JR - Health Care Compliance Association

More documents

Recommendations

Info

LEVERAGING HIPAA...continued from page 7 August 2002 8 The owner of the classification project should understand the determining factors and apply them to the business process of the organization to develop the appropriate classifications. The end result should be information classified into five or six simple categories (in addition to subcategories) that allow users to quickly understand the type of information with which they are working. Identifying the classifications For example, there are five classifications that would serve most health care organizations well. These classifications are: ■ Research:( Access granted only on an individual basis and not rolebased) This classification targets activities by researchers conducted within an organization. These include open as well as blinded studies. Access is provided after a matching of individuals to specific information and is never role-based. An example of the difference in treatment of this classification is that in some cases Independent Review Board members could have full access to certain information, while physicians, therapists, program administrators on certain studies would be more restricted. ■ PHI Restricted: This classification is for sensitive information that must be carefully controlled. An example is psychotherapy notes (HIPAA). In order to determine additional data that fit into this category, it will be necessary to consider the extent to which more stringent state laws relating to specific categories of health information, such as HIV test results, mental health records, and genetic information are not preempted by HIPAA. ■ PHI: This is the classification for most other patient-related information that does not fall within the “PHI Restricted” category. Examples might include regular physician visits, inpatient stays, personal history, etc. If the organization has developed methods for de-identifying PHI, processes must be developed to permit broader access to the PHI after, and only after, de-identification has been completed. ■ Internal Use: All organizations have information to which they must restrict access but is not PHI. This information may consist of financial information, real-estate market feasibility studies for clinic expansions or decision analysis documents. A subclassification of “Internal Use” could include an “Audit” or “Confidential Financial” category that is further restricted to employees in certain departments. Other information may constitute trade secrets of the organization under state law, such as proprietary protocols, business methods, and customer lists. In order to afford this information with legal protection as trade secrets, it is generally advisable to label the data as confidential and treat it as such. ■ Public: Some mistakenly believe that if the information does not fall into one of the above classifications, there are no restrictions. This is a dangerous assumption. First, often newly produced information has not yet been classified and identified. Therefore, the best practice is to identify all information, even that which is to be released to the public. Similarly, each organization should incorporate a policy in which unidentified information automatically defaults (at a minimum) to “Internal Use” classification until otherwise classified. The above categories are proposed as general guidelines without regard to organizational particularities. Once the classification development work is completed however, the owners of the specific information (i.e. business office or health information management) should begin to group their departmental information into the appropriate classifications that have been identified. Business unit participation At first glance this may appear overwhelming. The process is quite manageable however, given the appropriate set of tools employed in a reasonable order. One of the first steps should be to include the business unit managers and supervisors in the process. Although one department will be responsible for safeguarding and controlling the access to information ultimately, business unit participation in classifying the data is essential. A key aspect to the effective implementation of the classification process is facilitating the meetings with the business units. Since there are few business unit leaders with this type of experience, the classification process owner will need to take the lead. Individual meetings with the various business group managers and supervisors keep the meeting productive. It is ill advised to have too many groups present at once. Each department perceives its sit-
uation as unique. The divide and con- tion is classified based on each job during the classification quer method allows the individual “Confidentiality”, “Integrity” and process. attention necessary for efficient and “Availability”. All data not consid- effective results. ered “Public” should have at least There are obvious benefits to imple- Creating a collection tool These meetings should focus on collecting a description of the information created and used by the business units. A successful method used in other industries includes providing a fill-inthe-blank form with clear instructions for completion. Fields that should be included are: ■ Department: The group that owns the information. ■ Contact information of reviewer: The contact information for the business unit individual conducting the classification process ■ Date: The date that the review was conducted. This is an ongoing process that usually should be reviewed annually ■ Information name/description: This is an identifier and description of the specific information maintained by the business unit. This should be at a moderately high level; not a listing of each individual document ■ Storage method: Describe the method or medium in which the information is stored. For example: Paper, Hard Disk, Tape Drive, email archive, etc. ■ Classification: Each line item can only fall into ONE classification. The better practice is to err on the side of caution. If there is a question the more restrictive classification level should be used. The default for information that has no determination should be Internal Use ■ Determining factors: The informa- one determining factor selected Information marking After each business unit has appropriately analyzed and classified their information, the next step is information marking (IM). The goal of IM is to provide organizations with a common identification scheme that allows the employees to readily identify and appropriately handle any piece of information. Effort should be made to keep the scheme as simple as possible. For instance, PHI might be marked with one color, while more restricted information (PHI Restricted) is marked with another. Each color is identified with specific handling instructions (“faxing not allowed”). Other considerations include computer systems that are clearly identified as a PHI site as well as printers and faxes labeled as restricted where appropriate. In addition, many companies use electronic banners that present at system log-on. Managing access The final step in the information management process is managing access to the information once it has been classified. There are numerous approaches to achieve this goal depending on the size and complexity of the organization. One approach is role-based access control (RBAC). RBAC is a system of access management structured on a minimum necessary, need-to-know basis in order to fulfill a role within the organization. The business unit managers define the classification level for menting RBAC. The most notable of which is the prevention of “access creep”. Access creep occurs when employees are promoted or transferred within an organization. Often they are granted additional access with each move. Many times there is no systems for correcting corresponding prior levels. Another approach is Discretionary Access Control (DAC). DAC is primarily based on the discretion of the information owner and is not as uniform in creation and application. This approach may work appropriately for smaller organizations but in larger ones access creep is almost a certainty if not monitored closely. Additional benefits Additional possibilities materialize for leveraging this system into other departments, such as human resources. Employee badges might be marked in accordance with the classification scheme, providing a simple and effective method for visibly matching employees with appropriate access. For companies employing a higher level of technology, such as proximity cards, swipe badges, or tokens in their physical access or network controls, the access levels could be synchronized. This would allow for real-time low-level audit capabilities in the following scenario. An employee possesses one access card, provided by the human resources Continued on page 10 9 August 2002
Page 1 and 2: Volume Four/Number Eight August 200
Page 3 and 4: DON’T MISS OUT! ON THE CALENDAR U
Page 5 and 6: FOCUS ON ETHICS & COMPLIANCE Compli
Page 7: system. Other advantages include ea
Page 11 and 12: By Norman Radies Editor’s note: N
Page 13 and 14: feature article Editor’s note: Th
Page 15 and 16: there are so many issues that have
Page 17 and 18: 3. Have a witness! Do interviews wi
Page 19 and 20: leagues. Physicians can hear the me
Page 21 and 22: Alyse Hutchinson, Associate Complia
Page 23 and 24: many tasks forces as they deemed ap
Page 25: Editor and Publisher: Margaret R. D

JR - Health Care Compliance Association

Create successful ePaper yourself

Delete template?

Save as template?