HIPAA Security, Jeanne Smythe, UNC-CH - PowerPoint PPT Presentation

  1. HIPAA Security
     Jeanne Smythe, UNC-CH
     Jack McCoy, ECU
     Chad Bebout, UNC-CH
     Doug Brown, UNC-CH

  2. What is this?
     Federal Regulations…
     – August 21, 1996 – HIPAA Became Law
     – October 16, 2003 – Transaction Codes and Identifiers Deadline
     – April 14, 2003 – Privacy Deadline
     – April 21, 2005 – Security Deadline

  3. You’ve got to have goals…
     Everyone who sees, hears or handles PHI must keep it confidential and follow these rules, even if the individual does not have direct patient contact.

  4. What is PHI?
     Protected Health Information: PHI is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.

  5. What is this?
     40+ Pages of very fine print…
     “164.306 Security standards: General rules.
     (a) General requirements. Covered entities must do the following:
     (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
     (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
     (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
     (4) Ensure compliance with this subpart by its workforce.”

  6. What is this?
     Safeguards and Standards
     – Administrative
     – Physical
     – Technical
     Implementation Specifications
     – Required (You have to do this)
     – Addressable (You still have to do this)

  7. Hot Topics
     – Risk Assessments
     – Activity Review and Logs
     – Awareness and Training
     – PHI in Email
     – Wireless, Mobile Devices
     – Shadow copies, unmanaged PHI
     – Encryption

  8. Awareness and Training
     “164.308(5)(i) Implement a security awareness and training program for all members of its workforce (including management)…
     (A) Security reminders…
     (B) Protection from malicious software…
     (C) Log-in monitoring…
     (D) Password management…”

  9. Risk Management
     “164.308 Administrative safeguards.
     (1)(a)(ii)(A) Risk analysis (Required). Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
     (1)(a)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).”

  10. Risk Management
     – Why do we need this?
     – Who will accept the risks?
     – What is the determination process?
     – Who will be involved in the determination process?

  11. Physical Security
     164.310 Physical safeguards.
     “Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

  12. Physical Security
     Facilities
     – Access Control
     – Policies and Documentation
     Systems
     – Servers & Workstations
     Media
     – Removable Magnetic, CD-Rs, Memory Keys, etc.
     – Surplused Systems

  13. Physical Security
     – Equipment such as PCs, servers, mainframes, fax machines, and copiers must be afforded appropriate physical controls.
     – Computer screens, copiers, fax machines, and printers must be situated in such a way that they cannot be accessed or viewed by the public.
     – Computers must use password-protected screen savers.

  14. Physical Security
     – PCs that are used in open areas must be adequately secured to protect against theft or unauthorized access.
     – Servers and mainframes must be contained in a secured area that is capable of limiting and monitoring physical access.
     – Sealed envelopes marked “CONFIDENTIAL” should be used when mailing PHI.

  15. Appropriate Disposal of Data
     – Procedures for the appropriate disposal apply to PHI and Confidential Information.
     – Hard copy materials such as paper or microfiche must be properly shredded or placed in a secured bin for shredding later.
     – Magnetic media such as diskettes, tapes, or hard drives must be degaussed (subjected to a strong magnetic field) or “electronically shredded” using approved software and procedures.
     – CD ROM disks must be rendered unreadable by shredding, defacing the recording surface, or breaking.
     – No PHI or CI should be placed in the regular trash!

  16. Activity Review
     “164.306(a)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
