Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security

Transcription

1 Welcome to part 2 of the HIPAA Security Administrative Safeguards presentation. This presentation covers information access management, security awareness training, and security incident procedures.

2 The next administrative safeguard is information access management. This standard focuses on implementing policies and procedures for authorizing access to electronic PHI that are consistent with the written minimum necessary rules under the HIPAA privacy rule. Three specifications make up this standard. 1 is required and 2 are addressable. 1. Isolating Healthcare Clearinghouse Function is a required specification 2. Access authorization is an addressable specification 3. Access establishment and modification is an addressable specification

3 The first specification is isolating healthcare clearinghouse functions. This standard focusing on a healthcare clearinghouse that is part of a larger organization. For this specification, a clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. Some implementation recommendations are: This standard ONLY applies if the healthcare clearinghouse is part of a larger organization. For example, if Healthcare Clearing House ABC is owned by Company XYZ. Create policies and procedures to protect the ephi processed during the clearinghouse functions Assure technical and physical safeguards are in place to keep the information separate from the larger organization.

4 Access authorization is an addressable specification under information access management. This specification requires the covered entity to implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. Implementation recommendations: Create a policy and procedure that documents how your organization grants access to protected health information at all levels Create a process for how the authorization is granted and who has access to grant it Assure that the minimum necessary standard in the Privacy Rule is being followed

5 The last specification under this standard is access establishment and authorization. This specification requires a covered entity to Implement policies and procedures that, based upon the entity s access authorization policies, establish, document, review, and modify a user s right of access to a workstation, transaction, program, or process. Implementation Recommendations: Create policies and procedures that address establishing, documenting, reviewing and modifying a user s rights of access to ephi through a workstation, program or process Assure to address all systems that contain ephi and assure there is a process for each Document process for regular review of lists of people with access to systems

6 The next standard under the HIPAA security rule is security awareness and training. This standard requires covered entities to Implement a security awareness and training program for all members of its workforce (including management). There are four addressable specifications under this standard: Security Reminders Protection from Malicious Software Log-in Monitoring Password Management

7 The first addressable specification is security reminders. Covered entities should create a process for periodic security reminders. This provides workforce on-going training and reminders regarding important security requirements and updates in between formal yearly trainings. Some implementation recommendations are: Create policies and procedures that define how on-going periodic training on security reminders will happen and how often Document how the security reminders will be kept and maintained for the minimum required time (6 years under HIPAA) Discuss the different types of media that will be used to provide security reminders.

8 The next addressable specification is malicious software which is focused on policies and procedures for guarding against, detecting, and reporting malicious software. This standard is set up to assure that regular updates and system patches are utilized to protect against any malicious software such as worms, viruses, and Trojan horses. Some implementation recommendations are: Create policies and procedures that document the requirements for updates to systems, hardware, and other electronic devices Document the responsible party or responsible department for the oversight of this requirement Document security features in place such as firewalls, malicious code filters, web browser security, up to date operating systems, anti-virus software, and operating system patches, etc.

9 The third addressable specification is log-in monitoring. This specification focuses on the covered entity creating procedures that monitor log-in attempts and reporting discrepancies. This standard creates a process for reviewing and evaluating log in attempts into the system that houses ephi. The intent of this standard is to create focus on understanding log in attempts and when they are not appropriate. Some implementation recommendations for this standard are: Create policies and procedures to define: A standard for an auto lock after so many failed attempts Review of audit logs on log in attempts success and failures to look for any trends How often the logs will be reviewed and how the review will be documented

10 The last addressable specification is password management. This specification creates the requirement to have a policy and procedure for creating, changing, and safeguarding passwords. All employees should be trained and aware of how to safeguard information and password policies and procedures. Some implementation standards: Create policies and procedures to govern password management Some key questions to think about are What are the requirements of the password. For example, are uppercase, lowercase, number, and symbols required in a password? How often are passwords required to change? Are staff able to reuse old passwords? Any other password management requirements, including not sharing passwords and not writing down passwords.

11 The last standard in this presentation is the security incident response standard. This standard is a required standard and is focused on covered entities implementing policies and procedures to address security incidents. For the purpose of the HIPAA Security Rule, a security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. There is one required specification under this standard. A covered entity must create a process for response and reporting of all security incidents. The process should include the identification, mitigation, and documentation of all security incidents. A policy and procedure should be created to manage this process within an organization.

12 Here are several recommended components that should be addressed in a security incident response policy and procedure. A Policy and Procedure should be created and include at a minimum How to identify potential incidents How/Who to notify of potential incidents How to respond to suspected incidents Steps to investigate the incident Steps to mitigate the incident Steps to communicate with media (if needed) How to document incidents including information to be contained How to work with Business Associates on potential Issues How it coordinates with your Breach Notification Policy and Procedure

13