Literary Warrant for Functional Requirement #13

This requirement derives from the law, customs, standards and professional best practices accepted by society and codified in the literature of different professions concerned with records and recordkeeping. The warrant is as follows:
Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 6, Business Systems, 1991
Pages 6-40
Extract This section addresses the risk considerations and control features of an IHRIS that should be evaluated by the internal auditor. Because disbursement systems involve financial payments, they are prone to misuse. Consequently, it is critical to ensure that these systems are used properly and that payments are controlled, accurate, and timely. The risk considerations and consequences are as follows: * Privacy violation (e.g., salaries and personnel or medical data are not kept confidential)

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-49
Extract Report distribution procedures should be designed to protect the confidentiality of data on reports and to ensure that reports are accurately labeled and properly distributed. Computer operations staff must be aware of the sensitive nature of some of the information handled. In organizations where reports are not printed but are distributed electronically in "soft copy," care must be exercised when determining who can access the reports.

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 4, Managing Computer Resources, 1991
Pages 4-108
Extract Examine system logs of accesses to sensitive files or libraries to determine that access is restricted to appropriate individuals

Citation The Institute of Internal Auditors Research Foundation; Systems Auditability and Control, Module 8, Telecommunications, 1991
Pages 8-54,55
Extract The risk and control considerations relative to the scenarios described above are discussed in the following sections: * Reduced data confidentiality - An external user who is authorized for specific data may gain access to confidential databases or data files to which he/she is not authorized.

Citation EDI Security, Control, and Audit by Albert J. Marcella, Jr., and Sally Chan (Massachusetts: Artech House 1993)
Pages 127
Extract The most serious security failures include: * Disclosure of confidential data--more data is maintained in electronic form in EDI systems than in other systems, thus increasing the risk of disclosure; * Failure of computer hardware and software;

Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security; Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of Standards and Technology, 9 November 1994)
Pages 13
Extract As LANs are utilized throughout an agency or department, some of the data stored or processed on a LAN may require some level of confidentiality. The disclosure of LAN data or software occurs when the data or software is accessed, read and possibly released to an individual who is not authorized for the data.

Citation "Guideline for the Analysis of Local Area Network Security" Category: Computer Security; Subcategory: Risk Analysis and Contingency Planning. Federal Information Processing Standards Publication 191 (U.S. Department of Commerce/Technology Administration and National Institute of Standards and Technology, 9 November 1994)
Pages 9
Extract The following goals should be considered to implement effective LAN security. Maintain the confidentiality of data as it is stored, processed or transmitted on a LAN.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 56
Extract [Medical] providers may release records to persons doing research or maintaining health statistics, provided the department has established rules for the conduct of such research to ensure the anonymity of the patient. Arizona Revised Statutes 36-509 (A).

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 57
Extract Under Arkansas Code Annotated 20-9-304, all information, interviews, reports, statements, memoranda, or other data of the State Board of Health, Arkansas Medical Society, allied medical societies, or in-hospital staff committees of licensed hospitals, are strictly confidential. Such information is only for medical research. This provision does not apply to the original medical records of patients used in the course of medical studies for the purpose of reducing morbidity or mortality. Any authorized person, hospital, sanatorium, nursing home, rest home or other organization may provide such information relating to the condition and treatment of any person to the entities listed above for use in the course of studies for the purpose of reducing morbidity or mortality without incurring liability for damages or other relief. In any event, however, the patient's identity is confidential, and no researcher may release it under any circumstances.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 57
Extract California's Confidentiality of Medical Information Act, California Civil Code 56.10, confirms patients' rights to privacy in their medical records by governing the release of patient-identifiable information by health care providers. The Health and Safety Code 1795.12 provides for patient or patient representative access upon request and payment of reasonable clerical costs. Violation of this section may result in disciplinary action by the licensing authority.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 58
Extract California Health & Safety Code 199.21 provides for both civil and criminal liability for wrongful disclosure of AIDS test results.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 59
Extract [California] Section 199.30 provides for confidentiality of research records of AIDS patients. Id. 199.32 states that audit personnel must protect such records in the course of conducting financial audits or program evaluations, and audit personnel shall not directly or indirectly identify any individual research subject in any report of a financial audit or program evaluations.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 60
Extract Colorado Revised Statutes 25-1-120 specifies that among the rights of patients of nursing and intermediate care facilities is the right to have privacy in treatment including confidentiality in the handling of personal and medical records.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 61
Extract Connecticut General Statute 19a-550, titled "Patient's Bill of Rights," provides for patients' rights to confidentiality generally. Section 19a-550 provides that a nursing home or chronic disease hospital must assure any patient confidential treatment of the patient's personal and medical records and may approve or refuse their release to anyone outside the facility, except in case of the patient's transfer to another health care institution or as required by law or third-party payment contract.

Citation Condition of Participation: Medical Records Services, Health Care Financing Administration, 42 CFR, Chapter 4, 482.24
Extract (3) The hospital must have a procedure for ensuring the confidentiality of patient records. Information from or copies of records may be released only to authorized individuals, and the hospital must ensure that unauthorized individuals cannot gain access to or alter patient records. Original medical records must be released by the hospital only in accordance with Federal or State laws, court orders, or subpoenas.

Citation American Medical Association Confidentiality Statement
Extract Confidentiality: Computers. The utmost effort and care must be taken to protect the confidentiality of all medical records. This ethical principle applies to computerized medical records as it applies to any other medical records. The confidentiality of physician-patient communications is desirable to assure free and open disclosure by the patient to the physician of all information needed to establish a proper diagnosis and attain the most desirable clinical outcome possible. Protecting the confidentiality of the personal and medical information in such medical records is also necessary to prevent humiliation, embarrassment, or discomfort of patients. At the same time, patients may have a legitimate desire to have medical information concerning their care and treatment forwarded to others. Both the protection of confidentiality and the appropriate release of information in records are the rightful expectation of the patient. A physician should respect the patient's expectations of confidentiality concerning medical records that involve the patient's care and treatment, but the physician should also respect the patient's authorization to provide information from the medical record to those whom the patient authorizes to inspect all or part of it for legitimate purposes.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 53
Extract Alaska's constitution sets forth the right to privacy. In Gunnerud v. State, 611 P.2d 69 (Alaska 1980), the court held that granting access to the private medical records of a witness would be an unwarranted infringement of the privacy of the witness unless the material was relevant.

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 53
Extract Alaska law states that patients have the right to confidentiality of their medical records and treatments. Alaska Administrative Code title 7 12.890 (a).

Citation "Compliance Guide to Electronic Health Records: A Practical Reference to Legislation, Codes, Regulations and Industry Standards" by Jonathan P. Tomes, J.D. (Washington, DC: Faulkner & Gray 1994-95)
Pages 54
Extract [Medical] providers may release patient records and information without consent for research projects authorized by the governing board if they preserve anonymity in the reported results. Alaska Administrative Code title 7, 13.130 (b)(3).

Citation 41 CFR Sec. 105 - 735.207 Misuse of information.
Extract For the purpose of furthering a private interest, GSA personnel shall not, except as provided in Sec. 105 - 735.204(c), directly or indirectly use, or allow the use of, official information obtained through or in connection with their GSA employment which has not been made available to the general public. Criminal penalties are imposed for disclosure of classified or confidential information.