"Security and Sanity in the HIPAA-Compliant Workplace"
Alex Connor, Lead Architect, Crimson Care Management at Advisory Board Co.
Tweet: @HITizen #cloudcamp @CloudCamp_CHI
Security and Sanity in a HIPAA-Compliant Environment

HIPAA – BA (Business Associate) Requirements
• Data Security – PHI (Protected Health Information)
  • Encryption
  • Physical security
• Traceability – every PHI access must answer:
  • To whom does the data refer?
  • Who saw it?
  • What did they see?
  • When did they see it?
  • How did they access it?
  • From where did they see it?
  • Why are they allowed to see it?
• Personnel
  • Annual HIPAA training
  • PHI access authorization
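The seven traceability questions above map directly onto the fields of a PHI access audit record. The following is an added example (not code from the talk or from Crimson Care Management) of an append-only audit log that refuses to record an access unless every question can be answered, plus the query an auditor most often asks; the field names and sample values are assumptions.

```python
"""Added example: a minimal PHI access audit log built around the slide's
seven traceability questions (field names and sample values are assumed)."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import json

# One field per traceability question, in the slide's order.
REQUIRED_FIELDS = ("patient_id", "actor", "resource", "timestamp",
                   "access_method", "source_ip", "justification")


@dataclass(frozen=True)
class PhiAccessEvent:
    patient_id: str      # To whom does the data refer?
    actor: str           # Who saw it?
    resource: str        # What did they see?
    timestamp: str       # When did they see it? (UTC, ISO-8601)
    access_method: str   # How did they access it? (e.g. "web-ui", "api")
    source_ip: str       # From where did they see it?
    justification: str   # Why are they allowed to see it? (role/authorization)


def validate(fields: dict) -> list:
    """Return the traceability fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS if not fields.get(f)]


def record(log: list, **fields) -> dict:
    """Append a validated event as one JSON line; reject untraceable access."""
    fields.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
    missing = validate(fields)
    if missing:
        # Logging an incomplete record would leave an audit gap, so fail loudly.
        raise ValueError(f"untraceable PHI access, missing fields: {missing}")
    event = asdict(PhiAccessEvent(**fields))
    log.append(json.dumps(event, sort_keys=True))
    return event


def who_saw(log: list, patient_id: str) -> list:
    """Auditor's question: which actors accessed this patient's PHI?"""
    events = (json.loads(line) for line in log)
    return sorted({e["actor"] for e in events if e["patient_id"] == patient_id})


def audit_trail(log: list, patient_id: str) -> list:
    """Full per-patient trail (all seven answers) for breach investigation."""
    return [e for e in map(json.loads, log) if e["patient_id"] == patient_id]
```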
Safety Best Practices
• Designate an Information Security Officer
• Personal computer
  • Hard drive must be encrypted
  • Screen shield
  • Lock it whenever you leave it, even for less than a minute
• Email
  • Encrypt or "send secure" by default
  • Report sensitive data sent by external parties
• Files
  • Never attach files with PHI to email or chat
  • Use SFTP or other secure file sharing
Staying Sane
• Set clear expectations
  • Define a policy and train staff on it
  • Include clear definitions around warnings, sanctions and breaches
  • Contextualize policy and definitions
• Cultivate a culture of security
  • Enforce screen lock policies
  • Make secure communication the norm, not the exception
  • Promote openness and discussion
• Keep perspective
  • Have a sense of humor, as much as possible
  • Stay current with laws and best practices