Difference between revisions of "Healthcare Code of Conduct"

From MgmtWiki
Revision as of 22:27, 2 August 2021

Full Title or Meme

In Healthcare Identity Management a Code of Conduct applies to those software elements that handle Patient Health Information (PHI).

Context


Examples

CARIN

Norwegian

  • There are two categories, large and small organizations. Small organizations are granted a series of exemptions.
  • There is a series of fact sheets, summarized below. All of them include something that looks like assessment criteria, except for the first.
    • The actors in a healthcare covered entity.
    • There shall be a security management system wherever PHI is present.
    • Procedures must be in place before processing PHI.
    • Security audits shall be conducted at least annually.
    • Risk assessments must be carried out prior to operations, including any change that may impact security.
    • External data processors must agree to follow, and report on compliance with, the regulations.
    • Access control appears to be granted based on the purpose of access. It seems to be up to each organization to define the purposes or roles. (RBAC?)
    • Incident registration and follow-up shall be in place before PHI is collected, and the patient shall have access to the incident record. Notification of the patient does not appear to be required.
    • Message communications are subject to national standards, which might be HL7 formats; this is not clear. The standard is called ebXML (an XML-based successor to traditional EDI standards such as ANSI X12) and utilizes a national ID.
    • Agreement (consent) to research use of PHI.
    • Remote access by suppliers must respect confidentiality and integrity, etc.
    • The security requirements appear to be homegrown; no international standards are referenced.
    • Information security in research.
    • If it's an accident, it's not our fault?

References