About the Information Assurance Division...
The Division of Information Assurance and Informatics integrates approaches from medical ethics, the social sciences and information technology to conduct basic and applied research about protecting the confidentiality, integrity and availability of computerized health information. Two major themes structure the division’s inquiry:
Information assurance as organizational error
The literature on “organizational error” provides the intellectual foundation for interpreting the process of protecting the confidentiality, integrity and availability of computerized information (information assurance). Vast computerized acquisition devices, data archives and communication networks share many properties of other high-technology systems in that they function as complex and tightly coupled technological systems and require highly reliable management systems to avoid accidents. This literature focuses on the conditions under which organizations can or cannot safely manage such technologies without suffering major or catastrophic accidents. From this perspective, breaches of information security such as unauthorized disclosures of individually identifiable health information or large-scale identity theft bear comparison with accidents such as Three Mile Island, the space shuttle accidents, the sinking of large commercial ships and “friendly fire” incidents in warfare. The literature affirms that safe operation of high technologies, including computerized health information systems, requires comprehensible technical architectures, appropriate organizational structures and sustained, sound management as well as individual competence.
HIPAA compliance as sponsored social movement
Our analysis focuses on describing how formal organizations with established routines, bodies of knowledge and organizational relationships intentionally and effectively change in response to new mandates such as HIPAA. The concept of bureaucratic reform as “sponsored social movement” seems paradoxical. It implies “top down” reform with senior leadership attempting to mobilize change from within. It also implies “grassroots” activity with local groups organizing demands and means for organizational change. Although a minority in healthcare recognized the need for effective health information assurance programs as part of computerizing patient records, many others required the motivation of Federal regulations as embodied in the HIPAA privacy and security rules. Thus, once the HIPAA regulations were published and compliance dates set, most healthcare organizations faced the problem of mobilizing their compliance effort and, beyond that, achieving genuine changes in the activities, knowledge and social relationships through which they protected the confidentiality, integrity and availability of patient information. Much guidance emerged for healthcare organizations about what new policies, procedures and practices they should adopt. From a strategic perspective, however, this guidance does not address how healthcare organizations should envision the mobilization effort itself. We hypothesize that exploring the paradoxes of “sponsored social movements” will explain the relative success or failure and completeness or partiality as well as the developmental dynamics of bureaucratic reforms.