Evaluating the Security Safeguards in Hospital Information System According to the Health Insurance Portability and Accountability Act of University Hospitals in Shiraz University of Medical Sciences, Iran*

Document Type : Original Article

Authors
Roxana Sharifian 1
Mohtaram Nematollahi 2
Hossein Monem 3
Fatemeh Ebrahimi 4
1 Assistant Professor, Health Information Management, School of Management and Medical Information Sciences, Shiraz University of Medical Sciences, Shiraz, Iran (Corresponding Author) Email: sharifianr@sums.ac.ir
2 Assistant Professor, Health Information Management, School of Management and Medical Information Sciences, Shiraz University of Medical Sciences, Shiraz, Iran
3 PhD Student, Information System, School of Computer and Information System, University Technology Malaysia (UTM), KualaLumpur, Malaysia
4 Medical Records, Shiraz University of Medical Sciences, Shiraz, Iran
Abstract
Introduction: One of the main characteristics of a hospital information system (HIS) is confidentiality.
Studies have shown that the security requirements on electronic health records are not fully met in Iran.
This study was conducted to determine the percentage of HIPAA (health insurance portability and
accountability act) security safeguard application in university hospitals of Shiraz University of Medical
Sciences in 2010.
Methods: This was a cross-sectional descriptive study. The study population included university hospitals
of Shiraz University of Medical Sciences equipped with HIS. Data were collected by a checklist through
interview with the IT authorities of the hospitals. The checklist was in accordance with HIPAA security
standard rules. Tool validity was checked by the content validity method. Data were analyzed using
descriptive statistics.
Results: The risk management and data backup plan, two out of seven required administrative security
safeguards (i.e. risk analysis, risk management, sanction policy, information system activity review, data
backup plan, disaster recovery plan, and emergency mode operation plan), were fully applied in all the
hospitals. Both of two required physical security safeguards, disposal and media reuse, were applied in the
majority of the hospitals. Of the two required technical security safeguards, unique user identifications,
and emergency access procedure were applied only in one of the hospitals.
Conclusion: Operational planning must be implemented in order to increase the application of required
administrative security safeguards. Full application of the required physical security safeguards, which are
close to reach, and the required technical security safeguards could be the main steps in promoting
security of the HIS.

Keywords

1. Jantzen T. What is HIS [Online]. 2006; Available from: URL:
http://www.crwr.utexas.edu/gis/gishydro06/GISandHIS/WhatIsHIS.htm/
2. Ahmadi M. Electronic Health Record, Structure, Content, and Evaluation. Tehran, Iran: Jafari Publication; 2008.
[In Persian].
3. Huffman E. Electronic Medical Record. Trans. Langarizadeh M, Shahverdian N. Tehran, Iran: Dibagaran
Publication; 2006.
4. Farzandipour M, Sadoughi F, Ahmadi M, Karimi I. Designing a Confidentiality Principles Model of Electronic
Health Record for Iran 2007. J Health Adm 2008; 11(33): 33-46.
5. Torabi M, Safdari R. Electronic Medical Record. Tehran, Iran: Behineh Publication; 2004. [In Persian].
6. Sadoughi F, Khoshkam M, Behnam S. Acomparative investigation of the access levels and confidentiality of
medical documents in Iran and selected countries. J Health Adm 2007; 10(28): 49-56. [In Persian].
7. Sadoughi F, Ahmadi M, Karimi I, Farzandipour M. Safety Requirements for Health Electronic File; Comparison
between Selected Countries. Health Inf Manage 2007; 4(1): 1-10. [In Persian].
8. Hajavi A, Khoshgam M, Hatami M. A Comparative Study on regarding Rate of the Privacy Principles in legal
Issues by WHO Manual at Teaching Hospitals of Iran, Tehran and Shahid Beheshti Medical Sciences
Universities; 2007. J Health Adm 2008; 11(33): 7-16.                                                                                                                  9. University information technology services. What is electronic protected health information (ePHI) [Online].
2009; Available from: URL: http://kb.iu.edu/data/ayyz.html/
10.Mastane Z, Ali Pour J. Health Care Information Systems. Bandar Abbas, Iran: Rasool Publication; 2010.
[In Persian].
11.Wager KA, Lee FW, Glaser JP. Managing Health Care Information Systems: A Practical Approach for Health
Care Executives. New Jersey, NJ: John Wiley & Sons; 2005.
12.Kline JA, Johnson CL, Webb WB, Runyon MS. Prospective study of clinician-entered research data in the
Emergency Department using an Internet-based system after the HIPAA Privacy Rule. BMC Med Inform Decis
Mak 2004; 4: 17.
13.Kiel JM. HIPAA: SOP: HIPAA as standard operating procedures. Health Care Manag (Frederick) 2010; 29(1):
80-2.
14.HIPAA. Complimentary Webcast: Exec Brief on the HIPAA Final Rule [Online]. 2009; Available from: URL:
http://www.ecfirst.com/press/webcast_final_rule_feb2013.html/
15.HIPAA. Contingency Plan: Emergency Mode Operation Plan-What to Do and How to Do It [Online]. 2008;
Available from: URL: http://www.hipaa.com/2009/04/contingency-plan-emergency-mode-operation-plan-whatto-
do-and-how-to-do-it/. 2013.
16. Iranian Supreme Council of Information and Communication Technology report. Information Security System
Management [Online]. 2007; Available from: URL: http://www.scict.ir/ [In Persian]
17. Shajariat Z. Study of the Medical Information Accessibility methods in Medical Record department. Proceedings
of the 2nd Congress of Medical Record Students; 2006 Dec 23-24; Shiraz, Iran; 2006. [In Persian].
18.Ghazavi S. Health Information Systems Occupational Security. Proceedings of the 2nd Congress of Medical
Record Students; 2006 Dec 23-24; Shiraz, Iran; 2006. [In Persian].
19.Habibifard V. Operational Model for Information Security System. Proceedings of the 1st Congress of IT
Application in Health; 2011 Oct 19-20; Sari, Iran; 2011. [In Persian].
20.Wikham D. Information systems security policy. Information Governance [Online]. Available from: URL:
http://www.ruh.nhs.uk/about/policies/documents/non_clinical_policies/black_infoman/Black_320_Information_
Governance_Information_Security.pdf/.
Health Information Management
Volume 10, Issue 1
Spring 2014
Pages 35-46