Chapter 14 introduced you to the importance of security and safety for your practice, your staff, and your patients. Security was defined, and the types of camera systems and how to access a security camera system were discussed. We explored federal wiretap laws and discussed various forms of cyber security for the practice, the staff, and the patients. We then discussed the different requirements necessary for cyber security and the security concerns related to Internet usage. We discussed the topics staff should be trained in and methods to accomplish that training. We reviewed general office safety measures. Finally, we explored emergency preparedness. The following exercises will help reinforce the concepts presented in the
Key Terms
2015 Edition Test Method
provides the structure for evaluating conformance of the Health IT Module to the certification criteria defined in 45 CFR Part 170 Subpart II of the 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications final rule as published in the Federal Register on October 16, 2015.
Federal Wiretap Law
The Wiretap Act, codified at 18 U.S. Code § 2511, is a federal law aimed at protecting privacy in communications with other persons. The law prohibits intentionally or purposefully intercepting, disclosing, or using the contents of any wire, oral, or electronic communication through the use of any device.
PHI: Protected Health Information
any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.
PCI DSS: Payment Card Industry Data Security Standard
an information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
CCTV: Closed Circuit Television
the use of video cameras to transmit a signal to a specific place, on a limited set of monitors within a single system, with no ability to have information transmitted into or out of the system.
fps: Frames per second
a measurement of how many unique consecutive images a camera can capture each second. Low-end digital still cameras typically have a frame rate of 1 fps. High-end digital video cameras typically have a frame rate of 30 fps.
AHIMA: American Health Information Management Association
a professional association for health professionals involved in the health information management needed to deliver quality health care to the public.
NIST: National Institute of Standards and Technology
a unit of the U.S. Commerce Department. Its purpose is to maintain measurement standards. It also has active programs for encouraging and assisting industry and science to develop and use these standards.
ONC-ATCB Certified: Office of the National Coordinator Authorized Testing and Certification Bodies
certified organizations that have been authorized by the ONC to perform complete EHR and/or EHR Module testing and certification. ONC-ATCBs are required to test and certify EHRs to the applicable certification criteria adopted by the Secretary under subpart C of Part 170 Part II and Part III as stipulated in the Standards and Certification Criteria Final Rule. ONC-ATCB is the main certification authority for electronic health record (EHR) technology, namely for EHR vendors and consultants, within the United States.
RxPATROL
a database and information clearinghouse initiative that promotes collaboration between industry and law enforcement, designed to collect, collate, analyze, and disseminate pharmacy theft information.
SOC 1: System and Organization Control
SOC 1 reports are for businesses that handle financial information for their clients, also known as service organizations. A SOC 1 report addresses a company's internal control over financial reporting, that is, the checks and limits applied to its financial processes. By definition, as mandated by SSAE 18, SOC 1 is the audit of a third-party vendor's accounting and financial controls. It is the measure of how well the vendor keeps its books of accounts.
SOC 2: System and Organization Control
A SOC 2 report, like a SOC 1 report, evaluates internal controls, policies, and procedures. The difference is that a SOC 2 report covers controls that directly relate to the security, availability, processing integrity, confidentiality, and privacy at a service organization. SOC 2 examines the controls of a service organization against one or more of the Trust Service Criteria (TSC) developed by the American Institute of CPAs (AICPA).
SSAE 16
Statement on Standards for Attestation Engagements no. 16 is an auditing standard used for service organizations that defines two types of reports: SOC 1 and SOC 2.
TLS
Transport Layer Security is a protocol that provides communication security between client/server applications that communicate with each other over the Internet. It provides privacy (confidentiality), integrity, and authentication for the data transmitted between nodes on the Internet.
EAP
Emergency Action Plan is intended to facilitate and organize employer and worker actions during workplace emergencies to increase safety and minimize harm.
Expected Outcomes
Understand different aspects of security
Know the types of camera systems and how to access the system you use
Understand Federal Wiretap Laws
Understand various forms of cyber security for the practice, the staff, and the patients
Understand the different requirements necessary for cyber security
Recognize security concerns related to Internet usage
Recognize topics staff should be trained in and methods to accomplish that training
Know general office safety measures
Understand emergency preparedness practices and know the ones specific to your office
Key Concepts
Office security is necessary for any business. Certain specific requirements are needed for different states and different departments.
There is physical security, electronic security, and cyber security.
CCTV is the most effective and most common form of camera security.
Frames per second (fps) determines the smoothness of video recording. The higher the fps, the better.
It is a federal crime to wiretap or to use a machine to capture the communications of others without court approval, unless one of the parties has given their prior consent. It is likewise a federal crime to use or disclose any information acquired by illegal wiretapping or electronic eavesdropping.
When setting up security in your office, surveillance CCTV cameras are not the only form of security you will need. Depending on which services you offer, which state you reside in, and which employees are accessing areas or items, you will need different types of security.
Any vendor you partner with should have security measures in place to protect you and your customers’ information.
An Internet usage policy provides employees with rules and guidelines about the appropriate use of company equipment, network and Internet access.
Staff training regarding security and safety should begin at new employee orientation and be reinforced at annual refresher trainings.
Workplace safety should be a team effort, and the staff should look out for each other as well as their own personal safety.
A workplace emergency is a situation that threatens workers, customers, or the public; disrupts or shuts down operations; or causes physical or environmental damage.
An EAP should describe how workers will respond to different types of emergencies.
Chapter Slogans
Safety is a team effort!
Safety is everyone’s responsibility.
You spent hundreds of thousands of dollars on equipment & supplies – protect it!
THINGS TO CONSIDER
What level of security do you want in your office?
What value of equipment and supplies are in your office?
What is the crime rate in your office’s location? What types of crimes are committed?
What measures would you want as an employee to feel safe in your workplace?
What security measures do other offices in the building have?
POUND THE PAVEMENT
Go to any location – an office, a restaurant, a grocery store – and stand in one place and look around. Where are there potential security breaches? How easy would it be to walk in unnoticed? To walk out with something and not pay? To slip into the back area designated “Employees Only”? Start looking at places you visit and consider what security measures are taken by the establishment and where there are security gaps that you as a layperson can see. Considering the security gaps that you can see, just think what a burglar or other vandal might see.