HIPAA Security Standards

Emmanuelle Mirsakov

USC School of Pharmacy

Overview
  • HIPAA: Health Insurance Portability and Accountability Act of 1996
  • Why Security?
  • Focus on Security rule vs. Privacy rule
    • Security rule applies only to EPHI, while the Privacy rule applies to PHI which may be in electronic, oral, and paper form.
    • Privacy is the “Who, What, and When” and Security is the “How”
Who Oversees HIPAA? The U.S. Department of Health & Human Services
  • The Centers for Medicare and Medicaid Services oversees:
    • Transactions and Code Sets
    • Standard Unique Identifiers
    • Security
  • Contact info:
    • http://www.cms.hhs.gov/hipaa/
    • AskHIPAA@cms.hhs.gov
    • 1-866-282-0659
  • The Office for Civil Rights oversees:
    • Privacy
  • Contact info:
    • http://www.hhs.gov/ocr/hipaa/
    • OCRPrivacy@hhs.gov
    • 1-866-627-7748
Goals Of Security Rule
  • Confidentiality
    • EPHI is accessible only by authorized people and processes
  • Integrity
    • EPHI is not altered or destroyed in an unauthorized manner
  • Availability
    • EPHI can be accessed as needed by an authorized person
Parts of the Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies & Procedures & Documentation Requirements
Security Rule
  • The rule is technology neutral
    • The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete
    • The security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.
Security Standards
  • Administrative Safeguards:
    • Administrative functions that should be implemented to meet the security standards
  • Physical Safeguards:
    • Mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion.
  • Technical Safeguards:
    • The automated processes used to protect data and control access to data
Technical Safeguards
  • Main parts:
    • Access Control
    • Audit Control
    • Integrity
    • Person or Entity Authentication
    • Transmission Security
Access Control
  • “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”
  • Access controls should enable authorized users to access minimum necessary information needed to perform job functions.
4 implementation specifications associated with Access Controls:
  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff (addressable)
  • Encryption and decryption (addressable)
Audit Controls
  • “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
  • Useful to determine if a security violation occurred
  • The security rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)
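An added illustration (not from the presentation or from Pro Pharma) of how the four access-control implementation specifications and the audit-control standard fit together in code; the role matrix, idle limit, user id and field names are constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Minimum-necessary matrix: which record fields each role may read.
# Constructed sample roles and fields, not a real policy.
ROLE_FIELDS = {
    "pharmacist": {"name", "medications", "allergies"},
    "billing": {"name", "insurance_id"},
}
IDLE_LIMIT_SECONDS = 600  # automatic logoff threshold (assumed value)


@dataclass
class Session:
    user_id: str            # unique user identification (required spec)
    role: str
    last_activity: float    # clock value of the last successful request
    audit_log: list = field(default_factory=list)

    def _record(self, field_name, outcome, emergency=False):
        # Audit control: every attempt is logged, granted or denied
        self.audit_log.append({"user": self.user_id, "field": field_name,
                               "outcome": outcome, "emergency": emergency,
                               "ts": time.time()})

    def read(self, record, field_name, now, emergency=False):
        """Return one field of an EPHI record, or raise PermissionError."""
        # Automatic logoff (addressable spec): idle sessions are terminated
        if now - self.last_activity > IDLE_LIMIT_SECONDS:
            self._record(field_name, "denied-auto-logoff")
            raise PermissionError("session expired: automatic logoff")
        self.last_activity = now
        allowed = field_name in ROLE_FIELDS.get(self.role, set())
        if not allowed and not emergency:
            self._record(field_name, "denied-minimum-necessary")
            raise PermissionError(f"{self.role} may not read {field_name}")
        # Emergency access procedure (required spec): access outside the
        # normal role is granted but flagged so it is reviewed afterwards
        self._record(field_name, "granted", emergency=(emergency and not allowed))
        return record[field_name]
```

The audit log is the artifact the standard asks for: it is what lets a reviewer determine afterwards whether a denied or emergency access was a security violation.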
Integrity
  • “The property that data or information have not been altered or destroyed in an unauthorized manner”
  • The integrity of data can be compromised by both technical and non-technical sources
  • Implementation specification:
    • Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. (addressable)
Person or Entity Authentication
  • “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed”
  • Ways to provide proof of identity:
    • Require something known only to that individual (password or PIN)
    • Require smart card, token, or a key
    • Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)
Transmission Security
  • “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network”
  • This standard has 2 implementation specifications:
    • Integrity Controls (addressable)
    • Encryption (addressable)
Implementation Specifications
  • Integrity Controls:
    • Integrity in this context is focused on making sure that EPHI is not improperly modified during transmission
      • Primarily through the use of network communications protocols
      • Data message authentication codes
  • Encryption
    • “Implement a mechanism to encrypt EPHI whenever deemed appropriate”
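As an added example (not part of the slide deck), here is the “data message authentication code” integrity control from above applied to an EPHI record using only Python’s standard library; the record fields and the shared key are constructed values, and in practice the key would come from a key-management process. A MAC lets the receiver detect modification in transit but does not hide the data, which is what the separate encryption specification addresses.

```python
import hashlib
import hmac
import json

# Constructed demo key shared out of band between sender and receiver;
# not a real secret and not suitable for reuse.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    # Deterministic serialization so both ends compute the MAC over the same bytes
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    # Sender side: attach an HMAC-SHA256 tag over the canonical record
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"payload": record, "mac": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> bool:
    # Receiver side: recompute the tag and compare in constant time
    if "payload" not in message:
        return False
    expected = hmac.new(key, canonical(message["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message.get("mac", ""))


def receive(message: dict, key: bytes = SHARED_KEY) -> dict:
    # Reject anything whose tag does not match; only verified EPHI is returned
    if not verify(message, key):
        raise ValueError("EPHI integrity check failed: message rejected")
    return message["payload"]
```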
Pro Pharma Implementation
  • All hard drives can only be accessed by individuals with proper clearance by Pro Pharma
  • All employees have a unique user name and password
  • All employees are required to lock their station whenever they get up
  • Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats
  • Full virus protection is installed on every workstation
  • Network browsing is routed to a system that checks for threats
  • No employee has administrative rights to their local machine
  • No employees have domain administrative rights on the Pro Pharma domain
  • Every workstation is attached to a UPS power supply to protect from power failure or power surge
In Summary
  • Security rules are in place to enhance health information sharing and to protect patients
  • The Security rule technical safeguards are the technology related policies and procedures that protect EPHI and control access to it
  • Be cognizant of PHI, and follow Pro Pharma protocols
The Bright Side
  • Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.