HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines how electronic protected health information (ePHI) must be handled. Below, we outline the parts of the HIPAA Security Rule that affect IT most.

What is the HIPAA Security Rule?

First, let's be clear about the Security Rule. It's not a rule; it's a whole bunch of rules that fall under HIPAA. The U.S. Department of Health and Human Services defines the Security Rule as the following sections of the Code of Federal Regulations Title 45:

- Part 160: General Administrative Requirements
- Part 164, Subpart A: General Provisions
- Part 164, Subpart C: Security Standards for the Protection of Electronic Protected Health Information

Here's the thing: only the last section above has a large number of requirements for IT. The rest of the Security Rule may be important for your lawyer or compliance officer to review, but it's not something you will deal with regularly.

Important parts of the HIPAA Security Rule

So now that we've narrowed down the most important section of HIPAA for IT providers, let's outline the five main parts of the Security Rule to be aware of:

1. § 164.308 Administrative safeguards
2. § 164.310 Physical safeguards
3. § 164.312 Technical safeguards
4. § 164.314 Organizational requirements
5. § 164.316 Policies and procedures and documentation requirements

#1: Administrative safeguards (§ 164.308)

Administrative Safeguards are the elements that have to be in place to manage a healthcare provider's security. They are functions that are designed to help manage, execute, and evaluate security measures that protect ePHI. They also help ensure proper management of business associates so that ePHI is properly protected. Examples of the Administrative Safeguards that apply to any HIPAA-covered healthcare provider:

- Evaluations of existing security measures, as well as an analysis of potential risks and vulnerabilities to ePHI

- Sanctioning system for those who fail to comply with security policies
- Review procedures for information system activity
- Identification of officials who implement security policies and procedures (i.e. assigned security responsibility)
- Authorization measures to protect ePHI from unauthorized access or use
- Clearance procedures provided for workforce members, as well as mandatory security awareness and training programs
- Response and reporting procedures for addressing security incidents, such as physical break-ins, virus attacks, and lost or stolen passwords
- Contingency plans to respond to disruptions in critical business operations

#2: Physical safeguards (§ 164.310)

Physical safeguards prevent thieves from grabbing a system and running out the front door. They are the measures that physically protect information systems, as well as the buildings and equipment that handle or store healthcare data. These safeguards are fairly straightforward and mostly require organizations to document how they will use, protect, and manage physical information systems. They are broken down into the following four types:

- Workstation use: The organization must lay out the appropriate functions for any electronic computing device, including laptops, desktops, and other devices that store electronic media. Though seemingly mundane, this is an important consideration since inappropriate use (such as using a workstation to visit online gambling sites) can expose the organization to greater risks.
- Workstation security: The organization must identify all workstations that have access to ePHI and whether or not access to a workstation needs to be restricted (e.g. keeping a workstation in a locked room).
- Facility access controls: Policies that protect and limit access to facilities where information systems are located must also be identified (e.g. authorization measures, ID badges, surveillance cameras).
- Device and media controls: The organization must document and follow measures for handling the receipt and removal of hardware and media that contain ePHI into and out of a facility.

#3: Technical safeguards (§ 164.312)

The Security Rule gets more specific in the section on Technical Safeguards. Here HIPAA lists implementation specifications for IT systems that will handle and protect ePHI. For example, standards are included for the following:

- Access controls: Healthcare organizations need systems in place to allow access to ePHI only to people and systems that have a legitimate reason. The access controls should include unique user identification, emergency access procedures, automatic logoff, and data encryption.
- Audit controls: Mechanisms must be in place to record and examine activity in information systems that contain ePHI. These audits are helpful for determining if a security breach occurred.
- Integrity: Policies and procedures must be in place to protect health data from improper alteration or destruction. For example, health organizations need to validate that health data has not been tampered with.
- Authentication: People and entities that seek to access ePHI must be verified as legitimate. This can be accomplished by providing proof of identity, such as by supplying a password or PIN, a smartcard, or a biometric indicator.
- Transmission security: ePHI must also be protected from unauthorized access while in transit. This includes measures to ensure the data has not been modified while in transit, and the use of encryption to protect the data should the transmission be intercepted.

The Technical Safeguards in HIPAA's Security Rule do list the types of protections healthcare organizations must have in place. However, they stop short of specifying the exact technology to use (for example, organizations must use encryption, but a specific type is not specified).

#4: Organizational requirements (§ 164.314)

Healthcare organizations are required to have a contract or other agreement with their business associates under the Organizational Requirements. This section also specifies the criteria for the contracts. For example, when your client hands you a BA agreement to sign, expect to see clauses that require you to do the following:

- Agree to implement safeguards to protect ePHI and ensure that any subcontractors do the same
- Agree to report any security incident you become aware of
- Authorize the client to terminate the contract if you violate any part of it

Note: the Organizational Requirements also include information for group health plans. This section may not affect you, but just be aware that group plan sponsors must protect any ePHI they work with on behalf of the plan. This requirement must be listed in the plan document, using language similar to the safeguard requirements in business associate contracts.

#5: Policies and procedures and documentation requirements (§ 164.316)

This section requires healthcare organizations to adopt Policies and Procedures to meet HIPAA's guidelines. These items must be documented and maintained, and they can be changed at any time. In case you are unsure of these terms:

- Security policy: a written outline of how you will protect and maintain the organization's IT assets. The term policy may refer to a specific area, such as an email policy, or an overarching plan to protect all IT resources.

- Security procedure: a series of written steps to follow in a given situation. For example, a virus response procedure would list the steps to be taken once a computer on the system was shown to be infected by a virus.
- Documentation requirements: HIPAA does not specify the policies and procedures organizations must have in place. However, it does require organizations to have them and document them. The documents must be maintained for six years after their creation or last effective date, and they must be regularly updated to reflect any changes that may affect the security of ePHI.

The London School of Economics publishes good examples of security policies and procedures.

Thanks to the Flexibility of Approach provisions in HIPAA, your client can tailor their policies and procedures to fit the size and current practices of the healthcare establishment, as long as the following factors are considered:

- The size, complexity and capabilities of the organization
- The organization's technical infrastructure, hardware, and software security capabilities
- The costs of security measures
- The probability and criticality of potential risks to ePHI

A solid understanding of these four sections of the Security Rule will help you know what type of requirements and safeguards you'll need to follow when serving your healthcare clients.
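The audit-control and integrity safeguards under § 164.312 above, as an added example that is not from the original article: a tamper-evident activity log in which each entry's HMAC covers the previous entry, plus an integrity tag on an ePHI record, so that a retroactive edit, a deleted entry or an altered record is detected on verification. The key, the entry fields and the sample activity are constructed assumptions, not anything the Security Rule prescribes.

```python
import hashlib
import hmac
import json

# Constructed demo key: a real deployment keeps this in a key store, not in source.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

def _mac(fields):
    # MAC over a stable serialisation so dict ordering cannot change the tag.
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()

def append_audit_entry(log, user_id, action, record_id):
    # Each MAC covers the previous entry's MAC, so editing or removing an earlier entry breaks the chain.
    prev = log[-1]["mac"] if log else "0" * 64
    entry = {"user_id": user_id, "action": action, "record_id": record_id, "prev": prev}
    entry["mac"] = _mac(entry)
    log.append(entry)
    return entry

def verify_audit_log(log):
    # Returns (True, -1) when the chain verifies, else (False, index of first bad entry).
    prev = "0" * 64
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "mac"}
        if fields["prev"] != prev or not hmac.compare_digest(_mac(fields), entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, -1

def seal_record(record):
    # Integrity tag over an ePHI record so later alteration can be detected.
    return dict(record, _integrity=_mac(record))

def record_intact(sealed):
    fields = {k: v for k, v in sealed.items() if k != "_integrity"}
    return hmac.compare_digest(_mac(fields), sealed.get("_integrity", ""))

def demo():
    log = []
    append_audit_entry(log, "dr_lee", "VIEW", "pt-0001")       # constructed sample activity
    append_audit_entry(log, "nurse_kim", "UPDATE", "pt-0001")
    append_audit_entry(log, "dr_lee", "VIEW", "pt-0002")
    edited = [dict(e) for e in log]
    edited[1]["user_id"] = "someone_else"                      # retroactive edit
    removed = log[:1] + log[2:]                                # entry deleted from the middle
    sealed = seal_record({"patient": "pt-0001", "note": "constructed note"})
    return {"clean": verify_audit_log(log), "edited": verify_audit_log(edited),
            "removed": verify_audit_log(removed), "record_ok": record_intact(sealed),
            "altered_ok": record_intact(dict(sealed, note="changed note"))}
```

Verification only tells you that the chain or record was changed, not by whom; it complements, rather than replaces, restricting write access to the log itself.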