Security and privacy issues in hospital information systems play a fundamental role in the adoption of the systems. A Hospital Management system can only be adopted if proper security is ensured to protect the patients and the information that is found in their records.
The Health Insurance Portability and Accountability Act (HIPAA) were enacted by the US congress in 1996. It protects the Health Insurance coverage for workers and their families when they change or lose their jobs. It established new standards for the movement and uses of the healthcare information. (Armstrong, et al 2005) There are three types of standards which are created by the HIPAA. They include; Privacy rule, Security rule and Administrative simplification. The HIPAA Privacy rule is enforced by the office for Civil Rights which protect the privacy of health information. (Armstrong, et al 2005) The HIPAA security rule sets national standards for the security of electronic protected health information. It also provides for the confidentiality of Patient Safety Rule which is responsible for protecting information being used to analyze patient safety events and improving patient safety. (Armstrong, et al 2005) The three regulations have a great impact on the day-day functioning of the nation’s hospitals and affect virtually every department of every entity that provides or pays for health care. (Wilson, 2006)
The Privacy rule
This establishes national standards which help in protecting an individual’s medical records and other personal health information. It applies to health plans, health care clearing houses and the healthcare providers who conduct some health care transactions electronically. . (Wilson, 2006)This rule requires appropriate safeguards so as to protect the privacy of personal health information. It also helps in setting limits and conditions on the uses and disclosures which may be made on such information without the authorization of the patient. This rule also gives the patients rights over their health information. The rights include; rights to examine and obtain a copy of their health records and also request for corrections to be made incase there is an entry entered wrongly into the database. . (Wilson, 2006)
Transactions and Code Sets Rule
This is also called administrative Simplification. Under this rule we have:
i. EDI Health Care Claim Transaction which is used for providing healthcare claim billing information and encounter information. It can also be used for transmitting health care claims and the billing payment information. (Wafa, 2010)
ii. EDI Retail Pharmacy Claim Transaction: This is used to transmit retail pharmacy claims to payers by the healthcare professional who are charged with the responsibility of dispensing medications either directly or indirectly to billers and claims clearinghouses. (Wafa, 2010)
iii. EDI Healthcare Claim Payment: Used for making payments from a health insurer to a health care provider. (Wafa, 2010)
iv. EDI Benefit Enrollment and Maintenance Set: They are used by the employers or unions to enroll members to a payer. (Wafa, 2010)
v. EDI Payroll deducted and other group premiums payment for Insurance products: this is a transaction set which can be used for making premium payments for insurance products. (Wafa, 2010)
vi. EDI Care Eligibility/Benefit Inquiry: This is used for making inquiries about the health care benefits.
This rule identifies the standards and implementation specifications that organizations must meet in order to become compliant. This rule complements the privacy rule. This rule deals with only the Electronic Protected Health Information. The rule ensures the following:
i. Confidentiality, integrity and availability of all the electronc protected health information.
ii. Protects the information against any risk or hazard.
iii. Protects from the disclosure of any confidential information
iv. Ensures that the workforce is compliant.
The security rule has three types of security safeguards which are required for compliance. They include:
Administrative safeguards – they are policies and procedures which are designed to show how the entity will comply with the Act.
Physical safeguards – These are physical measures, policies and procedures which are used to protect a covered entity’s electronic information systems from natural hazards and unauthorized intrusion. (Wolf, 2006)They help in controlling the physical access to protect against inappropriate access to protected data.
Technical safeguards – they help in controlling access to computer systems and enable the covered entities to protect the electronically transmitted information.
Armstrong D, Kline-Rogers E, Jani S, Goldman E, Fang J, Mukherjee D, Nallamothu B, Eagle K (2005). "Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome". Arch Intern Med 165 (10): 1125–9.
Tim Wafa (J.D.). "How the Lack of Prescriptive Technical Granularity in HIPAA Has Compromised Patient Privacy". Northern Illinois University Law Review, Volume 30, 2010.
Wilson J (2006). "Health Insurance Portability and Accountability Act Privacy rule causes ongoing concerns among clinicians and researchers". Ann Intern Med 145 (4): 313–6.
Wolf M, Bennett C (2006). "Local perspective of the impact of the HIPAA privacy rule on research". Cancer 106 (2): 474–9.