Security Awareness Training Revision 2010
Agenda:
The purpose of security awareness training
HIPAA
PHI
PII
HITECH Act 2009
NC ITPA
Sensitive Data
Best Practices
Documentation
Why do I need to know this stuff?
Training protects employees & customers
Training reinforces good work practices
It is required by legal and regulatory agencies
What is HIPAA? The law known as "HIPAA" stands for the Health Insurance Portability and Accountability Act. Congress passed this landmark law to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. There are four parts to HIPAA's Administrative Simplification:
1. Electronic transactions and code sets standards requirements
2. Privacy requirements (PHI)
3. Security requirements (technical & physical data safeguards)
4. National identifier requirements (NPI)
Where are we? As of 2010, Electronic Data Interchange (EDI) with clearing houses (known as Trading Partners) should already be satisfying the electronic transactions requirements and NPI. However, it is up to you to perform compliance testing too. Under HIPAA regulations, health care providers should already have replaced their insurance provider numbers with a new national provider identifier number as of May. Privacy requirements (PHI) should already be in place, with small plans having been the last to comply by April 21. Note that a lot of confusion exists regarding terminology such as health plans, covered entities, and small providers. In general, more active approaches can only help you as rules become tighter. Security requirements (technical & physical data safeguards) vary greatly depending on the size and setup of the organization.
Are we a covered entity? In general, if your practice does any of the standard transactions electronically, either directly or through a billing service or other third party, then you will be required to comply with the HIPAA Electronic Transaction & Code Sets Standards, as well as other Administrative Simplification Requirements, such as Privacy and Security.
OK, I have to comply… So what is "reasonable diligence"?
Assign a HIPAA compliance officer
Create compliance policies and procedures
Take an active role in protecting and transferring data appropriately
Are there penalties for non-compliance? The law does provide for fines for non-compliance. The Secretary of HHS may impose a civil monetary penalty on any person or covered entity who violates any HIPAA requirement. The civil monetary penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard per calendar year. Keep in mind, CMS sees its primary role as a promoter of compliance and would only impose a monetary fine as a last resort. As discussed earlier, organizations that exercise “reasonable diligence” and make efforts to correct problems are unlikely to be subject to civil penalties. However, if the covered entity does not respond to CMS, fines could be imposed as a last resort.
What is it? PHI stands for Protected Health Information, which is also known as the "security rule" part of HIPAA. The Security Rule standards allow any covered entity (including small providers) to use any security measures that help the covered entity to reasonably and appropriately implement the standards to protect electronic health information. In deciding what security measures to use, a covered entity can take into account its size, capabilities, and the costs of security measures. A small provider that is a covered entity would first assess its security risks and vulnerabilities and the mechanisms currently in place to mitigate those risks and vulnerabilities. Following this assessment, it should determine what additional measures, if any, need to be taken to meet the standards, taking into account its capabilities and the cost of those measures.
What information is protected? The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." PHI includes information (even demographic data) that relates to:
1. The individual's past, present or future physical or mental health
2. The provision of health care to the individual
3. Past, present, or future payments for the provision of health care
4. Information that identifies the individual
5. Information which can be reasonably used to identify the individual
What is it? Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual. The U.S. General Services Administration says: "The term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual."
Health Information Technology for Economic and Clinical Health (HITECH) Act. On April 17, 2009, HHS issued guidance specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals, as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA). What does it mean? Providers are responsible for taking the necessary steps to secure sensitive data and quickly report suspected breaches, or face fines from $0 to $1,500,000 based on a tiered structure.
The HITECH Act gave HIPAA teeth!
Tier A is for violations in which the offender didn't realize he or she violated the Act and would have handled the matter differently if he or she had. This results in a $100 fine for each violation, and the total imposed for such violations cannot exceed $25,000 for the calendar year.
Tier B is for violations due to reasonable cause, but not "willful neglect." The result is a $1,000 fine for each violation, and the fines cannot exceed $100,000 for the calendar year.
Tier C is for violations due to willful neglect that the organization ultimately corrected. The result is a $10,000 fine for each violation, and the fines cannot exceed $250,000 for the calendar year.
Tier D is for violations of willful neglect that the organization did not correct. The result is a $50,000 fine for each violation, and the fines cannot exceed $1,500,000 for the calendar year.
What do you mean it gets worse? The HITECH Act also allows states' attorneys general to levy fines and seek attorneys' fees from covered entities on behalf of victims. Courts now have the ability to award costs, which they were previously unable to do. You're burning me out with all this bad news! OK, just one more slide to go and we will start looking at how we can avoid this mess.
The North Carolina Identity Theft Protection Act. In 2005, the N.C. General Assembly passed a law requiring private businesses and government agencies to protect personally identifying information that could be used for identity theft. If a security breach occurs, the business is responsible for notifying all affected individuals. The North Carolina Office of the Attorney General supports individuals who wish to file suit for damages against the business responsible for the data.
What is sensitive data? Sensitive data includes any data or data combinations which can be used to identify a unique individual. Sensitive data includes, but is not limited to: name, address, phone number, date of birth, Social Security Number, driver license number, insurance ID number, credit card numbers, and other data that, when used in combination, could yield a unique identity. What are we supposed to do? Protect it to the best of our ability without limiting medical services or resources that customers need.
The plan is:
The network administrator will perform a periodic network security analysis
Computers should be patched with security updates regularly
Do not download software to computers without approval
Passwords should contain upper & lowercase letters, numbers, and symbols
Use passwords that are no less than 8 characters long
Do not share your password with others
Log off your computer when it is unattended
Do not leave paper files where non-employees can view or access them
Store all electronic sensitive data on the NAS, not on your own workstation
Shred or archive sensitive data as appropriate
Ensure the clinic is physically locked if no employee is present
Personal computers and devices are not authorized on this network
See the policies and procedures manual for more details
In the event of an issue, contact your supervisor immediately
Training needs to be documented. Please sign the training log to show that you have completed this training.
If you have questions, please contact your supervisor for more information.
This concludes your security awareness training. Please review training as necessary. Presentation prepared by Mark Fox