HIPAA Security Standards - PowerPoint PPT Presentation

1 / 20
About This Presentation
Title:

HIPAA Security Standards

Description:

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy Overview HIPAA-Health Insurance Portability and Accountability Act of 1996 Why Security? – PowerPoint PPT presentation

Number of Views:525
Avg rating:3.0/5.0
Slides: 21
Provided by: Emmy5
Category:

less

Transcript and Presenter's Notes

Title: HIPAA Security Standards


1
HIPAASecurity Standards
  • Emmanuelle Mirsakov
  • USC School of Pharmacy

2
Overview
  • HIPAA-Health Insurance Portability and
    Accountability Act of 1996
  • Why Security?
  • Focus on Security rule vs. Privacy rule
  • Security rule applies only to EPHI, while the
    Privacy rule applies to PHI which may be in
    electronic, oral, and paper form.
  • Privacy is the Who, What, and When and
    Security is the How

3
Who Oversees HIPAA? The U.S. Department of
Health Human Service
  • The Centers for Medicare
  • and Medicaid Services
  • Oversees
  • Transactions and Code Sets
  • Standard Unique Identifiers
  • Security
  • Contact info
  • http//www.cms.hhs.gov/hipaa/
  • hipaa2/
  • AskHIPAA_at_cms.hhs.gov
  • 1-866-282-0659
  • The Office for Civil Rights Oversees
  • Privacy
  • Contact info
  • http//www.hhs.gov/ocr/hipaa/
  • OCRPrivacy_at_hhs.gov
  • 1-866-627-7748

4
Goals Of Security Rule
  • Confidentiality
  • EPHI is accessible only by authorized people and
    processes
  • Integrity
  • EPHI is not altered or destroyed in an
    unauthorized manner
  • Availability
  • EPHI can be accessed as needed by an authorized
    person

5
Parts of the Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies Procedures Documentation
    Requirements

6
Security Rule
  • The rule is technology neutral
  • The rule does not prescribe the use of specific
    technologies, so that the health care community
    will not be bound by specific systems and/or
    software that may become obsolete
  • The security rule is based on the fundamental
    concepts of flexibility, scalability and
    technology neutrality.

7
Security Standards
  • Administrative Safeguards
  • Administrative functions that should be
    implemented to meet the security standards
  • Physical Safeguards
  • Mechanisms required to protect electronic
    systems, equipment and the data they hold, from
    threats, environmental hazards and unauthorized
    intrusion.
  • Technical Safeguards
  • The automated processes used to protect data and
    control access to data

8
Technical Safeguards
  • Main parts
  • Access Control
  • Audit Control
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

9
Access Control
  • The ability or the means necessary to read,
    write, modify, or communicate data/information or
    otherwise use any system resource
  • Access controls should enable authorized users to
    access minimum necessary information needed to
    perform job functions.

10
4 implementation specifications associated with
Access Controls
  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff (addressable)
  • Encryption and decryption (addressable)

11
Audit Controls
  • Implement hardware, software, and/or procedural
    mechanisms that record and examine activity in
    information systems that contain or use
    electronic protected health information.
  • Useful to determine if a security violation
    occurred
  • The security rule does not identify data that
    must be gathered by the audit controls or how
    often the audit reports should be reviewed (no
    implementation specifications)

12
Integrity
  • The property that data or information have not
    been altered or destroyed in an unauthorized
    manner
  • The integrity of data can be compromised by both
    technical and non-technical sources
  • Implementation specification
  • Implement electronic mechanisms to corroborate
    that EPHI has not been altered or destroyed in an
    unauthorized manner. (addressable)

13
Person or Entity Authentication
  • Implement procedures to verify that a person or
    entity seeking access to EPHI is the one claimed
  • Ways to provide proof of identity
  • Require something known only to that individual
    (password or PIN)
  • Require smart card, token, or a key
  • Require a biometric (fingerprint, voice pattern,
    facial pattern, iris pattern)

14
Transmission Security
  • Implement technical security measures to guard
    against unauthorized access to EPHI that is being
    transmitted over an electronic communications
    network
  • This standard has 2 implementation
    specifications
  • Integrity Controls (addressable)
  • Encryption (addressable)

15
Implementation Specifications
  • Integrity Controls
  • Integrity in this context is focused on making
    sure that EPHI is not improperly modified during
    transmission
  • 1 through the use of network communications
    protocols
  • Data message authentication codes
  • Encryption
  • Implement a mechanism to encrypt EPHI whenever
    deemed appropriate

16
Pro Pharma Implementation
  • All hard drives can only be accessed by
    individuals with proper clearance by Pro Pharma
  • All employees have a unique user name and
    password
  • All employees are required to lock their station
    whenever they get up
  • Content filters allow Pro Pharma management to
    screen all incoming and outgoing e-mails for
    possible threats
  • Full virus protection is installed on every
    workstation
  • Network browsing is routed to a system that
    checks for threats
  • No employee has administrative rights to their
    local machine
  • No employees have domain administrative rights on
    the Pro Pharma domain
  • Every workstation is attached to a UPS power
    supply to protect from power failure or power
    surge

17
In Summary
  • Security rules are in place to enhance health
    information sharing and to protect patients
  • The Security rule technical safeguards are the
    technology related policies and procedures that
    protect EPHI and control access to it
  • Be cognizant of PHI, and follow Pro Pharma
    protocols

18
The Bright Side
  • Knock, knock. Whos there? HIPAA. HIPAA
    who?Sorry, Im not allowed to disclose that
    information.

19
In Case You Needed More
20
Last One I Promise!
Write a Comment
User Comments (0)
About PowerShow.com