Transcript Hipaa security

HIPAA PRIVACY AND
SECURITY
COMMUNITY HEALTH NETWORK, INC.
ON-LINE MANDATORY TRAINING
OBJECTIVES OF TRAINING
• HIPAA Fundamentals
• Privacy Rule Basics
• Security Rule Basics
• Security Components
• Security Policies and Procedures
• Instructions: On-line mandatory training
WHAT DOES HIPAA STAND FOR?
• Health
• Insurance
• Portability
• Accountability
• Act
HIPAA POLICIES
CHN has 25 policies that relate to HIPAA they can be found on the
CHN Intranet. CHN HIPAA policies are updated on an ongoing
basis in order to satisfy changing compliance requirements and
industry best practice.
• “Policies & Procedures” – Section 20 – Information Technology
• “CHN Manuals & General Info – HIPAA”
• “Policies & Procedures” – Section 37 – Corporate Compliance
HIPAA OVERVIEW
HIPAA originally passed in 1996 and finalized in
January of 2013. The Rule is meant to:
• Standardize Records- Transaction coding and
compliance more simple thereby saving money in the
long-term.
• Provide Portability- Allows for easy transfer of medical
information.
• Promote Accountability- The responsibility piece,
keeping the information private and secure.
Within HIPAA there are two rules that we need to comply
with:
• The Privacy Rule
• The Security Rule
HIPAA: PRIVACY RULE
Privacy Rule:
• Restricts what information can be disclosed and
who should have access to it. Specifically in
relation to:
• Individually Identifiable Information
• Protected Health Information (PHI)
HIPAA: PRIVACY RULE
Individually Identifiable Information:
• A subset of health information, created or received by
a Covered Entity, like CHN, relating to a condition,
treatment, or payment which could be used to identify
a client.
• Any information that can be traced back to a specific
person is then considered Individually Identifiable
Information.
HIPAA: PRIVACY RULE
Protected Health Information (PHI):
• Any health or individually identifiable information given
to a covered Entity, like CHN, whether verbal, written
or electronic needs to remain confidential. This
includes information that can connect the patient to
the medical record:
• Name
• Address
• Social Security Number & Other ID Numbers
• Medical Record Number (MRN)
• Physician’s Notes
• Billing Information
HIPAA: PRIVACY RULE
Covered Entity:
• Any health plan, clearinghouse, or provider who
transmits health information (CHN).
• Covered entities MUST:
• Allow patients to see and receive copies of their PHI and
do so electronically.
• Designate a Privacy Officer and a means to contact
him/her.
• Develop a Notice of Privacy Practice document for
patients.
• Provide training to new employees and affiliates.
• Develop and utilize a complaints process.
• Ensure Business Associates also comply with the privacy
regulations.
HIPAA: PRIVACY RULE
Business Associate:
• A person or organization that performs a function on
behalf of a Covered Entity using individually
identifiable information.
• Business Associates are required to sign a Business
Associate Agreement.
• If the Business Associate should need to share
information with another organization or subcontractor
they must continue the same process of establishing
the Business Associate Agreement.
• The chain on private information cannot be broken.
• Patients can file a grievance if they think their rights
have been violated.
HIPAA: PRIVACY RULE
• Corrective action for HIPAA Privacy
violation:
• CHN has a ZERO TOLERANCE POLICY for noncompliance in relation to Privacy Breaches,
the non-compliant individual will be
immediately dismissed.
• Violations of a severe nature may result in
notification to law enforcement officials as
well as regulating, accrediting, and/or
licensing organizations.
HIPAA: PRIVACY OFFICER
Privacy Officer-Director of Health Info Services
• Develops a Notice of Privacy Practice document.
• Investigates complaints and violations related to
Privacy Breaches.
• Works with Compliance Officer to make sure Business
Associates also comply with the privacy ruling.
• Ensures CHN and it’s employees are compliant in regards to
the privacy rule.
• Ensures privacy standards comply with statutory and
regulatory requirements.
• Maintains HIPAA privacy policies and procedures.
HIPAA: SECURITY RULE
• Ensures that electronic information is kept private.
• Four Requirements of Security:
• Ensures confidentiality, integrity, and availability of electronic
PHI.
• Protects against possible threats and hazards to the
information.
• Hackers, viruses, natural disasters or system failures.
• Protects against unauthorized uses or disclosures.
• Ensures compliance by the workforce through
security regulations and policies/procedures.
• Three Components of Security:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
HIPAA: SECURITY RULE
Administrative Safeguards:
• Documentation kept for 6 years.
• Corrective action for HIPAA security violation:
• Violations of a severe nature may result in notification to law enforcement
officials as well as regulating, accrediting, and/or licensing organizations.
• Internal system audits minimize security violations.
• Logins, file accesses, and or security incidents.
• Information access management:
• Access to PHI based on what is needed to preform the job.
• Once computer access is requested, it will take 48-72 hours to implement
due to complexity of security system.
• Security awareness and training:
• Security updates, incident reporting, log-in, and password management.
• Security incidents will be reported if suspected or if there is an
actual breach.
HIPAA: SECURITY RULE
Physical Safeguards:
• Safeguard the facility and equipment, from
unauthorized physical access, tampering, and theft.
• Workstations positioned so monitor screens/ keyboards are not
directly visible to unauthorized persons. Use of privacy screens
when applicable. Physical access to the server room limited to
key IT personnel.
• Staff complies with appropriate workstation
access/use.
• Log on as themselves. Log off prior to leaving the workstation.
• Comply with all applicable password policies and procedures.
• Close files not in use.
HIPAA: SECURITY RULE
Physical Safeguards (Continued):
• Exercise caution when saving any files that may
contain PHI or proprietary business information:
• Avoid saving such information whenever possible.
• If files containing EPHI must be saved, only store on CHN
shared drives.
• NEVER save files containing EPHI or proprietary business
information to a flash drive, laptop, or local PC harddrive
• If you have questions, or would like assistance properly
securing files, please call the IT helpdesk (x6600)
• Report any concerns regarding data security to CHN’s IT
Security Officer, Privacy Officer, or The Corporate Compliance
Officer.
HIPAA: SECURITY RULE
Technical Safeguards:
• Access controls:
• User password setup is for one-time use initially. Allowing
the individual to choose their own unique password for
future access.
• User passwords reset every 180 days.
• Citrix sessions automatically close after 60 minutes of
inactivity.
• Electronic “patient charts” will automatically close at
different intervals depending on place within the
program.
• Initial log-on screens close within seconds of inactivity.
• Screens further into specific modules, close and back up
to the previous screen, ranging from seconds to minutes
of inactivity.
• No downloading to laptops, tablets, or PC’s.
HIPAA SECURITY OFFICER
Security Officer- IT Manager
• Maintains appropriate security measures to guard against
unauthorized access to electronically stored and/or transmitted
patient data and protect against reasonably anticipated threats
and hazards.
• Oversees and/or performs on-going security monitoring of
organization information systems.
• Ensures compliance through adequate training programs and
periodic security audits.
• Ensures security standards comply with statutory and regulatory
requirements.
• Maintains HIPAA security policies and procedures.
HIPAA: CORPORATE COMPLIANCE
• HIPAA regulations are also overseen by the
Corporate Compliance Officer as part of the
CHN Corporate Compliance Plan.
• The Corporate Compliance Officer works with both
the Privacy and Security Officer to ensure processes
are in place to maintain compliance with HIPAA
regulations.
• The Corporate Compliance Officer aids both the
Privacy and Security Officer in investigating actual or
suspected HIPAA violations.
• Privacy and Security breaches can be
reported to the Corporate Compliance Officer
HIPAA VIOLATIONS
• Significant issues beyond CHN jurisdiction can be
reported to :
•
•
•
•
Centers for Medicare & Medicaid Services (CMS)
Office for Civil Rights (OCR)
Department of Justice (DOJ)
Attorney General
• HIPAA violations can and do result in civil and criminal
penalties, which could be faced individually :
• May range from a $100 civil penalty up to a maximum of
$1,000,000 per year for each standard violated.
• May become a criminal penalty for knowingly disclosing
PHI, a penalty that could escalate to a maximum of
$25,000 for visibly malice offenses.
WHO IS RESPONSIBLE FOR HIPAA?
EVERYONE at CHN (including our affiliates) has an
obligation to maintain privacy and security, for example:
• IT Managers/Staff:
• Implement safeguards for the computer systems.
• Medical Professionals:
• Create and access the majority of patient information.
• Managers and Supervisors:
• Develop and implement policies and procedures that relate to
security and ensure their staff are trained properly.
• Clerical Staff:
• Create and access patient information.
• Volunteers:
• Have access to patient information in various setting such as
lobbies and waiting rooms.
TIPS FOR HIPAA COMPLIANCE
•
•
•
•
•
•
•
•
•
•
Log on and off the network appropriately.
Never let others use your ID or work under your ID.
Do NOT write your password down.
Do NOT disable anti-virus software or install unapproved software.
Never introduce new hardware or media.
E-mail may be, but is not always, a secure form of data
transmission. Do NOT e-mail PHI outside of CHN unless entering
“@encrypt” in the subject line to send encrypted.
Only access PHI if you need it to preform your job.
Be aware of, and report, security threats to the Security Officer.
Put security safeguards on your mobile devices.
Be careful and aware of who is around you when PHI is being
discussed.
Report lost or stolen laptops, tablets, or cell phones ASAP.
FOLLOWING THE PRESENTATION
• Be sure to complete the two required forms as
documentation of completion. Successful completion
of this on-line mandatory training is required to receive
your computer access privileges.
CHN HIPAA Security Quiz
Policy – Internet/Intranet Acceptable Use
**Complete both items and return them to the
applicable Department (HR or Education) PRIOR to your
first day.**