
HIPAA: Federal regulations regarding patient Security

HIPAA: Federal regulations regarding patient security. Underlying principles for security: ensure the confidentiality, integrity and availability of electronic Protected Health Information (ePHI), and use safeguards to protect ePHI. Core requirements of HIPAA security.



Presentation Transcript


  1. HIPAA: Federal regulations regarding patient Security

  2. Underlying principles for security • Ensure the confidentiality, integrity & availability of electronic Protected Health Information (ePHI) • Use safeguards to protect ePHI

  3. Core requirements of HIPAA security • Designate a security official • Ensure the confidentiality, integrity & availability of all ePHI that a covered entity creates, receives, maintains or transmits • Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI • Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule • Ensure compliance by the workforce

  4. Security standards • Compliance date April 20, 2005 for most covered entities (small health plans had until April 20, 2006) • Contains 18 standards under three safeguard categories • 14 required implementation specifications (must be implemented as written) • 22 addressable implementation specifications (implement, implement an equivalent alternative, or document why neither is reasonable and appropriate)

  5. Security Standards • HITECH - The Health Information Technology for Economic and Clinical Health Act • Enacted February 17, 2009 as part of the American Recovery and Reinvestment Act • To promote the adoption and meaningful use of health information technology • You can be held criminally liable for knowingly obtaining or disclosing PHI in violation of HIPAA; HITECH made clear this applies to individual workforce members, not only covered entities • Fines up to $250,000 and up to 10 years in prison at the highest tier (offenses committed with intent to sell PHI or for commercial advantage, personal gain or malicious harm; lower tiers carry smaller maximums) • HIPAA itself gives patients no private right of action, but a patient can sue under state privacy or negligence law, and HITECH lets state attorneys general bring civil actions on behalf of residents

  6. Three protection categories • Confidentiality • Data is not made available or disclosed to unauthorized persons or processes; it is used or disclosed only by authorized persons for authorized purposes • Integrity • Data has not been altered or destroyed in an unauthorized manner • Availability • Data is accessible & usable upon demand by authorized persons

  7. Three safeguard categories • Administrative • Physical • Technical

  8. Administrative safeguards • Maintain security through risk analysis & management • Conduct regular system activity reviews • Audit logs, access reports, incident tracking • Enforce workforce security through clearance procedures, authorization & access controls • Train all workforce members on computer security • Track, report & respond to suspected or known security incidents • Establish a contingency plan to ensure availability of ePHI during emergencies or natural disasters

  9. Physical safeguards • Limit physical access to electronic information systems to appropriate persons to prevent tampering or theft • Allow facility access to support disaster recovery efforts & emergency operations • Document repairs to the physical components of the security system & facilities • Restrict workstation access & activity to authorized users & authorized functions • Manage receipt, removal & disposal of hardware & electronic media

  10. Technical safeguards • Use technical measures to control access to systems that maintain ePHI • Provide for unique user identification • Ensure necessary access to ePHI during emergencies • Implement audit controls that record & examine system activity • Protect ePHI from improper alteration or destruction • Ensure transmission security
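The administrative safeguard "regular system activity reviews" (slide 8) and the technical safeguards on slide 10 (unique user identification, emergency access, audit controls, integrity protection) are usually implemented as one mechanism: an access log that records who did what to which record, is protected against later alteration, and is reviewed for policy violations. The following is an added example written for this page, not code from KUMC or from the HIPAA rule. Everything in it is constructed: the role table, the list of shared account names, the five log events and the review key.

```python
"""Audit-control review over constructed ePHI access events (added example).

Demonstrates: unique user IDs (shared accounts are flagged), a logged
emergency-access path (break-glass use is flagged for follow-up), and an
HMAC-chained audit trail so that tampering with earlier records is detected
during the periodic system activity review.
"""
import hashlib
import hmac
import json

# Constructed role -> permitted actions table; real systems derive this from
# the access authorization procedures required under the administrative safeguards.
ROLE_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view"},
    "sysadmin": set(),  # administrators maintain systems, not charts
}

# Generic or shared logins defeat unique user identification (constructed list).
SHARED_IDS = {"admin", "nurse_station", "guest"}


def append_event(chain, event, key):
    """Append an event, chaining an HMAC over the previous tag plus this event.

    Altering or deleting any earlier record changes every later tag, so the
    reviewer can detect improper modification of the trail with verify_chain().
    """
    prev = chain[-1]["tag"] if chain else ""
    body = json.dumps(event, sort_keys=True)
    tag = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "tag": tag})
    return tag


def verify_chain(chain, key):
    """Return True if every record's tag matches the chain, False on tampering."""
    prev = ""
    for rec in chain:
        body = json.dumps(rec["event"], sort_keys=True)
        expect = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, rec["tag"]):
            return False
        prev = rec["tag"]
    return True


def review(chain):
    """System activity review: one (user, reason) finding per flagged event."""
    findings = []
    for rec in chain:
        ev = rec["event"]
        user, role, action = ev["user"], ev["role"], ev["action"]
        if user in SHARED_IDS:
            findings.append((user, "shared or generic user id"))
        if ev.get("break_glass"):
            # Emergency access is permitted but must be justified after the fact.
            findings.append((user, "emergency access used; requires follow-up"))
        elif action not in ROLE_ACTIONS.get(role, set()):
            findings.append((user, f"{action} not permitted for role {role}"))
    return findings


def build_sample_chain(key):
    """Constructed sample events; timestamps and patient ids are made up."""
    events = [
        {"ts": "2009-03-02T08:01", "user": "jdoe", "role": "physician",
         "action": "view", "patient": 1001},
        {"ts": "2009-03-02T08:05", "user": "nurse_station", "role": "nurse",
         "action": "view", "patient": 1001},
        {"ts": "2009-03-02T08:09", "user": "mbrown", "role": "billing",
         "action": "update", "patient": 1002},
        {"ts": "2009-03-02T08:15", "user": "kchen", "role": "physician",
         "action": "view", "patient": 1003, "break_glass": True},
        {"ts": "2009-03-02T08:20", "user": "rsmith", "role": "sysadmin",
         "action": "view", "patient": 1001},
    ]
    chain = []
    for ev in events:
        append_event(chain, ev, key)
    return chain


if __name__ == "__main__":
    key = b"constructed-review-key"  # in practice, a key the log writer cannot alter
    chain = build_sample_chain(key)
    print("chain intact:", verify_chain(chain, key))
    for user, reason in review(chain):
        print(f"{user}: {reason}")
    chain[2]["event"]["action"] = "view"  # simulate after-the-fact tampering
    print("chain intact after edit:", verify_chain(chain, key))
```

The chained HMAC only protects integrity if the key is held somewhere the application that writes the log cannot read or overwrite; a write-once log store or a separate logging host is the usual way to meet that condition.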

  11. Risk assessment • Must be “accurate and thorough” • Provides rationale for decisions about addressable specifications • Basic components • Threats & vulnerabilities • Likelihood of exploitation • Existing countermeasures • Control recommendations

  12. KUMC Approach • Adapt existing assessment tools (NIST SP 800-26, the self-assessment guide since withdrawn in favor of SP 800-53A) • Conduct risk assessment (every two years) • Network • Servers • Departments • Workstations • Applications • Evaluate administrative, physical & technical safeguards in each of the above areas

  13. Existing practices (to name a few) • Firewalls • Remote access through VPN • Limited public “visibility” • Ongoing intrusion detection • Role-based access • Anti-virus plan • Patch management • Background checks • Electronic signature • Unique user IDs • Strong passwords • Disaster recovery plans • Established backup procedures • Documented policies & procedures • Transmission encryption methods • Biometrics • Proximity sensors • Implanted chips

  14. QUESTIONS • Sherry Callahan, CISSP, CISA, CISM, Director of Information Security, scallahan@kumc.edu, 913.588.0966 • Juli Gardner, MHSA, KUMC Compliance Program Manager, jgardner3@kumc.edu, 913.588.0940
