Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Published byMilton Summers Modified over 8 years ago

Similar presentations

Presentation on theme: "The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,"— Presentation transcript:

1 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

2 Privacy, Confidentiality, and Security Learning Objectives Define and discern the differences between privacy, confidentiality, and security (Lecture a) Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b) Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy Rule (Lecture c) Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d) 2 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

3 HIPAA Security Rule Readable overview in Security 101 for Covered Entities (CMS, 2007) Aligned with terminology of Privacy Rule Aims to minimize specificity to allow scalability, flexibility, and changes in technology For covered entities and business associates, rules are either –Required – must be implemented –Addressable – if reasonable and appropriate to implement As with HIPAA Privacy Rule, some modifications under HITECH 3 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

4 General Provisions Covered entities (and now, business associates) must –Ensure confidentiality, integrity, and availability of electronic PHI that they create, receive, transmit, and maintain –Protect against reasonably anticipated threats and hazards to such information –Protect against reasonably anticipated uses or disclosures not permitted or required by Privacy Rule –Ensure compliance by work force HHS provides guidance on conducting risk assessments and helps determine whether something that is addressable should be addressed by the provider (2010) 4 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

5 Required Safeguards Grouped into three categories –Administrative – policies and procedures designed to prevent, detect, contain, and correct security violations –Physical – protecting facilities, equipment, and media –Technical – implementing technological policies and procedures Following slides from Security 101 5 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

6 Administrative Safeguards Security management process –Risk analysis (R) –Risk management (R) –Sanction policy (R) –Information system activity review (R) Assigned security responsibility (R) Workforce security –Authorization and/or supervision (A) –Workforce clearance procedure (A) –Termination procedures (A) Information access management –Isolating healthcare clearinghouse functions (R) –Access authorization (A) –Access establishment and modification (A) (R=required, A=addressable) 6 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

7 Administrative Safeguards (continued) Security awareness and training –Security reminders (A) –Protection from malicious software (A) –Log-in monitoring (A) –Password management (A) Security incident procedures – response and reporting (R) Contingency plan –Data back-up plan (R) –Disaster recovery plan (R) –Emergency mode operation plan (R) –Testing and revision procedures (A) –Application and data criticality analysis (A) Evaluation (R) Business association contracts and other arrangements (R) 7 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

8 Physical Safeguards Facility access controls –Contingency operations (A) –Facility security plan (A) –Access control and validation procedures (A) –Maintenance records (A) Workstation use (R) Workstation security (R) Device and media controls –Disposal (R) –Media re-use (R) –Accountability (A) –Data backup and storage (A) 8 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

9 Technical Safeguards Access control –Unique user identification (R) –Emergency access procedure (R) –Automatic logoff (A) –Encryption and decryption (A) Audit controls (R) Integrity – mechanism to authenticate electronic PHI (A) Person or entity authentication (R) Transmission security –Integrity controls (A) –Encryption (A) 9 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

10 Other Regulations Business associates are required to –Implement safeguards to protect covered entity’s PHI –Ensure its agents and subcontractors meet same standards –Report to covered entity any security incident Documentation of covered entity must –Be maintained for six years –Available to those responsible for implementing –Reviewed and updated periodically HITECH meaningful use criteria specify use of various encryption standards, e.g., AES, TLS, IPsec, SHA-2 10 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

11 In The End… Ongoing breaches of data are worsening, but –Complete security of all health information is impossible –Security is a trade-off with ease of use; a happy medium must be found –Will concerns be tempered when society sees more benefits of HIT? –Would other societal changes lessen the impact of this problem (e.g., changes in legal system, healthcare financing, etc.)? 11 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

12 Privacy, Confidentiality, and Security Summary – Lecture d HIPAA Security Rule aims to be actionable but flexible Rules are either required or addressable Rules fall into three categories of administrative, physical, and technical 12 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

13 Privacy, Confidentiality, and Security Summary Privacy is the right to keep information to one’s self Confidentiality is the right to keep information about one’s self from being disclosed to others Security in this context is the protection of sensitive health information There are many technologies to maintain security, but human vigilance is also required The HIPAA Privacy and Security Rules spell out the requirements for the United States 13 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

14 Privacy, Confidentiality, and Security References – Lecture d References Anonymous. (2007). Security 101 for Covered Entities. Baltimore, MD: Centers for Medicare and Medicaid Services. Retrieved Jan 2012 from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf Anonymous. (2010). Guidance on Risk Analysis Requirements under the HIPAA Security Rule. Washington, DC: Department of Health and Human Services. Retrieved Jan 2012 from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf 14 Health IT Workforce Curriculum Version 3.0/Spring 2012 The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d

Download ppt "The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013.

HIPAA Security NWOAHU Presented by Barb Gerken 11/12/2013.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA and the GLB Connections Between Congress and Information Assurance.

HIPAA and the GLB Connections Between Congress and Information Assurance.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Similar presentations

Ads by Google