1 / 30

It’s About T he ePHI

It’s About T he ePHI. Keep it Safe and Secure. Objective. Review the security rule as it pertains to Physical Safeguards How to protect the ePHI in the work environment Implementation ideas for your office. The Security Rule. Reasonable and appropriate safeguards that cover

emmet
Download Presentation

It’s About T he ePHI

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. It’s About The ePHI Keep it Safe and Secure

  2. Objective • Review the security rule as it pertains to • Physical Safeguards • How to protect the ePHI in the work environment • Implementation ideas for your office

  3. The Security Rule • Reasonable and appropriate safeguards that cover • Information systems • Related equipment • Facilities

  4. What Are The Safeguards? • Physical measures • Locking the door • Requiring passwords • Policies and procedures • For everything from employee training to protecting the data

  5. Three Areas Of Focus • Facility Access Controls • Limiting physical access to ePHI • Workstation Use and Security • Defining business use of workstations • Controlling the environment • Device and Media Controls • For all equipment that contains ePHI

  6. Facility Access Controls • Contingency operations • Facility security plan • Access control and validation procedures • Maintenance records

  7. Contingency Operations • Disaster recovery or emergency operations • Maintains proper security while allowing for data recovery • Cover such events as: • Loss of power • Flood • Consider access, as well as recovery • Chemical spills • Propane leak

  8. Facility Security Plan • Policies and Procedures covering: • Physical access control • Tampering and theft prevention

  9. Access Control & Validation • Procedures • Access based on roles and/or functions • Visitor guidelines • Software access • Limit authority/responsibility • Track updates/modification

  10. Maintenance Records • Document • Repairs and modifications to the facility • Type of repair • Authorized by whom • Reason for repair • Changes to alarm codes

  11. Workstations • Defined as an electronic computing device such as: • Laptops • Desktops • Tablets • Capable of electronic media storage

  12. Workstation Use • Define business use of workstations • Policies and Procedures • Proper functions to be completed • Manner in which they are performed • Physical attributes of the surroundings for the workstations with access to ePHI • Visibility to others • Accessible to unauthorized persons

  13. Workstation Security • Restrict access to authorized users • Are workstations identified? • Viewed only by authorized individuals with unique user IDs and passwords? • Filters? • Screen savers? • Automatic log off?

  14. Device and Media Controls • Policies and procedures • That govern how ePHI is protected • During moves • On backup media • During upgrades

  15. Elements of Control • Disposal – of ePHI • How does this happen? • Media re-use • Is re-use allowed? • What steps are taken to eliminate ePHI • Accountability • Where is the ePHI? • Data Backup and Storage

  16. Disposal • Policies and procedures that address the final disposition of ePHI • Including the media that held it • Render it unusable • By erasing and overwriting or magnetically clearing or both • Or inaccessible • By physically damaging it

  17. Media Re-use • Remove ePHI • Document the removal • Have a policy and procedure that outlines the process

  18. Accountability • Involves record keeping • This is only addressable in the final security rule, however, it would be very difficult to justify not keeping track of equipment • Inventory of equipment that includes portable media • Take account of • Person responsible for each device • Serial numbers and/or labels for identification

  19. Data Backup And Storage • Address the backup of ePHI before the movement of any equipment • Best to have a copy, just in case something unexpected happens!

  20. Maintain Integrity Of The ePHI Have in place: • Policies and procedures that cover • Audits • To track changes to data • To review accesses • Inventory • To know where the ePHI is located

  21. Inventory Control Log • Device Name • Make/Model • Date Acquired • Serial Number • Location • User • Maintenance Performed • Description and Date • Date taken out of Service • ePHI destroyed (Y/N) • Method of destruction • Certificate of destruction • Person responsible for destruction of ePHI • Person who validated or verified destruction of ePHI • Should contain elements such as:

  22. The Process To Follow • Inventory • Walk through your office • Notice everything • Both in-service and out of service equipment • Record it all • Include portable and mobile devices • Check the ePHI on the inventory • Record everything

  23. Review Physical Elements • Offices / Exam Rooms • Doors and windows - lockable? • Restricted areas • Locked and log of access maintained? • Alarms • Who has access? Recent changes? • Wireless access points • Monitor the devices that access your network • Wiring • Are surge suppressors in use?

  24. Assess • With the eyes of an outsider is ePHI • Viewable? • Portable – on unattended laptops? • In use – where? On what? • Is there out-of-service equipment with ePHI? • Accessible via your network? • Monitor users on the network • Have in place termination procedures that include disabling network access

  25. Protect ePHI • Make changes • Move monitors • Turn desks • Lock up equipment • Secure work areas • Control access • Know who has had the opportunity to view or hack your ePHI • Telephone repairs • Electricians • Locksmiths

  26. It’s Not Just Computers • Printers • What’s being printed? • Who can retrieve the paper? • Where is it located? • Faxes and scanners • What is stored on the machine? • Where is it located? • Who can access the data?

  27. Include Also • Incidental equipment • Pagers • Dictaphone tapes • Answering machines • Point of care devices • External hard drives • Network wiring • Are access points open and available? • Location of the router • Is it secure?

  28. Protection Options • Protect all equipment from: • Outside access • Unauthorized use • Wandering off • For Electronics • Use surge protectors • Review fire extinguishers • Rated for electronics

  29. Remember • ePHI • Is vast • Requires special protections and safeguards • Is subject to HIPAA’s Security Rule • You have to know where the ePHI is located in order to protect it • Take every precaution possible to protect ePHI

  30. QUESTIONS?

More Related