HIPAA Security 101
PA Dept. of Public Welfare, v3.1, April 7, 2005
HIPAA Security
As a care provider, clearinghouse, and “insurer,” the Department of Public Welfare (DPW) deals with our citizens’ medical information on a daily basis. It is essential that we protect the privacy and security of those records.
HIPAA Security
HIPAA privacy, which covers Protected Health Information (PHI) in any form, has already been addressed in a separate training course.
This training deals with HIPAA Security, the practices used to protect certain electronic health information. Although HIPAA Security covers PHI only in electronic form, it is closely linked to HIPAA privacy.
Quiz 1
What is HIPAA?
1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.
Please make your selection: ____
Answer 1
If you selected choice 3, the Health Insurance Portability and Accountability Act of 1996, you are CORRECT!
HIPAA was passed by the US Congress and signed by President Clinton. It is intended to simplify administration of the health care system and to reform the way health care providers, insurers, and other “covered” entities share and protect your health information.
Who is a “Covered” Entity?
Health Care Providers – physicians, dentists, nurses, hospitals, nursing homes, etc. Includes DPW.
Health Care Clearinghouses – billing services, etc. Includes DPW.
Health Care Plans – group health plans, HMOs, PPOs, Medicare, Medicaid, etc. Includes DPW.
What does HIPAA Cover?
Transactions – standardizes diagnostic and treatment codes, forms, and processes used by providers, insurers, and other covered entities
Identifiers – standardizes identifier codes or numbers for providers, health plans, and employers
Privacy – addresses who has access to PHI in any form (oral, written, electronic, etc.), the circumstances under which those records may or may not be shared, and how that information needs to be safeguarded
Security – addresses how PHI (electronic only) is protected, both in storage and in transmission
What are We Securing?
Electronic PHI (ePHI) is data that:
  Identifies, or includes information that could identify, an individual (including demographic information)
  Relates to the past, present, or future
    Physical or mental health or condition of an individual
    Provision of health care to the individual
    Payment for the provision of health care to an individual
  Is stored or transmitted electronically
Quiz 2
Are data such as your name, address, phone number, date of birth, and social security number (SSN) examples of PHI covered by HIPAA?
Yes or No?
Answer 2
YES. As a part of a medical record, they are examples of data by which the identity of a client could be determined. Within the DPW data systems, this type of data is so intertwined with medical data that DPW has made a decision to treat all such data elements as PHI, regardless of their actual context or source.
What is HIPAA Security?
Security consists of the administrative, physical, and technical controls or processes by which we ensure:
  Confidentiality – only the right people see the data
  Integrity – the data is what it is supposed to be; it hasn’t been changed or corrupted
  Availability – the data is available when it is needed
What is HIPAA Security? (cont.)
We protect data from:
  Actual and reasonably anticipated threats or hazards to the security or integrity of ePHI (for example, fire, flood, theft, storm, etc.)
  Actual and reasonably anticipated uses or disclosures of ePHI not permitted by the policy rules (including accidental or deliberate access or use by unauthorized persons)
Administrative Safeguards
Policies, procedures and practices including:
  Security management processes
    Risk analysis and management
    Sanction policy
    Information system review and auditing
  Assigned security responsibility
    HIPAA security officer
  Workforce security
    Authorization and/or supervision
    Background checks
    Termination procedure
Administrative Safeguards (cont.)
  Information access management
    Isolation of ePHI data from other data
    User registration/deregistration process
    Access authentication and authorization
  Security awareness and training
    HIPAA-specific workforce training, including program office and job-specific training
    Security reminders/bulletins
    Anti-virus and anti-spyware software and procedures
    Login monitoring
    Password policies
Administrative Safeguards (cont.)
  Security incident procedures
    Reporting and response
  Contingency planning
    Data backup
    Disaster recovery planning
  Agreements with entities performing HIPAA-covered work on DPW’s behalf
    Written agreements, revisions of agreements, as appropriate
  Evaluation
    Periodic review and self-evaluation
Physical Safeguards
Means by which the physical systems and media are protected from unauthorized use or access:
  Facility access controls
    Contingency operation
    Facility security (restricted access, monitoring, etc.)
    Access control and validation procedure
    Maintenance records
  Workstation usage
    Business use only
    Restrictions on Internet access
Physical Safeguards (cont.)
  Workstation security
    UserID/Password required for access
    Automatic lockout when workstation is unattended or unused for a certain amount of time
  Device and media controls
    Disposal of systems and media
    Media re-use
    Accountability and tracking
    Data backup and storage
Technical Safeguards
Means by which electronic data, access to it, and its use are controlled and monitored:
  Access controls
    Unique user identification
    Emergency access procedure
    Automatic logoff
    Encryption and decryption
Technical Security (cont.)
  Audit controls
    Ability to determine who accessed data and when
    Ability to determine who modified data and when
  Integrity
    Mechanisms in place to authenticate or validate ePHI
  Transmission security
    Integrity controls to ensure that data isn’t lost or altered
    Encryption to ensure that only the recipient can see the data
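The following is an added example, not part of the DPW training deck, showing what three of the technical safeguards listed above look like in code: unique user identification, audit controls that record who accessed or modified which record and when, and an integrity mechanism (an HMAC tag over each stored record) that detects alteration on read. The key, the user names and the client record are constructed for the demonstration.

```python
import hmac
import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholder key; a real deployment would load it from a key store.
INTEGRITY_KEY = b"demo-integrity-key"


def integrity_tag(record):
    """HMAC-SHA256 over the canonical JSON form of a record (integrity safeguard)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


class EphiStore:
    """Holds ePHI records keyed by client ID, with per-user authorization,
    an audit trail of every access attempt, and tamper detection on read."""

    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)  # unique user identification
        self.records = {}     # client_id -> (record dict, integrity tag)
        self.audit_log = []   # audit controls: who did what, to which record, when

    def _audit(self, user, action, client_id, outcome):
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": user, "action": action,
                               "client_id": client_id, "outcome": outcome})

    def write(self, user, client_id, record):
        if user not in self.authorized:
            self._audit(user, "write", client_id, "denied")
            raise PermissionError(f"{user} is not authorized for ePHI")
        self.records[client_id] = (dict(record), integrity_tag(record))
        self._audit(user, "write", client_id, "ok")

    def read(self, user, client_id):
        if user not in self.authorized:
            self._audit(user, "read", client_id, "denied")
            raise PermissionError(f"{user} is not authorized for ePHI")
        record, tag = self.records[client_id]
        # Recompute the tag; a mismatch means the stored data was altered.
        if not hmac.compare_digest(tag, integrity_tag(record)):
            self._audit(user, "read", client_id, "integrity-failure")
            raise ValueError(f"ePHI record {client_id} failed integrity check")
        self._audit(user, "read", client_id, "ok")
        return dict(record)
```

Every denied or failed access still lands in the audit log, which is what lets a reviewer later determine who touched a record and whether the attempt succeeded.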
So Who Cares?
Each of us must care
We in DPW are responsible for the medical information of our citizens. In addition, the vast majority of us have been treated by health care practitioners and would care greatly if we thought our medical records might be shared with strangers or unauthorized individuals or entities. Why should we expect our clients to care any less than we would?
So Who Cares? (cont.)
The Commonwealth of Pennsylvania and DPW
We are the custodians of our citizens’ data and it is a serious responsibility. Misuse or unauthorized disclosure of this data could lead to termination or other disciplinary action, possible criminal charges, and/or civil penalties.
So Who Cares? (cont.)
Federal Department of Health and Human Services (DHHS)
DHHS was responsible for issuing HIPAA regulations. These regulations and the HIPAA statute passed by Congress comprise the HIPAA legal requirements. DHHS’s Centers for Medicare and Medicaid Services (CMS) enforces HIPAA security (and transaction) regulations; DHHS’s Office of Civil Rights (OCR) enforces HIPAA privacy regulations.
So Who Cares? (cont.)
The Federal Government
Misuse or unauthorized disclosure of PHI can result in federal criminal penalties, including imprisonment of up to 10 years and fines of up to $250,000. Additional penalties may be applied as a result of civil action.
General DPW Practices
There are some general security practices that everyone must use, regardless of their job duties and access to or use of ePHI:
  Abide by UserID and Password policies
    Use strong passwords (7 or more characters, mix of uppercase, lowercase, numbers, punctuation)
    Change passwords regularly
    Don’t write passwords down where others can get them
    Do not share your UserID and password with others
General DPW Practices (cont.)
Always lock your workstation when not using it or when away from your desk; likewise, lock away any paper files containing PHI and any floppies, CDs, or other media containing ePHI
Don’t install software from home or from the Internet on your workstation
Limit Internet use to work-related activities
General DPW Practices (cont.)
Don’t open unsolicited email from unknown senders or suspicious email from colleagues (this is a great way to spread computer viruses)
Immediately report unusual workstation behavior to your supervisor
Immediately report possible theft or misuse of your UserID to your supervisor
Job-Specific Practices
Those of you who have access to or use ePHI as a part of fulfilling your job duties need to be especially aware of HIPAA security.
Changing your password more frequently than generally required, encrypting data residing on your workstation, and using secure email are examples of practices to be followed.
Job-Specific Practices (cont.)
Within DPW, there are many jobs that involve access to and use of PHI, far too many to cover in detail in this training session.
Your program office or facility will be holding additional training sessions specific to HIPAA security as it relates to your job. Contact your supervisor for more information.
Resources
HIPAA regulations and information:
  www.cms.gov/hipaa
  www.dhhs.gov
DPW HIPAA Privacy Policy
DPW HIPAA Security Policy
DPW Business and Technical Standards
Commonwealth Internet Usage Policy
Commonwealth IT Standards
Contact Information
Diana Clark (Privacy, Legal)
Frank Morrow (Security)
Frank Potemra (Policy)
Your Program Office Security Manager
Your Supervisor
Quiz 3
To wrap things up, what is HIPPO?
1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.
Please make your selection: ____
Answer 3
Choice 1, of course! A HIPPO is a large African animal that spends much of its time in the water.