HIPAA Components (est. 1996)

Title I: Portability
Title II: Administrative Simplification
    Privacy Rule (compliance required since 4/03)
        Use/Disclosure of PHI
        Individual Rights
        Administrative Requirements
    EDI
        Transactions
        Code Sets
        Identifiers
    Security Rule (compliance required since 4/05)
        Administrative Procedures
        Physical Safeguards
        Organizational Requirements
        Technical Safeguards
Title III: Medical Savings Accounts
Title IV: Group Health Plan Provisions
Title V: Revenue Offset Provisions

www.IonITGroup.com
Why Should We Care about Network Security?

    Potential for downtime and impact on patient care
    It is both a State and Federal law
    The dreaded blank check scenario
    Possible fines for security breaches
    HIPAA requires that we implement security measures to protect PHI on paper and electronically!
    Damage to reputation from security breaches (newspaper headlines)
Headlines, July 07, 2010

Conn. AG, Health Net Reach Settlement Over Medical Data Breach
    On Tuesday, insurer Health Net reached a $250,000 settlement with Connecticut Attorney General Richard Blumenthal (D), who sued the company after it lost a computer hard drive in 2009, Dow Jones/Wall Street Journal reports. The hard drive contained medical and financial information on about 500,000 members from the state.
    (Solsman, Dow Jones/Wall Street Journal, 7/6)
Headlines, June 2, 2010

"Many of the major healthcare information breaches reported since last September, when the HITECH Breach Notification Rule took effect, have involved the theft or loss of unencrypted laptops and other portable devices."
    Terrell Herzig, HIPAA security officer at UAB Health System in Birmingham, Ala.
Meaningful Use Core Set verbiage says:

"Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process."
Aaaannd that means what? 164.308 - Administrative Safeguards

1. Security Management Process
    a) Implement policies and procedures to prevent, detect, contain, and correct security violations.
2. Risk Analysis
    a) Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.
3. Risk Management
    a) Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
4. Sanction Policy
    a) Apply appropriate sanctions against workforce members who fail to comply with the security policies of the covered entity.
5. Information System Activity Review
    a) Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
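Item 5 only says that audit logs and access reports must be reviewed regularly; it does not say how. The script below is an added example, not from these slides or from IonITGroup, of what a first-pass automated review of EHR access logs can look like. The log format (timestamp, user, event, patient id, source IP), the user names, the business-hours window, the thresholds and the rule names are all assumptions, and the sample records are constructed for the example. Each finding is meant to be triaged by a person, which is what the sanction policy in item 4 needs: a record of who accessed what, when, and whether it was explained.

```python
"""Toy information-system activity review over constructed EHR audit records.

Assumed log format (one event per line, whitespace separated):
    <ISO timestamp> <user id> <event> <patient id or "-"> <source IP>
Rules, thresholds and sample data below are illustrative assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a normal user (jdoe), a burst of failed logins
# (rsmith), a user pulling many records in a short time (mkhan), and
# record views late at night (tlee). Not real data.
SAMPLE_LOG = """\
2010-06-01T08:02:11 jdoe LOGIN_OK - 10.1.4.22
2010-06-01T08:05:40 jdoe VIEW_RECORD P10001 10.1.4.22
2010-06-01T08:07:02 jdoe VIEW_RECORD P10002 10.1.4.22
2010-06-01T09:15:19 rsmith LOGIN_FAIL - 10.1.7.9
2010-06-01T09:15:31 rsmith LOGIN_FAIL - 10.1.7.9
2010-06-01T09:15:44 rsmith LOGIN_FAIL - 10.1.7.9
2010-06-01T09:16:01 rsmith LOGIN_FAIL - 10.1.7.9
2010-06-01T09:16:15 rsmith LOGIN_FAIL - 10.1.7.9
2010-06-01T09:16:30 rsmith LOGIN_OK - 10.1.7.9
2010-06-01T10:00:05 mkhan LOGIN_OK - 10.1.5.14
2010-06-01T10:01:12 mkhan VIEW_RECORD P20001 10.1.5.14
2010-06-01T10:02:30 mkhan VIEW_RECORD P20002 10.1.5.14
2010-06-01T10:03:48 mkhan VIEW_RECORD P20003 10.1.5.14
2010-06-01T10:05:01 mkhan VIEW_RECORD P20004 10.1.5.14
2010-06-01T10:06:22 mkhan VIEW_RECORD P20005 10.1.5.14
2010-06-01T10:07:40 mkhan VIEW_RECORD P20006 10.1.5.14
2010-06-01T23:41:05 tlee LOGIN_OK - 10.1.9.3
2010-06-01T23:42:10 tlee VIEW_RECORD P10077 10.1.9.3
2010-06-01T23:44:55 tlee VIEW_RECORD P10078 10.1.9.3
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event, patient, ip = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "event": event,
            "patient": None if patient == "-" else patient,
            "ip": ip,
        })
    return events


def review(events, business_hours=(7, 19), max_failed_logins=3,
           max_distinct_patients=5, on_call=frozenset()):
    """Return (rule, user, detail) findings for a human reviewer.

    business_hours is a [start, end) hour window; users in on_call are
    exempt from the after-hours rule. Thresholds are illustrative.
    """
    start, end = business_hours
    failed = defaultdict(int)                                  # user -> failed logins
    patients = defaultdict(lambda: defaultdict(set))           # user -> day -> patient ids
    after_hours = defaultdict(list)                            # user -> events

    for e in events:
        if e["event"] == "LOGIN_FAIL":
            failed[e["user"]] += 1
        elif e["event"] == "VIEW_RECORD":
            patients[e["user"]][e["time"].date()].add(e["patient"])
            in_hours = start <= e["time"].hour < end
            if not in_hours and e["user"] not in on_call:
                after_hours[e["user"]].append(e)

    findings = []
    for user, n in sorted(failed.items()):
        if n >= max_failed_logins:
            findings.append(("FAILED_LOGIN_BURST", user, f"{n} failed logins"))
    for user, days in sorted(patients.items()):
        for day, ids in sorted(days.items()):
            if len(ids) > max_distinct_patients:
                findings.append(("HIGH_VOLUME_ACCESS", user,
                                 f"{len(ids)} distinct patient records on {day}"))
    for user, evs in sorted(after_hours.items()):
        findings.append(("AFTER_HOURS_ACCESS", user,
                         f"{len(evs)} record views outside {start:02d}:00-{end:02d}:00"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{rule:<20} {user:<8} {detail}")
```

The review deliberately produces leads, not verdicts: a night-shift nurse on the on-call list is not flagged, and a high-volume user may simply be a coder working a queue. What matters for the standard is that the review happens on a schedule, that each finding is resolved and recorded, and that the thresholds are revisited as part of the risk management process.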
P.S. Breach notification has been in effect since September 2009.

Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. This section also requires covered entities to comply with several other provisions of the Privacy Rule with respect to breach notification.
User Access Control and Password Guidance

Unique User ID: All system access with your ID is YOUR responsibility.
Password Guidelines: Passwords must be a combination of upper and lower case letters, numbers, and special characters.
Automatic Logoff: Your EHR session should terminate after 15 minutes of inactivity. Always save your work before leaving your workstation!
Accounting for Disclosures

Always indicate why treatment, payment, or authorization information is being disclosed.
Minimum Necessary Rule: "...take reasonable steps to limit the use or disclosure of, and requests for, [PHI] to the minimum necessary to accomplish the intended purpose."
Tasks for the IT Dept

Role-Based Access: Manage who gets access to what.
Firewall Review: Make sure that communication with the outside world is secure.
Wireless Security: Manage who gets WiFi access.
Antivirus: Manage software to keep viruses and malware at bay.
Server/Workstation Updates: Make sure all software gets appropriate updates to mitigate problems.
Tasks for the IT Dept (continued)

Backup: Keep a backup of all data, just in case!
Backup Encryption: Make backup data unreadable to snoopers.
Recovery: Have a plan in case disaster strikes!
Summary

Protecting data is everyone's responsibility.
Understand HIPAA.
Hold each other accountable.