HIPAA Security Standards - Pro Pharma Pharmaceutical


HIPAA Security Standards
Emmanuelle Mirsakov
USC School of Pharmacy
Overview
• HIPAA: Health Insurance Portability and Accountability Act of 1996
• Why Security?
• Focus on the Security rule vs. the Privacy rule
• The Security rule applies only to EPHI, while the Privacy rule applies to PHI, which may be in electronic, oral, or paper form.
• Privacy is the “Who, What, and When”; Security is the “How”

Who Oversees HIPAA?
The U.S. Department of Health & Human Services

The Centers for Medicare and Medicaid Services
Oversees:
• Transactions and Code Sets
• Standard Unique Identifiers
• Security
Contact info:
• http://www.cms.hhs.gov/hipaa/hipaa2/
• [email protected]
• 1-866-282-0659

The Office for Civil Rights
Oversees:
• Privacy
Contact info:
• http://www.hhs.gov/ocr/hipaa/
• [email protected]
• 1-866-627-7748
Goals of the Security Rule
• Confidentiality: EPHI is accessible only by authorized people and processes
• Integrity: EPHI is not altered or destroyed in an unauthorized manner
• Availability: EPHI can be accessed as needed by an authorized person
Parts of the Security Rule
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
• Organizational Requirements
• Policies & Procedures & Documentation Requirements
Security Rule
• The rule is technology neutral: it does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete.
• The Security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.

Security Standards
• Administrative Safeguards: administrative functions that should be implemented to meet the security standards
• Physical Safeguards: mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion
• Technical Safeguards: the automated processes used to protect data and control access to data
Technical Safeguards
Main parts:
• Access Control
• Audit Control
• Integrity
• Person or Entity Authentication
• Transmission Security
Access Control
• “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource”
• Access controls should enable authorized users to access the minimum necessary information needed to perform their job functions.
• Four implementation specifications are associated with Access Control:
  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff (addressable)
  • Encryption and decryption (addressable)
Audit Controls
• “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
• Useful to determine whether a security violation occurred
• The Security rule does not identify the data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)
Integrity
• “The property that data or information have not been altered or destroyed in an unauthorized manner”
• The integrity of data can be compromised by both technical and non-technical sources
• Implementation specification: implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner (addressable)
Person or Entity Authentication
• “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed”
• Ways to provide proof of identity:
  • Require something known only to that individual (password or PIN)
  • Require a smart card, token, or key
  • Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)

Transmission Security
• “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network”
• This standard has two implementation specifications:
  • Integrity Controls (addressable)
  • Encryption (addressable)

Implementation Specifications
• Integrity Controls: integrity in this context is focused on making sure that EPHI is not improperly modified during transmission
  • Primarily through the use of network communications protocols
  • Data message authentication codes
• Encryption: “Implement a mechanism to encrypt EPHI whenever deemed appropriate”
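An added example, not part of the slides, of the integrity control named above: a message authentication code (HMAC-SHA256) attached to an EPHI record so the receiver can detect unauthorized modification in transit. The record fields, the shared key and the function names are constructed for illustration.

```python
# Added example (not from the slides): an HMAC-SHA256 message authentication
# code as a transmission-integrity control for an EPHI record.
import hmac
import hashlib
import json

# Constructed shared key for the demo; in practice it comes from a key
# management system, is never hard-coded, and is rotated per policy.
SHARED_KEY = b"example-shared-key-not-for-production"


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: serialise the record canonically and attach a tag."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY):
    """Receiver side: recompute the tag and release the record only on match.
    Returns (ok, record_or_None)."""
    expected = hmac.new(key, message["payload"].encode("utf-8"),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected, message["tag"]):
        return False, None
    return True, json.loads(message["payload"])


def demo():
    """Shows an intact record accepted and two kinds of tampering rejected."""
    record = {"patient_id": "P-0001", "rx": "lisinopril 10 mg", "qty": 30}
    message = protect(record)
    intact_ok, _ = verify(message)
    # Quantity altered in transit: the tag no longer matches the payload.
    tampered = dict(message)
    tampered["payload"] = message["payload"].replace('"qty":30', '"qty":90')
    tampered_ok, _ = verify(tampered)
    # A tag forged by a party without the key is rejected as well.
    forged = {"payload": message["payload"], "tag": "00" * 32}
    forged_ok, _ = verify(forged)
    return intact_ok, tampered_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```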
Pro Pharma Implementation
• All hard drives can only be accessed by individuals with proper clearance by Pro Pharma
• All employees have a unique user name and password
• All employees are required to lock their station whenever they get up
• Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats
• Full virus protection is installed on every workstation
• Network browsing is routed to a system that checks for threats
• No employee has administrative rights to their local machine
• No employees have domain administrative rights on the Pro Pharma domain
• Every workstation is attached to a UPS power supply to protect from power failure or power surge
In Summary
• Security rules are in place to enhance health information sharing and to protect patients
• The Security rule technical safeguards are the technology-related policies and procedures that protect EPHI and control access to it
• Be cognizant of PHI, and follow Pro Pharma protocols

The Bright Side

Knock, knock.
Who’s there?
HIPAA.
HIPAA who?
Sorry, I’m not allowed to disclose that
information.
In Case You Needed More
Last One I Promise!