(1)

HIPAA Privacy and Security Requirements

600 East Superior Street, Suite 404 I Duluth, MN 55802 I Ph. 800.997.6685 or 218.727.9390 I www.ruralcenter.org

Joe Wivoda, CIO and HIT Consultant
June 19, 2013

(2)

Purpose

The National Rural Health Resource Center is a nonprofit organization dedicated to sustaining and improving health care in rural communities. As the nation's leading technical assistance and knowledge center in rural health, The Center focuses on five core areas:

• Performance Improvement
• Health Information Technology
• Recruitment & Retention
• Community Health Assessments
• Networking

(3)

Introduction

• B.S. and M.S. in Physics, Ph.D. (ABD) in Business Administration
• Computational Physics and Computer Modeling
• Innovation Process and Management of Technology
• Worked as CIO/Director of IT for several hospitals and systems, exclusively in rural and Critical Access
• HIT Consultant for MN/ND REC, HIT Network Grantees, TASC, and other programs

(4)

Some Interesting Facts…

• Since 2009 there have been 615 reported breaches, each affecting 500 or more people
• 22 million patients affected
• Want to know who lost the data? We can look it up, AND they had to notify the local media (newspaper, television, etc.)

(5)

How was this data lost?

• Hackers?
  • Yes, but only 7%
• Unauthorized Access?
  • Yes, but only 3%
• The winner is…
  • Theft and Loss at 46%!

Data from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html

(6)

Where was the data?

• Email – 1.5%
• EMR – 12%
• Laptops – 11%
• Servers – 12%
• BIG winner is Backup media at 30%!

Data from

(7)

What does this mean?

• We need to be good stewards of the data
  • If the banking industry had as many breaches, how would we feel about banking online?
• There are simple ways to protect the data
• Meaningful Use (HITECH Act) requires an annual HIPAA security risk assessment. We need to make this an ongoing activity, not a once-a-year checkbox!

(8)

Intro to HITECH Requirements

• Breach notification
  • Notice of a breach of "unsecured" PHI must go to each affected individual without unreasonable delay, and in no case later than 60 days after discovery.
  • PHI is considered "unsecured" unless it has been rendered "unusable, unreadable, or indecipherable" to unauthorized persons, which in practice means encrypted or destroyed (shredded). Only the methods in the HHS guidance qualify; a lost laptop with a weak vendor "lock" is still unsecured.
  • Breaches affecting more than 500 individuals? Notify prominent local media as well as HHS.


(10)

Intro to HITECH Requirements (cont.)

• Business Associate Agreements
  • HIPAA now applies DIRECTLY to business associates.
  • All BAAs will need to be updated with new language (security compliance, breach notification, etc.).
  • All the provisions you fall under, your BAs now fall under, including random audits.

(11)

Risk Assessment Overview

• "Conduct or review a security risk analysis and correct identified security deficiencies as per 45 CFR 164.308"
  http://edocket.access.gpo.gov/cfr_2009/octqtr/pdf/45cfr164.308.pdf
• There are several tools that can help you keep track of or perform the risk assessment
• Horse's mouth: http://scap.nist.gov/hipaa/

(12)

Risk Assessment Overview: IT Focus

• Administrative Safeguards
  • Business associate agreements
  • Policies for downtime, passwords, access, access termination
  • Role-based security
  • Auditing policies
  • Malicious software and repeated login attempt policies
  • Security incident response
  • Contingency plans and periodic testing
  • Backup policies

(13)

Risk Assessment Overview: IT Focus (cont.)

• Physical Safeguards
  • Policy on access to computer equipment
  • Documentation of repairs and changes
  • Final disposition of EPHI

(14)

Risk Assessment Overview: IT Focus (cont.)

• Technical Safeguards
  • Unique name or number for each individual user
  • Session timeout
  • EPHI encryption policy
  • Audit controls

(15)

Auditing Policies

• Auditing of access to patient data is a requirement of HIPAA
• There are several ways to do this effectively
  • High profile patients
  • Random employee
  • Random patient
  • Patient/employee last name matches
  • During monthly tracers
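The access-audit methods listed above can be run as routine checks over the EHR's chart-access log rather than by hand. The following is an added example written for this page, not code from the original slides or from any EHR vendor; the CSV layout, the field names, the watch list and the records in SAMPLE_LOG are all constructed for illustration, so the parser must be adapted to a real audit export.

```python
"""Access-audit checks run over an EHR chart-access log.

Added example, not from the original slides. The CSV layout, field names and
the records in SAMPLE_LOG are constructed for illustration; real EHR audit
exports differ, so adapt parse_log() to your vendor's format.
"""
import csv
import io
import random
from collections import defaultdict

# Constructed sample export: one row per chart access event.
SAMPLE_LOG = """\
timestamp,user_id,user_last,patient_mrn,patient_last,action
2013-06-01T08:02:11,u1001,Anderson,MRN0001,Johnson,view
2013-06-01T08:15:42,u1002,Johnson,MRN0002,Johnson,view
2013-06-01T09:30:05,u1003,Smith,MRN0003,Mayor,view
2013-06-01T10:11:19,u1001,Anderson,MRN0003,Mayor,print
2013-06-01T11:45:00,u1004,Lee,MRN0004,Olson,view
2013-06-02T07:58:33,u1002,Johnson,MRN0005,Nguyen,view
2013-06-02T08:20:10,u1001,Anderson,MRN0004,Olson,view
"""

# Patients under heightened scrutiny (constructed list): public figures,
# employees and their relatives, anyone whose chart has been in the news.
HIGH_PROFILE_MRNS = {"MRN0003"}


def parse_log(text):
    """Parse a CSV audit export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def last_name_matches(records):
    """Accesses where the employee's last name equals the patient's.

    A cheap screen for staff looking up relatives. Common surnames produce
    false positives, so the output goes to the privacy officer for review,
    not straight to discipline.
    """
    return [r for r in records
            if r["user_last"].casefold() == r["patient_last"].casefold()]


def high_profile_accesses(records, mrns=HIGH_PROFILE_MRNS):
    """Every access to a watch-listed patient; each one needs a documented
    treatment, payment or operations justification."""
    return [r for r in records if r["patient_mrn"] in mrns]


def random_sample(records, key, n, seed=None):
    """Pick n random employees (key="user_id") or patients (key="patient_mrn")
    and return all of their access events for a tracer-style chart review.
    seed is only for reproducible audits; omit it in practice."""
    by_key = defaultdict(list)
    for r in records:
        by_key[r[key]].append(r)
    rng = random.Random(seed)
    chosen = rng.sample(sorted(by_key), min(n, len(by_key)))
    return {k: by_key[k] for k in chosen}


def distinct_patients_per_user(records):
    """How many different charts each user opened; a user far above the
    unit's norm is a candidate for the monthly tracer."""
    seen = defaultdict(set)
    for r in records:
        seen[r["user_id"]].add(r["patient_mrn"])
    return {u: len(p) for u, p in seen.items()}


def run_audit(text, seed=None):
    """Run all checks over one export and return the findings as one dict."""
    records = parse_log(text)
    return {
        "last_name_matches": last_name_matches(records),
        "high_profile": high_profile_accesses(records),
        "random_employee": random_sample(records, "user_id", 1, seed),
        "random_patient": random_sample(records, "patient_mrn", 1, seed),
        "distinct_patients_per_user": distinct_patients_per_user(records),
    }


if __name__ == "__main__":
    findings = run_audit(SAMPLE_LOG, seed=42)
    for name, result in findings.items():
        print(f"== {name} ==")
        print(result)
```

Each check produces a worklist for a human reviewer, not a verdict: a last-name match is often a coincidence, and a high-profile access is usually legitimate care. The value is that the same checks run the same way every month and the review of each finding is documented, which is what an auditor will ask to see.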

(16)

How to get started

• A team should be assembled for the risk assessment – this is NOT an IT or HIM project!
  • Security officer
  • Privacy officer
  • HIM
  • Nursing
  • Others

(17)

What you need to focus on…

• Business Associates
  • Update language to contain HITECH requirements
  • Check your list of BAs (or create one)
  • Renew agreements
• Update policies and procedures for privacy and security requirements
  • Should be reviewed annually
• Auditing access to patient data

(18)

What IT needs to focus on…

• Backups
  • Do you store off site? Are they encrypted?
• Server room and network closets
  • Secure?
  • Protected from fire, water, power failure, and other threats?
• Encryption
  • Everyone will need an encryption solution
  • Where will you need encryption?
• Securing mobile devices
  • Moving target
  • Understand your devices, and expect that they will change!
• Security holes

(19)

Myths and Facts

• Encryption
  • Not every device needs encryption; the Security Rule lists encryption as an "addressable" specification, so you must assess each case and document why you did or did not encrypt
  • You are not required to encrypt data on the wire, but the same assess-and-document rule applies
  • Tapes are not required to be encrypted, but encrypted tapes are a good idea: only encrypted (or destroyed) PHI counts as "secured", so a lost encrypted tape is not a reportable breach while a lost clear-text tape is
• Disaster recovery
  • You need to have a contingency plan
  • Disaster recovery, as part of the contingency plan, should contain enough information to get you up and running
  • Rely on your vendor as much as possible, but do expect that you may need to reinstall your EHR without their help
• Need for a hot site
  • Not required by the regulations
  • May be a good idea

(20)

Useful Web Sites

• NIST HIPAA Security Rule Toolkit
  • http://scap.nist.gov/hipaa/
• HIPAA Collaborative of Wisconsin
  • http://hipaacow.org/
• Rural Assistance Center HIT Toolkit – Privacy and Security section

(21)

Joe Wivoda
CIO and HIT Consultant
National Rural Health Resource Center
600 East Superior Street, Suite 404
Duluth, MN 55802
(218) 262-9100
