
1 Implementing a HIPAA Security Rule Training Program for System Administrators at East Carolina University
Copyright: Carol Davis, 2006. EDUCAUSE 2006 Security Professionals Conference

2 Copyright Statement
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

3 East Carolina University – Facts
- Located in Greenville, NC (1.5 hrs. from Raleigh).
- Founded in 1907 to alleviate the shortage of teachers in the eastern part of the state.
- East Carolina is a constituent institution of the University of North Carolina.
- 4,306 active employees and 23,000 students.
- Brody School of Medicine ranked fifth in the nation in rural medicine by U.S. News & World Report.
- The School of Nursing and School of Allied Health Sciences produce more new nurses and allied health professionals than any other school in North Carolina.
- East Carolina leads the UNC system in distance-learning enrollment (count not included above).
- Supported by Information Technology & Computing Services (ITCS).

4 Understanding the HIPAA Rule Sets
- Privacy Rule – Applies to covered entities (CEs) that create or receive health information. This rule covers the use and disclosure of health information about an individual in any format (compliance date: April 14, 2003).
- Transaction and Code Set Rule – Standardizes transactions and code sets for the electronic transfer of information (compliance date: October 16, 2003).
- Security Rule – Covers electronic protected health information (EPHI); states the requirements necessary to secure health care information in electronic format, on any media, for health plans, clearinghouses, or health care providers (compliance date: April 21, 2005).

5 What is the HIPAA Security Rule?
The rule applies to electronic protected health information (EPHI): individually identifiable health information in electronic form, meaning information about
1) an individual's past, present, or future physical or mental health condition,
2) the provision of health care to an individual, or
3) past, present, or future payment for the provision of health care.
The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

6 Covered Entities (CEs) Must Comply
CEs are health plans, clearinghouses, or healthcare providers who transmit any electronic protected health information (EPHI). CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.

7 Security Standards – Concepts
- Flexible, Scalable: permits standards to be interpreted and implemented appropriately, from the smallest provider to the largest plan.
- Comprehensive: covers all aspects of security, behavioral as well as technical.
- Technology Neutral: can utilize future technology advances in this fast-changing field.

8 Privacy and Security
- The Privacy and Security Rules are NOT mutually exclusive. There are overlaps and interdependencies between the two rules.
- Both require appropriate and reasonable safeguards.
- Understanding risk management, access controls, developed policies, and training and awareness is critical.

9 Violation Penalties
CEs that do not comply with the Security Rule requirements are subject to a number of penalties.
- Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated.
- Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Additional negatives:
- Negative publicity
- Loss of customers
- Loss of business partners
- Legal liability

10 HIPAA Training and Awareness
- Ongoing HIPAA Privacy and Security training is a requirement for a covered entity. As a CE, we must implement a security awareness and training program for all members of our workforce, including management.
- Our existing security awareness training was very basic and not compliance related.
- Policy information was not included in the training.
- Specific system administrator training was not available.

11 System Administrator Training
Under the HIPAA Security Rule, a covered entity or provider must implement a training program for system administrators who manage systems with electronic protected health information (EPHI) in order to meet federal compliance requirements.

12 HIPAA Initial Training
- We were already offering web-based HIPAA Privacy training using Authorware.
- Visitors and students completed an abbreviated version of the training.
- Completing a web-based quiz and giving a signed copy of the quiz to the supervisor met the annual requirement.

13 HIPAA Security Rule Training for Systems Administrator - Project -

14 New HIPAA Training Needs
- HIPAA Security Rule Training for Systems Administrators was needed.
- A general overview of the HIPAA Security Rule needed to be provided to workforce members in the clinical environments, including safeguard and policy specific information.
- Visitor and HIPAA student training needed to cover general security rule basics.

15 Project Challenges/Questions
- Who needs the training?
- How will you deliver the training?
- What are the cost factors?
- How will you ensure the training is completed?
- What measures can ensure the training is effective?
- Will the training be required annually?
- How will the information be communicated?
- Who will continue to update the training content as needed?
- What are the overall project alternatives?

16 HIPAA Security Rule Training Project Alternatives
Each of the selected alternatives was thoroughly reviewed.
Alternative One (Status Quo): implement no training program.
- Federal compliance regulations would not be met
- Potential increase in security incidents
- Cost of increased legal cases
- News reporting of cases
- Potential loss of patients
- Reputation damage to the school
- Loss of faculty, staff, and student confidence

17 Alternative Options Continued
Alternative Two: purchase general HIPAA Security Rule training from a vendor.
Alternative Three: develop a customized training program in Blackboard to better meet compliance requirements. (Check with the Blackboard Administrator on all initial project aspects.)

18 Alternative Selected – Three
- Blackboard course creation allowed the course to be tailored to our organization and to address specific needs.
- The course content could be changed as needed and additional content easily added.
- The majority of faculty, staff, and students were familiar with Blackboard.
- There were no additional costs.

19 HIPAA Security Rule Training
- HIPAA Security Rule content was included in the current HIPAA Privacy Training.
- The abbreviated version of the training for visitors and students was updated.
- Administrators were identified as those related to the clinical systems (System Administrators, Networking, Database, Workstation Support).
- Blackboard training content was developed and approved by the HIPAA Committee.

20 HIPAA Security Rule Training
- The Blackboard course was populated and communicated to those who needed it.
- Training guidelines were provided electronically.
- Course deadlines were included.
- New staff could register for the training through the OneStop Portal.
- Management participated in ensuring course completion.

21 HIPAA Security Rule Training for Systems Administrator - Course Objectives and Content -

22 Defined Course Objectives
- Brief Overview and Structure of HIPAA
- Understanding the HIPAA Rule Sets
- Why Privacy and Security?
- How does this apply to me?
- What are the Safeguards?
- Reviewing the Security Policies
- Technology Security Awareness
- Your Responsibility for Protecting Health Information

23 Course Structure
The Blackboard course includes five modules to break down the training:
- HIPAA OVERVIEW AND STRUCTURE
- HIPAA SECURITY RULE PRINCIPLES
- ITCS SAFEGUARDS
- SECURITY AWARENESS
- NOTIFICATION OF SECURITY INCIDENTS
A quiz is used to measure the results, and a survey measures the effectiveness of the training.

24 HIPAA Overview and Structure
- HIPAA Administrative Simplification
- Understanding the HIPAA Rule Sets
- HIPAA Privacy Rule Requirements
- Who are Workforce Members?
- Privacy Rule Policies
- Privacy Policies Website
- Overlaps of Privacy and Security Rules
- General Concepts of Security Standards
- Violation Penalties
- Does this apply to me?

25 HIPAA Security Rule Principles
- Security Rule Principles
- Guiding Principles for the Security Rule
- Security Safeguards Summary
- "Required" Versus "Addressable"
- Administrative Safeguards and Policies
- Physical Safeguards and Policies
- Technical Safeguards and Policies
- Healthcare Workforce Global Policies
- HIPAA Security Policies Website

26 ITCS Safeguards
- What are Information Technology Safeguards?
- ITCS Security Provided Safeguards
- ITCS Security Projects

27 Security Awareness
- Basic Security Awareness
- Client Security Awareness
- HIPAA E-mail Guidelines
- HIPAA Wireless Guidelines
- System Administrator Awareness
- Home Workstation Security Awareness
- Social Engineering Awareness

28 Notification of Security Incidents
- Your Role and Responsibility!
- Security Incidents Process
- Notification of Security Incidents
- Understanding the Privacy Officer and Security Officer Roles
- Who is the Privacy Officer and Security Officer?

29 HIPAA Security Rule Quiz
- There are ten questions on the quiz.
- The quiz includes basic questions on HIPAA Privacy and concentrates more on HIPAA Security specifics.
- It is used as a tool to verify that the training objectives have been achieved and that the training has been completed.
- Certificates are presented to those with scores of 80 or above.

30 HIPAA Security Training Survey
- Provides feedback regarding the training module
- Was the material presented clearly?
- Did the training apply to their position responsibilities?
- Helps determine if the course objectives were achieved
- Blank field for additional comments

31 HIPAA Systems Admin Training - Measuring Results -

32 Security Rule Training Results
- Measure current knowledge through sampling, by having administrators complete the quiz before the online training (e.g. scores between 67.0 and 72.0, a mean of 69.5).
- System administrators complete the Blackboard online training, and you measure the quiz scores again (e.g. scores between 81.0 and 88.0, a mean of 84.5).
- Compare the two sets of results to determine whether a knowledge increase was achieved!

33 HIPAA Privacy and Security Training - Latest Phase -

34 HIPAA Current Training Phase
- A HIPAA Privacy Training for Clinical Workforce Members course was developed in Blackboard.
- HIPAA Security Training was renamed System Admin training.
- Privacy and System Admin training now reside under one course, broken into two modules:
  - HIPAA Privacy (Clinical Workforce Members)
  - HIPAA System Admin (technical staff administering systems with electronic protected health information)

35 BLACKBOARD DEMO

36 Next Training Phase/Challenges
- Incorporate student training in Blackboard as a module.
- Review role-based training opportunities.
- HR identifies and flags positions that require compliance or other special training.
- Identify new departments throughout campus that require HIPAA training.
- Continuously update the training content.

37 Final Conclusions
East Carolina University implemented a very successful online Blackboard course for training its system administrators on the HIPAA Security Rule. The goals outlined in this project were achieved: system administrators' knowledge increased, the number of security incidents was reduced, and the federal compliance requirements were met.

38 Continued Challenges
- Monitor ongoing success and implement needed changes
- Identify additional departments that require the training
- Auto-populate course rosters
- Ensure that participants complete the coursework
- Identify additional federal regulations that need to be addressed

39 Questions?
Carol Davis
IT Security Planning and Disaster Recovery
East Carolina University
(252) 328-9000

