

HIPAA & HiTech 11/6/12

Copyright 2012 - Academy of Dental Learning 1

HIPAA Federal Security Rule

HIPAA Introduction - What is HIPAA?

•  HIPAA = The Health Insurance Portability and Accountability Act … a Federal law created in 1996

H = Health
I = Insurance
P = Portability and
A = Accountability
A = Act (of 1996)

•  It is considered the MOST significant healthcare legislation since Medicare in 1965!!!

Health Insurance Portability and Accountability Act (HIPAA)

•  Insurance Reform [Portability]
•  Administrative Simplification [Accountability]

HIPAA OVERVIEW

•  Transactions, Code Sets, & Identifiers – Compliance Date: 10/16/2002 or 10/16/03
•  Privacy – Compliance Date: 4/14/2003
•  Security – Compliance Date: 2005

HIPAA Introduction

•  Providers
•  Hospitals
•  Health Plans
•  Billing Agencies
•  Clearinghouses
•  Laboratories
•  Pharmacies
•  Etc...

•  Integrity: Information has not been altered or destroyed without proper authorization
•  Confidentiality: Information is only available or disclosed to persons authorized to receive it
•  Availability: Information is accessible and usable upon demand by authorized personnel


WHAT IF WE DO NOT COMPLY?

Non-Compliance
•  $100 for each violation
•  Maximum of $25,000 per year per specific provision

Unauthorized Disclosure or Misuse of Patient Information
•  Penalties up to $250,000
•  Prison time up to 10 years

PRIVACY vs. SECURITY – What’s the Difference?

•  PRIVACY refers to WHAT is protected: health information about an individual and the determination of WHO is permitted to use, disclose, or access the information.

•  SECURITY refers to HOW private information is safeguarded: ensuring privacy by controlling access to information and protecting it from inappropriate disclosure and accidental or intentional destruction or loss.

•  Privacy Rule – Applies to protected health information in electronic, oral, and paper media

•  Security Rule – Applies to electronic protected health information at rest, during transmission, and receipt*

*Does not include faxed information

PRIVACY

HIPAA Privacy Definitions… just a few…

•  “Protected Health Information”
•  “Authorization”
•  “Treatment, Payment, Healthcare Operations”
•  “Patient Notice”
•  “Uses & Disclosures”
•  “Minimum Necessary”
•  “Business Associate Agreements”

Protected Health Information

•  Individually identifiable health information about a patient relating to the past, present or future health conditions of the individual.
•  This covers all information, whether maintained electronically, in paper form or communicated orally.
•  PHI cannot be released unless authorized by the patient or for treatment, payment, or healthcare operations.


Authorization

•  A covered entity may not use or disclose protected health information without a valid written authorization from the individual.
•  An authorization must be specific and cannot be combined with other documents.

Treatment, Payment & Operations

•  Treatment - the provision, coordination or management of health care and related services by one or more health care providers, including consultation or referral
•  Payment - collection of premiums, reimbursement, coverage determinations, risk adjusting, billing, claims management, medical necessity determinations, utilization review, and pre-authorization of services
•  Health Care Operations - specified activities by or for a health plan or health care provider that are related to its “covered functions,” including quality assessment and improvement; peer review, training and credentialing of providers; business planning; and business management.

Patient Notice

•  Description of uses and disclosures of protected health information made by the covered entity.
•  Every patient will receive a copy of the Patient Notice and will be asked to sign an “Acknowledgement”.
•  Patients are told:
   –  How protected information will be used and disclosed
   –  Their rights, as explained in a Notice of Privacy Practices

Uses & Disclosures

•  Use – Employment, application, utilization, examination or analysis of information within a covered entity that holds the information.
•  Disclosure – Release, transfer, provision of access to, or divulging in any other manner of information outside the covered entity holding the information.

Minimum Necessary

A covered entity must make reasonable efforts to limit uses, disclosures, and requests for protected health information to the minimum necessary to accomplish the intended purpose (except uses and disclosures for treatment purposes).

•  For internal uses of protected health information, workforce members must be classified on a “need-to-know” basis with appropriate controls over access to PHI for each class.
•  For routine and recurring disclosures, standard protocols may be used to determine the minimum necessary amount of PHI required.
•  For non-routine disclosures, a covered entity must develop and apply criteria for determining the minimum necessary amount required.


SECURITY OVERVIEW

SECURITY FINAL RULE PUBLISHED – in effect April 2005

Purpose: To protect both the system and the information it contains from unauthorized access & misuse

Encompasses: All safeguards in a covered entity’s structure, including:
•  Information systems (hardware/software)
•  Personnel policies
•  Information practice policies
•  Disaster Preparedness

SECURITY

•  Administrative Procedures: To ensure security plans, policies, procedures, training, and contractual agreements exist
•  Physical Safeguards: To provide assigned security responsibility and controls over all media and devices
•  Technical Security Services: To provide specific authentication, authorization, access, & audit controls to prevent improper access to electronically stored information
•  Technical Security Mechanisms: To establish communications/network controls to avoid the risk of interception and/or alteration during electronic transmission of information

HIPAA Security Standards – What is the Security Rule?

Bottom Line:
•  We must assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability.
•  We must protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Confidentiality: “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
•  Must protect against unauthorized
   –  Uses
   –  Disclosures
   –  Access

Integrity: “the property that data or information has not been altered or destroyed in an unauthorized manner.”
•  Must protect against improper destruction or alteration of data
•  Must provide appropriate backup in the event of a threat, hazard, or natural disaster

•  Name

•  Address -- street address, city, county, zip code (more than 3 digits) or other geographic codes

•  Dates directly related to patient

•  Telephone Number

•  Fax Number

•  email addresses

•  Social Security Number

•  Medical Record Number

•  Health Plan Beneficiary Number

•  Account Number

•  Certificate/License Number

•  Any vehicle or device serial number

•  Web URL, Internet Protocol (IP) Address

•  Finger or voice prints

•  Photographic images

•  Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)

•  Age greater than 89 (because the population aged 90 and over is relatively small)


Not only is HIPAA required, it’s good for business

•  Perform a physical technical inventory
•  Conduct a risk assessment
•  Develop policies and procedures

Physical Safeguards
•  Facility Access Controls
•  Workstation Use
•  Workstation Security
•  Device and Media Control


•  Risk Analysis – Conduct an assessment of potential risks
•  Risk Management – Implement security measures sufficient to reduce risks
•  Sanction Policy – Apply sanctions for workforce members that fail to comply
•  Information System Activity Review – Implement procedures to review records of information system activity
•  Assign a security official
•  Authorization and Supervision – Implement procedures for authorized and/or supervised data access
•  Workforce Clearance Procedure – Ensure employees have appropriate access for their job
•  Termination Procedures – Ensure that terminated employees no longer have access to protected information
•  Isolating Health Care Clearinghouse Function – Assure your clearinghouse is using HIPAA standards for protected health information
•  Access Authorization – Implement policies and procedures for granting access to protected health information
•  Access Establishment and Modification – Ensure and create policies that users have only the access they need to do their jobs
•  Security Reminders – As appropriate, provide initial training on policies and procedures as well as periodic security updates
•  Protection from Malicious Software – Establish procedures for guarding against, detecting, and reporting malicious software
•  Log-in Monitoring – Procedures for monitoring log-in attempts and reporting discrepancies
•  Password Management – Develop procedures for creating, changing, and safeguarding passwords
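The "Log-in Monitoring" standard above asks for procedures that watch log-in attempts and report discrepancies. The following is an added example, not code from the Academy of Dental Learning deck, of what the smallest useful version of that looks like in practice: it reads log-in records, counts failures per user inside a time window, and reports a burst of failures plus any success that follows such a burst, so the security official has something concrete to review. The record format, the sample lines, the threshold and the window are all constructed for this example; a real practice-management system or Windows event log would need its own parser.

```python
"""Added example: log-in monitoring over constructed log records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, workstation, result.
SAMPLE_LOG = """\
2012-11-06 08:01:12 user=jsmith ws=FRONTDESK1 result=SUCCESS
2012-11-06 08:03:40 user=dwhite ws=OPERATORY2 result=FAILURE
2012-11-06 08:03:52 user=dwhite ws=OPERATORY2 result=FAILURE
2012-11-06 08:04:05 user=dwhite ws=OPERATORY2 result=FAILURE
2012-11-06 08:04:20 user=dwhite ws=OPERATORY2 result=FAILURE
2012-11-06 08:04:33 user=dwhite ws=OPERATORY2 result=SUCCESS
2012-11-06 12:30:00 user=jsmith ws=FRONTDESK1 result=FAILURE
2012-11-06 17:45:10 user=jsmith ws=FRONTDESK1 result=SUCCESS
2012-11-06 22:15:00 user=admin ws=SERVER1 result=FAILURE
2012-11-06 22:15:30 user=admin ws=SERVER1 result=FAILURE
2012-11-06 22:16:00 user=admin ws=SERVER1 result=FAILURE
"""

FAIL_THRESHOLD = 3            # assumed: this many failures inside WINDOW is a discrepancy
WINDOW = timedelta(minutes=5)  # assumed window size


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    date, time, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return rec


def find_discrepancies(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (user, kind, detail) findings.

    kind is "burst" when a user has >= threshold failures inside `window`, and
    "success_after_burst" when a successful log-in follows such a burst (worth a
    human look: a guessed password, or a legitimate user who kept mistyping?).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)

    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        recent_failures = []   # sliding window of failure timestamps
        burst_open = False     # a burst has been reported and not yet cleared
        for r in recs:
            if r["result"] == "FAILURE":
                recent_failures.append(r["ts"])
                recent_failures = [t for t in recent_failures if r["ts"] - t <= window]
                if len(recent_failures) >= threshold and not burst_open:
                    burst_open = True
                    findings.append((user, "burst",
                        f"{len(recent_failures)} failures within {window} ending {r['ts']} on {r['ws']}"))
            else:
                if burst_open:
                    findings.append((user, "success_after_burst",
                        f"successful log-in at {r['ts']} on {r['ws']} after repeated failures"))
                burst_open = False       # a success clears the window
                recent_failures = []
    return findings


if __name__ == "__main__":
    for user, kind, detail in find_discrepancies(SAMPLE_LOG):
        print(f"{kind:20s} {user:8s} {detail}")
```

Run against the constructed log, the script reports two users: dwhite (four failures in under a minute, then a success) and admin (three failures late in the evening). Raising the threshold to five reports nothing, which is the tuning decision the practice has to make consciously for its own environment.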


•  Response and Reporting – Implement policies and procedures to address security incidents
•  Data Backup Plan – Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information
•  Disaster Recovery Plan – Establish (as needed) procedures to restore any loss of data
•  Emergency Mode Operation Plan – Establish (and implement as needed) a way to continue operation after an emergency
•  Testing and Revision Procedures – Implement procedures for testing the contingency plans
•  Evaluation – Perform periodic technical and non-technical evaluation of your contingency plan

•  Workstation Use – Create policies and procedures to ensure the proper:
   –  Functions to be performed
   –  Manner in which they are performed
   –  Physical attributes of the surroundings
•  Workstation Security – Implement physical safeguards for all workstations that access protected health information, to restrict access to unauthorized users

•  Unique User Identification – Assign a unique name and/or number for identifying and tracking user identity
•  Emergency User Identification – Establish (and implement as necessary) procedures for obtaining necessary information during an emergency
•  Automatic Logoff – Implement electronic procedures that terminate an electronic session after a period of inactivity
•  Encryption and Decryption – Implement a mechanism to encrypt and decrypt protected health information
•  Person or Entity Authentication – Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed


HIPAA Security Standards Administrative – Passwords

•  Your user ID and password are critical to ePHI security.
•  Maintain your password in a secure and confidential manner
   –  DO NOT keep an unsecured paper record of your passwords.
   –  DO NOT post your password in open view, e.g. on your monitor.
   –  DO NOT share your password with anyone.
   –  DO NOT use the same passwords for work and your personal accounts.
   –  DO NOT include passwords in automated logon processes.
   –  DO NOT use “weak” passwords.
•  Passwords must be changed every 90 days.
•  Passwords should be changed whenever there is a question of compromise.
•  Strong passwords must be utilized when possible
   –  A minimum of 8 characters in length
   –  Must contain a component from at least 3 of the 4 following categories:
      •  Upper case
      •  Lower case
      •  Numerals
      •  Keyboard symbols
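The password rules on this slide (at least 8 characters, characters from at least 3 of the 4 categories, a change every 90 days, no "weak" passwords) are concrete enough to enforce in code. Here is an added example, not code from the Academy of Dental Learning deck, that checks a candidate password against exactly those rules and reports every rule it fails rather than just a yes/no, which is what a helpful enrolment screen or a periodic audit script needs. The function names and the small weak-password list are this example's own assumptions; "keyboard symbols" is taken to mean ASCII punctuation.

```python
"""Added example: enforcing the slide's password rules."""
import string
from datetime import date, timedelta

MIN_LENGTH = 8          # "A minimum of 8 characters in length"
MIN_CATEGORIES = 3      # "at least 3 of the 4 following categories"
MAX_AGE_DAYS = 90       # "Passwords must be changed every 90 days"

# Constructed stand-in for a real list of known weak passwords (assumption).
WEAK_PASSWORDS = {"password", "Password1", "Welcome1!", "dental2012"}

CATEGORIES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "numeral": set(string.digits),
    "symbol": set(string.punctuation),   # assumed meaning of "keyboard symbols"
}


def categories_used(password):
    """Return the set of category names that appear in `password`."""
    return {name for name, chars in CATEGORIES.items() if any(c in chars for c in password)}


def password_problems(password):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = categories_used(password)
    if len(used) < MIN_CATEGORIES:
        missing = sorted(set(CATEGORIES) - used)
        problems.append(f"only {len(used)} of 4 character categories (missing: {', '.join(missing)})")
    if password in WEAK_PASSWORDS:
        problems.append("appears on the weak-password list")
    return problems


def password_expired(last_changed, today=None, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than max_age_days (the 90-day rule).

    Dates may be given as date objects or ISO strings like "2012-11-06".
    """
    if isinstance(last_changed, str):
        last_changed = date.fromisoformat(last_changed)
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return today - last_changed > timedelta(days=max_age_days)


if __name__ == "__main__":
    for pw in ["molar", "toothbrush", "Toothbrush9", "Tooth-brush9", "Password1"]:
        probs = password_problems(pw)
        print(f"{pw!r:16} -> {'OK' if not probs else '; '.join(probs)}")
    print("expired:", password_expired("2012-08-01", today="2012-11-06"))
```

Note that "Password1" satisfies the length and three-category rules and still fails: complexity rules alone do not rule out a password everyone guesses first, which is why the slide's separate "DO NOT use weak passwords" item gets its own check.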

HIPAA Security Standards Administrative – Malicious Software

•  Emails with attachments should not be opened if:
   –  The sender is unknown to you
   –  You were not expecting the attachment
   –  The attachment is suspicious in any way
•  Do not open non-business related email attachments or suspicious web URLs.
•  Do not open file attachments or URLs sent via instant messaging.

HIPAA Security Standards Physical – Workstations

•  Position workstations so as to avoid viewing by unauthorized personnel.

•  Use privacy screens where applicable.

•  Use automatic password-protected screen savers.

•  Lock, logoff or shut down workstations when not attended.

•  Workstation access should be controlled based on job requirements.

FINAL NOTE on PRIVACY & SECURITY