security planning susan lincke complying with hipaa and hitech
Post on 11-Jan-2016
223 Views
Preview:
TRANSCRIPT
Security PlanningSusan Lincke
Complying with HIPAA andHITECH
Security Planning: An Applied Approach | 04/21/23 | 2
Objectives:
Students shall be able to:Define HIPAA, Privacy Rule, Security Rule, CE, PHI.Define threat, vulnerability, threat agentDescribe what Privacy Rule covers at a high levelDescribe what Security Rule covers at a high levelDescribe the difference between Required and Addressable for the Security Rule.
Security Planning: An Applied Approach | 04/21/23 | 3
HIPAA
Introduced by Senators Edward Kennedy & Nancy KassebaumPortability: Workers can continue health care between different employersGroup insurance cannot reject, not renew, or charge higher premiums of certain individualsSimplify administration by creating a health care transaction standard
Accountability: Penalties for non-compliance Tax provisions
Security Planning: An Applied Approach | 04/21/23 | 4
HIPAA Titles
Title 1: Health Care Insurance Access, Portability, and RenewabilityTitle 2: Preventing Health Care Fraud & Abuse, Administrative Simplification, Medical Liability ReformTitle 3: Tax-related Health ProvisionsStandardizes medical savings accounts
Title 4: Application and Enforcement of Group Health Insurance RequirementsTitle 5: Revenue OffsetsDefines how employers can deduct company-owned life insurance premiums from income tax
Security Planning: An Applied Approach | 04/21/23 | 5
Title 2 Has Three Rules
Transactions, Code Sets, and Identifiers: Standards for electronic transmission• Electronic Data Interchange: Standardized records for health
care transactions
The Privacy Rule: Standard for Privacy of Individually Identifiable Health Information
The Security Rule: Security Standard for electronic patient health
Security Planning: An Applied Approach | 04/21/23 | 6
Reasons for Legislation
Records of patients or insurance claims made publicly available by accidentEmail reminder to take Prozac sent to 600 (not blind cc’d)Woman fired from job after positive review but expensive illness35% of Fortune 500 companies admitted checking medical records before hiring or promotingPeople avoid using insurance when they have AIDS, cancer, STD, substance abuse or mental illness
Security Planning: An Applied Approach | 04/21/23 | 7
Medical Identity Theft
When a person’s name and other parts of his/her medical identity are stolen for the purpose of getting medical services and goods.
Problems:
•Medical info is for wrong person
• Inaccurate health records
• Wrong diagnosis
• Fatal treatments
•Imposter claims health care
• Medical Insurance Fraud
• Inaccurate Credit History: Bills sent elsewhere
Security Planning: An Applied Approach | 04/21/23 | 8
Medical Identity Thieves:Who can commit this crime?
Computer hackers
Members of organized crime rings
Health care providers (doctor’s, dentists, hospital employees)
Security Planning: An Applied Approach | 04/21/23 | 9
Business Challenges Facing the Health Care Industry
Hospital computer systems contain notes from hospital employees and primary care physicians.Health Insurance Companies collect and compile patient data from different providers.
Organizations MUST maintain the security of computer systems that hold
health data.
Security Planning: An Applied Approach | 04/21/23 | 10
Breach Notification Laws
State Laws, called Breach Notification Laws require CEs to notify patients when their PHI has been breached
If data is encrypted and laptop is lost, notification is not requiredThis often applies to any industry that uses personal information,
such as Social Security Numbers
The Oregonian, May 2006In one of Oregon’s largest security breaches, ProvidenceHealth System disclosed that a burglar stole unencrypted
medical records on 365,000 patients kept on disks and tapes left overnight in an employee’s van
Security Planning: An Applied Approach | 04/21/23 | 11
HITECH: Health Information Technology for Economic and Clinical Health Act (2009)
Breach Notification Rule:Introduced notification requirements•Specifies how CE/BA should notify individuals and agencies if a breach of information occursPHI shall be encrypted in a way that is approved by HHS.PHI shall be shredded or destroyed and disposed of properly.
Security Planning: An Applied Approach | 04/21/23 | 12
Criminal Penalties for HIPAA
$ Penalty Imprison-ment
Offense
Up to $50K Up to one year
Wrongful disclosure of individually identifiable health information
Up to $100K Up to 5 years …committed under false pretenses
Up to $500K Up to 10 years
… with intent to sell, achieve personal gain, or cause malicious harm
Then consider bad press, state audit, state law penalties, lost claims, …
Security Planning: An Applied Approach | 04/21/23 | 13
HITECH Act (2009)
Each Violation
Max $ Per Year
CE/BA exercised reasonable diligence but did not learn about violation
$100-$50k $1.5 Million
Violation is due to reasonable cause $1k-$50k
$1.5 Million
CE/BA demonstrated willful neglect but corrected violation
$10k-$50k $1.5 Million
CE/BA demonstrated willful neglect and took no corrective action
$50k $1.5 Million
Penalties are prohibited if problem is corrected within 30 days and no willful neglectPenalties pay for enforcement and redress for harm caused
Security Planning: An Applied Approach | 04/21/23 | 14
Health Care OrganizationCovered Entities (CE)
Health careClearinghouse
Health Care Provider(e.g., doctor, hospital)
Health plan(e.g., HMO, PPO)
Standardbills/records
Nonstandardbills/records
Standard bills/records
Security Planning: An Applied Approach | 04/21/23 | 15
Health Care Organization
Health careClearinghouse
Health Care Provider
Health plan
Covered Entities (CE)
Business Associates (BA)
Performs: Claims ProcessingTranscription
BillingData Analysis
Independent organizationWork involves health infoNot bank or post office
Works
for
Security Planning: An Applied Approach | 04/21/23 | 16
Protected Health Information (PHI)
HealthInformation
Relates to Physical or
Mental healthor past/present/future payment
Identifiers
NameSSNcity or countyzip codephone or faxmedical record #fingerprint
Individually IdentifiableHealth Information
Created or maintained byCE or BA
Protected Health Information
(PHI)Covered by HIPAA
& HITECH
If YOU had AIDS, how could such identifiersIdentify you?
Security Planning: An Applied Approach | 04/21/23 | 17
Treatment, Payment & Health Care Operations (TPO)
Treatment
Provision & coordinationof health care amonghealth care providers,
including referral
Payment
Any activities involved in
compensationfor health care:
billing, determiningcoverage or eligibility
analyzing services
Health CareOperations
Administrativefunctions relatedto health care:
financial or legal orquality improvement,training, certification,case mgmt, business
planning
$
Security Planning: An Applied Approach | 04/21/23 | 18
HIPAA Standard Transactions
Plan Sponsor(Employer)
Health Care Provider(e.g., doctor, hospital)
Health plan(e.g., HMO, PPO)
Health Plan Eligibility Inquiry Certification & Authorization of Referral Health Care Claim Health Care Claim Status Request
Enrollment or Disenrollment into Health Plan Health Plan Premium Payment
Health Care Claim Payment
Certification & Authorization of Referral
Security Planning: An Applied Approach | 04/21/23 | 19
The Genetic Information Nondiscrimination Act of 2008
Protects against some types of genetic testing discrimination:Insurance companies can’t make eligibility decision based on genetic testing results.
Insurance companies can’t base cost of premiums on genetic testing results.
Employers can’t hire, fire or make job decisions based on the use genetic testing.
Employers/Health Insurance Plans can not requiring genetic testing.
Security Planning: An Applied Approach | 04/21/23 | 20
The HIPAA Privacy Rule
Security Planning: An Applied Approach | 04/21/23 | 21
Privacy Rule: Develop Policies
CE/BAs shall:Develop policies, procedures, and standards for how it will adhere to Privacy Rule. How will CE/BA:• use and disclose PHI?• protect patient rights?Regularly review policies and proceduresUpdate policies when new requirements emergeMonitor that policies/procedures are consistently applied throughout the organization
Security Planning: An Applied Approach | 04/21/23 | 22
Privacy Rule:No NonHealth Usage of PHI
Health information is not to be used for nonhealth purposes, unless an individual gives explicit permission
The National Law Journal, May 30, 1994
A banker who also served on his county’s health boardcross-referenced customer accounts with patient
Information. He called due the mortgages of anyone suffering from cancer.
Security Planning: An Applied Approach | 04/21/23 | 23
Privacy Rule:Need-to-Know Access
CE/BA Employees should have access only to what is absolutely required as part of their jobs.
What individuals should have access to PHI?What categories of PHI should individuals have access to?What conditions are required for access?How will Business Associates & Trading Partners be informed and controlled?
Washington Post, March 1, 1995
The 13-year-old daughter of a hospital employee took a list ofpatients’ names and phone numbers from the hospital when
visiting her mother at work. As a joke, she contacted patientsand told them they were diagnosed with HIV.
Security Planning: An Applied Approach | 04/21/23 | 24
Privacy Rule:Protections against Marketing
CE must obtain permission before sending any marketing materials, with limited exceptions
Boston Globe, August 1, 2000
A patient at Brigham and Women’s Hospital in Bostonlearned that employees had accessed her medical
record more than 200 times.
Security Planning: An Applied Approach | 04/21/23 | 25
Privacy Rule:Establish Privacy SafeguardsRequiredShut or locked doorsKeep voice downClear desk policyPrivacy curtainsPassword protectionAuto screen saversLocked cabinetsPaper shredders
Not RequiredSoundproof roomsRedesign office spacePrivate hospital rooms (semiprivate ok)OK for doctors to talk to nurses at nurse stations
Safeguards should be REASONABLE
Security Planning: An Applied Approach | 04/21/23 | 26
Privacy Rule:Employee Training & Accountability
Each CE organization shall name one person who is accountable for Privacy Rule complianceEach employee, volunteer, contractor shall be trained in privacy policies and procedures• Full and Part-time
New York Times, Jan. 19, 2002
Eli Lilly and Co. inadvertently revealed over 600 patiente-mail addresses when it sent an all message to everyindividual registered to receive reminders about taking
Prozac.
Security Planning: An Applied Approach | 04/21/23 | 27
Privacy Rule: Individual Privacy RightsPatients have the right to:See or obtain copies of medical information (except for psychotherapy notes)Request correction to health recordReceive a Notice of Privacy PracticesRequest restrictions as to who can see PHIRequest specific method of contact for sake of privacyKnow who has accessed PHIFile a complaint if their rights have been violatedAllow and withdraw authorizations for use and disclosure
CE must:Respond to requests within 30 daysMay extend delay with notice for another 30 daysKeep records of how PHI is disclosed
Security Planning: An Applied Approach | 04/21/23 | 28
Notice of Privacy PracticesPrivacy Requirements:NPP must be available when asked forNPP must be displayed prominently in the officeHealth Plan must provide upon enrollmentHealth Provider must provide on first service deliveryBoth must request written acknowledgment of receipt of NPPAfter change, revised NPP must be issued to clients within 60 days
Electronic Requirements (if web page):Must be displayed prominently on web pageMust be emailed to customers after a change in NPP
Security Planning: An Applied Approach | 04/21/23 | 29
Required & Permitted DisclosuresRequired Disclosure:Patient (or personal representative, e.g., parent, next of kin)
Office of Civil Rights Enforcement: Investigates potential violations to Privacy Rule
Permitted Disclosure:Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker’s compensation, domestic violence or abuse, some law enforcement activitiesID must be verified by proof of identity/badge and documentation
Security Planning: An Applied Approach | 04/21/23 | 30
More DisclosuresRoutine Disclosure
Disclosures that happen periodically should be addressed in policies, procedures, forms
E.g.: Referral to another provider, school immunization, report communicable disease, medical transcription, births, deaths & other vital statistics
Non-routine Disclosure
CEs shall have reasonable criteria to review requests for non-routine PHI disclosures
E.g., Research disclosures
Incidental Disclosure
CEs shall have reasonable safeguardsE.g. Patient overhears advice given to another patient
Accidental Disclosure
Computer is stolen with PHI
Disclosures must be tracked for THREE years
Security Planning: An Applied Approach | 04/21/23 | 31
Disclosures Requiring Authorization
Research project (special conditions may allow)Person outside health care systemEmployer• However, employer may require authorization for drug test before hiring
Other insurance companiesHealth care provider not involved in patient’s health careInsurance company not paying patient’s claimsLawyerPatient should get copy of authorization
Security Planning: An Applied Approach | 04/21/23 | 32
Sample Authorization FormDisclosure Authorization Form
Description of Information:_____________________________________
Patient making authorized disclosure____________________________
Person receiving information:__________________________________
Purpose of the disclosure:
Authorization Expiration Date:________________
Patient Signature__________________________ Date:____________A form to revoke authorization must be completed to terminate authorization.
Must be retained by CE for 6 years
Security Planning: An Applied Approach | 04/21/23 | 33
Implementing ‘Minimum Necessary’Minimum necessary: Just enough info to accomplish the main purposeE.g., Send prescription for glasses to optician, not medical history
Data Classification•Sensitivity of information•Type of treatment required
Questions to Answer•What parts of record can each user type access?•How will we constrain access to implement view?
Security Planning: An Applied Approach | 04/21/23 | 34
Business Associates (BA)
Legal
Actuarial
Accounting & Finance
Consulting
Administration &Management
Accreditation
Must also be responsible with PHI Not Business Associates
JanitorialElectricalPhoneVendingCopyConduit: MailFinancial Institution: Banks
Security Planning: An Applied Approach | 04/21/23 | 35
Business Associate Contract (BAC)CEs must request BA to sign a BAC:BA will not disclose PHIBA is liable for damage due to disclosure or misuseBA will use safeguards to prevent misuseBA will report any security incident or violation of agreementBA will destroy or protect PHI upon termination of contractCE can terminate contract if violation occursCE will provide BA copies of policies, procedures and materials for safeguardingEtc.
BAs are equally liable as CEs, under HITECH Act
Security Planning: An Applied Approach | 04/21/23 | 36
HITECH: Health Information Technology for Economic and Clinical Health Act (2009)
BA’s must follow the HIPAA Security Rule.BA’s are held to the same standard as CE’s.Health & Human Services (HHS) can: • require BA’s to comply with HIPAA. • enforce penalties on noncompliant BA’s.
Security Planning: An Applied Approach | 04/21/23 | 37
Violation of HIPAA Privacy Rule:WTHR Investigation Leads to Record $2.25M HIPAA Settlement, Indianapolis, IN, 2006:
Reported that CVS was “throwing sensitive personal information in the trash” (e.g.: unredacted pill bottles, prescription instruction sheets, pharmacy receipts with credit card information and health insurance account numbers.
After this, other CVS pharmacies were investigated and it was found that they also were improperly disposing of PHI.
In the settlement CVS was required to:•Create an information security program to protect personal information.•Requires that they get an independent audit every 2 years until 2029.•Pay $2.25 million to settle claims. CVS agreed to:•Implement a security plan that complies with HIPAA’s Privacy Rule.•Protect information during disposal.•Develop employee training programs.
Security Planning: An Applied Approach | 04/21/23 | 38
The HIPAA Security Rule
+
Security Planning: An Applied Approach | 04/21/23 | 39
Security Rule Enforces Privacy Rule on Computers
Privacy Rule Security RuleWith or w/o computer With computerProtect PHI Protect EPHI
Minimum Necessary Authentication & Access Control
Accounting of Disclosures Unique Login Credentials Authentication Track modifications to EPHI: Who did what when?
Security Planning: An Applied Approach | 04/21/23 | 40
Security Vocabulary
Asset: DiamondsThreat: TheftVulnerability: Open door or windowsThreat agent: BurglarOwner: Those accountable or who value the assetRisk: Danger to assets
Security Planning: An Applied Approach | 04/21/23 | 41
Security Rule Assures…
Security Planning: An Applied Approach | 04/21/23 | 42
Security Services
AuthenticationAccess ControlData confidentialityData integrityData backup & recoveryNonrepudiation = Cannot say it wasn’t you who sent or received dataRisk Management
Security Planning: An Applied Approach | 04/21/23 | 43
Risk Management
Risk assessmentPolicy & Procedures MaintenanceSecurity Program EnforcementAudit logs, vulnerability assessments, audit for procedure adherence and control effectivenessPatches are applied to softwareData is available, confidential, & integrity is protected
Security Planning: An Applied Approach | 04/21/23 | 44
Security Rule Standards
AdministrativeControls
Physical Controls
Technical Controls
Comprehensive Technology Neutral Scalable
Smallor
Large
Look to Best Practicesfor Technology Answers
e.g. NIST
SecurityRule
SecurityRule
Security Planning: An Applied Approach | 04/21/23 | 45
Three Areas of Safeguards
Security
Rule
Administrative: Administrative policies, procedures, and actions
to implement and maintain security controls to protect EPHI, includingrisk mgmt, access control, contingency plans, incident response.
Physical: Protection of the physical access to terminals, laptops,
servers, backup tapes, CDs, memory, including viewing,access, maintenance and disposal.
Technical: Protection using technology tools to protect EPHI,
including logs, encryption, authentication
Security Planning: An Applied Approach | 04/21/23 | 46
Policies & Procedures
Policies and Procedures MUST BE:Retained for 6 years after date of creation or last effect
Available to workers responsible for them
Must be updated regularly accommodating changes in environment & operations
Security Planning: An Applied Approach | 04/21/23 | 47
Security Rule Standard
DO IT!
This is recommended…Address this in some way…Implement equivalent alternative measure….If it doesn’t apply, document well why not…
We do this instead:…..
Security Planning: An Applied Approach | 04/21/23 | 48
Administrative:Security Mgmt Process
Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the CIA of EPHI held by the CE.
R
Risk Mgmt: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule
R
Sanction Policy: Apply appropriate penalties against workforce members who fail to comply with the entity’s security policies and procedures
R
Info System Activity Review: Implement procedures to regularly review records of IS activity, such as audit logs, access reports, and security incident tracking reports
R
Security Planning: An Applied Approach | 04/21/23 | 49
Security Mgmt Implications
The Sanction policy basically requires we all
sign a confidentiality
agreement and if someone breaks
the rule, they could be fired.
We will need an IT person to regularly check logs to
be sure our system was not broken into
Risk assessment must be ‘accurate and thorough’ –
that will be a challenge!
And all are Rs…
Security Mgmt Process
Security Planning: An Applied Approach | 04/21/23 | 50
Administrative:Workforce Security
Authorization and/or Supervision: Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
A
Workforce Clearance Procedure: Implement procedures to determine that the access of a workforce member to EPHI is appropriate
A
Termination Procedures: Implement procedures for terminating access to EPHI when the employment of a workforce member ends…
A
Security Planning: An Applied Approach | 04/21/23 | 51
Workforce Security Implications
.We must have procedures to
allocate authorization, periodically
check authorization, and
procedures to terminate someone
They are asking for checks and balances with
supervision or authorization
We are a three person operation, can we get away
with not doing this?Must we document
our situation?These are As.
WorkforceSecurity
Security Planning: An Applied Approach | 04/21/23 | 52
Administrative:Information Access Mgmt
Isolating Health Care Clearinghouse (CH) Function: If a health care CH is part of a larger organization, the CH operation must implement policies and procedures that protect the EPHI of the CH from unauthorized access by the larger organization
R
Access Authorization: Implement policies and procedure for granting access to EPHI – e.g., through access to a workstation, transaction, program, process, or other mechanism
A
Access Establishment & Modification: Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process.
A
Security Planning: An Applied Approach | 04/21/23 | 53
Info Access Mgmt Implications
It is an implementation: We must define a data owner for
each major process
Isn’t this the same as the previous rule?
.And then our IT people must define
how they will grant access based upon
the data owner’s decisions.
Info AccessMgmt
Security Planning: An Applied Approach | 04/21/23 | 54
Administrative:Security Awareness & Training
Security Reminders: Provide periodic security updates to members of the workforce
A
Protection from Malicious Software: Implement procedures for guarding against, detecting, and reporting malicious software
A
Login Monitoring: Implement procedures for monitoring login attempts and reporting discrepancies
A
Password Mgmt: Implement procedures for creating, changing and safeguarding passwords
A
What do you think these mean?
Security Planning: An Applied Approach | 04/21/23 | 55
Administrative:Contingency Plan
Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of EPHI
R
Disaster Recovery Plan: Establish … procedures to restore any loss of data
R
Emergency Mode Operation Plan: The emergency mode operation plan requires CEs to establish … procedures to enable continuation of critical business processes, while maintaining the security of EPHI while operating in emergency mode
R
Testing & Revision Procedure: Implement procedures for periodic testing and revision of contingency plans.
A
Applications & Data Criticality Analysis: Assess the relative criticality of specific applications and data in support of other contingency plan components.
A
Security Planning: An Applied Approach | 04/21/23 | 56
Administrative:One-Line Safeguards
Assigned Security Responsibility: Identify the security official who is responsible for the development and implementation of the policies and procedures required by this rule for the entity.
R
Security Incident Procedures: Implement policies & procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate … harmful effects of security incidents that are known to the CE; and document security incidents and their outcomes.
R
Security Planning: An Applied Approach | 04/21/23 | 57
Administrative:More One-Line Safeguards
Evaluation: Perform a periodic technical and nontechical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of EPHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart
R
BA Contracts and Other Arrangements: A BA [may] create, receive, maintain, or transmit EPHI on the CE’s behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information.
R
Security Planning: An Applied Approach | 04/21/23 | 58
Info Access Mgmt Implications
That makes sense when technology
changes, but I guess we have to
do it periodically as well, since the
world changes.
According to Evaluation, we must self-test or be certified on a regular basis, to be sure we
follow the Security RuleWe need to know who, what, when,
where, why for incident response.
Who shall we name as our Security
Manager?Evaluation
Security Planning: An Applied Approach | 04/21/23 | 59
Physical Safeguards: Facility Access ControlsFacility Access Controls: Implement policies and procedures to limit physical access to electronic info systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access
Contingency Operations AFacility Security Plan AAccess Control & Validation Procedures AMaintenance Records A
Security Planning: An Applied Approach | 04/21/23 | 60
Physical Safeguards:Facility Access ControlHow will physical access be restricted to sensitive paper documents, terminals, server, backup copies, laptops, contingency operations in copy, view, or modify forms?How are visitors controlled from accessing PHI/EPHI?
When repairs occur (to facility or systems) how will
PHI/EPHI be safeguarded?
Security Planning: An Applied Approach | 04/21/23 | 61
Physical Safeguards: Workstations
Workstation Use: Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI
R
Workstation Security: Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users
R
Security Planning: An Applied Approach | 04/21/23 | 62
Workstation Use and Security
What functions will be performed on which workstations?How will workstation access be limited when the user leaves their station?How will theft of laptops be prevented?How will the workstations be positioned? What other physical safeguards (locked rooms, hoods) will be implemented to prevent shoulder surfing?
Security Planning: An Applied Approach | 04/21/23 | 63
Physical Safeguards:Device & Media ControlsDevice and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.
Disposal RMedia Reuse RAccountability AData Backup and Storage A
Security Planning: An Applied Approach | 04/21/23 | 64
Device & Media Controls
How will media be erased or damaged before disposal or reuse?Reformatting disk may not be adequate even for reuse
How, when and where has EPHI been moved or transferred? Documentation is necessaryHow is a backup made and where/how stored?
Security Planning: An Applied Approach | 04/21/23 | 65
Technical Safeguards:Access ControlAccess Control: Implement technical policies and procedures for electronic info systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity’s other access policies, and allow access only to those persons or software programs that have been granted access rights
Unique User Identification REmergency Access Procedure RAutomatic Logoff AEncryption and Decryption A
Security Planning: An Applied Approach | 04/21/23 | 66
Technical Safeguards:Access ControlHow is each user uniquely identified to the system?How does authentication occur?In an emergency, what backup methods are used for authentication?How does automatic logoff occur after a period of inactivity?Which data is encrypted in storage and/or transmission?
Security Planning: An Applied Approach | 04/21/23 | 67
Technical Safeguards:Transmission Security
Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network
Integrity Controls A
Encryption A
Security Planning: An Applied Approach | 04/21/23 | 68
Technical Safeguards:Transmission SecurityHow are we sure that data is not modified or lost during transmission?
What encryption techniques are used to protect the security of EPHI transmitted over a public network?
Security Planning: An Applied Approach | 04/21/23 | 69
Other Technical Safeguards
Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI
R
Integrity: Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction.
A
Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed
R
Security Planning: An Applied Approach | 04/21/23 | 70
Other Technical Safeguards
For which devices will the logs be monitored?What log events should be archived for security purposes?How will potential attacks found in logs be recorded, reported, and acted upon?What techniques will be used to ensure stored data has not been modified (hashes, message digests?)What authentication mechanisms will be used to assure that approved entities (people or systems) are accessing EPHI?
Security Planning: An Applied Approach | 04/21/23 | 71
Question
An example of a vulnerability is1. Theft2. Burglar3. Open door4. Diamonds
Security Planning: An Applied Approach | 04/21/23 | 72
Question
Protected Health Information is:1. SSN, medical information2. Name, SSN, medical information3. Name, address, SSN, phone, medical information4. Medical information stored in a computer
Security Planning: An Applied Approach | 04/21/23 | 73
Question
The Security Rule requires that:1. Logs are monitored2. An intrusion detection system is implemented3. Cabinets containing PHI must be locked4. Walls must be soundproof and all terminals outside of
waiting room
Security Planning: An Applied Approach | 04/21/23 | 74
Question
The Privacy Rule requires that:1. Logs are monitored2. An intrusion detection system is implemented3. Cabinets containing PHI must be locked4. Walls must be soundproof and all terminals outside of the
waiting room
Security Planning: An Applied Approach | 04/21/23 | 75
Question
The Addressable option for the Security Rule means:1. Smaller organizations need not implement if they can justify it
would be too expensive2. HIPAA discusses alternative means to accomplish this, and the
organization must select one3. The CE must document how they accomplish this provision4. This provision must be implemented or addressed in some
way, although alternative implementations are allowed
Security Planning: An Applied Approach | 04/21/23 | 76
HIPAA protects Protected Health information (PHI)Applicable to Covered Entities and their Business AssociatesIn General:•Privacy Rule covers Need-to-know, Disclosures, Notice of Privacy Practice, non-electronic privacy•Security Rule covers Administrative, Physical and Technical Safeguards•HITECH increases penalties for non-complianceHIPAA is an example of state-of-the-art Privacy and Security regulationMost of each chapter of this book is required for HIPAA
Summary
Security Planning: An Applied Approach | 04/21/23 | 77
Not Covered in this Presentation
Some specialized material is not being covered as part of this presentation, including:Hybrid Entities: Part Covered, Part NotOrganized Health Care Arrangement (OHCA): Group of doctorsJointly Administered Govt. ProgramTrading Partner: CEs exchange electronic transactions without clearinghouseCOBRA
top related