Laws for Health Information Systems

From a health information system perspective, federal laws govern information management, data authentication, health information exchange, standards, and end-user needs. Organizations may additionally choose to become accredited or certified. Accrediting organizations endorse, facilitate, and publish standards that protect patient health information, while the laws themselves set the baseline for its safety and security. The safety and security standards for patients’ health information are clearly documented and widely adopted across legitimate health care organizations.

Introduction to Standard IM.01.01.03
The primary goal of the information continuity process is to return the hospital to normal operations as soon as possible with minimal downtime and no data loss. The hospital needs to be prepared for events that could impact the availability of data and information regardless of whether interruptions are scheduled or unscheduled (due to a local or regional disaster or an emergency). Interruptions to an organization’s information system can potentially have a devastating impact on its ability to deliver quality care and continue its business operations. Planning for emergency situations helps the organization mitigate the impact that interruptions, emergencies, and disasters have on its ability to manage information. The hospital plans for interruptions by training staff on alternative procedures, testing the hospital’s Emergency Operations Plan, conducting regularly scheduled data backups, and testing data restoration procedures.

Justify two information management standards from the list below as outlined by The Joint Commission. You are required to expand upon the Elements of Performance.

  • The hospital plans for managing information.
  • The hospital plans for continuity of its information management process.

Regardless of whether an organization uses a paper-based system or an electronic system, a plan that addresses the process for information continuity, including knowledge-based information, should be in place. Hospitals that plan for maintaining access to electronic information systems through electronic backup and restoration procedures can recover from interruptions with minimal downtime and minimal data loss.

Chapter 11
Health Care Information System Standards

Throughout this text we have examined a variety of different types of standards that affect,
directly or indirectly, the management of health information systems. In Chapter Ten we
examined health care performance standards; Chapter Two looked at data quality standards,
Chapter Nine at security standards, and so on. In this chapter we will examine yet another
category of standards that affect healthcare data and information systems: health care
information system (HCIS) standards. In all cases the standards examined represent the
measuring stick or set of rules against which an entity, such as an organization or system, will
compare its structures, processes, or functions to determine compliance. In the case of the
HCIS standards discussed in this chapter the aim is to provide a common set of rules by which
health care information systems can communicate. Systems that conform to different standards
cannot communicate with one another without a translation layer between them. Portability, data exchange, and interoperability
among different health information systems can be achieved only if they can “communicate.”
For a simple analogy, think about traveling to a country where you do not speak the language.
You would not be able to communicate with that country’s citizens without a common language
or translator. Think of the common language you adopt as the standard set of rules to which all
parties agree to adhere. Once you and others agree on a common language, you and they can
communicate. You may still have some problems, but generally these can be overcome.

By nature HCIS standards include technical specifications, which makes them harder for the
typical health care administrator to fully understand. In addition, a complex web of public
and private organizations creates, manages, and implements HCIS standards, and the resulting
standards are not always aligned with one another, which makes them even more difficult to grasp. In
fact, some may actually compete with one another. In addition to the complex web of standards
specifically designed for HCIS, there are many general IT standards that affect healthcare
information systems. Networking standards, such as Ethernet and Wi-Fi, employed by health
care organizations are not specific to healthcare. Extensible markup language (XML) is widely
accepted as a standard for sharing data using web-based technologies in healthcare and other
industries. There are many other examples that are beyond the scope of this text. Our focus will
be on the standards that are specific to HCIS.

With HIPAA came the push for adoption of administrative transaction and data exchange
standards. This effort has been largely successful; claims are routinely submitted via standard
electronic transaction protocols. However, although real progress has been made in recent
years, complete interoperability among health care information systems remains elusive.
Chapter Three examined the need for interoperability among health care information systems to
promote better health of our citizens; Chapter Two discussed the lack of standardization in
EHRs as an issue with using EHR data in research; and Chapter Nine outlined problems
associated with misalignment of quality and performance measures, in part because of a lack of
interoperability and standardization in EHRs and other health care information systems.
Interoperability, as defined by the ONC (2015) in its publication Connecting Health Care for the
Nation: A Shared Nationwide Interoperability Roadmap, results from multiple initiatives, including
payment, regulatory, and other policy changes to support a collaborative and connected health
care system. The best political and social infrastructures, however, will not succeed in achieving
interoperability without supportive technologies.

This chapter is divided into three main sections. The first section is an overview of HCIS
standards, providing general information about the types of standards and their purposes. The
second section examines a few of the major initiatives, public and private, responsible for
creating, requiring, or implementing HCIS standards. Finally, the last section of the chapter
examines some of the most commonly adopted HCIS standards, including examples of the
standards when possible.
HCIS Standards Overview
Keith Boone, a prolific blogger and writer on all topics related to HIT standards, once wrote,
“Standards are like potato chips. You always need more than one to get the job done” (Boone,
2012b). In general, the health care IT community discusses HCIS standards in terms of their
specific function, such as privacy and security, EHRs, electronic prescribing (e-prescribing), lab
reporting, and so on, but the reality is that achieving one of these or other functions requires
multiple standards directed at different levels within the HCIS. For example, there is a need for
standards at the level of basic communication across the Internet or other network
(Transporting), standards for structuring the content of messages communicated across the
network (Data Interchange and Messaging), standards that describe required data elements for
a particular function, such as the EHR or clinical summary (Content), and standards for naming
or classifying the actual data, such as units of measure, lab tests, diagnoses, and so on
(Vocabulary/Terminology). Unfortunately, there is no universal model for categorizing the
plethora of HCIS standards. In this chapter we will look at standards described as Data
Interchange and Messaging, Content, and Vocabulary/Terminology standards.

Standards, as we have seen, are the sets of rules for what should be included for the needed
function and system level. This is only a portion of the challenge in implementing standards. The
other challenge is how the standards are used for a particular function or use case. Much of the
work today toward achieving interoperability of healthcare information systems is concerned
with the how. Organizations that develop standards may also create specific implementation
guides for using the standard in a particular use case. (To further complicate the already
complicated standards environment, these implementation guides are sometimes referred to as
standards.) Other organizations, such as the ONC, develop frameworks for implementing
standards, and several government initiatives, such as HIPAA and HITECH, have set
requirements for implementing specific standards or sets of standards.
Standards Development Process
When seeking to understand why so many different IT and health care information standards
exist, it is helpful to look first at the standards development process that exists in the United
States (and internationally). In general the methods used to establish healthcare IT standards
can be divided into four categories (Hammond & Cimino, 2006):

Ad hoc. A standard is established by the ad hoc method when a group of interested people or
organizations agrees on a certain specification without any formal adoption process. The Digital
Imaging and Communications in Medicine (DICOM) standard for health care imaging came
about in this way.
De facto. A de facto standard arises when a vendor or other commercial enterprise controls
such a large segment of the market that its product becomes the recognized norm. The SQL
database language and the Windows operating system are examples of de facto standards.
XML is becoming a de facto standard for health care and other types of industry messaging.
Government mandate. Standards are also established when the government mandates that the
healthcare industry adopt them. Examples are the transaction and code sets mandated by the
Health Insurance Portability and Accountability Act (HIPAA) regulations.
Consensus. Consensus-based standards come about when representatives from various
interested groups come together to reach a formal agreement on specifications. The process is
generally open and involves considerable comment and feedback from the industry. This
method is employed by the standards developing organizations (SDOs) accredited by the
American National Standards Institute (ANSI). Many health care information standards are
developed by this method, including Health Level Seven (HL7) standards and the health-related
Accredited Standards Committee (ASC) standards.
The relationships among standard-setting organizations can be confusing, to say the least. Not
only do many of the acronyms sound similar but also the organizations themselves, as
voluntary, member-based organizations, can set their own missions and goals. Therefore,
although there is a formally recognized relationship among the International Organization for
Standardization (ISO), ANSI, and the SDOs, there is also some overlap in activities. Table 11.1
outlines the relationships among the formal standard-setting organizations and for each one
gives a brief overview of important facts and a current website.

Table 11.1 Relationships among standards-setting organizations

Source: ANSI (n.d.a, n.d.b, n.d.c); ISO (n.d.).

Organization: International Organization for Standardization (ISO)
Facts:
  • Members are national standards bodies from many different countries around the world.
  • Oversees the flow of documentation and international approval of standards development under the auspices of its member bodies.

Organization: American National Standards Institute (ANSI)
Facts:
  • US member of ISO.
  • Accredits standards development organizations (SDOs) from a wide range of industries, including health care.
  • Does not develop standards itself but accredits the organizations that develop standards.
  • Publishes more than ten thousand standards developed by accredited SDOs.

Organization: Standards Developing Organizations (SDOs)
Facts:
  • Must be accredited by ANSI.
  • Develop standards in accordance with ANSI criteria.
  • Can use the label “Approved American National Standard.”
  • Approximately two hundred SDOs are accredited; twenty of these produce 90 percent of the

All the ANSI-accredited SDOs must adhere to the guidelines established for accreditation;
therefore, they have similar standard-setting processes. According to ANSI, this process
includes the following:

  • Consensus on a proposed standard by a group or “consensus body” that includes representatives from materially affected or interested parties
  • Broad-based public review and comment on draft standards
  • Consideration of and response to comments submitted by voting members of the relevant consensus body and by public review commenters
  • Incorporation of approved changes into a draft standard
  • Right to appeal by any participant that believes that due process principles were not sufficiently respected during the standards development in accordance with the ANSI-accredited procedures of the standards developer (ANSI, n.d.c)
The IT industry in general has experienced a movement away from the process of establishing
standards via the accredited SDOs. The Internet and World Wide Web standards, for example,
were developed by groups with much less formal structures. However, the accredited SDOs
continue to have a significant impact on the IT standards for the healthcare industry.

Boone (2012a) lists the following organizations as major developers of HIT standards in the
United States; the list includes a mix of accredited SDOs and other developers. Each
organization’s specific area of standards development is indicated in brackets.
ANSI-accredited SDOs are marked with an asterisk (*).

International Organization for Standardization (ISO) [various]
ASTM International (ASTM) [various]*
Accredited Standards Committee (ASC) X12 [Insurance Transactions]*
Health Level Seven International (HL7) [various]*
Digital Imaging and Communications in Medicine (DICOM) [Imaging]
National Council for Prescription Drug Programs (NCPDP) [ePrescribing]
Regenstrief Institute (LOINC) [Laboratory Vocabulary]
International Health Terminology Standards Development Organisation (IHTSDO) [Clinical Terminology]

In addition, Boone (2012a) identifies the following “other” organizations as having a major impact
on HIT:

World Wide Web Consortium (W3C) [XML, HTML]
Internet Engineering Task Force (IETF) [Internet]
Organization for the Advancement of Structured Information Standards (OASIS) [Business use
of XML]

He further identifies key groups known as “profiling bodies” (Boone, 2012a) that use existing
standards to create comprehensive implementation guides. Two examples of profiling bodies
are Integrating the Healthcare Enterprise (IHE) and the ONC, which focus on guidance for
implementing clinical interoperability standards.
European Committee for Standardization (CEN)
Although the focus of this chapter is standards developed within the United States, it is important
to recognize there are other standards organizations worldwide. For example, the European
Committee for Standardization (CEN) was created in Brussels in 1975. In 2010 CEN partnered
with another European standards developing organization, the European Committee for
Electrotechnical Standardization (CENELEC), to form the CEN-CENELEC Management Centre
(CCMC) in Brussels, Belgium. CEN-CENELEC’s current membership includes national standards
bodies from thirty-three European countries (CEN-CENELEC, n.d.).

The Technical Committee within CEN that oversees healthcare informatics standards is CEN
TC 251, which consists of two working groups:

WG1: Enterprise and Information
WG2: Technology and Applications
Source: CEN (n.d.).
Federal Initiatives Affecting Healthcare IT Standards
There are many federal initiatives that affect healthcare IT standards. In this section we look at
federal initiatives for healthcare IT standards as a part of HIPAA, CMS e-prescribing, CMS EHR
Incentive Program, and the Office of the National Coordinator for Health Information Technology
(ONC), including the Interoperability Roadmap.

In August 2000, the US Department of Health and Human Services published the final rule
outlining the standards to be adopted by health care organizations for electronic transactions
and announced the designated standard maintenance organizations (DSMOs). In publishing this
rule, which has been modified as needed, the federal government mandated that health care
organizations adopt certain standards for electronic transactions and standard code sets for
these transactions and identified the standards organizations that would oversee the adoption of
standards for HIPAA compliance. The DSMOs have the responsibility for the development,
maintenance, and modification of relevant electronic data interchange standards. HIPAA
transaction standards apply to all covered entities’ electronic data interchange (EDI) related to
claims and encounter information, payment and remittance advice, claims status, eligibility,
enrollment and disenrollment, referrals and authorizations, coordination of benefits, and
premiums payment. The current HIPAA transaction standards are ASC X12N version 5010
(which accommodates ICD-10) along with NCPDP D.0 for pharmacy transactions (CMS,
2016b). In addition to these transaction standards, several standard code sets were established
for use in electronic transactions, including ICD-10-CM, ICD-10-PCS, HCPCS, CPT, and Code
on Dental Procedures and Nomenclature (CDT) (CMS, 2016a).
Centers for Medicare and Medicaid E-prescribing

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA)
established a Voluntary Prescription Drug Benefit program. There is no requirement in this act
that providers write prescriptions electronically, but those who choose to do so must comply
with specific e-prescribing standards. The current published CMS e-prescribing standards
consist of three sets of existing healthcare IT standards as “foundation” standards, which
include NCPDP’s SCRIPT Standard for e-Prescribing, ASC X12N standard for Health Care
Eligibility Benefit and Response, and NCPDP’s telecommunications standard. In addition, the
final rule identifies three additional electronic tools to be used in implementing e-prescribing:

NCPDP Formulary and Benefit Standard Implementation Guide, which provides information
about drugs covered under the beneficiary’s benefit plan
NCPDP SCRIPT Medication History Transactions, which provides information about
medications a beneficiary has been taking
Fill Status Notification (RxFill), which allows prescribers to receive an electronic notice from the
pharmacy regarding the beneficiary’s prescription status (CMS, 2013)
Centers for Medicare and Medicaid EHR Incentive Programs
As discussed previously, the Medicare and Medicaid EHR Incentive Programs were
established as a part of the HITECH Act to encourage eligible providers (EPs) and eligible
hospitals (EHs) to demonstrate Meaningful Use of certified EHR technology. EHR certification
for Stage 1 and Stage 2 Meaningful Use requires EPs and EHs to meet specific criteria.
Certification requirements are organized according to objectives, measures, specific criteria,
and standards. Not all criteria include specific standards, but many do. Examples of standards
required by 2014 certification rules include using the HL7 Implementation Guide for CDA in
meeting the criteria for providing patients the ability to view online, download, and transmit
information about a hospital. Other standards include SNOMED CT, which is required for coding
a patient’s smoking status, RxNorm, which is required for medications, and LOINC, which is
required for laboratory tests, among others (, 2014).
Office of the National Coordinator for Health Information Technology
As discussed in previous chapters the Office of the National Coordinator for Health Information
Technology (ONC) was established in 2004 and charged with providing “leadership for the
development and nationwide implementation of an interoperable health information technology
infrastructure to improve the quality and efficiency of health care” (HHS, 2008). In 2009, the role
of the ONC was strengthened when the HITECH Act legislatively mandated ONC to provide this
leadership and oversight (HHS, 2012). Today, the ONC is “the principal federal entity charged
with coordination of nationwide efforts to implement and use the most advanced health
information technology and the electronic exchange of health information” (, n.d.).

Current ONC initiatives, in addition to implementing HITECH, include implementation of
healthcare IT standards for interoperability. In Chapter Three, the ONC Interoperability Roadmap
was introduced and key milestones related to payment reform and outcomes were outlined. The
Roadmap also outlines key milestones for the development and implementation of technologies
to support interoperability (ONC, 2015). In 2015 the ONC published its first
Interoperability Standards Advisory, which has been updated annually since. This
Advisory document outlines the ONC-identified “best available” standards and implementation
specifications for clinical IT interoperability. The identified standards and specifications in the
2016 Advisory are grouped into three sections:

Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications,
which address the “semantics,” or standard meanings of codes and terms needed for
Best Available Content/Structure Standards and Implementation Specifications, which address
the “syntax,” or rules by which the common data elements can be shared to achieve
Best Available Standards and Implementation Specification for Services, which address
infrastructure components needed to achieve interoperability (ONC, 2016)
Each specific standard is identified and defined by six characteristics: process maturity,
implementation maturity, adoption level, federal requirement status, cost, and whether a testing
tool is available. The Advisory also includes hyperlinks to the standards and implementation
guides cited. Exhibit 11.1 is an excerpt from the 2016 Advisory.
Exhibit 11.1 Excerpt from ONC 2016 Interoperability Standards Advisory

Section I: Best Available Vocabulary/Code Set/Terminology Standards and Implementation Specifications

I-A: Allergies

Interoperability Need: Representing patient allergic reactions

Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required | Cost | Test Tool
Standard | SNOMED CT | Final | Production | (graphic not reproduced) | No | Free | N/A

Limitations, Dependencies, and Preconditions for Consideration: SNOMED CT may not be sufficient to differentiate between an allergy or adverse reaction, or the level of severity
Applicable Value Set(s): Problem urn:oid:2.16.840.1.113883.

Interoperability Need: Representing patient allergens: medications

Type | Standard/Implementation Specification | Standards Process Maturity | Implementation Maturity | Adoption Level | Federally Required | Cost | Test Tool
Standard | RxNorm | Final | Production | (graphic not reproduced) | Yes | Free | N/A
Standard | NDF-RT | Final | Production | Unknown | No | Free | N/A

Source: ONC (2016).

Other Organizations Influencing Health Care IT Standards
The following organizations certainly do not represent the full list of bodies that are involved with
healthcare IT standards development and implementation. However, they do represent a few of
the most significant nongovernment contributors. ASTM International and HL7 International are
accredited SDOs with standards specifically addressing health care information. IHE is a
recognized profiling body influencing the implementation of interoperability standards.

ASTM International
ASTM International was formerly known as the American Society for Testing and Materials.
ASTM International has more than thirty thousand members from across the globe and publishes
more than twelve thousand standards, ranging from specifications for traffic paint to those for
cell phone casings (ASTM, n.d.a, n.d.b). The ASTM
Standards for Healthcare Services, Products and Technology include medical device standards
and health information standards. The health information standards are managed by the ASTM
Committee E31, which focuses on “the development of standards that help doctors and health
care practitioners preserve and transfer patient information using EHR technologies” (ASTM,
2014). Of particular note, the E31 standards include the continuity of care record (CCR)
discussed further on in this chapter.

HL7 International
HL7 International was founded in 1987. It is an ANSI-accredited SDO “dedicated to providing a
comprehensive framework and related standards for the exchange, integration, sharing, and
retrieval of electronic health information that supports clinical practice and the management,
delivery and evaluation of health services” (HL7, n.d.). The HL7 standards related to
interoperability and listed on its website as “Primary Standards,” or most used, include the

Version 2 and 3 HL7 messaging standards, interoperability specifications for health and medical
transactions; these are the standards commonly referred to as HL7
Clinical Document Architecture (CDA), a document markup standard for clinical information
exchange among providers based on version 3 of HL7
Continuity of Care Document (CCD), a joint effort with ASTM providing complete guidance for
implementation of CDA in the United States
Clinical Context Object Workgroup (CCOW), interoperability standards for visually integrating
applications “at the point of use”
These primary standards are not the only ones developed by HL7 International. The
organization also publishes Functional EHR and PHR specifications; Arden Syntax, a markup
language for sharing medical information; and GELLO, a query language for medical records.
One of the most promising of the HL7 International standards is Fast Healthcare Interoperability
Resources (FHIR). FHIR builds on the earlier HL7 standards but is considered easier to implement
because it uses web-based technologies (Ahier, 2015). Several of the HL7 standards, including FHIR,
will be explained in greater detail further on in this chapter.
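The layered view given in the HCIS Standards Overview (transport, data interchange and messaging, content, vocabulary) and the HL7 Version 2 messaging standard listed above meet in a single lab-result message. The following is an added example written for this chapter, not code from HL7 International or any vendor: it parses a constructed ORU^R01 message, reads the delimiter characters from the MSH segment rather than assuming them, pulls each OBX observation's code, coding system, value and units, and verifies each LOINC code's check digit. The message, its patient, and the display names attached to the codes are constructed for the example and are assumptions, not authoritative data.

```python
"""Added example (not HL7's or any vendor's code): a minimal HL7 v2 parser
that pulls coded lab observations out of an ORU^R01 result message and checks
each LOINC code's check digit.

Assumptions not taken from the page: the message below is constructed for
this example, and the display names next to the codes are illustrative.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: one lab result message. HL7 v2 separates segments with a
# carriage return, fields with | and components with ^ (MSH-1 and MSH-2 declare
# these characters, so a parser should read them rather than hard-code them).
SAMPLE_ORU = (
    "MSH|^~\\&|LAB|HOSP|EHR|HOSP|202401151230||ORU^R01|MSG0001|P|2.5.1\r"
    "PID|1||123456^^^HOSP^MR||DOE^JANE||19800101|F\r"
    "OBR|1|||24323-8^Comprehensive metabolic panel^LN\r"
    "OBX|1|NM|2345-7^Glucose^LN||98|mg/dL|70-99|N|||F\r"
    "OBX|2|NM|2160-0^Creatinine^LN||1.1|mg/dL|0.6-1.2|N|||F\r"
    "OBX|3|ST|99999-9^Local test^L||see note|||||||F\r"
)


@dataclass
class Observation:
    code: str
    name: str
    coding_system: str  # "LN" = LOINC; "L" = a sender-local code
    value: str
    units: str


def _field(fields: list[str], index: int) -> str:
    """Return a field by position, or '' when the segment is shorter."""
    return fields[index] if index < len(fields) else ""


def loinc_check_digit_ok(code: str) -> bool:
    """Verify a LOINC code's Mod 10 check digit, e.g. '2345-7'.

    LOINC's documented procedure: take the digits in odd positions counting
    from the right as one number and double it, append the even-position
    digits, add up every digit of the result, and the check digit is the
    amount needed to reach the next multiple of 10.
    """
    body, sep, check = code.rpartition("-")
    if not sep or not body.isdigit() or len(check) != 1 or not check.isdigit():
        return False
    reversed_body = body[::-1]
    odd_positions = reversed_body[0::2]    # 1st, 3rd, 5th ... from the right
    even_positions = reversed_body[1::2]   # 2nd, 4th, ... from the right
    digits = str(int(odd_positions) * 2) + even_positions
    total = sum(int(d) for d in digits)
    return (10 - total % 10) % 10 == int(check)


def parse_oru(raw: str) -> tuple[dict[str, str], list[Observation]]:
    """Split an HL7 v2 message into MSH metadata and its OBX observations."""
    segments = [s for s in raw.split("\r") if s]
    if not segments or not segments[0].startswith("MSH"):
        raise ValueError("an HL7 v2 message must begin with an MSH segment")
    msh = segments[0]
    field_sep, comp_sep = msh[3], msh[4]   # MSH-1 and the first char of MSH-2
    msh_fields = msh.split(field_sep)      # in MSH, field n sits at index n-1
    header = {
        "message_type": _field(msh_fields, 8),   # MSH-9, e.g. ORU^R01
        "control_id": _field(msh_fields, 9),     # MSH-10
        "version": _field(msh_fields, 11),       # MSH-12
    }
    observations: list[Observation] = []
    for seg in segments[1:]:
        fields = seg.split(field_sep)      # fields[0] is the segment name
        if fields[0] != "OBX":
            continue
        # OBX-3 is a coded element: code^display name^coding system
        parts = _field(fields, 3).split(comp_sep) + ["", "", ""]
        observations.append(Observation(
            code=parts[0], name=parts[1], coding_system=parts[2],
            value=_field(fields, 5), units=_field(fields, 6),
        ))
    return header, observations


def interoperability_issues(observations: list[Observation]) -> list[str]:
    """Flag observations a receiver cannot interpret unambiguously: results
    coded in a local vocabulary, or LOINC codes whose check digit fails."""
    issues = []
    for obs in observations:
        if obs.coding_system != "LN":
            issues.append(f"{obs.code}: coded in local system '{obs.coding_system}', not LOINC")
        elif not loinc_check_digit_ok(obs.code):
            issues.append(f"{obs.code}: LOINC check digit does not verify")
    return issues


if __name__ == "__main__":
    hdr, obs = parse_oru(SAMPLE_ORU)
    print(hdr)
    for o in obs:
        print(o)
    for issue in interoperability_issues(obs):
        print("ISSUE:", issue)
```

Two things the example shows that the prose alone does not: the messaging layer (segments, fields, components) and the vocabulary layer (the LN coding system in OBX-3) are separable, and a message that is perfectly well formed at the messaging layer can still be non-interoperable because its third result is coded in a sender-local vocabulary. The parser deliberately takes the delimiters from MSH-1 and MSH-2 instead of assuming the defaults; a receiver that hard-codes them will mis-parse a message from a sender that declared different ones. Production parsers also have to handle HL7 escape sequences, repetitions (~) and subcomponents (&), which this example omits.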

Integrating the Healthcare Enterprise (IHE)
Integrating the Healthcare Enterprise (IHE) has developed a series of profiles to guide health
care documentation sharing. These profiles are not standards but rather include very specific
guidance for how existing standards can be implemented to meet clinical needs (IHE, n.d.b).
The current IHE profiles are organized as follows:

Anatomic Pathology
Eye Care
IT Infrastructure
Pathology and Laboratory Medicine
Patient Care Coordination
Patient Care Device
Quality, Research, and Public Health
Radiation Oncology
As an example, the IHE Patient Care Coordination Profile group includes twenty individual
profiles, and each profile is further identified by its current implementation stage (IHE, n.d.a).

Health IT Standards
The development and implementation of healthcare IT standards is complex and constantly
evolving. The preceding sections of this chapter are intended to provide some insight into the
processes of the organizations involved in standards development. The following sections
examine examples of the actual standards. This is by no means an exhaustive list of healthcare
IT standards but rather samplings of a few that are commonly used or significant in other ways.

Vocabulary and Terminology Standards
One of the most difficult problems in exchanging health care information and creating
interoperable EHRs is coordinating the vast amount of health information that is generated in
diverse locations for patients and populations. The vocabulary and terminology standards
discussed in this section serve similar purposes—to create a common language that enables
different information systems or vendor products to communicate unambiguously with one
another. In a very simplified example, a standard vocabulary would ensure that the medical term
myocardial infarction, for example, is mapped to the term heart attack and that both terms share
exactly the same attributes. An effective standard vocabulary must also standardize the very
complex hierarchy and syntax of the language used in the health industry. This is a complicated
and detailed endeavor to say the least. So it is not surprising that, to date, no single vocabulary
has emerged to meet all the information exchange needs of the health care sector.

The most widely recognized coding and classification systems—ICD, Current Procedural
Terminology (CPT), and diagnosis related groups (DRGs)—were discussed in Chapter Two.
Although these systems and the other coding systems discussed in this section do not meet the
criteria for full clinical vocabularies, they are used to code diagnoses and procedures and are
the basis for information retrieval in healthcare information systems. Most were originally
developed to facilitate disease and procedure information retrieval, but they have been adopted
to code for billing services as well. Several of the most commonly used classification systems
are actually incorporated across more robust standard vocabularies such as SNOMED CT and

The code sets required by HIPAA include the following:

HCPCS (ancillary services or procedures) (see Chapter Two)
CPT-4 (physicians procedures) (see Chapter Two)
CDT (dental terminology)
ICD-10 (see Chapter Two)
NDC (national drug codes)
The HITECH Meaningful Use final rule also includes ICD-10 as its classification standard.

The National Committee on Vital and Health Statistics (NCVHS) has the responsibility, under a
HIPAA mandate, to recommend uniform data standards for patient medical record information
(PMRI). Although no single vocabulary has been recognized by NCVHS as the standard, they
have recommended the following as a core set of PMRI terminology standards:

Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT)
Logical Observation Identifiers Names and Codes (LOINC) laboratory subset
Several federal drug terminologies, including RxNorm (NCVHS, 2003)
The HITECH Meaningful Use final rule and the ONC Advisory include these standards and the
standard for clinical vaccines administered (CVX).

In this section we will describe SNOMED CT, LOINC, CVX, and RxNorm, along with the
National Library of Medicine’s Unified Medical Language System (UMLS) (of which RxNorm is one
component), which has become the standard for bibliographic searches in health care and has
the potential for other uses as well.

Code on Dental Procedures and Nomenclature
The American Dental Association (ADA) publishes the CDT, Code on Dental Procedures and
Nomenclature. This set of codes is designed to support accurate recording and reporting of
dental treatments. The ADA strives to maintain an up-to-date set of codes that reflect actual
practice (ADA, n.d.). The code set is divided into twelve sections, as follows (Washington Dental
Service, 2012):

Diagnostic (D0000–D0999)
Preventive (D1000–D1999)
Restorative (D2000–D2999)
Endodontics (D3000–D3999)
Periodontics (D4000–D4999)
Prosthodontics, removable (D5000–D5899)
Maxillofacial prosthetics (D5900–D5999)
Implant services (D6000–D6199)
Prosthodontics, fixed (D6200–D6999)
Oral and maxillofacial surgery (D7000–D7999)
Orthodontics (D8000–D8999)
Adjunctive general services (D9000–D9999)

National Drug Codes
The National Drug Code (NDC) is the universal product identifier for human drugs in the United States. The Drug
Listing Act of 1972 requires registered drug companies to provide the Food and Drug
Administration (FDA) a current listing of all drugs “manufactured, prepared, propagated,
compounded, or processed by it for commercial distribution” (FDA, 2016). Each NDC is a unique
three-segment number: the FDA assigns the first segment (the labeler code), and the labeler assigns
the second and third segments (the product code and the package code). The FDA maintains the listed
drugs in the National Drug Code Directory, which is updated twice each month, with up to sixteen
data fields for each drug. The information for the common over-the-counter drug Tylenol PM
(Extra Strength), for example, is as follows (the full three-segment code appears as the package code):

Product NDC: 50580–176
Product Type Name: Human OTC Drug Proprietary Name: Tylenol PM (Extra Strength)
Non-proprietary Name: Acetaminophen and Diphenhydramine Hydrochloride
Dosage Formulation: Tablet, Coated Route Name: Oral
Start Marketing Date: 12–01–1991 End Marketing Date: <blank field>
Marketing Category Name: OTC Monograph Final Application Number: part338
Labeler Name: McNeil Consumer Healthcare Div. McNeil-PPC, Inc Substance Name:
Acetaminophen; Diphenhydramine Hydrochloride Strength Number/Unit: 500 mg/1, 25 mg/1
Pharm Class: Histamine H1 Receptor Antagonists [MoA], Histamine-1 Receptor Antagonist
Package Code: 50580–176–10
Package Description: 1 Bottle, Plastic in 1 Carton (50580–176–10) > 100 tablet, coated in 1
Bottle, Plastic
DEA classification: <blank> (US FDA, 2016)
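The three-segment NDC above is printed in its 5-3-2 label form, but labels also use 4-4-2 and 5-4-1 layouts, and HIPAA transactions carry an 11-digit 5-4-2 form in which the short segment is padded with a leading zero. Matching drug records across those forms is where lookups silently go wrong, so the Python below (an added example, not code from the page or from the FDA) normalizes hyphenated NDCs to the 11-digit form and deliberately refuses a 10-digit string whose hyphens have been stripped, because without them the padding position cannot be recovered. The NDCs other than the page’s 50580-176-10 are constructed.

```python
"""Normalize National Drug Codes to the 11-digit 5-4-2 form used in HIPAA transactions.

Added example; not from the page or from FDA. A label NDC has three segments
(labeler-product-package) in one of three 10-digit layouts, 4-4-2, 5-3-2 or
5-4-1; the short segment is padded with a leading zero to reach 5-4-2. The
hyphens are what make that safe: once they are removed a 10-digit string can
no longer be padded unambiguously, so such input is rejected rather than guessed.
Sample NDCs other than 50580-176-10 (from the page) are constructed.
"""
import re

# labeler 4-5 digits, product 3-4 digits, package 1-2 digits, hyphenated
_NDC_RE = re.compile(r"^(\d{4,5})-(\d{3,4})-(\d{1,2})$")
_PRODUCT_RE = re.compile(r"^(\d{4,5})-(\d{3,4})$")


def _clean(ndc: str) -> str:
    # Tolerate the en dash some documents (including this page) print instead of a hyphen.
    return ndc.strip().replace("\u2013", "-")


def normalize_ndc(ndc: str) -> str:
    """Return the 11-digit, unhyphenated NDC for a hyphenated 10- or 11-digit package NDC."""
    m = _NDC_RE.match(_clean(ndc))
    if not m:
        # Covers unhyphenated input and two-segment (product-only) input.
        raise ValueError(f"not a hyphenated package NDC: {ndc!r}")
    labeler, product, package = m.groups()
    if len(labeler) + len(product) + len(package) not in (10, 11):
        raise ValueError(f"unexpected segment lengths in {ndc!r}")
    return labeler.zfill(5) + product.zfill(4) + package.zfill(2)


def normalize_product_ndc(ndc: str) -> str:
    """Return the 9-digit 5-4 product NDC (labeler + product) for a hyphenated product NDC."""
    m = _PRODUCT_RE.match(_clean(ndc))
    if not m:
        raise ValueError(f"not a hyphenated product NDC: {ndc!r}")
    labeler, product = m.groups()
    return labeler.zfill(5) + product.zfill(4)


def product_of(ndc11: str) -> str:
    """The 9-digit product NDC contained in an 11-digit package NDC."""
    return ndc11[:9]


def hyphenate_ndc11(ndc11: str) -> str:
    """Render an 11-digit NDC as 5-4-2 with hyphens."""
    if not re.fullmatch(r"\d{11}", ndc11):
        raise ValueError(f"expected 11 digits, got {ndc11!r}")
    return f"{ndc11[:5]}-{ndc11[5:9]}-{ndc11[9:]}"


def same_package(a: str, b: str) -> bool:
    """True when two differently written NDCs name the same package."""
    return normalize_ndc(a) == normalize_ndc(b)


if __name__ == "__main__":
    for label in ("50580-176-10", "1234-5678-90", "12345-6789-0"):
        print(label, "->", normalize_ndc(label), "->", hyphenate_ndc11(normalize_ndc(label)))
```

Keep the hyphenated form at the point of ingestion (label scan, directory download, claim) and convert once; a system that stores bare 10-digit strings has already lost the information needed to pad them.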
Systematized Nomenclature of Medicine—Clinical Terms
Systematized Nomenclature of Medicine—Clinical Terms (SNOMED CT) is a comprehensive
clinical terminology developed specifically to facilitate the electronic storage and retrieval of
detailed clinical information. It is the result of collaboration between the College of American
Pathologists (CAP) and the United Kingdom’s National Health Service (NHS). SNOMED CT
merges CAP’s SNOMED Reference Terminology, an older classification system used to group
diseases, and the NHS’s Clinical Terms Version 3 (also known as Read Codes), an established
clinical terminology used in Great Britain and elsewhere. As a result, SNOMED CT is based on
decades of research. Since April 2007 SNOMED CT has been owned, maintained, and distributed
by the International Health Terminology Standards Development Organization (IHTSDO), a
nonprofit association based in Denmark. The National Library of Medicine is the US member of
the IHTSDO and distributes SNOMED CT at no cost within the United States (IHTSDO, n.d.; NLM,
2016b).

Logical Observation Identifiers Names and Codes
The Logical Observation Identifiers Names and Codes (LOINC) system was developed to
facilitate the electronic transmission of laboratory results to hospitals, physicians, third-party
payers, and other users of laboratory data. Initiated in 1994 by the Regenstrief Institute at
Indiana University, LOINC provides a standard set of universal names and codes for identifying
individual laboratory and clinical results. These standard codes enable users to merge clinical
results from disparate sources (Regenstrief Institute, n.d.).

A LOINC code is a numeric identifier followed by a hyphen and a Mod 10 check digit. The code
field is fixed at seven characters, and current codes range from three to seven characters long.
There are six parts in the LOINC name structure: component/analyte, property, time aspect,
system, scale type, and method. The syntax for a name follows this pattern (Case, 2011):

LOINC Code:Component:Property Measured:Timing:System:Scale:Method
5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA
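A receiving system should reject a LOINC code whose check digit does not verify before it merges the result, since a one-digit transcription error otherwise maps a result onto an unrelated test. The Python below is an added example, not code from the page or from Regenstrief; it implements the Mod 10 check digit (which is equivalent to the Luhn algorithm) and splits the colon-delimited name pattern shown above. The codes 5193-8 and 1554-5 are the ones cited on this page; the other inputs are constructed.

```python
"""Validate a LOINC code's check digit and split a LOINC fully specified name.

Added example; not from the page or from Regenstrief. The check digit is the
Mod 10 scheme LOINC uses, computed here in its Luhn form; 5193-8 and 1554-5
are the codes cited on this page, the remaining inputs are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

LOINC_RE = re.compile(r"^(\d{1,5})-(\d)$")


def loinc_check_digit(body: str) -> int:
    """Mod 10 check digit for the digits before the hyphen.

    Starting from the rightmost digit, double every other digit, reduce any
    two-digit product by 9, sum everything, and return the amount needed to
    reach the next multiple of ten (Luhn).
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def is_valid_loinc(code: str) -> bool:
    """True for 'digits-checkdigit' where the check digit verifies."""
    m = LOINC_RE.match(code.strip())
    if not m:
        return False
    body, check = m.groups()
    return loinc_check_digit(body) == int(check)


@dataclass
class LoincName:
    component: str
    prop: str          # property, e.g. ACnc (arbitrary concentration)
    time_aspect: str   # e.g. Pt (point in time)
    system: str        # specimen, e.g. Ser (serum)
    scale: str         # e.g. Qn (quantitative)
    method: Optional[str]


def parse_loinc_name(name: str) -> LoincName:
    """Split 'Component:Property:Time:System:Scale[:Method]'; Method is optional in LOINC."""
    parts = [p.strip() for p in name.split(":")]
    if len(parts) not in (5, 6):
        raise ValueError(f"expected 5 or 6 colon-separated parts, got {len(parts)}")
    if len(parts) == 5:
        parts.append(None)
    return LoincName(*parts)


def parse_loinc_entry(entry: str) -> tuple[str, LoincName]:
    """Parse 'code:Component:...:Method' as the page prints it, refusing a bad check digit."""
    code, _, name = entry.partition(":")
    code = code.strip()
    if not is_valid_loinc(code):
        raise ValueError(f"bad LOINC code or check digit: {code!r}")
    return code, parse_loinc_name(name)


if __name__ == "__main__":
    print(parse_loinc_entry("5193-8:Hepatitis B virus surface Ab:ACnc:Pt:Ser:Qn:EIA"))
```

The check digit only catches transcription errors; it says nothing about whether the code exists in the current LOINC release, so a validated code still needs a lookup against the distributed table before it is accepted as a result identifier.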
Clinical Vaccines Administered
The Centers for Disease Control and Prevention (CDC) National Center for Immunization and
Respiratory Diseases (NCIRD) developed the Clinical Vaccines Administered (CVX) code set as
standard codes and terminology for use with HL7 messaging standards. Table 11.2 is an
excerpt from the full CVX table.

Table 11.2 Excerpt from CVX (clinical vaccines administered)

Short Description | Full Vaccine Name | CVX Code | Status | Last Date Updated | Notes
adenovirus types 4 and 7 | adenovirus, type 4 and type 7, live, oral | 143 | Active | 3/20/2011 | This vaccine is administered as two tablets.
anthrax | anthrax vaccine | 24 | Active | 5/28/2010 |
BCG | Bacillus Calmette-Guerin vaccine | 19 | Active | 5/28/2010 |
DTaP, IPV, Hib, HepB | Diphtheria and Tetanus Toxoids and Acellular Pertussis Adsorbed, Inactivated Poliovirus, Haemophilus b Conjugate (Meningococcal Outer Membrane Protein Complex), and Hepatitis B (Recombinant) Vaccine | 146 | Pending | 9/21/2015 | Note that this vaccine is different from CVX 132.
influenza, seasonal, injectable | influenza, seasonal, injectable | 141 | Active | 7/17/2013 | This is one of two codes replacing CVX 15, which is being retired.
influenza, live, intranasal | influenza virus vaccine, live, attenuated, for intranasal use | 111 | Inactive | 5/28/2010 |

RxNorm
The National Library of Medicine (NLM) produces RxNorm, which serves two purposes: as “a
normalized naming system for generic and brand name drugs and as a tool for supporting
semantic interoperation between drug terminologies and pharmacy knowledge–based systems”
(NLM, 2016a). The goal of RxNorm is to enable disparate health information systems to
communicate with one another in an unambiguous manner.

There are twelve separate RxNorm data files that are released on a monthly basis. The files
show this information:

Drug names and unique identifiers
Semantic types
Data history (three files)
Obsolete data (three files)
Metadata (two files)

The following example from the first RxNorm data file represents the “concept” Azithromycin
250 MG Oral Capsule, with the unique identifier 141962 (NLM, 2016a):

Azithromycin 250 MG Oral Capsule||N||

Unified Medical Language System
The NLM began the Unified Medical Language System (UMLS) project in 1986, and it is ongoing
today. The purpose of the UMLS project is “to facilitate the development of computer systems
that behave as if they ‘understand’ the meaning of the language of biomedicine and health. The
UMLS provides data for system developers as well as search and report functions for less
technical users” (NLM, 2016b).

The UMLS has three basic components, called knowledge sources:

UMLS Metathesaurus, which contains concepts from more than one hundred source
vocabularies. All the common health information vocabularies, including SNOMED CT, ICD, and
CPT, along with approximately one hundred other vocabularies, including RxNorm, are
incorporated into the metathesaurus. The metathesaurus project’s goal is to incorporate and
map existing vocabularies into a single system.
UMLS Semantic Network, which defines 133 broad categories and dozens of relationships
between categories for labeling the biomedical domain. The semantic network contains
information about the categories (such as “Disease or Syndrome” and “Virus”) to which
metathesaurus concepts are assigned. The semantic network also outlines the relationships
among the categories (for example, “Virus” causes “Disease or Syndrome”).
SPECIALIST Lexicon and Lexical Tools. The SPECIALIST lexicon is a dictionary of English
words, common and biomedical, which exist to support natural language processing.
The UMLS products are widely used in NLM’s own applications, such as PubMed, and they are
available to other organizations free of charge, provided the users submit a license agreement
(NLM, 2016b). Currently, components of UMLS are incorporated into other standards and
profiles for health care IT interoperability.
Data Exchange and Messaging Standards
The ability to exchange and integrate data among health care applications is critical to the
success of any overall health care information system, whether an organizational, regional, or
national level of integration is desired. Although there is some overlap, these standards differ
from the vocabulary standards because their major purpose is to standardize the actual
“messaging” between health care information systems. Messaging standards are key to
interoperability. In this section we will look at a few of the standards that have been developed
for this purpose. There are others, and new needs are continually being identified. However, the
following groups of standards are recognized as important to the health care sector, and
together they provide examples of broad standards addressing all types of applications and
specific standards addressing one type of application:

Health Level Seven Messaging standards (HL7)
Digital Imaging and Communications in Medicine (DICOM)
National Council for Prescription Drug Programs (NCPDP)
ANSI ASC X12N standards
Two other groups of standards discussed in this section actually combine some features of
messaging standards and content standards:

Continuity of Care Document (CCD)
Fast Healthcare Interoperability Resources (FHIR)
HIPAA specifically requires covered entities to comply with specific ANSI X12N and NCPDP
standards. HITECH and the ONC Advisory also cite specific messaging standards and the CCD.
FHIR is currently under development by HL7 International and is being cited by health care IT
professionals as a major advancement toward true interoperability.

Health Level Seven Standards
Two versions of HL7 messaging standards, Version 2 and Version 3, are listed by HL7
International as “primary,” or commonly used. HL7 v2 remains popular in spite of the
development of HL7 v3. HL7 v2 was first introduced in 1987 and has become the “workhorse of
electronic data exchange” (HL7, n.d.). HL7 v3 is XML-based and, as such, is a significant
change from early versions. See the HL7 Laboratory Results Use Case later in this section for
an example of an HL7 v3 message.
Digital Imaging and Communications in Medicine Standards
The growth of digital diagnostic imaging (such as CT scans and MRIs) gave rise to the need for
a standard for the electronic transfer of these images between devices manufactured by
different vendors. The American College of Radiology (ACR) and the National Electrical
Manufacturers Association (NEMA) published the first standard, a precursor to the current
Digital Imaging and Communications in Medicine (DICOM) standard, in 1985. The goals of
DICOM are to “achieve compatibility and to improve workflow efficiency between imaging
systems and other information systems in healthcare environments worldwide.” It is used by all
of the major diagnostic medical imaging vendors, which translates to its use in nearly every
medical profession that uses images (DICOM, 2016).

National Council for Prescription Drug Program Standards
The National Council for Prescription Drug Programs (NCPDP), an ANSI-accredited SDO with
more than 1,600 members representing the pharmacy services industry, has developed a set of
standards for the electronic submission of third-party drug claims (NCPDP, 2012). These
standards not only include the telecommunication standards and batch standards required by
HIPAA but also the SCRIPT standard required for e-prescribing, among others. Of note, the
SCRIPT standard currently incorporates RxNorm as its standardized medication nomenclature.
The NCPDP Provider Identification Number is a unique identifier of more than seventy-five
thousand pharmacies. Table 11.3 presents excerpts from the NCPDP Data Dictionary, which
outlines a few of the Transmission Header Segment requirements. The entire data dictionary
table is more than seventy pages long (CMS, 2002).

Table 11.3 Excerpt from NCPDP data dictionary

NCPDP Data Dictionary Name | Field Number | NCPDP Definition of Field | Version D.0 Format | Valid Values per the Standard
Service Provider ID Qualifier | 202-B2 | Code qualifying the Service Provider ID | X(02) | Blank=Not Specified; 01=National Provider Identifier (NPI); 02=Blue Cross; 03=Blue Shield; 07=NCPDP Provider ID; 08=State License; 10=Health Industry Number (HIN); 11=Federal Tax ID; 12=Drug Enforcement Administration (DEA); 13=State Issued; 14=Plan Specific; 15=HCID (HC IDea)
Service Provider ID | 201-B1 | ID assigned to pharmacy or provider | X(15) | N/A
Date of Service | 401-D1 | Identifies the date the prescription was filled or professional service rendered or subsequent payer began coverage following Part A expiration in a long-term care setting only | 9(08) | Format=CCYYMMDD

HL7 Laboratory Results Use Case
The following object identifiers (OIDs) are used within the Good Health Hospital (GHH):

GHH Placer Order IDs: 2.16.840.1.113883.19.1122.14
GHH Lab Filler Order IDs: 2.16.840.1.113883.19.1122.4
The code system for the observation within the GHH is LOINC: 2.16.840.1.113883.6.1
The HL7 Confidentiality Code system: 2.16.840.1.113883.5.25

The HL7 v3 Message: Domain Content Excerpt
The “Domain Content” starts with its own root element: observationEvent. The elements within
specify the type of observation, the ID, the time of the observation, statusCode, and the results.
The value for the actual result is shown in the value element. The interpretationCode element
shows that the value has been interpreted as high (H), while referenceRange provides the
normal values for this particular observation. The excerpt is shown below as well-formed XML:
the observationEvent root, the referenceRange wrapper around the normal range, and the xsi
namespace declaration that xsi:type requires are restored around the lines the source prints.

<observationEvent xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <id root="2.16.840.1.113883.19.1122.4" extension="1045813"
      assigningAuthorityName="GHH LAB Filler Orders"/>
  <code code="1554-5" codeSystemName="LN" codeSystem="2.16.840.1.113883.6.1"/>
  <statusCode code="completed"/>
  <effectiveTime value="200202150730"/>
  <priorityCode code="R"/>
  <confidentialityCode code="N" codeSystem="2.16.840.1.113883.5.25"/>
  <value xsi:type="PQ" value="182" unit="mg/dL"/>
  <interpretationCode code="H"/>
  <!-- wrapper elements restored for well-formedness; the source excerpt omits them -->
  <referenceRange>
    <interpretationRange>
      <value xsi:type="IVL_PQ">
        <low value="70" unit="mg/dL"/>
        <high value="105" unit="mg/dL"/>
      </value>
      <interpretationCode code="N"/>
    </interpretationRange>
  </referenceRange>
</observationEvent>

Source: Spronk (2007). Used under CC BY-SA 3.0; used with permission.
ANSI ASC X12N Standards
The ANSI Accredited Standards Committee (ASC) X12 develops standards in X12 and XML
formats for the electronic exchange of business information. One ASC X12 subcommittee,
X12N, has been specifically designated to deal with electronic data interchange (EDI) standards
in the insurance industry, and this subcommittee has a special health care task group, known as
TG2. According to the X12 TG2 website, “the purpose of the Health Care Task group shall be
the development and maintenance of data standards (both national and international) which shall
support the exchange of business information for healthcare administration. Health care data
includes, but is not limited to, such business functions as eligibility, referrals and authorizations,
claims, claim status, payment and remittance advice, and provider directories” (ASC X12, n.d.).
To this end ASC X12N has developed a set of standards that are monitored and updated
through ASC X12N work groups.

Table 11.4 lists the current X12 work group areas. A portion of the X12 5010 Professional Claim
standard is shown in Exhibit 11.2. The standard for Professional Claim alone is more than ninety
pages in length.

Table 11.4 X12 TG2 work groups

Source: ASC X12 (n.d.).

Work Group Number Work Group Name
WG1 Health Care Eligibility
WG2 Health Care Claims
WG3 Claim Payments
WG4 Enrollments
WG5 Claims Status
WG9 Patient Information
WG10 Health Care Services Review
WG15 Provider Information
WG20 Insurance—824 Implementation Guide
WG21 Health Care Regulation Advisory/Collaboration
Exhibit 11.2 X12 5010 Professional Claim Standard (837-P, version 5010): interchange (ISA) and
functional group (GS) header elements. The Loop and Loop Repeat columns of the source table are
empty for these envelope elements and are omitted here.

Element | Description | Type | Min-Max | Usage Req. | Valid Values
ISA01 | Authorization Information Qualifier | ID | 2-2 | R | 00, 03
ISA02 | Authorization Information | AN | 10-10 | R |
ISA03 | Security Information Qualifier | ID | 2-2 | R | 00, 01
ISA04 | Security Information | AN | 10-10 | R |
ISA05 | Interchange ID Qualifier | ID | 2-2 | R | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA06 | Interchange Sender ID | AN | 15-15 | R |
ISA07 | Interchange ID Qualifier | ID | 2-2 | R | 01, 14, 20, 27, 28, 29, 30, 33, ZZ
ISA08 | Interchange Receiver ID | AN | 15-15 | R |
ISA09 | Interchange Date | DT | 6-6 | R | YYMMDD
ISA10 | Interchange Time | TM | 4-4 | R | HHMM
ISA11 | Repetition Separator (Interchange Control Standards Identifier in versions before 5010) | ID | 1-1 | R |
ISA12 | Interchange Control Version Number | ID | 5-5 | R | 00501
ISA13 | Interchange Control Number | N0 | 9-9 | R |
ISA14 | Acknowledgment Requested | ID | 1-1 | R | 0, 1
ISA15 | Usage Indicator | ID | 1-1 | R | P, T
ISA16 | Component Element Separator | AN | 1-1 | R |
GS01 | Functional Identifier Code | ID | 2-2 | R |
GS02 | Application Sender Code | AN | 2-15 | R |
GS03 | Application Receiver Code | AN | 2-15 | R |
GS05 | Time | TM | 4-8 | R | HHMM
GS06 | Group Control Number | N0 | 1-9 | R |
GS07 | Responsible Agency Code | ID | 1-2 | R | X
GS08 | Version Identifier Code | AN | 1-12 | R | 005010X222
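The ISA elements listed above are all fixed width, which makes the ISA segment the one part of an X12 file a parser can check before it trusts anything else: the element separator is the fourth character, ISA11 and ISA16 declare the repetition and component separators, and the character after ISA16 is the segment terminator used for the rest of the interchange. The Python below is an added example, not code from the page or from ASC X12; it validates the envelope shape, dates, version and usage indicator, only then splits the body with the declared delimiters, and checks that the IEA trailer’s control number matches ISA13 so a truncated or spliced file is rejected. The sample interchange, its sender and receiver IDs, and the “^” and “:” separators are constructed for the example.

```python
"""Parse and sanity-check an X12 interchange envelope (ISA/IEA) and its GS headers.

Added example; not from the page or from ASC X12. The ISA segment is the only
fixed-width segment in X12 and declares every delimiter the rest of the file
uses, so its shape is validated before those delimiters are used. The sample
interchange below is constructed (placeholder IDs, usage indicator T for test).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Fixed widths of ISA01..ISA16; with "ISA", 16 separators and the terminator that is 106 chars.
ISA_WIDTHS = [2, 10, 2, 10, 2, 15, 2, 15, 6, 4, 1, 5, 9, 1, 1, 1]
ISA_LENGTH = 106


@dataclass
class Envelope:
    element_sep: str
    repetition_sep: str
    component_sep: str
    segment_term: str
    isa: list[str]             # ISA01..ISA16; index 0 is ISA01
    segments: list[list[str]]  # every segment after ISA, split into elements


def parse_interchange(data: str) -> Envelope:
    """Validate the ISA envelope, then split the body using the delimiters it declares."""
    if len(data) < ISA_LENGTH or not data.startswith("ISA"):
        raise ValueError("input does not start with a complete ISA segment")
    element_sep = data[3]
    segment_term = data[ISA_LENGTH - 1]
    parts = data[: ISA_LENGTH - 1].split(element_sep)
    if len(parts) != 17:
        raise ValueError(f"ISA must carry 16 elements, found {len(parts) - 1}")
    isa = parts[1:]
    for n, (value, width) in enumerate(zip(isa, ISA_WIDTHS), start=1):
        if len(value) != width:
            raise ValueError(f"ISA{n:02d} must be {width} characters, got {len(value)}")
    repetition_sep, component_sep = isa[10], isa[15]          # ISA11, ISA16
    if len({element_sep, repetition_sep, component_sep, segment_term}) != 4:
        raise ValueError("element, repetition, component separators and terminator must differ")
    if isa[11] != "00501":                                      # ISA12
        raise ValueError(f"unsupported interchange version {isa[11]!r}")
    datetime.strptime(isa[8] + isa[9], "%y%m%d%H%M")           # ISA09 YYMMDD + ISA10 HHMM
    if not isa[12].isdigit():                                   # ISA13
        raise ValueError("ISA13 control number must be numeric")
    if isa[13] not in ("0", "1") or isa[14] not in ("P", "T"):  # ISA14, ISA15
        raise ValueError("ISA14 must be 0/1 and ISA15 must be P (production) or T (test)")

    # Only now are the delimiters trusted enough to split the body.
    body = data[ISA_LENGTH:]
    raw_segments = [s.strip() for s in body.split(segment_term)]
    segments = [s.split(element_sep) for s in raw_segments if s]
    if not segments or segments[-1][0] != "IEA" or len(segments[-1]) != 3:
        raise ValueError("interchange is not closed by an IEA segment")
    iea_groups, iea_control = segments[-1][1], segments[-1][2]
    if iea_control != isa[12]:
        raise ValueError("IEA02 does not match ISA13: truncated or spliced interchange")
    group_count = sum(1 for s in segments if s[0] == "GS")
    if not iea_groups.isdigit() or int(iea_groups) != group_count:
        raise ValueError(f"IEA01 says {iea_groups!r} functional groups, found {group_count}")
    return Envelope(element_sep, repetition_sep, component_sep, segment_term, isa, segments)


def functional_group_versions(env: Envelope) -> list[str]:
    """GS08 of each functional group, e.g. 005010X222A1 for an 837P claim file."""
    return [seg[8] for seg in env.segments if seg[0] == "GS" and len(seg) >= 9]


def build_sample_interchange() -> str:
    """A constructed, minimal 005010 interchange: one empty 837 transaction set."""
    isa = ["00", " " * 10, "00", " " * 10,
           "ZZ", "SENDERID".ljust(15), "ZZ", "RECEIVERID".ljust(15),
           "160907", "1200", "^", "00501", "000000001", "0", "T", ":"]
    assert [len(f) for f in isa] == ISA_WIDTHS
    segments = [
        "ISA*" + "*".join(isa),
        "GS*HC*SENDERID*RECEIVERID*20160907*1200*1*X*005010X222A1",
        "ST*837*0001*005010X222A1",
        "SE*2*0001",
        "GE*1*1",
        "IEA*1*000000001",
    ]
    return "~".join(segments) + "~"


if __name__ == "__main__":
    env = parse_interchange(build_sample_interchange())
    print("sender:", env.isa[5].strip(), "| GS08:", functional_group_versions(env))
```

The same discipline applies downstream: GE01/GE02 should agree with the ST count and GS06 of their group, and SE01 with the segment count of its transaction set, before any claim data is acted on.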
Continuity of Care Document (CCD)
The Continuity of Care Document (CCD) is a standard for the electronic exchange of patient
summary information, so-called transportable patient care information. The current CCD
standard is actually a merger of two other standards: the HL7 Clinical Document Architecture
(CDA) standard and the ASTM Continuity of Care Record (CCR). There has been some
discussion among experts about the CCR and CCD being competing standards, but HL7 has
taken the position that CCD is an implementation of CCR and simply an evolution of the CCR
(Rouse, 2010). Although discussed in this section, the CCD standard is not solely a content
standard; it includes elements of a data exchange standard. It has an XML-based specification
for exchanging patient summary data, but it also includes a standard outline of the summary
content. The content sections of the CCD include the following:
Advance Directives
Functional Status
Family History
Social History
Medical Equipment
Vital Signs
Plan of Care (Dolin, 2011)

Fast Healthcare Interoperability Resources (FHIR)
Fast Healthcare Interoperability Resources (FHIR) is currently being tested (as of this text’s
publication date) by a range of healthcare IT professionals. So far, the testing has led to
predominantly positive results, with many citing FHIR as having the potential to truly accelerate
healthcare IT interoperability. The difference between FHIR and other standards is that it goes
beyond the function of a traditional messaging system and uses modern web services to
exchange clinical information. FHIR builds on the HL7 Clinical Document Architecture (CDA)
and HL7 messaging. However, unlike CDA, FHIR enables granular pieces of information rather
than an entire summary document to be shared (Ahier, 2015). According to Ahier (2015), FHIR
offers easy-to-use tools not only to build faster and more efficient data exchange mechanisms
but also to use personal health care information to create “innovative new apps” with the
potential to create a “plug and play platform . . . similar to the Apple app store.”

Health Record Content and Functional Standards

Health record content and functional standards are not the same as messaging or data
exchange standards. These standards outline what should be included in an EHR or other
clinical record. They do not include technical specifications but rather the EHR content
requirements. As mentioned previously, the CCD and FHIR have content standards within
them, along with messaging standards. HL7 EHR-S (Electronic Health Record-System)
Functional Model is an example of a comprehensive EHR content and functional standard that
does not include technical specifications.
HL7 EHR-S Functional Model
The HL7 Electronic Health Record-System (EHR-S) Functional Model, Release 2 was published
by Health Level Seven International in 2014. The purpose of this functional model is to outline
important features and functions that should be contained in an EHR. Targeted users of the
functional model include vendors and care providers, and it has been recognized by ISO as an
international standard (ISO 10781). The stated benefits of the functional model are as follows:

Provide an international standard for global use.
Enable a consistent framework for the development of profiles that are conformant to the base
Support the goal of interoperability.
Provide a standard that is easily readable and understandable to an “everyday person,” which
enables a user to articulate his or her business requirements (HL7, 2014).
The EHR-S Functional Model is divided into seven sections:

Overarching (OV)
Care Provision (CP)
Care Provision Support (CPS)
Population Health Support (POP)
Administrative Support (AS)
Record Infrastructure (RI)
Trust Infrastructure (TI)
Each function within the model is identified by section and described by specific elements. Table
11.5 is an example of the function list for managing a problem list. Note: The list type indicates
Header (H), Function (F), or Conformance Criteria (C).

Table 11.5 Excerpt from the HL7 EHR-S Functional Model

ID: CP.1 | Type: H | Name: Manage Clinical History
  Statement: Manage the patient’s clinical history lists used to present summary or detailed
  information on patient health history.
  Description: Patient Clinical History lists are used to present succinct snapshots of critical
  health information including patient history, allergy intolerance and adverse reactions,
  medications, problems, strengths, immunizations, medical equipment/devices, and patient and
  family preferences.

ID: CP.1.4 | Type: F | Name: Manage Problem List
  Statement: Create and maintain patient-specific problem lists.
  Description: A problem list may include but is not limited to chronic conditions, diagnoses, or
  symptoms, injury/poisoning (both intentional and unintentional), adverse effects of medical
  care (e.g., drugs, surgical), functional limitations, visit or stay-specific conditions,
  diagnoses, or symptoms . . .

ID: CP.1.4 | Type: C | Conformance Criteria:
  1. The system SHALL provide the ability to manage, as discrete data, all active problems
     associated with a patient.
  2. The system SHALL capture and render a history of all problems associated with a patient.
  3. The system SHALL provide the ability to manage relevant dates including the onset date and
     resolution date of the problem.

Multiple standard-setting organizations have roles in standards development, leading to a
somewhat confusing array of current healthcare IT standards that address code sets,
vocabularies and terminology, data exchange and messaging, and content and function. The
standards developing organizations and standards discussed in this chapter, along with other
general IT standards, enable health care information systems to be interoperable, portable, and
to exchange data. The future of our healthcare system relies on having interoperable EHRs and
other health care information systems. Clearly, this will not be realized without standards. The
government, as well as the private sector, is actively engaged in promoting the development of
best practices for implementing health care IT standards. HIPAA and CMS, for example, have
had a significant impact on the adoption of specific health care information standards that focus
on code set, terminology, and transactions. The ONC is charged with coordinating the national
efforts for achieving interoperability among health care information systems, which has led to
its publication of the Interoperability Roadmap and annual Interoperability Standards
Advisories. Both of these tools will likely have a significant impact on the direction of national
standards development and cooperation among the many standards developing organizations.

References

Accredited Standards Committee X12 (ASC X12). (n.d.). X12N/TG2: Health care purpose and scope. Retrieved September 6, 2016.
Ahier, B. (2015, Jan. 6). FHIR and the future of interoperability. Retrieved November 10, 2016.
American Dental Association (ADA). (n.d.). Code on dental procedures and nomenclature (CDT code). Retrieved September 7, 2016.
American National Standards Institute (ANSI). (n.d.a). About ANSI. Retrieved September 7, 2016.
American National Standards Institute (ANSI). (n.d.b). Resources: Standards developing organizations (SDOs). Retrieved September 7, 2016.
American National Standards Institute (ANSI). (n.d.c). Standards activities overview. Retrieved September 7, 2016.
ASTM International. (2014, Nov.). ASTM standards for healthcare services, products and technology. Retrieved September 5, 2016.
ASTM International. (n.d.a). ASTM video. Retrieved September 5, 2016.
ASTM International. (n.d.b). Standards & publications. Retrieved September 6, 2016.
Boone, K. W. (2012a, April 9). Health IT standards 101. Retrieved September 7, 2016.
Boone, K. W. (2012b, March 26). An informatics model for HealthIT standards [Web log post]. Retrieved September 22, 2016.
Case, J. (2011). Using RELMA or . . . In search of the missing LOINC [PowerPoint]. Retrieved March 2012.
CEN CENELEC. (n.d.). About us. Retrieved September 7, 2016.
Centers for Disease Control and Prevention (CDC). (2016, June 21). IIS: HL7 standard code set CVX—Vaccines administered. Vaccines and Immunizations. Retrieved September 6, 2016.
Centers for Medicare and Medicaid (CMS). (2002). NCPDP flat file format. NCPDP reference manual. Retrieved September 6, 2016.
Centers for Medicare and Medicaid (CMS). (2013, April 2). Adopted standard and transactions, adopted part D: E-prescribing standards. Retrieved September 5, 2016.
Centers for Medicare and Medicaid (CMS). (2016a, June 23). Adopted standards and operating rules. Retrieved September 5, 2016.
Centers for Medicare and Medicaid (CMS). (2016b, June 21). Standards-setting and related organizations. Retrieved September 5, 2016.
Department of Health and Human Services (HHS). (2008). The ONC-coordinated federal health information technology strategic plan: 2008–2012. Retrieved August 2008.
Department of Health and Human Services (HHS). (2012). About ONC. The Office of the National Coordinator for Health Information Technology. Retrieved March 2012.
DICOM. (2016). Strategic document. DICOM: Digital Imaging and Communications in Medicine. Retrieved September 6, 2016.
Dolin, B. (2011). CDA and CCD for patient summaries. Retrieved November 10, 2016.
European Committee for Standardization (CEN). (n.d.). CEN/TC 251: Health informatics. Retrieved September 7, 2016.
Food and Drug Administration (FDA). (2016, April 22). National drug code directory. Retrieved September 7, 2016.
Hammond, W., & Cimino, J. (2006). Standards in biomedical informatics. In E. Shortliff & J. Cimino (Eds.), Biomedical informatics (pp. 265–311). New York, NY: Springer-Verlag.
(2014). Meaningful use table series. Retrieved September 22, 2016.
(n.d.). About ONC. Retrieved September 5, 2016.
Health Level Seven International (HL7). (2014). HL7 EHR-System Functional Model, release 2. Retrieved September 6, 2016.
Health Level Seven International (HL7). (n.d.). HL7 version 2 product suite. Retrieved September 6, 2016.
Integrating the Healthcare Enterprise (IHE). (n.d.a). IHE patient care coordination profiles. Retrieved November 10, 2016.
Integrating the Healthcare Enterprise (IHE). (n.d.b). Profiles. Retrieved November 10, 2016.
International Health Terminology Standards Development Organization (IHTSDO). (n.d.). History of SNOMED CT. Retrieved September 7, 2016.
International Organization for Standardization (ISO). (n.d.). About ISO. Retrieved September 7, 2016.
National Committee on Vital and Health Statistics (NCVHS). (2003, Nov. 5). Letter to the secretary: Recommendations for PMRI terminology standards. Retrieved March 2012.
National Council for Prescription Drug Programs (NCPDP). (2012). About. Retrieved March 2012.
National Library of Medicine (NLM). (2016a, Jan. 4). RxNorm overview. Unified Medical Language System (UMLS). Retrieved September 6, 2016.
National Library of Medicine (NLM). (2016b, July 13). SNOMED CT. Retrieved September 7, 2016.
Office of the National Coordinator for Health Information Technology (ONC). (2015). Connecting health and care for the nation: A shared nationwide interoperability roadmap. Retrieved August 3, 2016.
Office of the National Coordinator for Health Information Technology (ONC). (2016). 2016 interoperability standards advisory: Best available standards and implementation specifications. Retrieved September 5, 2016.
Regenstrief Institute, Inc. (n.d.). About LOINC. Retrieved September 7, 2016.
Rouse, M. (2010, May). Continuity of care document. SearchHealthIT. Retrieved March 2012.
Spronk, R. (2007). HL7 message examples: Version 2 and version 3.
United States Food & Drug Administration (US FDA). (2016). National drug code directory. Retrieved November 10, 2016.
Washington Dental Service. (2012). CDT procedure code information. Retrieved March 2012.

Chapter 10
Performance Standards and Measures

This chapter examines public and private organizations and processes that establish standards
for ensuring that health records are maintained accurately and completely and that they contain
the data and information needed to define and report a wide range of measures to determine the
quality and efficiency of health care. These activities are very important and have a significant
influence on providers and HIT capabilities, significant enough for us to devote an entire chapter
to them.

Health care organizations and health plans use data and information to measure performance
against internal and external standards; to compare performance to other like organizations; to
demonstrate performance to licensing, certifying, and accrediting bodies; and to demonstrate
performance for reimbursement purposes. This chapter begins with an examination of the
licensure, certification, and accreditation of health care facilities and health plans, followed by an
overview of key comparative data sets often used by health care organizations in benchmarking
performance. The chapter concludes with a description of the national initiatives using
performance measures to improve the quality and safety of health care, including those affecting
provider reimbursement.

In the section titled “Licensure, Certification, and Accreditation,” we define these processes, list
the accrediting organizations recognized by CMS, and examine the missions and general
functions of the Joint Commission and the National Committee for Quality Assurance (NCQA).
These discussions focus on how the licensure, certification, and accreditation processes not
only use health information to measure performance but also how they influence the health care
information that is collected.

“Measuring the Quality of Care” begins with a historical perspective of major milestones in the
national agenda for health care quality improvement, followed by a discussion of the current
efforts to improve health care quality and patient safety, focusing on the efforts that involve using
health care data and information to measure performance. Quality measures are created and
validated by a range of organizations, private and public. However, in the recent years significant
progress has been made in aligning these measures across organizations. Another significant
movement related to quality measurement in the United States is implementation of value-based
reimbursement programs, which are based on established performance criteria. The
government plans for significant growth in these programs over the next decade.

Licensure, Certification, and Accreditation
Health care organizations, such as hospitals, nursing homes, home health agencies, and the
like, must be licensed to operate. If they wish to file Medicare or Medicaid claims, they must
also be certified, and if they wish to demonstrate quality performance, they will undergo an
accreditation process. What are these processes, and how are they related? If a health care
organization is licensed, certified, and accredited, how will this affect the health care information

that it creates, uses, and maintains? In this section we will examine each of these processes,
their impact on the health care organizations, and their relationships with one another.

Licensure is the process that gives a facility legal approval to operate. As a rule, state
governments oversee the licensure of health care facilities, and each state sets its own
licensure laws and regulations. All facilities must have a license to operate, and it is generally
the state department of health or a similar agency that carries out the licensure function.
Licensure regulations tend to emphasize areas such as physical plant standards, fire safety,
space allocations, and sanitation. They may also contain minimum standards for equipment and
personnel. A few states tie licensure to professional standards and quality of care, but not all. In
their licensure regulations, states generally set minimum standards for the content, retention,
and authentication of patient medical records. Exhibit 10.1 is an excerpt from the South Carolina
licensure regulations for hospitals. This excerpt governs patient medical record content (with the
exception of newborn patient records, which are addressed in a separate section of the
regulations). Although each state has its own set of medical record content standards, these are
fairly typical in scope and content.

Exhibit 10.1 Medical Record Content: Excerpt from South Carolina Standards for Licensing
Hospitals and Institutional General Infirmaries
601.5 Contents:

A. Adequate and complete medical records shall be written for all patients admitted to the
hospital and newborns delivered in the hospital. All notes shall be legibly written or typed and
signed. Although use of initials in lieu of licensed nurses’ signatures is not encouraged, initials
will be accepted provided such initials can be readily identified within the medical record. A
minimum medical record shall include the following information:

Admission Record: An admission record must be prepared for each patient and must contain
the following information, when obtainable: Name; address, including county; occupation; age;
date of birth; sex; marital status; religion; county of birth; father’s name; mother’s maiden name;
husband’s or wife’s name; dates of military service; health insurance number; provisional
diagnosis; case number; days of care; social security number; the name of the person providing
information; name, address and telephone number of person or persons to be notified in the
event of emergency; name and address of referring physician; name, address and telephone
number of attending physician; date and hour of admission;
History and physical within 48 hours after admission;
Provisional or working diagnosis;
Pre-operative diagnosis;
Medical treatment;
Complete surgical record, if any, including technique of operation and findings, statement of
tissue and organs removed and post-operative diagnosis;
Report of anesthesia;
Nurses’ notes;

Progress notes;
Gross pathological findings and microscopic;
Temperature chart, including pulse and respiration;
Medication Administration Record or similar document for recording of medications, treatments
and other pertinent data. Nurses shall sign this record after each medication administered or
treatment rendered;
Final diagnosis and discharge summary;
Date and hour of discharge summary;
In case of death, cause and autopsy findings, if autopsy is performed;
Special examinations, if any, e.g., consultations, clinical laboratory, x-ray and other
Source: South Carolina Department of Health and Environmental Control, Standards for
Licensing Hospitals and Institutional General Infirmaries, Regulation 61–16 § 601.5 (2010).

An initial license is required before a facility opens its doors, and this license to operate must
generally be renewed annually. Some states allow organizations with the Joint Commission or
other accreditation to forgo a formal licensure survey conducted by the state; others require the
state survey regardless of accreditation status. As we will see in the section on accreditation,
the accrediting bodies’ standards are more detailed and more stringent than the typical state
licensure regulations. Also, most accreditation standards are updated annually; most licensure
standards are not.

Certification gives a health care organization the authority to participate in the federal Medicare
and Medicaid programs. Legislation passed in 1972 mandated that hospitals had to be reviewed
and certified to receive reimbursement from Medicare and Medicaid programs (CMS, n.d.a). At
that time the Health Care Financing Administration, now the Centers for Medicare and Medicaid
Services (CMS), developed a set of minimum standards known as the conditions of
participation (CoPs). CMS contracts with state agencies to inspect facilities to make sure they
meet these minimum standards, organized by facility functions and services. See Exhibit 10.2
for the CoP standards section governing medical record content.

Exhibit 10.2 Medical Record Content: Excerpt from the Conditions of Participation for Hospitals
Sec. 482.24 Condition of participation: Medical record services.

(c) Standard: Content of record. The medical record must contain information to justify
admission and continued hospitalization, support the diagnosis, and describe the patient’s
progress and response to medications and services.
(1) All entries must be legible and complete, and must be authenticated and dated promptly
by the person (identified by name and discipline) who is responsible for ordering, providing, or
evaluating the service furnished.
(i) The author of each entry must be identified and must authenticate his or her entry.
(ii) Authentication may include signatures, written initials or computer entry.
(2) All records must document the following, as appropriate:

(i) Evidence of a physical examination, including a health history, performed no more than 7
days prior to admission or within 48 hours after admission.
(ii) Admitting diagnosis.
(iii) Results of all consultative evaluations of the patient and appropriate findings by clinical
and other staff involved in the care of the patient.
(iv) Documentation of complications, hospital acquired infections, and unfavorable reactions
to drugs and anesthesia.
(v) Properly executed informed consent forms for procedures and treatments specified by
the medical staff, or by Federal or State law if applicable, to require written patient consent.
(vi) All practitioners’ orders, nursing notes, reports of treatment, medication records,
radiology, and laboratory reports, and vital signs and other information necessary to monitor the
patient’s condition.
(vii) Discharge summary with outcome of hospitalization, disposition of case, and provisions
for follow-up care.
(viii) Final diagnosis with completion of medical records within 30 days following discharge.
Source: Conditions of Participation: Medical Record Services, 42 C.F.R. §§ 482.24c et seq.

Accreditation is an external review process that an organization elects to undergo; it is voluntary
and has fees associated with it. The accrediting agency grants recognition to organizations that
meet its predetermined performance standards. The review process and standards are devised
and regulated by the accrediting agency. By far the best-known health care accrediting agency
in the United States is the Joint Commission, but there are others. The National Committee for
Quality Assurance (NCQA) is a leading accrediting agency for health plans.

Although accreditation is voluntary, there are financial and legal incentives for health care
organizations to seek accreditation. In order to eliminate duplicative processes, Section 1865 of
the Social Security Act “permits providers and suppliers ‘accredited’ by an approved national
accreditation organization (AO) to be exempt from routine surveys by State survey agencies to
determine compliance with Medicare conditions” (CMS, 2015). This is often referred to as
deemed status. Table 10.1 lists the 2015 approved AOs with corresponding program types and

Table 10.1 2015 approved CMS accrediting organizations

Accrediting Organization Program Types Website
Accreditation Association for Ambulatory Health Care (AAAHC) ASC (ambulatory surgery
Accreditation Commission for Health Care, Inc. (ACHC) HHA (home health agency)
American Association for Accreditation of Ambulatory Surgery Facilities (AAAASF) ASC
OPT (outpatient physical therapy)
RHC (rural health clinics)
American Osteopathic Association/Healthcare Facilities Accreditation Program (HFAP) ASC

CAH (critical access hospital)
Center for Improvement in Healthcare Quality (CIHQ) Hospital
Community Health Accreditation Program (CHAP) HHA
DNV GL—Healthcare (DNV GL) CAH
The Compliance Team (TCT) RHC
The Joint Commission (TJC) ASC
Psychiatric hospital

Similar to CMS, many states also recognize accreditation in lieu of their own licensure surveys.
Other benefits for an organization are that accreditation

May be required for reimbursement from payers (including CMS)
Validates the quality of care within the organization
May favorably influence liability insurance premiums
May enhance access to managed care contracts
Gives the organization a competitive edge over nonaccredited organizations
The Joint Commission
The Joint Commission’s stated mission is “to continuously improve health care for the public, in
collaboration with other stakeholders, by evaluating health care organizations and inspiring them
to excel in providing safe and effective care of the highest quality and value” (The Joint
Commission, n.d.). The Joint Commission on Accreditation of Hospitals (as the Joint
Commission was first called) was formed as an independent, not-for-profit organization in 1951,
as a joint effort of the American College of Surgeons, American College of Physicians,
American Medical Association, and American Hospital Association. The Joint Commission has
grown and evolved to set standards for and accredit nearly twenty-one thousand health care
organizations and programs in the United States. In addition to hospitals, the Joint Commission
has accreditation programs for health care organizations that offer ambulatory care, behavioral
health care, home care, long-term care, and office-based surgery. They also provide an
accreditation program for organizations that offer laboratory services (The Joint Commission,
2016, n.d.).

In order to maintain accreditation, a health care organization must undergo an on-site survey by
a Joint Commission survey team every three years. Laboratories must be surveyed every two
years. This survey is conducted to ensure that the organization continues to meet the
established standards. The standards themselves are the result of an ongoing, dynamic
process that incorporates the experience and perspectives of health care professionals and
others throughout the country. New standards manuals are published annually and health care
organizations are responsible for knowing and incorporating any changes as they occur.

Categories of accreditation (The Joint Commission, 2016) that an organization can achieve are
the following:

Preliminary accreditation: for organizations that demonstrate compliance with selected
standards under the Early Survey Policy, which allows organizations to undergo a survey prior
to having the ability to demonstrate full compliance. Organizations that receive preliminary
accreditation will be required to undergo a second on-site survey.
Accreditation: for organizations that demonstrate compliance with all standards.
Accreditation with follow-up survey: for organizations that are not in compliance with specific
standards and require a follow-up survey within thirty days to six months.
Contingent accreditation: for organizations that fail to address all requirements in an
accreditation with follow-up survey decision or for organizations that do not have the proper
license or other similar issue at the time of the initial survey. A follow-up survey is generally
required within thirty days.
Preliminary denial of accreditation: for organizations for which there is justification for denying
accreditation. This decision is subject to appeal.
Denial of accreditation: for organizations that fail to meet standards and that have exhausted all

The Joint Commission’s focus on quality of care provided in health care facilities dates back to
the early 1900s, when the American College of Surgeons began surveying hospitals and
established a hospital standardization program. With the program came the question, how is
quality of care measured? One of the early concerns of the standardization program was the
lack of documentation in patient records. The early surveyors found that documentation was so
poor that they had no way to judge the quality of care provided. The Joint Commission’s
emphasis on health care information and the documentation of care has continued to the
present. Not only do the Joint Commission reporting requirements rely heavily on patient
information but also the current survey process uses “tracer methodology,” through which the
surveyors analyze the organization’s systems by tracing the care provided to individual patients.
Patient records provide the road maps for the tracer methodology. The absence of quality health
records would have a direct impact on the accreditation process. The following sections discuss
Joint Commission standards that directly influence the creation, maintenance, and use of health
care information. These sections further illustrate how the overall accreditation process relies on
the availability of high-quality health care information (The Joint Commission, 2016).

The Joint Commission Record of Care (RC), Treatment, and Services Standards
The Joint Commission Record of Care (RC), Treatment, and Services standards provide
information about the requirements for the content of a complete health record, regardless of its
format. The RC standards for an ambulatory care program dictate that the organization will do
the following:

Maintain complete and accurate clinical records.
Ensure clinical record entries are authenticated appropriately by authorized persons.
Ensure documentation in clinical records is timely.
Audit their clinical records.
Retain their clinical records according to relevant laws and regulations.
Ensure clinical records contain specific information that reflects the patient’s care, treatment, or
Ensure clinical records accurately reflect operative and high-risk procedures and use of
sedation and anesthesia.
Ensure documentation of proper use of restraints and seclusion.
Ensure ambulatory care records contain a summary list.
Ensure qualified staff members receive and record verbal orders.
(The Joint Commission, 2014b)
Each RC standard has specific elements that must be addressed. For more information, refer to
the most recent edition of the appropriate Comprehensive Accreditation Manual. All Joint
Commission–accredited organizations have access to the complete manual.

The Joint Commission Information Management Standards
The Joint Commission Information Management (IM) standards reflect the Joint Commission’s
belief that quality information management influences quality care. In the overview of the IM
standards, the Joint Commission states, “Every episode of care generates health information
that must be managed systematically” (emphasis is the authors’). Information is a resource that
must be managed similar to any other resource within the organization. Whether the information
management systems employed by the organization are basic or sophisticated, the functions
should include features that allow for the following:

Categorizing, filing, and maintaining all data and information used by the organization
Accurately capturing health information generated by delivery of care, treatment, and services
Accessing information by those authorized users who need the information to provide safe,
quality care (The Joint Commission, 2014a)
The IM standards apply to noncomputerized systems and systems employing the latest
technologies. The first standard within the IM chapter focuses on information planning. The
organization’s plan for IM should consider the full spectrum of data generated and used by the
organization as well as the flow of information within and to and from external organizations.
Identifying and understanding the flow of information is critical to meeting the organization’s
needs for data collection and distribution while maintaining the appropriate level of security (The
Joint Commission, 2014a). The remaining IM standards address the requirements for health
care organizations:

Provide continuity of the information management process, including managing system
interruptions and maintaining backup systems.
Ensure the privacy, security, and integrity of health information.
Manage data collection, including use of standardized data sets and terminology and limiting the
use of abbreviations.
Manage health information retrieval, dissemination, and transmission.
Provide knowledge-based information resources twenty-four hours a day, seven days a week.
Ensure the accuracy of the health information. (The Joint Commission, 2011, 2014a)

National Committee for Quality Assurance
The National Committee for Quality Assurance (NCQA) is the leading accrediting body for
health plans, including health maintenance organizations (HMOs), Preferred Provider
Organizations (PPOs), and Point of Service (POS) plans in the United States. In addition, the
NCQA also accredits the following programs:

Disease management
Case management
Wellness and health promotion
Accountable care organizations
Managed behavioral health care organizations (NCQA, n.d.a)
The full list of NCQA accreditation requirements is published on its website at

The 2015 Health Plan Accreditation Program requirements include specific criteria divided into
the following sections:

Quality management and improvement (QI)
Utilization management (UM)
Credentialing and recredentialing (CR)
Members’ rights and responsibilities (RR)
Member connections (MEM)
Medicaid benefits and services (MED)
Health Effectiveness Data and Information Set (HEDIS) performance measures (see the
“Measuring the Quality of Care” section for more information about HEDIS) (NCQA, 2015).
Measuring the Quality of Care
Two landmark Institute of Medicine (IOM) reports, To Err Is Human: Building a Safer Health
System, published in 2000 (Kohn, Corrigan, & Donaldson), and Crossing the Quality Chasm: A
New Health System for the 21st Century, published in 2001, are often cited as marking the
beginning of the modern era of national health care quality and patient safety initiatives. The two
reports led to increased awareness of the severity of patient safety and quality issues and
helped frame the national landscape of improvement efforts. To Err Is Human estimated that as
many as ninety-eight thousand people died in hospitals each year as a result of preventable
medical errors. The report found that most errors could be traced to poor processes and
systems and recommended development and implementation of improved performance
standards, including those associated with licensure, certification, and accreditation. Crossing
the Quality Chasm specifically outlined six aims for establishing quality health care, stating that
health care in the United States should be (CMSS, 2014; Kohn, Corrigan, & Donaldson, 2000;
IOM, 2001):


One of the challenges to meeting these aims was determining how to measure success in each
area. What are the standards and performance measures associated with these important

Types of Measures
Whether at the local organizational level or at a national level, quality improvement requires the
identification of standards that define quality care and measurement of performance to
determine whether or not the identified standards are met. Quality measures are used across
the full continuum of care, from individual physicians to health plans. As we will examine in this
chapter, there are literally hundreds of different health care quality measures in use today. These
existing quality measures can generally be categorized into four types: structure, process,
outcome, and patient experience. Table 10.2 summarizes the types of measures, descriptions,
and examples of each.

Table 10.2 Major types of quality measures

Source: Morris (2014).

Type: Structure
Description: Assesses the characteristics of a care setting, including facilities, personnel, and policies related to care delivery
Example: Does an intensive care unit (ICU) have a critical care specialist on staff at all times?

Type: Process
Description: Determines if the services provided to patients are consistent with routine clinical care
Example: Does a doctor ensure that his or her patients receive recommended cancer screenings?

Type: Outcome
Description: Evaluates patient health as a result of the care received
Example: What is the survival rate for patients who experience a heart attack?

Type: Patient Experience
Description: Provides feedback on patients’ experiences of care
Example: Do patients report that their provider explains their treatment options in ways that are easy to understand?

Data Sources for Measures
Whether quality measures are applied by an individual physician or by a federal agency, they
rely on valid and reliable data. A few of the common sources of health care data used in
performance measurement are listed in the following sections.

Administrative Data
Administrative data submitted to private and government payers have the advantage of being
easy to obtain. Private and public payers have very large claims databases.

Disease Registries
Public health agencies, including state and federal agencies, collect data on patients with specific
conditions. These disease registries often go beyond administrative claims data.

Health Records
The EHR is recognized as a rich source of detailed patient information. However, the full
potential of the EHR as an easy-to-use source of reliable data has not been reached. More work
on standardization and tools for data extraction is needed. Data extraction from paper records is
labor intensive and, therefore, expensive to implement. As you have seen in previous chapters,
Meaningful Use criteria address the need for EHR data extraction and sharing.

Qualitative Data
Qualitative data from patient surveys or interviews are often used for patient experience
measures (Morris, 2014).

Measurement Development
Regardless of the data source, the resulting measures must not only be reliable and valid but
also feasible to collect (CMSS, 2015). There are dozens of public and private organizations that
develop health care–related performance measures. The following paragraphs identify a few of
the key players and their respective role in the development of recognized measures.

The NCQA is responsible for the HEDIS measures, one of the oldest and most widely used
sets of health care performance measures in the United States. More than 90 percent of health
plans in the United States collect and report HEDIS data. HEDIS data is not only used for
accreditation of health plans but also for the basis of health plan comparison and quality

The Joint Commission also has a long history of developing and using performance measures
as a component of accreditation. In 1987, the Joint Commission revamped its accreditation
process with the goal of incorporating standardized performance measures. This initiative led to
the development of the ORYX program. The current ORYX program is closely aligned with CMS
quality initiatives, using many of the same measures. Hospitals seeking Joint Commission
Accreditation in 2016 were required to report on six of nine sets of chart (paper)-abstracted
clinical quality measures (CQMs) or six of eight electronic clinical quality measures (eCQMs)
(The Joint Commission, 2015b).

CQMs are identified and updated by CMS each year. Selected CQMs are used in the EHR
Incentive Programs for eligible professionals and other CMS quality initiatives (discussed
later in this chapter). The CMS does not develop all of the CQMs but rather relies on private
organizations, such as NCQA, the Joint Commission, the American Medical Association
Physician Consortium for Performance Improvement (AMA-PCPI), and a host of other health
care societies, collaboratives, and alliances, as well as government agencies, such as AHRQ,
Centers for Disease Control and Prevention (CDC), and Health Resources and Services
Administration (HRSA) for most of them. Table 10.3 is an excerpt from the CQMs for the 2014
EHR Incentive Programs. Note that each measure is defined by a unique identifier, National
Quality Forum (NQF) number, a measure description, numerator and denominator statements,
measure steward, and Physicians Quality Reporting System (PQRS) number. Note: The PQRS
role in quality improvement and performance measurement is discussed in more detail later in
this chapter.

Table 10.3 Excerpt of CQMs for 2014 EHR Incentive Programs

Source: CMS (n.d.f).

CMS eMeasure ID: CMS69v5
NQF No.: 0421
Measure Title: Preventive Care and Screening: Body Mass Index (BMI) Screening and Follow-Up Plan
NQS Domain: Population/Public Health
Measure Description: Percentage of patients aged eighteen years and older with a BMI documented during the current encounter or during the previous six months AND with a BMI outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter. Normal Parameters: Age eighteen years and older, BMI >= 18.5 and < 25 kg/m2
Numerator Statement: Patients with a documented BMI during the encounter or during the previous six months, AND when the BMI is outside of normal parameters, a follow-up plan is documented during the encounter or during the previous six months of the current encounter
Denominator Statement: All patients eighteen and older on the date of the encounter with at least one eligible encounter during the measurement period
Measure Steward: Centers for Medicare & Medicaid Services
PQRS No.: 128

CMS eMeasure ID: CMS132v5
NQF No.: 0564
Measure Title: Cataracts: Complications within Thirty Days Following Cataract Surgery Requiring Additional Surgical
NQS Domain: Patient Safety
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and had any of a specified list of surgical procedures in the thirty days following cataract surgery which would indicate the occurrence of any of the following major complications: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Numerator Statement: Patients who had one or more specified operative procedures for any of the following major complications within thirty days following cataract surgery: retained nuclear fragments, endophthalmitis, dislocated or wrong power IOL, retinal detachment, or wound dehiscence
Denominator Statement: All patients aged eighteen years and older who had cataract surgery and no significant ocular conditions impacting the surgical complication rate
Measure Steward: PCPI(R) Foundation (PCPI[R])
PQRS No.: 192

CMS eMeasure ID: CMS133v5
NQF No.: 0565
Measure Title: Cataracts: 20/40 or Better Visual Acuity within Ninety Days Following Cataract Surgery
NQS Domain: Clinical Process/Effectiveness
Measure Description: Percentage of patients aged eighteen years and older with a diagnosis of uncomplicated cataract who had cataract surgery and no significant ocular conditions impacting the visual outcome of surgery and had best-corrected visual acuity of 20/40 or better (distance or near) achieved within 90 days following the cataract surgery
Numerator Statement: Patients who had best-corrected visual acuity of 20/40 or better (distance or near) achieved within ninety days following cataract surgery
Denominator Statement: All patients aged eighteen years and older who had cataract surgery
Measure Steward: PCPI(R) Foundation (PCPI[R])
PQRS No.: 191

CMS eMeasure ID: CMS158v5
NQF No.: N/A
Measure Title: Pregnant Women That Had HBsAg Testing
NQS Domain: Clinical Process/Effectiveness
Measure Description: This measure identifies pregnant women who had a HBsAg (hepatitis B) test during their pregnancy
Numerator Statement: Patients who were tested for hepatitis B surface antigen (HBsAg) during pregnancy within 280 days prior to delivery
Denominator Statement: All female patients aged twelve and older who had a live birth or delivery during the measurement period
Measure Steward: Optum
PQRS No.: 369

CMS eMeasure ID: CMS159v5
NQF No.: 0710
Measure Title: Depression Remission at Twelve Months
NQS Domain: Clinical Process/Effectiveness
Measure Description: Patients age eighteen and older with major depression or dysthymia and an initial Patient Health Questionnaire (PHQ-9) score greater than nine who demonstrate remission at twelve months (+/- 30 days after an index visit) defined as a PHQ-9 score less than five. This measure applies to both patients with newly diagnosed and existing depression whose current PHQ-9 score indicates a need for treatment.
Numerator Statement: Patients who achieved remission at twelve months as demonstrated by a twelve month (+/- 30 days grace period) PHQ-9 score of less than five
Denominator Statement: Patients age eighteen and older with a diagnosis of major depression or dysthymia and an initial PHQ-9 score greater than nine during the index visit
Measure Steward: MN Community Measurement

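To make the numerator/denominator structure of an eCQM concrete, here is an added Python example (not from the textbook, and not CMS's own measure logic) that evaluates CMS69v5 from Table 10.3 over constructed patient records; the record layout, the per-patient "most recent eligible encounter" rule, and reading "previous six months" as a calendar-month window are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
import calendar

# Normal BMI parameters quoted in the measure: >= 18.5 and < 25 kg/m2
BMI_NORMAL_LOW = 18.5
BMI_NORMAL_HIGH = 25.0
MIN_AGE = 18


@dataclass
class Patient:
    """Constructed record layout (assumption): one row per patient."""
    patient_id: str
    birth_date: date
    encounters: list = field(default_factory=list)      # eligible encounter dates
    bmi_readings: list = field(default_factory=list)    # (date, bmi) pairs
    followup_plans: list = field(default_factory=list)  # dates a follow-up plan was documented


def age_on(birth_date, on_date):
    """Whole years of age on a given date."""
    years = on_date.year - birth_date.year
    if (on_date.month, on_date.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def months_before(d, n):
    """Calendar-month subtraction with day clamping (assumption: the measure's
    'previous six months' is read as a calendar window, not a fixed day count)."""
    m = d.month - 1 - n
    year = d.year + m // 12
    month = m % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def in_lookback(event_date, encounter_date, months=6):
    """True if the event falls in the encounter date or the preceding window."""
    return months_before(encounter_date, months) <= event_date <= encounter_date


def bmi_is_normal(bmi):
    return BMI_NORMAL_LOW <= bmi < BMI_NORMAL_HIGH


def index_encounter(patient, period_start, period_end):
    """Denominator test: at least one eligible encounter in the measurement
    period with the patient aged 18 or older on that date. Assumption: the
    most recent qualifying encounter is the one evaluated."""
    eligible = [e for e in patient.encounters
                if period_start <= e <= period_end
                and age_on(patient.birth_date, e) >= MIN_AGE]
    return max(eligible) if eligible else None


def meets_numerator(patient, encounter_date):
    """Numerator test: a BMI documented at the encounter or in the previous six
    months and, if it is outside normal parameters, a follow-up plan in that window."""
    readings = [(d, b) for d, b in patient.bmi_readings if in_lookback(d, encounter_date)]
    if not readings:
        return False
    _, latest_bmi = max(readings)  # most recent documented BMI in the window
    if bmi_is_normal(latest_bmi):
        return True
    return any(in_lookback(d, encounter_date) for d in patient.followup_plans)


def compute_cms69(patients, period_start, period_end):
    """Returns (numerator, denominator, ids of denominator patients not in the numerator)."""
    numerator = denominator = 0
    not_met = []
    for p in patients:
        enc = index_encounter(p, period_start, period_end)
        if enc is None:
            continue  # not in the denominator
        denominator += 1
        if meets_numerator(p, enc):
            numerator += 1
        else:
            not_met.append(p.patient_id)
    return numerator, denominator, not_met


# Constructed sample data (not real patients); measurement period = calendar year 2016
PERIOD_START, PERIOD_END = date(2016, 1, 1), date(2016, 12, 31)
SAMPLE_PATIENTS = [
    # normal BMI documented at the encounter itself -> numerator
    Patient("P1", date(1980, 5, 10), [date(2016, 6, 15)], [(date(2016, 6, 15), 22.0)]),
    # high BMI three months earlier with a follow-up plan documented -> numerator
    Patient("P2", date(1970, 1, 1), [date(2016, 6, 15)], [(date(2016, 3, 1), 31.2)], [date(2016, 3, 1)]),
    # low BMI documented seven months before the encounter: outside the window -> not met
    Patient("P3", date(1990, 3, 3), [date(2016, 9, 1)], [(date(2016, 2, 1), 17.0)]),
    # aged 11 on the encounter date -> excluded from the denominator
    Patient("P4", date(2005, 1, 1), [date(2016, 6, 15)], [(date(2016, 6, 15), 16.0)]),
    # high BMI at the encounter, no follow-up plan -> not met
    Patient("P5", date(1960, 7, 7), [date(2016, 11, 20)], [(date(2016, 11, 20), 28.0)]),
]

if __name__ == "__main__":
    num, den, gaps = compute_cms69(SAMPLE_PATIENTS, PERIOD_START, PERIOD_END)
    print(f"CMS69v5: {num}/{den} = {num / den:.0%}; not met: {gaps}")
```

The returned list of patients who fall in the denominator but not the numerator is the care-gap list a quality team would review before reporting.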
The NQF is a nonprofit, member organization whose mission is “to lead national collaboration to
improve health and healthcare quality through measurement” (NQF, n.d.). It was created in 1999
and includes board members from private and public sectors, including providers, purchasers,
and representatives from AHRQ, CDC, CMS, and HRSA. The NQF maintains a large,
searchable database of performance measures. Measures can be searched on the NQF
website ( by any combination of the following dimensions:

Endorsement Status (e.g. Endorsed, Not Endorsed)
Measure Status (Time Limited, Reserved)
Measure Format (eMeasure, Measure)
Measure Steward (e.g., NCQA, CMS, The Joint Commission)
Use in Federal Program (e.g., Meaningful Use, Medicare Shared Savings Program)
Clinical Condition/Topic Area (e.g., Cancer, Infectious Disease)
Cross-Cutting Area (e.g., Overuse, Safety, Disparities)
Care Setting (e.g., Ambulatory Care, Home Health, Hospital)
National Quality Strategy Priorities (e.g., Affordable Care, Patient Safety)
Actual/Planned Use (e.g., Public Reporting, Payment Program)
Data Source (e.g., Administrative Data, Electronic Clinical Data, Healthcare Provider Survey)
Level of Analysis (e.g., Clinician, Facility, Health Plan)
Target Population (Children’s Health)
Comparative Health Care Data Sets
Comparative health care data sets and information are often aligned with organizations’ quality
improvement efforts. An organization might collect data on one or more of the specific
performance measures, such as those previously identified, and then use this information to
compare its performance to other similar organizations or state average results, for example.
The process of comparing one or more performance measures against a standard is called
benchmarking. Benchmarking may be limited to internally set standards; however, frequently it
employs one or more externally generated benchmarks or standards.

Providers may select from many publicly and privately available health care data sets for
benchmarking purposes. Many of the organizations identified in the previous section not only
develop standards but also provide searchable websites that enable consumers and providers
to compare results of their measures across multiple organizations. Although each comparative
data set is unique, they can be loosely categorized by purpose: patient satisfaction, practice
patterns, or clinical data. The following paragraphs identify some of the more well-known and
frequently used comparative data sets and list their associated searchable website when

Patient Satisfaction Data Sets
Patient satisfaction data generally come from survey data. Several private organizations, such
as NRC+Picker, Press Ganey, and the health care division of Gallup, provide extensive
consulting services to health care organizations across the country. One of these services is to
conduct patient satisfaction surveys. Some health care organizations undertake patient
satisfaction surveys on their own. The advantage of using a national organization is the
comparative database it offers, which organizations can use for benchmarking purposes.

Some of the most widely used groups of patient experience surveys in the public arena were
developed under the Agency for Healthcare Research and Quality (AHRQ) Consumer
Assessment of Healthcare Providers and Systems (CAHPS) program. CAHPS originated in
1995 to assess participants’ perspectives on their health plans. Since that time the program has
evolved to include the following surveys:

Health Plan
Clinician & Group
Home Health Care
In-Center Hemodialysis
Nursing Home
Surgical Care
American Indian
Dental Plan
Experience of Care and Health Outcomes (for mental health and substance abuse services)
CAHPS surveys are available to any organization. Federal agencies, such as CMS, use the
CAHPS survey results, but the results are also used by health systems, physician practices,
hospitals, and other health care providers in their quality improvement efforts (AHRQ, 2016).
The Hospital CAHPS (HCAHPS) results are available to consumers as a part of CMS Hospital
Compare (discussed under “Clinical Data Sets”) and from the AHRQ website, which also provides
information about the CAHPS comparative data and access to the database and chart books (AHRQ, 2016).

Practice Patterns Data Set
The Dartmouth Atlas is a widely used, interactive, online tool that enables health care
organizations to compare data across a wide variety of parameters. The project is a privately
funded program through the Dartmouth Institute for Health Policy and Clinical Practice, which
primarily uses Medicare data to document variations in the use of medical resources across the
United States. The Dartmouth Atlas is available online (The Dartmouth Institute, n.d.).
Clinical Data Sets
The Joint Commission and CMS are committed to the improvement of clinical outcomes, and
as a part of that commitment they provide consumers with comparative data that encompasses
clinical measures. The Joint Commission’s Quality Check has evolved since its introduction in
1994 to become a comprehensive guide to health care organizations in the United States.
Visitors to the Quality Check website can search for health care organizations by a variety of
parameters, identify accreditation status, and compare hospital performance measures in terms
of the Joint Commission’s (2015a) National Patient Safety Goals. The 2016 National Patient
Safety Goals for Hospitals describe sixteen specific goals, including these:

Identifying patients correctly
Improving staff member communication
Using medicines safely
Using alarms safely
Preventing infection
Identifying patient safety risks
Preventing mistakes in surgery (The Joint Commission, 2016)
Hospital Compare is the CMS-sponsored interactive, online comparative data set. It contains
information about the quality of care
at over four thousand Medicare-certified hospitals. The interactive tool enables consumers to
compare clinical and patient satisfaction data. The purpose of the tool is to promote informed
decision making by consumers of hospital care and to encourage hospitals to improve the
quality of care they provide (CMS, n.d.b). In addition to Hospital Compare, CMS sponsors public
reporting of other health care organizations, such as nursing homes, home health agencies, and
kidney dialysis facilities (CMS, n.d.d).

Comparative Data for Health Plans
In addition to data sets used by providers, the NCQA website enables consumers to have
access to comparative data for health plans through a variety of report cards. The majority of
the comparative data is derived from HEDIS and CAHPS. NCQA health care report cards are
published on the NCQA website; NCQA also offers a subscription service for a more detailed
interactive tool, Quality Compass (NCQA, n.d.b, n.d.c).

Federal Quality Improvement Initiatives
As stated at the beginning of the chapter, the publication of the IOM reports addressing serious
quality concerns marked a new era of government initiatives to improve the quality of patient
care. Multiple new programs were established and new efforts to link Medicare and Medicaid
reimbursement to quality care were undertaken. In this section we will examine the Patient
Safety Act, the National Quality Strategy, and a selection of related government programs aimed
at improving the quality of health care through performance measurement including the related
aspects of the Medicare Access & CHIP Reauthorization Act of 2015 (MACRA).

The Patient Safety Act
The IOM To Err Is Human: Building a Safer Health System (Kohn, Corrigan, & Donaldson, 2000)
outlined serious concerns about and the need to improve the safety and quality of health care in
the United States. Despite the ongoing efforts by voluntary accrediting bodies to ensure
high-quality care, this report identified a critical need for reporting and analyzing individual facility
and aggregate data related to adverse events. To address the need to capture information to
improve health care quality and prevent harm to patients, the Patient Safety and Quality
Improvement Act of 2005 (Patient Safety Act) was passed by Congress “to promote shared
learning to enhance quality and safety nationally.” To implement the act, the Department of
Health and Human Services issued the Patient Safety Rule (effective January 2009), which
authorized the identification of Patient Safety Organizations (PSOs). As of August 2016, there
were eighty-two PSOs in twenty-eight states. PSOs are responsible for the collection and
analysis of health information that is referred to in the Final Rule as patient safety work product
(PSWP). The PSWP contains identifiable patient information that is covered by specific privilege
and confidentiality protections (AHRQ, n.d.a).
The types of patient safety events that are reported under these protections include the following:
Incidents: patient safety events that reached the patient, whether or not there was harm involved
Near misses (or close calls): patient safety events that did not reach the patient
Unsafe conditions: circumstances that increase the probability of a patient safety event
To facilitate these activities, AHRQ has created Common Formats, which are “common
definitions and reporting formats to help providers uniformly report patient safety events”
(AHRQ, n.d.b).

National Quality Strategy
The requirement for a National Strategy for Quality Improvement in Health Care (National
Quality Strategy) was established by the Affordable Care Act and subsequently published in
2011. More than three hundred groups and individuals representing all aspects of the health care
industry and public provided input. It has subsequently been updated on an annual basis, but the
three broad aims and six priorities have remained consistent. The three broad aims used to
“guide and assess national efforts to improve health and the quality of health care” (AHRQ,
2011) are as follows:

Better care: Improve the overall quality by making health care more patient-centered, reliable,
accessible, and safe.

Healthy people/healthy communities: Improve the health of the US population by supporting
proven interventions to address behavioral, social, and environmental determinants of health in
addition to delivering higher-quality care.
Affordable care: Reduce the cost of quality health care for individuals, families, employers, and
governments.
To achieve these aims, the National Quality Strategy identifies the following six priorities:

Making care safer by reducing harm caused in the delivery of care
Ensuring that each person and family are engaged as partners in their care
Promoting effective communication and coordination of care
Promoting the most effective prevention and treatment practices for the leading causes of
mortality, starting with cardiovascular disease
Working with communities to promote wide use of best practices to enable healthy living
Making quality care more affordable for individuals, families, employers, and governments by
developing and spreading new health care delivery models
The strategy goes further by recommending that all sectors of the health care system
(individuals, families, payers, providers, employers, and communities) employ one or more of
the following “levers” to “align” with the National Quality Strategy (NQS) (AHRQ, 2011):
Measurement and feedback: Provide performance feedback to plans and providers to improve care.
Public reporting: Compare treatment results, costs, and patient experience for consumers.
Learning and technical assistance: Foster learning environments that offer training, resources,
tools, and guidance to help organizations achieve quality improvement goals.
Certification, accreditation, and regulation: Adopt or adhere to approaches to meet safety and
quality standards.
Consumer incentives and benefit designs: Help consumers adopt healthy behaviors and make
informed decisions.
Payment: Reward and incentivize providers to deliver high-quality, patient-centered care.
Health information technology: Improve communication, transparency, and efficiency for better
coordinated health and health care.
Innovation and diffusion: Foster innovation in health care quality improvement, and facilitate
rapid adoption within and across organizations and communities.
Workforce development: Invest in people to prepare the next generation of health care
professionals and support lifelong learning for providers.
CMS Quality Programs
The Centers for Medicare and Medicaid Services (CMS) released its specific Quality Strategy in 2016,
which is based on the NQS. Adhering to the same broad aims as the NQS, CMS developed a
strategy to improve health care delivery by the following means:

Using incentives to improve care
Tying payment to value through new payment models
Changing how care is given through
    Better teamwork
    Better coordination across health care settings
    More attention to population health
Putting the power of health care information to work (CMS, 2016)
Since 2001, CMS has engaged in a variety of Quality Initiatives, including initiatives that result in
public reporting of performance measures as previously discussed. The Physician Quality
Reporting System (PQRS) encourages individual “eligible professionals” (EPs) (e.g.,
physicians) and group practices to assess and report the quality of care provided to their
patients. EPs and group practices that do not report on quality measures as outlined for
Medicare Part B covered services risk a negative payment adjustment. There are several
mechanisms for reporting PQRS data, including EHRs (CMS, n.d.g).

Using PQRS reporting to determine reimbursement for Medicare Part B is one of many
mechanisms through which CMS incentivizes improved quality of care. CMS has multiple
value-based or pay-for-performance programs aimed at tying reimbursements to demonstration
of quality. CMS’s original value-based programs were an attempt to link performance on
endorsed quality measures to reimbursement. These programs included the following:

Hospital Value-Based Purchasing (HVBP) program rewards acute care hospitals for quality care
using incentives.
Hospital Readmissions Reduction (HRR) program reduces payments to acute care hospitals with
excess readmissions for certain conditions, such as acute myocardial infarction,
heart failure, pneumonia, chronic obstructive pulmonary disease, elective hip or knee
replacement, and coronary artery bypass surgery.
Hospital-Acquired Conditions (HAC) program determines whether or not an acute care hospital
should be paid a reduced amount based on its performance on measures of health care-associated
infections and other hospital-acquired conditions.
Value Modifier (VM) program (also known as Physician Value-Based Modifier or PVBM)
rewards physicians (and, beginning in 2018, other primary care professionals, for example,
physician assistants and nurse practitioners) for high-quality, lower-cost performance using an
adjustment (modifier) for each claim.
Three other value-based programs are applied to end-stage renal disease programs, skilled
nursing facilities, and home health programs.

Beyond these traditional value-based programs, CMS encourages innovative, alternative
models of care through the CMS Innovation Center. These models are designed to promote
lower-cost, higher-quality care. All depend on appropriate reporting of performance measures
(CMS, n.d.h).
The Medicare Access and CHIP Reauthorization Act (MACRA)
The Medicare Access and CHIP Reauthorization Act (MACRA) was enacted in 2015. MACRA
is one aspect of CMS’s push toward improving quality and value. In January 2015, the
Department of Health and Human Services announced two goals for value-based payments
and alternative payment models (APMs):

Goal 1: 30 percent of Medicare payments are tied to quality or value through APMs by the end
of 2016; 50 percent by the end of 2018.

Goal 2: 85 percent of Medicare fee-for-service payments are tied to quality or value by the end
of 2016; 90 percent by the end of 2018.
They also invited private sector payers to match or exceed these same goals.

MACRA affects physician providers, moving HHS closer to meeting these goals. Key elements
to MACRA are the following:

Changes the way Medicare rewards physicians and practitioners for value over volume
Streamlines multiple quality programs directed at physicians and practitioners under the new
Merit-based Incentive Payment System (MIPS)
Provides bonus payments for physicians’ and practitioners’ participation in eligible APMs (see
Chapter One for examples of APMs)
MIPS will incorporate aspects of three existing quality and value programs: PQRS, Value-based
Modifier, and the Medicare EHR Incentive Program. The resulting set of performance measures
will be divided into the following categories to calculate a score (between 0 and 100) for eligible
professionals. Each category of performance will be weighted as shown in Table 10.4.
Table 10.4 MIPS performance categories

  Category                                  Weight (%)
  Quality                                   50
  Advancing care information                25
  Clinical practice improvement activities  15
  Resource use                              10
Health care providers meeting the established threshold score will receive no adjustment to
payment; those scoring below will receive a negative adjustment and those above, a positive
adjustment. Exceptional performers may receive bonus payments (CMS, n.d.c, n.d.e).

The exact implementation dates for MACRA were not set by the publication date for this
textbook; however, the projected timetable for implementation of the various aspects of the law
is shown in Figure 10.2 (CMS, n.d.c).

Figure 10.2 Projected timetable for implementation of MACRA

Source: CMS (n.d.e).

In this chapter we examined how health care organizations and health plans use data and
information to demonstrate performance to licensing, certifying, and accrediting bodies; to
measure performance against internal and external standards; to compare performance to other
similar organizations; and to demonstrate performance for reimbursement purposes. This
chapter began with an examination of the licensure, certification, and accreditation of health care
facilities and health plans, followed by an overview of key comparative data sets often used by
health care organizations in benchmarking performance. The chapter further explored major
milestones in the national agenda for health care quality improvement, followed by a discussion
of the current efforts to improve health care quality and patient safety, focusing on the efforts that
involve using health care data and information to measure performance. The private and public
organizations responsible for developing and endorsing national quality measures were
introduced, and the progress that has been made in aligning these measures across these
organizations was discussed. The chapter concluded with an overview of the significant
movement toward value-based reimbursement programs and plans for significant growth in
these programs over the next decade.

Clearly, there is a bewildering and complex set of measures with many organizations involved.
Consequently, many of the measures being collected are inconsistent across the organizations
requiring them. There are differences of opinion about which measures should be collected and
how those measures should be defined. Efforts are under way, largely driven by CMS, to align
measures to ease the collection burden for health care providers. However, today’s reality
remains an overwhelmingly complex web of standards and measurement requirements.

EHRs have been cited as the solution for easing the collection burden for health care
organizations and providers. However, the most current EHR systems are limited in their ability
to collect the required measures. The result is that organizations and providers must resort to
manual data collection. In other chapters in this text we have explored reasons for the current
limitations of EHRs in this area, including provider resistance because of the time burden. There
is a largely unresolved tension in the health care community and HIT industry between the
desire to collect accurate and timely measures and the provider resistance to entering the data
into the EHR in a standard, retrievable format.

Agency for Healthcare Research and Quality (AHRQ). (2011). National quality strategy (NQS).
Retrieved August 31, 2016, from
Agency for Healthcare Research and Quality (AHRQ). (2016, July). Comparative data.
Retrieved August 31, 2016, from
Agency for Healthcare Research and Quality (AHRQ). (n.d.a). About the PSO program.
Retrieved August 31, 2016, from
Agency for Healthcare Research and Quality (AHRQ). (n.d.b). Common formats. Retrieved
August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (2015, Sept.). CMS-approved accrediting
organizations contacts for prospective clients. Retrieved August 30, 2016, from
Centers for Medicare and Medicaid Services (CMS). (2016). CMS quality strategy 2016. Retrieved
August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.a). Accreditation of Medicare-certified providers
& suppliers. Retrieved August 21, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.b). Hospital compare. Retrieved August 31,
2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.c). MACRA. Retrieved August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.d). Medicare. Retrieved August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.e). The Medicare Access & CHIP
Reauthorization Act of 2015: Path to value. Retrieved August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.f). The merit-based incentive payment system:
MIPS scoring methodology overview. Retrieved August 4, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.g). Physician quality reporting system.
Retrieved August 31, 2016, from
Centers for Medicare and Medicaid Services (CMS). (n.d.h). Value-based programs. Retrieved August
31, 2016, from
Council of Medical Specialty Societies (CMSS). (2014, Nov.). The measurement of health care
performance (3rd ed.). Retrieved August 21, 2016, from
The Dartmouth Institute (n.d.) Understanding of the efficiency and effectiveness of the health
care system. Retrieved August 31, 2016, from
Institute of Medicine (IOM) Committee on Quality of Health Care in America. (2001). Crossing the quality
chasm: A new health system for the 21st century. Washington, DC: National Academy Press.
The Joint Commission. (2011). Comprehensive accreditation manual for hospitals. Oakbrook
Terrace, IL: Author.
The Joint Commission. (2014a, Aug.). Program: Ambulatory. Chapter: information management
(e-dition). Retrieved August 21, 2016, from
The Joint Commission. (2014b, Aug.). Program: Ambulatory. Chapter: Record of care,
treatment and services (e-dition). Retrieved August 21, 2016, from
The Joint Commission. (2015a, Nov. 5). Hospital: 2016 national patient safety goals. Retrieved
August 31, 2016, from
The Joint Commission. (2015b, Sept. 2). Joint Commission measure sets effective January 1,
2016. Retrieved August 21, 2016, from
The Joint Commission. (2016, April 27). Accreditation process overview. Retrieved August 21,
2016, from
The Joint Commission. (n.d.). About the Joint Commission. Retrieved August 21, 2016, from
Kohn, L. T., Corrigan, J., & Donaldson, M. S. (2000). To err is human: Building a safer health
system. Washington, DC: National Academy Press.
Morris, C. (2014, May). Measuring health care quality: An overview of quality measures (Issue
brief). FamiliesUSA. Retrieved August 21, 2016, from
National Committee for Quality Assurance (NCQA). (2015). 2015 NCQA health plan
accreditation standards. Retrieved August 21, 2016 from
National Committee for Quality Assurance (NCQA). (n.d.a). About NCQA. Retrieved August 21,
2016, from
National Committee for Quality Assurance (NCQA). (n.d.b). Quality compass. Retrieved August
21, 2016, from
National Committee for Quality Assurance (NCQA). (n.d.c). Report cards. Retrieved August 21,
2016, from
National Quality Forum (NQF). (n.d.). About us. Retrieved August 31, 2016, from

Chapter 9
Privacy and Security

Privacy is an individual’s constitutional right to be left alone, to be free from unwarranted
publicity, and to conduct his or her life without its being made public. In the healthcare
environment, privacy is an individual’s right to limit access to his or her health care information.
In spite of this constitutional protection and other legislated protections discussed in this chapter,
approximately 112 million Americans (a third of the United States population) were affected by
breaches of protected health information (PHI) in 2015 (Koch, 2016). Three large
insurance-related corporations accounted for nearly one hundred million records being exposed
(Koch, 2016). In one well-publicized security breach at Banner Health, where attackers gained
entry through the payment processing systems used at its food and beverage outlets, approximately
3.7 million individuals’ information was accessed, much of it health information (Goedert, 2016).

Health information privacy and security are key topics for healthcare administrators. In today’s
ever-increasing electronic world, where the Internet of Things is on the horizon and nearly every
health care organization employee and visitor has a smart mobile device that is connected to at
least one network, new and more virulent threats are an everyday concern. In this chapter we
will examine and define the concepts of privacy, confidentiality, and security as they apply to
health information. Major legislative efforts, historic and current, to protect health care
information are outlined, with a focus on the Health Insurance Portability and Accountability Act
(HIPAA) Privacy, Security, and Breach Notification rules. Different types of threats, intentional
and unintentional, to health information will be discussed. Basic requirements for a strong health
care organization security program will be outlined, and the chapter will conclude with the
cybersecurity challenges in today’s environment of mobile and cloud-based devices, wearable
fitness trackers, social media, and remote access to health information.
Privacy, Confidentiality, and Security Defined
As stated, privacy is an individual’s right to be left alone and to limit access to his or her health
care information. Confidentiality is related to privacy but specifically addresses the expectation
that information shared with a health care provider during the course of treatment will be used
only for its intended purpose and not disclosed otherwise. Confidentiality relies on trust. Security
refers to the systems that are in place to protect health information and the systems within
which it resides. Health care organizations must protect their health information and health
information systems from a range of potential threats. Certainly, security systems must protect
against unauthorized access and disclosure of patient information, but they must also be
designed to protect the organization’s IT assets—such as the networks, hardware, software, and
applications that make up the organization’s health care information systems—from harm.

Legal Protection of Health Information
There are many sources for the legal and ethical requirements that healthcare professionals
maintain the confidentiality of patient information and protect patient privacy. Ethical and
professional standards, such as those published by the American Medical Association and
other organizations, address professional conduct and the need to hold patient information in
confidence. Accrediting bodies, such as the Joint Commission, state facility licensure rules, and
the federal government through the Centers for Medicare and Medicaid Services, dictate that health care
organizations follow standard practice and state and federal laws to ensure the confidentiality
and security of patient information.

Today, legal protection specifically addressing the unauthorized disclosure of an individual’s health
information generally comes from one of three sources (Koch, 2016):

Federal HIPAA Privacy, Security, and Breach Notification rules
State privacy laws. These laws typically apply more stringent protections for information related
to specific health conditions (HIV/AIDS, mental or reproductive health, for example).
Federal Trade Commission (FTC) Act consumer protection, which protects against unfair or
deceptive practices. The FTC issued the Health Breach Notification Rule in 2009, with enforcement
beginning in 2010, to require certain businesses not covered by HIPAA, including PHR vendors,
PHR-related entities, and third-party service providers for PHR vendors or PHR-related entities,
to notify individuals of a breach of security.
However, there are two other major federal laws governing patient privacy that, although HIPAA
now provides the broader framework, remain in force and remain important, particularly from a
historical perspective:

The Privacy Act of 1974 (5 U.S.C. §552a; 45 C.F.R. Part 5b; OMB Circular No. A-108 [1975])
Confidentiality of Substance Abuse Patient Records (42 U.S.C. §290dd-2, 42 C.F.R. Part 2)
The Privacy Act of 1974
In 1966, the Freedom of Information Act (FOIA) was passed. This legislation provides the
American public with the right to obtain information from federal agencies. The act covers all
records created by the federal government, with nine exemptions. The sixth exemption is for
personnel and medical files, “the disclosure of which would constitute a clearly
unwarranted invasion of personal privacy.” There was, however, concern that this exemption to
the FOIA was not strong enough to protect federally created patient records and other health
information. Consequently, Congress enacted the Privacy Act of 1974. The act governs records
about individuals that are maintained by federal agencies, so in health care its protection of
patient confidentiality reaches only federally operated health care facilities, such
as Veterans Administration hospitals, Indian Health Service facilities, and military health care
organizations. Because the protection was limited to those facilities operated by the federal
government, most general hospitals and other nongovernment health care organizations did not
have to comply. Nevertheless, the Privacy Act of 1974 was an important piece of legislation, not
only because it addressed the FOIA exemption for patient information but also because it
explicitly stated that patients had a right to access and amend their medical records. It also
required facilities to maintain documentation of all disclosures. Neither of these things was
standard practice at the time.

Confidentiality of Substance Abuse Patient Records
During the 1970s, people became increasingly aware of the extra-sensitive nature of drug and
alcohol treatment records. This led to the regulations currently found in 42 C.F.R. (Code of
Federal Regulations) Part 2, Confidentiality of Substance Abuse Patient Records. These
regulations have been amended twice, with the latest version published in 1999. They offer

specific guidance to federally assisted health care organizations that provide referral, diagnosis,
and treatment services to patients with alcohol or drug problems. Not surprisingly, they set
stringent release of information standards, designed to protect the confidentiality of patients
seeking alcohol or drug treatment.

HIPAA was the first comprehensive federal law to offer specific protection to private health
information. Prior to the enactment of HIPAA there was no single federal regulation governing
the privacy and security of patient-specific information, only the limited legislative protections
previously discussed. These laws were not comprehensive and protected only specific groups
of individuals.

The Health Insurance Portability and Accountability Act of 1996 consists of two main parts:

Title I addresses health care access, portability, and renewability, offering protection for
individuals who change jobs or health insurance policies. (Although Title I is an important piece
of legislation, it does not address health care information specifically and will therefore not be
addressed in this chapter.)
Title II includes a section titled, “Administrative Simplification.”
The requirements establishing privacy and security regulations for protecting individually
identifiable health information are found in Title II of HIPAA. The HIPAA Privacy Rule was
required beginning April 2003 and the HIPAA Security Rule beginning April 2005. Both rules
were subsequently amended and the Breach Notification Rule was added as a part of the
HITECH Act in 2009.

The information protected under the HIPAA Privacy Rule is specifically defined as PHI, which is
information that

Relates to a person’s physical or mental health, the provision of health care, or the payment for
health care
Identifies the person who is the subject of the information
Is created or received by a covered entity
Is transmitted or maintained in any form (paper, electronic, or oral)
Unlike the Privacy Rule, the Security Rule addresses only PHI transmitted or maintained in
electronic form. Within the Security Rule this information is identified as ePHI.

The HIPAA rules also define covered entities (CEs), the organizations to which the rules apply:
Health plans, which pay or provide for the cost of medical care
Health care clearinghouses, which process health information (for example, billing services)
Health care providers who conduct certain financial and administrative transactions
electronically (These transactions are defined broadly so that the reality of HIPAA is that it
governs nearly all health care providers who receive any type of third-party reimbursement.)

If a CE shares PHI with another organization that performs functions on its behalf (a business
associate), it must establish a contract that obligates that organization to protect the shared
information. The HITECH Act amended HIPAA so that business associates are directly subject to the
Security Rule and to certain Privacy Rule requirements, rather than being bound only by their
contracts with CEs. It further clarified that certain entities, such as health information exchange
organizations, regional health information organizations, e-prescribing gateways, or a vendor that
contracts with a CE to allow the CE to offer a personal health record as a part of its EHR, are
business associates if they require access to PHI on a routine basis (Coppersmith, Gordon,
Schermer, & Brokelman, PLC, 2012).
HIPAA Privacy Rule
Although the HIPAA Privacy Rule is a comprehensive set of federal standards, it permits the
enforcement of existing state laws that are more protective of individual privacy, and states are
also free to pass more stringent laws. Therefore, health care organizations must still be familiar
with their own state laws and regulations related to privacy and confidentiality.

The major components to the HIPAA Privacy Rule in its original form include the following:

Boundaries. PHI may be disclosed for health purposes only, with very limited exceptions.
Security. PHI should not be distributed without patient authorization unless there is a clear basis
for doing so, and the individuals who receive the information must safeguard it.
Consumer control. Individuals are entitled to access and control their health records and are to
be informed of the purposes for which information is being disclosed and used.
Accountability. Entities that improperly handle PHI can be charged under criminal law and
punished and are subject to civil recourse as well.
Public responsibility. Individual interests must not override national priorities in public health,
medical research, preventing health care fraud, and law enforcement in general.
With HITECH, the Privacy Rule was expanded to include creation of new privacy requirements
for HIPAA-covered entities and business associates. In addition, the rights of individuals to
request and obtain their PHI are strengthened, as is the right of the individual to prevent a
healthcare organization from disclosing PHI to a health plan, if the individual paid in full out of
pocket for the related services. There were also some new provisions for accounting of
disclosures made through an EHR for treatment, payment, and operations (Coppersmith et al.,
2012).
The HIPAA Privacy Rule sorts out the routine and nonroutine use of health
information by distinguishing between patient consent to use PHI and patient authorization to
release PHI. Covered entities may use and disclose PHI for the routine purposes of treatment,
payment, and health care operations without the patient’s specific authorization; the Privacy Rule
permits, but does not require, a general written consent for these uses, and many providers obtain
one (along with an acknowledgment of the notice of privacy practices) before treatment, with
exceptions for emergency situations. The patient has a right to request restrictions on these
disclosures, but a provider is generally not required to agree to a requested restriction (the
HITECH out-of-pocket payment restriction described above is the exception). Health care
providers and others must obtain the patient’s specific written authorization for all nonroutine
uses or disclosures of PHI, such as releasing health records to a school or a relative.

Exhibit 9.1 is a sample release of information form used by a hospital, showing the following
elements that should be present on a valid release form:

Patient identification (name and date of birth)
Name of the person or entity to whom the information is being released
Description of the specific health information authorized for disclosure
Statement of the reason for or purpose of the disclosure
Date, event, or condition on which the authorization will expire, unless it is revoked earlier
Statement that the authorization is subject to revocation by the patient or the patient’s legal
Patient’s or legal representative’s signature
Signature date, which must be after the date of the encounter that produced the information to be
Health care organizations need clear policies and procedures for releasing PHI. A central point
of control should exist through which all nonroutine requests for information pass, and all
disclosures should be well documented.

In some instances, PHI can be released without the patient’s authorization. For example, some
state laws require disclosing certain health information. It is always good practice to obtain a
patient authorization prior to releasing information when feasible, but in state-mandated cases it
is not required. Some examples of situations in which information might need to be disclosed to
authorized recipients without the patient’s consent are the presence of a communicable disease,
such as AIDS and sexually transmitted diseases, which must be reported to the state or county
department of health; suspected child abuse or adult abuse that must be reported to designated
authorities; situations in which there is a legal duty to warn another person of a clear and
imminent danger from a patient; bona fide medical emergencies; and the existence of a valid
court order.

The HIPAA Security Rule
The HIPAA Security Rule is closely connected to the HIPAA Privacy Rule. The Security Rule
governs only ePHI, which is defined as protected health information maintained or transmitted in
electronic form. It is important to note that the Security Rule does not distinguish between
electronic forms of information or between transmission mechanisms. ePHI may be stored in
any type of electronic media, such as magnetic tapes and disks, optical disks, servers, and
personal computers. Transmission may take place over the Internet or on local area networks
(LANs), for example.

The standards in the final rule are defined in general terms, focusing on what should be done
rather than on how it should be done. According to the Centers for Medicare and Medicaid
Services (CMS, 2004), the final rule specifies “a series of administrative, technical, and physical
security procedures for covered entities to use to assure the confidentiality of electronic
protected health information (ePHI). The standards are delineated into either required or
addressable implementation specifications.” A required specification must be implemented by a
CE for that organization to be in compliance. However, the CE is in compliance with an
addressable specification if it does any one of the following:

Implements the specification as stated
Implements an alternative security measure to accomplish the purposes of the standard or
Chooses not to implement anything, provided it can demonstrate that the standard or
specification is not reasonable and appropriate and that the purpose of the standard can still be
met; because the Security Rule is designed to be technology neutral, this flexibility was granted
for organizations that employ nonstandard technologies or have legitimate reasons not to need
the stated specification (AHIMA, 2003)
The standards contained in the HIPAA Security Rule are divided into sections, or categories, the
specifics of which we outline here. You will notice overlap among the sections. For example,
contingency plans are covered under both administrative and physical safeguards, and access
controls are addressed in several standards and specifications.

The HIPAA Security Administrative Safeguards section of the Final Rule contains nine

1. Security management functions. This standard requires the CE to implement policies and
procedures to prevent, detect, contain, and correct security violations. There are four
implementation specifications for this standard:
Risk analysis (required). The CE must conduct an accurate and thorough assessment of the
potential risks to and vulnerabilities of the confidentiality, integrity, and availability of ePHI.
Risk management (required). The CE must implement security measures that reduce risks and
vulnerabilities to a reasonable and appropriate level.
Sanction policy (required). The CE must apply appropriate sanctions against workforce
members who fail to comply with the CE’s security policies and procedures.
Information system activity review (required). The CE must implement procedures to regularly
review records of information system activity, such as audit logs, access reports, and security
incident tracking reports.
2. Assigned security responsibility. This standard does not have any implementation
specifications. It requires the CE to identify the individual responsible for overseeing
development of the organization’s security policies and procedures.
3. Workforce security. This standard requires the CE to implement policies and procedures to
ensure that all members of its workforce have appropriate access to ePHI and to prevent those
workforce members who do not have access from obtaining access. There are three
implementation specifications for this standard:
Authorization and/or supervision (addressable). The CE must have a process for ensuring that
the workforce working with ePHI has adequate authorization and supervision.
Workforce clearance procedure (addressable). There must be a process to determine what
access is appropriate for each workforce member.
Termination procedures (addressable). There must be a process for terminating access to ePHI
when a workforce member is no longer employed or his or her responsibilities change.
4. Information access management. This standard requires the CE to implement policies and
procedures for authorizing access to ePHI. There are three implementation specifications within
this standard. The first (not shown here) applies to health care clearinghouses, and the other two
apply to healthcare organizations:
Access authorization (addressable). The CE must have a process for granting access to ePHI
through a workstation, transaction, program, or other process.
Access establishment and modification (addressable). The CE must have a process (based on
the access authorization) to establish, document, review, and modify a user’s right to access a
workstation, transaction, program, or process.
5. Security awareness and training. This standard requires the CE to implement awareness and
training programs for all members of its workforce. This training should include periodic security
reminders and address protection from malicious software, log-in monitoring, and password
management. (These items to be addressed in training are all listed as addressable
implementation specifications.)
6. Security incident reporting. This standard requires the CE to implement policies and procedures
to address security incidents.
7. Contingency plan. This standard has five implementation specifications:
Data backup plan (required)
Disaster recovery plan (required)
Emergency mode operation plan (required)
Testing and revision procedures (addressable); the CE should periodically test and modify all
contingency plans
Applications and data criticality analysis (addressable); the CE should assess the relative
criticality of specific applications and data in support of its contingency plan
8. Evaluation. This standard requires the CE to periodically perform technical and nontechnical
evaluations in response to changes that may affect the security of ePHI.
9. Business associate contracts and other arrangements. This standard outlines the conditions
under which a CE must have a formal agreement with business associates in order to
exchange ePHI.
The HIPAA Security Physical Safeguards section contains four standards:

1. Facility access controls. This standard requires the CE to implement policies and procedures to
limit physical access to its electronic information systems and the facilities in which they are
housed to authorized users. There are four implementation specifications with this standard:
Contingency operations (addressable). The CE should have a process for allowing facility
access to support the restoration of lost data under the disaster recovery plan and emergency
mode operation plan.
Facility security plan (addressable). The CE must have a process to safeguard the facility and
its equipment from unauthorized access, tampering, and theft.
Access control and validation (addressable). The CE should have a process to control and
validate access to facilities based on users’ roles or functions.
Maintenance records (addressable). The CE should have a process to document repairs and
modifications to the physical components of a facility as they relate to security.
2. Workstation use. This standard requires the CE to implement policies and procedures that
specify the proper functions to be performed and the manner in which those functions are to be
performed on a specific workstation or class of workstation that can be used to access ePHI
and that also specify the physical attributes of the surroundings of such workstations.
3. Workstation security. This standard requires the CE to implement physical safeguards for all
workstations that are used to access ePHI and to restrict access to authorized users.
4. Device and media controls. This standard requires the CE to implement policies and procedures
for the movement of hardware and electronic media that contain ePHI into and out of a facility
and within a facility. There are four implementation specifications with this standard:
Disposal (required). The CE must have a process for the final disposition of ePHI and of the
hardware and electronic media on which it is stored.
Media reuse (required). The CE must have a process for removal of ePHI from electronic media
before the media can be reused.
Accountability (addressable). The CE must maintain a record of movements of hardware and
electronic media and any person responsible for these items.
Data backup and storage (addressable). The CE must create a retrievable, exact copy of ePHI,
when needed, before movement of equipment.
The HIPAA Security Technical Safeguards section has five standards:

1. Access control. This standard requires the CE to implement technical policies and procedures
for electronic information systems that maintain ePHI in order to allow access only to those
persons or software programs that have been granted access rights as specified in the
administrative safeguards. There are four implementation specifications within this standard:
Unique user identification (required). The CE must assign a unique name or number for
identifying and tracking each user’s identity.
Emergency access procedure (required). The CE must establish procedures for obtaining
necessary ePHI in an emergency.
Automatic log-off (addressable). The CE must implement electronic processes that terminate an
electronic session after a predetermined time of inactivity.
Encryption and decryption (addressable). The CE should implement a mechanism to encrypt
and decrypt ePHI as needed.
2. Audit controls. This standard requires the CE to implement hardware, software, and procedures
that record and examine activity in the information systems that contain ePHI.
3. Integrity. This standard requires the CE to implement policies and procedures to protect ePHI
from improper alteration or destruction.
4. Person or entity authentication. This standard requires the CE to implement procedures to verify
that a person or entity seeking access to ePHI is in fact the person or entity claimed.
5. Transmission security. This standard requires the CE to implement technical measures to guard
against unauthorized access to ePHI being transmitted across a network. There are two
implementation specifications with this standard:
Integrity controls (addressable). The CE must implement security measures to ensure that
electronically transmitted ePHI is not improperly modified without detection.
Encryption (addressable). The CE should encrypt ePHI whenever it is deemed appropriate.
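The audit controls standard above records activity; the administrative "information system activity review" specification is what turns those records into findings. The following added example (not from the textbook or any vendor) runs a small review over constructed EHR audit-log lines, checking the events against three of the specifications described above: unique user identification, termination procedures, and workforce clearance/access authorization. The log format, the roster, the user IDs and every event are constructed for the illustration.

```python
"""Constructed example of a periodic information system activity review.
The log format, roster, and events are all made up for this illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed workforce roster: user ID -> (cleared role, separation date or None).
# Under the termination procedures specification, u1003's account should have
# been disabled on 2016-03-31.
WORKFORCE = {
    "u1001": ("nurse", None),
    "u1002": ("billing", None),
    "u1003": ("nurse", date(2016, 3, 31)),
}

# Record categories each role is cleared to view (workforce clearance /
# access authorization). Constructed for the example.
ROLE_CLEARANCE = {
    "nurse": {"clinical"},
    "billing": {"billing", "demographics"},
}

# Constructed EHR audit-log lines: timestamp|user_id|patient_mrn|category|action
SAMPLE_LOG = """\
2016-04-02T08:15:00|u1001|MRN-000123|clinical|view
2016-04-02T08:20:00|u1002|MRN-000123|billing|view
2016-04-02T09:05:00|u1003|MRN-000777|clinical|view
2016-04-02T09:10:00|u1001|MRN-000777|billing|view
2016-04-02T09:12:00||MRN-000777|clinical|view
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    user_id: str
    rule: str      # which Security Rule specification the event offends
    detail: str


def parse_line(raw):
    """Split one pipe-delimited audit record into typed fields."""
    ts, user_id, mrn, category, action = raw.split("|")
    return datetime.fromisoformat(ts), user_id, mrn, category, action


def review_activity(log_text, workforce=WORKFORCE, clearance=ROLE_CLEARANCE):
    """Return one Finding per event that fails a check, in log order."""
    findings = []
    for n, raw in enumerate(log_text.splitlines(), start=1):
        if not raw.strip():
            continue
        ts, user_id, mrn, category, _action = parse_line(raw)

        # Unique user identification: every event must be attributable to
        # exactly one rostered workforce member.
        if not user_id or user_id not in workforce:
            findings.append(Finding(n, user_id, "unique-user-id",
                                    "event cannot be attributed to a rostered user"))
            continue
        role, separated_on = workforce[user_id]

        # Termination procedures: no access after the separation date.
        if separated_on is not None and ts.date() > separated_on:
            days = (ts.date() - separated_on).days
            findings.append(Finding(n, user_id, "termination",
                                    f"access {days} days after separation on {separated_on}"))

        # Workforce clearance / access authorization: the role must be cleared
        # for the record category touched.
        if category not in clearance.get(role, set()):
            findings.append(Finding(n, user_id, "clearance",
                                    f"role {role!r} not cleared for {category!r} ({mrn})"))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a security officer would report."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in review_activity(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.rule}] user={f.user_id or '<none>'} {f.detail}")
    print(summarize(review_activity(SAMPLE_LOG)))
```

On the sample log the review flags the separated user's access, a nurse viewing billing records, and an event with no user identifier; a real review would also check sanction and incident-tracking records, which this example omits.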
The Policies, Procedures, and Documentation section has two standards:

Policies and procedures. This standard requires the CE to establish and implement policies and
procedures to comply with the standards, implementation specifications, and other
Documentation. This standard requires the CE to maintain the policies and procedures
implemented to comply with the Security Rule in written form. There are three implementation
Time limit (required). The CE must retain the documentation for six years from the date of its
creation or the date when it was last in effect, whichever is later.
Availability (required). The CE must make the documentation available to those persons
responsible for implementing the policies and procedures.
Updates (required). The CE must review the documentation periodically and update it as
HIPAA Breach Notification Rule
The HIPAA Breach Notification Rule requires CEs and their business associates to provide
notification following a breach of unsecured protected health information. “‘Unsecured’ PHI is
PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized
persons through the use of a technology or methodology specified by the Secretary in guidance”
(US Department of Health and Human Services, n.d.c). To meet the requirement of “secured”
PHI, it must have been encrypted using a valid encryption process, or the media on which the
PHI is stored have been destroyed. Paper or other hard copy media, such as film, must be
shredded or otherwise destroyed so that it cannot be read or reconstructed. Electronic media
must be “sanitized” according to accepted standards so that PHI cannot be retrieved (US
Department of Health and Human Services, n.d.c).

The notification requirements include, depending on the circumstances, notification to these

Individuals affected
The Health and Human Services Secretary (via the Office for Civil Rights [OCR])
Major media outlets
All individuals affected by breaches of unsecured PHI must be notified within a reasonable
length of time—less than sixty days—after the breach is discovered. If the CE does not have
sufficient information to contact ten or more individuals directly, the notification must be made on
the home page of its website for at least ninety days or by a major media outlet. A CE that
experiences a breach involving five hundred or more individuals must, in addition to sending
individual notices, provide notice to a major media outlet serving the area. This notification must
also be made within sixty days. All breaches must also be reported to the secretary of HHS; the
breaches involving more than five hundred individuals must be reported within sixty days; all
others may be reported on an annual basis (US Department of Health and Human Services,
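The notification rules above amount to a decision procedure keyed on whether the PHI was secured, how many individuals were affected, and how many cannot be reached. The following added example (not from the textbook or HHS) encodes that procedure; the thresholds are the ones stated above, "five hundred or more" is read as at least 500, and the breach scenarios, dates and counts are constructed.

```python
"""Constructed example of the Breach Notification Rule's decision logic.
Thresholds follow the text above; the breach facts are made up."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Breach:
    discovered_on: date
    individuals_affected: int
    secured: bool                      # encrypted per HHS guidance, or media destroyed
    unreachable_individuals: int = 0   # people the CE lacks contact details for


@dataclass
class NotificationPlan:
    required: bool
    individual_notice_by: Optional[date] = None
    substitute_notice: Optional[str] = None
    media_notice_by: Optional[date] = None
    hhs_report: Optional[str] = None
    hhs_report_by: Optional[date] = None


OUTER_DEADLINE = timedelta(days=60)   # notices are due within sixty days of discovery
MEDIA_THRESHOLD = 500                 # assumption: "five hundred or more" read as >= 500
SUBSTITUTE_NOTICE_THRESHOLD = 10      # ten or more individuals who cannot be contacted


def plan_notifications(breach):
    """Map the facts of a breach to the notifications the rule calls for."""
    # Secured PHI (encrypted or destroyed per HHS guidance) is outside the rule.
    if breach.secured:
        return NotificationPlan(required=False)

    deadline = breach.discovered_on + OUTER_DEADLINE
    plan = NotificationPlan(required=True, individual_notice_by=deadline)

    # Substitute notice when ten or more individuals cannot be contacted directly.
    if breach.unreachable_individuals >= SUBSTITUTE_NOTICE_THRESHOLD:
        plan.substitute_notice = "website home page for at least 90 days, or major media outlet"

    # Large breaches: media notice and a prompt report to the HHS Secretary (OCR).
    if breach.individuals_affected >= MEDIA_THRESHOLD:
        plan.media_notice_by = deadline
        plan.hhs_report = "report to HHS Secretary within 60 days"
        plan.hhs_report_by = deadline
    else:
        plan.hhs_report = "include in annual report to HHS Secretary"
    return plan


# Constructed scenarios (dates and counts are illustrative, not from any real case).
LAPTOP_UNENCRYPTED = Breach(date(2016, 1, 15), individuals_affected=4_000_000,
                            secured=False, unreachable_individuals=12)
LAPTOP_ENCRYPTED = Breach(date(2016, 1, 15), individuals_affected=4_000_000, secured=True)
SMALL_MISDIRECTED_FAX = Breach(date(2016, 2, 1), individuals_affected=41, secured=False)

if __name__ == "__main__":
    for name, b in [("unencrypted laptop", LAPTOP_UNENCRYPTED),
                    ("encrypted laptop", LAPTOP_ENCRYPTED),
                    ("misdirected fax", SMALL_MISDIRECTED_FAX)]:
        print(name, plan_notifications(b))
```

The encrypted-laptop scenario shows why the "secured" determination is the first question an incident responder asks: the same loss with encryption in place yields no notification obligation at all.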

HIPAA Enforcement and Violation Penalties
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is
responsible for enforcing HIPAA Privacy and Security rules. In addition, HITECH gave state
attorneys general the authority to bring civil actions on behalf of the residents of their states for
HIPAA violations. From April 2003 until May 2016, OCR received over 134,000 HIPAA
complaints and initiated 879 compliance reviews. The resolution of the complaints and
reviews is as follows (US Department of Health and Human Services, 2016):

Settled thirty-five cases resulting in $36,639,200 in penalties
Resolved 24,241 cases by requiring a change in privacy practices and corrective actions by, or
providing technical assistance to, CEs or business associates
Identified 11,018 cases as no violation and 79,865 cases as non-eligible
HIPAA criminal and civil penalties for noncompliance are applied using a tiered schedule that
ranges from $100 for a single violation, when the individual did not know he or she was not in
compliance, to $1,500,000 for multiple violations because of willful neglect. It is important to note
that civil penalties cannot be levied in situations when the violation is corrected within a specified
period of time.

The structure for HIPAA violations reflects four categories of violations and associated penalties.
Table 9.1 outlines the categories and penalties.
Table 9.1 HIPAA violation categories

Source: What are the penalties for HIPAA violations? (2015).

Violation Category | Category Fine*
Category 1: A violation that the CE was unaware of, and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA rules | Minimum fine of $100 per violation up to $50,000
Category 2: A violation that the CE should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA rules) | Minimum fine of $1,000 per violation up to $50,000
Category 3: A violation suffered as a direct result of “willful neglect” of HIPAA rules, in cases in which an attempt has been made to correct the violation | Minimum fine of $10,000 per violation up to $50,000
Category 4: A violation of HIPAA rules constituting willful neglect, and no attempt has been made to correct the violation | Minimum fine of $50,000 per violation
*The fines are issued per violation category, per year that the violation was allowed to persist. The maximum fine per violation category, per year, is $1,500,000.
In addition to these civil penalties, a HIPAA violation may result in criminal charges. The criminal
penalties are divided into the following three tiers (What are the penalties for HIPAA violations,

Tier 1: Reasonable cause or no knowledge of violation—Up to one year in jail
Tier 2: Obtaining PHI under false pretenses—Up to five years in jail
Tier 3: Obtaining PHI for personal gain or with malicious intent—Up to ten years in jail
As stated, most HIPAA violations are resolved with corrective action. In 2015 six financial
penalties were issued. However, a serious violation can cost a healthcare organization a
significant amount of money. One such case resulting in a substantial financial settlement is
outlined in the Perspective. The top ten largest fines levied for HIPAA violations as of August
2016 are listed in Table 9.2.

Table 9.2 Top ten largest fines levied for HIPAA violations as of August 2016

Source: Bazzoli (2016).

Organization | Individuals Affected | Fine Awarded ($ million) | Date Awarded
Advocate Health Care: Lacked appropriate safeguards, including an unencrypted laptop that was left in a vehicle overnight | 4 million | 5.55 | August 2016
New York Presbyterian Hospital and Columbia University: PHI accessible on Google and other search engines | 6,800 | 4.8 | May 2014
Cignet Health: Did not allow patients access to medical records and refused to cooperate with OCR | 41 | 4.3 | February 2011
Feinstein Institute for Medical Research: Lacked appropriate safeguards leading to theft | Unknown | 3.9 | March 2016
Triple-S Management Corp (Blue Cross/Blue Shield licensee in Puerto Rico): Did not deactivate user IDs and passwords, allowing previous employees to access PHI | 398,000 | 3.5 | November 2015
University of Mississippi Medical Center: Did not manage risks appropriately, although aware of risks and vulnerabilities | 10,000 | 2.75 | July 2016
Oregon Health & Science University: Lacked safeguards with regards to stolen laptop and used cloud storage without a business associate agreement in place | 7,000 | 2.7 | July 2016
CVS Pharmacy: Improperly disposed of PHI such as prescription labels | Unknown | 2.25 | January 2009
New York Presbyterian Hospital: Allowed filming of two patients for a TV series, creating the potential for PHI to be compromised. (Note: Hospital continues to maintain it was not a violation.) | Unknown | 2.2 | April 2016
Concentra Health Services: Failed to remediate an identified lack of encryption after an unencrypted laptop was stolen | 870 | 1.73 | April 2014
$750,000 HIPAA Settlement Underscores the Need for Organization-Wide Risk Analysis
The University of Washington Medicine (UWM) has agreed to settle charges that it potentially
violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
by failing to implement policies and procedures to prevent, detect, contain, and correct security
violations. UWM is an affiliated covered entity, which includes designated health care
components and other entities under the control of the University of Washington, including
University of Washington Medical Center, the primary teaching hospital of the University of
Washington School of Medicine. Affiliated covered entities must have in place appropriate
policies and processes to assure HIPAA compliance with respect to each of the entities that are
part of the affiliated group. The settlement includes a monetary payment of $750,000, a
corrective action plan, and annual reports on the organization’s compliance efforts.

The US Department of Health and Human Services Office for Civil Rights (OCR) initiated its
investigation of the UWM following receipt of a breach report on November 27, 2013, which
indicated that the electronic protected health information (e-PHI) of approximately 90,000
individuals was accessed after an employee downloaded an email attachment that contained
malicious malware. The malware compromised the organization’s IT system, affecting the data
of two different groups of patients: (1) approximately 76,000 patients involving a combination of
patient names, medical record numbers, dates of service, and/or charges or bill balances; and
(2) approximately 15,000 patients involving names, medical record numbers, other
demographics such as address and phone number, dates of birth, charges or bill balances,
Social Security numbers, insurance identification or Medicare numbers.

OCR’s investigation indicated UWM’s security policies required its affiliated entities to have
up-to-date, documented system-level risk assessments and to implement safeguards in
compliance with the Security Rule. However, UWM did not ensure that all of its affiliated entities
were properly conducting risk assessments and appropriately responding to the potential risks
and vulnerabilities in their respective environments.

Source: (2015). Used with permission.

Threats to Health Care Information
What are the threats to health care information systems? In general, threats to health care
information systems fall into one of these three categories:

Human tampering threats
Natural and environmental threats, such as floods and fire
Environmental factors and technology malfunctions, such as a drive that fails and has no
backup or a power outage
Threats to health care information systems from human beings can be intentional or
unintentional. They can be internal, caused by employees, or external, caused by individuals
outside the organization.

Intentional threats include knowingly disclosing patient information without authorization, theft,
intentional alteration of data, and intentional destruction of data. The culprit could be a computer
hacker, a disgruntled employee, or a prankster. Cybercrime directed at health information
systems has increased significantly in recent years. In the 2014–2015 two-year period, more
than 90 percent of health care organizations reported a health information security breach, and
of these reports, nearly half were because of criminal activity (Koch, 2016). Intentional
destruction or disruption of health care information is generally caused by some form of
malware, a general term for software that is written to “infect” and subsequently harm a host
computer system. The best-known form of malware is the computer virus, but there are others,
including the particularly virulent ransomware, attacks from which are on the rise in health care.

The following list includes common forms of malware with a brief description of each (Comodo,

Viruses are generally spread when software is shared among computers. It is a “contagious”
piece of software code that infects the host system and spreads itself.
Trojans (or Trojan Horses) are a type of virus specifically designed to look like a safe program.
They can be programmed to steal personal information or to take over the resources of the host
computer making it unavailable for its intended use.
Spyware tracks Internet activities assisting the hacker in gathering information without consent.
Spyware is generally hidden and can be difficult to detect.
Worms are software code that replicates itself and destroys files that are on the host computer,
including the operating system.
Ransomware is an advanced form of malware that hackers use to cripple the organization’s
computer systems through malicious code, generally launched via an e-mail that is opened
unwittingly by an employee, a method known as phishing. The malicious code then encrypts
and locks folders and operating systems. The hacker demands money, generally in the form of
bitcoins, a type of digital currency, to provide the decryption key to unlock the organization’s
systems (Conn, 2016).
Some of the causes of unintentional health information breaches are lack of training in proper
use of the health information system or human error. Users may unintentionally share patient
information without proper authorization. Other examples include users sharing passwords or
downloading information from nonsecure Internet sites, creating the potential for a breach in
security. Some of the more common forms of internal breaches of security across all industries
are the installation or use of unauthorized software, use of the organization’s computing
resources for illegal or illicit communications or activities (porn surfing, e-mail harassment, and
so forth), and the use of the organization’s computing resources for personal profit. Losing or
improperly disposing of electronic devices, including computers and portable electronic devices,
also constitutes a serious form of unintentional health information exposure. In 2015, the OCR
portal, which lists breach incidents potentially affecting five hundred or more individuals, reported
more than seventy-five thousand individuals’ data were breached either because of loss or
improper disposal of a device containing PHI (OCR, n.d.).

Threats from natural causes, such as fire or flood, are less common than human threats, but
they must also be addressed in any comprehensive health care information security program.
Loss of information because of environmental factors and technical malfunctions must be
secured against by using appropriate safeguards.

The Health Care Organization’s Security Program
The realization of any of the threats discussed in the previous section can cause significant
damage to the organization. Resorting to manual operations if the computers are down for days,
for example, can lead to organizational chaos. Theft or loss of organizational data can lead to
litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware
can corrupt databases, corruption from which there may be no recovery. The function of the
health care organization’s security program is to identify potential threats and implement
processes to remove these threats or mitigate their ability to cause damage. The primary
challenge of developing an effective security program in a health care organization is balancing
the need for security with the cost of security. An organization does not know how to calculate
the likelihood that a hacker will cause serious damage or a backhoe will cut through network
cables under the street. The organization may not fully understand the consequences of being
without its network for four hours or four days. Hence, it may not be sure how much to spend to
remove or reduce the risk.

Another challenge is maintaining a satisfactory balance between health care information system
security and health care data and information availability. As we saw in Chapter Two, the major
purpose of maintaining health information and health records is to facilitate high-quality care for
patients. On the one hand, if an organization’s security measures are so stringent that they
prevent appropriate access to the health information needed to care for patients, this important
purpose is undermined. On the other hand, if the organization allows unrestricted access to all
patient-identifiable information to all its employees, the patients’ rights to privacy and
confidentiality would certainly be violated and the organization’s IT assets would be at
considerable risk.

The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for
health care providers includes a chapter describing a seven-step approach for implementing a
security management process. The guidance is directed at physician practices or other small
health care organizations, and it does not include specific technical solutions. Specific solutions
for security protection will be driven by the organization’s overall plan and will be managed by
the organization’s IT team. Larger organizations must also develop comprehensive security
programs and will follow the same basic steps, but they will likely have more internal resources for
security than smaller practices.

Each step in the ONC security management process for health care providers is listed in the
following section.

Step 1: Lead Your Culture, Select Your Team, and Learn
This step includes six actions:

Designate a security officer, who will be responsible for developing and implementing the
security practices to meet HIPAA requirements and ensure the security of PHI.
Discuss HIPAA security requirements with your EHR developer to ensure that your system can
be implemented to meet the security requirements of HIPAA and Meaningful Use.
Consider using a qualified professional to assist with your security risk analysis. The security
risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to
health information within the organization.
Use tools to preview your security risk analysis. Examples of available tools are listed within
Step 3.
Refresh your knowledge base of the HIPAA rules.
Promote a culture of protecting patient privacy and securing patient information. Make sure to
communicate that all members of the organization are responsible for protecting patient
Step 2: Document Your Process, Findings, and Actions
Documenting the processes for risk analysis and implementation of safeguards is very important, not to mention a requirement of HIPAA. The following are some examples cited by the ONC of records to retain:

  • Policies and procedures
  • Completed security checklists (ESET, n.d.)
  • Training materials presented to staff members and volunteers and any associated certificates of
  • Updated business associate (BA) agreements
  • Security risk analysis report
  • EHR audit logs that show utilization of security features and efforts to monitor users’ actions
  • Risk management action plan or other documentation that shows appropriate safeguards are in place throughout your organization, implementation timetables, and implementation notes
  • Security incident and breach information

Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a corresponding web address.

Table 9.3 Resources for conducting a comprehensive risk analysis

  • OCR’s Guidance on Risk Analysis Requirements under the HIPAA Rule
  • OCR Security Rule Frequently Asked Questions (FAQs)
  • ONC SRA (Security Risk Assessment) Tool for small practices
  • National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit

The three basic actions recommended for the organization’s first comprehensive security risk analysis are as follows:

  • Identify where ePHI exists.
  • Identify potential threats and vulnerabilities to ePHI.
  • Identify risks and their associated levels.

Step 4: Develop an Action Plan
As discussed, the HIPAA Security Plan provides flexibility in how to achieve compliance, which allows an organization to take into account its specific needs. The action plan should include five components. Once in place, the plan should be reviewed regularly by the security team, led by the security officer.

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Organizational standards
  • Policies and procedures

Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be

Table 9.4 Common examples of vulnerabilities and mitigation strategies

Source: ONC (2015).

Security component: Administrative safeguards
  Examples of vulnerabilities:
  • No security officer is designated.
  • Workforce is not trained or is unaware of privacy and security issues.
  Examples of security mitigation strategies:
  • Security officer is designated and publicized.
  • Workforce training begins at hire and is conducted on a regular and frequent basis.
  • Security risk analysis is performed periodically and when a change occurs in the practice or the

Security component: Physical safeguards
  Examples of vulnerabilities:
  • Facility has insufficient locks and other barriers to patient data access.
  • Computer equipment is easily accessible by the public.
  • Portable devices are not tracked or not locked up when not in use.
  Examples of security mitigation strategies:
  • Building alarm systems are
  • Offices are locked.
  • Screens are shielded from secondary viewers.

Security component: Technical safeguards
  Examples of vulnerabilities:
  • Poor controls enable inappropriate access to EHR.
  • Audit logs are not used enough to monitor users and other EHR activities.
  • No measures are in place to keep electronic patient data from improper changes.
  • No contingency plan exists.
  • Electronic exchanges of patient information are not encrypted or otherwise secured.
  Examples of security mitigation strategies:
  • Secure user IDs, passwords, and appropriate role-based access are used.
  • Routine audits of access and changes to EHR are conducted.
  • Anti-hacking and anti-malware software is installed.
  • Contingency plans and data backup plans are in place.
  • Data is encrypted.

Security component: Organizational standards
  Examples of vulnerabilities:
  • No breach notification and associated policies exist.
  • BA agreements have not been updated in several years.
  Examples of security mitigation strategies:
  • Regular reviews of agreements are conducted and updates made accordingly.

Security component: Policies and procedures
  Examples of vulnerabilities:
  • Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed.
  • The manager performs ad hoc security measures.
  Examples of security mitigation strategies:
  • Written policies and procedures are implemented and staff members are trained.
  • Security team conducts a monthly review of user activities.
  • Routine updates are made to document security measures.

Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by all employees in the organization. This step has four actions associated with it.

  • Implement your plan.
  • Prevent breaches by educating and training your workforce.
  • Communicate with patients.
  • Update your BA contracts.

Step 6: Attest for Meaningful Use Security Related Objective
Organizations can attest to the EHR Incentive Program security-related objective after the
security risk analysis and correction of any identified deficiencies.

Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that
the organization’s monitoring and auditing functions are active and configured appropriately.
Auditing and monitoring are necessary to determine the adequacy and effectiveness of the
security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015,
p. 54) patients’ ePHI is accessed.
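
The checks below are an added example, not part of the ONC guide or this chapter: a short Python script that runs three routine reviews over a constructed EHR audit export. The column names, user IDs, patient IDs, role baselines, and care-team assignments are all assumptions. It answers the “who, what, when, where” question for one patient’s record, flags users who touched more distinct patients in a day than their role’s baseline, and flags accesses by users with no documented relationship to the patient.

```python
import csv
import io
from collections import defaultdict

# Constructed sample EHR audit export (not real data). Columns: timestamp,
# user, patient_id, action, workstation. Names and values are assumptions.
SAMPLE_AUDIT_LOG = """\
timestamp,user,patient_id,action,workstation
2016-08-08T09:12:04,msmith,P1001,view,HIM-WS1
2016-08-08T09:15:30,msmith,P1002,view,HIM-WS1
2016-08-08T09:16:10,msmith,P1003,view,HIM-WS1
2016-08-08T10:02:11,jdoe,P2001,view,ER-WS3
2016-08-08T10:05:40,jdoe,P2001,update,ER-WS3
2016-08-08T10:40:00,jdoe,P2002,view,ER-WS3
2016-08-08T10:41:30,jdoe,P2003,view,ER-WS3
2016-08-08T10:42:15,jdoe,P1001,view,ER-WS3
2016-08-08T13:00:00,rlee,P2001,view,BILL-WS2
"""

# Constructed role assignments and per-role baselines for how many distinct
# patients a user normally touches in a day (HIM coders legitimately see many,
# so a single global threshold would produce false positives).
USER_ROLES = {"msmith": "him_staff", "jdoe": "er_nurse", "rlee": "billing"}
ROLE_DAILY_PATIENT_BASELINE = {"him_staff": 50, "er_nurse": 3, "billing": 20}

# Constructed treatment/payment relationships: which users may see which patient.
CARE_TEAM = {
    "P1001": {"msmith"}, "P1002": {"msmith"}, "P1003": {"msmith"},
    "P2001": {"jdoe", "rlee"}, "P2002": {"jdoe"}, "P2003": {"jdoe"},
}


def parse_audit_log(text):
    """Parse the CSV audit export into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def distinct_patients_per_user(events):
    """Count how many different patient records each user touched."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient_id"])
    return {user: len(patients) for user, patients in seen.items()}


def flag_unusual_volume(events, roles=USER_ROLES, baselines=ROLE_DAILY_PATIENT_BASELINE):
    """Users who looked at more distinct patients than their role's baseline."""
    counts = distinct_patients_per_user(events)
    return sorted(u for u, n in counts.items() if n > baselines[roles[u]])


def flag_no_relationship(events, care_team=CARE_TEAM):
    """(user, patient) pairs where the user has no documented relationship."""
    hits = {(e["user"], e["patient_id"]) for e in events
            if e["user"] not in care_team.get(e["patient_id"], set())}
    return sorted(hits)


def patient_access_trail(events, patient_id):
    """The who/what/when/where answer for one patient's record."""
    return [(e["timestamp"], e["user"], e["action"], e["workstation"])
            for e in events if e["patient_id"] == patient_id]


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("unusual volume:", flag_unusual_volume(evs))
    print("no relationship:", flag_no_relationship(evs))
    print("trail for P1001:", patient_access_trail(evs, "P1001"))
```

On the constructed data the volume check flags only the ER nurse (four distinct patients against a baseline of three), and the relationship check flags that nurse’s view of a patient who is not on the nurse’s care team; the HIM director’s three lookups are well within her role’s baseline and are not flagged.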

Beyond HIPAA: Cybersecurity for Today’s Wired Environment
Clearly, HIPAA is an important legislative act aimed at protecting health data and information. However, in today’s increasingly wired environment, health care organizations face threats that were not present when HIPAA was enacted. In June 2016, 41 percent of all data breaches were because of cybercrime—hacking. In July of the same year a single hacker was responsible for 30 percent of the health care data breached (Sullivan, 2016). Experts argue that health care organizations are easy targets for cybercriminals because they are inadequately prepared. The average health care provider spends less than 6 percent of its total IT budget on security, compared to the government, which spends 16 percent, and the banking industry, which spends between 12 and 15 percent. One estimate attributes the increase in cybercrime against health care organizations, at least in part, to PHI’s value on the black market, where PHI has been estimated to be fifty times more valuable than financial information (Koch, 2016; Siwicki, 2016).

The reality of today’s environment is that there are more entry points into health care information
networks and computers than ever before. Mobile devices, cloud use, the use of smart
consumer products, health care devices with Internet connectivity, along with more employees
connecting to health care networks from remote locations create an increased need for
cybersecurity in health care organizations. One recent survey found that among medical
students and physicians 93.7 percent owned smartphones and 82.9 percent had used them in a
clinical setting. Perhaps the most surprising aspect of the survey was that none of the respondents believed using the devices increased the risk of breaching patient information (Buchholz, Perry, Weiss, & Cooley, 2016).

So-called mHealth technologies, which include entities that support personal health records and
cloud-based or mobile applications that collect patient information directly from patients or allow
uploading of health-related data from wearable devices, are also on the rise, as is the use of
health-related social media sites. These technologies were not addressed in HIPAA and,
therefore, do not meet the criteria as a CE (DeSalvo & Samuels, 2016).

To help health care organizations combat cyber attacks and improve cybersecurity, the ONC (n.d.) published the Top 10 Tips for Cybersecurity in Health Care. The first tip reminds health care organizations to establish a security culture, the same initial tip in their guidance for developing a security plan, which clearly emphasizes the importance of this aspect of any security program. The other tips in the publication contain more specific ways to mitigate the threat from cyber attacks. These tips are listed with specific checkpoints to ensure security (ONC, n.d.). The full version of the top-ten document is available at

Protect Mobile Devices
  • Ensure your mobile devices are equipped with strong authentication and access controls.
  • Ensure laptops have password protection.
  • Enable password protection on handheld devices (if available). Take extra physical control precautions over the device if password protection is not provided.
  • Protect wireless transmissions from intrusion.
  • Do not transmit unencrypted PHI across public networks (e.g., Internet, Wi-Fi).
  • When it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data.
  • Do not use mobile devices that cannot support encryption.
  • Develop and enforce policies specifying the circumstances under which devices may be removed from the facility.
  • Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.

Maintain Good Computer Habits
  • Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools).
  • Do not simply accept defaults or “standard” configurations when installing software.
  • Find out whether the EHR developer maintains an open connection to the installed software (a “back door”) in order to provide updates and support.
  • Disable remote file sharing and remote printing within the operating system (e.g., Windows Operating System).
  • Automate software updates to occur weekly (e.g., use Microsoft Windows Automatic Update).
  • Monitor for critical and urgent patches and updates that require immediate attention and act on them as soon as possible.
  • Disable user accounts for former employees quickly and appropriately.
  • If an employee is to be involuntarily terminated, close access to the account before the notice of termination is served.
  • Prior to disposal, sanitize computers and any other devices that have had data stored on them.
  • Archive old data files for storage if needed or clean them off the system if not needed, subject to applicable data retention requirements.
  • Fully uninstall software that is no longer needed (including trial software and old versions of current software).
  • Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.

Use a Firewall
  • Unless your electronic health record (EHR) and other systems are totally disconnected from the Internet, you must install a firewall to protect against intrusions and threats from outside
  • Larger health care organizations that use a local area network (LAN) should consider a hardware firewall.

Install and Maintain Antivirus Software
  • Use an antivirus product that provides continuously updated protection against viruses, malware, and other code that can attack your computers through web downloads, CDs, e-mail, and flash drives.
  • Keep antivirus software up-to-date.
  • Most antivirus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.

Plan for the Unexpected
  • Create data backups regularly and reliably.
  • Begin backing up data from day one of a new system.
  • Ensure the data are being captured correctly.
  • Ensure the data can be quickly and accurately restored.
  • Use an automated backup system, if possible.
  • Consider storing the backup far away from the main system.
  • Protect backup media with the same type of access controls described in the next section.
  • Test backup media regularly for their ability to restore data properly, especially as the backups
  • Have a sound recovery plan. Know the following:
    – What data was backed up (e.g., databases, pdfs, tiffs, docs)
    – When the backups were done (time frame and frequency)
    – Where the backups are stored
    – What types of equipment are needed to restore them
  • Keep the recovery plan securely at a remote location where someone has responsibility for producing it in the event of an emergency.
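
The restore drill below is an added example, not code from the ONC tips or this chapter. It shows, in Python, what “ensure the data can be quickly and accurately restored” and “test backup media regularly” look like in practice: every file is archived together with a manifest of SHA-256 hashes taken at backup time, the archive is restored into a scratch location, and the restored tree is checked against the manifest so that a missing or altered file is reported rather than discovered during an emergency. The file names and contents are constructed sample data.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir: Path, backup_dir: Path):
    """Archive every file under source_dir and write a manifest of per-file
    SHA-256 hashes beside the archive; the manifest is what later proves a
    restore is complete and unaltered."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / "ehr-backup.tar.gz"
    manifest_path = backup_dir / "ehr-backup.manifest.json"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def restore_backup(archive: Path, target_dir: Path) -> None:
    """Extract the archive into target_dir (a scratch area for the drill)."""
    target_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # newer Pythons: refuse unsafe member paths
            tar.extractall(str(target_dir), filter="data")
        else:
            tar.extractall(str(target_dir))


def verify_restore(manifest_path: Path, restored_dir: Path) -> dict:
    """Compare the restored tree against the manifest captured at backup time."""
    manifest = json.loads(manifest_path.read_text())
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restored_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    return {"checked": len(manifest), "missing": missing, "corrupt": corrupt,
            "ok": not missing and not corrupt}


def run_restore_drill() -> dict:
    """End-to-end drill on constructed sample files: back up, restore to a
    scratch location, verify, then show that a damaged restore is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "records").mkdir(parents=True)
        (live / "records" / "patient_1001.txt").write_text("constructed sample record 1001\n")
        (live / "records" / "patient_1002.txt").write_text("constructed sample record 1002\n")
        (live / "audit.log").write_text("2016-08-08T09:12:04 msmith view P1001\n")

        archive, manifest = create_backup(live, root / "backups")
        restored = root / "restore-test"
        restore_backup(archive, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a bad restore: one file altered, one file lost.
        (restored / "records" / "patient_1001.txt").write_text("damaged\n")
        (restored / "audit.log").unlink()
        damaged = verify_restore(manifest, restored)
        return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The manifest should be stored with the backup media and protected by the same access controls, because a restore that merely “completes” says nothing about whether the records are intact; only the hash comparison does.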
Control Access to PHI
  • Configure your EHR system to grant PHI access only to people with a “need to know.” This access control system might be part of an operating system (e.g., Windows), built into a particular application (e.g., an e-prescribing module), or both.
  • Manually set file access permissions using an access control list. This can only be done by someone with authorized rights to the system. Prior to setting these permissions, identify which files should be accessible to which staff
  • Configure role-based access control as needed. In role-based access, a staff member’s role within the organization (e.g., physician, nurse, billing specialist, etc.) determines what information may be accessed. Assign staff members to the correct roles and then set the access permissions for each role correctly on a need-to-know basis.

The following case on access control provides additional examples of access control.

Case Study
Access Control
Mary Smith is the director of the health information management department in a hospital. Under
a user-based access control scheme, Mary would be allowed read-only access to the hospital’s
laboratory information system because of her personal identity—that is, because she is Mary
Smith and uses the proper log-in and password(s) to get into the system. Under a role-based
control scheme, Mary would be allowed read-only access to the hospital’s lab system because
she is part of the health information management department and all department employees
have been granted read-only privileges for this system. If the hospital were to adopt a
context-based control scheme, Mary might be allowed access to the lab system only from her
own workstation or another workstation in the health information services department, provided
she used her proper log-in and password. If she attempted to log in from the emergency
department or another administrative office, she might be denied access. The context control
could also involve time of day. Because Mary is a daytime employee, she might be denied
access if she attempted to log in at night.
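
To make the three schemes in the case concrete, the following Python is an added example (not from the chapter) that evaluates one access request under user-based, role-based, and context-based control side by side. The user IDs, the department and hour values, the “him_staff” and “er_nurse” roles, and the daytime window are all assumptions chosen to match the case study; a real EHR would draw them from its directory and policy store.

```python
from dataclasses import dataclass

# Constructed data modelled on the case study: "msmith" (Mary Smith, an
# assumed user id) works days in the HIM department and needs read-only
# access to the laboratory system ("lab"). "jdoe" is an invented ER nurse.


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str            # "read" or "write"
    workstation_dept: str  # department that owns the workstation in use
    hour: int              # local hour of day, 0-23


# 1. User-based: permissions are attached directly to the individual identity.
USER_PERMISSIONS = {
    "msmith": {("lab", "read")},
}

# 2. Role-based: permissions are attached to a role; users are assigned roles.
USER_ROLES = {"msmith": "him_staff", "jdoe": "er_nurse"}
ROLE_PERMISSIONS = {
    "him_staff": {("lab", "read")},
    "er_nurse": {("lab", "read"), ("lab", "write")},
}

# 3. Context-based: a role permission may only be exercised from certain
#    departments' workstations and during certain hours (Mary works days).
CONTEXT_RULES = {
    "msmith": {"departments": {"him"}, "hours": range(7, 18)},
    "jdoe": {"departments": {"er"}, "hours": range(0, 24)},
}


def user_based_allowed(req: AccessRequest) -> bool:
    return (req.resource, req.action) in USER_PERMISSIONS.get(req.user, set())


def role_based_allowed(req: AccessRequest) -> bool:
    role = USER_ROLES.get(req.user)
    return (req.resource, req.action) in ROLE_PERMISSIONS.get(role, set())


def context_based_allowed(req: AccessRequest) -> bool:
    """Role-based decision, further constrained by where and when."""
    if not role_based_allowed(req):
        return False
    ctx = CONTEXT_RULES.get(req.user)
    if ctx is None:
        return False  # no context profile on file: fail closed
    return req.workstation_dept in ctx["departments"] and req.hour in ctx["hours"]


def decide(req: AccessRequest) -> dict:
    """Evaluate one request under all three schemes discussed in the case."""
    return {
        "user_based": user_based_allowed(req),
        "role_based": role_based_allowed(req),
        "context_based": context_based_allowed(req),
    }


if __name__ == "__main__":
    scenarios = {
        "Mary, HIM workstation, 10:00": AccessRequest("msmith", "lab", "read", "him", 10),
        "Mary, ER workstation, 10:00": AccessRequest("msmith", "lab", "read", "er", 10),
        "Mary, HIM workstation, 22:00": AccessRequest("msmith", "lab", "read", "him", 22),
    }
    for label, req in scenarios.items():
        print(label, decide(req))
```

Mary reading the lab system from her own department during the day passes all three checks; the same request from the emergency department, or from her desk at night, still passes the user-based and role-based checks but is denied by the context-based rule, which is exactly the distinction the case draws.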

Use Strong Passwords
Choose a password that is not easily guessed. Following are some examples of strong password characteristics:
  • At least eight characters in length (the longer the better)
  • A combination of uppercase and lowercase letters, one number, and at least one special character, such as a punctuation mark
Strong passwords should not include personal information:
  • Birth date
  • Names of self, family members, or pets
  • Social Security number
  • Anything that is on your social networking sites or could otherwise be discovered easily by
Use multifactor authentication for more security. Multifactor authentication combines multiple authentication methods, such as a password plus a fingerprint scan; this results in stronger security protections. If you e-prescribe controlled substances, you must use multifactor authentication for your accounts.
Configure your systems so that passwords must be changed on a regular basis.
To discourage staff members from writing down their passwords, develop a password reset process to provide quick assistance in case of forgotten passwords.
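
As an added example (not from the ONC tips or this chapter), the Python below turns the password characteristics just listed into a checker an organization could run when a staff member sets a password. It enforces the length and character-class rules and rejects passwords containing the personal details the text names (names of self, family or pets, birth date in several common spellings, Social Security number). The sample personal details are constructed and the rule wording is an assumption.

```python
import re
from datetime import date

# Constructed personal details for one user (assumed, not from the text).
SAMPLE_PERSONAL_INFO = {
    "names": ["Mary", "Smith", "Rex"],  # self, family members, pets
    "birth_date": date(1975, 3, 14),
    "ssn": "123-45-6789",
}


def personal_tokens(info: dict) -> set:
    """Strings that must not appear in a password: names, date spellings, SSN digits."""
    tokens = {n.lower() for n in info.get("names", []) if len(n) >= 3}
    bd = info.get("birth_date")
    if bd:
        # Several ways people write a birth date: 19750314, 03141975, 031475, ...
        for fmt in ("%Y%m%d", "%m%d%Y", "%m%d%y", "%d%m%Y", "%Y", "%m%d"):
            tokens.add(bd.strftime(fmt))
    ssn = re.sub(r"\D", "", info.get("ssn", ""))
    if ssn:
        tokens.add(ssn)        # full number
        tokens.add(ssn[-4:])   # last four digits, often used as a "secret"
    return tokens


def password_findings(password: str, info: dict) -> list:
    """Return the policy rules the password breaks (an empty list means it passes)."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase letter")
    if not re.search(r"\d", password):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no special character")
    lowered = password.lower()
    for token in sorted(personal_tokens(info)):
        if token in lowered:
            findings.append(f"contains personal information ({token})")
    return findings


def is_strong(password: str, info: dict) -> bool:
    return not password_findings(password, info)


if __name__ == "__main__":
    for candidate in ("Mary1975!!", "tr0ub4dor&3", "correct-Horse7battery"):
        print(candidate, password_findings(candidate, SAMPLE_PERSONAL_INFO) or "accepted")
```

Note that the personal-information check only works if the system knows the staff member’s details; in practice that means checking against the HR record at the time the password is set, never storing the password itself.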

Limit Network Access
  • Prohibit staff members from installing software without prior approval.
  • When a wireless router is used, set it up to operate only in encrypted mode.
  • Prohibit casual network access by visitors.
  • Check to make sure file sharing, instant messaging, and other peer-to-peer applications have not been installed without explicit review and approval.

Control Physical Access
  • Limit the chances that devices (e.g., laptops, handhelds, desktops, servers, thumb drives, CDs, backup tapes) may be tampered with, lost, or stolen.
  • Document and enforce policies limiting physical access to devices and information:
    – Keep machines in locked rooms.
    – Manage keys to facilities.
    – Restrict removal of devices from a secure area.

National Institute of Standards and Technology (NIST) Cybersecurity Framework
Recognizing the severity of the rise in cybercrime, President Obama issued an executive order in February 2013 to “enhance the security and resilience of the Nation’s critical infrastructure” (Executive Order 13636). As a result, the National Institute of Standards and Technology (NIST) was directed to develop, with the help of stakeholder organizations, a voluntary cybersecurity framework to reduce cyber-attack risks. The resulting NIST cybersecurity framework consists of three components (NIST, n.d.):

  • The Framework Core consists of “five concurrent and continuous Functions—Identify, Protect, Detect, Respond, Recover.” The functions provide “the highest level, strategic view of an organization’s management of cybersecurity risk” (NIST, n.d., p. 4). The functions are divided into categories and subcategories as shown in Exhibit 9.2.
  • The Framework Implementation Tiers characterize an organization’s actual cybersecurity practices compared to the framework, using a range of tiers from partial (Tier 1) to adaptive (Tier
  • The Framework Profile documents outcomes obtained by reviewing all of the categories and subcategories and comparing them to the organization’s business needs. Profiles can be identified as “current,” documenting where the organization is now, or as “target,” where the organization would like to be in the future.

Since its initial publication in 2014, HHS, OCR, and the ONC have cited the framework as an important tool for health care organizations to consider when developing a comprehensive security program. In 2016, OCR published a crosswalk that maps the HIPAA Security Rule to the NIST framework, which can be found at (US Department of Health and Human Services, n.d.a).

In this chapter we gained insight into why health information privacy and security are key topics for healthcare administrators. In today’s ever-increasing electronic world with new and more virulent threats, the security of health information is an ongoing concern. In this chapter we examined and defined the concepts of privacy, confidentiality, and security and explored major legislative efforts, historical and current, to protect health care information, with a focus on the HIPAA Privacy, Security, and Breach Notification rules. Different types of threats, human, natural and environmental, intentional and unintentional, were identified, with a focus on the increase in cybercrime. Basic requirements for a strong health care organization security program were outlined and the chapter ended with a discussion of the cybersecurity challenges within the current healthcare environment.

American Health Information Management Association (AHIMA). (2003). Final Rule for HIPAA security standards. Chicago, IL: Author.
Bazzoli, F. (2016, Aug. 9). 12 largest fines levied for HIPAA violations. Health Data Management. Retrieved August 9, 2016, from
Buchholz, A., Perry, B., Weiss, L. B., & Cooley, D. (2016). Smartphone use and perceptions among medical students and practicing physicians. Journal of Mobile Technology in Medicine, 5(1), 27–32. doi:10.7309/jmtm.5.1.5
Centers for Medicare and Medicaid Services (CMS). (2004). HIPAA administrative simplification: Security—Final Rule. Retrieved November 2004 from
Comodo. (2014, Aug. 4). Malware versus viruses: What’s the difference? Retrieved August 10, 2016, from
Conn, J. (2016, Feb. 18). Hospital pays hackers $17,000 to unlock EHRs frozen in “ransomware” attack. Retrieved November 11, 2016, from
Coppersmith, Gordon, Schermer, & Brockelman, PLC. (2012). HITECH Act expands HIPAA privacy and security rules. Retrieved March 2012 from
DeSalvo, K. B., & Samuels, J. (2016, July 19). Examining oversight of the privacy & security of health data collected by entities not regulated by HIPAA. Health IT Buzz. Retrieved August 10, 2016, from
Goedert, J. (2016, Aug. 8). Hack of Banner systems highlights the need for more firewalls. Retrieved August 10, 2016, from
(2015). $750,000 HIPAA settlement underscores the need for organization-wide risk analysis. Retrieved from
ESET. (n.d.). HIPAA security checklist [Brochure]. Retrieved August 8, 2016, from
Koch, D. D. (2016, Spring). Is HIPAA Security Rule enough to protect electronic personal health information (PHI) in the cyber age? Journal of Health Care Finance. Retrieved August 8, 2016, from
National Institute of Standards and Technology (NIST). (2016). Framework for improving critical infrastructure cybersecurity. Retrieved from
National Institute of Standards and Technology (NIST). (n.d.). Cybersecurity framework. Retrieved August 10, 2016, from
ONC. (2015). Guide to privacy and security of electronic health information. Retrieved from
ONC. (n.d.). Top 10 tips for cybersecurity in health care [Brochure]. Retrieved August 8, 2016, from
Siwicki, B. (2016, May 17). Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities. Healthcare IT News. Retrieved August 10, 2016, from
Sullivan, T. (2016, Aug. 9). “DarkOverLord” ransomware accounts for nearly 30 percent of health data breaches in July. Healthcare IT News. Retrieved August 10, 2016, from
Office for Civil Rights (OCR). (n.d.). HHS Breach Portal. Retrieved August 8, 2016, from
US Department of Health and Human Services. (2016, Sept. 30). Enforcement highlights. Retrieved August 8, 2016, from
US Department of Health and Human Services. (n.d.a). Addressing gaps in cybersecurity: OCR releases crosswalk between HIPAA Security Rule and NIST cybersecurity framework. Retrieved August 10, 2016, from
US Department of Health and Human Services. (n.d.b). Breach Notification Rule. Retrieved August 8, 2016, from
US Department of Health and Human Services. (n.d.c). Guidance to render unsecured protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Retrieved August 8, 2016, from
What are the penalties for HIPAA violations? (2015, June 14). HIPAA Journal. Retrieved from

8/16/22, 7:35 PM CMS Crosswalk


The Joint Commission July 1, 2022 Requirements


Information Management


The hospital follows a written plan for
managing interruptions to its
information processes (paper-based,
electronic, or a mix of paper-based and

CMS Medicare Requirements


§482.15 Condition of Participation: Emergency

The hospital must comply with all applicable
Federal, State, and local emergency
preparedness requirements. The hospital must
develop and maintain a comprehensive
emergency preparedness program that meets
the requirements of this section, utilizing an all-
hazards approach. The emergency
preparedness program must include, but not be
limited to, the following elements:

(b) Policies and procedures. The hospital
must develop and implement emergency
preparedness policies and procedures,
based on the emergency plan set forth in
paragraph (a) of this section, risk
assessment at paragraph (a)(1) of this
section, and the communication plan at
paragraph (c) of this section. The policies
and procedures must be reviewed and
updated at least every 2 years. At a
minimum, the policies and procedures must
address the following:

TAG: E-0023
(5) A system of medical
documentation that preserves
patient information, protects
confidentiality of patient
information, and secures and
maintains the availability of records.


The Joint Commission July 1, 2022 Requirements


Information Management


The hospital’s plan for managing interruptions to information processes addresses the following:
  • Scheduled and unscheduled interruptions of electronic information systems
  • Training for staff and licensed independent practitioners on alternative procedures to follow when electronic information systems are unavailable
  • Backup of electronic information systems (See also IM.03.01.01, EP 1)

CMS Medicare Requirements: §482.15 Condition of Participation: Emergency, paragraph (b)(5), TAG: E-0023 (the CMS requirement text is identical to the crosswalk entry above).
