With their implementation of the PHIve program, the University of California Health System (UCHS) was applying “a practical methodology for protected personal health information to calculate the potential (or actual) cost of a data breach” (Fraser et al., 2015). Protected health information (PHI) is patient data that is protected under the HIPAA Privacy Rule (U.S. Department of Health & Human Services, 2015). Their overall approach to this project was to create a tool that centralized the information already being collected across the organization into a data warehouse (Fraser et al., 2015). This was achieved by following the five steps of the PHIve tool.
The five steps were to assess risk, score security readiness, determine relevance, determine potential repercussions, and total the impacts associated with the risk (Fraser et al., 2015). UCHS used the tool as a guide to organize decision making, not to make the decisions itself (Fraser et al., 2015). This was achieved by creating a centralized data source that, when combined with policies and processes, evaluated risk. The supporting dashboards, reports, emails and formalized meetings added the human element needed to fulfill the PHIve program. By creating a risk-aware culture in which everyone is a risk manager and has the tools and data they need to be successful, UCHS managed its PHI risk well.
Another avenue that UCHS could have explored in its analysis is the HIPAA Security Risk Assessment (SRA) Tool provided by the U.S. government. This tool is designed to assist small to medium-sized healthcare organizations in conducting a strategic risk assessment as it relates to PHI (U.S. Department of Health & Human Services, 2019). The results from this tool “can be used to determine risks in policies, processes and systems and methods to mitigate weakness” (U.S. Department of Health & Human Services, 2019).
While the SRA Tool is designed for smaller organizations, UCHS could have used it as a framework to jump-start its application build. Another benefit of this tool is that it does not “receive, collect, view, share or transmit any information entered” into it (U.S. Department of Health & Human Services, 2019). This is beneficial because the tool can be used locally without the risk that the entered data is breached or reported back to the government. The tool could also be used alongside PHIve as a check to make sure that UCHS's programs and tools meet the government’s recommended standards for PHI data protection.
1. Evaluate one pro and one con of the above proposed description.
Response Requirements:
1. Be 2 paragraphs in length
2. Be supported by the required textbook and one additional reference
Points deducted if the submission:
- Does not use the required textbook as one of the two reference sources
- You CANNOT use Wikipedia, LinkedIn articles, blogs, paid vendors, certification websites, or similar sources in academic writing. You CAN use reputable industry articles from publications similar to ComputerWeekly, PCMag, Wall Street Journal, New York Times, or similar sources. Academic journals and popular industry articles are accessible in the university’s library databases and Google Scholar. No reference should have a publication date older than 2005.
- Does not respond to the question(s) thoroughly, meaning with more than 2 paragraphs
- Primarily consists of bullet points
- Uses statements such as “I have gone through your post,” “I have gone through your discussion,” “adding a few more points,” “based on my knowledge,” “according to me,” “as per my knowledge,” or similar
- Contains contractions, for example “shouldn’t,” “couldn’t,” or “didn’t,” or similar
- Uses vague words or phrases such as “proper,” “appropriate,” “adequate,” “it is obvious,” “it is clear,” “in fact,” or similar to describe a process, function, or procedure. For example, “proper incident response plan,” “appropriate IT professional,” “adequate security,” or similar. These words are subjective because they have different meanings to different individuals.