TJC IM Readiness Standards 101
The Joint Commission (TJC) is an independent, not-for-profit organization.
The Joint Commission accredits and certifies more than 17,000 health care organizations and programs in the United States.
The TJC has recently updated and expanded its information management (IM) accreditation standards for healthcare organizations.
New readiness standards for information management and IT risk management are requiring hospitals to rethink how they protect and secure sensitive information, audit, and improve continuity of operations and disaster recovery planning.
To maintain and earn accreditation, organizations must have an extensive on-site review by a team of Joint Commission healthcare professionals, at least once every three years.
The purpose of the review is to evaluate the organization's performance in areas that affect care.
Accreditation may then be awarded based on how well the organizations met Joint Commission standards.
A hospital's IT infrastructure is at the foundation of delivering quality care.
TJC recognizes this in the enhanced information management readiness standards.
Among numerous other topics, TJC specifically addresses three key areas of IT risk management in the new IM standards.
These include:
Plan for Continuity of IM Processes (IM.
01.
01.
03) The organization must have a written plan for managing interruptions to its information processes (paper-based, electronic, or a mix of paper-based and electronic).
The hospital's plan for managing interruptions to information processes must address the following:
02.
01.
01)
02.
01.
03)
A typical hospital, for example, is subject to HIPAA regulations, PCI compliance (credit card), and often Sarbanes Oxley.
The Common Denominator Common among these regulations and other information security best practice standards is the need to protect all patient, credit card and other confidential data from intrusion, tampering, and theft - at all times.
The Joint Commission accredits and certifies more than 17,000 health care organizations and programs in the United States.
The TJC has recently updated and expanded its information management (IM) accreditation standards for healthcare organizations.
New readiness standards for information management and IT risk management are requiring hospitals to rethink how they protect and secure sensitive information, audit, and improve continuity of operations and disaster recovery planning.
To maintain and earn accreditation, organizations must have an extensive on-site review by a team of Joint Commission healthcare professionals, at least once every three years.
The purpose of the review is to evaluate the organization's performance in areas that affect care.
Accreditation may then be awarded based on how well the organizations met Joint Commission standards.
A hospital's IT infrastructure is at the foundation of delivering quality care.
TJC recognizes this in the enhanced information management readiness standards.
Among numerous other topics, TJC specifically addresses three key areas of IT risk management in the new IM standards.
These include:
- Patient record security
- System security from intrusion and data tampering
- Continuity of operations and disaster recovery capabilities
Plan for Continuity of IM Processes (IM.
01.
01.
03) The organization must have a written plan for managing interruptions to its information processes (paper-based, electronic, or a mix of paper-based and electronic).
The hospital's plan for managing interruptions to information processes must address the following:
- Have a back-up of electronic information systems
- Plan for interruptions of electronic information systems
- Provide training for staff and licensed independent practitioners on alternate procedures to follow when electronic information systems are unavailable
- Establish a plan to handle interruptions to information processes is tested for effectiveness according to time frames defined by the hospital
- Implement its plan for managing interruptions to information processes to maintain access to information needed for patient care
02.
01.
01)
- Use health information only for purposes as required by law and regulation or further limited by its policy on privacy
- Disclose health information only by authorization from the patient or as otherwise consistent with law and regulation
- Monitor compliance with its policy on the privacy of health information
02.
01.
03)
- Protect against unauthorized access, use, and disclosure of health information
- Protect health information against loss, damage, unauthorized alteration, unintentional change, and accidental destruction
- Control the intentional destruction of health information
- Monitor compliance with its policies regarding the security and integrity of health information
A typical hospital, for example, is subject to HIPAA regulations, PCI compliance (credit card), and often Sarbanes Oxley.
The Common Denominator Common among these regulations and other information security best practice standards is the need to protect all patient, credit card and other confidential data from intrusion, tampering, and theft - at all times.
Source...