HIPAA Security Standards - PowerPoint PPT Presentation

Presentation Transcript
HIPAA Security Standards

Emmanuelle Mirsakov

USC School of Pharmacy


  • HIPAA-Health Insurance Portability and Accountability Act of 1996

  • Why Security?

  • Focus on Security rule vs. Privacy rule

    • Security rule applies only to EPHI, while the Privacy rule applies to PHI which may be in electronic, oral, and paper form.

    • Privacy is the “Who, What, and When” and Security is the “How”

Who Oversees HIPAA? The U.S. Department of Health & Human Services

  • The Centers for Medicare and Medicaid Services oversee:

    • Transactions and Code Sets

    • Standard Unique Identifiers

    • Security

  • Contact info:

    • http://www.cms.hhs.gov/hipaa/

    • [email protected]

    • 1-866-282-0659

  • The Office for Civil Rights oversees:

    • Privacy

  • Contact info:

    • http://www.hhs.gov/ocr/hipaa/

    • [email protected]

    • 1-866-627-7748

Goals Of Security Rule

  • Confidentiality

    • EPHI is accessible only by authorized people and processes

  • Integrity

    • EPHI is not altered or destroyed in an unauthorized manner

  • Availability

    • EPHI can be accessed as needed by an authorized person

Parts of the Security Rule

  • Administrative Safeguards

  • Physical Safeguards

  • Technical Safeguards

  • Organizational Requirements

  • Policies & Procedures & Documentation Requirements

Security Rule

  • The rule is technology neutral

    • The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete

    • The security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.

Security Standards

  • Administrative Safeguards:

    • Administrative functions that should be implemented to meet the security standards

  • Physical Safeguards:

    • Mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion.

  • Technical Safeguards:

    • The automated processes used to protect data and control access to data

Technical Safeguards

  • Main parts:

    • Access Control

    • Audit Control

    • Integrity

    • Person or Entity Authentication

    • Transmission Security

Access Control

  • “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”

  • Access controls should enable authorized users to access minimum necessary information needed to perform job functions.

4 implementation specifications associated with Access Controls:

  • Unique user identification (required)

  • Emergency access procedure (required)

  • Automatic logoff (addressable)

  • Encryption and decryption (addressable)

Audit Controls

  • “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”

  • Useful to determine if a security violation occurred

  • The security rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)

Integrity Controls:

  • “The property that data or information have not been altered or destroyed in an unauthorized manner”

  • The integrity of data can be compromised by both technical and non-technical sources

  • Implementation specification:

    • Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. (addressable)

Person or Entity Authentication

  • “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed”

  • Ways to provide proof of identity:

    • Require something known only to that individual (password or PIN)

    • Require smart card, token, or a key

    • Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)

Transmission Security

  • “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network”

  • This standard has 2 implementation specifications:

    • Integrity Controls (addressable)

    • Encryption (addressable)

Implementation Specifications

  • Integrity Controls:

    • Integrity in this context is focused on making sure that EPHI is not improperly modified during transmission

      • Primarily through the use of network communications protocols

      • Data message authentication codes

  • Encryption

    • “Implement a mechanism to encrypt EPHI whenever deemed appropriate”
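An added example (not from the presentation) of the message authentication code approach listed above: the sender attaches an HMAC-SHA256 tag to an EPHI record, and the receiver recomputes the tag before accepting the record, so any alteration in transit is detected and the record is rejected. The shared key and the prescription record are constructed for this example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example; real deployments provision keys out of band.
SHARED_KEY = b"example-only-shared-key"

# Constructed sample EPHI record (a prescription fill) sent between two systems.
SAMPLE_RECORD = {"patient_id": "P-0001", "drug": "amoxicillin 500 mg", "qty": 30}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so sender and receiver compute the MAC over identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, record: dict) -> dict:
    """Sender side: attach an HMAC-SHA256 tag computed over the canonical payload."""
    payload = canonical(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode("utf-8"), "tag": tag}


def verify(key: bytes, envelope: dict) -> Optional[dict]:
    """Receiver side: recompute the tag and reject the record unless it matches exactly."""
    payload = envelope["payload"].encode("utf-8")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # compare_digest runs in constant time so the comparison does not leak tag bytes.
    if not hmac.compare_digest(expected, envelope["tag"]):
        return None
    return json.loads(payload)


def demo() -> dict:
    """Show an intact delivery, an in-transit modification, and a key mismatch."""
    envelope = seal(SHARED_KEY, SAMPLE_RECORD)
    intact = verify(SHARED_KEY, envelope)

    # Simulate alteration in transit: quantity changed from 30 to 300, tag left untouched.
    altered = dict(envelope)
    altered["payload"] = envelope["payload"].replace('"qty":30', '"qty":300')
    tampered = verify(SHARED_KEY, altered)

    # A receiver holding a different key must also reject the record.
    wrong_key = verify(b"some-other-key", envelope)

    return {"intact": intact, "tampered": tampered, "wrong_key": wrong_key}
```

Calling `demo()` returns the intact record under `"intact"` and `None` for both the altered payload and the mismatched key, which is the receiver's signal to discard the transmission.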

Pro Pharma Implementation

  • All hard drives can only be accessed by individuals with proper clearance by Pro Pharma

  • All employees have a unique user name and password

  • All employees are required to lock their station whenever they get up

  • Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats

  • Full virus protection is installed on every workstation

  • Network browsing is routed to a system that checks for threats

  • No employee has administrative rights to their local machine

  • No employees have domain administrative rights on the Pro Pharma domain

  • Every workstation is attached to a UPS power supply to protect from power failure or power surge

In Summary

  • Security rules are in place to enhance health information sharing and to protect patients

  • The Security rule technical safeguards are the technology related policies and procedures that protect EPHI and control access to it

  • Be cognizant of PHI, and follow Pro Pharma protocols

The Bright Side

  • Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.