Presentation is loading. Please wait.

Presentation is loading. Please wait.

Implementing HIPAA Security and Complying with the HIPAA Privacy/Security Workforce Training Requirement John Parmigiani National Practice Director HIPAA.

Published byOsborne Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "Implementing HIPAA Security and Complying with the HIPAA Privacy/Security Workforce Training Requirement John Parmigiani National Practice Director HIPAA."— Presentation transcript:

1 Implementing HIPAA Security and Complying with the HIPAA Privacy/Security Workforce Training Requirement John Parmigiani National Practice Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

2 2  Introduction  HIPAA and Privacy/Security  Steps & Tools Toward Compliance  Privacy/Security Training  Training Requirements  Training Delivery  Conclusions

3 3

4 4 John Parmigiani  CTGHS National Director of HIPAA Compliance Services  HCS Director of Compliance Programs  HIPAA Security Standards Government Chair/ HIPAA Infrastructure Group  Directed development and implementation of security initiatives for HCFA (now CMS)  Security architecture  Security awareness and training program  Systems security policies and procedures  E-commerce/Internet  Directed development and implementation of agency-wide information systems policy and standards and information resources management  AMC Workgroup on HIPAA Security and Privacy;Content Committee of CPRI-HOST/HIMSS Security and Privacy Toolkit; Editorial Advisory Boards of HIPAA Compliance Alert’s HIPAA Answer Book and HIPAA Training Line; Chair,HIPAA-Watch Advisory Board; Train for HIPAA Advisory Board

5 5

6 6 Title II: Subtitle F Administrative Simplification  Reduce healthcare administrative costs by standardizing electronic data interchange (EDI) for claims submission, claims status, referrals and eligibility  Establish patient’s right to Privacy  Protect patient health information by setting and enforcing Security Standards  Promote the attainment of a complete Electronic Medical Record (EMR)

7 7 HIPAA Characteristics  HIPAA is forever and compliance is an ever- changing target  HIPAA is more about process than technology  HIPAA is about saving $$ and delivering improved healthcare  HIPAA is policy-based (documentation is the key)  HIPAA advocates cost-effective, reasonable solutions  HIPAA should be applied with a great deal of “common sense”

8 8 Privacy Rule vs. Security Rule Privacy Standard  Minimum use- payment & operations, not treatment  Notice of Privacy Practices/Designated Record Set  Incidental use and disclosure if and only if…  Verification of requestor  Sanctions  Business Associate Contracts Security Requirement  Access control  Authentication  Network Controls  Training  Reasonable safeguards  Workstation controls: use; location (physical and technical)  Authentication/ Authorization  Audit trails  Chain-of-Trust Agreements

9 9 Security Framework  Are based upon good business practices  Tell you What to do not How to do it  Each affected entity  Must assess own security needs and risks and  Devise, implement, and maintain appropriate security to address business requirements HIPAA

10 10 Security Goals  Confidentiality  Integrity  Availability of protected health information

11 11 Security is Good Business  No such thing as 100% security  “Reasonable measures” need to be taken to protect confidential information (due diligence)  A balanced security approach provides due diligence without impeding health care  Good security can reduce liabilities- patient safety, fines, lawsuits, bad public relations

12 12 Benefits of Security  Security can protect confidential information {Can have security by itself, but Cannot have Privacy without Security}  Health care organizations can build patient trust by protecting their confidential information.  Trust between patient and provider improves the quality of health care

13 13 Protecting Confidential Information Providing patients with quality healthcare also includes protecting their confidential information.

14 14 Security Standards can be grouped into four categories: Administrative safeguards -comprehensive security policies and procedures; security training Physical safeguards -data integrity, backup, access, workstation location Technical security services -measures to protect patient information and control individual access to such information when it is at rest Technical security mechanisms -security measures to guard against unauthorized access to data when it is transit

15 15 Consequences of Inadequate Security  Civil Lawsuit Financial loss  Criminal Penalties Fines and prison time  Reputation Lack of confidence and trust Violation of patient privacy may result in: Major threats: Dissatisfied Employees and Dissatisfied Patients

16 16 Or Worse… A breach in security could damage your organization’s reputation and continued viability. “There is a news crew from 60 Minutes in the lobby. They want to speak to to you about an incident that violated a patient’s privacy.”

17 17

18 18 Steps Toward Compliance…  Establish good security practices  Train the workforce  Update policies and procedures  Make sure your business associates and vendors help enable your compliance efforts

19 19 New Security Practices Required  Media Controls  Automatic Logoff  Personnel Security Practices  Clearances  Terminations  Technical Security Policies  Protection of Data at Rest  Data in Transmission

20 20 Existing Practices to Evaluate  Trash/Recycle/Shred  Unattended Computers  Wireless Technology  E-Mail

21 21 Security Compliance Areas:  Training and Awareness  Policy and Procedure Review  System Review  Documentation Review  Contract Review  Infrastructure and Connectivity Review  Access Controls  Authentication  Media Controls

22 22 Security Compliance Areas…:  Workstation  Emergency Mode Access  Audit Trails  Automatic Removal of Accounts  Event Reporting  Incident Reporting  Sanctions  Business Associates  Technology Vendors

23 23 Documentation Review- “if it has been documented, it hasn’t been done”!  Policies and Procedures dealing with accessing, collecting, manipulating, disseminating, transmitting, storing, disposing of, and protecting the confidentiality of patient data both internally (e-mail) and externally  Medical Staff By-laws  Disaster Recovery/Business Continuity Plans

24 24 Privacy Policies and Procedures  Corporate and department policies and procedures relating to: confidentiality, information security, information security incident reporting, disciplinary action and sanctions for security and confidentiality breaches, physical and technical security  Confidentiality agreements-employees and vendors  State law vs. Privacy Rule Health Privacy Project, Georgetown U.: www.healthprivacy.org

25 25 System Review  Inventory of Systems (updated from Y2K)  Examine systems for existence of PHI Identify personal digital assistants (PDAs), notebooks, biomedical equipment, and independent databases containing PHI  Data flows of all patient-identifiable information both internally and externally  Identify system sources and sinks of patient data and associated system vendors/external business partners  Inventory all departments that:  Create PHI  Store/Maintain/Destroy PHI  Disclose PHI (then determine the identity and level of knowledge of those people doing the disclosures)

26 26 As part of the identification and flow of PHI : Identify locations of all official medical records Identify locations of all other clinical data, such as films, strips, billing records, etc. Identify the existence and location of any shadow records (copies of original records)

27 27 Contract Review  Vendor responsibility for enabling HIPAA compliance both initially and with upgrades as the regulations change  Business Associate Contracts/Chain of Trust not only with systems vendors but also with billing agents, transcription services, outsourced IT, etc.  Confidentiality agreements with vendors who must access patient data for system installations and maintenance (pc Anywhere)

28 28 Infrastructure & Connectivity Review  System Security Plans exist for all applications  Hardware/Software Configuration Management/Change Control Procedures- procedures for installing security patches  Security is one of the mandated requirements of the Systems Development Life Cycle  Network security- firewalls, routers, servers, intrusion detection regularly tested with penetration attempts, e-mail, Internet connectivity  E-commerce initiatives involving patient data  PDAs

29 29 Access/Authorization Controls  Only those with a “need to know”- principle of least privilege  Based on user, role, or context determines level  Must encrypt on Internet or open system  Procedure to obtain consent to use and disclose PHI  Physical access controls- keypads, card reader/proximity devices, escort procedures, sign-in logs

30 30 Media Controls  Policy/Procedure for receipt and removal of hardware and software (virus checking, “foreign” software); wipe or remove PHI from systems or media prior to disposal  Disable print capability, A drive, Read Only  Limit e-mail distribution/Internet access  E-fax as an alternative  Encourage individual back-up or store on network drive/ password protect confidential files

31 31 Workstation* Use * (Applies to monitors, fax machines, printers, copy machines)  Screen Savers/Automatic Log Off  Secure location to minimize the possibility of unauthorized access to individually identifiable health information  Install covers, anti-glare screens, or enclosures if unable to locate in a controlled access area  Regular updates of anti-virus software

32 32 Server Checklist  In a locked room?  Connected to UPS?-surge protector?- regular tests conducted?  Protected from environmental hazards?  Are routine backups done?- how often?- where are they stored?- tested regularly?- has the server ever been restored from backup media?  Anti-virus software running on server?  Is access control monitored? etc., etc.

33 33 Web - Hype Vs. Reality  Sandra Bullock - “The Net”  What is the real threat?

34 34 Strong Passwords ( guidelines )  At least 6 characters in length (with at least one numeric or special character)  Easy to remember  Difficult to guess (by a hacker)  Don’t use personal data, words found in a dictionary, common abbreviations, team names, pet names, repeat characters  Don’t index your password each time you change it

35 35 Termination Procedures  Documentation for ending access to systems when employment ends  Policies and Procedures for changing locks, turning in hardware, software, remote access capability  Removal from system accounts  Remind employee that PHI that they had access to must remain confidential even after leaving

36 36 Sanctions  Must be spelled out  Punishment should fit the crime  Enforcement  Documentation  “Teachable Moment”- Training Opportunity

37 37 Incident Report and Handling  Can staff identify an unauthorized use of patient information?  Do staff know how to report security incidents?  Will staff report an incident?  Do those investigating security incidents know how to preserve evidence?  Is the procedure enforced? Security Incident Reporting: Categorizing Incident Severity & Resolution

38 38 Business Associates  Identify Business Associates  Query department directors  Compare against contracts file  Compare information against accounts payable files  From PHI data flow analysis  Develop Business Associate Contract (BAC) language, then negotiate BACs

39 39 Business & Technology Vendors  Billing and Management Services  Data Aggregation Services  Software Vendors  Biomedical Equipment Vendors  PDA Vendors  Application Service Providers/Hosting Services  Transcription Services…etc.

40 40 Vendor/Covered Entities Issues  New risks for both sides  Vendor cannot make a Covered Entity “HIPAA Compliant”  Only Covered Entities and Business Associates can be HIPAA compliant  HIPAA Security compliance is a combination of business process + human interaction + technology  Vendors may ask for indemnification if covered entities do not implement systems completely to utilize all “features”

41 41 Vendor Questions  What features specifically have you incorporated into your products to support HIPAA Security and Privacy requirements; e.g., session time-outs, access controls, authorizations, backups and recovery, reporting of attempted intrusions, data integrity, audit trails, encryption algorithms, digital signatures, password changes?

42 42 Vendor Questions  Virus checks each time a PDA is synchronized with a laptop or desktop to avoid transmitting garbled information, missed appointments, faulty diagnoses, erroneous prescriptions…; authenticating access; encryption to guard against intercepts  Encryption software updates as the technology develops  Smart card or biometrics to log on and access files and information on PDAs, desktops, and laptops

43 43 Vendor Questions  Will any of these features have an adverse impact on system performance- response time, throughput, availability?  Are these capabilities easily upgradeable without scrapping the current system as HIPAA matures?; Will we have to pay for them or will they be part of regular maintenance?  Are you participating in any of the national forums like WEDI SNIP, CPRI/HIMSS, NCHICA, etc. that are attempting to identify best practices for HIPAA compliance ?

44 44

45 45 Culture of Health Care  Poor history of adopting standards  Limited resources for security  Privacy has not been a market differentiator  Most believe the risk is low  Up until HIPAA, few incentives How long does it take to change an organization’s culture?

46 46 HIPAA = Culture Change Organizational culture will have a greater impact on security than technology. Must have people optimally interacting with technology to provide the necessary security to protect patient privacy. Open, caring-is-sharing environment replaced by “need to know” to carry out healthcare functions. Organizational Culture Technology 20% technical 80% policies & procedures

47 47 Culture Change Training ( Hands-on ), Education (Knowledge), and Awareness ( Top of Mind )

48 48

49 49 HIPAA Privacy/Security Training Requirements

50 50 Workforce Training  Privacy and security* training to:  Entire workforce by compliance date  New employees following hire  Affected employees after material changes in policies  Both general and targeted  Need to document *can combine, since symbiotic relationship

51 51 Who needs to be trained? Everyone !  Management  Clinical  Non-Clinical  Board of Directors  Vendors  Contractors  Volunteers  Physicians  Educators  Researchers  Students  Patients Includes: Full-time, Part-time, Temps, etc.

52 52 Workforce Training…  Training must be in the entity’s privacy and security policies and practices (not just HIPAA)  “Workforce” includes employees, volunteers, trainees and others whose work is under the provider’s control.  Hospital medical staff are not workforce, but privacy training for physicians is advisable.  Method of training is not specified (videos, handouts, tapes, etc.)

53 53 Topical Areas HIPAA Security Training Requirements:  Individual security responsibilities  Virus protection  Monitoring login success and failure  Incident reporting  Password management

54 54 Topical Areas Others topics may include:  Policies and Procedures (with respect to protecting health information)  Confidentiality, Integrity, Availability (CIA)  Sensitivity of health data  Threats to information security  Countermeasures (Physical, technical, operational)  Sanctions for security breaches

55 55

56 56 Steps Toward Compliance…  Develop programs for Awareness, Education, and Training  Identify various audiences  Determine specific needs of each audience  Determine best mode of delivery  Establish a “certification” test for each aspect of the program (to ensure knowledge transfer and for proof of compliance)

57 57 How People Learn  10 % by Hearing  40% by Seeing  50% by Doing “What I hear, I forget. What I see, I remember. What I do, I understand.” - Confucius 451 BC

58 58 Training Delivery Mechanisms  Briefings  Formal Classroom Training  Video  CBT  WBT  Conferences

59 59 Some Commonly Used Methods  Fliers or handouts  Posters  An Intranet web page  Articles in company newsletters  Promotional products EX: Mouse pads, rulers, stress balls, flowers, etc.  Presentations at meetings  “Munch-N-Learn” Bring snacks! (“If you feed them, they will come.”)

60 60 Less Common Methods  Host special events  Integrate security into other training classes  Use screen savers with awareness reminders  Use network logon messages  Look for “teachable moments”  Develop security “champions”  Leverage a “negative event”  Use the “Grapevine”

61 61 Targeted Training  Board Members and Executives  Stress oversight role and consequences of non-compliance  How rest of industry is addressing compliance  Up-to-date awareness of guidance, rulemaking, and legislative changes  Front-line Staff  Emphasize privacy and how it’s protected by security  Describe penalties for rogue actions  Explain good security practices

62 62 Targeted Training…  Administrative Staff  Emphasize good security practices  Describe how access to PHI must be terminated when the employee leaves or is reassigned to a new function  Technical Staff  Emphasize security mechanisms for protecting data at rest and in transit  How to implement authentication and access, disaster recovery, encryption, etc. requirements

63 63 Targeted Training…  Support Staff- cleaning, maintenance, business associates, etc.  What to do when they encounter PHI: any information seen on someone’s desk or computer monitor is private and nothing is to be done to it  Any information, not their own, is not to be discussed, even if accidentally viewed

64 64 Preferred Delivery Modes  New hires: Internet, Intranet, or multi- media computer training  Can be accessed at anytime  Same question can be repeated  Can be turned off when audience loses interest  Best as introduction

65 65 Preferred Delivery Modes…  Clinicians, mid-level managers, and board members: stand-up presentations  Can be customized  Speaker can respond to questions from the audience  Departmental point people: train-the- trainer approach  Can relate to co-workers and provide relevant, pertinent lessons  Impact on each departmental function explained

66 66 "Our next speaker's remarks are encrypted. Those of you with hand-helds may log on if you have the password." Cartoon by Dave Harbaugh from hcPro’s healthcare Humor Keep it simple!

67 67

68 68 A Balanced Approach $ Risk  Cost of safeguards vs. the value of the information to protect  Security should not impede care  Security and Privacy are inextricably linked  Your organization’s risk aversion

69 69 Vendors  Vendors cannot make you HIPAA- compliant- will “enable”  You need to be an informed buyer  Create a business associate contract that is favorable to you  HIPAA will be continuously fine-tuned- build growth potential in your systems at no or minimal cost

70 70 Reasonableness/Common Sense  Administrative Simplification Provisions are aimed at process improvement and saving money  Healthcare providers and payers should not have to go broke becoming HIPAA- compliant  Expect fine-tuning adjustments over the years and be flexible and innovative in keeping your workforce trained

71 71 Due Diligence! Remember:

72 72 john.parmigiani@ctghs.comjohn.parmigiani@ctghs.com / 410-750-2497

Download ppt "Implementing HIPAA Security and Complying with the HIPAA Privacy/Security Workforce Training Requirement John Parmigiani National Practice Director HIPAA."

Similar presentations

HIPAA’s Security Regulations

HIPAA’s Security Regulations
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.

HIPAA. What Why Who How When What Is HIPAA? Health Insurance Portability & Accountability Act of 1996.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.

Bringing HIPAA to Hospital Systems HIPAA impact on hospital systems viaMD solution for HIPAA compliance W e b e n a b l i n g Pa t i e n t A d m i t t.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.

1 Electronic Information Security – What Researchers Need to Know University of California Office of the President Office of Research May 2005.
Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.

Data Security for Healthcare Facilities Debbie Abbott Health Information Consultant Resolutions (Int) Pty Ltd.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards

Similar presentations

Ads by Google