Unit 6 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.



Similar documents
Topic 1: Analyze Your Pharmacy for HIPAA Compliance

CHIS, Inc. Privacy General Guidelines

White Paper. BD Assurity Linc Software Security. Overview

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

HIPAA Security Training Manual

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Copyright Telerad Tech RADSpa. HIPAA Compliance

Client Security Risk Assessment Questionnaire

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

HIPAA COMPLIANCE REVIEW

Network Detective. HIPAA Compliance Module RapidFire Tools, Inc. All rights reserved V

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

White Paper. Support for the HIPAA Security Rule PowerScribe 360

VMware vcloud Air HIPAA Matrix

HIPAA Privacy and Security Risk Assessment and Action Planning

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

My Docs Online HIPAA Compliance

Estate Agents Authority

Supplier Information Security Addendum for GE Restricted Data

Security Considerations

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

HIPAA Information Security Overview

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

VoIP Logic HIPAA/SSAE SOC II Compliance Overview for Service Providers

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

8.03 Health Insurance Portability and Accountability Act (HIPAA)

An Effective MSP Approach Towards HIPAA Compliance

HIPAA Security Series

How To Write A Health Care Security Rule For A University

UC Irvine Health Secure Mail Message Center

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

HIPAA Privacy & Security White Paper

Procedure Title: TennDent HIPAA Security Awareness and Training

HIPAA Security Alert

efolder White Paper: HIPAA Compliance

Support for the HIPAA Security Rule

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

Samsung Security Solutions

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

Healthcare Compliance Solutions

GFI White Paper: GFI FaxMaker and HIPAA compliance

UF IT Risk Assessment Standard

HIPAA: The Role of PatientTrak in Supporting Compliance

HIPAA COMPLIANT STORAGE AND ACCESS POLICY

HIPAA Compliance Review Analysis and Summary of Results

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

HIPAA. considerations with LogMeIn

How To Protect Decd Information From Harm

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Security. assistance with implementation of the. security standards. This series aims to

How Managed File Transfer Addresses HIPAA Requirements for ephi

How To Protect Research Data From Being Compromised

Montclair State University. HIPAA Security Policy

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA SECURITY AWARENESS

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

Research Information Security Guideline

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Policy Title: HIPAA Access Control

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security COMPLIANCE Checklist For Employers

How to Practice Safely in an era of Cybercrime and Privacy Fears

- Procedures for Administrative Access

HIPAA compliance audit: Lessons learned apply to dental practices

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Protecting the Information of Clients, Donors, the Organization, Oh MY! Stacey Keegan November 14, 2012

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance Guide

IT Security Procedure

Features Security. File Versioning. Intuitive User Interface. Fast and efficient Backups

HIPAA Audit Risk Assessment - Risk Factors

Data Access Request Service

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW

Secure Client Guide

HIPAA Privacy & Security Training for Clinicians

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

How To Ensure Your Office Meets The Privacy And Security Requirements Of The Health Insurance Portability And Accountability Act (Hipaa)

On-Site Computer Solutions values these technologies as part of an overall security plan:

HIPAA/HITECH Compliance Using VMware vcloud Air

White Paper. Improved Delivery and Management of Critical Information: Solicitors Regulation Authority Compliance

HIPAA ephi Security Guidance for Researchers

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Transcription:

Running head: UNIT 6 RESEARCH PROJECT 1 Unit 6 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/28/2014

UNIT 6 RESEARCH PROJECT 2 Table of Contents Abstract....3 Introduction..........4 Electronic and non-electronic forms of protected health information.....4 HIPAA organizational compliancy is identified......5 Physical and technical safeguards........6 Administrative and organizational safeguards........8 References....... 9

UNIT 6 RESEARCH PROJECT 3 Abstract The unit six research project delves into the topic of HIPAA compliance. The project is broken down into four subtopics which are designed to build understanding and knowledge around HIPAA standards. The research projects requires the graduate student to assess HIPAA compliance as it relates to Family Dental; Family Dental is the healthcare facility that is being evaluated for HIPPA compliance. The areas that will be assessed at Family Dental are electronic and non-electronic protected health information, general compliancy, physical and technical safeguards, and administrative and organization safeguards. Ultimately, the assignment is meant to provide the student with real-world knowledge for assessing networks for regulatory compliance; this knowledge is be utilized in identifying HIPAA compliant and non-compliant areas, and then to provide recommendations to bring healthcare facilities closer to HIPAA compliancy.

UNIT 6 RESEARCH PROJECT 4 Unit 6 Research Project The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of standards that protect patient healthcare information in storage, processing, and transmission. The main objective of HIPAA compliancy is to ensure that companies that deal with or manage patient data adhere to a strict set of security protocols. These security protocols cover a wide range of rules, including risk analysis and management, administrative safeguards, physical safeguards, technical safeguards, and organizational requirements (U.S. Department of Health & Human Services, n.d.). Understanding HIPAA security is critical to protecting patient data, and is essential to the Family Dental HIPAA compliancy report. In the Family Dental HIPAA compliancy report, there is to be a full assessment of electronic and non-electronic patient health information, general compliancy, physical and technical safeguards, and administrative and organizational safeguards. The current areas and procedures are to be reviewed, strong and weak areas identified, and suggestions made to increase HIPAA compliancy at Family Dental. HIPAA Report Q1: Electronic and non-electronic forms of protected health information. The first item in HIPAA compliancy report identifies the electronic and non-electronic protected health information. The electronic protected health information (ephi) would include email and the patient database. The patient database contains patient healthcare information, patient addresses, telephone numbers, healthcare-related images, and patient billing information (Rouse, n.d.). The non-electronic forms of protected health information include X-rays, print outs from the printers, and third party lab results. The third party lab results may include paper-based reports, molds for crowns, braces, false teeth, and soft dental protectors, as well as fax print outs containing patient lab results. Additionally, there are physical letters that are mailed out to patients highlighting visits and important details describing dental procedures that have been done, or that are

UNIT 6 RESEARCH PROJECT 5 scheduled to be done. Q2: HIPAA organizational compliancy is identified. The first step in identifying organizational compliancy is recognizing the covered entities. Entities include businesses, organizations, or even individuals that must comply with HIPAA rules (U.S. Department of Health & Human Services, n.d.). Currently there are several entities that affect the dental care office; the entities are Family Dental, a third party technical support service, a third party mold maker (for braces, dentures, crowns, etc.), and a third party lab results company. Additionally, because Family Dental does use third-party servicers to carry out healthcare-related functions, there must be a written business contract stating the relationship, responsibilities, and implied obligations of the servicer. The second step in identifying organizational compliancy, is to assess the general office setup and staffing, and consider whether or not HIPAA compliance guidelines are being met. In the case of Family Dental, HIPAA compliant areas are highlighted here: Office space is appropriately separated from sitting areas There are separate examination rooms for each patient Examination rooms are shielded from the noise of other rooms An ephi database is used to store and access patient data (centralizing most data) Family Dentals uses a website that contains no patient data The letters that are being sent out to patients are processes properly A few suggestions to move Family Dental closer to HIPAA compliance include: Server room areas should be locked to be protected from theft ephi needs to be protected as both stored data and transmitted data All computers need to have enforced security

UNIT 6 RESEARCH PROJECT 6 Q3: Physical and technical safeguards. Physical safeguards include limiting access to the facility itself, as well as restricting physical access to computers, server areas, telecommunication rooms, and other electronic devices. Technical safeguards include restricting access to ephi, implementing auditing and integrity controls, and securing data during transmission. The physical safeguards that are HIPAA compliant at Family Dental are: The front doors have a dead bolt Telephones are out of ear range from patient sitting areas and exam rooms Conversations from medical staff cannot be heard by patients Physical safeguard suggestions to make Family Dental more HIPAA compliant: The whole facility should be monitored by a security system Inside doors protecting patient data should have key coded punch locks Patient X-ray, molds, and other healthcare-related storage areas should monitored via cameras Printers and fax machines should not be assessable or viewable by patients LCD screens in exam areas should not be visible (by default) to patients Server and telecommunication rooms should be locked at all times Old paper-based patient data, molds, X-rays, etc. must be properly disposed if a disposal service is recommended The technical safeguards that are HIPAA compliant at Family Dental are: Servers have a required username and password Billing and Check-in computers are separated from patient areas

UNIT 6 RESEARCH PROJECT 7 Technical safeguard suggestions to make Family Dental more HIPAA compliant: All computers should have a login username and password All computer passwords must meet complexity requirements; recommended complexity is one upper case letter, at least seven letters, one number, and one special character Computer screensavers should be set for five minutes, and then the computer locks Auditing should be enabled on all files and folders containing patient data All computers should use Microsoft s Bitlocker to protect stored data All computers should have anti-virus and anti-spam software installed All computers should restrict the installation of software; administrator access is required All VPN transmissions should use SSL to protect data in transmission It is important to note, physical and technical safeguards are necessary to protect patient data that exists in storage areas, in examination rooms, at check-in and billing areas, as well as in the computer systems at Family Dental. HIPAA compliancy includes locking doors inside and outside, as well as implementing access and auditing controls on workstations. Auditing and access controls can be implemented using either Microsoft s Active Directory or local group policy (Microsoft, n.d.). Computer systems should be protected by encryption software, specifically Microsoft s Bitlocker. Bitlocker is a full disk encryption that protects hard drives in the case of loss or theft, thus protecting sensitive patient information that may be stored on the drives (Microsoft, n.d.). Additionally, how older patient data is disposed of is equally important; this is why a disposal service has been recommended. Finally, patient data must be protected while being transmitted between offices, as well as to other healthcare facilities; the recommended protection is Secure Sockets Layer (SSL). SSL provides an encrypted link between the client and server, thus providing the level of security that is required by HIPAA

UNIT 6 RESEARCH PROJECT 8 regulation (Digicert, n.d.). Q4: Administrative and organizational safeguards. Implementing administrative and organization safeguards will further increase HIPAA compliancy at Family Dental. These safeguards include identifying entities, acknowledging who is responsible for ephi, assessing vulnerabilities and risks, implementing policies and procedures discussing HIPAA and ephi, and finally, providing the appropriate training to staff (U.S. Department of Health & Human Services, n.d.). When considering the outside entities, or business contracts, it is important to factor-in how Family Dental exchanges data over its third party network infrastructure. Although Family Dental outsources the IT infrastructure, the dental company is responsible for making sure any and all third party services know their responsibilities and obligations as it relates to ephi. One important security measure is to have the third party sign a contractual agreement. The contractual agreement will highlight patient security as outlined in HIPAA regulations; basically, all third party services are responsible for ephi and could be held liable for breaches in security. Another security measure is to verify that the IT infrastructure is designed and built using best practices. Best practices should include using access control lists (ACLs) on the router/firewall, as well as implementing SSL over VPN connections. The next safeguard is an organizational safeguard and includes training staff. All staff should be required to attend a workshop where patient information security, ephi, and HIPAA standards are discussed in detail. Once the training is complete, personnel will sign a form that states they have received the training, and that they fully understand the training content and their responsibilities in protecting patient information; this workshop will become a yearly training session to remind personnel of their role in securing patient information (U.S. Department of Health & Human Services, n.d.).

UNIT 6 RESEARCH PROJECT 9 References Cisco. (n.d.). Access Control Lists: Overview and Guidelines. Retrieved from http://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scf acls.html Digicert. (n.d.). What is SSL (Secure Sockets Layer) and what are SSL certificates? Retrieved from https://www.digicert.com/ssl.htm Microsoft. (n.d.). BitLocker Drive Encryption Overview. Retrieved from http://windows. microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview Microsoft TechNet. (n.d.). Active Directory. Retrieved from http://technet.microsoft.com/enus/library/bb742424.aspx Rouse, Margaret. (n.d.). Electronic protected health information (ephi). Retrieved from http://searchhealthit.techtarget.com/definition/electronic-protected-health-informationephi U.S. Department of Health & Human Services. (n.d.). Health Information Privacy. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information