
Module IV

HEALTHCARE PRIVACY AND SECURITY

Relevant general privacy terms applicable to healthcare, the role of and requirements for healthcare
privacy officers, and requirements for notifying affected individuals.

1. Privacy concepts and terms.
2. Security definitions.
3. Privacy Principles.

1. Privacy concepts and terms
• Data privacy or information privacy is a branch of data security concerned with the proper handling of data –
consent, notice, and regulatory obligations.

• Practical data privacy:
o Whether or how data is shared with third parties.
o How data is legally collected or stored.
o Regulatory restrictions.

Terms for various frameworks and regulations:

o Health Insurance Portability and Accountability Act (HIPAA)
o Asia-Pacific Economic Cooperation (APEC)
o European Union’s Data Protection Directive (DPD)
o Fair Credit Reporting Act (FCRA)
o Organisation for Economic Co-operation and Development (OECD)
o Generally Accepted Privacy Principles (GAPP)
o Personal Information Protection and Electronic Documents Act (PIPEDA)

Privacy officer
• Many countries require that organizations appoint a privacy officer.
• Main role of privacy officer:
o Facilitate compliance with the health privacy law.
o Respond to inquiries from the public about their information practices.
o Respond to requests of an individual for access to or correction of their health information.
o Receive complaints from the public about privacy breaches.
Confidentiality, Integrity, Availability and Accountability
• CIA are essential components of any effective information security program.
• CIA are guiding principles for healthcare organizations to tailor their compliance with the HIPAA Security Rule.
• The HIPAA Security Rule sets national standards that HIPAA-beholden entities must implement in their organizations.
• PHI is any demographic information that can be used to identify a patient.
• Demographic information includes: names, addresses, telephone numbers, Social Security numbers, email
addresses, financial information, insurance ID numbers, and medical records.
• When PHI is stored in electronic form it is known as ePHI.

i. Confidentiality
• Confidentiality is about ensuring the privacy of PHI.
• According to the CIA principles, every organization must have physical, technical, and administrative safeguards in place.
• Physical: Through people or devices.
• Technical: network and data security
• Administrative: internal policies and procedures and proper employee training
• These safeguards ensure that PHI is not made available or disclosed to unauthorized individuals.
• Confidentiality is a function of compliance with HIPAA administrative safeguards.
ii. Integrity
• How PHI is handled to ensure that it is not altered or destroyed in an unauthorized manner.
• Data should be closely monitored with systems to detect any improper or unauthorized changes in PHI.
• Maintaining the integrity of PHI will give your patients and clients a higher quality of care and protect.

iii. Availability
• Availability is about keeping systems and hardware that store and access PHI functioning properly.
• Keeping all systems up-to-date and protected against threats, such as ransomware, that threaten access.
• Keeping data backed-up and encrypted.
• Availability is a function of HIPAA technical and physical safeguards.

iv. Accountability
• Accountability is responsibility and the capability of proving proper data use.
• It provides a mechanism for tracing or tracking actions related to information security.
• Access logging by a computer system helps trace and track users of a system.
• Auditing information disclosure reports allows us to view and remediate any disclosures that may have been
unauthorized.
2. Security definitions

Understand the approaches and practices of information security.

• Access Control: controlling who may view, store, copy, modify, transfer, and delete information.

• Access Control Models: Mandatory Access Control, Discretionary Access Control, Role-Based Access Control.

• Data Encryption: technical control or solution to protect information confidentiality.

• Training and Awareness: Training and awareness can help prevent the breaches caused by employee mistakes.

• Logging and Monitoring: a log is a record used to store and collect events from networks, applications, and end-user devices.

• Segregation of Duties: Administrative job sharing.

• Least Privilege: holding only the permissions, rights, and privileges necessary to perform your assigned duties.

• System Recovery: A process for bringing the systems back after a power outage or malware attack.
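
An added example, not part of the original notes: it ties together the access control actions, Role-Based Access Control, least privilege, and the access-log auditing described under Accountability by checking each logged ePHI access against a role policy. The role names, log format, and log lines are assumptions constructed for illustration.

```python
import csv
import io

# Assumed RBAC policy: each role holds only the actions its duties need
# (least privilege). Role names are hypothetical.
ROLE_POLICY = {
    "physician": {"view", "modify"},
    "billing_clerk": {"view"},
    "records_admin": {"view", "store", "copy", "transfer"},
}

# Constructed ePHI access log: timestamp,user,role,action,record_id
SAMPLE_LOG = """\
2024-03-01T09:02:11,asmith,physician,view,PT-1001
2024-03-01T09:05:40,asmith,physician,modify,PT-1001
2024-03-01T10:15:03,bjones,billing_clerk,view,PT-1001
2024-03-01T10:16:27,bjones,billing_clerk,copy,PT-1001
2024-03-01T11:00:00,clee,records_admin,transfer,PT-1002
2024-03-01T11:30:12,bjones,billing_clerk,delete,PT-1003
2024-03-01T12:00:45,dkim,contractor,view,PT-1002
"""

FIELDS = ["timestamp", "user", "role", "action", "record_id"]

def parse_log(text):
    """Parse CSV log lines into dicts, skipping rows with missing fields."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [r for r in rows if all(r.get(f) for f in FIELDS)]

def audit(entries, policy=ROLE_POLICY):
    """Return (user, record_id, reason) for each access outside the policy."""
    findings = []
    for e in entries:
        allowed = policy.get(e["role"])
        if allowed is None:
            reason = f"role '{e['role']}' is not defined in the policy"
        elif e["action"] not in allowed:
            reason = f"role '{e['role']}' is not permitted to {e['action']}"
        else:
            continue
        findings.append((e["user"], e["record_id"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

Each finding names the user and record involved, which is the starting point for reviewing a possibly unauthorized disclosure.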
