HIPAA Security Training 2005 Security Training 2005
Introduction To improve the effectiveness of the health care system in protecting patient health information the federal government signed into law the Health Insurance Portability and Accountability Act in 1996. HIPAA, as it is commonly known provides health care entities with guidelines on how it must secure and safeguard electronic Protected Health Information (ePHI). This course: Explains the differences between HIPAA Security and Privacy Rules. Outlines new security regulations. Identifies new security-related policies and procedures. Reviews your role in protecting patient information. Use this template to create Intranet web pages for your workgroup or project. You can modify the sample content to add your own information, and you can even change the structure of the web site by adding and removing slides. The navigation controls are on the slide master. To change them, on the View menu, point to Master, then choose Slide Master. To add or remove hyperlinks on text or objects, or to change existing hyperlinks, select the text or object, then choose Hyperlink from the Insert menu. When you’re finished customizing, delete these notes to save space in your final HTML files. For more information, ask the Answer Wizard about: The Slide Master Hyperlinks
HIPAA Security HIPAA Security becomes effective on April 21, 2005. HIPAA Security and Privacy go hand-in-hand. While the Privacy Rule, effective on April 14, 2003 covers all forms of protected health information (PHI), the Security Rule only applies to PHI in electronic forms.
What is HIPAA Security? With a focus on the protection and monitoring of Electronic Protected Health Information (ePHI), HIPAA security regulations require an entity to: Ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI). Protect against any reasonably anticipated threats and uses or disclosures not allowed by the Privacy Rule. Mitigate threats by using safeguards reasonably and appropriately implemented that conform to the Security Rule standards.
What is PHI? Protected Health Information (PHI) consists of patient identifiable information delivered via paper, verbal communications or electronic means. Examples include: Patient name Address Date of birth SS# Medical record # Email address Identifiable health information may be shared among caregivers for the purposes of: Treatment, Payment or Healthcare Operations (TPO). Healthcare Operations include: QA/QI, Utilization Review, Disease, Management, Credentialing, Auditing, etc. Any other use of PHI or disclosure information, i.e., research, marketing, etc. requires the written authorization and consent of the patient.
Privacy/Security Comparison Similarities and Differences between HIPAA Privacy and Security PRIVACY Patient focused PHI – electronic, paper, or verbal Privacy officer Privacy awareness training Business associate contracts Policies and procedures that meet privacy standards SECURITY Covered entity focused PHI – only electronic Security officer Security awareness training Business associate contracts Policies and procedures that meet security standards
HIPAA Security Safeguards HIPAA Security safeguards fall into the following 3 main categories: Technical Access Control Audit Control Integrity Person or Entity Authentication Procedures in place that protect and monitor information access and prevent unauthorized use of data transmitted over the network. Physical Facility Access Workstation Use Workstation Security Device & Media Controls Protection of computer systems, building sites, and equipment from hazards and/or intrusions. Administrative Security Mgmt., Security Officer Workforce Security, Access Mgmt. Training, Incident Procedures Policies and procedures utilized to manage the selection and execution of security measures.
Technical Safeguards Using PHI Information Access is given on a “need-to-know” basis. Access to a system does not imply it is appropriate to search any patient information at will simply to satisfy a curiosity. Use/access the absolute minimum patient information. For information not currently available to you, ask your manager or supervisor for approval.
Computer Security Computer and information technology are a significant component to our business structure at BWH. Never leave any PHI data displayed on your monitor when you’re away from your desk. Lock your computer. Click on the yellow lock symbol at the bottom right of the task bar to enable the PHS Password Protected Screensaver. Do not download files to local directories or copy files to external devices, such as floppy disks, CDs, and flash drives without authorization. CDs, floppy disks, etc. must be physically destroyed when no longer needed. For example, break a CD or floppy disk in half.
Computer Viruses/Malicious Software Viruses can range from seemingly harmless “jokes,” all the way to widespread destructive infections that can shut down an entire network. Do not open email attachments from unknown senders. If an email looks suspicious – don’t open it! Delete it! If you think you downloaded a virus, contact the Help Desk. Avoid free downloads and software such as WeatherBug and Search bars. These are examples of spyware that interfere with PHS applications as well as bog down the system.
Protecting Portable ePHI Portable electronic media covers devices, such as laptops, diskettes, CD’s, zip drives, flash drives, PDA’s, etc All movement of electronic media containing ePHI into and out of BWH must be tracked and logged. BWH employees who move electronic media or information systems containing ePHI are responsible for the subsequent use of such items and must take all appropriate and reasonable actions to protect them against damage, theft, and unauthorized access. Prior to downloading/moving ePHI, refer to HIPAA Security Policy, Accountability of Electronic Media.
Controlling PHI Access Collecting PHI requires a controlled, secure environment to store information. As Employees Do not attempt to view information you have not been authorized to access. Memorize your password, never write it down. If you suspect your password has been compromised, change it immediately or call the Help Desk and request a new one. Audits are run regularly to ensure appropriateness. As Managers Authorize employees to receive minimum access to perform their jobs. If you’re a ‘key giver,’ identify the user’s role before giving them access. Conduct periodic application monitoring to identify and track who accessed PHI and determine its appropriateness. Remove an employee’s ability to access PHI within 24 hours after their termination date.
Email Use Emails containing PHI should be limited to instances of absolute necessity. Determine the following: Has the patient authorized you to communicate with them or a member of their family via email? Has all extraneous information been removed from the content of the message? Has the PHS disclaimer been linked to your outgoing messages? Have you password protected your files? For more information, refer to Clinical Email Guidelines in the BWH Administrative Policy Manual.
Physical Safeguards BWH Security staff regularly monitors those entering the building. Staff and employees must wear ID badges at all times. Report suspicious behavior. Restricted areas must remain restricted. Read and understand the BWH Privacy and Security policies, your departmental policies, and regulations regarding visitors.
Contingency Planning – BWH IS Contingency planning is important for maintaining the integrity of PHI. Partners Information Systems has policies and procedures in place in the event of a network or system failure. These procedures include: Methods to back up data in case of a system failure. Plans to protect data in case of an emergency or disaster. Methods to access data if due to an emergency, you cannot access it in the usual way.
Contingency Planning - BWH To learn more about contingency planning, refer to the online BWH Crisis Resource Manual (CRM). To access the BWH CRM, go to: Start Menu> Partners Applications > Clinical References > BWH Crisis Resource Manual (CRM). - OR - BWH Pike Notes > Hospital-wide Policies And Manuals > Emergency Management Manual > BWH Crisis Resource Manual (CRM).
Administrative Safeguards As part of HIPAA security, BWH has implemented a broad program that includes policies, procedures, standards and guidelines to guide, protect and support you. BWH strongly encourages you to report any issues or concerns you have about HIPAA security. If you observe any inappropriate activity, it is your responsibility to report it. Speak with your manager or supervisor. Email the BWH HIPAA Security Office mailbox. Call the BWH Compliance Hotline (617) 732-8907 to make an anonymous report.
You have completed the BWH HIPAA Security Training Course Congratulations You have completed the BWH HIPAA Security Training Course