HCAD 650 UMDC HIT Audit System Cybersecurity Discussion

Hi, Please read and respond to peer discussions. 

Peer 1: Cybersecurity

Part 1: Critical Analysis of the Law

  1. Evaluate HIPAA security requirements for a security risk assessment (SRA).
    • How would you complete a security risk assessment that meets HIPAA security requirements? Outline it. 
    • What physical, administrative, and technical safeguards would you recommend to keep data secure?

To complete a risk assessment that integrates HIPAA security requirements, first, there has to be a determination on what PHI is readily accessible. Secondly, the current security measures have to be assessed, starting with the documentation of the current efforts that safeguard PHI (Hofmann et al., 2020). Thirdly, identify whether there are vulnerable areas in the organization where risks may occur. Fourth, risk levels should be determined to identify the harm that they may bring (Rosenbloom et al., 2019). Lastly, documentation is done to record the levels of risks and threats as well as to create corrective action to stop or reduce these risks.

First, for the part of administrative safeguards, policies and procedures are supposed to govern this space to ensure that an organization protects ePHI and that there is compliance with all the individual security rules. Secondly, for the purpose of physical safeguards, both the physical structure and electronic equipment of an organization are mostly considered (Showalter, 2017). Lastly, technical safeguards can be achieved by audit controls, integrity controls, access control, and transmission control, all aimed to determine how technology will be used to protect ePHI and control access to individual data.

  2. Evaluate HIT audits as a compliance tool. Describe an audit process you recommend that would meet the following criteria.
    • The audit is fair and unbiased and free from conflict of interest (1-2 points).
    • The audit results are effectively communicated to senior levels of the organization (1-2 strategies).
    • There is a process in place to correct any problems identified in the audit (1-2 actions).

HIT audit compliance tools are used to make sure that all the processes are followed and that the outcome is very sustainable. To recommend my ideal HIT audit, there should be a body that is independent so as to oversee all the audits to ensure fairness. The audit should be followed in a transparent manner, and all guidelines followed by qualified and professional auditors who should communicate the results on a regular basis to uphold good communication. Consequently, it is essential to ensure that the audit is reviewed on a regular basis to identify any issues and curb them.

  3. How could a strong HIT audit system and the ACHE Code of Ethics serve to prevent the situation described in The Tracks We Leave: Chapter 9 Information Technology Setback: Heartland Health Care System? Be specific and demonstrate an understanding of the risks and how the compliance tool can be used specifically to control the risks.

The use of both a strong HIT audit system as well as the ACHE Code of Ethics could be used to avoid any situation like that described in chapter 9, Information Technology Setback, as a way of ensuring that each employee is adequately prepared and trained to use the system, where the system should also be regularly audited against every single HIPAA regulation. The ACHE Code of Ethics could also be used in the prevention of the given adverse situation, where all employees can be required to meet the highest ethical code of conduct.

Part 2: Strategic Compliance with the Law

  1. Evaluate what you need to do to respond to the cyberattack. Recommend a cyberattack response. Your response should include:
    • Methods to secure stolen data and mitigate harm (two).
    • Actions to correct the problem that allowed for the cyberattack (two).

The first measure to secure stolen data and mitigate harm is by investigating any cyberattacks and identifying attackers, as well as working with all departments to secure their patients’ data (Bowers et al., 2022). To correct problems, an organization must ensure that all individual systems are updated with all the latest security features, as well as train employees on how to use the EHR systems in the right way.

  2. Evaluate the breach notification requirements under HIPAA.
    • What breach notice actions do you recommend? (1-2)
    • When do they need to be completed?

The individual breach notification requirement under HIPAA is that an individual organization/company must be in a position to notify all the individuals who could be affected by a data breach without any delay, mostly before 60 days are over (Showalter, 2017). This notification should include a description of the nature of the breach as well as the date of the breach.

  3. Evaluate the organization’s duty of privacy and security for HIV patients.
    • What do you recommend to keep this information secure during future reporting? 
    • Are any additional protections required because of the HIV status?  Why or why not?

For future purposes, individual organizations securing information of HIV patients should regularly test their systems to ensure that they have the updated security features to secure patients’ data, where every vulnerability should be eliminated. There is a requirement for additional protection for HIV patients’ privacy, as HIV status is considered to be protected health information under HIPAA.
Bowers, G. M., Kleinpeter, M. L., & Rials, W. T. (2022). Securing Your Radiology Practice: Evidence-Based Strategies for Radiologists Compiled From 10 Years of Cyberattacks and HIPAA Breaches Involving Medical Imaging. Perspectives in Health Information Management, 19(3), 122-124.

Hofmann, P. B., Perry, F., & Gooch, B. E. (2020). Management mistakes in healthcare: identification, correction and prevention.

Rosenbloom, S. T., Smith, J. R., Bowen, R., Burns, J., Riplinger, L., & Payne, T. H. (2019). Updating HIPAA for the electronic medical record era. Journal of the American Medical Informatics Association, 26(10), 1115-1119.

Showalter, J. S. (2017). The law of healthcare administration. Health Administration Press. 

Peer 2: Medical Record in Court 

Part 1:  Critical Analysis of the Law

  1. Usually, healthcare professionals can be requested by the court to provide patients’ therapeutic accounts under subpoenas. Typically, a subpoena refers to a lawful decree that usually is issued by a court of law to any associated individual as per the appeal of the involved party in a court happening (Fleming, 2021). Specifically, HIPAA does permit providers to disclose information to a party issuing a subpoena if the notification requirements of the confidentiality policy are met.

45 CFR 164.512 contains some very specific requirements with regard to use of subpoenas to obtain medical records. For a party in litigation to obtain medical records without written patient authorization, HIPAA requires that the request be accompanied by either (a) a statement that the patient has been given notice of the request and has had an opportunity to object, or (b) a motion for a qualified “protective order” (this is in accordance with 45 CFR 164.512(e)). A qualified protective order requires that any protected health information can be disclosed only for the purposes of litigation, and that any protected health information disclosed must be returned to the provider at the end of litigation (Lynch, 2018, p. 4, para 6-7).

  2. Measures should be taken to ensure that any printed or released patient information is only stored in work locations and isn’t accessible to the general public. Discussions about patient care should primarily be kept private to reduce the likelihood that people who are not interested in the material will access it (Greene & McGraw, 2020). Last but not least, passwords can be created to protect electronic information. Emailing and texting, in general, do not violate HIPAA, although there are several exceptions. For example, sending an email containing PHI to an incorrect recipient is obviously an unlawful disclosure and a violation of HIPAA.

Policies and practices that can regulate email and messaging in a hospital context include not sharing certified e-mail accounts with family members of patients.

It is critical to use encryption technology to protect all messages (Greene & McGraw, 2020). Guidelines should be set up to reduce unencrypted wireless communications connections containing patient-identifiable data. “(Electronic) PHI – whether at rest or in transit – must be encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable” (HIPAA Journal, n.d., p. 5, para 1).

  3. A business’s management of its records, from creation to retention and disposal, is outlined in its record retention policy, because such policies make it easier for organizations to retrieve documents for quick reference. Record destruction policies, meanwhile, acknowledge that workers, unpaid staff, and executive members have basic record retention obligations to maintain, record, store, and destroy the institution’s documents and data (Herzig, 2020). Finally, litigation is involved in the process because it enables firms to make sure they uphold their obligations to preserve information, including automatically saved information, for use in legal proceedings. Medical record rules for release, destruction, and retention serve as important compliance tools. If medical records are well-detailed, they will aid medical professionals in maintaining treatment accuracy. In order to preserve patient information, medical record retention and destruction will offer a method for comprehending management principles and policies and for ensuring compliance (Herzig, 2020).

  4. Defined policies and procedures will help in preserving the unethical and improper actions in The Tracks We Leave by giving instructions on how to adhere to pertinent laws. The rules and procedures will also show how to promote ethical behavior effectively, professionally, and consistently (Johnson, 2018), resulting in improved public perception and greater commercial partnerships. In general, the AHIMA code of ethics and guiding code will use the necessary professional values and ethical principles of service in dealing with the issues of misbehavior and discrimination in order to prevent further occurrences of this kind.

Part 2:  Strategic Compliance with the Law

  1. Modern techniques for finding, collecting, and producing electronically stored information in response to a demand for production in an investigation or a lawsuit include e-discovery. The identification of privileged documents, the identification of medical records eligible for peer review immunity, and the identification of materials unrelated to the case are just a few requirements that must be completed in order to comply with such a request. In order to avoid the discovery of privileged information, I would work with my business partner to identify medical records that are shielded from disclosure by state, federal, or local legislation. In order to ensure that records covered by peer review immunity are not made public unless required by a federal court, I would also abide by the institution’s privacy policies and HIPAA standards. Additionally, I would use the e-discovery guidelines to identify the kinds of materials that are pertinent to the practice.

  2. The federal court has the jurisdiction to order that the protection of records is not waived by giving information pertaining to existing litigation, in accordance with Court Order 502D. The agreement formed throughout the record disclosure process, however, is only enforceable by the parties to the agreement, according to court order 502E. I would advise using the 502E because it enables agreement between the parties and makes the task straightforward.

  3. I would take the necessary legal action if the business associate ignores the request for records. I would also discuss the delay with the business partner to see what caused it and see if I could help prevent similar delays in the future. Additionally, I would implement management strategies to ensure that the process’ deadlines are met. These strategies include coordinating with interested parties, planning activities to be finished on time, and managing and supervising the process’ staff. This is done to guarantee the effectiveness of the e-discovery procedure and the security of protected data.