1 HIPAA Training Part III Health Insurance Portability and Accountability Act
2 POLICIES & PROCEDURES
3 Goals: Learn simple ways to protect information. Learn how to continually give training. Learn how to continually develop procedures.
4 Policy: It's the law. The doctor has to sign all of them. The privacy official's name must be on them. They must be reviewed each year, and proof of this must be documented.
5 Procedure: How you apply the law to this office. Writing procedures is an everlasting process of reviewing and updating.
6 Why Review and Update the Procedures? New breaches are discovered. New technology is used. Office changes occur, such as remodeling. The procedures describe what you're doing to protect PHI.
7 Procedures: Be general. Don't be specific.
8 Training: Have documented meetings. Each employee, including the doctor, must sign their own name on the Training Register. If the doctor does not allow training, then the doctor is liable for all fines.
9 Training. Some discussion topics: Implementation of Policies; Notice of Privacy Forms; General Penalty for Failure to Comply with Requirements and Standards.
10 Training. More discussion topics: Breaches; Office Procedures Regarding PHI; Complaints Regarding PHI; Handling Patients' Restrictions; Medical Release Forms; Front Office Procedures; Back Office Procedures; Computer Security.
11 Training Register
12 What Do You Have to Do to Protect Information and to Avoid the Fines? Understand two basic points: continually have training, and keep records.
13 Keep Records: Every time you have training, you must record it. This is the government: if you don't have records, then training was never done.
14 HIPAA Security: Computers were required to be secured by April of [year omitted on the slide]. Topics: Passwords; Hackers; Levels of service.
16 HIPAA Security Standard. What is the purpose? Establish a standard for health care providers with regard to the treatment of patient health information. Give patients more control over and access to their medical information. Secure protected health information (PHI) transmitted, stored, or maintained in electronic format from real or potential threats of disclosure or loss.
17 HIPAA Security Standard, General: Consistent with the Privacy Rule, in that the security part of the Privacy Rule requires that appropriate security be applied to all PHI in all events. Focuses more on what needs to be done rather than how. Cost of implementation is a factor, but not a preclusion. Cost, size, technical infrastructure and criticality of potential risks are factors, allowing for a flexible approach. Sets out processes for decision-making, but does not make decisions; remains technology neutral. Results and documentation are both important.
18 HIPAA Security Standard. What does the rule do? Ensures the confidentiality, integrity, and availability of all electronic PHI a covered entity (CE) creates, receives, maintains, or transmits. Protects against any reasonably anticipated threats or hazards to the security or integrity of such information. Protects against any reasonably anticipated uses or disclosures of such information that are not permitted or required. Ensures compliance by the covered entity's workforce.
19 Privacy vs. Security. Privacy: individuals' rights to control access to and disclosure of their protected or individually identifiable healthcare information; establishes authorization requirements; establishes individual rights; establishes regulations for use or disclosure of PHI. Security: establishes the minimum level of security that covered entities must meet; adopts standards for the security of ePHI to be implemented by covered entities; improves the efficiency of the healthcare industry in general.
20 Three Pillars of Data Security. Confidentiality: data or information is not made available to unauthorized persons or processes. Integrity: data or information has not been altered or destroyed in an unauthorized manner. Accessibility: data or information is accessible and usable upon demand by an authorized person.
21 Security Rule Organization: Safeguards. Administrative: administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic health information, and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Physical: security measures to protect a covered entity's electronic information systems and related buildings and equipment from environmental hazards and unauthorized intrusions. Technical: the technology, and the policies and procedures for its use, that protect electronic protected health information and control access to it.
22 Electronic Data Security: the generic name for the tools designed to protect data and to prevent intrusions. Principle of Easiest Penetration: an intruder must be expected to use any available means of penetration. This is not necessarily the most obvious means, nor the one against which the most solid defense has been installed. Principle of Adequate Protection: computer hardware and software must be protected to a degree consistent with their value. Electronic data never loses its value unless the information becomes outdated and obsolete.
23 Security Threats: Virus; Spyware; Adware; Worms; Trojan Horse; Phishing (pharming); War Dialing; Social Engineering.
24 Social Engineering preys on the best qualities of human nature: the desire to be helpful, the tendency to trust people, and the fear of getting into trouble. A successful social engineer receives information without raising any suspicion as to what they are doing.
25 Social Engineering: Impersonation. Important user; third-party authorization; technical support ("There are system problems and you will have to log me on to check the connection").
26 Recognize the Signs. In person: may appear as an employee or dressed in a uniform; part of the cleaning crew; roams without raising suspicion. Dumpster diving. Shoulder surfing: using direct observation techniques, such as looking over someone's shoulder, to get information.
27 Social Engineering warning signs: refuses to give contact information; rushing; name-dropping; intimidation; small mistakes; requests confidential information; requests you to do something improper.
28 What can you do? Ask questions! Correct spelling of the person's name? Number where you can return the call? Contact information? Why is the information needed? Who authorized the request? Verify the authorization, and do it!!!
29 Where Do Intruders Come From? Who are these threat agents? Teenage pranksters; hacker junkies; disgruntled employees; disgruntled patients; competitors; terrorists (disruption of services); criminals (selling information).
30 Physical Vulnerabilities and Access: be aware of your surroundings! Where's my computer located? Is anyone watching me? Is the hallway door open? Is the monitor visible from the window? Is the computer visible from the patient waiting area? Are the servers in locked rooms or cabinets? Does the cleaning crew have access to the computers? Does the screen saver activate when idle? Do I log out before leaving the room? Do I use my PC for a night light?
31 Password Vulnerabilities: if you think it's weak, then it is weak. Passwords are the first line of defense against unauthorized access to your computer, files, and network connections, and the key to your electronic identity. Do not use: any dictionary words, any proper names, common phrases, obvious passwords, keyboard words; don't let a website save it; don't use the same one everywhere. What to use: at least eight characters, at least one capital letter, at least one number, at least one special character, one you can remember; change them regularly.
32 Your Account Is Only As Secure As Its Password. xt21b31. Recommendation: 120-day rotation. Don't let others watch you log in. Change your password often. Don't write your password on a post-it note; don't attach it to your video monitor or under the keyboard.
33 Password Construction: It can't be obvious or exist in a dictionary. Every word in a dictionary can be tried within minutes. Don't use a password that has any obvious significance to you.
34 Password Standard: eight-character minimum, and it should contain at least one of each of the following: uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), punctuation marks.
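To make the deck's password rules concrete, here is an added check (example code written for this page, not part of the training deck) that applies the eight-character, four-class standard from slide 34 together with the dictionary, proper-name and keyboard-word prohibitions from slides 31 and 33, and the 120-day rotation from slide 32. The word lists, the `personal_words` parameter and the sample passwords are constructed placeholders; run against the password shown on slide 32, xt21b31, the check reports three shortfalls.

```python
import string
from datetime import date

# Constructed stand-ins for a dictionary and a list of proper names; a real
# deployment would load full wordlists (assumption, not from the slides).
DICTIONARY = {"password", "welcome", "summer", "doctor", "clinic", "letmein"}
PROPER_NAMES = {"jones", "smith", "fluffy"}
# "Keyboard words" the slides warn against.
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "12345", "abcdef")
ROTATION_DAYS = 120  # the deck's recommended rotation period


def password_problems(pw, personal_words=()):
    """Return the list of ways `pw` falls short of the deck's standard.

    An empty list means the password passes. `personal_words` holds values
    with obvious significance to the user (name, pet, street) that the
    slides say must not appear in the password.
    """
    problems = []
    # Composition rules from the "Password Standard" slide.
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no punctuation mark")
    # Content rules from the "Password Vulnerabilities" and "Password
    # Construction" slides: no dictionary words, proper names, keyboard
    # runs, or anything with obvious personal significance.
    lowered = pw.lower()
    core = "".join(c for c in lowered if c.isalpha())  # "Summer2024!" -> "summer"
    if core in DICTIONARY:
        problems.append(f"dictionary word {core!r}")
    if core in PROPER_NAMES:
        problems.append(f"proper name {core!r}")
    for run in KEYBOARD_RUNS:
        if run in lowered:
            problems.append(f"keyboard pattern {run!r}")
    for word in personal_words:
        if word.lower() in lowered:
            problems.append(f"personal information {word!r}")
    return problems


def meets_standard(pw, personal_words=()):
    """True when the password has no problems under the deck's rules."""
    return not password_problems(pw, personal_words)


def rotation_due(last_changed, today, max_age_days=ROTATION_DAYS):
    """True when the password is as old as, or older than, the rotation period."""
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    # Constructed sample passwords, including the one shown on the slide.
    for candidate in ("xt21b31", "Summer2024!", "Qwerty12!", "Tr4ck-P1ne#9"):
        print(f"{candidate:14} -> {password_problems(candidate) or 'OK'}")
    print("rotation due:", rotation_due(date(2024, 1, 1), date(2024, 5, 1)))
```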
35 Password Management: It's OK to share offices, equipment and ideas, but... do not share your password with anyone, anytime!
36 Safeguard Your Strong Password: Be careful about typing your password into a strange computer. Is anti-virus protection enabled? Is the owner trustworthy? Is a keyboard logger running to record your keystrokes? Who was the last person to use that computer? Do not use the automatic logon feature in Microsoft Windows.
37 E-mail Vulnerabilities: Are you opening Pandora's box? E-mail is the basic method of communication to transfer messages, files, and programs. What to look out for: attachment extensions (.xls, .doc, .php, .ppt, .exe, .vbs, .bin, .com, .pif); suspicious subject lines ("I love you", "my daughter's pictures", "You have won", "free gift", "Funny", "Humorous", etc.); look-alike sites; chain letters; web links; attachments you weren't expecting. If it's suspicious, don't open it.
38 Policy: Permissible uses (the entity's permissible uses). Prohibited uses (the entity's prohibited uses). ALL MESSAGES SHOULD BE CONSIDERED PUBLIC!
39 Web Browsing Security: Web surfing; active content and viruses or other malicious software; security risks in the PC and Mac versions of Internet Explorer and Netscape browsers. The company determines your security.
40 Visiting Internet Sites: Be careful about providing personal, sensitive information to an internet site. Be aware that you can get viruses from Instant Messenger-type services.
41 Privileges and Responsibilities: Use of your company computer account is a privilege. Along with the privilege to use company network resources come some responsibilities. Remember that Internet traffic is logged, monitored, and saved.
42 Backups: Back your computer up every night. Take the backup offsite.
43 So How Do We Start? Be aware! Security is 90% you and 10% technical. Learn, practice and adopt good security habits. Report anything unusual.
44 Absolute vs. Acceptable Levels of Risk: Absolute protection from risk is an impossibility. An acceptable level of risk is a more realistic approach to managing risk.
45 Keep an Inventory: Know exactly what equipment you have by listing an inventory. What kind of hardware do you have? What kind of software do you have? What kind of protection do you have (e.g., anti-virus or anti-spyware)?
46 Keep an Inventory. Record: when you began using it; when you stopped using it; when you upgraded.
47 The First Line of Defense Is You. The Last Line of Defense Is You.