Implementation of Organizational Practices to Protect Information in Health Organizations

Ann J. Olsen, Director, Information Management Planning, Vanderbilt University Medical Center, November 10, 1998 (PowerPoint presentation)


TRANSCRIPT

Page 1: Implementation of Organizational Practices to Protect Information in Health Organizations

Ann J. Olsen

Director, Information Management Planning

Vanderbilt University Medical Center

November 10, 1998

Page 2

Presented at: 1998 Annual Symposium of the American Medical Informatics Association, “A Paradigm Shift In Health Care Information Systems: Clinical Infrastructures for the 21st Century,” November 7-11, 1998, Lake Buena Vista, FL

Authors: Ann J. Olsen, M.B.A., M.A., Dario Giuse, Dr.Ing., Ruby B. Borden, B.S.N., R.N., Martha K. Miers, MS, MBA, MT(ASCP), Mary G. Reeves, R.R.A., William W. Stead, M.D., Vanderbilt University Medical Center, Nashville, Tennessee

See symposium proceedings for paper of same title.

Page 3: VUMC: Early 1997

IAIMS implementation

– widely used patient record repository and other patient care systems

– extensive use of networked PC’s throughout for research, patient care, education, management

Inadequate confidentiality policy

VUMC-wide information policy team with liaisons to major stakeholders

Page 4: VUMC: Early 1997

Agreement on need for comprehensive information security program

– not limited to electronic information

– not limited to patient information

– enterprise wide

Initial drafts of three new policies

Page 5: Policy Development Challenge

[Organization chart: Chancellor; Vice Chancellor Health Affairs; Personnel & Communication; Space Management; Financial Management; Informatics Center; Research and Technology Transfer; Medical Group & Clinics; Hospital; School of Medicine; School of Nursing; Health Plans]

No standard process for review and approval of Medical Center-wide policy

Major organizational units have long-standing policy-making bodies

Page 6: VUMC Information Policy: Organizational Relationships

[Diagram: Information Policy Advisory Committee and Information Policy Support Team (IPST); one body of 9 members (key stakeholders), the other of 25+ members (broad participation). IPST liaisons connect to: School of Nursing; Administrative Leadership Team; Patient Care Services Board; Vanderbilt Medical Group; Legal, Financial, Risk, Compliance, Human Resources; Vanderbilt Health Services; VUH/VMG Policy & Procedure Committee; Finance & Administration; Executive Faculty, School of Medicine; Other]

Page 7: Emerging Landscape

JCAHO standards require classification and protection of information

HIPAA

– Proposed security standard applies to all health care information electronically maintained or used in an electronic transmission

S. 2609 introduced Oct. 9, 1998

– Proposed Medical Information Protection Act will be reintroduced in early 1999

– Applies to all media

Page 8: For the Record: Protecting Electronic Health Information

Recommendations:

– Technical practices for immediate implementation

– Technical practices for future implementation

– Organizational practices for immediate implementation

Page 9: Organizational Practices

Security & Confidentiality Policies

Security & Confidentiality Committees

Information Security Officers

Education and Training

Sanctions

Improved Authorization Forms

Patient Access to Audit Logs

Page 10: Information Security and Confidentiality Policies

[Diagram: Existing Policy: Confidentiality; Information Security, Confidentiality, & Privacy; Security for Electronic Information & Systems; Confidentiality of Patient Information; Classification of Information; Information Security & Confidentiality Agreements]

Platform for Compliance with Current & Future Standards

Page 11: Information Security, Confidentiality, and Privacy

Provides structure and process

– Information Security, Confidentiality, and Privacy (ISCP) Committee

– Information Security Officer (ISO)

– Information Security Managers (ISM)

Defines responsibilities

– Enterprise, Unit, Individual

Page 12: Security for Electronic Information and Systems

Establishes requirement for enterprise standards

ISCP Committee sets standards

– risk analysis

– technical recommendations

Allows standards to evolve without changing policy

Page 13: Confidentiality of Patient Information

Defines confidential patient information

Reinforces “need to know”

Provides broad guidelines for handling patient information

Page 14: Classification of Information

Sets requirement and process to identify and classify information based on need for protection

Three classifications

– confidential, restricted, unrestricted

Page 15: Information Security and Confidentiality Agreements

Establishes requirements for faculty, staff, trainees, volunteers, contractors, vendors, partners …

Defines process for approving forms and implementation

Page 16: Security and Confidentiality Committees

Information Security, Confidentiality, and Privacy (ISCP) Committee

– establishes standards & practices based on recommendations of technical staff, ISO, and others

– oversees and promotes information security programs

– coordinates with other groups, e.g., Medical Records Committee

Page 17: Security and Confidentiality Committees

Subcommittee of ISCP and Medical Records Committees for Protection of and Access to Patient Electronic Records (PAPER)

Recommend procedures to control and document access and use of patient electronic records, e.g.,

– Plan use of audit trails

– Improve authorization forms

– Review requests for access and proposals for use of electronic records

Page 18: Information Security Officers

New position for VUMC Information Security Officer

– Administrative

– Policy

Coordinate with staff providing technical leadership and support

Page 19: Information Security Officers

Departmental Security Administrators to become Information Security Managers

Information security improvement

– assess

– plan

– implement

– evaluate

Page 20: Education and Training

Information Security Managers

– Information Security Guide

– Templates for Information Security Assessment and Plan

– Initial orientation sessions with regular follow-up

– Periodic meetings for updates and feedback

– One-on-one sessions with ISO

Page 21: Education and Training

Universal - embed in process

– Job descriptions rewritten

– Agreements

– Orientations

– Performance goals

– Systems training

– Screen saver

– Security assessments & plans

Compliance education program

Page 22: Sanctions

Coordination with related corporate compliance effort

Guidelines: appropriate & inappropriate behavior

Tiers of violations (e.g., unauthorized access vs. unauthorized disclosure)

Use existing disciplinary processes

Violations may be reported to any of:

– ISO, Compliance Office, Employee Relations, Supervisor

ISCP Committee receives summary of violations and outcomes

Page 23: Improved Authorization Forms

Have recently changed forms to increase options

Continuing effort involving Medical Records Committee, PAPER Subcommittee, and others

Page 24: Patient Access to Audit Logs

Currently review audit log for medical record repository on request

On agenda of PAPER subcommittee

Page 25: Expected Challenges

Consistent application of sanctions

Consistent adoption of standards across departments

Accountability of Information Security Managers

Adequacy of resources for communication, training, implementation

Page 26: Expected Benefits

Platform for compliance with future requirements

Increase understanding of security issues

Reduce risk

Support desired culture

Page 27

[email protected]