HIPAA Security 101 - PowerPoint PPT Presentation

1 / 32

About This Presentation

Title:

HIPAA Security 101

Description:

HIPAA Security 101 HIPAA Security 101 PA Dept. of Public Welfare * -- v3.1 April 7, 2005 * HIPAA Security As a care provider, clearinghouse, and insurer, the ... – PowerPoint PPT presentation

Number of Views:267

Avg rating:3.0/5.0

Slides: 33

Provided by: dpwState8

Category:

more less

Transcript and Presenter's Notes

Title: HIPAA Security 101

1
HIPAA Security 101
2
HIPAA Security

As a care provider, clearinghouse, and insurer,
the Department of Public Welfare (DPW) deals with
our citizens medical information on a daily
basis. It is essential that we protect the
privacy and security of those records.

3
HIPAA Security

HIPAA privacy, which covers Protected Health
Information (PHI) in any form has already been
addressed as a separate training course.
This training deals with HIPAA Security, the
practices used to protect certain electronic
health information. Although HIPAA Security
covers PHI only in electronic form, it is closely
linked to HIPAA privacy.

4
Quiz 1

What is HIPAA?
A large African animal that spends much of its
time in the water.
A long-haired, bell-bottom and sandals wearing
flower child.
The Health Insurance Portability and
Accountability Act of 1996.
Please make your selection ____

5
Answer 1

If you selected choice 3, the Health Insurance
Portability and Accountability Act of 1996, you
are CORRECT!
HIPAA was passed by the US Congress and signed by
President Clinton. It is intended to simplify
administration of the health care system and to
reform the way health care providers, insurers,
and other covered entities share and protect
your health information.

6
Who is a Covered Entity?

Health Care Providers
Physicians, dentists, nurses, hospitals, nursing
homes, etc.
Includes DPW
Health Care Clearinghouses
Billing services, etc.
Includes DPW
Health Care Plans
Group health plans, HMOs, PPOs, Medicare,
Medicaid, etc.
Includes DPW

7
What does HIPAA Cover?

Transactions standardizes diagnostic and
treatment codes, forms, and, processes used by
providers, insurers, and other covered entities
Identifiers standardizes identifier codes or
numbers for providers, health plans, and
employers
Privacy addresses who has access to PHI in any
form (oral, written, electronic, etc.), the
circumstances under which those records may or
may not be shared, and how that information needs
to be safeguarded
Security addresses how PHI (electronic only) is
protected, both in storage and in transmission

8
What are We Securing?

Electronic PHI (ePHI) is data that
Identifies or includes information that could
identify an individual (including demographic
information)
Relates to the past, present, or future
Physical or mental health or condition of an
individual
Provision of health care to the individual
Payment for the provision of health care to an
individual
Is stored or transmitted electronically

9
Quiz 2

Are data such as your name, address, phone
number, date of birth, and social security number
(SSN) examples of PHI covered by HIPAA?
Yes or No?

10
Answer 2

YES
As a part of a medical record, they are examples
of data by which the identity of a client could
be determined. Within the DPW data systems, this
type of data is so intertwined with medical data
that DPW has made a decision to treat all such
data elements as PHI, regardless of their actual
context or source.

11
What is HIPAA Security?

Security consists of the administrative,
physical, and technical controls or processes by
which
We ensure
Confidentiality only the right people see the
data
Integrity the data is what it is supposed to
be it hasnt been changed or corrupted
Availability the data is available when it is
needed

12
What is HIPAA Security? (cont.)

We protect data from
Actual and reasonably anticipated threats or
hazards to the security or integrity of ePHI (for
example, fire, flood, theft, storm, etc.)
Actual and reasonably anticipated uses or
disclosures of ePHI not permitted by the policy
rules (including accidental or deliberate access
or use by unauthorized persons)

13
Administrative Safeguards

Policies, procedures and practices including
Security management processes
Risk analysis and management
Sanction policy
Information system review and auditing
Assigned security responsibility
HIPAA security officer
Workforce security
Authorization and/or supervision
Background checks
Termination procedure

14
Administrative Safeguards (cont.)

Information access management
Isolation of ePHI data from other data
User registration/deregistration process
Access authentication and authorization
Security awareness and training
HIPAA-specific workforce training, including
program office and job-specific training
Security reminders/bulletins
Anti-virus and anti-spyware software and
procedures
Login monitoring
Password policies

15
Administrative Safeguards (cont.)

Security incident procedures
Reporting and response
Contingency planning
Data backup
Disaster recovery planning
Agreements with entities performing HIPAA-covered
work on DPWs behalf
Written agreements, revisions of agreements, as
appropriate
Evaluation
Periodic review and self-evaluation

16
Physical Safeguards

Means by which the physical systems and media are
protected from unauthorized use or access
Facility access controls
Contingency operation
Facility security (restricted access, monitoring,
etc.)
Access control and validation procedure
Maintenance records
Workstation usage
Business use only
Restrictions on Internet access

17
Physical Safeguards (cont.)

Workstation security
UserID/Password required for access
Automatic lockout when workstation is unattended
or unused for a certain amount of time
Device and media controls
Disposal of systems and media
Media re-use
Accountability and tracking
Data backup and storage

18
Technical Safeguards

Means by which electronic data, access to it, and
its use are controlled and monitored
Access controls
Unique user identification
Emergency access procedure
Automatic logoff
Encryption and decryption

19
Technical Security (cont.)

Audit controls
Ability to determine who accessed data and when
Ability to determine who modified data and when
Integrity
Mechanisms in place to authenticate or validate
ePHI
Transmission Security
Integrity controls to ensure that data isnt lost
or altered
Encryption to ensure that only the recipient can
see the data

20
So Who Cares?

Each of us must care
We in DPW are responsible for the medical
information of our citizens. In addition, the
vast majority of us have been treated by health
care practitioners and would care greatly if we
thought our medical records might be shared with
strangers or unauthorized individuals or
entities. Why should we expect our clients to
care any less than we would?

21
So Who Cares? (cont.)

The Commonwealth of Pennsylvania and DPW
We are the custodians of our citizens data and
it is a serious responsibility. Misuse or
unauthorized disclosure of this data could lead
to termination or other disciplinary action,
possible criminal charges, and/or civil penalties.

22
So Who Cares? (cont.)

Federal Department of Health and Human Services
(DHHS)
DHHS was responsible for issuing HIPAA
regulations. These regulations and the HIPAA
statute passed by Congress comprise the HIPAA
legal requirements. DHHSs Centers for Medicare
and Medicaid Services (CMS) enforces HIPAA
security (and transaction) regulations DHHSs
Office of Civil Rights (OCR) enforces HIPAA
privacy regulations.

23
So Who Cares? (cont.)

The Federal Government
Federal penalties for misuse or unauthorized
disclosure of PHI can result in criminal
penalties including imprisonment of up to 10
years and fines of up to 250,000. Additional
penalties may be applied as a result of civil
action.

24
General DPW Practices

There are some general security practices that
everyone must use, regardless of their job duties
and access to or use of ePHI
Abide by UserID and Password policies
Use strong passwords (7 or more characters, mix
of uppercase, lowercase, numbers, punctuation)
Change passwords regularly
Dont write passwords down where others can get
them
Do not share your UserID and password with others

25
General DPW Practices (cont.)

Always lock your workstation when not using it or
when away from your desk, for example, lock away
any paper files containing PHI or floppies, CDs,
or other media containing ePHI
Dont install software from home or from the
Internet on your workstation
Limit Internet use to work-related activities

26
General DPW Practices (cont.)

Dont open unsolicited email from unknown senders
or suspicious email from colleagues (this is a
great way to spread computer viruses)
Immediately report unusual workstation behavior
to your supervisor
Immediately report possible theft or misuse of
your UserID to your supervisor

27
Job-Specific Practices

Those of you who have access to or use ePHI as a
part of fulfilling your job duties need to be
especially aware of HIPAA security.
Changing your password more frequently than
generally required, encrypting data residing on
your workstation, and using secure email are
examples of practices to be followed.

28
Job-Specific Practices (cont.)

Within DPW, there are many jobs that involve
access to and use of PHI, far too many to cover
in detail in this training session.
Your program office or facility will be holding
additional training sessions specific to HIPAA
security as it relates to your job. Contact your
supervisor for more information.

29
Resources