Review the security rule as it pertains to Physical Safeguards
  - How to protect the ePHI in the work environment
  - Implementation ideas for your office

Reasonable and appropriate safeguards that cover:
  - Information systems
  - Related equipment
  - Facilities

- Physical measures
  - Locking the door
  - Requiring passwords
- Policies and procedures
  - For everything from employee training to protecting the data

- Facility Access Controls
  - Limiting physical access to ePHI
- Workstation Use and Security
  - Defining business use of workstations
  - Controlling the environment
- Device and Media Controls
  - For all equipment that contains ePHI

- Contingency operations
- Facility security plan
- Access control and validation procedures
- Maintenance records

- Disaster recovery or emergency operations
  - Maintains proper security while allowing for data recovery
- Cover such events as:
  - Loss of power
  - Flood
  - Chemical spills
  - Propane leak
- Consider access, as well as recovery

- Policies and Procedures covering:
  - Physical access control
  - Tampering and theft prevention

- Procedures
  - Access based on roles and/or functions
  - Visitor guidelines
  - Software access
    - Limit authority/responsibility
    - Track updates/modifications

- Document
  - Repairs and modifications to the facility
    - Type of repair
    - Authorized by whom
    - Reason for repair
  - Changes to alarm codes

- A workstation is defined as an electronic computing device such as:
  - Laptops
  - Desktops
  - Tablets
- Capable of electronic media storage

- Define business use of workstations
- Policies and Procedures
  - Proper functions to be completed
  - Manner in which they are performed
  - Physical attributes of the surroundings for the workstations with access to ePHI
    - Visibility to others
    - Accessible to unauthorized persons

- Restrict access to authorized users
  - Are workstations identified?
  - Viewed only by authorized individuals with unique user IDs and passwords?
  - Filters?
  - Screen savers?
  - Automatic log-off?

- Policies and procedures
  - That govern how ePHI is protected
    - During moves
    - On backup media
    - During upgrades

- Disposal of ePHI
  - How does this happen?
- Media re-use
  - Is re-use allowed?
  - What steps are taken to eliminate ePHI?
- Accountability
  - Where is the ePHI?
- Data Backup and Storage

- Policies and procedures that address the final disposition of ePHI
  - Including the media that held it
  - Render it unusable
    - By erasing and overwriting, by magnetically clearing, or both
  - Or inaccessible
    - By physically damaging it

- Remove ePHI
- Document the removal
- Have a policy and procedure that outlines the process

- Involves record keeping
  - This is only addressable in the final security rule; however, it would be very difficult to justify not keeping track of equipment
- Inventory of equipment that includes portable media
  - Take account of:
    - Person responsible for each device
    - Serial numbers and/or labels for identification

- Address the backup of ePHI before the movement of any equipment
  - Best to have a copy, just in case something unexpected happens!

Have in place:
- Policies and procedures that cover
  - Audits
    - To track changes to data
    - To review accesses
  - Inventory
    - To know where the ePHI is located

The inventory should contain elements such as:
  - Device Name
  - Make/Model
  - Date Acquired
  - Serial Number
  - Location
  - User
  - Maintenance Performed
    - Description and Date
  - Date taken out of Service
    - ePHI destroyed (Y/N)
    - Method of destruction
    - Certificate of destruction
  - Person responsible for destruction of ePHI
  - Person who validated or verified destruction of ePHI

- Inventory
  - Walk through your office
  - Notice everything
    - Both in-service and out-of-service equipment
  - Record it all
  - Include portable and mobile devices
- Check the ePHI on the inventory
  - Record everything
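To turn the accountability and inventory checklist from the preceding slides into a repeatable check, here is an added example (not part of the presentation) in Python that audits a constructed sample inventory: every device needs a serial number or label and a responsible person, and any retired device that held ePHI needs a documented destruction with method, certificate, the person who destroyed it and the person who verified it. The column names and sample rows are assumptions made for the example.

```python
import csv
import io

# Constructed sample inventory (not from the presentation). Columns mirror the
# elements listed on the inventory slide; "ephi" marks whether the device held ePHI.
SAMPLE_INVENTORY = """\
device_name,make_model,serial_number,location,user,ephi,out_of_service_date,ephi_destroyed,destruction_method,destruction_certificate,destroyed_by,verified_by
Front desk PC,Dell OptiPlex,SN-0001,Reception,jdoe,Y,,,,,,
Old exam laptop,Lenovo T480,SN-0002,Storage closet,,Y,2023-05-02,Y,Overwrite and degauss,CERT-0088,mrivera,kchen
Spare tablet,iPad,SN-0003,Drawer,,Y,2023-06-10,N,,,,
Backup drive,WD 2TB,,Server room,tsmith,Y,,,,,,
"""

# Fields that must be filled in once a device holding ePHI has been retired.
DESTRUCTION_FIELDS = (
    "destruction_method",
    "destruction_certificate",
    "destroyed_by",
    "verified_by",
)


def audit_inventory(text):
    """Return a list of (device label, issue) findings for an inventory CSV.

    Rules follow the slides: identification by serial number or label, a
    person responsible for each in-service device, and full destruction
    records for any out-of-service device that held ePHI.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        label = row["serial_number"] or row["device_name"]
        if not row["serial_number"]:
            findings.append((label, "no serial number or label"))
        # A device still in service must have someone accountable for it.
        if not row["user"] and not row["out_of_service_date"]:
            findings.append((label, "no person responsible"))
        if row["ephi"] == "Y" and row["out_of_service_date"]:
            if row["ephi_destroyed"] != "Y":
                findings.append((label, "retired with ePHI not destroyed"))
            else:
                for field in DESTRUCTION_FIELDS:
                    if not row[field]:
                        findings.append((label, f"missing {field}"))
    return findings


if __name__ == "__main__":
    for label, issue in audit_inventory(SAMPLE_INVENTORY):
        print(f"{label}: {issue}")
```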

- Offices / Exam Rooms
  - Doors and windows: lockable?
- Restricted areas
  - Locked, and log of access maintained?
- Alarms
  - Who has access? Recent changes?
- Wireless access points
  - Monitor the devices that access your network
- Wiring
  - Are surge suppressors in use?

With the eyes of an outsider, is ePHI:
  - Viewable?
  - Portable, on unattended laptops?
  - In use? Where? On what?
  - Is there out-of-service equipment with ePHI?
  - Accessible via your network?
    - Monitor users on the network
    - Have in place termination procedures that include disabling network access

- Make changes
  - Move monitors
  - Turn desks
  - Lock up equipment
  - Secure work areas
- Control access
  - Know who has had the opportunity to view or hack your ePHI
    - Telephone repairs
    - Electricians
    - Locksmiths

- Printers
  - What's being printed?
  - Who can retrieve the paper?
  - Where is it located?
- Faxes and scanners
  - What is stored on the machine?
  - Where is it located?
  - Who can access the data?

- Incidental equipment
  - Pagers
  - Dictaphone tapes
  - Answering machines
  - Point-of-care devices
  - External hard drives
- Network wiring
  - Are access points open and available?
- Location of the router
  - Is it secure?

- Protect all equipment from:
  - Outside access
  - Unauthorized use
  - Wandering off
- For electronics
  - Use surge protectors
- Review fire extinguishers
  - Rated for electronics

- ePHI
  - Is vast
  - Requires special protections and safeguards
  - Is subject to HIPAA's Security Rule
- You have to know where the ePHI is located in order to protect it
- Take every precaution possible to protect ePHI

QUESTIONS?