose a civil penalty of up to $100 per violation, with a maximum of $25,000 per calendar year for violations of an identical requirement, on any person who violates a provision of this part. Under “Wrongful Disclosure of Individually Identifiable Health Information,” Section 1177 says that “a person who knowingly
- uses or causes to be used a unique health identifier
- obtains individually identifiable health information relating to an individual
- discloses individually identifiable health information to another person
shall be fined not more than $50,000, imprisoned not more than one year, or both. If the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than five years, or both. If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $25,000, imprisoned not more than 10 years, or both” (Studystruct Inc). The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009 raised the civil penalties to a tiered scale, from $100 per violation up to $50,000 per violation, with a cap of $1,500,000 per calendar year for all violations of an identical provision.
In conclusion, information security awareness training must be conducted on a regular basis across the healthcare delivery system so that management and staff stay prepared to detect and mitigate internal and external threats to health information. Healthcare personnel are the front line in protecting PHI, and the civil and criminal consequences of HIPAA and HITECH violations make that preparation a necessity rather than an option.
References
HIPAA 101 Guide to Compliance Rules & Laws. (n.d.). Retrieved 2016-01-21.
Summary of the HIPAA Security Rule. (n.d.). Retrieved 2016-01-21.
Information Systems Security Awareness (2015). HHS Cybersecurity Program. Retrieved 2016-01-20. http://www.hhs.gov/ocio/securityprivacy/awarenesstraining/issa.pdf
HIPAA Security Awareness Training (2013-2014). Retrieved 2016-01-22. http://hipaasecurityawareness.com/privacy-policy