Hello again and welcome to the HCISPP certification course with Cybrary: Handling Sensitive Data.
I'm Schlaine Hutchins, your instructor today.
In this video, we will cover data classification and disparate data,
personal and health information protected by law
and categories of sensitive data.
The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
It involves recognizing what information is critical to help your organization and assigning value to it.
The goal of classifying data is to organize it according to its sensitivity to loss or disclosure.
Each sensitivity classification should have separate handling requirements and procedures pertaining to how data is accessed.
To properly implement data classification, the health care organization must first decide upon the sensitivity scheme they're going to use.
Health care organizations generate an increasing amount of disparate data from heterogeneous sources provided on different platforms by different vendors. For example, e-prescribing, electronic medical records, digital imaging scans, pharmacy data,
insurance claims data and regional health information exchanges are all examples of disparate data.
Disparate data can be categorized by three major problems.
The data exists in silos, meaning there is no single source of truth or single inventory for all of the data. The data is highly redundant throughout the organization, meaning the same data exists in several systems and files better not leave
And number three, the data is variable in format and content.
When information isn't standardized, the organization cannot combine data sets or compare them, either internally or externally.
As previously discussed in regulatory requirements, the HIPAA Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic
The Privacy Rule calls this information protected health information, or PHI.
PHI relates to the individual's past, present or future physical or mental health,
the provision of health care to the individual,
and the past, present or future payment for the provision of health care to the individual, and that identifies the individual or
for which there is a reasonable basis to believe
it can be used to identify the individual.
Protected health information includes many common identifiers, as previously discussed in the regulatory module: the name, address, birth date, Social Security number,
when they could be associated with health information just mentioned earlier.
HIPAA addresses privacy concerns of health information systems by enforcing data exchange standards as well as a guideline to analyze risk.
The overall objective of a HIPAA risk analysis is to document the potential risks and vulnerabilities related to confidentiality, integrity and availability of electronic PHI
and to determine the appropriate mitigation safeguards to bring the level of risk to an acceptable and manageable level.
Two methods for preventing unintentional disclosure of PHI
are de-identification
There are two methods for de-identifying data.
The expert determination
Expert determination is used to identify the level of risk that the information can be used alone
or in combination with other information to identify an individual, using various statistical methodologies.
Please note that on the issue of who is an expert, the OCR advises that there is no specific or required professional degree or certification for a person to be an expert at determining whether PHI is de-identified.
Experts may come from statistical, mathematical or other scientific fields
and may begin through various means of education and experience.
The OCR will consider the relevant professional experience and academic training of the expert using the methodology.
Safe harbor is the removal of certain identifiers
of the individual or relatives, employees or household members of the individuals
where the covered entity does not have actual knowledge
that the information could be used alone or in combination with other information to identify the individual.
The OCR guidance states that the disclosure of parts or derivatives of the listed identifiers, such as the data set containing the patient's initials or the last four digits of a Social Security number, is not consistent with the safe harbor method.
Dates that include the day, month or any other form more specific than the year of an event are not permitted under safe harbor.
Data anonymization is the process of destroying tracks or the electronic trail on the data that would lead an eavesdropper to its origins. An electronic trail is the information that is left behind once someone sends data over a network.
Forensic experts can follow the data to figure out who sent it.
This is often done in criminal cases, but sometimes companies use similar techniques in order to track user data.
This may be a concern to people who value their privacy and makes a good case for using data anonymization techniques.
One aspect of anonymization that may worry individuals who value their privacy is that the process can be reversed.
Many current techniques associated with anonymization
can be bypassed, as there are many ways to reveal stripped PHI from data sets. One way this information can be rebuilt is with cross-referencing any sets of records still available. This is called de-anonymization.
There are limitations to anonymization approaches.
Data aggregation, data mining and predictive analysis
all have their limitations
for data anonymization.
HIPAA has extended the medical information category to include mental health information from past, present or future mental or physical health, including all written and electronic record. It even extends to payment for services rendered.
Federal regulations protect the confidentiality of alcohol and drug abuse patient records maintained by a program.
Under HIPAA health insurance, health insurers cannot consider pregnancy a preexisting condition, so health insurers cannot deny coverage when a pregnant woman goes from one job to another and switches health plans. Before the Affordable Care Act, or Obamacare,
women in this situation could be denied health care.
The Ryan White Comprehensive AIDS Resources Emergency (CARE) Act
grantees are funded in significant part by formula-based grants that use disease data from the CDC to determine how the funds will be allocated.
The personal health information held by many Ryan White grantees has long been covered by a diversity of state confidentiality laws and in many cases is now covered by privacy protections of HIPAA.
HIPAA covers a wide range of services in support of health care, including information such as legal, actuarial, accounting, consulting
In short, most everything can be tied to the business relationship of the health care
The most famous DNA database is CODIS.
A significant problem is that not all states and countries
have issued privacy legislation to protect DNA records.
On July 1st, 2020, Florida became the first state to enact the DNA privacy law prohibiting insurers from genetic data.
The real concern is that individuals can be denied insurance or be charged increased premiums
and other costs based on DNA obtained or shared by popular companies like 23andMe or AncestryDNA.
Let's do a knowledge check.
What are the two methods for de-identifying data?
An expert determination.
What is the process of destroying tracks or electronic trails that could lead to the origin of the data?
You guessed it: anonymization.
Last question. True or false?
PHI refers to an individual's past, present
or future physical or mental health or condition.
That answer is true.
So we talked about a lot today.
We talked about data classification and disparate data,
personal and health information protected by the law,
sensitivity, mitigation and categories of sensitive data.
Remember to review the supplemental materials and flashcards for further study.
Next up is Module Six, Enterprise Risk Management. See you soon.