

1 Installation and Maintenance of Health IT Systems: System Security Procedures and Standards, Lecture a
This material (Comp8_Unit6a) was developed by Duke University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology, under Award Number IU24OC000024.

2 System Security Procedures and Standards: Learning Objectives
1. Identify regulatory requirements for EHRs (lecture a)
2. Provide training for system users regarding the methods and importance of security compliance (lecture a)
3. Identify administrative, physical, and technical safeguards for system security and regulatory compliance (lectures a and b)
4. Identify best practices for system security (lecture b)
5. Identify best practices for risk / contingency management (lecture b)
Health IT Workforce Curriculum, Version 3.0/Spring 2012. Installation and Maintenance of Health IT Systems: System Security Procedures and Standards, Lecture a

3 Security and Privacy
Federal, state, and local laws govern access to and control of health record information, particularly:
– Who can have access
– What must be done to protect the data
– How long the records must be kept
– Whom to notify and what to do if a breach is discovered

4 Security and Privacy: HIPAA
HIPAA = Health Insurance Portability and Accountability Act of 1996.
– Protected Health Information (PHI) is individually identifiable health information: any health information that explicitly identifies an individual, or that could reasonably be expected to allow the individual to be identified.
– Education records covered by the Family Educational Rights and Privacy Act (FERPA) and employment records held by a covered entity in its role as employer are excluded from PHI.

5 Security and Privacy: HIPAA (cont'd)
18 identifiers are recognized as providing identifiable links to individuals, including:
– Name, address, ZIP code
– Dates (birth dates, discharge dates, etc.)
– Contact information, including email addresses and web URLs
– Social Security Number or medical record numbers
– Account numbers of any sort
– License numbers, license plates, ID numbers
– Device identifiers, IP addresses
– Full-face photos, fingerprints, and other biometric or recognizable markings
These are the identifiers that the Privacy Rule's "safe harbor" de-identification method (45 CFR 164.514(b)) requires to be removed before health data is treated as de-identified rather than PHI.
(Summary of the HIPAA Privacy Rule, n.d.)
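As an added example (not part of the lecture or of any HHS material), the following script shows how the identifier classes listed above that have a recognisable textual shape can be detected and redacted in free text, the way a de-identification pre-processor or a data-loss-prevention check would do it. The regular expressions, class names, and the sample clinical note are constructed for illustration; names, street addresses and photographs need NLP or image handling and are deliberately out of scope.

```python
"""Scan free text for the identifier classes on the slide and redact them.

Added example (not from the lecture or from HHS).  The regular expressions, the
class names, and the sample note are constructed for illustration; a real
de-identification pipeline also needs name/address recognition and a review of
"any other unique identifying number, characteristic, or code".
"""
import re
from typing import Callable, Dict, List, Tuple

# Identifier classes with a recognisable textual shape.  Order matters: a
# class listed earlier is redacted first, so e.g. an SSN is never later
# mis-read as a ZIP code.  Names, street addresses and photos are out of scope.
PATTERNS: Dict[str, re.Pattern] = {
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?<!\d)(?:\(\d{3}\)|\d{3})[-. ]\d{3}[-. ]\d{4}\b"),
    "date":  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d{6,}\b", re.IGNORECASE),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


def _date_repl(m: re.Match) -> str:
    # Safe Harbor (45 CFR 164.514(b)) removes all date elements except the
    # year, so the year is retained in the placeholder.
    s = m.group(0)
    year = s[-4:] if "/" in s else s[:4]
    return f"[DATE year={year}]"


REPLACERS: Dict[str, Callable[[re.Match], str]] = {"date": _date_repl}


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (identifier_class, matched_text) pairs found in `text`."""
    findings: List[Tuple[str, str]] = []
    for cls, pattern in PATTERNS.items():
        findings.extend((cls, m.group(0)) for m in pattern.finditer(text))
    return findings


def redact(text: str) -> str:
    """Replace every identifier with a placeholder naming its class."""
    for cls, pattern in PATTERNS.items():
        repl = REPLACERS.get(cls, lambda m, c=cls: f"[{c.upper()}]")
        text = pattern.sub(repl, text)
    return text


def is_clean(text: str) -> bool:
    """True when none of the pattern-detectable identifier classes remain."""
    return not scan(text)


# Constructed sample note; every value is fictitious.
SAMPLE_NOTE = (
    "Pt MRN 00123456, DOB 04/02/1961, SSN 123-45-6789, lives at ZIP 27710. "
    "Discharged 2012-03-14. Contact jane.doe@example.com or 919-555-0100. "
    "Portal https://portal.example.org/pt/42 accessed from 10.20.30.40."
)

if __name__ == "__main__":
    for cls, hit in scan(SAMPLE_NOTE):
        print(f"{cls:6s} {hit}")
    print(redact(SAMPLE_NOTE))
```

Running the script lists nine findings in the sample note and prints the redacted text with only the years of the two dates retained. A pattern scanner like this is a floor, not a proof of de-identification: Safe Harbor also covers free-text names and addresses, and the rule's own "actual knowledge" clause means a record can remain identifiable even when every pattern above is gone.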

6 Security and Privacy (cont'd)
State and local laws vary. HIPAA generally preempts contrary state law, but a state law that is more stringent (more protective of the individual) is not preempted. Where requirements overlap, always apply the most protective one.
Information is available from the state or local health department (see the Minnesota example).
Requirements apply regardless of how hard the information is to find: ignorance is no excuse!
This lecture focuses on federal regulatory obligations.
(Minnesota Health Information Clearinghouse, n.d.)

7 What is HIPAA Privacy?
Federal rule governing the privacy of patients' medical records and other health information maintained by covered entities, including:
– Health plans, including the Veterans Health Administration, Medicare, and Medicaid
– Most doctors and hospitals (health care providers that transmit health information electronically in standard transactions)
– Health care clearinghouses
Gives patients access to their records and significant control over use and disclosure.
Compliance has been required since April 2003.
(Summary of the HIPAA Privacy Rule, n.d.)

8 HIPAA Privacy Rule
Privacy and security complaints:
– Since 2009, all are investigated by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).
– 66,736 complaints received (as of December 2011), of which 15,176 required corrective action.
– Substantial civil money penalties for validated complaints.
– Entity types needing the most corrective action: private health care practices, general hospitals, pharmacies, outpatient facilities, group health plans.
(HIPAA Enforcement Highlights, 2012; Numbers at a Glance, n.d.; Poremba, 2008; Hamilton, 2009)

9 HIPAA Privacy Rule (cont'd)
Violations investigated most often:
1. Impermissible uses and disclosures of protected health information (PHI)
2. Lack of safeguards for PHI
3. Lack of patient access to their own PHI
4. Uses or disclosures of more than the minimum necessary PHI
5. Complaints to the covered entity
(HIPAA Enforcement Highlights, 2012; Numbers at a Glance, n.d.; Poremba, 2008; Hamilton, 2009)

10 HIPAA Security Rule
Establishes standards for securing electronic protected health information (ePHI) that a covered entity creates, receives, maintains, or transmits.
– Implementation specifications are delineated as "required" or "addressable". An addressable specification is not optional: the entity must implement it if reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.
– Designed to be flexible and scalable.
Entities are required to:
– Ensure the confidentiality, integrity, and availability of all ePHI
– Identify and protect against reasonably anticipated threats to the security or integrity of the information
– Protect against reasonably anticipated, impermissible uses or disclosures
– Ensure compliance by the workforce
Works in tandem with the Privacy Rule.
(Summary of the HIPAA Security Rule, n.d.)

11 What is Required by the HIPAA Security Rule?
Categories:
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
(Summary of the HIPAA Security Rule, n.d.)

12 Administrative Safeguards
Address the process of security management in your organization.
Risk analysis:
– Evaluating the likelihood and impact of potential risks to ePHI
– Implementing appropriate security measures to address identified risks
– Documenting the security measures chosen, with the rationale
– Maintaining continuous, reasonable, and appropriate protections
An ongoing process, with regular reviews.
(Summary of the HIPAA Security Rule, n.d.)

13 Administrative Safeguards (cont'd): Security Personnel
Designated security official:
– Responsible for developing and implementing security policies and procedures
– Knowledge of good HIPAA practices
– Familiarity with established IT security standards
– Ability to interface well with all levels of management and staff
(Summary of the HIPAA Security Rule, n.d.)

14 Administrative Safeguards (cont'd): Access Policy
Policies and procedures for authorizing access to ePHI only when appropriate for one's role (role-based access):
– Who gets access to ePHI data?
– What level of access is needed?
– Who is the agent authorizing the access?
– Is this authorization adequately documented?
– Is the access periodically reviewed?
– Is there a process for rescinding access when it is no longer needed?
(Summary of the HIPAA Security Rule, n.d.)
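The questions on this slide translate directly into checks that an access-management system can run. The following is an added example (not from the lecture): a request-time authorization check plus a periodic grant review that flags access to rescind or re-authorize. The role table, the staff roster, the grants and the 90-day review interval are constructed assumptions for illustration.

```python
"""Access-policy checks for ePHI grants: authorization at request time and a
periodic review that flags grants to rescind.

Added example (not from the lecture).  The role table, the roster, the grants
and the 90-day review interval are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Constructed role-based access model: the ePHI access levels each role
# justifies under the minimum-necessary principle.  An IT administrator
# maintains the system but has no clinical need to read record content.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "physician": {"read", "write"},
    "nurse":     {"read", "write"},
    "billing":   {"read"},
    "it_admin":  set(),
}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str          # role recorded when access was granted
    level: str         # "read" or "write"
    approved_by: str   # authorizing agent; empty string = undocumented
    last_reviewed: date


def is_authorized(user: str, action: str, roster: Dict[str, str], grants: List[Grant]) -> bool:
    """Request-time check: user must be on the active roster, hold a grant for the
    requested level, and the grant must be justified by the user's current role."""
    role = roster.get(user)
    if role is None:
        return False  # separated staff keep no access, whatever the grant table says
    return any(
        g.user == user and g.level == action and action in ROLE_ENTITLEMENTS.get(role, set())
        for g in grants
    )


def review_grants(grants: List[Grant], roster: Dict[str, str], today: date,
                  max_review_age_days: int = 90) -> List[Tuple[str, str]]:
    """Periodic review: return (user, issue) pairs that need action."""
    findings: List[Tuple[str, str]] = []
    for g in grants:
        current_role = roster.get(g.user)
        if current_role is None:
            findings.append((g.user, "separated: rescind access"))
            continue
        if current_role != g.role:
            findings.append((g.user, f"role changed {g.role} -> {current_role}: re-authorize"))
        if g.level not in ROLE_ENTITLEMENTS.get(current_role, set()):
            findings.append((g.user, f"{g.level} access exceeds what role {current_role} needs"))
        if not g.approved_by:
            findings.append((g.user, "authorization not documented"))
        if (today - g.last_reviewed).days > max_review_age_days:
            findings.append((g.user, "review overdue"))
    return findings


# Constructed sample data (HR roster and the ePHI grant table).
ROSTER = {"gwashington": "physician", "jadams": "billing",
          "tjefferson": "nurse", "jmadison": "it_admin"}
GRANTS = [
    Grant("gwashington", "physician", "write", "cmo", date(2012, 1, 15)),
    Grant("jadams", "billing", "write", "finance", date(2012, 2, 1)),
    Grant("tjefferson", "nurse", "read", "", date(2011, 6, 1)),
    Grant("jmadison", "it_admin", "read", "cio", date(2012, 2, 20)),
    Grant("jmonroe", "physician", "read", "cmo", date(2012, 2, 1)),  # no longer on roster
]
REVIEW_DATE = date(2012, 3, 1)

if __name__ == "__main__":
    for user, issue in review_grants(GRANTS, ROSTER, REVIEW_DATE):
        print(f"{user:12s} {issue}")
```

Run against the sample data, the review reports five findings: a billing user with write access, an undocumented and overdue nurse grant, an administrator holding clinical read access, and a grant that survived a departure. The design point is that the roster, not the grant table, is the source of truth for who exists; tying the request-time check to it means a missed de-provisioning step fails closed rather than open.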

15 Administrative Safeguards (cont'd): Training and Evaluation
Processes for appropriate authorization and supervision of workforce members who work with ePHI.
Well-documented training of all workforce members in security policies and procedures:
– Appropriate sanctions against violators
Periodic assessment of procedures and policies:
– Are they still appropriate?
– Are they being followed?
(Summary of the HIPAA Security Rule, n.d.)

16 Physical Safeguards: Access
Limit physical access to facilities while ensuring that authorized access is allowed:
– Server rooms where ePHI is stored
– Work areas where ePHI is accessed
– Storage for backup media potentially containing ePHI
Inventory hardware and software:
– Know where the inventory is kept
– Know the value of hardware, software, and equipment
(Summary of the HIPAA Security Rule, n.d.)

17 Physical Safeguards (cont'd): Device Security
Policies and procedures for proper use of and access to workstations and electronic media, including transfer, removal, disposal, and re-use:
– Lock down publicly accessible systems that may contain ePHI
– Strong passwords
– Strong encryption, especially for wireless links, backups, and offsite data. The Security Rule itself prescribes no algorithm or key length (encryption is an addressable specification); HHS breach-notification guidance treats ePHI as "secured" only when it is encrypted by a process consistent with NIST guidance, so the slide's "at least 256-bit" figure is a conservative choice, not a regulatory minimum. Encrypted data is only as protected as its keys: keep keys off the media they protect.
– Media thoroughly wiped (e.g. following NIST SP 800-88 media sanitization guidance) and rendered inaccessible before disposal or re-use
(Summary of the HIPAA Security Rule, n.d.)

18 System Security Procedures and Standards: Summary – Lecture a
Electronic protected health information (ePHI):
– Strictly regulated by HIPAA and other government requirements prohibiting unwanted, unauthorized access
– Should be protected using a layered approach, including numerous administrative, physical, and technical safeguards
User training:
– Ensure awareness
– Document and review effectiveness

19 System Security Procedures and Standards: References – Lecture a
Summary of the HIPAA Privacy Rule. (n.d.). Retrieved from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
Summary of the HIPAA Security Rule. (n.d.). Retrieved from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
Enforcement Highlights. (2012, January 12). Retrieved from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html
Numbers at a Glance. (n.d.). Retrieved January 12, 2012, from U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/indexnumbers.html
Poremba, S. M. (2008, May 23). Retrieved from SC Magazine website: http://www.scmagazine.com/proliferating-hipaa-complaints-and-medical-record-breaches/article/110555/
Hamilton, K. (2009, January 15). EHR security and privacy. Retrieved from SC Magazine website: http://www.scmagazine.com/ehr-security-and-privacy/article/125983/
Minnesota Health Information Clearinghouse, Medical Records Information. (n.d.). Retrieved January 12, 2012, from Minnesota Department of Health: http://www.health.state.mn.us/clearinghouse/medrecords.html
Department of Health and Human Services (HHS), Office for Civil Rights (OCR), HIPAA Privacy Rule. 45 CFR Subtitle A (10-1-11 Edition), Part 164.514. Retrieved January 20, 2012, from GPO: http://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-514.pdf

