
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

Presentation transcript:

Slide 1: HIPAA Security Standards
Emmanuelle Mirsakov, USC School of Pharmacy

Slide 2: Overview
- HIPAA: Health Insurance Portability and Accountability Act of 1996
- Why security?
- Focus on the Security Rule vs. the Privacy Rule
- The Security Rule applies only to EPHI, while the Privacy Rule applies to PHI, which may be in electronic, oral, or paper form.
- Privacy is the "who, what, and when"; security is the "how".

Slide 3: Who Oversees HIPAA?
The U.S. Department of Health & Human Services
- The Centers for Medicare and Medicaid Services oversees:
  - Transactions and Code Sets
  - Standard Unique Identifiers
  - Security
  Contact info: http://www.cms.hhs.gov/hipaa/ and http://www.cms.hhs.gov/hipaa/hipaa2/ ; AskHIPAA@cms.hhs.gov ; 1-866-282-0659
- The Office for Civil Rights oversees:
  - Privacy
  Contact info: http://www.hhs.gov/ocr/hipaa/ ; OCRPrivacy@hhs.gov ; 1-866-627-7748

Slide 4: Goals of the Security Rule
- Confidentiality: EPHI is accessible only by authorized people and processes
- Integrity: EPHI is not altered or destroyed in an unauthorized manner
- Availability: EPHI can be accessed as needed by an authorized person

Slide 5: Parts of the Security Rule
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies, Procedures, and Documentation Requirements

Slide 6: Security Rule
- The rule is technology neutral.
- The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete.
- The Security Rule is based on the fundamental concepts of flexibility, scalability, and technology neutrality.

Slide 7: Security Standards
- Administrative Safeguards: administrative functions that should be implemented to meet the security standards
- Physical Safeguards: mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion
- Technical Safeguards: the automated processes used to protect data and control access to data

Slide 8: Technical Safeguards
Main parts:
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security

Slide 9: Access Control
- "The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource"
- Access controls should enable authorized users to access the minimum necessary information needed to perform their job functions.

Slide 10: Four implementation specifications associated with Access Control
- Unique user identification (required)
- Emergency access procedure (required)
- Automatic logoff (addressable)
- Encryption and decryption (addressable)

Slide 11: Audit Controls
- "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information."
- Useful to determine whether a security violation occurred
- The Security Rule does not identify the data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications).

Slide 12: Integrity
- "The property that data or information have not been altered or destroyed in an unauthorized manner"
- The integrity of data can be compromised by both technical and non-technical sources.
- Implementation specification: implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner (addressable).

Slide 13: Person or Entity Authentication
- "Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed"
- Ways to provide proof of identity:
  - Require something known only to that individual (password or PIN)
  - Require a smart card, token, or key
  - Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)

Slide 14: Transmission Security
- "Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network"
- This standard has two implementation specifications:
  - Integrity Controls (addressable)
  - Encryption (addressable)

Slide 15: Implementation Specifications
- Integrity Controls: integrity in this context is focused on making sure that EPHI is not improperly modified during transmission, primarily through the use of:
  - Network communications protocols
  - Data message authentication codes
- Encryption: "Implement a mechanism to encrypt EPHI whenever deemed appropriate"
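As an added illustration of the "data message authentication codes" integrity control named above (example code, not part of the original presentation): the sender attaches an HMAC-SHA256 tag to a record, and the receiver recomputes the tag and rejects any record whose tag does not verify. The key and the EPHI record are constructed demo values.

```python
import hashlib
import hmac
import json

# Shared secret between sender and receiver. Constructed demo value only;
# a real deployment provisions keys through a key-management process.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample EPHI record (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "medication": "lisinopril 10 mg",
    "dispensed": "2009-03-02",
}


def canonical_bytes(record):
    """Serialise the record deterministically so sender and receiver MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key, record):
    """Compute an HMAC-SHA256 tag (hex) over the canonical form of the record."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def prepare_for_transmission(key, record):
    """Sender side: bundle the record with its integrity tag."""
    return {"record": record, "mac": tag_record(key, record)}


def verify_received(key, envelope):
    """Receiver side: return the record only if its tag verifies; None signals alteration.

    compare_digest runs in constant time, so the comparison itself does not
    reveal how many characters of the tag matched.
    """
    expected = tag_record(key, envelope["record"])
    if hmac.compare_digest(expected, envelope["mac"]):
        return envelope["record"]
    return None


if __name__ == "__main__":
    envelope = prepare_for_transmission(DEMO_KEY, SAMPLE_RECORD)
    print("intact record verifies:", verify_received(DEMO_KEY, envelope) is not None)
    altered = {"record": dict(envelope["record"], medication="lisinopril 40 mg"),
               "mac": envelope["mac"]}
    print("altered record verifies:", verify_received(DEMO_KEY, altered) is not None)
```

The tag detects modification in transit but does nothing to hide the record's contents, which is what the separate Encryption specification addresses.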

Slide 16: Pro Pharma Implementation
- All hard drives can only be accessed by individuals with proper clearance from Pro Pharma.
- All employees have a unique user name and password.
- All employees are required to lock their station whenever they get up.
- Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats.
- Full virus protection is installed on every workstation.
- Network browsing is routed through a system that checks for threats.
- No employee has administrative rights to their local machine.
- No employee has domain administrative rights on the Pro Pharma domain.
- Every workstation is attached to a UPS power supply to protect against power failure or power surge.

Slide 17: In Summary
- Security rules are in place to enhance health information sharing and to protect patients.
- The Security Rule technical safeguards are the technology-related policies and procedures that protect EPHI and control access to it.
- Be cognizant of PHI, and follow Pro Pharma protocols.

Slide 18: The Bright Side
Knock, knock. Who's there? HIPAA. HIPAA who? Sorry, I'm not allowed to disclose that information.

Slide 19: In Case You Needed More

Slide 20: Last One I Promise!

