HIPAA and IT Audits
School: University of Nairobi
Course: 495
Subject: Information Systems
Date: Nov 24, 2024
Pages: 8
Assignment 4 - HIPAA and IT Audits
Your name
Institutional affiliation
Course Date
Section 1. Create an overview of the HIPAA security and privacy rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the Secretary of the U.S. Department of Health and Human Services (HHS) to issue rules protecting the privacy and security of individually identifiable health information (Enforcement Highlights, n.d.). The Privacy Rule governs how protected health information (PHI) may be used and disclosed; the Security Rule sets the administrative, physical, and technical safeguards for PHI that is stored or transmitted electronically (ePHI). The primary objective of these rules is to protect health information against external or unauthorized access while still letting technology improve the quality of patient care. Covered entities (health plans, health care clearinghouses, and providers that transmit health information electronically) and their business associates are required to comply with all of the rules' specifications (Drolet et al., 2017). Major components of HIPAA include the administrative simplification provisions, risk analysis and risk management, protection of ePHI, and the administrative safeguards: information access management, an assigned security official, workforce training, and periodic information security evaluation. Overall, HIPAA aims to standardize how patient information is handled and secured by health care organizations and the agencies they work with.

Major types of incidents and breaches that occur based on the cases reported
Breaches of private medical records make up a large share of the data breach incidents recorded in the United States, and they have risen sharply with the move to fully electronic medical records. Common causes include hacking, compromise of employee credentials, failures at third parties, improper disposal of data after use, disgruntled employees, and loss or theft of mobile devices. All of these expose a health care organization to loss, manipulation, or disclosure of patient data to unauthorized persons. Failure to enforce minimum security requirements for system users leaves a gap that an attacker can use to reach, and then disclose, sensitive medical information. Third parties that use medical records, such as insurers paying claims, can also suffer losses of medical record data. Submitting medical information to insurers poses a real risk to patient information, yet it is required for compensation claims. This is why third-party organizations that handle medical records must meet minimum information security requirements and should receive only the minimum information needed to process a claim.

Technical controls and the nontechnical controls that are needed to mitigate the identified risks and vulnerabilities
Risk management is not new to the health care sector, but producing a comprehensive risk management report can be challenging. Several technical and non-technical controls are designed to mitigate the identified risks and vulnerabilities. Ensuring the integrity and security of ePHI is paramount: the regulations require health care organizations to put in place sound security measures that prevent breaches and unauthorized access to sensitive patient information. Risk analysis and risk management are the basis for any initiative to mitigate information security risks. The process consists of a comprehensive analysis of the possible risks to ePHI, implementation of appropriate security measures, and maintenance of reasonable and robust protective measures across the organization. Access to medical information should be managed so that each user sees only the information needed for their role (the minimum necessary). Employee information security training, access control measures, and physical security for devices are further measures that can avert the identified risks. Other technical measures that address the above risks include audit controls, encryption and transmission security, and controls that tie every action to an individual user so that employees can be held accountable.

Analyze and describe the network architecture
HIPAA IT infrastructure should be designed to comply with evolving information security standards (Reynolds et al., 2019). Minimum requirements for a data center holding medical data should be defined, and the resulting audit controls should be reviewed continuously under the supervision of an external assessor. Medical information should be exchanged using the HIPAA EDI transaction standards, and only over protected channels. Medical records should be reachable only through a dedicated network segment within the organization. Physical access to the data center should require an identification document and credentials, with every entry and exit logged. Further measures include biometric authentication, real-time access tracking, secure sockets (TLS) for network connections, and antivirus/anti-malware software on endpoints.

Analyze how a hospital is similar to and different from other organizations in regard to HIPAA compliance
Health care organizations use evidence-based practice to give patients the most effective care. Like every other organization that uses information technology to deliver services, they rely on electronic health record systems to improve service delivery (Chen & Benusa, 2017). HIPAA compliance, however, makes a health care organization a distinct kind of entity: it is where patient records are stored, accessed, and updated according to patient needs, and the ePHI in those records is under the hospital's protection, so the hospital carries obligations that an ordinary business does not.

IT audit steps
IT auditing verifies compliance with HIPAA rules and regulations, which include appointing privacy and security officers, assessing risks, establishing privacy and information security policies, signing business associate agreements, and training employees. The main IT audit steps are preparation, execution, reporting, and follow-up. The audit must be comprehensive so that it addresses every gap in information security, which requires the organization to look for every possible risk. Planning is the core of the first step and confirms that the organization has the policies and procedures in place that will ensure compliance with HIPAA. The CIO should notify all stakeholders of the upcoming internal audit and chair the administrative meetings held before the audit itself. Once the audit has been carried out, the CIO should supervise or prepare a report detailing the key findings and the recommendations for correcting the identified issues. Drafting the report is a significant part of the audit and is followed by the response of top-level management, who review the areas audited and the recommendations, approve the action plan, and correct specific parts where needed. Final distribution of the audit report is meant to create awareness of the present state of the IT systems. External audits are also a significant component of the process. External auditors are independent parties with an interest in the organization, such as government agencies; they give a professional opinion on what must be done for the organization to be HIPAA compliant.
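The audit controls, real-time access tracking, and minimum-necessary access called for in the controls and network architecture sections above, and the findings an internal audit report has to present, can be made concrete with a small review of EHR access logs. The following is an added example written for this page; it is not code from the assignment or from any EHR product. The log line format, the care-team roster, the 10.20.0.0/16 clinical network range, the 07:00 to 19:00 working window, and the four-patients-per-day threshold are all constructed assumptions.

```python
"""Audit-control review over EHR access logs.

Added example for this assignment, not code from the original document.
The log format, care-team roster, network range and thresholds below are
constructed assumptions standing in for a hospital's real data.

Log line format (constructed):
    <ISO-8601 timestamp>|<user>|<role>|<source IP>|<patient id>|<action>
"""
from collections import defaultdict
from datetime import datetime, time
import ipaddress

# Assumed dedicated clinical network segment from which ePHI may be reached.
CLINICAL_NET = ipaddress.ip_network("10.20.0.0/16")
# Assumed normal working window; access outside it is reviewed, not blocked.
HOURS_START, HOURS_END = time(7, 0), time(19, 0)
# Assumed review threshold: distinct patients per user per day.
BULK_THRESHOLD = 4

# Constructed roster: patient id -> users with a treatment, payment or
# operations need for that record (the minimum-necessary basis for access).
CARE_TEAM = {
    "P1001": {"dr.ahmed", "nurse.kim", "records.cho"},
    "P1002": {"dr.ahmed", "records.cho"},
    "P1003": {"dr.patel", "records.cho"},
    "P1004": {"dr.patel", "nurse.kim", "records.cho"},
}

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2024-11-18T09:15:02|dr.ahmed|physician|10.20.4.17|P1001|view
2024-11-18T09:20:45|nurse.kim|nurse|10.20.4.21|P1001|update
2024-11-18T10:02:11|billing.ortiz|billing|10.20.8.5|P1002|view
2024-11-18T11:05:30|records.cho|him|10.20.7.2|P1001|view
2024-11-18T11:06:12|records.cho|him|10.20.7.2|P1002|view
2024-11-18T11:07:48|records.cho|him|10.20.7.2|P1003|view
2024-11-18T11:09:03|records.cho|him|10.20.7.2|P1004|view
2024-11-18T23:41:09|dr.ahmed|physician|203.0.113.44|P1002|view
"""


def parse_line(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, user, role, ip, patient, action = fields
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "role": role,
        "ip": ipaddress.ip_address(ip),
        "patient": patient,
        "action": action,
    }


def review(log_text, care_team=CARE_TEAM, clinical_net=CLINICAL_NET,
           bulk_threshold=BULK_THRESHOLD):
    """Return a list of (kind, user, detail) findings for an auditor to work."""
    findings = []
    patients_per_user_day = defaultdict(set)

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        who, when = ev["user"], ev["ts"]

        # 1. Minimum necessary: the user must be on the patient's care team.
        if who not in care_team.get(ev["patient"], set()):
            findings.append(("minimum_necessary", who,
                             f"{ev['action']} of {ev['patient']} without assignment"))

        # 2. Network boundary: ePHI should be reached only from the clinical segment.
        if ev["ip"] not in clinical_net:
            findings.append(("off_network", who, f"access from {ev['ip']}"))

        # 3. After-hours access is not forbidden but must be reviewed.
        if not (HOURS_START <= when.time() <= HOURS_END):
            findings.append(("after_hours", who, when.isoformat()))

        patients_per_user_day[(who, when.date())].add(ev["patient"])

    # 4. Volume: many distinct records in one day suggests browsing or export.
    for (who, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", who,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(findings):
    """Count findings by kind, the shape of an audit report's summary table."""
    counts = defaultdict(int)
    for kind, _, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, user, detail in review(SAMPLE_LOG):
        print(f"{kind:18} {user:14} {detail}")
    print(summarize(review(SAMPLE_LOG)))
```

Running the script lists one line per finding (an unassigned billing user viewing a record, a physician reaching the EHR from outside the clinical segment late at night, and a records user touching four charts in one day) followed by a count by kind. In a real review the roster and network ranges would come from the hospital's own assignment and inventory data, and the input would be the EHR's audit trail rather than an inline string; the four checks are the ones the audit-controls and access-tracking requirements above are asking for.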
Section 2.
References
Chen, J. Q., & Benusa, A. (2017). HIPAA security compliance challenges: The case for small healthcare providers. International Journal of Healthcare Management, 10(2), 135-146.

Drolet, B. C., Marwaha, J. S., Hyatt, B., Blazar, P. E., & Lifchez, S. D. (2017). Electronic communication of protected health information: Privacy, security, and HIPAA compliance. The Journal of Hand Surgery, 42(6), 411-416.

Enforcement Highlights. (n.d.). U.S. Department of Health & Human Services. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/data/enforcement-highlights/index.html

Reynolds, R. A., Stack, L. B., & Bonfield, C. M. (2019). Medical photography with a mobile phone: Useful techniques, and what neurosurgeons need to know about HIPAA compliance. Journal of Neurosurgery, 132(1), 260-264.