Friday, January 15, 2016

Information Security Policy in the Health Care Delivery System



The focus in this blog is on policies, plans, strategies, and guidelines across the healthcare delivery system, with emphasis on information security policy.








The headquarters of the World Health Organization in Geneva, Switzerland (Health Policy. Wikipedia.com)


Health policy can be defined as the “decisions, plans, and actions that are undertaken to achieve specific healthcare goals within a society” (Health Policy. Wikipedia.com). According to the World Health Organization, “an explicit health policy can achieve several things: it defines a vision for the future; it outlines priorities and the expected roles of different groups; and it builds consensus and informs people”. There are many categories of health policies, including personal healthcare policy, pharmaceutical policy, and policies related to public health such as vaccination policy, tobacco control policy or breastfeeding promotion policy. They may cover topics of financing and delivery of healthcare, access to care, quality of care, and health equity (Health Policy. Wikipedia.com).

How is the U.S. health care delivery system organized for high performance, and what are the implications for information security policy?

According to The Commonwealth Fund Commission (CFC), the fragmentation among the national, state, community practice, and private network levels of our health care delivery system, particularly at the community level, is a fundamental contributor to the poor overall performance of the U.S. health care system and to high-cost care, and it more or less influences the design and implementation of a standardized information security policy. In spite of the potential benefits of the CFC recommendations, the financial, regulatory, professional, and cultural environments act as barriers to organizing effective health care delivery and efficient information security policy. Policy interventions are needed for this critical component of health system reform (commonwealthfund.org).

Next, we look, for example, at the health information security policy put in place by the U.S. Centers for Medicare & Medicaid Services (CMS), Baltimore. The CMS privacy policy statement notes that protecting clients’ privacy is very important to them, and that “this privacy notice is for HealthCare.gov, CuidadoDeSalud.gov, and other Healthcare.gov subdomains such as Finder.HealthCare.gov. These sites are referred to as “HealthCare.gov” throughout the rest of this notice and are maintained and operated by the Centers for Medicare & Medicaid Services (CMS)”. The information collected includes, but is not limited to, “Personally identifiable information (PII), defined by the Office of Management and Budget (OMB), refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.” (CMS.healthcare.gov). Other information types collected automatically when a client browses the CMS site are “Domain (for example, comcast.com, if you are using a Comcast account) from which you accessed the Internet, IP addresses (an IP or internet protocol address is a number that is automatically assigned to a device connected to the Web), Operating system (which is software that directs a computer’s basic functions such as executing programs and managing storage) for the device that you are using and information about the browser you used when visiting the site, Date and time of your visit, Pages you visited, Address of the website that connected you to HealthCare.gov (such as google.com or bing.com), Device type (desktop computer, tablet, or type of mobile device), Screen resolution, Browser language, Geographic location, Time spent on page, Scroll depth – The measure of how much of a web page was viewed, User events (e.g. clicking a button)” (CMS.healthcare.gov). Collecting these data helps in quick response and mitigation in the event of data compromise or data breach. This will help ensure the confidentiality, integrity, and availability of information.

Further, CMS asks those who request information from them to provide personal information such as an email address or mobile phone number in order to deliver alerts or e-newsletters. Those who apply for health insurance coverage are required to establish an account on HealthCare.gov by providing first and last name, email address, and responses to three questions for password authentication, identity and security. CMS has a contractual agreement with Experian and Symantec to effect malware and firewall protection from hackers, unauthorized intruders and phishers.

Finally, for information collected from children under the age of 13, CMS has put in place the following health information security policy: “We believe in the importance of protecting the privacy of children online. The Children’s Online Privacy Protection Act (COPPA) governs information gathered online from or about children under the age of 13. The HealthCare.gov site is not intended to solicit information of any kind from children under age 13. If you believe that we have received information from a child under age 13, please contact us at 1-800-318-2596 (TTY: 1-855-889-4325)” (Children and privacy on HealthCare.gov). And for social media sites, the CMS information security policy states, “CMS uses Social Media Sites (listed below) in order to increase government transparency, enhance information sharing, promote public participation, and encourage collaboration with the agency.

Please note that Social Media Sites are not government websites or applications; they are controlled or operated by the Social Media Site. CMS does not own, manage, or control social media sites. In addition, CMS does not collect, maintain or disseminate information posted by visitors to those sites. If you choose to provide information to a Social Media Site through registration or other interaction with the site, the use of any information you provide is controlled by your relationship with the Social Media site. For example, any information that you provide to register on Facebook is voluntarily contributed and is not maintained by CMS. This information may be available to CMS Social Media Page Administrators in whole or part, based on a user's privacy settings on the Social Media site. Although you may voluntarily contribute to a Social Media Site with the intent to share the information with others on a CMS Social Media Page, to protect your privacy, please do not disclose personally identifiable information about yourself or others.

CMS does not keep separate records or accounting of any Social Media Site users or their interaction with the HealthCare.gov pages on Social Media Sites. CMS does not store or share this information. User information is retained by Social Media Sites in accordance with the Site’s policies. See each Social Media Site’s privacy policy to see how long user information is retained after an account has been deleted. Social Media Site users can learn more about how their information is used and maintained by each Social Media Site by visiting their privacy policy (see below)” (CMS.healthcare.gov).





References

Health Policy. Wikipedia. (2015-12-23). Retrieved (2016-1-14), from https://en.wikipedia.org/wiki/Health_policy

Organizing the U.S. Health Care Delivery System for High Performance. The Commonwealth Fund. (2008-8-1), Retrieved (2016-1-14), from http://www.commonwealthfund.org/publications/fund-reports/2008/aug/organizing-the-u-s--health-care-delivery-system-for-high-performance

CMS Privacy Notice Policy for healthcare.gov (2015-10-7). Retrieved (2016-1-4) from https://www.healthcare.gov/privacy/
