Page 22 - Delaware Medical Journal - November 2017
acknowledge, and comply with DHIN’s expectations for privacy, security, and access to PHI. Violations are sanctioned accordingly, up to and including criminal charges.
PRIVACY AND SECURITY COMPONENTS
Perhaps most critical to DHIN’s data protection efforts are the components that impact DHIN’s operations as a health information exchange.
Policy and Procedure Documentation
DHIN follows a comprehensive set of policies and procedures designed to safeguard patient data. These are reviewed annually and approved versions made available to all employees and contractors.
Employee Privacy and Security Education Oversight
Employee education and oversight are key to a privacy and security program. Each employee and contractor is responsible for reviewing and acknowledging DHIN’s policies and procedures related to the protection of data.
Technology Software/Hardware Maintenance
The information technology business requires that DHIN’s technology partners and solutions meet the privacy and security requirements outlined above. Maintaining software and hardware technology includes embedded secure coding, with thorough
External protections include encryption, anti-virus, and anti-spyware monitoring. Multi-factor authentication is required for all external connections to DHIN’s network, and access to the internal network is restricted.
DHIN’s asset management inventory provides a comprehensive view of all software and hardware components, whether maintained by DHIN or its subcontractors.
Business Associates Oversight
Oversight of DHIN’s subcontractors is an expectation of privacy and security management. DHIN’s subcontractors are held to the same standards for protection of patient data as DHIN. Specialized agreements are put in place prior to DHIN granting access to data and are monitored and enforced by DHIN executive management.
DHIN Information Systems User Oversight
As outlined above, each Business Associate is required to sign a Data Use Agreement prior to accessing DHIN data.
registration and de-registration, and password management. Again, these agreements are monitored and enforced by DHIN executive management.
Business Continuity / Disaster Recovery
Data delivery timeliness and the ability to recover from disaster are critical to DHIN’s ability to serve as Delaware’s health information exchange. As such, DHIN developed and routinely tests our business continuity and disaster recovery plans, knowing that our services are imperative to the delivery of health care in the state.
document handling procedures, records retention, and safeguard policies follow federal guidelines and requirements.
Physical Environment
factored into security controls. 24/7 badge access, a security system, and additional safeguards are in place for remote access.
Because safety never takes a holiday, as the saying goes, DHIN is ever-vigilant with monitoring cybersecurity threats and assessing our ability to both prevent and react to a threat. Currently, the team is in the process of hiring a dedicated privacy and security compliance manager and continuing to tighten access to and protocols pertaining to DHIN’s physical property.
To learn more about how DHIN protects patient data, as well as our free products designed to connect patients with their health care information, visit dhin.org.
Through DHIN’s secure Community Health Record, physicians’
information safely and effectively. Every acute care hospital in the state and nearly all Delaware’s physicians participate, ensuring the timely delivery of test results and records to speed medical care while saving money and time. Learn more at dhin.org.
CONTRIBUTING AUTHOR
■ STACEY HADDOCK SCHILLER is the Director of Marketing for the Delaware Health Information Network. She holds an MBA in Healthcare Administration.
Del Med J | November 2017 | Vol. 89 | No. 11