HIPAA Security
Jeanne Smythe, UNC-CH; Jack McCoy, ECU; Chad Bebout, UNC-CH; Doug Brown, UNC-CH
What is this? Federal Regulations
August 21, 1996: HIPAA became law
October 16, 2003: Transaction Codes and Identifiers deadline
April 14, 2003: Privacy deadline
April 21, 2005: Security deadline
You've got to have goals: Everyone who sees, hears or handles PHI must keep it confidential and follow these rules, even if the individual does not have direct patient contact.
What is PHI? Protected Health Information: PHI is any health information that can be used to identify a patient and which relates to the patient, healthcare services provided to the patient, or the payment for these services.
What is this? 40+ pages of very fine print
164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
What is this? Safeguards and Standards
Safeguards: Administrative, Physical, Technical
Implementation Specifications: Required (you have to do this); Addressable (you still have to do this)
Hot Topics
Risk Assessments
Activity Review and Logs
Awareness and Training
PHI in Email
Wireless, Mobile Devices
Shadow copies, unmanaged PHI
Encryption
Awareness and Training
164.308(5)(i) Implement a security awareness and training program for all members of its workforce (including management):
(A) Security reminders
(B) Protection from malicious software
(C) Log-in monitoring
(D) Password management
Risk Management
164.308 Administrative safeguards.
(1)(a)(ii)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(1)(a)(ii)(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
Risk Management
Why do we need this?
Who will accept the risks?
What is the determination process?
Who will be involved in the determination process?
Physical Security 164.310 Physical safeguards. Physical safeguards are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.
Physical Security
Facilities: access control, policies and documentation
Systems: servers and workstations
Media: removable magnetic media, CD-Rs, memory keys, etc.
Surplused systems
Physical Security Equipment such as PCs, servers, mainframes, fax machines, and copiers must be afforded appropriate physical controls. Computer screens, copiers, fax machines, and printers must be situated in such a way that they cannot be accessed or viewed by the public. Computers must use password-protected screen savers.
Physical Security PCs that are used in open areas must be adequately secured to protect against theft or unauthorized access. Servers and mainframes must be contained in a secured area that is capable of limiting and monitoring physical access. Sealed envelopes marked CONFIDENTIAL should be used when mailing PHI.
Appropriate Disposal of Data Procedures for the appropriate disposal apply to PHI and Confidential Information. Hard copy materials such as paper or microfiche must be properly shredded or placed in a secured bin for shredding later. Magnetic media such as diskettes, tapes, or hard drives must be degaussed (subjected to a strong magnetic field) or electronically shredded using approved software and procedures. CD ROM disks must be rendered unreadable by shredding, defacing the recording surface, or breaking. No PHI or CI should be placed in the regular trash!
Activity Review 164.306(a)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
Activity Review
Auditing is a human-driven process.
Application logs?
System logs: Windows Event Logs (additional tracking has to be turned on); NetWare (NetWare events are server-specific settings; that is, they must be enabled on each NCP Server object in the tree)
Activity Review
Networking devices: firewalls, routers, switches (syslog? SNMP traps?)
Other security devices: anti-virus clients, intrusion detection, intrusion prevention, content filters
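As an added illustration of the activity review these slides call for (this script is not part of the deck), a small Python reviewer over constructed, syslog-style EHR audit lines: it flags repeated login failures for the log-in monitoring item, record views outside the workday, and PHI access under a shared account, which defeats the unique user ID requirement. The log layout, field names, the "ehr:" tag, and the thresholds are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records (not from any real system): syslog-style lines an
# EHR application might write for login attempts and patient-record views.
SAMPLE_LOG = """\
2005-04-21T08:02:11 ehr-app1 ehr: user=jsmith event=LOGIN result=SUCCESS src=10.1.2.33
2005-04-21T08:05:42 ehr-app1 ehr: user=jsmith event=VIEW mrn=000123 result=SUCCESS
2005-04-21T02:14:09 ehr-app1 ehr: user=tjones event=VIEW mrn=000777 result=SUCCESS
2005-04-21T09:10:00 ehr-app1 ehr: user=bbrown event=LOGIN result=FAILURE src=10.1.5.9
2005-04-21T09:10:07 ehr-app1 ehr: user=bbrown event=LOGIN result=FAILURE src=10.1.5.9
2005-04-21T09:10:15 ehr-app1 ehr: user=bbrown event=LOGIN result=FAILURE src=10.1.5.9
2005-04-21T09:11:02 ehr-app1 ehr: user=bbrown event=LOGIN result=SUCCESS src=10.1.5.9
2005-04-21T09:30:00 ehr-app1 ehr: user=shared event=VIEW mrn=000123 result=SUCCESS
"""

# Assumed line layout: ISO timestamp, host, "ehr:" tag, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ehr: (?P<kv>.*)$")

def parse(log_text):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
        fields["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(fields)
    return events

def review(events, failure_threshold=3, workday=(7, 19), shared_ids=("shared",)):
    """Return (finding, user, detail) tuples for a human reviewer to follow up."""
    findings = []
    # Log-in monitoring: repeated failures per account.
    failures = Counter(e["user"] for e in events
                       if e.get("event") == "LOGIN" and e.get("result") == "FAILURE")
    for user, n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(("repeated_login_failure", user, n))
    # Record views outside the workday, and views under a shared (non-unique) ID.
    for e in events:
        if e.get("event") != "VIEW":
            continue
        if not workday[0] <= e["ts"].hour < workday[1]:
            findings.append(("after_hours_access", e["user"], e.get("mrn")))
        if e["user"] in shared_ids:
            findings.append(("non_unique_user_id", e["user"], e.get("mrn")))
    return findings
```

The output is a worklist, not a verdict: as the slide says, auditing stays a human-driven process, and each finding still needs someone to decide whether it was legitimate.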
Administrative Safeguards
Security Management Process: Risk Analysis (Required); Risk Management (Required); Sanction Policy (Required); I.S. Activity Review (Required)
Administrative Safeguards
Assigned Security Responsibility
Workforce Security: Authorization and/or Supervision; Workforce Clearance Procedure; Termination Procedures
Administrative Safeguards
Information Access Management: Isolating Healthcare Clearinghouse (Required); Access Authorization; Access Establishment and Modification
Administrative Safeguards
Security Awareness and Training: Security Reminders; Protection from Malicious Software; Login Monitoring; Password Management
Administrative Safeguards
Security Incident Procedures
Evaluation
Business Associate Contracts
Administrative Safeguards
Contingency Plan: Data Backup Plan (Required); Disaster Recovery Plan (Required); Emergency Mode Operation Plan (Required); Testing and Revision Procedure; Applications and Data Criticality
Physical Safeguards
Facility Access Controls: Contingency Operations; Facility Security Plan; Access Control and Validation; Maintenance Records
Physical Safeguards
Workstation Use
Workstation Security
Device and Media Controls: Disposal (Required); Media Re-use (Required); Accountability; Data Backup and Storage
Technical Safeguards
Access Control: Unique User ID (Required); Emergency Access Procedure (Required); Automatic Logoff; Encryption and Decryption
Audit Controls
Technical Safeguards
Integrity: Mechanism to Authenticate ePHI
Person or Entity Authentication
Transmission Security: Integrity Controls; Encryption
Thank you Questions?