Privacy, Security, and Ethics Electronic Medical Records HLTH 2115 AAWC Health Informatics.


Page 1:

Privacy, Security, and Ethics: Electronic Medical Records

HLTH 2115 AAWC Health Informatics

Page 2:

Contents

• What is a medical record?
• Security and Privacy
• Archiving and disaster prevention
• Accountability, Confidentiality, and Ethics
• Workplace considerations

Page 3:

What is a medical record?

• Everything about you performed by a care provider
  • Doctor, nurse, phlebotomist, radiology technician
• Every activity
  • Exams, meds, lab tests, x-rays
• Paper form
• Electronic

Page 4:

Security, Privacy, Confidentiality

• Privacy – The Right
  • Right of the individual to have anonymity
• Confidentiality – The Expectation
  • Obligation of the user of an individual’s information to respect and uphold that individual’s privacy
• Security – The Mechanism
  • Policies, procedures, mechanisms, tools, technologies, and accountability methods to support Privacy

Page 5:

Privacy

• Consent is required
• Patient Rights
  • Inspection, Proposing Amendment, Disclosure Accounting
• Exceptions
  • Public Health, Legal Obligations for Disclosure

Page 6:

Privacy

• Consent + Minimum Necessary
  • Your data will not be presented in a way where you can be identified
  • If we mask your name, but leave your address, age, and gender, you can be identified
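The masking problem on this slide can be measured. The following is an added example, not part of the original slides: it hides names in a small constructed data set, counts how many rows share each address/age/gender combination, and shows that coarsening those fields raises the smallest group above one. All records and function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample records, not real patient data.
RECORDS = [
    {"name": "Ann Lee", "address": "12 Oak St", "age": 34, "gender": "F", "lab": "HbA1c 6.1"},
    {"name": "Bea Roy", "address": "40 Oak St", "age": 37, "gender": "F", "lab": "TSH 1.9"},
    {"name": "Cy Dunn", "address": "7 Elm Ave", "age": 61, "gender": "M", "lab": "PSA 2.0"},
    {"name": "Dev Rao", "address": "9 Elm Ave", "age": 66, "gender": "M", "lab": "LDL 140"},
    {"name": "Ed Park", "address": "3 Elm Ave", "age": 63, "gender": "M", "lab": "LDL 95"},
]
QUASI_IDS = ("address", "age", "gender")  # the fields the slide says were left in

def mask_names(records):
    """Masking as described on the slide: hide the name, keep everything else."""
    return [{**r, "name": "***"} for r in records]

def smallest_group(records, fields=QUASI_IDS):
    """Size of the smallest set of rows sharing the same quasi-identifier values.
    A result of 1 means at least one patient is unique, hence identifiable."""
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    return min(groups.values())

def link(records, **known):
    """Rows matching facts an outsider already knows (e.g. a neighbour's address and age)."""
    return [r for r in records if all(r[k] == v for k, v in known.items())]

def generalize(records):
    """Coarsen the quasi-identifiers: street without house number, age as a decade."""
    return [{**r,
             "address": r["address"].split(" ", 1)[1],
             "age": f"{r['age'] // 10 * 10}s"} for r in records]

def report():
    masked = mask_names(RECORDS)
    hit = link(masked, address="7 Elm Ave", age=61, gender="M")
    return {
        "k_masked": smallest_group(masked),                   # name hidden only
        "linked_lab": [r["lab"] for r in hit],                # what linkage exposes
        "k_generalized": smallest_group(generalize(masked)),  # after coarsening
    }

if __name__ == "__main__":
    print(report())
```
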

Page 7:

Security – The Three “A”s

• Authentication
  • You are who you say you are
• Authorization
  • You can see and do what you are permitted by policy to see and do
• Accountability
  • You are held responsible for what you see and do

Page 8:

Authentication

• Passwords – simplest form of authentication
• Can be very secure, but one breach can spread rapidly
• Can be too secure – if you forget your password

Page 9:

Biometric Authentication

• Identify who you are by a physical attribute
• Signature
• Facial Points
• Voice Print
• Typing Style

Page 10:

Biometric Authentication

• Fingerprint
  • Optical, Digital
  • Hmmm… would someone in a hospital have access to a severed finger?
• Iris/retina
  • Highly accurate
  • Same issue as with a dead finger
  • Requires a camera

Page 11:

Authorization Models

• User Based
  • I have certain authorization rights based on who I am as an individual
• Role Based
  • I have authority based on my role e.g. doctor vs. nurse vs. lab technologist
• Context Based
  • Who you are + Where you are + What you are + When you are What you are

Page 12:

Accountability

• Security can help ensure accountability
• Audit Logging – “We know where you’ve been”
• Password policies
• Alert capabilities
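The three authorization models from the previous slide and the audit logging and alerting listed here fit together in one access check. The following is an added example, not part of the original slides: the policy tables, user names, areas and shift hours are all hypothetical. Every decision is written to the audit log, and repeated denials against one patient raise an alert.

```python
from collections import Counter
from datetime import time

# Constructed policy data; every name below is hypothetical.
ROLE_PERMS = {"doctor": {"notes", "labs", "meds"},
              "nurse": {"labs", "meds"},
              "lab_tech": {"labs"}}
USER_GRANTS = {("clerk_jo", "p100"): {"labs"}}   # user-based: one individual's exception
CARE_TEAM = {"p100": {"dr_kim", "rn_diaz"}}      # who is treating which patient
CLINICAL_AREAS = {"ward_3", "lab"}
SHIFT = (time(7, 0), time(19, 0))

def authorize(log, user, role, patient, section, where, when):
    """Decide one access request and append the decision to the audit log."""
    user_ok = section in USER_GRANTS.get((user, patient), set())
    role_ok = section in ROLE_PERMS.get(role, set())         # what you are
    context_ok = (user in CARE_TEAM.get(patient, set())      # who you are
                  and where in CLINICAL_AREAS                 # where you are
                  and SHIFT[0] <= when <= SHIFT[1])           # when you are
    allowed = user_ok or (role_ok and context_ok)
    log.append({"user": user, "patient": patient, "section": section,
                "where": where, "when": when, "allowed": allowed})
    return allowed

def alerts(log, threshold=2):
    """Flag (user, patient) pairs with repeated denied attempts."""
    denied = Counter((e["user"], e["patient"]) for e in log if not e["allowed"])
    return sorted(pair for pair, n in denied.items() if n >= threshold)

def demo():
    log = []
    results = [
        authorize(log, "dr_kim", "doctor", "p100", "notes", "ward_3", time(9, 30)),
        authorize(log, "rn_diaz", "nurse", "p100", "notes", "ward_3", time(9, 35)),
        authorize(log, "clerk_jo", "clerk", "p100", "labs", "office", time(10, 0)),
        # A doctor who is not on the care team looks at the same patient twice.
        authorize(log, "dr_lee", "doctor", "p100", "labs", "ward_3", time(11, 0)),
        authorize(log, "dr_lee", "doctor", "p100", "notes", "ward_3", time(11, 5)),
    ]
    return results, alerts(log), len(log)

if __name__ == "__main__":
    print(demo())
```
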

Page 13:

Ethics and Morals

• One definition
  • Morals – choice between right and wrong
  • Ethics – choice between right and right
• Example
  • Famous person in hospital, and you’re curious about their lab results

Page 14:

Workplace Ethics

• Many people may have access to patient data
• Trust
• Knowledge of Rules
• Awareness of Consequences
• Whistle-blowing
• Can someone look up information about a family member or a celebrity?

Page 15:

A Problem

• FAXing a document to a remote location
  • Anyone in the office can potentially see patient data

Page 16:

Other Means of Security

• Physical Access
  • Secured Areas – locked rooms
  • Location of computer screen
• Technology Solutions
  • Restrict levels of access to programs
  • Time out function

Page 17:

Technology Solutions

• Data Encryption e.g. KHDOWK
• Data Aging – remove data after a certain time
• Data Transmission Security – can’t move what isn’t authorized
• Local Authentication
  • Includes time-out function

Page 18:

Archiving

• Paper-based files may need to be kept for a number of years for legal reasons
• Dead patients and inactive patients
• Archive paper-based files electronically by scanning and storing on secure hardware

Page 19:

Disaster control

• What happens when something goes wrong e.g. fire, flood, earthquake?

Page 20:

Questions?