Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

Published byDulce Lush Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy."— Presentation transcript:

1 HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy

2 Overview HIPAA-Health Insurance Portability and Accountability Act of 1996 HIPAA-Health Insurance Portability and Accountability Act of 1996 Why Security? Why Security? Focus on Security rule vs. Privacy rule Focus on Security rule vs. Privacy rule Security rule applies only to EPHI, while the Privacy rule applies to PHI which may be in electronic, oral, and paper form. Security rule applies only to EPHI, while the Privacy rule applies to PHI which may be in electronic, oral, and paper form. Privacy is the “ Who, What, and When” and Security is the “How” Privacy is the “ Who, What, and When” and Security is the “How”

3 Who Oversees HIPAA? Who Oversees HIPAA? The U.S. Department of Health & Human Service The Centers for Medicare and Medicaid Services Oversees: Transactions and Code Sets Transactions and Code Sets Standard Unique Identifiers Standard Unique Identifiers Security Security Contact info: http://www.cms.hhs.gov/hipaa/ http://www.cms.hhs.gov/hipaa/hipaa2/ AskHIPAA@cms.hhs.gov AskHIPAA@cms.hhs.gov 1-866-282-0659 1-866-282-0659 The Office for Civil Rights Oversees: Privacy Contact info: http://www.hhs.gov/ocr/hipaa/ OCRPrivacy@hhs.gov 1-866-627-7748

4 Goals Of Security Rule Confidentiality Confidentiality EPHI is accessible only by authorized people and processes EPHI is accessible only by authorized people and processes Integrity Integrity EPHI is not altered or destroyed in an unauthorized manner EPHI is not altered or destroyed in an unauthorized manner Availability Availability EPHI can be accessed as needed by an authorized person EPHI can be accessed as needed by an authorized person

5 Parts of the Security Rule Administrative Safeguards Administrative Safeguards Physical Safeguards Physical Safeguards Technical Safeguards Technical Safeguards Organizational Requirements Organizational Requirements Policies & Procedures & Documentation Requirements Policies & Procedures & Documentation Requirements

6 Security Rule The rule is technology neutral The rule is technology neutral The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete The security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality. The security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.

7 Security Standards Administrative Safeguards: Administrative Safeguards: Administrative functions that should be implemented to meet the security standards Administrative functions that should be implemented to meet the security standards Physical Safeguards: Physical Safeguards: Mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. Mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. Technical Safeguards: Technical Safeguards: The automated processes used to protect data and control access to data The automated processes used to protect data and control access to data

8 Technical Safeguards Main parts: Main parts: Access Control Access Control Audit Control Audit Control Integrity Integrity Person or Entity Authentication Person or Entity Authentication Transmission Security Transmission Security

9 Access Control “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource” “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource” Access controls should enable authorized users to access minimum necessary information needed to perform job functions. Access controls should enable authorized users to access minimum necessary information needed to perform job functions.

10 4 implementation specifications associated with Access Controls: Unique user identification (required) Unique user identification (required) Emergency access procedure (required) Emergency access procedure (required) Automatic logoff (addressable) Automatic logoff (addressable) Encryption and decryption (addressable) Encryption and decryption (addressable)

11 Audit Controls: “ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” “ Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” Useful to determine if a security violation occurred Useful to determine if a security violation occurred The security rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications) The security rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)

12 Integrity “The property that data or information have not been altered or destroyed in an unauthorized manner” “The property that data or information have not been altered or destroyed in an unauthorized manner” The integrity of data can be compromised by both technical and non-technical sources The integrity of data can be compromised by both technical and non-technical sources Implementation specification: Implementation specification: Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. (addressable) Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. (addressable)

13 Person or Entity Authentication “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed” “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed” Ways to provide proof of identity: Ways to provide proof of identity: Require something known only to that individual (password or PIN) Require something known only to that individual (password or PIN) Require smart card, token, or a key Require smart card, token, or a key Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern) Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)

14 Transmission Security “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network” “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network” This standard has 2 implementation specifications: This standard has 2 implementation specifications: Integrity Controls (addressable) Integrity Controls (addressable) Encryption (addressable) Encryption (addressable)

15 Implementation Specifications Integrity Controls: Integrity Controls: Integrity in this context is focused on making sure that EPHI is not improperly modified during transmission Integrity in this context is focused on making sure that EPHI is not improperly modified during transmission 1° through the use of network communications protocols 1° through the use of network communications protocols Data message authentication codes Data message authentication codes Encryption Encryption “Implement a mechanism to encrypt EPHI whenever deemed appropriate” “Implement a mechanism to encrypt EPHI whenever deemed appropriate”

16 Pro Pharma Implementation All hard drives can only be accessed by individuals with proper clearance by Pro Pharma All hard drives can only be accessed by individuals with proper clearance by Pro Pharma All employees have a unique user name and password All employees have a unique user name and password All employees are required to lock their station whenever they get up All employees are required to lock their station whenever they get up Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats Full virus protection is installed on every workstation Full virus protection is installed on every workstation Network browsing is routed to a system that checks for threats Network browsing is routed to a system that checks for threats No employee has administrative rights to their local machine No employee has administrative rights to their local machine No employees have domain administrative rights on the Pro Pharma domain No employees have domain administrative rights on the Pro Pharma domain Every workstation is attached to a UPS power supply to protect from power failure or power surge Every workstation is attached to a UPS power supply to protect from power failure or power surge

17 In Summary Security rules are in place to enhance health information sharing and to protect patients Security rules are in place to enhance health information sharing and to protect patients The Security rule technical safeguards are the technology related policies and procedures that protect EPHI and control access to it The Security rule technical safeguards are the technology related policies and procedures that protect EPHI and control access to it Be cognizant of PHI, and follow Pro Pharma protocols Be cognizant of PHI, and follow Pro Pharma protocols

18 The Bright Side Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information. Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.

19 In Case You Needed More

20 Last One I Promise!

Download ppt "HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
ISecurity Compliance with HIPAA. Part 1 About HIPAA.

ISecurity Compliance with HIPAA. Part 1 About HIPAA.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Hipaa privacy and Security

Hipaa privacy and Security
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA, Computer Security, and Domino/Notes Chuck Connell, www.chc-3.comwww.chc-3.com.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
 The Health Insurance Portability and Accountability Act of 1996.  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.

 The Health Insurance Portability and Accountability Act of  Federal Law designed to protect sensitive information.  HIPAA violations are enforced.
© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.

© 2011 The McGraw-Hill Companies, Inc. All rights reserved. 2.5 HIPAA Legislation and its Impact on Physician Practices 2-15 The Health Insurance Portability.
Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.

Health Insurance Portability & Accountability Act “HIPAA” To every patient, every time, we will provide the care that we would want for our own loved ones.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
Electronic Health Records Danielle P. Berthelot, RHIA Director, Health Information Management and Cancer Registry Privacy Officer Woman’s Hospital.

Electronic Health Records Danielle P. Berthelot, RHIA Director, Health Information Management and Cancer Registry Privacy Officer Woman’s Hospital.
Information Security Policies and Standards

Information Security Policies and Standards

Similar presentations

Ads by Google