1 SECURITY & HIPAA DATA ENSURE INC. 798 PARK AVE. NW SUITE 204 NORTON, VA 24273 (276) 679-7900 WWW.DATAENSUREINC.COM

Presentation transcript:

1 SECURITY & HIPAA DATA ENSURE INC.

2 HIPAA Compliance Complying with HIPAA is challenging because this regulation affects so many areas, including standards for transactions, rules for data privacy and security, standards for clinical records, and more.

3 HIPAA Background In August of 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). The goals of the legislation are to reduce the administrative costs of healthcare, to develop standard transactions for consistency industry wide, to require broad security and disaster recovery protections for “individually identifiable healthcare information”, to promote confidentiality of patient records, and to provide an incentive for healthcare companies to communicate electronically.

4 HIPAA Background Any health care provider organization, office, or plan that electronically maintains or transmits health information pertaining to an individual must comply with HIPAA regulations. These federally governed regulations require strict standards for Security and Disaster Recovery.

5 Who Must Comply? Those who must comply with HIPAA fall into two categories: Covered Entities and Business Associates.

6 HIPAA Overview HIPAA consists of five parts: Title 1 - Health Insurance Portability - helps workers maintain insurance coverage when they change jobs; Title 2 - Administrative Simplification - standardizes electronic health care-related transactions, and the privacy and security of health information; Title 3 - Medical Savings Accounts & Health Insurance Tax Deductions; Title 4 - Enforcement of Group Health Plan provisions; Title 5 - Revenue Offset Provisions.

7 The Security Rule The Final Security Rule was published in February 2003 and became effective on April 21; compliance with this Rule has been required since April 21, 2005.

8 The Security Rule The Security Rule legislates the means that should be used to protect ePHI (electronic Protected Health Information). It requires that covered entities have appropriate Administrative Procedures, Physical Safeguards, and Technical Safeguards to protect access to ePHI.

9 Examples of Appropriate Safeguards Include: Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to ePHI. Establishment of restricted and locked areas where ePHI is stored. Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning. Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.

10 The Security Rule Two Rules for Discussion are: (a)(7)(ii)(A) Data Backup Plan (R) (a)(7)(ii)(B) Disaster Recovery Plan (R)

11 Disaster Recovery Planning Disaster recovery planning is a necessary and vital part of any healthcare delivery organization. How does an institution recover from something as simple as a hardware or software failure or as catastrophic as the loss of a complete data center? How long can data be unavailable before it impacts patient care?

12 Disaster Recovery Planning These are precisely the situations that the Security Standard was intended to address by ensuring confidentiality, integrity, and availability of patient information. To that end, disaster recovery planning should be viewed as a plan for business continuity and, further, as an opportunity to minimize the costs associated with regulatory compliance.

13 What is Required for a Disaster Recovery Plan? What should be included in the disaster recovery strategy? Considerations must include the end-user’s specific needs, the location and storage of the critical data, and every component in between. The plan must allow a covered entity to re-create the entire infrastructure necessary to guarantee information availability.

14 Why Backup? It is an integral part of any Disaster Recovery Plan. The amount of data stored electronically is growing and your practice relies on it to conduct efficient and proper patient care. What if you lost your scheduling software? How long would it take to recreate it?

15 Who Performs Data Backups? It is estimated that less than 30% of businesses properly protect their computer data. Healthcare-related businesses do a better job. Proper backups can ensure that your business or practice survives computer-related disasters, no matter how big or small.

16 How Often? Backups should be done on a schedule. Daily would be ideal. Most businesses don't do this for one reason or another; they don't keep a regular backup regimen. Usually it's because the person responsible for doing backups (if there is one) is too busy doing something else, or someone is using the computer when it's time for a backup, or they simply forget. It should be automated so as not to depend on any one person.

17 Why Off-Site Backups? Of the estimated ten percent of companies that follow all the other rules for safe backups, only five percent follow this one. This is where almost every business makes its biggest mistake. Even if you do everything else perfectly, your backups are of little use if your building burns or you are unable to physically recover your data backup media.

18 Redundancy! Why? The general definition of "proper" backups requires redundancy. That is, one must keep multiple copies of the same files at different points in their development, called versions. Part of the reason for doing backups is to be able to revert to the previous version of a file in case a virus, hardware failure, or human error damages the current version.

19 Redundancy! Why? If you copy new files over old ones, you may lose your only backup by inadvertently copying a damaged file over it. This is much too important to overlook.

20 What Data is Backed Up? Most hard drives contain thousands of files, but only a small percentage of them contain your Critical Data. Find out which ones, and be sure you are backing them up. Ordinary backup software is often installed with a list of files to be backed up. This set of files usually represents the state of the system when the software was installed, and often misses critical files.
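Slides 18 through 20 make three points that are easy to get wrong in practice: keep versions rather than one copy, never copy a new file over the only existing backup, and back up an explicit list of critical files instead of whatever the software defaulted to. The following script is an added illustration written for this page; it is not part of the original presentation and not Data Ensure's Remote Data Backup product. It uses only the Python standard library, and the file names, version ids, and sample "schedule" and "billing" contents are constructed for the demo. Each backup run lands in its own version directory with a SHA-256 manifest, a later verification step detects a damaged copy, an attempt to reuse a version id is refused, and old versions are pruned only after newer ones exist.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, Iterable, List, Optional

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_version(critical_files: Iterable[Path], backup_root: Path,
                   version_id: Optional[str] = None) -> Path:
    """Copy an explicit list of critical files into a brand-new version directory.

    Every run gets its own directory, so a damaged current file can never be
    copied over the only good backup (the mistake slide 19 warns about). A
    manifest of SHA-256 digests is written beside the copies for later checks.
    """
    version_id = version_id or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = backup_root / version_id
    if dest.exists():
        raise FileExistsError(f"backup version {version_id} already exists; refusing to overwrite")
    dest.mkdir(parents=True)
    manifest: Dict[str, str] = {}
    for src in critical_files:
        src = Path(src)
        target = dest / src.name
        shutil.copy2(src, target)  # copy2 keeps timestamps for point-in-time restores
        manifest[src.name] = sha256_of(target)
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_version(version_dir: Path) -> List[str]:
    """Return names of files in a version that are missing or no longer match the manifest."""
    manifest = json.loads((version_dir / "manifest.json").read_text())
    damaged = []
    for name, expected in manifest.items():
        copy = version_dir / name
        if not copy.exists() or sha256_of(copy) != expected:
            damaged.append(name)
    return damaged


def prune_versions(backup_root: Path, keep: int) -> List[str]:
    """Delete the oldest versions, keeping the newest `keep`; returns the names removed."""
    versions = sorted(p for p in backup_root.iterdir() if p.is_dir())
    doomed = versions[:-keep] if keep > 0 else versions
    for old in doomed:
        shutil.rmtree(old)
    return [p.name for p in doomed]


def run_demo() -> dict:
    """Exercise the three functions on constructed sample files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        live.mkdir()
        # Constructed stand-ins for a practice's critical data (no real PHI).
        (live / "schedule.db").write_bytes(b"appt,2024-01-02 09:00,patient-0001\n")
        (live / "billing.csv").write_text("claim,amount\n1001,120.00\n")
        critical = [live / "schedule.db", live / "billing.csv"]
        backups = root / "backups"

        v1 = backup_version(critical, backups, "v1")
        clean_on_creation = verify_version(v1)

        # Simulate silent damage to the stored copy (bad media, bit rot, a stray write).
        (v1 / "billing.csv").write_text("claim,amount\n1001,999999.00\n")
        damaged_after_corruption = verify_version(v1)

        try:
            backup_version(critical, backups, "v1")
            overwrite_refused = False
        except FileExistsError:
            overwrite_refused = True

        backup_version(critical, backups, "v2")
        backup_version(critical, backups, "v3")
        removed = prune_versions(backups, keep=2)
        remaining = sorted(p.name for p in backups.iterdir())

        return {
            "clean_on_creation": clean_on_creation,
            "damaged_after_corruption": damaged_after_corruption,
            "overwrite_refused": overwrite_refused,
            "removed": removed,
            "remaining": remaining,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the version directories would live on separate media or an off-site target (slide 17), the critical-file list would be maintained deliberately rather than inherited from an installer, and the pruning threshold would follow the practice's retention policy; the manifest check is what tells you a version is still restorable before you need it.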

21 What about Security? Of the very small percentage of companies that take their backups off-site regularly, an even smaller percentage encrypts their backups for security. Most of those send backups home with an employee who might make a few stops on the way. If backups are stolen or lost, your ePHI data could easily end up in the hands of ?????????????.

22 What about Security? Would you want someone to be able to slip one of your backup tapes into a pocket and take it to ??????? It happens. Tape backups are not generally encrypted, so anyone can read them and gain access to your patient database, billing records, payroll, tax info, and everything else on your computer.

23 What about Security? Jane Doe: Birth date, Address, Condition, Medications, Treatments, Insurance

24 Data Encryption (slide image not recoverable)

25 What is RDB? Remote Data Backup works basically like regular tape backups, with one important difference. Instead of sending backups to a tape drive or other media, Remote Data Backup sends them over the internet to another computer safely off-site.

26 What is RDB? It does this (usually) at night while the practice is closed and nobody is using the computers. And it's completely automatic. Remote Data Backup encrypts its backups for complete security so nobody can read them. Only Remote Data Backup has such an easy-to-use version control system. Further, you should be able to easily restore any of your files up to any given point in time.

27 Remote Data Backup From Data Ensure, Inc. Can be your data backup solution. It provides you with secure encrypted data storage and recovery and automatic backups. It meets HIPAA compliance standards for electronic transactions through the use of encryption and passwords in a secure environment.

28 THANK YOU FOR ATTENDING!!! DATA ENSURE INC.