Computing Reviews

Healthcare information privacy and security: regulatory compliance and data security in the age of electronic health records
Robichau B., Apress, New York, NY, 2014. 225 pp. Type: Book
Date Reviewed: 10/20/14

Security and information privacy have been in the limelight for quite a while with no clear solutions in sight. In the US, information privacy and data protection laws have been limited to some sectors, with a focus on healthcare and finance. The digitization of health records and new interoperability mandates have raised the profile of security and privacy issues in healthcare.

Given the scarcity of published guidelines in the domain, this new book is a welcome addition to the healthcare professional’s bookshelf or the healthcare information technology (HIT) consultant’s knowledge base. The book is divided into four well-organized parts and three short appendices. Each chapter includes a compendium of useful references leading the readers to deeper investigations. After an introduction defining the problem, the audience, and the goal, the author sets the stage for the inevitable electronic medical record (EMR) rush. In chapter 3, the Health Insurance Portability and Accessibility Act (HIPAA) and its sibling, Health Information Technology for Economic and Clinical Health (HITECH), with increased enforcement power, are introduced. Similarly, the Omnibus Rule of 2013, extending the rules of HIPAA to associated entities, implies concerted efforts to educate healthcare employees about their new electronic information-handling responsibilities.

Part 2 addresses a strategy of divide and conquer, defining ownership to develop solutions. Chapter 4 gives sound advice on how to assemble an action-oriented interdisciplinary team. Chapter 5 poses thoughtful questions about the planning steps for an audit. In the following chapter, policies are reviewed and a plan is developed.

Part 3 advocates sustainable solutions. Security is covered in an identity and access management section, and the importance of Health Level Seven (HL7) is briefly mentioned. Chapter 8 goes through issues of application design, discussing staffing; information sensitivity; and an incremental build, review, and approval approach to system development. Chapter 9 validates the design and proposes a transition to a committee to handle future changes to the system. Chapter 10 moves to physical security and associated safeguards. The next two chapters extend to system-wide security and the safeguarding of patient data.

Part 4 transitions from a project to a sustainable support model. Policy outlines are suggested for everyone from internal staff to business associates. Chapter 15 questions how EMRs are being used, and the necessity for integration and change management. Chapter 16 reminds us that security is an ongoing process and that maintenance and rebaselining will be needed once the environment and its variables have changed.

Part 5 includes the appendices, which contain samples for business associate agreements, rules of behavior for privileged user accounts, and breach notification processes.

The book is not extensively technical and does not try to be encyclopedic, but it is highly suitable for multiple constituencies. The developer coming from another field often lacks domain intelligence or awareness of healthcare privacy issues. This book can be an eye-opener for such an audience. The healthcare practitioner could have limited information technology awareness or interest in the underlying system. Here again, the book can bridge some gaps and lead to better communication. For the healthcare security and privacy policy-maker, this reading, in association with the references, will generate better plans and decisions.


Reviewer: Jean-Pierre Kuilboer. Review #: CR142848 (1501-0039)
