Mid Semester Project: Electronic Medical Records
Due: Friday, April 10th 2015, 11:59 PM, CIT 2nd Floor hand-in
CSCI 1800: Cybersecurity and International Relations

Introduction

While most individuals are still rather careless about their security and privacy on the Internet, the same attitude cannot be ascribed to their medical records. In several ways medical records would seem to be most secure when kept in physical paper form. In an increasingly mobile society, however, leaving records in that form is impractical both for physical storage and for accessibility. In this project you will design (in groups of 2) a system that can distribute information via the Internet so that a doctor operating on a broken leg in Aspen can have access to the patient's records in Miami. Each team will consist of one person with a Computer Science background and one with an International Relations/Political Science background.

Assignment

The project consists of two primary components due on April 10th, as well as a design check that occurs the week of March 16th.

The first component is a detailed policy paper outlining how the proposed system complies with current HIPAA rules, while also taking into account the various privacy, security, and legal issues that arise when designing a distributed medical records system. This paper should be 8-10 pages (double spaced). Design your database with HIPAA in mind; the focus should be on the specifics of how your database complies with HIPAA regulations, rather than on HIPAA in general. Exploration of shortcomings in the current HIPAA system, coupled with proposed solutions or avenues that could generate such solutions, is entirely within the scope of the paper.

The second component is a detailed technical design of the system's implementation. A good design should not contain code, but should be detailed enough that it could be handed off to a team of developers and implemented without further explanation. While the design must be technical, the writing should be cogent and accessible to readers of all backgrounds. CSCI 1800 is a writing designated class and the TAs will levy serious deductions for pieces that exhibit writing deficiencies. This document should describe each technical component of the system: its structure, its role within the system as a whole, and how it interacts with the other components. This paper should also be 8-10 pages (double spaced).

The complete midterm, including both policy and technical papers, should be no more than 20 double spaced pages combined, including diagrams or other inset material but excluding the bibliography.

Design Check

Please bring a one page, single spaced outline (about one longer paragraph for policy and one longer paragraph for technical) of how you plan to design and implement your proposed system. The policy paragraph should address the main policy points described in this handout; the technical paragraph should do the same with the technical material. We will hold open office hours for these design checks; if you have questions about your design, we are happy to help. If not, we will ask you to come by to turn in your document in order to receive a complete for the 10% design check grade, which will be factored into your overall midterm grade.

Requirements

These requirements should form a framework for your design. When choosing your design, keep in mind the need to comply with HIPAA standards while also creating a technically sound system. Feel free to be creative, but be sure to read the HIPAA specifications thoroughly.

1. Centralized/Decentralized Database
A centralized database would keep the majority of the data in a few centers; a decentralized system would spread that information across many centers. Do you want your design to consolidate records, or would you rather have each medical center maintain its own records? What other options exist?

2. Types of Access
Many types of individuals may need access to medical records, including the patients themselves, doctors, and other medical and pharmaceutical personnel. Who would you like to have access to this protected information? Should every person have a similar amount of access? Read HIPAA carefully to decide the depth of information that should be given to any entity you wish to grant access; the Privacy Rule's "minimum necessary" standard is the governing principle.

3. Security, Encryption, and Authentication Protocols
Under HIPAA, information sent across networks must be encrypted, and proper authentication must take place before access to information is granted. (Strictly, the Security Rule lists transmission encryption as an "addressable" specification, 45 CFR 164.312(e)(2)(ii): a covered entity implements it where reasonable and appropriate, or documents why not and adopts an equivalent measure. For this project, treat it as required and justify the algorithms you choose.) What encryption scheme should protect information in your database and in transit? What authentication protocols do you want to employ? Be sure to consider how easily your database could be compromised, and address counter arguments or flaws in your system.

4. Auditing and Backup Protocols

HIPAA requires certain auditing and backup protocols to be in place. Familiarize yourself with the requirements for routine and security-based audits. How will your information be backed up and stored, especially in cases of natural disaster or emergency?

Hints and Useful Questions

1. When designing the system, consider who stores the medical records, where those records are stored, and the advantages/disadvantages of those decisions.

2. When thinking about access control, consider not only who should have access to the medical records, but also for how long. For instance, the doctor in Aspen who needs the patient's file before operating on a broken leg does not need access to that patient's information a year later. Time-limited, patient-scoped grants of access are one way to capture this.

3. Since this project puts forth a proposal for a new medical records transfer service, feel free to propose changes to the HIPAA rules. For instance, you might need increased federal oversight, or some third party identification/authentication system that doesn't yet exist. If you do this, make sure the changes proposed are reasonable, and outline how they would be implemented and why this path is necessary. You cannot, for instance, say that all authentication must be done by the federal government and then use that to avoid proposing an authentication system. The assignments page contains a link to the National Strategy for Trusted Identities in Cyberspace (NSTIC), a 2011 federal initiative for trusted online identities that bears directly on the privacy and security concerns around Electronic Health Records.

Issues That Must Be Addressed

1. Privacy Rule
a. The Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) by covered entities and the personnel with access to it (see Requirement 2 above). PHI includes any part of a medical history and payment information related to that history. Covered entities must act on an individual's request for access to their own PHI within 30 days, and must disclose PHI when required by law, for example in cases of child abuse or other illegal activity.
b. The rule also requires covered entities to correct inaccurate PHI. It bolsters patient confidentiality by allowing individuals to ask that information be communicated through a specific channel, e.g., a home phone number rather than a work number.
c. Covered entities are obligated to give individuals, on request, an accounting of disclosures of their PHI. They must keep track of disclosures, document privacy policies, and appoint a Privacy Official who is responsible for those policies and for training the workforce, and who can be contacted with complaints.

2. Security Rule

a. The Security Rule supports the Privacy Rule: while the Privacy Rule protects all Protected Health Information, the Security Rule protects Electronic Protected Health Information (EPHI). The following three categories of safeguards must be implemented to adhere to the Security Rule, although covered entities can determine how to implement them:

b. Administrative safeguards: policies showing how the entity complies with the act on an administrative level. These include:
i. Adoption of written security procedures and designation of a security official, with managerial and organizational oversight (the Privacy Rule separately requires a privacy official).
ii. Clear identification of levels of access and of the types of individuals granted access, with an ongoing HIPAA training process.
iii. Policies addressing the establishment of access to EPHI, the modification of EPHI, and the termination of access to EPHI.
iv. Assurance that any contracted parties or business associates (e.g., labs, clearinghouses) comply with HIPAA protocols.
v. An outline of auditing and backup policies, designed both to routinely check the security of the database and to respond to emergency situations. How will your database respond in the case of a security breach?

c. Physical safeguards: controls on physical access to EPHI and other protected data.
i. Covered entities must control the installation and removal of all hardware and software used to access EPHI (e.g., when equipment is retired, it should be disposed of properly, with any EPHI wiped from its storage media).
ii. Both hardware and software that can access EPHI should be protected and accessed only by authorized individuals.
iii. Access to physical sites should be strictly controlled and monitored; workstations should not be in public, high traffic areas.
iv. Any contractors or agents will need HIPAA training before access.

d. Technical safeguards: controls on access to EPHI, on communications, and on the networks through which EPHI is transmitted.
i. Encryption must be used for any transmission of EPHI over an open network. Because the rule treats transmission encryption as an addressable specification, a design that relies on a closed network instead must document why that is adequate.
ii. Covered entities are responsible for ensuring that EPHI has not been tampered with or erased without authorization.
iii. Data corroboration (for example, double keying or message authentication codes) may be used to verify data integrity.
iv. All entities with access to EPHI must be authenticated before receiving that access.

v. Documentation of HIPAA practices must be made available to the government to demonstrate compliance.
vi. All configuration specifications should also be documented and maintained in a written record.
vii. Risk analysis and risk management must also be documented. (Items v-vii are documentation and administrative requirements of the Security Rule rather than technical safeguards proper, but your design must cover them.)

These security requirements make up a minimum level of adherence, and they place responsibility on covered entities to take reasonable precautions to prevent EPHI from being used for purposes other than health care.

3. National Provider Identifier
a. All medical personnel are currently required to use a National Provider Identifier (NPI) to identify their practice. The NPI is a unique 10-digit number that is "intelligence-free": it encodes nothing about the provider (no specialty, location, or license information). Its tenth digit is a check digit, so a transcribed NPI can be checked for typos before it is looked up. How will your database utilize or acknowledge the NPI?

4. HITECH Act
a. The Health Information Technology for Economic and Clinical Health Act extends HIPAA's Privacy and Security Rule obligations directly to business associates of covered entities and adds breach notification: a business associate (e.g., a billing service, a cloud hosting provider, or a clearinghouse acting on behalf of a provider) that discovers a breach of unsecured PHI must notify the covered entity, which in turn must notify the affected individuals and HHS. Be sure to address these requirements in your midterm.

Grading

You will be graded based on the metrics described in the midterm rubric. Your grade will be shared with your partner, so we expect equal effort and completeness on both the policy and technical aspects in order to maximize points. Distribution is as follows: 10 percent of the grade will be based on the design check, and 90 percent on the policy and technical papers (see rubric below).
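The NPI check digit mentioned under item 3, as an added example (written for this page, not code from the handout or from CMS): CMS computes the tenth digit with the Luhn formula over the constant prefix 80840 followed by the nine identifier digits, which lets a records system reject a mistyped provider number at the input boundary, before it is used in a lookup or an access decision. The identifiers in the block are constructed inputs; the function names normalize_npi and partition_npis are chosen here.

```python
"""NPI check-digit validation (Luhn formula over the constant prefix 80840).
Added example; the sample identifiers below are constructed inputs."""
import re

# CMS prepends this constant so the NPI validates like a 15-digit card number.
NPI_PREFIX = "80840"


def luhn_sum(digits: str) -> int:
    """Luhn sum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def npi_check_digit(first_nine: str) -> int:
    """Check digit for a nine-digit NPI body, e.g. 123456789 -> 3."""
    if not re.fullmatch(r"\d{9}", first_nine):
        raise ValueError("NPI body must be exactly nine digits")
    # A trailing 0 stands in for the check digit so the doubling pattern lines up.
    return (10 - luhn_sum(NPI_PREFIX + first_nine + "0") % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True for a ten-digit NPI whose check digit matches."""
    return bool(re.fullmatch(r"\d{10}", npi)) and luhn_sum(NPI_PREFIX + npi) % 10 == 0


def normalize_npi(text: str):
    """Strip spaces/hyphens from a transcribed NPI; return it, or None if invalid.
    Call this at the input boundary so a mistyped NPI never reaches the lookup
    or access-control layer."""
    candidate = re.sub(r"[\s-]", "", text)
    return candidate if is_valid_npi(candidate) else None


def partition_npis(values):
    """Split a batch of transcribed identifiers into (valid, rejected) lists."""
    valid, rejected = [], []
    for raw in values:
        npi = normalize_npi(raw)
        if npi is None:
            rejected.append(raw)
        else:
            valid.append(npi)
    return valid, rejected
```

Luhn catches every single-digit error and all adjacent transpositions except 09/90, so this is a typo check, not proof that the provider exists or is who they claim to be: the design still needs to look the NPI up in the NPPES registry and, separately, authenticate the person presenting it.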

Midterm Project Grading Rubric

Requirements Paper Guidelines (100 Points)                                          Points
Purpose of the system                                                                 10
Counter arguments to the proposed system (justification of decisions made)
  and why the proposed system is better than the existing system and alternatives    10
Complies with HIPAA, HITECH, legal privacy, and the Security Rule (changes to
  HIPAA must be reasonable and supported; implementation of the system must be
  explained)                                                                          15
Server/client interface                                                                8
Auditing and backup (automated and manual)                                             8
Database location, centralization/decentralization, storage advantages/
  disadvantages                                                                        8
Authorized access: types, time to live for access                                      8
Secure communication between client/server                                             8
Style: grammar, 8-10 pages single spaced (including both papers), follows
  standard formatting guidelines for papers                                           15
Independent research (including bibliography)                                         10
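Requirement 4 (auditing) and Hint 2 (access that expires) together, as an added example that is not part of the handout: a gateway that releases a record only under a grant scoped to one patient and one time window, lets a patient read their own record without a grant, and writes every decision, allowed or denied, to an HMAC-chained log whose verify() pinpoints the first edited entry. The identifiers, timestamps and audit key are constructed for the example; in a real deployment the key would be held by the audit function in an HSM or KMS, and "now" would come from a trusted clock rather than a parameter.

```python
"""Patient-scoped, time-limited access grants plus a tamper-evident audit log.
Illustrative design only; keys, identifiers and timestamps are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    grant_id: str
    subject: str          # authenticated principal (e.g. a provider's NPI)
    patient_id: str       # the single record the grant covers
    purpose: str          # treatment, payment, ... (recorded for the audit trail)
    issued_at: datetime
    expires_at: datetime  # the "time to live" from Hint 2


class AuditLog:
    """Append-only: each entry is HMAC-tagged over its canonical JSON, which
    includes the hash of the previous entry, so editing, deleting or reordering
    entries is caught by verify(). The key belongs to the auditor, not the app."""

    def __init__(self, key: bytes):
        self._key, self.entries, self._prev = key, [], "0" * 64

    def _tag(self, body: dict):
        canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self._key, canon.encode(), hashlib.sha256).hexdigest()
        return tag, hashlib.sha256((canon + tag).encode()).hexdigest()

    def append(self, **fields) -> None:
        body = dict(fields, prev=self._prev)
        tag, self._prev = self._tag(body)
        self.entries.append({"body": body, "tag": tag})

    def verify(self):
        """(True, n_entries) if intact, else (False, index of the first bad entry)."""
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            tag, nxt = self._tag(e["body"])
            if e["body"].get("prev") != prev or not hmac.compare_digest(tag, e["tag"]):
                return False, i
            prev = nxt
        return True, len(self.entries)


class RecordsGateway:
    """Every read of a record passes through here and is logged, allowed or not."""

    def __init__(self, audit_key: bytes):
        self.grants, self.revoked, self.log = {}, set(), AuditLog(audit_key)

    def issue_grant(self, subject, patient_id, purpose, now, ttl) -> str:
        gid = f"g-{len(self.grants) + 1}"
        self.grants[gid] = Grant(gid, subject, patient_id, purpose, now, now + ttl)
        self.log.append(event="grant_issued", grant=gid, subject=subject, patient_id=patient_id,
                        purpose=purpose, expires_at=(now + ttl).isoformat())
        return gid

    def revoke(self, grant_id, now) -> None:
        self.revoked.add(grant_id)
        self.log.append(event="grant_revoked", grant=grant_id, at=now.isoformat())

    def _decide(self, subject, role, patient_id, now):
        if role == "patient":  # right of access to one's own record needs no grant
            return (True, "patient self-access") if subject == patient_id else (False, "no grant")
        reason = "no grant"
        for g in self.grants.values():
            if g.subject != subject or g.patient_id != patient_id:
                continue  # a grant for another patient never widens scope
            if g.grant_id in self.revoked:
                reason = "revoked"
            elif now >= g.expires_at:
                reason = "expired"
            elif now < g.issued_at:
                reason = "not yet valid"
            else:
                return True, f"grant {g.grant_id}"
        return False, reason

    def read_record(self, subject, role, patient_id, now):
        allowed, reason = self._decide(subject, role, patient_id, now)
        self.log.append(event="read", subject=subject, role=role, patient_id=patient_id,
                        at=now.isoformat(), allowed=allowed, reason=reason)
        return allowed, reason


def run_scenario() -> dict:
    """The Aspen/Miami scenario from the handout, with constructed identifiers."""
    gw = RecordsGateway(b"constructed-demo-audit-key")  # real key: KMS/HSM, auditor-held
    t0 = datetime(2015, 4, 10, 9, 0, tzinfo=timezone.utc)  # constructed "now"
    h = timedelta(hours=1)
    aspen_md = "1234567893"  # NPI-shaped identifier for the treating physician (constructed)
    gw.issue_grant(aspen_md, "P-100", "treatment: broken leg", t0, 24 * h)
    consult = gw.issue_grant(aspen_md, "P-200", "treatment: consult", t0, 24 * h)
    out = {"in_window": gw.read_record(aspen_md, "physician", "P-100", t0 + 1 * h),
           "no_grant": gw.read_record(aspen_md, "physician", "P-300", t0 + 1 * h)}
    gw.revoke(consult, t0 + 2 * h)
    out["revoked"] = gw.read_record(aspen_md, "physician", "P-200", t0 + 3 * h)
    out["expired"] = gw.read_record(aspen_md, "physician", "P-100", t0 + 25 * h)
    out["patient_self"] = gw.read_record("P-100", "patient", "P-100", t0 + 3 * h)
    out["log_ok"] = gw.log.verify()
    # An insider rewriting history: change the patient on the first allowed read.
    gw.log.entries[2]["body"]["patient_id"] = "P-999"
    out["log_after_tamper"] = gw.log.verify()
    return out
```

Denied reads are logged as deliberately as allowed ones, since a burst of "expired" or "no grant" denials from one subject is exactly the signal a security-based audit (Requirement 4) should surface; and because the log tag covers the previous entry's hash, deleting the denials to hide that burst breaks the chain at the same point verify() reports.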