The Sample Privacy and Security Policies, Term Paper Example

Introduction

The privacy and security policies of hospitals are vitally important to operations. Indeed, not only do such policies outline what measures should be taken to preserve security, but they also help to calibrate operations to ensure that they are met. This paper will look at the privacy and security policies of three major hospitals in the United States: Georgetown University Hospital, Mayo Hospital, and Beth Israel Hospital. These three hospitals have many similarities, and also differences in how they approach these important issues.

Analysis

A strong emphasis on regulations and protections is a similarity found in all of the hospitals’ policies. However, all three hospitals adopt a different strategy in explaining how their policies serve to meet the goal. Indeed, some of the same themes for the three hospitals can be seen throughout the three policies: how and when to access personal health information, communications security, standards security, authorization information, etc. The three hospitals, however, all take a different conceptual strategy to explain how these compliance items are met and reached through different policy measures. All hospitals also have a fairly robust definition section where terminology and verbiage that is used throughout the document is explained at the beginning. While all hospitals have this section, some give it more weight than others.

Georgetown provides the most complete and thorough security policies of all the hospitals examined in this study with a document that is 134 pages long. Of all the hospitals, Georgetown also puts the most emphasis on linking their hospitals’ privacy and security policies with larger compliance to HIPAA. Indeed, Georgetown starts with an explanation of what HIPAA is, the basic requirements of the law, and then explains how the hospital meets those criteria for a number of different components. For example, after describing the HIPAA compliance rules generally, the hospital then breaks down the law concept-by-concept in order to explain how HIPAA regulations (and other federal and state regulations) play a key role in how the hospital writes policies to protect privacy and information.

Mayo, on the other hand, is far more prescriptive on what should be accomplished, but gives far less detail on the thinking underlying the reason for the principles. The document is only 17 pages long, and after giving a brief definition of the terms used in the policies, enumerates on eight main policy areas: Information Security, Security Administration, Standards for Information Use, Information Access Control, Communication Security, Information Integrity, Back-up procedures. Of all the areas, the policy spends the most room detailing communication security procedures and what transmission procedures should be used when trying to access information. Other than that, the document does not provide any keen insight into how Mayo is using the information procedures, or what it views as particularly important.

While Beth Israel’s privacy and security document is the shortest of all three hospitals, it does provide initial guidance on how the document should be used. The initial section of the document spells out the use of the policies regarding the use of computer and telecommunication resources for all employees. The document has a total of 13 sections; in addition to the usual sections on privacy and the use of hospital electronic resources, there are also sections on passwords, viruses, and security. Thus, this is a more technical document in the sense that it is dealing with potential problems arising from the use of technology, and it is prescriptive in how the hospital and user should deal with them. In this sense, the main user for the policies is not the consumer and how the hospital will protect their information; rather, it is directly aimed at employees and their use of information in the course of work.

Overall, I would have liked to see three things in each of the hospital’s security and privacy policy. First, while some hospitals did take the opportunity to state who the policies were aimed at, there was not a common approach: some hospitals, such as Beth Israel, dedicated their policies to employees of the hospital, while Georgetown directed the document at the protection of consumer information. Each hospital should provide an introduction enumerating who the principles are directed at.

Second, HIPAA, at least to some extent, should be mentioned and a part of each hospital’s privacy and security policy. HIPAA serves as the basis of many hospital’s privacy and security efforts. Although hospitals may have other policies that is not connected to HIPAA, from a compliance perspective a link to HIPAA would be useful and might help each hospital better conceptualize where the lacuna are in the different policies.

Third, each policy should also address technical concepts related to privacy and security such as back-up plans and mitigation strategies for hacking and stolen information. It is certainly relevant to include topics on password and virus management; however as part of the broader thinking on privacy and security, hospitals should know what the policies are (and announce them) regarding a public lost of information through either hacking or theft- this may help to focus efforts on how to prevent such activities.

References:

Beth Israel Hospital Privacy and Security Policies. HIMSS

Georgetown Hospital Privacy and Security Policies. HIMSS

Mayo Hospital Privacy and Security Policies. HIMSS

Privacy and Security Policies. HIMSS