Installation and Maintenance of Health IT Systems: System Security Procedures and Standards, Lecture a (Comp8_Unit6a). This material was developed by Duke University.

Presentation transcript:

Installation and Maintenance of Health IT Systems
System Security Procedures and Standards, Lecture a
This material (Comp8_Unit6a) was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC

System Security Procedures and Standards: Learning Objectives
1. Identify regulatory requirements for EHRs (lecture a)
2. Provide training for system users regarding the methods and importance of security compliance (lecture a)
3. Identify administrative, physical, and technical safeguards for system security and regulatory compliance (lectures a and b)
4. Identify best practices for system security (lecture b)
5. Identify best practices for risk / contingency management (lecture b)
Health IT Workforce Curriculum, Version 3.0/Spring 2012. Installation and Maintenance of Health IT Systems: System Security Procedures and Standards, Lecture a.

Security and Privacy
Federal, state, and local laws govern access to and control of health record information, particularly:
– Who can have access
– What should be done to protect the data
– How long the records should be kept
– Whom to notify and what to do if a breach is discovered

Security and Privacy: HIPAA
HIPAA = Health Insurance Portability and Accountability Act of 1996
– Protected Health Information (PHI) includes any health information that explicitly identifies an individual, or that could reasonably be expected to allow an individual to be identified.
– Excludes PHI in education records covered by the Family Educational Rights and Privacy Act (FERPA), and employment records.

Security and Privacy: HIPAA (cont’d)
18 identifiers are recognized as providing identifiable links to individuals:
– Name, address, ZIP code
– Dates (birth dates, discharge dates, etc.)
– Contact info, including web URLs
– Social Security Number or record numbers
– Account numbers of any sort
– License number, license plates, ID numbers
– Device identifiers, IP addresses
– Full face photos, fingerprints, recognizable markings
(Summary of the HIPAA Privacy Rule, n.d.)
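The categories above are exactly what a de-identification routine has to strip before a record can be used for a purpose that does not need identity. As an added example (not part of the Duke lecture and not an HHS tool), the Python below removes the structured fields that fall into those categories and then tags the shape-based identifiers (dates, phone numbers, Social Security Numbers, e-mail addresses, URLs, IP addresses, ZIP codes) in free text; the field names, the regexes and the sample record are constructed assumptions. Names, street addresses and distinguishing marks have no regular shape, so the example leaves those to manual review, which is the caveat a practitioner should carry: regex scrubbing covers only the mechanical categories.

```python
"""Safe-harbor style de-identification of a patient record. Added example,
not code from the Duke lecture or from HHS. It removes the structured fields
that correspond to the identifier categories on the slide, then scans free
text for the identifiers that have a recognisable shape. The field names,
the regexes and the sample record are constructed; the regexes are simple
on purpose and would need tuning before production use."""
import re
from copy import deepcopy

# Structured fields mapped to the slide's identifier categories (constructed
# names; a real EHR export uses its own schema).
IDENTIFIER_FIELDS = {
    "name", "address", "zip", "dob", "admit_date", "discharge_date",
    "phone", "email", "url", "ssn", "mrn", "account_no", "license_no",
    "license_plate", "device_id", "ip_address", "photo", "fingerprint",
}

# Identifiers with a regular shape. Names, street addresses and distinguishing
# marks have no reliable shape and need NLP or manual review. Order matters:
# SSN and phone run before ZIP so their digit groups are already replaced.
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "DATE": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "URL": re.compile(r"\bhttps?://\S+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # Also catches other 5-digit numbers; over-redaction is the safe failure.
    "ZIP": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def scrub_text(text):
    """Replace shaped identifiers with a category tag. Returns
    (scrubbed_text, counts) so the de-identification can be audited."""
    counts = {}
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text, n = pattern.subn(f"[{tag}]", text)
        if n:
            counts[tag] = n
    return text, counts


def deidentify_record(record):
    """Return (copy of record without identifier fields and with string
    fields scrubbed, audit dict). The input record is left unchanged."""
    out = deepcopy(record)
    removed = sorted(k for k in out if k.lower() in IDENTIFIER_FIELDS)
    for k in removed:
        del out[k]
    found = {}
    for k, v in out.items():
        if isinstance(v, str):
            out[k], counts = scrub_text(v)
            for tag, n in counts.items():
                found[tag] = found.get(tag, 0) + n
    return out, {"removed_fields": removed, "scrubbed": found}


# Constructed sample record: fictitious person and values.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1961-03-14",
    "mrn": "MRN-0042",
    "zip": "27701",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Patient called from 919-555-0142 on 03/14/2012 about labs; "
             "SSN on file 123-45-6789. Portal: https://portal.example/visit/77"),
}

if __name__ == "__main__":
    cleaned, audit = deidentify_record(SAMPLE_RECORD)
    print(cleaned)
    print(audit)
```

Running it drops the name, date of birth, record number and ZIP fields outright and returns the note with the phone number, date, SSN and URL replaced by tags; the audit dictionary records what was removed and how many of each pattern were found, which is the kind of evidence a privacy officer wants attached to a released data set.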

Security and Privacy (cont’d)
State and local laws vary. Federal law tends to supersede state and local laws; where they overlap, always choose the most protective policy.
Information is available from the state or local health department (see the Minnesota example).
Requirements must be followed regardless of how easy the information is to find: ignorance is no excuse!
This lecture will focus on federal regulatory obligations.
(Minnesota Health Information Clearinghouse, n.d.)

What is HIPAA Privacy?
Federal law governing the privacy of patients' medical records and other health information maintained by covered entities, including:
– Health plans, including the Veterans Health Administration, Medicare, and Medicaid
– Most doctors and hospitals
– Healthcare clearinghouses
Gives patients access to their records and significant control over use and disclosure.
Compliance required since April
(Summary of the HIPAA Privacy Rule, n.d.)

HIPAA Privacy Rule
Privacy and security complaints:
– All are investigated by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).
– 66,736 complaints received (as of December 2011), of which 15,176 required corrective actions.
– Steep fines for validated complaints.
– Entities needing the most corrective actions: private health care practices, general hospitals, pharmacies, outpatient facilities, group health plans.
(HIPAA Enforcement Highlights, 2012; Numbers at a Glance, n.d.; Poremba, 2008; Hamilton, 2009)

HIPAA Privacy Rule (cont’d)
Violations investigated most often:
1. Impermissible uses and disclosures of protected health information (PHI)
2. Lack of safeguards of PHI
3. Lack of patient access to their PHI
4. Uses or disclosures of more than the minimum necessary PHI
5. Complaints to the covered entity
(HIPAA Enforcement Highlights, 2012; Numbers at a Glance, n.d.; Poremba, 2008; Hamilton, 2009)

HIPAA Security Rule
Establishes standards for securing electronic protected health information (ePHI) that is created, received, maintained, or transmitted.
– Each implementation specification is delineated as “required” or “addressable”.
– Designed to be flexible and scalable.
Entities are required to:
– Ensure the confidentiality, integrity, and availability of all ePHI
– Identify and protect against reasonably anticipated threats to the security or integrity of the information
– Protect against reasonably anticipated, impermissible uses or disclosures
– Ensure compliance by the workforce
Works in tandem with the Privacy Rule.
(Summary of the HIPAA Security Rule, n.d.)

What is Required by the HIPAA Security Rule?
Categories:
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
(Summary of the HIPAA Security Rule, n.d.)

Administrative Safeguards
Address the process of security management in your organization.
Risk analysis:
– Evaluating the likelihood and impact of potential risks to ePHI
– Implementing appropriate security measures to address identified risks
– Documenting the security measures chosen, with rationale
– Maintaining continuous, reasonable, and appropriate protections
An ongoing process, with regular reviews.
(Summary of the HIPAA Security Rule, n.d.)

Administrative Safeguards (cont’d): Security Personnel
Designated security official:
– Responsible for developing and implementing security policies and procedures
– Knowledge of good HIPAA practices
– Familiarity with established IT security standards
– Ability to interface well with all levels of management and staff
(Summary of the HIPAA Security Rule, n.d.)

Administrative Safeguards (cont’d): Access Policy
– Policies and procedures for authorizing access to ePHI only when appropriate for one’s role (role-based access).
Questions to answer:
– Who gets access to ePHI data?
– What level of access is needed?
– Who is the agent authorizing the access?
– Is this authorization adequately documented?
– Is the access periodically reviewed?
– Is there a process for rescinding access when no longer needed?
(Summary of the HIPAA Security Rule, n.d.)
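Those six questions map directly onto the data an access-control system has to keep. The following added example (not the lecture's code and not any HIPAA product; the role names, the 90-day review interval and the sample users are constructed assumptions) records who authorized each grant, refuses access once a grant's periodic review is overdue, supports revocation, and writes every decision to an audit log so that each question can be answered from the record rather than from memory.

```python
"""Role-based access grants with documented authorization, periodic review and
revocation. Added example, not code from the Duke lecture or any HIPAA product;
role names, the 90-day review interval and the sample users are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ROLE_PERMISSIONS = {                   # least-privilege roles (constructed)
    "physician": {"read_chart", "write_orders"},
    "billing": {"read_demographics", "read_billing"},
}
REVIEW_INTERVAL = timedelta(days=90)   # assumed policy value


@dataclass
class Grant:
    user: str
    role: str
    authorized_by: str      # the agent who approved the access
    granted_on: date
    last_reviewed: date
    revoked_on: Optional[date] = None


class AccessRegistry:
    """Grants plus an audit log of every grant, review, revocation and access
    decision, so 'is this authorization adequately documented?' is answerable."""

    def __init__(self):
        self.grants = []
        self.audit_log = []

    def _active(self, user, on):
        return [g for g in self.grants if g.user == user and g.granted_on <= on
                and (g.revoked_on is None or g.revoked_on > on)]

    def grant(self, user, role, authorized_by, on):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if authorized_by == user:   # separation of duties
            raise ValueError("a user may not authorize their own access")
        self.grants.append(Grant(user, role, authorized_by, on, last_reviewed=on))
        self.audit_log.append(("GRANT", user, role, authorized_by, on))

    def review(self, user, role, reviewer, on):
        for g in self._active(user, on):
            if g.role == role:
                g.last_reviewed = on
                self.audit_log.append(("REVIEW", user, role, reviewer, on))
                return True
        return False

    def revoke(self, user, role, by, on):
        for g in self._active(user, on):
            if g.role == role:
                g.revoked_on = on
                self.audit_log.append(("REVOKE", user, role, by, on))
                return True
        return False

    def check(self, user, permission, on):
        """Return (allowed, reason). A grant whose periodic review is overdue
        does not authorize access; that is what makes reviews actually happen."""
        overdue = None
        for g in self._active(user, on):
            if permission not in ROLE_PERMISSIONS[g.role]:
                continue
            if on - g.last_reviewed > REVIEW_INTERVAL:
                overdue = g
                continue
            self.audit_log.append(("CHECK", user, permission, True, on))
            return True, f"role {g.role} authorized by {g.authorized_by}"
        self.audit_log.append(("CHECK", user, permission, False, on))
        return False, (f"review overdue for role {overdue.role}" if overdue
                       else "no active grant covers this permission")

    def overdue_reviews(self, on):
        return [(g.user, g.role) for g in self.grants
                if g.revoked_on is None and on - g.last_reviewed > REVIEW_INTERVAL]


def demo():
    """Grant, deny by role, deny on overdue review, review, then revoke."""
    reg, d0, results = AccessRegistry(), date(2012, 1, 9), {}   # constructed dates
    try:
        reg.grant("dr_lee", "physician", authorized_by="dr_lee", on=d0)
        results["self_authorization_rejected"] = False
    except ValueError:
        results["self_authorization_rejected"] = True
    reg.grant("dr_lee", "physician", authorized_by="cmo_patel", on=d0)
    reg.grant("pat_billing", "billing", authorized_by="mgr_chen", on=d0)
    results["physician_reads_chart"] = reg.check("dr_lee", "read_chart", d0)[0]
    results["billing_reads_chart"] = reg.check("pat_billing", "read_chart", d0)[0]
    later = d0 + timedelta(days=120)            # 30 days past the review interval
    results["overdue_denied"] = reg.check("dr_lee", "read_chart", later)[0]
    results["overdue_list"] = reg.overdue_reviews(later)
    reg.review("dr_lee", "physician", reviewer="cmo_patel", on=later)
    results["after_review"] = reg.check("dr_lee", "read_chart", later)[0]
    reg.revoke("dr_lee", "physician", by="hr_offboarding", on=later + timedelta(days=1))
    results["after_revoke"] = reg.check("dr_lee", "read_chart", later + timedelta(days=2))[0]
    results["audit_entries"] = len(reg.audit_log)
    return results
```

The design choice worth noting is that an unreviewed grant fails closed: once the review interval passes, the check denies until a named reviewer re-approves, so the "periodically reviewed" question is enforced by the system rather than left to a calendar reminder. The overdue_reviews work list is what the security official would pull before each review cycle.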

Administrative Safeguards (cont’d): Training & Evaluation
Processes for appropriate authorization and supervision of workforce members who work with ePHI.
Well-documented training of all workforce members in security policies and procedures:
– Appropriate sanctions against violators
Periodic assessment of procedures and policies:
– Are they still appropriate?
– Are they being followed?
(Summary of the HIPAA Security Rule, n.d.)

Physical Safeguards: Access
Limit physical access to facilities, while ensuring that authorized access is allowed:
– Server rooms where ePHI is stored
– Work areas where ePHI is accessed
– Back-up media storage potentially containing ePHI
Inventory hardware and software:
– Know where inventory is kept
– Know the value of hardware, software, and equipment
(Summary of the HIPAA Security Rule, n.d.)

Physical Safeguards (cont’d): Device Security
Policies and procedures for proper use of and access to workstations and electronic media, including transfer, removal, disposal, and re-use:
– Lock down publicly accessible systems potentially containing ePHI
– Strong passwords
– At least 256-bit encryption, especially for wireless, backups, and offsite data
– Media thoroughly wiped and rendered inaccessible
(Summary of the HIPAA Security Rule, n.d.)
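For the last bullet, "thoroughly wiped" means verified, not assumed. The added example below (not from the lecture; the file name and content are constructed) overwrites a file's blocks with random data, syncs each pass to the device, reads the file back to confirm that no chunk of the original survives at its offset, and only then deletes it, returning a report for the disposal record. The caveat is a general storage fact rather than something the slide states: on SSDs, copy-on-write or journaling file systems and cloud block storage, overwriting in place does not reliably reach every copy of the data, so whole-disk encryption with destruction of the key, or physical destruction of the media, is the dependable control there; this example suits a conventional disk.

```python
"""Overwrite-then-delete sanitisation of a file that held ePHI, with a
verification pass before the file is released. Added example, not from the
Duke lecture; file names and the sample content are constructed."""
import os
import tempfile


def overwrite_and_delete(path, passes=3, chunk=64 * 1024):
    """Overwrite `path` in place `passes` times with random bytes, fsync after
    each pass, verify the original bytes are gone, then delete the file.
    Returns a report dict suitable for the media-disposal record."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        original = f.read()
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # push the overwrite through the page cache
        f.seek(0)
        final = f.read()
    # Verification: no chunk of the original content may survive at its offset.
    clobbered = len(final) == size and all(
        final[i:i + chunk] != original[i:i + chunk] for i in range(0, size, chunk))
    if not clobbered:
        raise RuntimeError(f"verification failed for {path}; do not release this media")
    os.remove(path)
    return {"path": path, "bytes": size, "passes": passes,
            "verified": True, "exists_after": os.path.exists(path)}


def demo_wipe():
    """Create a temporary file of constructed ePHI-like rows, sanitise it and
    return the disposal report."""
    fd, path = tempfile.mkstemp(suffix=".csv")
    with os.fdopen(fd, "wb") as f:
        f.write(b"mrn,name,diagnosis\n0042,Jane Q. Sample,E11.9\n" * 2000)
    return overwrite_and_delete(path)
```

The report returned by demo_wipe, rather than the absence of the file, is what belongs in the disposal log: it states how many bytes were overwritten, how many passes ran, and that the read-back verification passed. A failed verification raises instead of deleting, so media that could not be confirmed clean is never released by accident.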

System Security Procedures and Standards: Summary – Lecture a
Electronic protected health information (ePHI):
– Strictly regulated by HIPAA and other government guidelines prohibiting unwanted, unauthorized access
– Should be protected using a layered approach, including numerous administrative, physical, and technical safeguards
User training:
– Ensure awareness
– Document and review effectiveness

System Security Procedures and Standards: References – Lecture a
Summary of the HIPAA Privacy Rule. (n.d.). Retrieved from U.S. Department of Health & Human Services website.
Summary of the HIPAA Security Rule. (n.d.). Retrieved from U.S. Department of Health & Human Services website.
Enforcement Highlights. (2012, January 12). Retrieved from U.S. Department of Health & Human Services website.
Numbers at a Glance. (n.d.). Retrieved January 12, 2012, from U.S. Department of Health & Human Services website.
Poremba, S. M. (2008, May 23). Retrieved from SC Magazine website: hipaa-complaints-and-medical-record-breaches/article/110555/
Hamilton, K. (2009, January 15). EHR security and privacy. Retrieved from SC Magazine website.
Minnesota Health Information Clearinghouse, Medical Records Information. (n.d.). Retrieved January 12, 2012, from Minnesota Department of Health.
Department of Health and Human Services (HHS), Office for Civil Rights (OCR), HIPAA Privacy Rule. 45 CFR Subtitle A (2011 Edition). Retrieved January 20, 2012, from GPO: title45-vol1/pdf/CFR-2011-title45-vol1-sec pdf