David Assee BBA, MCSE Florida International University


Session: TH228 Billing Operations and Information Technology (Focus on IT Security Rules). David Assee BBA, MCSE, Florida International University, University Health Services Security Officer, davida@fiu.edu. June 2, 2011.

Purpose of this Training To train you on HIPAA Security Regulations and why security is necessary for billing. HIPAA Security regulations were created to address the need to increase security standards for electronic protected health information.

Security & HIPAA Due to the seamless nature of most IT networks, HIPAA security rules should apply to all software, users and computers that access EPHI. By taking a proactive approach to computer security now, you will be able to detect and prevent trouble later.

Defining IT Security IT security is about protecting information assets by effectively managing risks. How much protection is provided depends on the risk and magnitude of harm that could result if the data were lost, misused, disclosed, or modified. Assets are computers and data. Risks are managed by evaluating vulnerabilities and threats.

Defining IT Security
Vulnerabilities: Weaknesses in a computer or network that leave it susceptible to potential exploitation such as unauthorized use or access. Vulnerabilities include but are not limited to weaknesses in security procedures, administrative or internal controls, or physical configuration; or features or bugs that enable an attacker to bypass security measures.
Threats: Threats generally fall into three broad categories:
- A person (careless oversight, lack of training, malicious or criminal intent)
- A thing (a faulty piece of equipment)
- An event (a power outage, fire, or flood)
A threat is the means through which a weakness can be exploited to adversely affect a network or supported systems. A threat is possible only because the system is vulnerable to that particular threat.

HIPAA Security Rule There are three components of security to guard data integrity, confidentiality, and access:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
These components work together to establish a unified security approach based on the principle of “defense in depth.”

Defense in Depth Layers (diagram, outer layer to inner layer):
- Administrative
- Physical
- Firewalls
- Router Configuration
- Technical: Operating System Login, User Login, Database Access Settings

Administrative Safeguards Administrative safeguards make up 50% of the Security Rule’s standards. They require documented policies and procedures for managing the day-to-day operations, the conduct and access of workforce members to EPHI, and the selection, development, and use of security controls.

Administrative Safeguards
Security management process - An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations. Have written policies and procedures for security violations.
Assigned security responsibility - A single individual must be designated as having overall responsibility for the security of a CE’s EPHI. Assign a security designee.

Administrative Safeguards Workforce security – Policies and procedures ensure that only properly authorized workforce members have access to EPHI. Set up procedures to ensure new employees receive sign-on to systems that store EPHI only if authorized.

Administrative Safeguards
Information access management – Policies and procedures detail how access to EPHI is established or modified. Access to medical management is documented, including changes in an employee’s role.
Security awareness and training – All workforce members must undergo security awareness education and training. Employees are often the biggest threat to a network. Let them know what they can and cannot do.

Administrative Safeguards Security incident procedures – Policies and procedures provide means for reporting, responding to, and managing security incidents. Set up a method for reporting security incidents to the appropriate designee.

Administrative Safeguards: Other Policies
Contingency plan - Backup systems need to be maintained for disaster recovery. Review your backup plan to ensure it’s feasible.
Business associate contracts and other arrangements - Contracts completed with external vendors to ensure the privacy and confidentiality of EPHI.

Physical Safeguards The physical safeguards are a series of requirements meant to protect a CE's electronic information systems and EPHI from unauthorized physical access. CEs must limit physical access while permitting properly authorized access.

Physical Safeguards Facility access controls - An overall requirement that limits physical access to electronic information systems while ensuring that properly authorized access is allowed. Only clinic employees should be allowed to access areas or equipment that store EPHI; anyone else requires approval.

Physical Safeguards Workstation use - Policies and procedures must provide physical safeguards for all workstations that can access PHI. Specify characteristics of the physical environment & appropriate use of the workstations that can access EPHI. Consider:
- Location of computer screens
- Fax machines & display devices
- Use of screen savers
- Use of privacy filters

Physical Safeguards Device and media controls – Policies and procedures must specify how hardware and electronic media containing EPHI are received or removed within or outside of a CE.
- Storage media sanitization policy.
- Restrictions on removable media: Workstations should be designed to limit the easy removal of PHI, e.g., via storage devices (USB thumb drives) and via e-mail.
- Must also provide for appropriate destruction (i.e., shredding) of any hard copies of PHI. Some photocopiers can store information.

Technical Safeguards The technical safeguards are requirements for using technology to protect EPHI, particularly controlling access to it.

Technical Safeguards
Access control – Information systems that contain EPHI must only allow access to persons or software programs that have appropriate access rights. Passwords, set at the OS and application levels; a biometric solution can add greater security.
Audit controls – Information systems that contain or use EPHI must have mechanisms to record and examine activity. IT audits done on multiple levels (firewall, operating system, intrusion detection system, application*).
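One way the audit-control and access-control requirements above are exercised in practice, as an added example that is not part of the original presentation: a small review script that reads a constructed EPHI access log and flags record views from a unit with no documented care or billing relationship to the patient, the "taking a peek" pattern the enforcement examples that follow describe. The log format, unit names, user names and the authorization table are all assumptions made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample EPHI access log (not real data): who viewed which record and from which unit.
ACCESS_LOG = """\
2011-06-02T09:14:05 user=nurse01 unit=ICU action=view patient=P1003
2011-06-02T09:15:10 user=nurse01 unit=ICU action=view patient=P1004
2011-06-02T09:20:42 user=clerk07 unit=BILLING action=view patient=P2001
2011-06-02T09:21:03 user=clerk07 unit=BILLING action=view patient=P1003
2011-06-02T09:21:30 user=clerk07 unit=BILLING action=view patient=P1004
2011-06-02T09:22:11 user=clerk07 unit=BILLING action=view patient=P1005
2011-06-02T09:22:50 user=clerk07 unit=BILLING action=view patient=P1006
2011-06-02T10:02:17 user=dr_lee unit=ICU action=view patient=P1003
"""

# Constructed assignment of which units have a documented need for each record
# (the "information access management" documentation the slides call for).
AUTHORIZED_UNITS = {
    "P1003": {"ICU"}, "P1004": {"ICU"}, "P1005": {"ICU"},
    "P1006": {"ER"}, "P2001": {"BILLING", "ER"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) unit=(?P<unit>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)

def parse_log(text):
    """Parse each log line into a dict; lines that do not match the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def review_access(events, authorized, browse_threshold=3):
    """Flag views from a unit with no documented relationship to the patient, then flag
    users who did that against several distinct records (record browsing / peeking)."""
    findings = []
    unrelated = defaultdict(set)
    for e in events:
        if e["unit"] not in authorized.get(e["patient"], set()):
            findings.append(("NO_RELATIONSHIP", e["user"], e["patient"]))
            unrelated[e["user"]].add(e["patient"])
    for user, patients in unrelated.items():
        if len(patients) >= browse_threshold:
            findings.append(("BULK_BROWSING", user, len(patients)))
    return findings

if __name__ == "__main__":
    for finding in review_access(parse_log(ACCESS_LOG), AUTHORIZED_UNITS):
        print(*finding)
```

Each finding is a lead for the security designee to follow up under the incident procedures, not a verdict on its own.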

Audit/Enforcement Examples
16 Employees Fired by Texas Hospital District for HIPAA Violations (December 3, 2009): 16 employees have been fired by the Harris County Hospital District for violating patient privacy laws, a hospital spokeswoman confirmed. They include managers, nurses, clerks and other employees. {Source: www.compliancehome.com}
Five Hospital Employees to be Fired over HIPAA Violations (June 11, 2011): Tri-City Medical Center’s chief executive says the hospital has sent letters of intent to fire five employees, and has disciplined a sixth, for allegedly posting information about hospital patients online. “Employees must come to understand and truly appreciate the huge risks involved and penalties at stake if they are "taking a peek" at a patient's medical record for no legitimate purpose.”

Audit/Enforcement Examples (Cont’d)
(February 14, 2011) Mass General Hospital to pay U.S. government $1 million. It also entered into a Corrective Action Plan that includes a requirement to submit policies and procedures to HHS for review and approval. Policies must include and specifically address the violations found:
- Physical removal and transport of PHI
- No laptop encryption
- No USB drive encryption

Technical Safeguards
Integrity – EPHI must be protected from improper modification or destruction. Tools used: firewalls, anti-virus software, intrusion detection systems, application audits and locks.
Person or entity authentication - Must be able to verify that persons or entities seeking access to EPHI are who or what they claim to be. Tools used: passwords, audit controls.

Technical Safeguards Transmission security - Unauthorized access to EPHI being transmitted over an electronic communications network (e.g., the Internet) must be prevented. Tools used: firewalls, secure communications via encryption.

Conclusion Computer security is not just something you do if you have extra time. Developing a good security program is a good start, but employees need to understand and follow it. Even if you are NOT covered by HIPAA, your medical data still needs to be secure. Your security model is only as good as its weakest link (IT or human).