cloudcamp chicago lightning talk: "security and sanity in the hipaa-compliant workplace" -...

Post on 19-Jun-2015


Category:

Healthcare


DESCRIPTION

"Security and Sanity in the HIPAA-Compliant Workplace" - Alex Connor, Lead Architect at Crimson Care Management at Advisory Board Co. How are Cloud, the Internet of Things, and mobile devices disrupting healthcare IT? Are these tools or security threats? What do doctors, administrators, researchers, nurses, and patients think of technology? Join us on Sept 3rd to discuss the future of healthcare and technology.

TRANSCRIPT

“Security and Sanity in the HIPAA-Compliant Workplace”

Alex Connor, Lead Architect at Crimson Care Management at Advisory Board Co. Tweet: @HITizen #cloudcamp

#cloudcamp @CloudCamp_CHI

Security and Sanity in a HIPAA-Compliant Environment

HIPAA – BA Requirements
• Data Security – PHI
  • Encryption
  • Physical Security
• Traceability
  • To whom does the data refer?
  • Who saw it?
  • What did they see?
  • When did they see it?
  • How did they access it?
  • From where did they see it?
  • Why are they allowed to see it?
• Personnel
  • Annual HIPAA training
  • PHI access authorization
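As an added illustration (not code from the talk), the traceability questions above map one-to-one onto the fields of a PHI access audit record. The hypothetical Python below models one such record, flags records that leave a question unanswered, and checks the actor against a constructed personnel roster for PHI access authorization and current annual training:

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed personnel roster (hypothetical data): whether each account is
# authorized to view PHI and when it last completed annual HIPAA training.
STAFF = {
    "dr.lee":  {"phi_authorized": True,  "trained_on": date(2015, 2, 10)},
    "intern1": {"phi_authorized": False, "trained_on": date(2015, 5, 1)},
    "billing": {"phi_authorized": True,  "trained_on": date(2013, 11, 3)},
}


@dataclass
class PhiAccessEvent:
    """One audit record; each field answers one of the traceability questions."""
    patient_id: str        # To whom does the data refer?
    actor: str             # Who saw it?
    fields_viewed: list    # What did they see?
    seen_at: datetime      # When did they see it?
    channel: str           # How did they access it? (e.g. "ehr-web", "api")
    source_ip: str         # From where did they see it?
    purpose: str           # Why are they allowed to see it? (e.g. "treatment")


def audit_findings(event: PhiAccessEvent, today: date) -> list:
    """Return policy findings for one access event; an empty list means clean."""
    findings = []
    # Every traceability question must be answered, or the record is unusable
    # for a breach investigation.
    for name, value in vars(event).items():
        if value in ("", None, []):
            findings.append(f"missing traceability field: {name}")
    staff = STAFF.get(event.actor)
    if staff is None:
        findings.append("actor not on personnel roster")
        return findings
    if not staff["phi_authorized"]:
        findings.append("actor lacks PHI access authorization")
    # Annual training: flag anyone whose last training is older than a year.
    if today - staff["trained_on"] > timedelta(days=365):
        findings.append("annual HIPAA training has lapsed")
    return findings
```

In practice the roster would come from the identity system and the events from the application's audit log; the checks are the same.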

Safety Best Practices
• Designate an Information Security Officer
• Personal Computer
  • HD must be encrypted
  • Screen shield
  • Lock it whenever you leave it – even for less than a minute
• Email
  • Encrypt or “send secure” by default
  • Report sensitive data sent by external parties
• Files
  • Never attach files with PHI to email or chat
  • Use SFTP or other secure file sharing

Staying Sane
• Set clear expectations
  • Define a policy and train staff on it
  • Include clear definitions around warnings, sanctions and breaches
  • Contextualize policy and definitions
• Cultivate a culture of security
  • Enforce screen lock policies
  • Make secure communication the norm, not the exception
  • Promote openness and discussion
• Keep Perspective
  • Have a sense of humor, as much as possible
  • Stay current with laws and best practices
