
HIPAA Security Standards

HIPAA Security Standards. Emmanuelle Mirsakov, USC School of Pharmacy. Overview: HIPAA (Health Insurance Portability and Accountability Act of 1996); why security; focus on the Security rule vs. the Privacy rule.



Presentation Transcript


  1. HIPAA Security Standards. Emmanuelle Mirsakov, USC School of Pharmacy

  2. Overview
  • HIPAA: Health Insurance Portability and Accountability Act of 1996
  • Why Security?
  • Focus on Security rule vs. Privacy rule
  • The Security rule applies only to EPHI, while the Privacy rule applies to PHI, which may be in electronic, oral, or paper form.
  • Privacy is the “Who, What, and When” and Security is the “How”

  3. Who Oversees HIPAA? The U.S. Department of Health & Human Services
  The Centers for Medicare and Medicaid Services oversees:
  • Transactions and Code Sets
  • Standard Unique Identifiers
  • Security
  Contact info:
  • http://www.cms.hhs.gov/hipaa/hipaa2/
  • AskHIPAA@cms.hhs.gov
  • 1-866-282-0659
  The Office for Civil Rights oversees:
  • Privacy
  Contact info:
  • http://www.hhs.gov/ocr/hipaa/
  • OCRPrivacy@hhs.gov
  • 1-866-627-7748

  4. Goals of the Security Rule
  • Confidentiality: EPHI is accessible only by authorized people and processes
  • Integrity: EPHI is not altered or destroyed in an unauthorized manner
  • Availability: EPHI can be accessed as needed by an authorized person

  5. Parts of the Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies & Procedures & Documentation Requirements

  6. Security Rule
  • The rule is technology neutral
  • The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete
  • The Security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.

  7. Security Standards
  • Administrative Safeguards: administrative functions that should be implemented to meet the security standards
  • Physical Safeguards: mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion
  • Technical Safeguards: the automated processes used to protect data and control access to data

  8. Technical Safeguards
  Main parts:
  • Access Control
  • Audit Control
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

  9. Access Control
  • “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”
  • Access controls should enable authorized users to access the minimum necessary information needed to perform their job functions.

  10. 4 implementation specifications associated with Access Controls:
  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff (addressable)
  • Encryption and decryption (addressable)

  11. Audit Controls
  • “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
  • Useful to determine if a security violation occurred
  • The Security rule does not identify the data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)
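The access-control specifications of slide 10 (unique user identification, emergency access, automatic logoff) and the audit-control standard of slide 11 can be seen working together in a small model. This is an added example, not code from the presentation or from Pro Pharma; the role names, field names, idle timeout and user ids are all constructed.

```python
"""Toy model of the access-control and audit-control safeguards on the slides.
Roles, EPHI field names, the 15-minute idle limit and user ids are constructed."""
from dataclasses import dataclass, field

AUTO_LOGOFF_SECONDS = 900                  # addressable spec: automatic logoff
MIN_NECESSARY = {                          # role -> EPHI fields it may read
    "pharmacist": {"name", "medications", "allergies"},
    "billing": {"name", "insurance_id"},
}
EMERGENCY_ROLES = {"pharmacist"}           # roles that may invoke emergency access
SHARED_IDS = {"", "shared", "guest"}       # not unique to one person: always denied

@dataclass
class Session:
    user_id: str                           # unique user identification (required)
    role: str
    last_active: float                     # seconds; updated on each allowed access

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    def record(self, **event):
        self.entries.append(event)         # audit control: every decision is kept

def authorize(session, fields, now, audit, emergency=False):
    """Return the subset of `fields` this session may read, logging the decision."""
    if session.user_id in SHARED_IDS:
        audit.record(user=session.user_id, result="deny", reason="non-unique id")
        return set()
    if now - session.last_active > AUTO_LOGOFF_SECONDS:
        audit.record(user=session.user_id, result="deny", reason="auto-logoff")
        return set()
    session.last_active = now
    if emergency and session.role in EMERGENCY_ROLES:
        # emergency access procedure (required): grant, but flag it for review
        audit.record(user=session.user_id, result="allow", reason="emergency",
                     fields=sorted(fields))
        return set(fields)
    allowed = set(fields) & MIN_NECESSARY.get(session.role, set())
    audit.record(user=session.user_id, result="allow" if allowed else "deny",
                 reason="minimum necessary", fields=sorted(allowed))
    return allowed

def emergency_accesses(audit):
    """Review step: users who used emergency access, for follow-up."""
    return sorted({e["user"] for e in audit.entries if e.get("reason") == "emergency"})
```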

  12. Integrity
  • “The property that data or information have not been altered or destroyed in an unauthorized manner”
  • The integrity of data can be compromised by both technical and non-technical sources
  • Implementation specification: implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner (addressable)

  13. Person or Entity Authentication
  • “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed”
  • Ways to provide proof of identity:
  • Require something known only to that individual (password or PIN)
  • Require a smart card, token, or key
  • Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)

  14. Transmission Security
  • “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network”
  • This standard has 2 implementation specifications:
  • Integrity Controls (addressable)
  • Encryption (addressable)

  15. Implementation Specifications
  • Integrity Controls: integrity in this context is focused on making sure that EPHI is not improperly modified during transmission
  • Primarily through the use of network communications protocols
  • Data message authentication codes
  • Encryption: “Implement a mechanism to encrypt EPHI whenever deemed appropriate”
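The “data message authentication codes” named above as a transmission integrity control work as follows; this is an added example, not material from the presentation. The shared key, sequence number and patient record are constructed, and the separate encryption specification (confidentiality) is deliberately not covered here.

```python
"""Integrity control for EPHI in transit: an HMAC-SHA256 message authentication
code computed by the sender and verified by the receiver. Key and record are
constructed for the example; a real system would provision the key securely."""
import hashlib
import hmac
import json

TAG_LEN = 32  # SHA-256 output size in bytes

def protect(key: bytes, seq: int, record: dict) -> bytes:
    """Sender side: serialise the record with a sequence number and append a MAC.
    Canonical JSON (sorted keys, no spaces) makes both sides authenticate identical bytes."""
    body = json.dumps({"seq": seq, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

def verify(key: bytes, frame: bytes, expected_seq: int):
    """Receiver side: return the record only if the MAC and sequence number check out.
    compare_digest runs in constant time, so a forged tag leaks nothing by timing."""
    if len(frame) <= TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    good = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        return None               # altered in transit, or produced under another key
    msg = json.loads(body)        # only parse bytes that have been authenticated
    if msg["seq"] != expected_seq:
        return None               # replayed or re-ordered message
    return msg["record"]

def flip_bit(frame: bytes, index: int) -> bytes:
    """Simulate corruption or tampering of a single bit during transmission."""
    b = bytearray(frame)
    b[index] ^= 0x01
    return bytes(b)

# Constructed sample data, not real EPHI.
KEY = b"constructed-shared-key-not-for-real-use"
RECORD = {"patient_id": "P-0001", "medication": "amoxicillin 500 mg"}
```

A change to any byte of the record, the sequence number or the tag itself makes `verify` return `None`, which is the behaviour the integrity specification asks for.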

  16. Pro Pharma Implementation
  • All hard drives can only be accessed by individuals with proper clearance by Pro Pharma
  • All employees have a unique user name and password
  • All employees are required to lock their station whenever they get up
  • Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats
  • Full virus protection is installed on every workstation
  • Network browsing is routed to a system that checks for threats
  • No employee has administrative rights to their local machine
  • No employees have domain administrative rights on the Pro Pharma domain
  • Every workstation is attached to a UPS power supply to protect from power failure or power surge

  17. In Summary
  • Security rules are in place to enhance health information sharing and to protect patients
  • The Security rule technical safeguards are the technology-related policies and procedures that protect EPHI and control access to it
  • Be cognizant of PHI, and follow Pro Pharma protocols

  18. The Bright Side • Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.

  19. In Case You Needed More

  20. Last One I Promise!
