Download presentation
Presentation is loading. Please wait.
Published byJeremy Merritt Modified over 9 years ago
2
Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office
3
Reasonable and appropriate safeguards that cover ›Information systems ›Related equipment ›Facilities
4
Physical measures ›Locking the door ›Requiring passwords Policies and procedures ›For everything from employee training to protecting the data
5
Facility Access Controls ›Limiting physical access to ePHI Workstation Use and Security ›Defining business use of workstations ›Controlling the environment Device and Media Controls ›For all equipment that contains ePHI
6
Contingency operations Facility security plan Access control and validation procedures Maintenance records
7
Disaster recovery or emergency operations ›Maintains proper security while allowing for data recovery Cover such events as: ›Loss of power ›Flood Consider access, as well as recovery ›Chemical spills ›Propane leak
8
Policies and Procedurescovering: ›Physical access control ›Tampering and theft prevention
9
Procedures ›Access based on roles and/or functions ›Visitor guidelines ›Software access ♦ Limit authority/responsibility ♦ Track updates/modification
10
Document ›Repairs and modifications to the facility ♦ Type of repair ♦ Authorized by whom ♦ Reason for repair ›Changes to alarm codes
11
Defined as an electronic computing device such as: ›Laptops ›Desktops ›Tablets Capable of electronic media storage
12
Define business use of workstations Policies and Procedures ›Proper functions to be completed ›Manner in which they are performed ›Physical attributes of the surroundings for the workstations with access to ePHI ♦ Visibility to others ♦ Accessible to unauthorized persons
13
Restrict access to authorized users ›Are workstations identified? ›Viewed only by authorized individuals with unique user IDs and passwords? ›Filters? ›Screen savers? ›Automatic log off?
14
Policies and procedures ›That govern how ePHI is protected ♦ During moves ♦ On backup media ♦ During upgrades
15
Disposal – of ePHI ›How does this happen? Media re-use ›Is re-use allowed? ›What steps are taken to eliminate ePHI Accountability ›Where is the ePHI? Data Backup and Storage
16
Policies and procedures that address the final disposition of ePHI ›Including the media that held it ›Render it unusable ♦ By erasing and overwriting or magnetically clearing or both ›Or inaccessible ♦ By physically damaging it
17
Remove ePHI Document the removal Have a policy and procedure that outlines the process
18
Involves record keeping ›This is only addressable in the final security rule, however, it would be very difficult to justify not keeping track of equipment Inventory of equipment that includes portable media ›Take account of ♦ Person responsible for each device ♦ Serial numbers and/or labels for identification
19
Address the backup of ePHI before the movement of any equipment ›Best to have a copy, just in case something unexpected happens!
20
Have in place: Policies and procedures that cover ›Audits ♦ To track changes to data ♦ To review accesses ›Inventory ♦ To know where the ePHI is located
21
›Device Name ›Make/Model ›Date Acquired ›Serial Number ›Location ›User ›Maintenance Performed ♦ Description and Date ›Date taken out of Service ♦ ePHI destroyed (Y/N) ♦ Method of destruction ♦ Certificate of destruction ›Person responsible for destruction of ePHI ›Person who validated or verified destruction of ePHI Should contain elements such as :
22
Inventory ›Walk through your office ›Notice everything ♦ Both in-service and out of service equipment ›Record it all ›Include portable and mobile devices Check the ePHI on the inventory ›Record everything
23
Offices / Exam Rooms ›Doors and windows - lockable? Restricted areas ›Locked and log of access maintained? Alarms ›Who has access? Recent changes? Wireless access points ›Monitor the devices that access your network Wiring ›Are surge suppressors in use?
24
With the eyes of an outsider is ePHI ›Viewable? ›Portable – on unattended laptops? ›In use – where? On what? ›Is there out-of-service equipment with ePHI? ›Accessible via your network? ♦ Monitor users on the network ♦ Have in place termination procedures that include disabling network access
25
Make changes ›Move monitors ›Turn desks ›Lock up equipment ›Secure work areas Control access ›Know who has had the opportunity to view or hack your ePHI ♦ Telephone repairs ♦ Electricians ♦ Locksmiths
26
Printers ›What’s being printed? ›Who can retrieve the paper? ›Where is it located? Faxes and scanners ›What is stored on the machine? ›Where is it located? ›Who can access the data?
27
Incidental equipment ›Pagers ›Dictaphone tapes ›Answering machines ›Point of care devices ›External hard drives Network wiring ›Are access points open and available? Location of the router ›Is it secure?
28
Protect all equipment from: ›Outside access ›Unauthorized use ›Wandering off For Electronics ›Use surge protectors Review fire extinguishers ›Rated for electronics
29
ePHI ›Is vast ›Requires special protections and safeguards ›Is subject to HIPAA’s Security Rule You have to know where the ePHI is located in order to protect it Take every precaution possible to protect ePHI
30
QUESTIONS?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.