HIPAA Security 101 - The Department of Human Services


HIPAA Security 101
1 -- v3.1 April 7, 2005
HIPAA Security 101
PA Dept. of Public Welfare

HIPAA Security

As a care provider, clearinghouse, and “insurer,” the Department of Public Welfare (DPW) deals with our citizens’ medical information on a daily basis. It is essential that we protect the privacy and security of those records.

HIPAA Security

HIPAA privacy, which covers Protected Health Information (PHI) in any form, has already been addressed as a separate training course. This training deals with HIPAA Security, the practices used to protect certain electronic health information. Although HIPAA Security covers PHI only in electronic form, it is closely linked to HIPAA privacy.

Quiz 1

What is HIPAA?

1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.

Please make your selection: ____

Answer 1

If you selected choice 3, the Health Insurance Portability and Accountability Act of 1996, you are CORRECT!

HIPAA was passed by the US Congress and signed by President Clinton. It is intended to simplify administration of the health care system and to reform the way health care providers, insurers, and other “covered” entities share and protect your health information.

Who is a “Covered” Entity?

- Health Care Providers
  - Physicians, dentists, nurses, hospitals, nursing homes, etc.
  - Includes DPW
- Health Care Clearinghouses
  - Billing services, etc.
  - Includes DPW
- Health Care Plans
  - Group health plans, HMO’s, PPO’s, Medicare, Medicaid, etc.
  - Includes DPW

What does HIPAA Cover?

- Transactions – standardizes diagnostic and treatment codes, forms, and processes used by providers, insurers, and other covered entities
- Identifiers – standardizes identifier codes or numbers for providers, health plans, and employers
- Privacy – addresses who has access to PHI in any form (oral, written, electronic, etc.), the circumstances under which those records may or may not be shared, and how that information needs to be safeguarded
- Security – addresses how PHI (electronic only) is protected, both in storage and in transmission

What are We Securing?

Electronic PHI (ePHI) is data that…

- Identifies or includes information that could identify an individual (including demographic information)
- Relates to the past, present, or future
  - Physical or mental health or condition of an individual
  - Provision of health care to the individual
  - Payment for the provision of health care to an individual
- Is stored or transmitted electronically

Quiz 2

Are data such as your name, address, phone number, date of birth, and social security number (SSN) examples of PHI covered by HIPAA?

Yes or No?

Answer 2

YES

As a part of a medical record, they are examples of data by which the identity of a client could be determined. Within the DPW data systems, this type of data is so intertwined with medical data that DPW has made a decision to treat all such data elements as PHI, regardless of their actual context or source.

What is HIPAA Security?

Security consists of the administrative, physical, and technical controls or processes by which:

- We ensure:
  - Confidentiality – only the right people see the data
  - Integrity – the data is what it is supposed to be; it hasn’t been changed or corrupted
  - Availability – the data is available when it is needed

What is HIPAA Security? (cont.)

- We protect data from:
  - Actual and reasonably anticipated threats or hazards to the security or integrity of ePHI (for example, fire, flood, theft, storm, etc.)
  - Actual and reasonably anticipated uses or disclosures of ePHI not permitted by the policy rules (including accidental or deliberate access or use by unauthorized persons)

Administrative Safeguards

Policies, procedures and practices including:

- Security management processes
  - Risk analysis and management
  - Sanction policy
  - Information system review and auditing
- Assigned security responsibility
  - HIPAA security officer
- Workforce security
  - Authorization and/or supervision
  - Background checks
  - Termination procedure

Administrative Safeguards (cont.)

- Information access management
  - Isolation of ePHI data from other data
  - User registration/deregistration process
  - Access authentication and authorization
- Security awareness and training
  - HIPAA-specific workforce training, including program office and job-specific training
  - Security reminders/bulletins
  - Anti-virus and anti-spyware software and procedures
  - Login monitoring
  - Password policies

Administrative Safeguards (cont.)

- Security incident procedures
  - Reporting and response
- Contingency planning
  - Data backup
  - Disaster recovery planning
- Agreements with entities performing HIPAA-covered work on DPW’s behalf
  - Written agreements, revisions of agreements, as appropriate
- Evaluation
  - Periodic review and self-evaluation

Physical Safeguards

Means by which the physical systems and media are protected from unauthorized use or access:

- Facility access controls
  - Contingency operation
  - Facility security (restricted access, monitoring, etc.)
  - Access control and validation procedure
  - Maintenance records
- Workstation usage
  - Business use only
  - Restrictions on Internet access

Physical Safeguards (cont.)

- Workstation security
  - UserID/Password required for access
  - Automatic lockout when workstation is unattended or unused for a certain amount of time
- Device and media controls
  - Disposal of systems and media
  - Media re-use
  - Accountability and tracking
  - Data backup and storage

Technical Safeguards

Means by which electronic data, access to it, and its use are controlled and monitored

- Access controls
  - Unique user identification
  - Emergency access procedure
  - Automatic logoff
  - Encryption and decryption

Technical Safeguards (cont.)

- Audit controls
  - Ability to determine who accessed data and when
  - Ability to determine who modified data and when
- Integrity
  - Mechanisms in place to authenticate or validate ePHI
- Transmission Security
  - Integrity controls to ensure that data isn’t lost or altered
  - Encryption to ensure that only the recipient can see the data

So Who Cares?

Each of us must care

We in DPW are responsible for the medical information of our citizens. In addition, the vast majority of us have been treated by health care practitioners and would care greatly if we thought our medical records might be shared with strangers or unauthorized individuals or entities. Why should we expect our clients to care any less than we would?

So Who Cares? (cont.)

The Commonwealth of Pennsylvania and DPW

We are the custodians of our citizens’ data and it is a serious responsibility. Misuse or unauthorized disclosure of this data could lead to termination or other disciplinary action, possible criminal charges, and/or civil penalties.

So Who Cares? (cont.)

Federal Department of Health and Human Services (DHHS)

DHHS was responsible for issuing HIPAA regulations. These regulations and the HIPAA statute passed by Congress comprise the HIPAA legal requirements. DHHS’s Centers for Medicare and Medicaid Services (CMS) enforces HIPAA security (and transaction) regulations; DHHS’s Office of Civil Rights (OCR) enforces HIPAA privacy regulations.

So Who Cares? (cont.)

The Federal Government

Misuse or unauthorized disclosure of PHI can result in federal criminal penalties, including imprisonment of up to 10 years and fines of up to $250,000. Additional penalties may be applied as a result of civil action.

General DPW Practices

There are some general security practices that everyone must use, regardless of their job duties and access to or use of ePHI:

- Abide by UserID and Password policies
  - Use strong passwords (7 or more characters, mix of uppercase, lowercase, numbers, punctuation)
  - Change passwords regularly
  - Don’t write passwords down where others can get them
  - Do not share your UserID and password with others
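The password rule stated above (7 or more characters with a mix of uppercase, lowercase, numbers, and punctuation), written as a small checker that reports every requirement a candidate password fails, so a user can be told exactly what to fix rather than just "rejected". This is an added example, not DPW's own code; MIN_LENGTH, REQUIRED_CLASSES, policy_failures and is_compliant are names chosen here.

```python
import string

# Minimum length and character classes as stated in the training deck.
# The constant and class names are labels chosen for this example.
MIN_LENGTH = 7

REQUIRED_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "number": set(string.digits),
    "punctuation": set(string.punctuation),
}


def policy_failures(password: str) -> list[str]:
    """Return the policy rules the password fails (empty list = compliant).

    Failures are listed in a fixed order (length first, then each
    character class) so the feedback is stable and testable.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    present = set(password)
    for class_name, members in REQUIRED_CLASSES.items():
        # One character from the class is enough to satisfy that rule.
        if not present & members:
            failures.append(f"no {class_name} character")
    # Characters outside the four classes (spaces, accented letters) count
    # toward length but toward no class; they are not rejected.
    return failures


def is_compliant(password: str) -> bool:
    """True when the password meets every rule in the stated policy."""
    return not policy_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Wx7!pQz", "password", "Wx7!pQ"]:
        problems = policy_failures(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
```

Note that the checker enforces only the composition rule on the slide; it cannot check that a password is unshared or unwritten, which remain user responsibilities.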

General DPW Practices (cont.)

- Always lock your workstation when not using it or when away from your desk; for example, lock away any paper files containing PHI or floppies, CDs, or other media containing ePHI
- Don’t install software from home or from the Internet on your workstation
- Limit Internet use to work-related activities

General DPW Practices (cont.)

- Don’t open unsolicited email from unknown senders or suspicious email from colleagues (this is a great way to spread computer viruses)
- Immediately report unusual workstation behavior to your supervisor
- Immediately report possible theft or misuse of your UserID to your supervisor

Job-Specific Practices

Those of you who have access to or use ePHI as a part of fulfilling your job duties need to be especially aware of HIPAA security. Changing your password more frequently than generally required, encrypting data residing on your workstation, and using secure email are examples of practices to be followed.

Job-Specific Practices (cont.)

Within DPW, there are many jobs that involve access to and use of PHI, far too many to cover in detail in this training session. Your program office or facility will be holding additional training sessions specific to HIPAA security as it relates to your job. Contact your supervisor for more information.

Resources

- HIPAA regulations and information:
  - www.cms.gov/hipaa
  - www.dhhs.gov
- DPW HIPAA Privacy Policy
- DPW HIPAA Security Policy
- DPW Business and Technical Standards
- Commonwealth Internet Usage Policy
- Commonwealth IT Standards

Contact Information

- Diana Clark (Privacy, Legal)
  - [email protected]
- Frank Morrow (Security)
  - [email protected]
- Frank Potemra (Policy)
  - [email protected]
- Your Program Office Security Manager
- Your Supervisor

Quiz 3

To wrap things up, what is HIPPO?

1. A large African animal that spends much of its time in the water.
2. A long-haired, bell-bottom and sandals wearing flower child.
3. The Health Insurance Portability and Accountability Act of 1996.

Please make your selection: ____

Answer 3

Choice 1, of course! A HIPPO is a large African animal that spends much of its time in the water.