Upload
shyam-prasad-p
View
220
Download
0
Embed Size (px)
Citation preview
7/30/2019 HIPAA Privacy Security Presentation for ISCA
1/26
Privacy & Security Matters:Privacy & Security Matters:
Protecting Personal DataProtecting Personal Data
Privacy & Security Project
7/30/2019 HIPAA Privacy Security Presentation for ISCA
2/26
7/30/2019 HIPAA Privacy Security Presentation for ISCA
3/26
What HIPAA Does1. Creates standards for protecting the privacy
of health information2. Creates standards for the security of health
information
3. Creates standards for electronic exchange ofhealth information
4. Requires action as single entity5. Privacy rule mandates training 25,000
workforce members on standards and policies
7/30/2019 HIPAA Privacy Security Presentation for ISCA
4/26
Deadlines for CompliancePrivacy
Security
Transactions & Code
SetsIdentifiers
April 14, 2003!
Fall 2004
Oct ober 16, 2003
Fall 2004
7/30/2019 HIPAA Privacy Security Presentation for ISCA
5/26
Key DefinitionsIndividually Identifiable Health Information Related to an individual; the provision of health care to an
individual; or payment for health care
and that identifies the individual
or a reasonable basis to believe the information can be usedto identify the individual
Protected Health Information (PHI) Individually Identifiable Health Information
Electronic, paper, oral Created or received by a health care provider, public health
authority, employer, school or university
7/30/2019 HIPAA Privacy Security Presentation for ISCA
6/26
Definitions
Covered Entity Health care provider who transmits any
health information in electronic form in
connection with HIPAA regulationsHealth care provider means a provider of
medical or health services, and any other
person or organization who furnishes, bills, oris paid for health care in the normal course ofbusiness.
7/30/2019 HIPAA Privacy Security Presentation for ISCA
7/26
Impact on the University
SystemSignificant financial implications
High level of risk to individuals and toinstitution civil monetary penalties
criminal sanctions
Requires a change in the way we do business
New U-wide policies & procedures Limits access to information
7/30/2019 HIPAA Privacy Security Presentation for ISCA
8/26
Scope of ImpactUniversity-wide
-Athlet ics -Ed and Human Devel.
-Auxiliary Services -College of Liberal Art s
-Car lson SOM -School of Music
-General Counsel -Food Science & Nut r it ion-MMF -Universit y Foundat ion
-U Health Plan -General College-Student Heal th Services -Disabi li ty Services
-Environmental Healt h -OI T
All Coordinate Campuses
Business part ners: UMP, FUMC, aff il iat ed sit es
business associates
7/30/2019 HIPAA Privacy Security Presentation for ISCA
9/26
Operations ImpactEducation ensure students competencies in privacy &
technology. Record keeping
curriculum
Research Major change to process
IRB processes and functionHealth Care
Culture change
7/30/2019 HIPAA Privacy Security Presentation for ISCA
10/26
University Policies and
Procedures NeededRegents policy on privacy, compliance and
enforcementPolicies for use and disclosures of PHI
Privacy policy for patientsAdministrative forms permitting disclosure
Policies for sanctions, mitigation, and
monitoringPolicies for data security
Policies for education and training
7/30/2019 HIPAA Privacy Security Presentation for ISCA
11/26
7/30/2019 HIPAA Privacy Security Presentation for ISCA
12/26
Privacy and Security Project
OrganizationEducat ion & Training
Task Force
Privacy and Confidentiality
Curriculum for Tech Competencies
Curriculum for Policy, Legal,Ethics, and Health Systems Issues
Privacy Environment
Implementation
Competency Assessment
Technology Task
Force
Clinical issues
Technical & Security Audit
Research Issues
7/30/2019 HIPAA Privacy Security Presentation for ISCA
13/26
Introduction to HIPAA PrivacyAnd Security Videotape
(7 minutes)
Privacy and Confidentialityin Research
(70 minutes)
Safeguarding PHI on Computers(70 minutes)
Privacy and Confidentialityin Clinical Settings
(55 minutes)
Privacy and Secur it y Proj ectEducat ion Program Model
P i d S i P j
7/30/2019 HIPAA Privacy Security Presentation for ISCA
14/26
Privacy and Security Project
Organization
Example
of
Training
Material
7/30/2019 HIPAA Privacy Security Presentation for ISCA
15/26
Security and the Privacy RuleMust implement appropriate technicalsafeguards to protect privacy of PHI.
Must be able to reasonably safeguard against
any intentional or unintentional use ordisclosure that is a privacy violation.
Should work in conjunction with minimum
necessary ruleCoordinated with HIPAA security regulations.
7/30/2019 HIPAA Privacy Security Presentation for ISCA
16/26
7/30/2019 HIPAA Privacy Security Presentation for ISCA
17/26
Goal of Security RuleTo ensure reasonable and appropriateadministrative, technical, and physicalsafeguards that insure the integrity,
availability and confidentiality of healthcare information, and protect against
reasonably foreseeable threats to thesecurity or integrity of the information.
7/30/2019 HIPAA Privacy Security Presentation for ISCA
18/26
Focus of Security RuleBoth external and internal threats
Prevention of denial of service
Theft of private information
Integrity of information
7/30/2019 HIPAA Privacy Security Presentation for ISCA
19/26
Rule has 4 categories1. Administrative Procedures
2. Physical Safeguards
3. Technical data security services
4. Technical security mechanisms
Administrative Procedures:
7/30/2019 HIPAA Privacy Security Presentation for ISCA
20/26
Administrative Procedures:
12 Requirements1. Certification
2. Chain of TrustAgreements
3. Contingency Plan
4. Mechanism forprocessing records
5. Information AccessControl
6. Internal Audit
7. Personnel Security
8. Security ConfigurationManagement
9. Security Incident
Procedures
10. Security ManagementProcess
11. TerminationProcedures
12. Training
Physical Safegaurds:
7/30/2019 HIPAA Privacy Security Presentation for ISCA
21/26
Physical Safegaurds:
6 Requirements1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training
Technical Data Security
7/30/2019 HIPAA Privacy Security Presentation for ISCA
22/26
Technical Data Security
Services: 5 Requirements1. Access Control
2. Audit Controls
3. Authorization Control
4. Data Authentication
5. Entity Authentication
Technical Security Mechanism:
7/30/2019 HIPAA Privacy Security Presentation for ISCA
23/26
Technical Security Mechanism:
1 Requirement1. Protections for health information
transmitted over open networks via:
Integrity controls, and
Message authentication, and
Access controls OR encryption
7/30/2019 HIPAA Privacy Security Presentation for ISCA
24/26
Dash Board For Evaluation # staff - # volunteers - % trained
# of clients
# of security incidents
Have list of systems containing PHIand know location of system and who
is data steward -# of items on list Confidence that unit has good physicalsecurity
7/30/2019 HIPAA Privacy Security Presentation for ISCA
25/26
Dash Board For Evaluation Have list of data interfaces -# of data
interfaces
Have list of contracts/business
associates - # of contracts/businessassociates
Allow PHI to be put on personal PCsor in Email or loaded to WEB site
7/30/2019 HIPAA Privacy Security Presentation for ISCA
26/26