1. HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY

2. Underlying principles for security  Ensure the confidentiality, integrity & availability of electronic Protected Health Information (ePHI)  Use safeguards to protect ePHI

3. Core requirements of HIPAA security  Designate a security official  Ensure the confidentiality, integrity & availablity of all ePHI that a covered entity creates, receives, maintains or transmits  Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI  Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the HIPAA Privacy Rule  Ensure compliance by the workforce

4. Security standards  Effective April 21, 2005  Contains 18 standards under three safeguard categories  14 required specifications  22 addressable specifications

5. Security Standards  HITECH - The Health Information Technology for Economic and Clinical Health  Effective February 18, 2009  To promote the adoption and meaningful use of health information technology  You can be held criminally liable for knowingly obtaining and disclosing PHI in violation of HIPAA Fines up to $250,000 Up to 10 years in prison  You can be personally sued by a patient claiming that the privacy of their PHI was violated

6. Three protection categories  Confidentiality  Data is used or disclosed by authorized persons for authorized purposes  Integrity  Data has not been altered or destroyed in an unauthorized manner  Availability  Data is accessible & useable upon demand by authorized persons

7. Three safeguard categories  Administrative  Physical  Technical

8. Administrative safeguards  Maintain security through risk analysis & management  Conduct regular system activity reviews  Audit logs, access reports, incident tracking  Enforce workforce security through clearance procedures, authorization & access controls  Train all workforce members on computer security  Track, report & respond to suspected or known security incidents  Establish a contingency plan to ensure availability of ePHI during emergencies or natural disasters

9. Physical safeguards  Limit physical access to electronic information systems to appropriate persons to prevent tampering or theft  Allow facility access to support disaster recovery efforts & emergency operations  Document repairs to the physical components of the security system & facilities  Restrict workstation access & activity to authorized users & authorized functions  Manage receipt, removal & disposal of hardware & electronic media

10. Technical safeguards  Use technical measures to control access to systems that maintain ePHI  Provide for unique user identification  Ensure necessary access to ePHI during emergencies  Implement audit controls that record & examine system activity  Protect ePHI from improper alteration or destruction  Ensure transmission security

11. Risk assessment  Must be “accurate and thorough”  Provides rationale for decisions about addressable specifications  Basic components  Threats & vulnerabilities  Likelihood of exploitation  Existing countermeasures  Control recommendations

12. KUMC Approach  Adapt existing assessment tools (NIST 800-26)  Conduct risk assessment (every two years)  Network  Servers  Departments Workstations Applications  Evaluate administrative, physical & technical safeguards in each of the above areas

13. Existing practices (to name a few)  Firewalls  Remote access through VPN  Limited public “visibility”  Ongoing intrusion detection  Role-based access  Anti-virus plan  Patch management  Background checks  Electronic signature  Unique user IDs  Strong passwords  Disaster recovery plans  Established backup procedures  Documented policies & procedures  Transmission encryption methods  Biometrics  Proximity sensors  Implanted chips

14. QUESTIONS Sherry Callahan, CISSP, CISA, CISM Director of Information Security scallahan@kumc.edu 913.588.0966 Juli Gardner, MHSA KUMC Compliance Program Manager jgardner3@kumc.edu 913.588.0940