Complying with HIPAA and HITECH Security Planning Susan Lincke

Security Planning: An Applied Approach | 6/21/2016 | 2
Objectives:
Students shall be able to:
Define HIPAA, Privacy Rule, Security Rule, CE, PHI.
Define threat, vulnerability, threat agent
Describe what Privacy Rule covers at a high level
Describe what Security Rule covers at a high level
Describe the difference between Required and
Addressable for the Security Rule.
HIPAA
Introduced by Senators Edward Kennedy & Nancy
Kassebaum
Portability: Workers can continue health care between
different employers
Group insurance cannot reject, refuse to renew, or charge higher premiums to certain individuals
Simplify administration by creating a health care transaction
standard
Accountability:
Penalties for non-compliance
Tax provisions
HIPAA Titles
Title 1: Health Care Insurance Access, Portability, and
Renewability
Title 2: Preventing Health Care Fraud & Abuse, Administrative
Simplification, Medical Liability Reform
Title 3: Tax-related Health Provisions
Standardizes medical savings accounts
Title 4: Application and Enforcement of Group Health Insurance
Requirements
Title 5: Revenue Offsets
Defines how employers can deduct company-owned life insurance premiums
from income tax
Title 2 Has Three Rules
Transactions, Code Sets, and Identifiers: Standards for electronic
transmission
• Electronic Data Interchange: Standardized records for health
care transactions
The Privacy Rule: Standard for Privacy of Individually Identifiable
Health Information
The Security Rule: Security Standard for electronic patient health
Reasons for Legislation
Records of patients or insurance claims made publicly available
by accident
Email reminder to take Prozac sent to 600 (not blind cc’d)
Woman fired from job after positive review but expensive illness
35% of Fortune 500 companies admitted checking medical
records before hiring or promoting
People avoid using insurance when they have AIDS, cancer, STD,
substance abuse or mental illness
Medical Identity Theft
When a person’s name and other parts of his/her medical identity are stolen for the
purpose of getting medical services and goods.
Problems:
• Medical info is for wrong person
• Inaccurate health records
• Wrong diagnosis
• Fatal treatments
• Imposter claims health care
• Medical Insurance Fraud
• Inaccurate Credit History: Bills sent elsewhere
Medical Identity Thieves:
Who can commit this crime?
Computer hackers
Members of organized crime rings
Health care providers (doctors, dentists, hospital employees)
2003: An employee at a cancer center stole the identity of a center patient. The identity thief was sentenced to 16 mos. in prison and ordered to pay restitution.
2006: A desk clerk at a Florida clinic stole the health info of over 1,000 patients. The clerk sold the data to another person. That person used the information to submit $2.8M in fraudulent Medicare claims to the U.S. government.
Business Challenges Facing the Health Care
Industry
Hospital computer systems contain notes from
hospital employees and primary care physicians.
Health Insurance Companies collect and compile
patient data from different providers.
Organizations MUST maintain the
security of computer systems that hold
health data.
Breach Notification Laws
The Oregonian, May 2006
In one of Oregon’s largest security breaches, Providence
Health System disclosed that a burglar stole unencrypted
medical records on 365,000 patients kept on disks and
tapes left overnight in an employee’s van
State Laws, called Breach Notification Laws require CEs to notify
patients when their PHI has been breached
If data is encrypted and laptop is lost, notification is not required
This often applies to any industry that uses personal information,
such as Social Security Numbers
HITECH: Health Information Technology for
Economic and Clinical Health Act (2009)
Breach Notification Rule:
Introduced notification requirements
• Specifies how CE/BA should notify individuals and agencies if a
breach of information occurs
PHI shall be encrypted in a way that is approved by HHS.
PHI shall be shredded or destroyed and disposed of properly.
Criminal Penalties for HIPAA
Offense | $ Penalty | Imprisonment
Wrongful disclosure of individually identifiable health information | Up to $50K | Up to one year
… committed under false pretenses | Up to $100K | Up to 5 years
… with intent to sell, achieve personal gain, or cause malicious harm | Up to $500K | Up to 10 years
Then consider bad press, state audit, state law penalties, lost claims, …
HITECH Act (2009)
Circumstances | Each Violation | Max $ Per Year
CE/BA exercised reasonable diligence but did not learn about violation | $100-$50k | $1.5 Million
Violation is due to reasonable cause | $1k-$50k | $1.5 Million
CE/BA demonstrated willful neglect but corrected violation | $10k-$50k | $1.5 Million
CE/BA demonstrated willful neglect and took no corrective action | $50k | $1.5 Million
Penalties are prohibited if problem is corrected within 30 days and no willful neglect
Penalties pay for enforcement and redress for harm caused
Health Care Organization
Covered Entities (CE):
Health plan (e.g., HMO, PPO)
Health care Clearinghouse
Health Care Provider (e.g., doctor, hospital)
(Diagram of the flows among these three, labeled “Standard bills/records” and “Nonstandard bills/records”)
Health Care Organization
Business Associates (BA): works for Covered Entities (CE): Health plan, Health care Clearinghouse, Health Care Provider
Performs: Claims Processing, Transcription, Billing, Data Analysis
Independent organization
Work involves health info
Not bank or post office
Protected Health Information (PHI)
Health Information: Relates to physical or mental health, or past/present/future payment
Identifiers: Name, SSN, city or county, zip code, phone or fax, medical record #, fingerprint
If YOU had AIDS, how could such identifiers identify you?
Health Information + Identifiers = Individually Identifiable Health Information
Individually Identifiable Health Information created or maintained by a CE or BA = Protected Health Information (PHI), covered by HIPAA & HITECH
Treatment, Payment & Health Care Operations (TPO)
Treatment: Provision & coordination of health care among health care providers, including referral
Payment: Any activities involved in compensation for health care: billing, determining coverage or eligibility, analyzing services
Health Care Operations: Administrative functions related to health care: financial or legal or quality improvement, training, certification, case mgmt, business planning
HIPAA Standard Transactions
Parties: Health plan (e.g., HMO, PPO); Plan Sponsor (Employer); Health Care Provider (e.g., doctor, hospital)
Transactions (the diagram shows which parties exchange each):
• Enrollment or Disenrollment into Health Plan
• Health Plan Premium Payment
• Health Plan Eligibility Inquiry
• Certification & Authorization of Referral
• Health Care Claim
• Health Care Claim Status Request
• Health Care Claim Payment
The Genetic Information Nondiscrimination Act of 2008
Protects against some types of genetic testing discrimination:
Insurance companies can’t make eligibility decisions based on genetic testing results.
Insurance companies can’t base cost of premiums on genetic testing results.
Employers can’t hire, fire or make job decisions based on the use of genetic testing.
Employers/Health Insurance Plans cannot require genetic testing.
The HIPAA
Privacy Rule
Privacy Rule: Develop Policies
CE/BAs shall:
Develop policies, procedures, and standards for how it
will adhere to Privacy Rule. How will CE/BA:
• use and disclose PHI?
• protect patient rights?
Regularly review policies and procedures
Update policies when new requirements emerge
Monitor that policies/procedures are consistently
applied throughout the organization
Privacy Rule:
No Non-Health Usage of PHI
The National Law Journal, May 30, 1994
A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He called due the mortgages of anyone suffering from cancer.
Health information is not to be used for non-health purposes, unless an individual gives explicit permission
Privacy Rule:
Need-to-Know Access
Washington Post, March 1, 1995
The 13-year-old daughter of a hospital employee took a list of
patients’ names and phone numbers from the hospital when
visiting her mother at work. As a joke, she contacted patients
and told them they were diagnosed with HIV.
CE/BA Employees should have access only to what is absolutely
required as part of their jobs.
What individuals should have access to PHI?
What categories of PHI should individuals have access to?
What conditions are required for access?
How will Business Associates & Trading Partners be informed and
controlled?
Privacy Rule:
Protections against Marketing
Boston Globe, August 1, 2000
A patient at Brigham and Women’s Hospital in Boston
learned that employees had accessed her medical
record more than 200 times.
CE must obtain permission before sending any
marketing materials, with limited exceptions
Privacy Rule:
Establish Privacy Safeguards
Required:
Shut or locked doors
Keep voice down
Clear desk policy
Privacy curtains
Password protection
Auto screen savers
Locked cabinets
Paper shredders
Not Required:
Soundproof rooms
Redesign office space
Private hospital rooms (semiprivate ok)
OK for doctors to talk to nurses at nurse stations
Safeguards should be REASONABLE
Privacy Rule:
Employee Training & Accountability
New York Times, Jan. 19, 2002
Eli Lilly and Co. inadvertently revealed over 600 patient e-mail addresses when it sent one message to every individual registered to receive reminders about taking Prozac.
Each CE organization shall name one person who is accountable
for Privacy Rule compliance
Each employee, volunteer, contractor shall be trained in privacy
policies and procedures
• Full and Part-time
Privacy Rule: Individual Privacy Rights
Patients have the right to:
See or obtain copies of medical information (except for psychotherapy notes)
Request correction to health record
Receive a Notice of Privacy Practices
Request restrictions as to who can see PHI
Request specific method of contact for sake of privacy
Know who has accessed PHI
File a complaint if their rights have been violated
Allow and withdraw authorizations for use and disclosure
CE must:
Respond to requests within 30 days
May extend delay with notice for another 30 days
Keep records of how PHI is disclosed
Notice of Privacy Practices
Privacy Requirements:
NPP must be available when asked for
NPP must be displayed prominently in the office
Health Plan must provide upon enrollment
Health Provider must provide on first service delivery
Both must request written acknowledgment of receipt of NPP
After change, revised NPP must be issued to clients within 60 days
Electronic Requirements (if web page):
Must be displayed prominently on web page
Must be emailed to customers after a change in NPP
Required & Permitted Disclosures
Required Disclosure:
Patient (or personal representative, e.g., parent, next of kin)
Office of Civil Rights Enforcement: Investigates potential violations
to Privacy Rule
Permitted Disclosure:
Minimum-Necessary PHI may be disclosed without authorization for: judicial proceedings, coroner/funeral, organ donation, approved research, military-related situations, government-provided benefits, worker’s compensation, domestic violence or abuse, some law enforcement activities
ID must be verified by proof of identity/badge and documentation
More Disclosures
Routine Disclosure
Disclosures that happen periodically should be addressed in policies,
procedures, forms
E.g.: Referral to another provider, school immunization, report communicable
disease, medical transcription, births, deaths & other vital statistics
Non-routine Disclosure
CEs shall have reasonable criteria to review requests for non-routine PHI
disclosures
E.g., Research disclosures
Incidental Disclosure
CEs shall have reasonable safeguards
E.g. Patient overhears advice given to another patient
Accidental Disclosure
Computer is stolen with PHI
Disclosures must be tracked for THREE years
Disclosures Requiring Authorization
Research project (special conditions may allow)
Person outside health care system
Employer
• However, employer may require authorization for drug test before hiring
Other insurance companies
Health care provider not involved in patient’s health care
Insurance company not paying patient’s claims
Lawyer
Patient should get copy of authorization
Sample Authorization Form
Disclosure Authorization Form
Description of Information:_____________________________________
Patient making authorized disclosure____________________________
Person receiving information:__________________________________
Purpose of the disclosure:
Authorization Expiration Date:________________
Patient Signature__________________________ Date:____________
A form to revoke authorization must be completed to terminate authorization.
Must be retained by CE for 6 years
Implementing ‘Minimum Necessary’
Minimum necessary: Just enough info to accomplish
the main purpose
E.g., Send prescription for glasses to optician, not medical history
Data Classification
• Sensitivity of information
• Type of treatment required
Questions to Answer
• What parts of record can each user type access?
• How will we constrain access to implement view?
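One way to turn the ‘minimum necessary’ questions above into a concrete control, as an added example that is not from these slides: each field of a constructed patient record carries a sensitivity class, each user type gets an explicit field set (the optician sees the glasses prescription, not the medical history), unknown roles are denied, and every view is logged so the CE can later account for who saw what. The field names, classes and role policies are assumptions for illustration.

```python
"""Minimum-necessary views of a patient record by user type.

Added example; not from the slides.  Record fields, sensitivity classes
and role policies are constructed for illustration.
"""
from datetime import datetime, timezone

# Data classification: every field is tagged with a sensitivity class
# (constructed; a real CE derives these from its own classification policy).
FIELD_CLASS = {
    "name": "identifier",
    "mrn": "identifier",
    "dob": "identifier",
    "insurance_id": "payment",
    "charges": "payment",
    "eyeglass_rx": "treatment",
    "medications": "treatment",
    "diagnoses": "treatment",
    "psychotherapy_notes": "restricted",
}

# Role policy: the field set each user type may see (constructed).
ROLE_FIELDS = {
    "optician": {"name", "eyeglass_rx"},
    "billing": {"name", "mrn", "insurance_id", "charges"},
    "treating_physician": {
        "name", "mrn", "dob", "medications", "diagnoses", "eyeglass_rx"
    },
}

DISCLOSURE_LOG = []  # accounting of disclosures: who received which fields


def minimum_necessary_view(record, role, requester, purpose):
    """Return only the fields `role` is permitted to see.

    Unknown roles are denied (there is no default-allow).  Every view is
    recorded so the CE can answer "who has accessed PHI?".
    """
    if role not in ROLE_FIELDS:
        raise PermissionError(f"no access policy for role {role!r}")
    allowed = ROLE_FIELDS[role]
    view = {k: v for k, v in record.items() if k in allowed}
    DISCLOSURE_LOG.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "to": requester,
        "role": role,
        "purpose": purpose,
        "mrn": record.get("mrn"),
        "fields": sorted(view),
    })
    return view


def check_policy_against_classification():
    """Policy review: no role may see a 'restricted' field (e.g.
    psychotherapy notes) and every field named in a policy must be
    classified.  Returns a list of problems; empty means the policy is
    consistent with the classification."""
    problems = []
    for role, fields in ROLE_FIELDS.items():
        for f in sorted(fields):
            if f not in FIELD_CLASS:
                problems.append(f"{role}: unclassified field {f}")
            elif FIELD_CLASS[f] == "restricted":
                problems.append(f"{role}: restricted field {f} in policy")
    return problems


# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Pat Example",
    "mrn": "MRN-000123",
    "dob": "1970-01-01",
    "insurance_id": "INS-55555",
    "charges": 120.00,
    "eyeglass_rx": "OD -1.25, OS -1.50",
    "medications": ["example-med-a"],
    "diagnoses": ["example-dx"],
    "psychotherapy_notes": "[restricted]",
}

if __name__ == "__main__":
    print(minimum_necessary_view(SAMPLE_RECORD, "optician",
                                 "u-optician-1", "fill glasses order"))
    print(check_policy_against_classification())
    print(DISCLOSURE_LOG)
```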
Business Associates (BA)
Must also be responsible with PHI
Business Associates: Accreditation, Consulting, Actuarial
Not Business Associates: Janitorial, Electrical, Phone, Vending, Copy, Conduit: Mail, Financial Institution: Banks
Business Associate Contract (BAC)
CEs must request BA to sign a BAC:
BA will not disclose PHI
BA is liable for damage due to disclosure or misuse
BA will use safeguards to prevent misuse
BA will report any security incident or violation of agreement
BA will destroy or protect PHI upon termination of contract
CE can terminate contract if violation occurs
CE will provide BA copies of policies, procedures and materials for
safeguarding
Etc.
BAs are equally liable as CEs, under HITECH Act
HITECH: Health Information Technology
for Economic and Clinical Health Act
(2009)
BAs must follow the HIPAA Security Rule.
BAs are held to the same standard as CEs.
Health & Human Services (HHS) can:
• require BAs to comply with HIPAA.
• enforce penalties on noncompliant BAs.
Violation of HIPAA Privacy Rule:
WTHR Investigation Leads to Record $2.25M HIPAA Settlement, Indianapolis, IN, 2006:
Reported that CVS was “throwing sensitive personal information in the trash” (e.g., unredacted pill bottles, prescription instruction sheets, pharmacy receipts with credit card information and health insurance account numbers).
After this, other CVS pharmacies were investigated and it was found that they also were improperly disposing of PHI.
In the settlement CVS was required to:
• Create an information security program to protect personal information.
• Obtain an independent audit every 2 years until 2029.
• Pay $2.25 million to settle claims.
CVS agreed to:
• Implement a security plan that complies with HIPAA’s Privacy Rule.
• Protect information during disposal.
• Develop employee training programs.
The HIPAA
Security Rule
Security Rule Enforces Privacy Rule on Computers
Privacy Rule | Security Rule
With or w/o computer | With computer
Protect PHI | Protect EPHI
Minimum Necessary | Authentication & Access Control
Accounting of Disclosures | Unique Login Credentials, Authentication; Track modifications to EPHI: Who did what when?
Security Vocabulary
Asset: Diamonds
Threat: Theft
Vulnerability: Open door or window
Threat agent: Burglar
Owner: Those accountable
or who value the asset
Risk: Danger to assets
Security Rule Assures…
Security Services
Authentication
Access Control
Data confidentiality
Data integrity
Data backup & recovery
Nonrepudiation = Cannot say it wasn’t you who sent or received
data
Risk Management
Risk Management
Risk assessment
Policy & Procedures Maintenance
Security Program Enforcement
Audit logs, vulnerability assessments, audit for procedure
adherence and control effectiveness
Patches are applied to software
Data is available, confidential, & integrity is protected
Security Rule Standards
Comprehensive: the Security Rule covers Administrative Controls, Physical Controls, and Technical Controls
Technology Neutral: Look to Best Practices for Technology Answers, e.g. NIST
Scalable: the Security Rule applies to Small or Large organizations
Three Areas of Safeguards
Administrative: Administrative policies, procedures, and actions to implement and maintain security controls to protect EPHI, including risk mgmt, access control, contingency plans, incident response.
Physical: Protection of the physical access to terminals, laptops, servers, backup tapes, CDs, memory, including viewing, access, maintenance and disposal.
Technical: Protection using technology tools to protect EPHI, including logs, encryption, authentication
Policies & Procedures
Policies and Procedures MUST BE:
Retained for 6 years after date of creation or last effect
Available to workers responsible for them
Must be updated regularly accommodating changes in
environment & operations
Security Rule Standard
Required (R): DO IT!
Addressable (A): This is recommended… Address this in some way… Implement an equivalent alternative measure… If it doesn’t apply, document well why not… (“We do this instead: …”)
Administrative:
Security Mgmt Process (R = Required, A = Addressable)
Risk Analysis (R): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the CIA of EPHI held by the CE.
Risk Mgmt (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule
Sanction Policy (R): Apply appropriate penalties against workforce members who fail to comply with the entity’s security policies and procedures
Info System Activity Review (R): Implement procedures to regularly review records of IS activity, such as audit logs, access reports, and security incident tracking reports
Security Mgmt Implications
“We will need an IT person to regularly check logs to be sure our system was not broken into.”
“The Sanction policy basically requires we all sign a confidentiality agreement and if someone breaks the rule, they could be fired.”
“Risk assessment must be ‘accurate and thorough’ – that will be a challenge! And all are Rs…”
Administrative:
Workforce Security
Authorization and/or Supervision (A): Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
Workforce Clearance Procedure (A): Implement procedures to determine that the access of a workforce member to EPHI is appropriate
Termination Procedures (A): Implement procedures for terminating access to EPHI when the employment of a workforce member ends…
Workforce Security Implications
“They are asking for checks and balances with supervision or authorization. We must have procedures to allocate authorization, periodically check authorization, and procedures to terminate someone.”
“We are a three person operation, can we get away with not doing this? Must we document our situation? These are As.”
Administrative:
Information Access Mgmt
Isolating Health Care Clearinghouse (CH) Function (R): If a health care CH is part of a larger organization, the CH operation must implement policies and procedures that protect the EPHI of the CH from unauthorized access by the larger organization
Access Authorization (A): Implement policies and procedures for granting access to EPHI – e.g., through access to a workstation, transaction, program, process, or other mechanism
Access Establishment & Modification (A): Implement policies and procedures that, based upon the entity’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program or process.
Info Access Mgmt Implications
“Isn’t this the same as the previous rule?”
“It is an implementation: We must define a data owner for each major process. And then our IT people must define how they will grant access based upon the data owner’s decisions.”
Administrative:
Security Awareness & Training
Security Reminders (A): Provide periodic security updates to members of the workforce
Protection from Malicious Software (A): Implement procedures for guarding against, detecting, and reporting malicious software
Login Monitoring (A): Implement procedures for monitoring login attempts and reporting discrepancies
Password Mgmt (A): Implement procedures for creating, changing and safeguarding passwords
What do you think these mean?
Administrative:
Contingency Plan
Data Backup Plan (R): Establish and implement procedures to create and maintain retrievable exact copies of EPHI
Disaster Recovery Plan (R): Establish … procedures to restore any loss of data
Emergency Mode Operation Plan (R): The emergency mode operation plan requires CEs to establish … procedures to enable continuation of critical business processes, while maintaining the security of EPHI while operating in emergency mode
Testing & Revision Procedure (A): Implement procedures for periodic testing and revision of contingency plans.
Applications & Data Criticality Analysis (A): Assess the relative criticality of specific applications and data in support of other contingency plan components.
Administrative:
One-Line Safeguards
Assigned Security Responsibility (R): Identify the security official who is responsible for the development and implementation of the policies and procedures required by this rule for the entity.
Security Incident Procedures (R): Implement policies & procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate … harmful effects of security incidents that are known to the CE; and document security incidents and their outcomes.
Administrative:
More One-Line Safeguards
Evaluation (R): Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of EPHI, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart
BA Contracts and Other Arrangements (R): A BA [may] create, receive, maintain, or transmit EPHI on the CE’s behalf only if the CE obtains satisfactory assurances that the BA will appropriately safeguard the information.
Info Access Mgmt Implications
“According to Evaluation, we must self-test or be certified on a regular basis, to be sure we follow the Security Rule.”
“That makes sense when technology changes, but I guess we have to do it periodically as well, since the world changes.”
“We need to know who, what, when, where, why for incident response.”
“Who shall we name as our Security Manager?”
Physical Safeguards:
Facility Access Controls
Facility Access Controls: Implement policies and procedures to limit physical access to electronic info systems and areas where sensitive paper documents are stored and any facilities in which they are housed, while ensuring authorized access
Contingency Operations (A)
Facility Security Plan (A)
Access Control & Validation Procedures (A)
Maintenance Records (A)
Physical Safeguards:
Facility Access Control
How will physical access be restricted to sensitive paper
documents, terminals, server, backup copies, laptops,
contingency operations in copy, view, or modify forms?
How are visitors controlled from accessing PHI/EPHI?
When repairs occur (to facility or systems) how will
PHI/EPHI be safeguarded?
Physical Safeguards: Workstations
Workstation Use (R): Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can be used to access EPHI
Workstation Security (R): Implement physical safeguards for all workstations that can be used to access EPHI, to restrict access to authorized users
Workstation Use and Security
What functions will be performed on which
workstations?
How will workstation access be limited when the user
leaves their station?
How will theft of laptops be prevented?
How will the workstations be positioned?
What other physical safeguards (locked rooms, hoods)
will be implemented to prevent shoulder surfing?
Physical Safeguards:
Device & Media Controls
Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media and devices that contain EPHI into and out of a worksite or facility, and the movement of these items within the worksite or facility.
Disposal (R)
Media Reuse (R)
Accountability (A)
Data Backup and Storage (A)
Device & Media Controls
How will media be erased or damaged before disposal
or reuse?
Reformatting disk may not be adequate even for reuse
How, when and where has EPHI been moved or
transferred? Documentation is necessary
How is a backup made and where/how stored?
Technical Safeguards:
Access Control
Access Control: Implement technical policies and procedures for electronic info systems that maintain EPHI. These policies and procedures should contain access protocols that will establish and enforce the entity’s other access policies, and allow access only to those persons or software programs that have been granted access rights
Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Technical Safeguards:
Access Control
How is each user uniquely identified to the system?
How does authentication occur?
In an emergency, what backup methods are used for
authentication?
How does automatic logoff occur after a period of
inactivity?
Which data is encrypted in storage and/or
transmission?
Technical Safeguards:
Transmission Security
Transmission Security: Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network
Integrity Controls (A)
Encryption (A)
Technical Safeguards:
Transmission Security
How are we sure that data is not modified or lost during transmission?
What encryption techniques are used to protect the security of EPHI
transmitted over a public network?
Other Technical Safeguards
Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI
Integrity (A): Implement policies and procedures to protect EPHI at rest, meaning stored on organizational systems and applications, from improper alteration or destruction.
Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed
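A way to implement the Integrity safeguard for EPHI at rest with a keyed hash, as an added example that is not from the slides: each stored record carries an HMAC-SHA256 tag over a canonical serialization, and a periodic review recomputes the tags to find copies that were altered after they were written. The key and the sample records are constructed; the key store and the storage layer are assumed to exist outside this snippet.

```python
"""Integrity tags for EPHI stored at rest (added example, not from the
slides).  A record is sealed with an HMAC-SHA256 tag under a key the
application holds; on read the tag is recomputed and compared, so a
silent change to the stored copy is detected.  Key, record contents and
field names are constructed for illustration."""
import hashlib
import hmac
import json

# Constructed integrity key.  In practice it comes from a key store, not
# source code, and is kept separate from any encryption key.
INTEGRITY_KEY = b"constructed-demo-key-do-not-reuse"


def canonical_bytes(record):
    """Serialize deterministically so key order and whitespace cannot
    change the tag: sorted keys, minimal separators, UTF-8."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record with an integrity tag attached."""
    body = {k: v for k, v in record.items() if k != "_integrity"}
    tag = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "_integrity": tag}


def verify(stored, key=INTEGRITY_KEY):
    """True only if the stored copy still matches its tag.  A missing or
    malformed tag fails closed; compare_digest avoids a timing leak."""
    tag = stored.get("_integrity")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in stored.items() if k != "_integrity"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def audit_store(records, key=INTEGRITY_KEY):
    """Periodic integrity review: the MRNs whose stored copy fails
    verification, i.e. what an Information System Activity Review
    would report for follow-up."""
    return [r.get("mrn") for r in records if not verify(r, key)]


# Constructed sample data (not real patient information).
ORIGINAL = {"mrn": "MRN-000123", "allergies": ["penicillin"],
            "blood_type": "O+"}
SEALED = seal(ORIGINAL)
TAMPERED = {**SEALED, "allergies": []}                     # value altered after sealing
REORDERED = {k: SEALED[k] for k in reversed(list(SEALED))}  # same content, new key order

if __name__ == "__main__":
    print(audit_store([SEALED, TAMPERED, REORDERED]))  # only the tampered MRN
```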
Other Technical Safeguards
For which devices will the logs be monitored?
What log events should be archived for security purposes?
How will potential attacks found in logs be recorded, reported,
and acted upon?
What techniques will be used to ensure stored data has not been
modified (hashes, message digests?)
What authentication mechanisms will be used to assure that
approved entities (people or systems) are accessing EPHI?
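The log-review questions above, together with the Login Monitoring and Information System Activity Review specifications, as an added example that is not part of the slides: a small reviewer over constructed audit log lines flags a burst of failed logins on one user ID and any record opened by a user with no treatment relationship to that patient. The log format, user IDs, MRNs and the relationship table are assumptions made for the example.

```python
"""Review of EPHI access audit logs (added example, not from the slides).
Two checks drawn from the Security Rule: a burst of failed logins on one
user ID (Login Monitoring) and a record viewed or modified by a user with
no treatment relationship to the patient (Information System Activity
Review).  Log format, users, MRNs and the relationship table are
constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log.  Fields: timestamp, unique user ID, event,
# target (MRN or "-"), result.  Unique user IDs are what make
# "who did what when" answerable.
AUDIT_LOG = """\
2016-06-21T08:01:10 u-nurse-07 LOGIN - OK
2016-06-21T08:02:30 u-nurse-07 VIEW MRN-000123 OK
2016-06-21T08:05:00 u-clerk-02 LOGIN - FAIL
2016-06-21T08:05:20 u-clerk-02 LOGIN - FAIL
2016-06-21T08:05:41 u-clerk-02 LOGIN - FAIL
2016-06-21T08:06:02 u-clerk-02 LOGIN - FAIL
2016-06-21T08:06:30 u-clerk-02 LOGIN - OK
2016-06-21T08:07:00 u-clerk-02 VIEW MRN-000777 OK
2016-06-21T09:15:00 u-dr-11 MODIFY MRN-000123 OK
"""

# Constructed treatment-relationship table: which user IDs currently
# care for (or bill) which patients.
RELATIONSHIPS = {
    "MRN-000123": {"u-nurse-07", "u-dr-11"},
    "MRN-000777": {"u-dr-11"},
}

FAIL_THRESHOLD = 3                  # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is a burst


def parse_log(text):
    """Parse log lines into dicts.  Malformed lines are reported rather
    than silently dropped: a gap in the audit trail is itself a finding."""
    events, bad = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 5:
            bad.append(lineno)
            continue
        ts, user, event, target, result = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, "target": target, "result": result})
    return events, bad


def failed_login_bursts(events):
    """User IDs with at least FAIL_THRESHOLD failed logins inside FAIL_WINDOW."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - FAIL_THRESHOLD + 1):
            if times[i + FAIL_THRESHOLD - 1] - times[i] <= FAIL_WINDOW:
                flagged.add(user)
                break
    return sorted(flagged)


def accesses_without_relationship(events, relationships):
    """(user, mrn) pairs where a record was viewed or modified by someone
    not in the patient's treatment relationship (a minimum-necessary check)."""
    hits = []
    for e in events:
        if e["event"] in ("VIEW", "MODIFY") and e["result"] == "OK":
            if e["user"] not in relationships.get(e["target"], set()):
                hits.append((e["user"], e["target"]))
    return hits


def review(text=AUDIT_LOG, relationships=RELATIONSHIPS):
    """Produce the findings an IT reviewer would record and act upon."""
    events, bad = parse_log(text)
    return {
        "malformed_lines": bad,
        "failed_login_bursts": failed_login_bursts(events),
        "access_without_relationship":
            accesses_without_relationship(events, relationships),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```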
Question
An example of a vulnerability is
1. Theft
2. Burglar
3. Open door
4. Diamonds
Question
Protected Health Information is:
1. SSN, medical information
2. Name, SSN, medical information
3. Name, address, SSN, phone, medical information
4. Medical information stored in a computer
Question
The Security Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of
waiting room
Question
The Privacy Rule requires that:
1. Logs are monitored
2. An intrusion detection system is implemented
3. Cabinets containing PHI must be locked
4. Walls must be soundproof and all terminals outside of the
waiting room
Question
The Addressable option for the Security Rule means:
1. Smaller organizations need not implement if they can justify it
would be too expensive
2. HIPAA discusses alternative means to accomplish this, and the
organization must select one
3. The CE must document how they accomplish this provision
4. This provision must be implemented or addressed in some
way, although alternative implementations are allowed
Summary
HIPAA protects Protected Health information (PHI)
Applicable to Covered Entities and their Business Associates
In General:
• Privacy Rule covers Need-to-know, Disclosures, Notice of
Privacy Practice, non-electronic privacy
• Security Rule covers Administrative, Physical and Technical
Safeguards
• HITECH increases penalties for non-compliance
HIPAA is an example of state-of-the-art Privacy and Security
regulation
Most of each chapter of this book is required for HIPAA
Not Covered in this Presentation
Some specialized material is not being covered
as part of this presentation, including:
Hybrid Entities: Part Covered, Part Not
Organized Health Care Arrangement (OHCA): Group of
doctors
Jointly Administered Govt. Program
Trading Partner: CEs exchange electronic transactions
without clearinghouse
COBRA