The Joint Commission (TJC) is an independent, not-for-profit organization. The Joint Commission accredits and certifies more than 17,000 health care organizations and programs in the United States.

The TJC has recently updated and expanded its information management (IM) accreditation standards for healthcare organizations. New readiness standards for information management and IT risk management are requiring hospitals to rethink how they protect and secure sensitive information, audit, and improve continuity of operations and disaster recovery planning.

To maintain and earn accreditation, organizations must have an extensive on-site review by a team of Joint Commission healthcare professionals, at least once every three years. The purpose of the review is to evaluate the organization's performance in areas that affect care. Accreditation may then be awarded based on how well the organizations met Joint Commission standards.

A hospital's IT infrastructure is at the foundation of delivering quality care. TJC recognizes this in the enhanced information management readiness standards. Among numerous other topics, TJC specifically addresses three key areas of IT risk management in the new IM standards. These include:

1. Patient record security
2. System security from intrusion and data tampering
3. Continuity of operations and disaster recovery capabilities

Three Key Readiness Standards.

Plan for Continuity of IM Processes (IM.01.01.03)

The organization must have a written plan for managing interruptions to its information processes (paper-based, electronic, or a mix of paper-based and electronic). The hospital's plan for managing interruptions to information processes must address the following:

- Have a back-up of electronic information systems
- Plan for interruptions of electronic information systems
- Provide training for staff and licensed independent practitioners on alternate procedures to follow when electronic information systems are unavailable
- Ensure the plan to handle interruptions to information processes is tested for effectiveness according to time frames defined by the hospital
- Implement its plan for managing interruptions to information processes to maintain access to information needed for patient care

Protect Privacy of Health Information (IM.02.01.01)

- Use health information only for purposes as required by law and regulation or further limited by its policy on privacy
- Disclose health information only by authorization from the patient or as otherwise consistent with law and regulation
- Monitor compliance with its policy on the privacy of health information

Maintain Security & Integrity of Health Information (IM.02.01.03)

- Protect against unauthorized access, use, and disclosure of health information
- Protect health information against loss, damage, unauthorized alteration, unintentional change, and accidental destruction
- Control the intentional destruction of health information
- Monitor compliance with its policies regarding the security and integrity of health information

TJC's move to enhance its information management readiness standards is consistent with the growing number of ID theft incidents and regulatory pressures from many government and private sources. A typical hospital, for example, is subject to HIPAA regulations, PCI compliance (credit card), and often Sarbanes-Oxley.

The Common Denominator

Common among these regulations and other information security best practice standards is the need to protect all patient, credit card and other confidential data from intrusion, tampering, and theft - at all times.