Write a security report (4-5 pages) that identifies potential security and technical safeguard violations in a health care organization’s audit report. Include evidence-based recommendations to address these potential violations and prevent them from occurring in the future.

The shift from paper to electronic health records has created the need for organizations to design proper controls and auditing procedures. These controls and procedures must assure the appropriate handling of data in compliance with HIPAA security and privacy rules. At the same time, access to electronically stored health data can be a matter of life and death. Controls must include access to the data needed to manage emergency situations. 

Prior to the passage of the Health Insurance and Portability Accountability Act (HIPAA), national guidelines or legal security standards for protecting health information did not exist. Even so, technological advances continued, and organizations began to rely more heavily on electronic processes, creating an evident need for security standards. The HIPAA Security Rule is designed to protect the privacy of health information when using communication technologies and electronic processes. Privacy and security are intimately linked. Any organization that houses private data must also guard against its release so that information remains secure and private. 

For this assessment, you will continue your work as a HIM analyst at Valley City Regional Hospital. A quality control report released by risk management indicated potential security issues, including password protection. As a result, the risk management department completed a risk audit. The hospital’s risk management manager has provided additional information about the audit he conducted. You have been asked to evaluate the audit and compile a security report. 

Demonstration of Proficiency

By successfully completing this assessment, you will demonstrate your proficiency in the course competencies through the following assessment scoring guide criteria:

Competency 3: Analyze the relationship between privacy and security in health care. 

Describe access, authentication, and authorized use of health information.

• Compare/contrast the HIPAA Security Rule and the HIPAA Privacy Rule.

Distinguish between proper and improper parameters for physical safeguards.

• Recommend a list of evidence-based technical safeguards and security controls, including examples of types of uses and users. 
• Competency 5: Communicate effectively in a professional and ethical manner.
• Create a clear, well-organized, professional security report that is generally free of errors in grammar, punctuation, and spelling.
• Follow APA style and formatting guidelines for citations and references.
• Preparation

As part of your preparation for Assessment 3, please complete the following:

• View this media piece: Vila Health: Security | Transcript.  
• As you view the media piece, consider security requirements and the potential security violations presented. Based on your analysis of the media piece, you will prepare a security report that outlines the security issues you identified and presents recommendations to remedy the identified issues.

Revisit your previous assessments. Because of the close relationship between privacy and security, you may choose to incorporate elements of these previous assessments into this one.  

In Assessment 1, you prepared a SWOT analysis and a risk report, the narrative accompanying the SWOT analysis.

In Assessment 2, you analyzed potential privacy violations that occurred in Valley City Regional Hospital and prepared a compliance checklist. This checklist outlined for staff members the steps they need to follow when releasing patient information. Health care organizations often use checklists, such as the one you developed, as quality control measures.

• Instructions

For this assessment, you will continue your work as an HIM analyst at Valley City Regional Hospital. The quality control committee has released notification that potential issues with password protection exist within the organization. Computers containing patient information are not secure; passwords are openly displayed.

As a result, the risk management department completed a comprehensive risk audit. The hospital’s risk management manager has provided you with additional information about the audit he conducted. You will find this information in the Vila Health: Security media piece. The audit specifically addressed issues related to security and technical safeguards. Your task is to evaluate the audit, compile a master list of potential security violations, and then present recommendations to address these potential violations and prevent them from occurring in the future. 

Be sure to include all of the following headings in your 4–5 page security report and answer the questions underneath each heading: 

• Proper Access, Authentication, and Use of Health Information (1 page)
• What constitutes proper access, authentication, and authorized use of health information?

HIPAA Privacy Rule vs. HIPAA Security Rule (1 page)

• What are the HIPAA Privacy Rule’s requirements?
• What are the HIPAA Security Rule’s requirements?

How are these rules the same?

How are they different?

Note: Consider which elements from Assessment 1 might be appropriate to incorporate here. 

Proper vs. Improper Parameters for Physical Safeguards (1 page)

Note: The names of these safeguards come from the Security Rule. 

What are these safeguards?

• How do the security parameters for these safeguards vary by level of authority and job role?

Recommendations (1 to 1 1/2 pages)

What are the potential security violations you identified in the Vila Health: Security media piece?

• What evidence-based technical safeguards and security controls would you recommend to address and prevent the identified security violations from occurring?
• What are some examples of uses and users with your evidence-based recommendations?
• Transcript: IntroductionPrivacy and security are intimately linked. Any organization that houses private data — credit card numbers, bank account numbers, legal information — must guard against its release, and that includes keeping it secure as well as keeping it private.This is especially true of health care information. Patients’ private health information is often a target of hackers, and every health care organization must make sure to protect its patients’ PHI from their efforts.Scene 1Valley City Regional HospitalYou continue your work as an HIM analyst at Valley City Regional Hospital. Lawrence Wilkerson, the hospital’s risk management manager, has some more information for you about the risk audit he conducted.It looks like you have email from Lawrence. You’ll want to read that now.From: Lawrence WilkersonSubject: Security IssuesHey, I’ve got the data you asked for. Swing by my office and I’ll give you the details on what I saw in my audit that related to security.—LawrenceScene 2Meeting with Lawrence WilkersonOkay, there were some security issues that came up during the audit. Let’s start with the medical staff.Scene 3The Hospital FloorLeona DavisUgh, they want me to change my password again? I can never remember it. I guess I better write it down and put it where I can always find it. Leona2017 ought to do it.Rebecca Snyder EHR4/17/2014 : H&P: Mrs. Snyder is a pleasant 56 year old obese Orthodox Jewish women with a PMH of poorly controlled DM, HTN, hypercholesterolemia, anxiety, and obesity. She admits to the ED with c/o hyperglycemia ranging from 230 to 389 for over 10 days, frequent urination, malaise, and mild abdominal discomfort, dyspnea on exertion and HTN on admission.Family Hx.Mother: Alive. History of HTN, DM, Dementia.Father: Deceased. HX of MI, Colorectal CASister: Alive. HX of Breast CA. s/p right mastectomy.Meds on Adm: Metformin 1000 mg q hs., Lisinopril 20 mg QD. Prior to adm. Was prescribed anti-anxiety medication but self d/c’d without taper due to c/o fatigue.V/S: 36.7, 102, 171/93, 24. O2 Saturations 92%. On room air.Courtney Donovan and Kathryn ChapmanKathryn Chapman: Dr. Donovan, I noticed you’re a little behind on your charting. You need to set a good example for the other staff.Courtney Donovan: I know. I was doing better, but then I left my laptop in the coffee shop across the street a few days ago. I was hoping it would turn up, but I’ve called every day and no dice.Kathryn Chapman: What does IT say about a replacement?Courtney Donovan: I’ll know this afternoon when I tell them about it.Erica Copeland text messageDr. Bellefleur, Mr. Moskovitz’s temperature is back down to 99 but his bp is still elevated (140/99). CBC results were inconclusive, although Cr count is higher than I like. Thoughts?Gayle Slocum and Shauna DeanShauna Dean: Dr. Copeland sent over the results last night.Gayle Slocum: But that doesn’t make sense, she wasn’t on shift last night.Shauna Dean: She probably sent them from home, don’t you think?Gayle Slocum: Oh, sure. Can doctors do that? We’re not supposed to.Shauna Dean: Oh, doctors can do whatever they want.Scene 4The IT DepartmentLawrence WilkersonLet’s take a walk around the IT department.Email exchange between Wayne Peterson and Anthony MartinezFrom: Wayne PetersonTo: Anthony MartinezSubject: Re: CopiersDid anyone scrub its hard drive before it was returned?—WayneFrom: Anthony MartinezTo: Wayne PetersonSubject: CopiersRuby,Wayne,The copier you asked about has already been returned to the vendor. What’s the problem?—TonyBenjamin Mendoza phone callThat’s right, she lost the tablet on Tuesday. Yes, she just reported it today. Don’t get me started. The point is, there wasn’t any encryption software loaded on it. I don’t know if we can do a remote wipe, but we’ve got to do something quickly.Wayne Peterson and Ron BaileyWayne Peterson: What version of the firewall are we on?Ron Bailey: 3.6, isn’t it?Wayne Peterson: That sounds right. I’ll check later, but check this out: InfoVault is retiring 3.0. They’re not going to support it anymore.Ron Bailey: That was quick. Wasn’t it?Wayne Peterson: No, it’s about on schedule. Safe to say that we need to start thinking about upgrading.Ron Bailey: I’d rather see us get better malware detection.Wayne Peterson: Well, there’s no money in the budget for either next year, so I guess it’s a matter of prioritizing what we can’t have. [laughter]Wayne Peterson: So what was the other thing you wanted to talk about?Ron Bailey: I’ve got two instances of this security issue, and I think it’s time we pushed it up to corporate.Wayne Peterson: Corporate? We can’t handle it locally?Ron Bailey: I’m not sure, but I don’t think so. We’ve got one supervisor who accessed one of his employee’s health records. That’s an obvious no-no, but why was he able to do it in the first place? Another guy, a nurse, accessed his ex-wife’s record. She works at St. Anthony Medical Center in Minneapolis now, but we’re all on the same system so he was able to pull up her record. Again, why did the system let him do it?Wayne Peterson: Hm.Scene 5Follow Up with AndrewIt looks like you have email from Andrew about your findings. You’ll want to read that now.From: Andrew BarnesSubject: Security risksI hope Lawrence was helpful. The board wants to meet and talk about what we need to do to improve our security posture. Can you send me a summary of the risks you and he identified? It doesn’t have to be anything formal. I just want to know what I’ll be talking about so I don’t sound like an idiot.—AndrewYour response:This question has not been answered yet.ConclusionActivity complete!In this activity, you gathered information about potential security risks at Valley City Regional Hospital. You may download your summary of security risks as a PDF; it may be helpful in completing your assignment.CreditsSubject Matter Expert:Natasha CauleyInteractive Design:Kerry HansonInteractive Developer:Dre Allen, Matt TaylorInstructional Design:Carmen GarlandMedia Instructional Design:Holly DolezalekProject Management:Andrea Thompson