HIPAA Security 101
HIPAA Security
As a care provider, clearinghouse, and “insurer,” the Department of Public Welfare (DPW) deals with our citizens’ medical information on a daily basis. It is essential that we protect the privacy and security of those records.
HIPAA Security
HIPAA privacy, which covers Protected Health Information (PHI) in any form, has already been addressed in a separate training course. This training deals with HIPAA Security, the practices used to protect certain electronic health information. Although HIPAA Security covers PHI only in electronic form, it is closely linked to HIPAA privacy.
Quiz 1
What is HIPAA?
• A large African animal that spends much of its time in the water.
• A long-haired, bell-bottom and sandals wearing flower child.
• The Health Insurance Portability and Accountability Act of 1996.
Please make your selection: ____
Answer 1
If you selected choice 3, the Health Insurance Portability and Accountability Act of 1996, you are CORRECT! HIPAA was passed by the US Congress and signed by President Clinton. It is intended to simplify administration of the health care system and to reform the way health care providers, insurers, and other “covered” entities share and protect your health information.
Who is a “Covered” Entity?
• Health Care Providers
  • Physicians, dentists, nurses, hospitals, nursing homes, etc.
  • Includes DPW
• Health Care Clearinghouses
  • Billing services, etc.
  • Includes DPW
• Health Care Plans
  • Group health plans, HMO’s, PPO’s, Medicare, Medicaid, etc.
  • Includes DPW
What does HIPAA Cover?
• Transactions – standardizes diagnostic and treatment codes, forms, and processes used by providers, insurers, and other covered entities
• Identifiers – standardizes identifier codes or numbers for providers, health plans, and employers
• Privacy – addresses who has access to PHI in any form (oral, written, electronic, etc.), the circumstances under which those records may or may not be shared, and how that information needs to be safeguarded
• Security – addresses how PHI (electronic only) is protected, both in storage and in transmission
What are We Securing?
Electronic PHI (ePHI) is data that…
• Identifies or includes information that could identify an individual (including demographic information)
• Relates to the past, present, or future
  • Physical or mental health or condition of an individual
  • Provision of health care to the individual
  • Payment for the provision of health care to an individual
• Is stored or transmitted electronically
Quiz 2
Are data such as your name, address, phone number, date of birth, and social security number (SSN) examples of PHI covered by HIPAA? Yes or No?
Answer 2
YES. As a part of a medical record, they are examples of data by which the identity of a client could be determined. Within the DPW data systems, this type of data is so intertwined with medical data that DPW has made a decision to treat all such data elements as PHI, regardless of their actual context or source.
What is HIPAA Security?
Security consists of the administrative, physical, and technical controls or processes by which
• We ensure:
  • Confidentiality – only the right people see the data
  • Integrity – the data is what it is supposed to be; it hasn’t been changed or corrupted
  • Availability – the data is available when it is needed
What is HIPAA Security? (cont.)
• We protect data from:
  • Actual and reasonably anticipated threats or hazards to the security or integrity of ePHI (for example, fire, flood, theft, storm, etc.)
  • Actual and reasonably anticipated uses or disclosures of ePHI not permitted by the policy rules (including accidental or deliberate access or use by unauthorized persons)
Administrative Safeguards
• Policies, procedures and practices including:
  • Security management processes
    • Risk analysis and management
    • Sanction policy
    • Information system review and auditing
  • Assigned security responsibility
    • HIPAA security officer
  • Workforce security
    • Authorization and/or supervision
    • Background checks
    • Termination procedure
Administrative Safeguards (cont.)
  • Information access management
    • Isolation of ePHI data from other data
    • User registration/deregistration process
    • Access authentication and authorization
  • Security awareness and training
    • HIPAA-specific workforce training, including program office and job-specific training
    • Security reminders/bulletins
    • Anti-virus and anti-spyware software and procedures
    • Login monitoring
    • Password policies
Administrative Safeguards (cont.)
  • Security incident procedures
    • Reporting and response
  • Contingency planning
    • Data backup
    • Disaster recovery planning
  • Agreements with entities performing HIPAA-covered work on DPW’s behalf
    • Written agreements, revisions of agreements, as appropriate
  • Evaluation
    • Periodic review and self-evaluation
Physical Safeguards
• Means by which the physical systems and media are protected from unauthorized use or access:
  • Facility access controls
    • Contingency operation
    • Facility security (restricted access, monitoring, etc.)
    • Access control and validation procedure
    • Maintenance records
  • Workstation usage
    • Business use only
    • Restrictions on Internet access
Physical Safeguards (cont.)
  • Workstation security
    • UserID/Password required for access
    • Automatic lockout when workstation is unattended or unused for a certain amount of time
  • Device and media controls
    • Disposal of systems and media
    • Media re-use
    • Accountability and tracking
    • Data backup and storage
Technical Safeguards
• Means by which electronic data, access to it, and its use are controlled and monitored
  • Access controls
    • Unique user identification
    • Emergency access procedure
    • Automatic logoff
    • Encryption and decryption
Technical Safeguards (cont.)
  • Audit controls
    • Ability to determine who accessed data and when
    • Ability to determine who modified data and when
  • Integrity
    • Mechanisms in place to authenticate or validate ePHI
  • Transmission Security
    • Integrity controls to ensure that data isn’t lost or altered
    • Encryption to ensure that only the recipient can see the data
So Who Cares?
• Each of us must care
  • We in DPW are responsible for the medical information of our citizens. In addition, the vast majority of us have been treated by health care practitioners and would care greatly if we thought our medical records might be shared with strangers or unauthorized individuals or entities. Why should we expect our clients to care any less than we would?
So Who Cares? (cont.)
• The Commonwealth of Pennsylvania and DPW
  • We are the custodians of our citizens’ data, and it is a serious responsibility. Misuse or unauthorized disclosure of this data could lead to termination or other disciplinary action, possible criminal charges, and/or civil penalties.
So Who Cares? (cont.)
• Federal Department of Health and Human Services (DHHS)
  • DHHS was responsible for issuing HIPAA regulations. These regulations and the HIPAA statute passed by Congress comprise the HIPAA legal requirements. DHHS’s Centers for Medicare and Medicaid Services (CMS) enforces HIPAA security (and transaction) regulations; DHHS’s Office of Civil Rights (OCR) enforces HIPAA privacy regulations.
So Who Cares? (cont.)
• The Federal Government
  • Misuse or unauthorized disclosure of PHI can result in federal criminal penalties, including imprisonment of up to 10 years and fines of up to $250,000. Additional penalties may be applied as a result of civil action.
General DPW Practices
• There are some general security practices that everyone must use, regardless of their job duties and access to or use of ePHI:
  • Abide by UserID and Password policies
    • Use strong passwords (7 or more characters, mix of uppercase, lowercase, numbers, punctuation)
    • Change passwords regularly
    • Don’t write passwords down where others can get them
    • Do not share your UserID and password with others
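The password rule on this slide (7 or more characters; a mix of uppercase, lowercase, numbers, and punctuation) and the "change passwords regularly" practice, written as a checker an application or help desk tool could apply before accepting a new password. This is an added example, not code from the DPW training; the function names, the constants, and the change interval parameter are assumptions, since the deck states no specific interval.

```python
import string
from datetime import date

# Added example (not from the DPW deck): enforces the password practices the
# slide lists. MIN_LENGTH comes from the slide; the function names and the
# max_age_days parameter are assumptions.
MIN_LENGTH = 7  # "7 or more characters"


def password_policy_failures(password: str) -> list[str]:
    """Return the requirements a candidate password fails (empty list = acceptable).

    Reporting every failed requirement, not just the first, lets the user fix
    the password in one attempt instead of trial and error.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    return failures


def meets_policy(password: str) -> bool:
    """True when the password satisfies every requirement on the slide."""
    return not password_policy_failures(password)


def password_change_due(last_changed: date, today: date, max_age_days: int) -> bool:
    """True when the password has reached the maximum age and must be changed.

    max_age_days is an assumed policy parameter; the deck only says "regularly".
    """
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    for candidate in ("Dpw!2024ok", "Password1", "abc"):
        print(candidate, "->", password_policy_failures(candidate) or "OK")
    print("change due:", password_change_due(date(2024, 1, 1), date(2024, 4, 1), 90))
```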
General DPW Practices (cont.)
  • Always lock your workstation when not using it or when away from your desk; likewise, lock away any paper files containing PHI and any floppies, CDs, or other media containing ePHI
  • Don’t install software from home or from the Internet on your workstation
  • Limit Internet use to work-related activities
General DPW Practices (cont.)
  • Don’t open unsolicited email from unknown senders or suspicious email from colleagues (this is a great way to spread computer viruses)
  • Immediately report unusual workstation behavior to your supervisor
  • Immediately report possible theft or misuse of your UserID to your supervisor
Job-Specific Practices
Those of you who have access to or use ePHI as a part of fulfilling your job duties need to be especially aware of HIPAA security. Changing your password more frequently than generally required, encrypting data residing on your workstation, and using secure email are examples of practices to be followed.
Job-Specific Practices (cont.)
Within DPW, there are many jobs that involve access to and use of PHI, far too many to cover in detail in this training session. Your program office or facility will be holding additional training sessions specific to HIPAA security as it relates to your job. Contact your supervisor for more information.
Resources
HIPAA regulations and information:
• www.cms.gov/hipaa
• www.dhhs.gov
• DPW HIPAA Privacy Policy
• DPW HIPAA Security Policy
• DPW Business and Technical Standards
• Commonwealth Internet Usage Policy
• Commonwealth IT Standards
Contact Information
• Diana Clark (Privacy, Legal)
  • diclark@state.pa.us
• Frank Morrow (Security)
  • fmorrow@state.pa.us
• Frank Potemra (Policy)
  • fpotemra@state.pa.us
• Your Program Office Security Manager
• Your Supervisor
Quiz 3
To wrap things up, what is HIPPO?
• A large African animal that spends much of its time in the water.
• A long-haired, bell-bottom and sandals wearing flower child.
• The Health Insurance Portability and Accountability Act of 1996.
Please make your selection: ____
Answer 3
Choice 1, of course! A HIPPO is a large African animal that spends much of its time in the water.