It’s About The ePHI Objective Review the security rule as it pertains to › Physical Safeguards ♦ ♦ How to protect the ePHI in the work environment Implementation ideas for your office The Security Rule Reasonable and appropriate safeguards that cover › Information systems › Related equipment › Facilities What Are The Safeguards? Physical measures › Locking the door › Requiring passwords Policies and procedures › For everything from employee training to protecting the data Three Areas Of Focus Facility Access Controls › Limiting physical access to ePHI Workstation Use and Security › Defining business use of workstations › Controlling the environment Device and Media Controls › For all equipment that contains ePHI Facility Access Controls Contingency operations Facility security plan Access control and validation procedures Maintenance records Contingency Operations Disaster recovery or emergency operations › Maintains proper security while allowing for data recovery Cover such events as: › Loss of power › Flood Consider access, as well as recovery › Chemical spills › Propane leak Facility Security Plan Policies and Procedures covering: › Physical access control › Tampering and theft prevention Access Control & Validation Procedures › Access based on roles and/or functions › Visitor guidelines › Software access ♦ ♦ Limit authority/responsibility Track updates/modification Maintenance Records Document › Repairs and modifications to the facility ♦ ♦ ♦ Type of repair Authorized by whom Reason for repair › Changes to alarm codes Workstations Defined as an electronic computing device such as: › Laptops › Desktops › Tablets Capable of electronic media storage Workstation Use Define business use of workstations Policies and Procedures › Proper functions to be completed › Manner in which they are performed › Physical attributes of the surroundings for the workstations with access to ePHI ♦ ♦ Visibility to others Accessible to unauthorized persons Workstation Security Restrict access to authorized users › Are workstations identified? › Viewed only by authorized individuals with unique user IDs and passwords? › Filters? › Screen savers? › Automatic log off? Device and Media Controls Policies and procedures › That govern how ePHI is protected ♦ ♦ ♦ During moves On backup media During upgrades Elements of Control Disposal – of ePHI › How does this happen? Media re-use › Is re-use allowed? › What steps are taken to eliminate ePHI Accountability › Where is the ePHI? Data Backup and Storage Disposal Policies and procedures that address the final disposition of ePHI › Including the media that held it › Render it unusable ♦ By erasing and overwriting or magnetically clearing or both › Or inaccessible ♦ By physically damaging it Media Re-use Remove ePHI Document the removal Have a policy and procedure that outlines the process Accountability Involves record keeping › This is only addressable in the final security rule, however, it would be very difficult to justify not keeping track of equipment Inventory of equipment that includes portable media › Take account of ♦ ♦ Person responsible for each device Serial numbers and/or labels for identification Data Backup And Storage Address the backup of ePHI before the movement of any equipment › Best to have a copy, just in case something unexpected happens! Maintain Integrity Of The ePHI Have in place: Policies and procedures that cover › Audits ♦ ♦ To track changes to data To review accesses › Inventory ♦ To know where the ePHI is located Inventory Control Log Should contain elements such as: › › › › › › › Device Name Make/Model Date Acquired Serial Number Location User Maintenance Performed ♦ › Date taken out of Service ♦ ♦ ♦ ePHI destroyed (Y/N) Method of destruction Certificate of destruction › Person responsible for destruction of ePHI › Person who validated or verified destruction of ePHI Description and Date The Process To Follow Inventory › Walk through your office › Notice everything ♦ Both in-service and out of service equipment › Record it all › Include portable and mobile devices Check the ePHI on the inventory › Record everything Review Physical Elements Offices / Exam Rooms › Doors and windows - lockable? Restricted areas › Locked and log of access maintained? Alarms › Who has access? Recent changes? Wireless access points › Monitor the devices that access your network Wiring › Are surge suppressors in use? Assess With the eyes of an outsider is ePHI › › › › Viewable? Portable – on unattended laptops? In use – where? On what? Is there out-of-service equipment with ePHI? › Accessible via your network? ♦ ♦ Monitor users on the network Have in place termination procedures that include disabling network access Protect ePHI Make changes › › › › Move monitors Turn desks Lock up equipment Secure work areas Control access › Know who has had the opportunity to view or hack your ePHI ♦ ♦ ♦ Telephone repairs Electricians Locksmiths It’s Not Just Computers Printers › What’s being printed? › Who can retrieve the paper? › Where is it located? Faxes and scanners › What is stored on the machine? › Where is it located? › Who can access the data? Include Also Incidental equipment › › › › › Pagers Dictaphone tapes Answering machines Point of care devices External hard drives Network wiring › Are access points open and available? Location of the router › Is it secure? Protection Options Protect all equipment from: › Outside access › Unauthorized use › Wandering off For Electronics › Use surge protectors Review fire extinguishers › Rated for electronics Remember ePHI › Is vast › Requires special protections and safeguards › Is subject to HIPAA’s Security Rule You have to know where the ePHI is located in order to protect it Take every precaution possible to protect ePHI QUESTIONS?