HIPAA Security Understanding the Regulations And Your Role in Protecting Confidential Data
What is HIPAA Security?
Federal regulations to ensure the security of electronic Protected Health Information (ePHI).
The goals of these rules are to:
1. Ensure the Confidentiality, Integrity, and Availability of all ePHI an organization creates, receives, maintains, or transmits
2. Protect against threats or hazards to the security or integrity of such information
3. Protect against uses or disclosures of such information that are not permitted or required by the Privacy Rule
4. Ensure compliance by its workforce
Information Security and Electronic PHI
What is Information Security? Information Security is the process of protecting data from accidental or intentional misuse by persons inside or outside of the Scott Center or FLTech.
Protecting the Confidentiality, Integrity and Availability of patients' ePHI is the foundation of Information Security and the responsibility of everyone at the Scott Center.
What is Considered ePHI?
1. Names
2. All geographic subdivisions smaller than State, including street address, city, county, precinct, zip code, and other equivalent geocodes
3. All elements of dates (except year) for dates directly related to an individual, including:
   a) birth date
   b) admission date
   c) discharge date
   d) date of death
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers, including license plate numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photograph images and any comparable images
18. Any other unique identifying number, characteristic, or code that is derived from or related to information about the individual
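Several of the identifiers above have a recognisable textual shape, so an outbound-mail or document check can catch them before they leave a fit.edu account. The scanner below is an added example, not part of the original training deck; it covers only the pattern-detectable subset (SSN, phone, email, IP, URL, date, zip code), and the sample record it scans is constructed.

```python
import re

# Regexes for the HIPAA identifiers that have a fixed textual shape.
# Names, MRNs, account or license numbers have no shape and need a
# dictionary or context rules, so they are deliberately out of scope.
EPHI_PATTERNS: dict[str, re.Pattern] = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}

def find_ephi(text: str) -> dict[str, list[str]]:
    """Return {identifier_type: [matches]} for every pattern that fires."""
    hits: dict[str, list[str]] = {}
    for kind, pattern in EPHI_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
    return hits

def is_safe_to_send(text: str) -> bool:
    """Gate for an outbound message: True only when no identifier matched."""
    return not find_ephi(text)

def redact(text: str) -> str:
    """Replace each detected identifier with a [TYPE] token before sharing."""
    for kind, pattern in EPHI_PATTERNS.items():
        text = pattern.sub(f"[{kind.upper()}]", text)
    return text

# Constructed sample record; every value here is fictional.
SAMPLE = ("Patient John Doe, DOB 03/14/1962, SSN 123-45-6789, "
          "phone (321) 555-0123, zip 32901, email jdoe@example.org, "
          "last seen from 10.0.0.5.")

if __name__ == "__main__":
    print(find_ephi(SAMPLE))
    print(redact(SAMPLE))
```

A clean result from this scanner is not proof that a message is free of ePHI: a bare name or a medical record number passes untouched, which is why the email slide below still says to use the encrypted channel for anything patient-related.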
Penalties for HIPAA Violations
Deliberately breaking HIPAA's rules can undermine patient trust in the Scott Center and could place staff and the organization at risk for penalties under HIPAA as well as other laws.
Sanctions for HIPAA Violations
In an investigation into HIPAA violations, both the Scott Center and you may be subject to civil or even criminal penalties. These penalties may include fines and possible time in jail:
- HIPAA allows fines of up to $100 for each violation of the law, to a limit of $25,000 per year for violations of the same requirement
- Criminal sanctions for knowing misuse or disclosure of PHI carry fines of $50,000 to $250,000 and one to ten years imprisonment
- If it is found that you have been misusing data or inappropriately accessing systems, you may face disciplinary action
Please see the Scott Center manual and SOP for more detail.
Good Security Begins With You!
You are the first line of defense in Information Security.
Protect Your Passwords
Don't Share Logins and Passwords
1. Never let other people use your id/password to log in to a system. You can be held personally responsible for any activity that happens under your user id
2. Passwords should never be written down or stored where others can find them
3. Don't reveal a password over the phone to ANYONE
4. Don't reveal a password in an email message
5. Don't reveal a password to co-workers while on vacation
6. Don't reuse old passwords
Treat Your Passwords Like Your Toothbrush - Don't Share Them!
Viruses
One Virus Can Make Your Computer Sick! Protect Your Computer!
1. Virus protection must be running on all computers. Always make sure you are running the latest versions and continuously update your virus definitions
2. Run anti-spyware programs such as Ad-aware or Spybot to prevent malicious code from monitoring/infecting your system
3. NEVER open any files attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash
4. Delete spam, chain, and other junk email without forwarding
5. Do not download files from websites unless absolutely necessary to accomplish your work. Never download freeware onto your workstation
6. If your computer detects a virus, stop using the computer and notify your local support team or call the IT help desk at immediately
Keep Your Desktop Secure
1. Keep Operating System patches up to date
2. Check periodically for security updates to your software (Office XP, Browser, etc.)
3. Enable personal desktop firewalls to prevent unauthorized access to a computer from the network
4. Back up critical data and system configurations on a regular basis and store the data in a safe place
5. Shut your computer off when not in use. A computer that is turned off cannot be electronically compromised
6. Automatic screen locks with password protection must be enabled on your workstations so that during periods of inactivity, unauthorized users are prevented from inappropriately viewing ePHI
Securing Email
Email is NOT the same as a letter sent through the normal mail. Your messages are "written" on the electronic equivalent of postcards. What does this mean? Anyone can look at your message.
1. Do not email ePHI to a non-fit.edu email account unless the email has been encrypted. If you need to email ePHI to perform your job, please contact your local support team for a secure method
2. Do not use non-fit.edu email such as Web Mail (like Hotmail, Yahoo! Mail, AOL) to conduct business or send information about a patient
3. If you need to email documents, make sure they are password protected! (thescottcenter)
Physical Security
Many information security problems start with a breach of physical security such as an unlocked door, material that hasn't been destroyed securely, or a stolen computer. These problems aren't limited to malicious acts: an accident such as a fire could result in a temporary loss of service availability, or the permanent loss of critical information. Information Security is not limited to merely the security of a workstation.
Physical Security
1. Make sure that you are very familiar with the downtime procedures needed to perform your job in the event that the systems you use to do your job crash or cannot be used for hours, days or weeks
2. Practice common sense security. Report any suspicious persons or activity, and do not allow people into unauthorized areas without proper badges or ids
3. Any computer equipment that may contain ePHI must not be re-used or discarded
   a) Equipment includes Biomed devices, zip drives, laptops, PDAs, hard drives, etc.
Unauthorized Software/Hardware
Software/Hardware Installation: do not install software or hardware without the approval of your IT team first!
Many organizations have been hit with viruses and worse when well-meaning employees installed what they thought was "harmless" software. They did not realize that "free" web postcards or other Internet tools can disable their computer, threaten the network, or contain malicious software that would allow someone access to their computer.
Examples of inappropriate software:
- Music sharing software (Kazaa, LimeWire)
- Remote access software
- Games
- Instant Messenger (AIM, Yahoo!, MSN)
- Gator/GAIN/GAIM
- WeatherBug
- iMesh
- ShopAtHome
Laptop and PDA Safety
Like your desktop, make sure to run the latest OS/security patches and the most current virus software. Keep these updated on a daily basis! Only connect to the Hospital network through a secure method. Do not share passwords or login information, even with family members.
Practice Portable Safety
The most frequent risk in using PDAs and laptops is theft of the device. This results in a loss of equipment and a potential loss of data confidentiality.
General Safety:
- Do NOT leave your laptop or PDA unattended
- Purchase a locking security cable to attach your laptop to an immovable object to prevent theft
- Use strong passwords to prevent unauthorized users from accessing your laptop or PDA
Incident Response and Reporting
Reporting Security Breaches
Report a security incident if:
a. You receive email which includes threats or material that could be considered harassment
c. Someone asks you for your password or asks to use your login account
d. You suspect that someone is inappropriately using confidential data
e. You discover unauthorized or missing hardware or software
If you suspect an incident or that your computer/account has been compromised, call your local support team immediately!
Please see the "HIPAA" Policy located on the S drive.