HIPAA Security 101
PA Dept. of Public Welfare -- v3.1 April 7, 2005

Page 1

HIPAA Security 101

Page 2
PA Dept. of Public Welfare -- v3.1 April 7, 2007

HIPAA Security

As a care provider, clearinghouse, and “insurer,” the Department of Public Welfare (DPW) deals with our citizens’ medical information on a daily basis. It is essential that we protect the privacy and security of those records.

Page 3

HIPAA Security

HIPAA privacy, which covers Protected Health Information (PHI) in any form, has already been addressed in a separate training course.

This training deals with HIPAA Security, the practices used to protect certain electronic health information. Although HIPAA Security covers PHI only in electronic form, it is closely linked to HIPAA privacy.

Page 4

Quiz 1

What is HIPAA?

1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.

Please make your selection: ____

Page 5

Answer 1

If you selected choice 3, the Health Insurance Portability and Accountability Act of 1996, you are CORRECT!

HIPAA was passed by the US Congress and signed by President Clinton. It is intended to simplify administration of the health care system and to reform the way health care providers, insurers, and other “covered” entities share and protect your health information.

Page 6

Who is a “Covered” Entity?

Health Care Providers: physicians, dentists, nurses, hospitals, nursing homes, etc. Includes DPW.

Health Care Clearinghouses: billing services, etc. Includes DPW.

Health Care Plans: group health plans, HMOs, PPOs, Medicare, Medicaid, etc. Includes DPW.

Page 7

What does HIPAA Cover?

Transactions – standardizes diagnostic and treatment codes, forms, and processes used by providers, insurers, and other covered entities

Identifiers – standardizes identifier codes or numbers for providers, health plans, and employers

Privacy – addresses who has access to PHI in any form (oral, written, electronic, etc.), the circumstances under which those records may or may not be shared, and how that information needs to be safeguarded

Security – addresses how PHI (electronic only) is protected, both in storage and in transmission

Page 8

What are We Securing?

Electronic PHI (ePHI) is data that:

Identifies or includes information that could identify an individual (including demographic information)

Relates to the past, present, or future
  Physical or mental health or condition of an individual
  Provision of health care to the individual
  Payment for the provision of health care to an individual

Is stored or transmitted electronically

Page 9

Quiz 2

Are data such as your name, address, phone number, date of birth, and social security number (SSN) examples of PHI covered by HIPAA?

Yes or No?

Page 10

Answer 2

YES. As a part of a medical record, they are examples of data by which the identity of a client could be determined. Within the DPW data systems, this type of data is so intertwined with medical data that DPW has made a decision to treat all such data elements as PHI, regardless of their actual context or source.

Page 11

What is HIPAA Security?

Security consists of the administrative, physical, and technical controls or processes by which we ensure:

Confidentiality – only the right people see the data
Integrity – the data is what it is supposed to be; it hasn’t been changed or corrupted
Availability – the data is available when it is needed

Page 12

What is HIPAA Security? (cont.)

We protect data from:

Actual and reasonably anticipated threats or hazards to the security or integrity of ePHI (for example, fire, flood, theft, storm, etc.)

Actual and reasonably anticipated uses or disclosures of ePHI not permitted by the policy rules (including accidental or deliberate access or use by unauthorized persons)

Page 13

Administrative Safeguards

Policies, procedures and practices including:

Security management processes
  Risk analysis and management
  Sanction policy
  Information system review and auditing

Assigned security responsibility
  HIPAA security officer

Workforce security
  Authorization and/or supervision
  Background checks
  Termination procedure

Page 14

Administrative Safeguards (cont.)

Information access management
  Isolation of ePHI data from other data
  User registration/deregistration process
  Access authentication and authorization

Security awareness and training
  HIPAA-specific workforce training, including program office and job-specific training
  Security reminders/bulletins
  Anti-virus and anti-spyware software and procedures
  Login monitoring
  Password policies

Page 15

Administrative Safeguards (cont.)

Security incident procedures
  Reporting and response

Contingency planning
  Data backup
  Disaster recovery planning

Agreements with entities performing HIPAA-covered work on DPW’s behalf
  Written agreements, revisions of agreements, as appropriate

Evaluation
  Periodic review and self-evaluation

Page 16

Physical Safeguards

Means by which the physical systems and media are protected from unauthorized use or access:

Facility access controls
  Contingency operation
  Facility security (restricted access, monitoring, etc.)
  Access control and validation procedure
  Maintenance records

Workstation usage
  Business use only
  Restrictions on Internet access

Page 17

Physical Safeguards (cont.)

Workstation security
  UserID/Password required for access
  Automatic lockout when workstation is unattended or unused for a certain amount of time

Device and media controls
  Disposal of systems and media
  Media re-use
  Accountability and tracking
  Data backup and storage

Page 18

Technical Safeguards

Means by which electronic data, access to it, and its use are controlled and monitored:

Access controls
  Unique user identification
  Emergency access procedure
  Automatic logoff
  Encryption and decryption

Page 19

Technical Security (cont.)

Audit controls
  Ability to determine who accessed data and when
  Ability to determine who modified data and when

Integrity
  Mechanisms in place to authenticate or validate ePHI

Transmission security
  Integrity controls to ensure that data isn’t lost or altered
  Encryption to ensure that only the recipient can see the data
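The audit-control and integrity items above, shown as an added example that is not part of the DPW training deck: a small authenticated audit trail whose entries answer "who accessed or modified a record, and when", chained with HMAC so that a tampered, deleted or reordered entry fails verification. The key, record ids and user names are constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed per-system log key (constructed for this example; in a real
# deployment it comes from a secret store, never from source code).
LOG_KEY = b"constructed-demo-key-not-for-production"


def _mac(prev_mac: str, entry: dict) -> str:
    # Each entry's MAC covers the previous MAC, so removing or reordering
    # an entry breaks the chain for everything after it.
    payload = prev_mac.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(LOG_KEY, payload, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # each item: {"entry": {...}, "mac": "..."}

    def record(self, user: str, action: str, record_id: str, when: str = None):
        """Append one access/modification event (action is e.g. "read" or "update")."""
        when = when or datetime.now(timezone.utc).isoformat()
        entry = {"user": user, "action": action, "record": record_id, "time": when}
        prev = self.entries[-1]["mac"] if self.entries else ""
        self.entries.append({"entry": entry, "mac": _mac(prev, entry)})

    def verify(self) -> bool:
        """Recompute the chain; False means some entry was altered, dropped or reordered."""
        prev = ""
        for item in self.entries:
            if not hmac.compare_digest(item["mac"], _mac(prev, item["entry"])):
                return False
            prev = item["mac"]
        return True

    def who(self, record_id: str, action: str) -> list:
        """Answer the audit question: which users performed `action` on this record, and when."""
        return [(i["entry"]["user"], i["entry"]["time"]) for i in self.entries
                if i["entry"]["record"] == record_id and i["entry"]["action"] == action]


if __name__ == "__main__":
    # Constructed sample events, not real ePHI access records.
    log = AuditLog()
    log.record("nurse01", "read", "pt-1001")
    log.record("clerk02", "update", "pt-1001")
    print("chain valid:", log.verify())
    print("who modified pt-1001:", log.who("pt-1001", "update"))
```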

Page 20

So Who Cares?

Each of us must care. We in DPW are responsible for the medical information of our citizens. In addition, the vast majority of us have been treated by health care practitioners and would care greatly if we thought our medical records might be shared with strangers or unauthorized individuals or entities. Why should we expect our clients to care any less than we would?

Page 21

So Who Cares? (cont.)

The Commonwealth of Pennsylvania and DPW. We are the custodians of our citizens’ data and it is a serious responsibility. Misuse or unauthorized disclosure of this data could lead to termination or other disciplinary action, possible criminal charges, and/or civil penalties.

Page 22

So Who Cares? (cont.)

Federal Department of Health and Human Services (DHHS). DHHS was responsible for issuing HIPAA regulations. These regulations and the HIPAA statute passed by Congress comprise the HIPAA legal requirements. DHHS’s Centers for Medicare and Medicaid Services (CMS) enforces HIPAA security (and transaction) regulations; DHHS’s Office of Civil Rights (OCR) enforces HIPAA privacy regulations.

Page 23

So Who Cares? (cont.)

The Federal Government. Misuse or unauthorized disclosure of PHI can result in federal criminal penalties, including imprisonment of up to 10 years and fines of up to $250,000. Additional penalties may be applied as a result of civil action.

Page 24

General DPW Practices

There are some general security practices that everyone must use, regardless of their job duties and access to or use of ePHI:

Abide by UserID and Password policies
  Use strong passwords (7 or more characters, mix of uppercase, lowercase, numbers, punctuation)
  Change passwords regularly
  Don’t write passwords down where others can get them
  Do not share your UserID and password with others
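The strong-password rule above, implemented as an added example (not DPW's own tool or code): the checker reports every rule a candidate password breaks rather than just pass/fail, so the user sees why a 12-character password without an uppercase letter is still rejected. Reading "mix" as at least one character from each of the four classes is an assumption; the slide gives no exact counts.

```python
import string

# The rule as stated on the slide: 7 or more characters with a mix of
# uppercase, lowercase, numbers and punctuation. "Mix" is read here as
# at least one character from each class (assumption; the slide does not
# spell out the exact count per class).
MIN_LENGTH = 7
CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "punctuation": set(string.punctuation),
}


def password_problems(password: str) -> list:
    """Return the names of the rules the password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    chars = set(password)
    for name, members in CLASSES.items():
        if not chars & members:
            problems.append(name)
    return problems


def is_compliant(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed samples for illustration, not real credentials.
    for pw in ("Harrisburg7!", "harrisburg7!", "Hb7!", "HARRISBURG7!"):
        print(repr(pw), "->", password_problems(pw) or "OK")
```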

Page 25

General DPW Practices (cont.)

Always lock your workstation when not using it or when away from your desk. Also lock away any paper files containing PHI and any floppies, CDs, or other media containing ePHI.

Don’t install software from home or from the Internet on your workstation

Limit Internet use to work-related activities

Page 26

General DPW Practices (cont.)

Don’t open unsolicited email from unknown senders or suspicious email from colleagues (this is a great way to spread computer viruses)

Immediately report unusual workstation behavior to your supervisor

Immediately report possible theft or misuse of your UserID to your supervisor

Page 27

Job-Specific Practices

Those of you who have access to or use ePHI as a part of fulfilling your job duties need to be especially aware of HIPAA security.

Changing your password more frequently than generally required, encrypting data residing on your workstation, and using secure email are examples of practices to be followed.

Page 28

Job-Specific Practices (cont.)

Within DPW, there are many jobs that involve access to and use of PHI, far too many to cover in detail in this training session.

Your program office or facility will be holding additional training sessions specific to HIPAA security as it relates to your job. Contact your supervisor for more information.

Page 29

Resources

HIPAA regulations and information:
  www.cms.gov/hipaa
  www.dhhs.gov

DPW HIPAA Privacy Policy
DPW HIPAA Security Policy
DPW Business and Technical Standards
Commonwealth Internet Usage Policy
Commonwealth IT Standards

Page 30

Contact Information

Diana Clark (Privacy, Legal) [email protected]

Frank Morrow (Security) [email protected]

Frank Potemra (Policy) [email protected]

Your Program Office Security Manager
Your Supervisor

Page 31

Quiz 3

To wrap things up, what is HIPPO?

1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.

Please make your selection: ____

Page 32

Answer 3

Choice 1, of course! A HIPPO is a large African animal that spends much of its time in the water.