HIPAA, Computer Security, and Domino/Notes. Chuck Connell, www.chc-3.com

What is HIPAA?
- Health Insurance Portability and Accountability Act.
- Large, far-reaching health-care law from the federal government.
- Five main sections, which take effect on different dates.

So What? (There are lots of big federal laws.)
- Healthcare is a $1.3T industry in the US, covering 14% of GNP.
- It is one of the few growth sectors in the economy lately.
- It is the only growth sector in the computer business over the last couple of years.
- It is likely that you or your business will be affected by HIPAA in some way.
  - Who has run into this already?

Five Sections of HIPAA
- Title I, Insurance Reform (now)
- Title II, Administrative Simplification
  - Privacy (April 03)
  - Transactions and Code Sets (Oct 03)
  - Identifiers (July 04)
  - Computer Security (April 05)
- Small organizations have an extra year.
- (These dates are a summary.)

Insurance Reform
- Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
- Largely eliminates problems with "pre-existing conditions".
- The greatest benefit of HIPAA for consumers.

Privacy
- Defines who can see your medical information and how it can be used.
- In general, the rules make sense, and are what you want.
  - Examples: Can always share information when medically necessary. Cannot shout your diagnosis across the waiting room.
- You received "privacy notices" from your doctors last spring, for compliance with this privacy reg.
- But there are many gray areas.
  - Should a hospital tell a caller that you are there?
  - Should the hospital accept flowers if you are there?

Transactions and Code Sets
- There were many incompatible formats for the transmission and coding of medical information.
  - Organizations could not communicate electronically, because they could not agree on a file format.
  - A medical procedure might be known as A101 to one insurance company, but 55b to another.
- HIPAA mandated standard medical codes, file formats, and electronic processing.
- IT impact: all this is computerized.
- Deadline just occurred, 10/03.
  - Extended because the medical business was about to fall apart due to non-readiness.

Identifiers
- A common standard for unambiguous identification of entities involved in healthcare.
- Solves the problem of Dr. Feelgood being known as provider XC-546-T3 to Blue Cross, but under a different identifier to Tufts.
- IT impact: much of this is computerized.
- Deadline next summer, July.
- (Unique identification of individuals was dropped due to political pressure.)

Questions?

Computer Security
- Five sub-sections
  - Administrative
  - Physical
  - Organizational
  - Policies, Procedures, Documentation
  - Technical
- April 2005 deadline

Security, Administrative
- Risk analysis, risk management
- Identify responsible individual
- User authorization / termination procedures
- Virus protection
- Log-in monitoring, threat reporting
- Backup and disaster plan
- More...

Security, Physical
- Building security plan
- Building access control and monitoring
- Physical safeguard of workstations
- Policy and procedures for workstations and work areas
- Storage of backup media
- Re-use and disposal of media
- More...

Security, Organizational
- Contracts between a healthcare organization and its business partners must reflect these rules.
  - Example: offsite backup company
  - But who is a business partner (the window washer??)
- Group health plan documents must show they are following HIPAA rules.

Security, Policies & Docs
- Documentation about the security policies
- Modification, retention, availability of these documents

Security, Technical
1. Access Controls / Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
2. Access Controls / Emergency Access: Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
3. Access Controls / Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Security, Technical (2)
4. Access Controls / Data Encryption: Implement a mechanism to encrypt and decrypt electronic protected health information.
5. Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
6. Data Integrity: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Security, Technical (3)
7. Person and Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
8. Transmission Security / Integrity: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
9. Transmission Security / Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

General observations
- The HIPAA security rules give wide latitude for implementation.
  - They never say S/MIME, or two-factor, or password expiration.
  - This is by design, based on objections to early drafts.
- Some items are required and some are addressable.
  - Definitions
  - You will hear a lot of talk about this.
- Domino/Notes can meet all of the HIPAA security rules.

HIPAA and Notes/Domino
1. Notes ID files and Internet accounts in the NAB (Name and Address Book) provide unique identification of each person. Do not assign shared generic IDs (such as AcctPayable).
2. Security rules should not get in the way of patient care. Need a way to get around security restrictions, for good medical care. Domino/Notes can accomplish this in several ways. (Ideas??)
3. Auto logoff is built into Notes security preferences.

HIPAA and Notes/Domino (2)
4. Data encryption via encrypted fields or database encryption.
5. Audit trails via server log, web log, database user activity, transaction logging, event records, 3rd-party products.
6. Encryption (and other methods) achieve data integrity.

HIPAA and Notes/Domino (3)
7. Notes IDs and Domino web accounts ensure positive identification of each user. Of course, no method is perfect, and any method must be implemented correctly.
8. SSL and Notes port encryption.
9. SSL and Notes port encryption.
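The technical safeguards (items 1, 2, 3, 5 and 6) and the Notes/Domino mapping above describe behaviour rather than code, so here is an added illustration in Python, written for this page and not taken from the talk or from the Domino product. It models per-person identities that reject shared generic IDs (the talk's AcctPayable), an emergency "break-glass" path that lets a caregiver read a record outside their role but only with a stated reason and always with an audit event, automatic logoff after inactivity, and an HMAC tag that corroborates a record has not been altered. Every name, role, record, the 15-minute timeout and the key are constructed for the example.

```python
"""Toy model of HIPAA technical safeguards (added example, constructed data).

Demonstrates unique user IDs, break-glass emergency access, automatic logoff,
audit controls and an integrity tag on stored records.
"""
import hashlib
import hmac
import json
import time

# Constructed: shared generic account names that must never be issued, because
# an audit trail cannot attribute their actions to one person.
SHARED_GENERIC_IDS = {"acctpayable", "nurse", "frontdesk", "admin"}

# Constructed role table: which record categories each role may read.
ROLE_PERMISSIONS = {
    "physician": {"clinical", "billing"},
    "billing_clerk": {"billing"},
}

INACTIVITY_LIMIT_SECONDS = 15 * 60  # assumed automatic-logoff threshold


class AuditTrail:
    """Append-only event list; every access decision is recorded here."""

    def __init__(self):
        self.events = []

    def record(self, **event):
        event.setdefault("ts", time.time())
        self.events.append(event)

    def needs_review(self):
        """Events a privacy officer should examine, not just store."""
        flagged = {"break_glass", "denied", "integrity_failure"}
        return [e for e in self.events if e["outcome"] in flagged]


class Session:
    """One authenticated person; refuses shared generic identities."""

    def __init__(self, user_id, role, now):
        if user_id.lower() in SHARED_GENERIC_IDS:
            raise ValueError(f"{user_id!r} is a shared generic ID; issue per-person IDs")
        self.user_id = user_id
        self.role = role
        self.last_activity = now

    def is_expired(self, now):
        return now - self.last_activity > INACTIVITY_LIMIT_SECONDS


class RecordStore:
    """Holds ePHI records with an HMAC tag and mediates every read."""

    def __init__(self, integrity_key, audit):
        self.key = integrity_key
        self.audit = audit
        self.records = {}

    def _tag(self, record_id, category, body):
        msg = json.dumps([record_id, category, body], sort_keys=True).encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def put(self, record_id, category, body):
        self.records[record_id] = {"category": category, "body": body,
                                   "tag": self._tag(record_id, category, body)}

    def verify(self, record_id):
        r = self.records[record_id]
        return hmac.compare_digest(r["tag"], self._tag(record_id, r["category"], r["body"]))

    def read(self, session, record_id, now, emergency=False, reason=""):
        rec = self.records[record_id]
        if session.is_expired(now):  # automatic logoff
            self.audit.record(user=session.user_id, record=record_id, outcome="session_expired")
            return None
        session.last_activity = now
        if not self.verify(record_id):  # data integrity check before release
            self.audit.record(user=session.user_id, record=record_id, outcome="integrity_failure")
            return None
        if rec["category"] in ROLE_PERMISSIONS.get(session.role, set()):
            outcome = "allowed"
        elif emergency and reason:  # break-glass: permitted, but always flagged
            outcome = "break_glass"
        else:
            self.audit.record(user=session.user_id, record=record_id, outcome="denied")
            return None
        self.audit.record(user=session.user_id, record=record_id, outcome=outcome, reason=reason)
        return rec["body"]


def demo():
    """Walks through the safeguards on constructed data and returns the outcomes."""
    audit = AuditTrail()
    store = RecordStore(b"constructed-demo-key", audit)
    store.put("pt-001", "clinical", "allergy: penicillin")
    t0 = 1_000_000.0
    clerk = Session("jsmith", "billing_clerk", t0)
    doc = Session("aroy", "physician", t0)
    out = {}
    try:
        Session("AcctPayable", "billing_clerk", t0)
        out["shared_id_rejected"] = False
    except ValueError:
        out["shared_id_rejected"] = True
    out["clerk_denied"] = store.read(clerk, "pt-001", t0 + 10)
    out["clerk_break_glass"] = store.read(clerk, "pt-001", t0 + 20, emergency=True,
                                          reason="ER triage, physician unavailable")
    out["doc_allowed"] = store.read(doc, "pt-001", t0 + 30)
    out["doc_after_timeout"] = store.read(doc, "pt-001", t0 + 30 + INACTIVITY_LIMIT_SECONDS + 1)
    store.records["pt-001"]["body"] = "allergy: none"  # simulate an unauthorized change
    out["tampered"] = store.read(clerk, "pt-001", t0 + 40)
    out["review_count"] = len(audit.needs_review())
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The design point is that the emergency path is not a bypass of the audit control: break-glass reads succeed for patient care but land in the same trail as denials and integrity failures, so a reviewer can see every exceptional access. In a Domino deployment the equivalent trail would come from the server log, database user activity and transaction logging listed in item 5.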

HIPAA Audit Database
- Tool I created, for free distribution
- Posted on my Downloads page
- Demonstration

Questions?
- Contact info:
  - Chuck Connell
  - chc-3.com