Literary Warrant for Functional Requirement #13

This requirement derives from the law, customs, standards and professional best practices accepted by society and codified in the literature of different professions concerned with records and recordkeeping. The warrant is as follows:

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 6, Business Systems, 1991
Pages 6-40
Extract This section addresses the risk considerations and control features of an IHRIS that should be evaluated by the internal auditor. Because disbursement systems involve financial payments, they are prone to misuse. Consequently, it is critical to ensure that these systems are used properly and that payments are controlled, accurate, and timely. The risk considerations and consequences are as follows:
* Privacy violation (e.g., salaries and personnel or medical data are not kept confidential)

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-49
Extract Report distribution procedures should be designed to protect the confidentiality of data on reports and to ensure that reports are accurately labeled and properly distributed. Computer operations staff must be aware of the sensitive nature of some of the information handled. In organizations where reports are not printed but are distributed electronically in "soft copy," care must be exercised when determining who can access the reports.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-108
Extract Examine system logs of accesses to sensitive files or libraries to determine that access is restricted to appropriate individuals.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 8, Telecommunications, 1991
Pages 8-54, 55
Extract The risk and control considerations relative to the scenarios described above are discussed in the following sections:
* Reduced data confidentiality - An external user who is authorized for specific data may gain access to confidential databases or data files to which he/she is not authorized.

Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts: Artech House 1993)
Pages 127
Extract The most serious security failures include:
* Disclosure of confidential data--more data is maintained in electronic form in EDI systems than in other systems, thus increasing the risk of disclosure;
* Failure of computer hardware and software;

Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security; Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of Standards and Technology, 9 November 1994)
Pages 13
Extract As LANs are utilized throughout an agency or department, some of the data stored or processed on a LAN may require some level of confidentiality. The disclosure of LAN data or software occurs when the data or software is accessed, read and possibly released to an individual who is not authorized for the data.

Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security; Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of Standards and Technology, 9 November 1994)
Pages 9
Extract The following goals should be considered to implement effective LAN security. Maintain the confidentiality of data as it is stored, processed or transmitted on a LAN.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 56
Extract [Medical] providers may release records to persons doing research or maintaining health statistics, provided the department established rules for the conduct of such research to ensure the anonymity of the patient. Arizona Revised Statutes 36-509 (A).

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 57
Extract Under Arkansas Code Annotated 20-9-304, all information, interviews, reports, statements, memoranda, or other data of the State Board of Health, Arkansas Medical Society, allied medical societies, or in-hospital staff committees of licensed hospitals, are strictly confidential. Such information is only for medical research. This provision does not apply to the original medical records of patients used in the course of medical studies for the purpose of reducing morbidity or mortality. Any authorized person, hospital, sanatorium, nursing home, rest home or other organization may provide such information relating to the condition and treatment of any person to the entities listed above for use in the course of studies for the purpose of reducing morbidity or mortality without incurring liability for damages or other relief. In any event, however, the patient's identity is confidential, and no researcher may release it under any circumstances.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 57
Extract California's Confidentiality of Medical Information Act, California Civil Code 56.10, confirms patients' rights to privacy in their medical records by governing the release of patient-identifiable information by health care providers. The Health and Safety Code 1795.12 provides for patient or patient representative access upon request and payment of reasonable clerical costs. Violation of this section may result in disciplinary action by the licensing authority.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 58
Extract California Health & Safety Code 199.21 provides for both civil and criminal liability for wrongful disclosure of AIDS test results.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 59
Extract [California] Section 199.30 provides for confidentiality of research records of AIDS patients. Id. 199.32 states that audit personnel must protect such records in the course of conducting financial audits or program evaluations, and audit personnel shall not directly or indirectly identify any individual research subject in any report of a financial audit or program evaluation.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 60
Extract Colorado Revised Statutes 25-1-120 specifies that among the rights of patients of nursing and intermediate care facilities is the right to have privacy in treatment, including confidentiality in the handling of personal and medical records.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 61
Extract Connecticut General Statute 19a-550, titled "Patient's Bill of Rights," provides for patients' rights to confidentiality generally. Section 19a-550 provides that a nursing home or chronic disease hospital must assure any patient confidential treatment of the patient's personal and medical records and may approve or refuse their release to anyone outside the facility, except in case of the patient's transfer to another health care institution or as required by law or third-party payment contract.

Citation Condition of Participation: Medical Records Services, Health Care Financing Administration, 42 CFR, Chapter 4, 482.24
Extract (3) The hospital must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas.

Citation American Medical Association Confidentiality Statement
Extract Confidentiality: Computers. The utmost effort and care must be taken to protect the confidentiality of all medical records. This ethical principle applies to computerized medical records as it applies to any other medical records. The confidentiality of physician-patient communications is desirable to assure free and open disclosure by the patient to the physician of all information needed to establish a proper diagnosis and attain the most desirable clinical outcome possible. Protecting the confidentiality of the personal and medical information in such medical records is also necessary to prevent humiliation, embarrassment, or discomfort of patients. At the same time, patients may have a legitimate desire to have medical information concerning their care and treatment forwarded to others. Both the protection of confidentiality and the appropriate release of information in records are the rightful expectation of the patient. A physician should respect the patient's expectations of confidentiality concerning medical records that involve the patient's care and treatment, but the physician should also respect the patient's authorization to provide information from the medical record to those whom the patient authorizes to inspect all or part of it for legitimate purposes.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 53
Extract Alaska's constitution sets forth the right to privacy. In Gunnerud v. State, 611 P.2d 69 (Alaska 1980), the court held that granting access to the private medical records of a witness would be an unwarranted infringement of the privacy of the witness unless the material was relevant.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 53
Extract Alaska law states that patients have the right to confidentiality of their medical records and treatments. Alaska Administrative Code title 7 12.890 (a).

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 54
Extract [Medical] providers may release patient records and information without consent for research projects authorized by the governing board if they preserve anonymity in the reported results. Alaska Administrative Code title 7, 13.130 (b)(3).

Citation 41 CFR Sec. 105 - 735.207 Misuse of information.
Extract For the purpose of furthering a private interest, GSA personnel shall not, except as provided in Sec. 105 - 735.204(c), directly or indirectly use, or allow the use of, official information obtained through or in connection with their GSA employment which has not been made available to the general public. Criminal penalties are imposed for disclosure of classified or confidential information.