HIPAA Security Training 2005
2 Introduction
To improve the effectiveness of the health care system in protecting patient health information, the federal government signed the Health Insurance Portability and Accountability Act into law. HIPAA, as it is commonly known, provides health care entities with guidelines on how they must secure and safeguard electronic Protected Health Information (ePHI). This course:
- Explains the differences between the HIPAA Security and Privacy Rules.
- Outlines new security regulations.
- Identifies new security-related policies and procedures.
- Reviews your role in protecting patient information.
3 HIPAA Security
HIPAA Security becomes effective on April 21. HIPAA Security and Privacy go hand-in-hand. While the Privacy Rule, effective on April 14, 2003, covers all forms of protected health information (PHI), the Security Rule applies only to PHI in electronic form.
4 What is HIPAA Security?
With a focus on the protection and monitoring of Electronic Protected Health Information (ePHI), the HIPAA security regulations require an entity to:
- Ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI).
- Protect against any reasonably anticipated threats, and against uses or disclosures not allowed by the Privacy Rule.
- Mitigate threats by using safeguards that are reasonably and appropriately implemented and that conform to the Security Rule standards.
5 What is PHI?
Protected Health Information (PHI) consists of patient-identifiable information delivered via paper, verbal communication, or electronic means. Examples include:
- Patient name
- Address
- Date of birth
- SS#
- Medical record #
- E-mail address
Identifiable health information may be shared among caregivers for the purposes of Treatment, Payment, or Healthcare Operations (TPO). Healthcare Operations include QA/QI, Utilization Review, Disease Management, Credentialing, Auditing, etc. Any other use or disclosure of PHI, e.g., research, marketing, etc., requires the written authorization and consent of the patient.
6 Privacy/Security Comparison: Similarities and Differences between HIPAA Privacy and Security
PRIVACY: Patient focused; PHI – electronic, paper, or verbal; Privacy officer; Privacy awareness training; Business associate contracts; Policies and procedures that meet privacy standards.
SECURITY: Covered entity focused; PHI – only electronic; Security officer; Security awareness training; Business associate contracts; Policies and procedures that meet security standards.
7 HIPAA Security Safeguards
HIPAA Security safeguards fall into the following 3 main categories:
Technical: Procedures in place that protect and monitor information access and prevent unauthorized use of data transmitted over the network. Includes: Access Control, Audit Control, Integrity, Person or Entity Authentication.
Physical: Protection of computer systems, building sites, and equipment from hazards and/or intrusions. Includes: Facility Access, Workstation Use, Workstation Security, Device & Media Controls.
Administrative: Policies and procedures utilized to manage the selection and execution of security measures. Includes: Security Mgmt., Security Officer, Workforce Security, Access Mgmt., Training, Incident Procedures.
Technical Safeguards
8 Using PHI Information
Access is given on a "need-to-know" basis. Access to a system does not imply that it is appropriate to search any patient information at will simply to satisfy curiosity. Use/access the absolute minimum patient information. For information not currently available to you, ask your manager or supervisor for approval.
9 Computer Security
Computer and information technology are a significant component of our business structure at BWH.
- Never leave any PHI data displayed on your monitor when you're away from your desk. Lock your computer: click on the yellow lock symbol at the bottom right of the task bar to enable the PHS Password Protected Screensaver.
- Do not download files to local directories or copy files to external devices, such as floppy disks, CDs, and flash drives, without authorization.
- CDs, floppy disks, etc. must be physically destroyed when no longer needed. For example, break a CD or floppy disk in half.
10 Computer Viruses/Malicious Software
Viruses can range from seemingly harmless "jokes" all the way to widespread destructive infections that can shut down an entire network.
- Do not open attachments from unknown senders. If an e-mail looks suspicious, don't open it! Delete it!
- If you think you downloaded a virus, contact the Help Desk.
- Avoid free downloads and software such as WeatherBug and search bars. These are examples of spyware that interfere with PHS applications as well as bog down the system.
11 Protecting Portable ePHI
Portable electronic media covers devices such as laptops, diskettes, CDs, zip drives, flash drives, PDAs, etc. All movement of electronic media containing ePHI into and out of BWH must be tracked and logged. BWH employees who move electronic media or information systems containing ePHI are responsible for the subsequent use of such items and must take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access. Prior to downloading/moving ePHI, refer to the HIPAA Security Policy, Accountability of Electronic Media.
12 Controlling PHI Access
Collecting PHI requires a controlled, secure environment in which to store information.
As Employees:
- Do not attempt to view information you have not been authorized to access.
- Memorize your password; never write it down.
- If you suspect your password has been compromised, change it immediately or call the Help Desk and request a new one.
- Audits are run regularly to ensure appropriateness.
As Managers:
- Authorize employees to receive the minimum access needed to perform their jobs.
- If you're a 'key giver,' identify the user's role before giving them access.
- Conduct periodic application monitoring to identify and track who accessed PHI and determine its appropriateness.
- Remove an employee's ability to access PHI within 24 hours after their termination date.
13 E-mail Use
E-mails containing PHI should be limited to instances of absolute necessity. Determine the following:
- Has the patient authorized you to communicate with them or a member of their family via e-mail?
- Has all extraneous information been removed from the content of the message?
- Has the PHS disclaimer been linked to your outgoing messages?
- Have you password protected your files?
For more information, refer to the Clinical Guidelines in the BWH Administrative Policy Manual.
14 Physical Safeguards
BWH Security staff regularly monitor those entering the building.
- Staff and employees must wear ID badges at all times.
- Report suspicious behavior.
- Restricted areas must remain restricted.
- Read and understand the BWH Privacy and Security policies, your departmental policies, and regulations regarding visitors.
15 Contingency Planning – BWH IS
Contingency planning is important for maintaining the integrity of PHI. Partners Information Systems has policies and procedures in place in the event of a network or system failure. These procedures include:
- Methods to back up data in case of a system failure.
- Plans to protect data in case of an emergency or disaster.
- Methods to access data if, due to an emergency, you cannot access it in the usual way.
16 Contingency Planning - BWH
To learn more about contingency planning, refer to the online BWH Crisis Resource Manual (CRM). To access the BWH CRM, go to:
Start Menu > Partners Applications > Clinical References > BWH Crisis Resource Manual (CRM)
- OR -
BWH Pike Notes > Hospital-wide Policies And Manuals > Emergency Management Manual > BWH Crisis Resource Manual (CRM)
17 Administrative Safeguards
As part of HIPAA security, BWH has implemented a broad program that includes policies, procedures, standards, and guidelines to guide, protect, and support you. BWH strongly encourages you to report any issues or concerns you have about HIPAA security. If you observe any inappropriate activity, it is your responsibility to report it:
- Speak with your manager or supervisor.
- E-mail the BWH HIPAA Security Office mailbox.
- Call the BWH Compliance Hotline (617) to make an anonymous report.
Congratulations! You have completed the BWH HIPAA Security Training Course.