HIPAA Security
Community Health Network Staff On-Line Mandatory Training
Presentation Agenda
• HIPAA Fundamentals
• Privacy Rule Review
• Security Rule Basics
• Security Components
• Security Policies and Procedures
• Instructions for completing the on-line mandatory training
HIPAA Fundamentals – HIPAA Overview: What does HIPAA stand for?
• Health
• Insurance
• Portability and
• Accountability
• Act
• In 1996, the HIPAA Act was passed.
• The goal was to ensure that people had insurance portability, that there was accountability for health care information, and lastly that there was administrative simplification.
• The portability allows you to transfer information easily.
• The accountability adds the responsibility requirement.
• By standardizing record sets, it made transaction coding and compliance simpler, thereby saving money in the long term.
HIPAA Fundamentals – Three HIPAA Rules
• Privacy Rule
  • The HIPAA Privacy Rule went into effect April 14, 2003.
  • The Privacy Rule deals with what information should be kept private and who should have access to it.
• Transaction Rule
  • The compliance deadline for the Transaction Rule was October 16, 2003.
• Security Rule
  • The Security Rule was finalized early last year and went into effect April 21, 2005.
  • The Security Rule is the reason for this training. This is the rule that governs what must be done to reasonably ensure that electronic information is kept private. Areas where this could impact you include sharing passwords, leaving workstations unattended, working from home, etc.
Privacy Rule Review
Before we get into Security Rule details, let’s revisit some key HIPAA terms.
• We are a provider that transmits health information in electronic form, so we are a covered entity and must comply with HIPAA.
• We also have many business associates with which we share patient information.
• HIPAA requires that we formally communicate the need to keep this information private, and we do that by signing a Business Associate Agreement. The business associate is then held to the same degree of responsibility as the covered entity.
• If that business associate needs to share the information with another organization, they must continue the process of establishing business associate agreements.
• The chain of private information can’t be broken.
• Patients can file a grievance if they think their rights have been violated.
HIPAA Terms
• Covered Entity: any health plan, clearinghouse, or provider who transmits health information in electronic form in connection with a HIPAA transaction
• Business Associate: a person or organization that performs a function on behalf of a covered entity using individually identifiable information
Privacy Rule Review – HIPAA Terms
• Individually Identifiable Information
  • A subset of health information that is created or received by a covered entity, related to condition, treatment, or payment for treatment, which can be used to identify a client
  • Many types of information that we work with in our daily lives are individually identifiable. You can think of it this way: if the information can be tracked back to a specific person, then it is individually identifiable.
• Protected Health Information (PHI)
  • PHI is individually identifiable information that is maintained in any form by a covered entity
  • PHI more specifically relates to the maintenance or transmittal of the information. You will see PHI referred to quite often as HIPAA is discussed. This is the information that must be kept confidential.
• Examples of PHI include:
  • Individual’s name or address
  • SSN
  • Date of birth
  • Treatment documentation
  • Billing information
Security Rule Basics
• HIPAA enacted in 1996
• 8/12/98 – Security Rule proposed
• 2/20/03 – Security Rule adopted (published in the Federal Register)
Security Rule Basics – Privacy vs. Security
• Privacy Rule
  • This rule covers what information is protected and who should have access to it.
• Security Rule
  • This rule covers what needs to be done to protect the information.
  • The Security Rule applies specifically to the security of electronic information only.
Security Rule Basics – Four Requirements of Security
• Ensuring confidentiality, integrity, and availability of electronic PHI
  • We are required to keep information confidential, ensure it has not been tampered with, and ensure it is available only to those authorized
• Protecting against possible threats or hazards to our information
  • We must plan for items that may threaten our information systems. This includes intentional acts such as hackers and viruses as well as natural disasters and system failures.
• Protecting against unauthorized uses or disclosures
  • Requires us to restrict who gets access to our electronic PHI and who doesn’t
• Ensuring compliance by the workforce
  • We must ensure that you are compliant with the security regulations and that our policies and procedures are developed in accordance with the regulations
Security Rule Basics – Who is responsible for Security? EVERYONE, including:
• I/T Managers and Staff
  • I/T managers and staff are responsible for implementing safeguards in our computer systems
• Medical Professionals
  • Medical professionals create and access the majority of patient information and have an obligation to maintain its privacy and security.
• Managers and Supervisors
  • Managers and supervisors are responsible for developing and implementing policies and procedures as well as ensuring their staff is properly trained
• Clerical Staff
  • Clerical staff also create and access patient information and also have an obligation to maintain its privacy and security.
• Volunteers
  • Volunteers have access to patient information (such as in the Surgery Waiting Room) and have an obligation to maintain the privacy and security of this information.
• Business Associates (described earlier in the presentation)
Security Rule Components – Three Components of Security
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
Policies
The organization has drafted 25 policies that relate to HIPAA Security. These policies can be found on the CHN Intranet under:
• “Policies & Procedures – CHN Policies – Section 20 Information Technology” or
• “CHN Manuals & General Info – HIPAA”
Today’s session will review some of those policies and procedures that affect most employees. In some departments, you may have additional training to supplement what is presented here today.
Administrative Safeguards – #20-027-1104 HIPAA (I/T) – Sanctioning of Workforce
• Documentation is retained for 6 years
• Sanctions follow CHN policy 05-024 Corrective Action/Discipline Process (Includes HIPAA):
  • first offense of noncompliance = documented coaching/counseling session
  • second offense of noncompliance = documented one-day leave without pay
  • third offense of noncompliance = documented termination
  • for incidents of serious misconduct, the process may be abbreviated and an employee is subject to immediate dismissal. Violations of a severe nature may result in notification to law enforcement officials as well as regulating, accreditation, and/or licensure organizations.
• In addition to CHN sanctions, civil and/or criminal penalties may apply to anyone committing noncompliant acts
Administrative Safeguards – #20-027-1104 HIPAA (I/T) – Information Systems Activity Review
• Periodic internal reviews of system records to minimize security violations involving electronic protected health information
• Areas that are reviewed include, but are not limited to, the following:
  • Logins
  • File accesses
  • Security incidents
• In addition to CHN sanctions, civil and/or criminal penalties may apply
Administrative Safeguards – #20-025-1104 HIPAA (I/T) – Responsibilities of the I/T Security Officer (ITSO)
• Two ITSOs are designated: the Primary and the Backup
  • Greg Beltran, Director of I/T, is the Primary ITSO
  • Thomas Krystowiak, Vice President of Finance, is the Backup ITSO
• The ITSO is responsible for the following:
  • Ensure that security standards comply with statutory and regulatory requirements
  • Maintain security policies and procedures
  • Maintain appropriate security measures and mechanisms to guard against unauthorized access to electronically stored and/or transmitted patient data and to protect against reasonably anticipated threats and hazards
  • Oversee and/or perform on-going security monitoring of organization information systems
  • Ensure compliance through adequate training programs and periodic security audits
Administrative Safeguards – #20-019-1104 HIPAA (I/T) – Information Access Management
• Employees, contractors, and other users are granted access only to the health information to which they are authorized
• The workforce member’s immediate director/supervisor is responsible for determining and requesting (in a timely manner) the appropriate access to electronic protected health information via the “electronic green sheet” form found on the CHN Intranet.
• Access rights are verified upon hire/initial setup and are reviewed upon job transfer and/or at the request of the workforce member’s immediate director/supervisor.
• It takes 48-72 hours to implement the various access rights, given the complexity of our security systems.
Administrative Safeguards – #20-028-1104 HIPAA (I/T) – Security Awareness & Training
• All workforce members of CHN and its affiliates, including management, shall receive mandatory training regarding security awareness.
• System users of CHN and its affiliates shall receive training regarding:
  • periodic security updates;
  • incident reporting;
  • log-in; and
  • password management
• The ITSO of CHN and its affiliates will send out periodic reminders and security updates every 6 months to make workforce members, as well as agents and contractors if necessary, aware of security concerns and initiatives on an ongoing basis.
• Successful completion of initial and periodically recurring training is a prerequisite for system access and a factor in job performance. A secure record will be maintained by I/T Network Administrators for tracking training requirement fulfillment for each individual.
Administrative Safeguards – #20-028-1104 HIPAA (I/T) – Security Incidents
• Workforce members, contractors, and others shall immediately report any and all suspected and actual breaches of information security to the I/T Security Officer (ITSO).
• Anyone suspecting a security incident will immediately notify the Primary ITSO by phone or personal visit (e-mail will not be used). You may be asked to supply the following information, which will be documented by the ITSO in his/her formal report:
  • Name and phone number of the person reporting the incident
  • Date and time the incident was discovered
  • Observed behaviors that led to the incident being suspected
  • Any unusual circumstances surrounding the event
Physical Safeguards – #20-018-1104 HIPAA (I/T) – Facility Access Controls
• CHN and its affiliates will safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
• Workstations will be positioned such that monitor screens and keyboards are not directly visible to unauthorized persons. Additionally, privacy screens will be used where applicable
Physical Safeguards – #20-021-1104 HIPAA (I/T) – Workstation Use and Security
• Workforce members shall use workstations in a manner appropriate to the sensitivity of the information contained therein and minimize the possibility of unauthorized access to such information.
• Workstation users will:
  • Log on as themselves, not as another workforce member;
  • Log off prior to leaving their workstation;
  • Inspect the last logon information for consistency with their actual last logon, and report any discrepancies (as well as any other suspicious findings) to the Director of Information Technology;
  • Comply with all applicable password policies and procedures;
  • Close files not in use; and
  • Perform memory-clearing functions as needed to comply
Technical Safeguards – #20-032-1104 HIPAA (I/T) – Access Controls
• User passwords upon initial setup are set for one-time use so that the individual workforce member can choose their own unique password
• User passwords will reset every 180 days.
• Citrix sessions will automatically close after 60 minutes of no activity
• Meditech sessions will automatically close at different intervals depending on where you are in the program:
  • Initial log-on screens will close within seconds of no activity
  • Screens further into specific modules will close and back up to the previous screen anywhere from seconds to minutes of no activity
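As an added example (not part of the CHN training or its policies), the following Python script sketches the periodic Information Systems Activity Review described earlier together with the 180-day password age rule on this slide: it runs over constructed audit lines and flags file accesses outside a user's granted scope, one ID logged on from several workstations, repeated failed logons, and expired passwords. The log format, the grants table, the password-set dates and the failed-logon threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (timestamp|event|user|workstation|detail); not real CHN logs.
SAMPLE_LOG = """\
2005-05-02 08:01:10|LOGIN|jsmith|WS-ER-01|ok
2005-05-02 08:03:44|LOGIN|jsmith|WS-BILL-07|ok
2005-05-02 08:10:02|FILE|jsmith|WS-ER-01|/phi/er/1001
2005-05-02 08:12:30|FILE|mlee|WS-BILL-07|/phi/er/1001
2005-05-02 08:20:00|LOGIN|mlee|WS-BILL-07|failed
2005-05-02 08:20:30|LOGIN|mlee|WS-BILL-07|failed
2005-05-02 08:21:00|LOGIN|mlee|WS-BILL-07|failed
"""
# Hypothetical grants from the "electronic green sheet": user -> PHI path prefix they may read.
GRANTS = {"jsmith": "/phi/er/", "mlee": "/phi/billing/"}
# Hypothetical date each user's password was last set.
PASSWORD_SET = {"jsmith": "2004-10-01", "mlee": "2005-03-01"}
PASSWORD_MAX_AGE_DAYS = 180   # from the Access Controls slide
FAILED_LOGON_THRESHOLD = 3    # assumed review threshold, not a CHN value

def parse(log):
    """Yield (timestamp, event, user, workstation, detail) for each audit line."""
    for line in log.splitlines():
        ts, event, user, ws, detail = line.split("|")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event, user, ws, detail

def review(log, review_date):
    """Return (user, finding) pairs for the periodic activity review."""
    findings = []
    workstations, failures = defaultdict(set), defaultdict(int)
    for ts, event, user, ws, detail in parse(log):
        if event == "LOGIN" and detail == "ok":
            workstations[user].add(ws)
        elif event == "LOGIN" and detail == "failed":
            failures[user] += 1
        elif event == "FILE" and not detail.startswith(GRANTS.get(user, "\0")):
            # "\0" never matches a path, so a user with no grant at all is always flagged
            findings.append((user, f"access outside granted scope: {detail}"))
    for user, seen in workstations.items():
        if len(seen) > 1:  # one ID active on several workstations: possible shared credential
            findings.append((user, f"logged on from {len(seen)} workstations"))
    for user, n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append((user, f"{n} failed logons"))
    today = datetime.strptime(review_date, "%Y-%m-%d")
    for user, set_on in PASSWORD_SET.items():
        age = (today - datetime.strptime(set_on, "%Y-%m-%d")).days
        if age > PASSWORD_MAX_AGE_DAYS:
            findings.append((user, f"password is {age} days old"))
    return findings
```

Calling `review(SAMPLE_LOG, "2005-05-02")` on the constructed lines yields four findings for the ITSO to follow up; each one is a lead for the review, not proof of a violation.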
Policy Enforcement
The policies will be enforced internally by the HIPAA Information Technology Security Officer, or ITSO.
• The primary ITSO for CHN is Greg Beltran, Director of I/T.
• The contact information for the ITSO is located on the CHN Intranet under CHN Manuals & General Information – HIPAA.
For significant issues beyond the organization’s jurisdiction, CMS (Centers for Medicare & Medicaid Services, a department within the US Federal Government) will have responsibility for enforcement. Under HIPAA Security, individuals may be held individually responsible and could face civil or criminal penalties.
Security Policies and Procedures – What can I do?
• Log on and off the network appropriately; do not leave your workstation logged on while you are gone
• Never let others use your ID. Do not let someone work logged in as you.
• Secure your password; do not write it down, share it with others, or leave it in the open
• Never disable anti-virus software or install unapproved software
• Never introduce new hardware or media to the network environment (don’t bring disks from home)
• Be aware of, and report, security threats to the ITSO
• Do not e-mail PHI unless using secure, encrypted means. E-mail may be, but is not always, a secure form of data transmission
• Use caution in opening e-mail files from unknown sources to prevent a virus from entering the system; e-mail may be a secure form, but you can’t assume this
• Handle electronic media (floppy disk, CD, etc.) with care and follow appropriate disposal methods (tossing it in the garbage can is not one of these)
• Don’t access non-permitted information or give non-permitted information to unauthorized employees
HIPAA Training Documentation
• Once you finish the presentation, be sure to complete the two required forms. Documented successful completion of this on-line mandatory training is required to receive your computer access privileges. You must get no more than 3 wrong on the quiz and return both forms to H/R in order to get credit for successfully completing this training.
• CHN HIPAA Security Quiz
  • Click on the CHN HIPAA Security Quiz link.
  • Print the form to your printer.
  • Complete the information requested at the top of the quiz.
  • Answer the questions.
• Policy #20-033-1104 HIPAA (I/T) – Internet/Intranet Acceptable Use
  • Click on the link to the policy.
  • Read the policy.
  • Print page 3, the “Office Technology Use Agreement”.
  • Fill in the information at the top of the agreement form and sign/date at the bottom.
• Complete both items and return them to the applicable H/R Department PRIOR TO your first day of work.
Conclusion of Presentation
• Thank you for taking time today to review the HIPAA Security CHN Staff Training Presentation.
• Please use the “page down” key once more to end the presentation and then use the “BACK” button in your toolbar above to return to the HIPAA Security Training Index and continue the process.
• You will need to print both items (the CHN HIPAA Security Quiz and the Office Technology Use Agreement). Complete the quiz (you must get no more than 3 wrong to pass) and fill out the agreement form.
• When finished with both, return them to the applicable H/R Department PRIOR TO your first day of work.