HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY
Underlying principles for security Ensure the confidentiality, integrity & availability of electronic Protected Health Information (ePHI) Use safeguards to protect ePHI
Core requirements of HIPAA security Designate a security official Ensure the confidentiality, integrity & availablity of all ePHI that a covered entity creates, receives, maintains or transmits Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule Ensure compliance by the workforce
Security standards Effective April 21, 2005 Contains 18 standards under three safeguard categories 14 required specifications 22 addressable specifications
Security Standards HITECH - The Health Information Technology for Economic and Clinical Health Effective February 18, 2009 To promote the adoption and meaningful use of health information technology You can be held criminally liable for knowingly obtaining and disclosing PHI in violation of HIPAA Fines up to $250,000 Up to 10 years in prison You can be personally sued by a patient claiming that the privacy of their PHI was violated
Three protection categories Confidentiality Data is used or disclosed by authorized persons for authorized purposes Integrity Data has not been altered or destroyed in an unauthorized manner Availability Data is accessible & useable upon demand by authorized persons
Three safeguard categories Administrative Physical Technical
Administrative safeguards Maintain security through risk analysis & management Conduct regular system activity reviews Audit logs, access reports, incident tracking Enforce workforce security through clearance procedures, authorization & access controls Train all workforce members on computer security Track, report & respond to suspected or known security incidents Establish a contingency plan to ensure availability of ePHI during emergencies or natural disasters
Physical safeguards Limit physical access to electronic information systems to appropriate persons to prevent tampering or theft Allow facility access to support disaster recovery efforts & emergency operations Document repairs to the physical components of the security system & facilities Restrict workstation access & activity to authorized users & authorized functions Manage receipt, removal & disposal of hardware & electronic media
Technical safeguards Use technical measures to control access to systems that maintain ePHI Provide for unique user identification Ensure necessary access to ePHI during emergencies Implement audit controls that record & examine system activity Protect ePHI from improper alteration or destruction Ensure transmission security
Risk assessment Must be “accurate and thorough” Provides rationale for decisions about addressable specifications Basic components Threats & vulnerabilities Likelihood of exploitation Existing countermeasures Control recommendations
KUMC Approach Adapt existing assessment tools (NIST ) Conduct risk assessment (every two years) Network Servers Departments Workstations Applications Evaluate administrative, physical & technical safeguards in each of the above areas
Existing practices (to name a few) Firewalls Remote access through VPN Limited public “visibility” Ongoing intrusion detection Role-based access Anti-virus plan Patch management Background checks Electronic signature Unique user IDs Strong passwords Disaster recovery plans Established backup procedures Documented policies & procedures Transmission encryption methods Biometrics Proximity sensors Implanted chips
QUESTIONS Sherry Callahan, CISSP, CISA, CISM Director of Information Security Juli Gardner, MHSA KUMC Compliance Program Manager