HIPAA Security: Community Health Network On-Line Mandatory Training
Objectives of Training • HIPAA Fundamentals • Privacy Rule Basics • Security Rule Basics • Security Components • Security Policies and Procedures • Instructions: On-line mandatory training
What does HIPAA stand for? • Health • Insurance • Portability • Accountability • Act
HIPAA Policies: CHN has 25 policies that relate to HIPAA; they can be found on the CHN Intranet under: • "Policies & Procedures – CHN Policies – Section 20 Information Technology" • "CHN Manuals & General Info – HIPAA"
HIPAA Overview: HIPAA was passed in 1996 with three goals: • Standardizing records: makes transaction coding and compliance simpler, saving money in the long term. • Portability: allows medical information to be transferred easily. • Accountability: the responsibility piece, keeping the information private and secure. • Two rules follow from this that we must comply with: • The Privacy Rule • The Security Rule
HIPAA: Privacy Rule • Restricts what information can be disclosed and who may have access to it, specifically in relation to: • Individually Identifiable Information • Protected Health Information (PHI)
HIPAA: Privacy Rule Individually Identifiable Information: • A subset of health information, created or received by a Covered Entity, relating to a condition, treatment, or payment that could be used to identify a client. • Any information that can be traced back to a specific person is considered Individually Identifiable Information.
HIPAA: Privacy Rule Protected Health Information (PHI): • Any health or personal information given to a covered entity, whether verbal, written, or electronic, must remain confidential. This includes information that can connect the patient to the medical record: • Name • Address • Social Security number • Other identification numbers (MRN) • Physicians' personal notes • Billing information
HIPAA: Privacy Rule Covered Entity: • Any health plan, clearinghouse, or provider that transmits health information (CHN is one). • Covered entities MUST: • Allow patients to see and receive copies of their PHI. • Designate a Privacy Officer and a means to contact them. • Develop a Notice of Privacy Practices document for patients to read and sign. • Provide training to new employees and affiliates. • Develop and use a complaints process. • Ensure business associates also comply with the Privacy Rule.
HIPAA: Privacy Rule Business Associate: • A person or organization that performs a function on behalf of a Covered Entity using individually identifiable information. • Required to sign a Business Associate Agreement, which states that the organization is held to the same degree of responsibility as the Covered Entity for keeping information private. • If the Business Associate needs to share information with another organization, it must establish a Business Associate Agreement with that organization in turn. • The chain of responsibility for private information cannot be broken. • Patients can file a grievance if they think their rights have been violated.
HIPAA: Privacy Officer Ann Trombley: Privacy Officer • Develops the Notice of Privacy Practices document. • Investigates complaints and violations. • Ensures Business Associates also comply with the Privacy Rule. • Ensures CHN and its employees are compliant with the Privacy Rule. • Ensures privacy standards comply with statutory and regulatory requirements. • Maintains HIPAA privacy policies and procedures.
HIPAA: Security Rule • Ensures that electronic PHI is protected. • Four Requirements of Security: • Ensure the confidentiality, integrity, and availability of electronic PHI. • Protect against reasonably anticipated threats and hazards to the information, such as hackers, viruses, natural disasters, or system failures. • Protect against unauthorized uses or disclosures. • Ensure compliance by the workforce through security regulations and policies/procedures. • Three Components of Security: • Administrative Safeguards • Physical Safeguards • Technical Safeguards
HIPAA: Security Rule Administrative Safeguards: • Documentation is kept for 6 years. • Corrective action: • CHN has a ZERO TOLERANCE POLICY for non-compliance; the non-compliant individual will be immediately dismissed. • Violations of a severe nature may result in notification to law enforcement officials as well as regulating, accrediting, and/or licensing organizations. • Internal system audits minimize security violations by reviewing logins, file accesses, and security incidents. • Information access management: • Access to PHI is based on what is needed to perform the job. • Once computer access is requested, it takes 48-72 hours to implement because of the complexity of the security system. • Security awareness and training: • Security updates, incident reporting, log-in, and password management. • Suspected security incidents must be reported, as must actual breaches.
HIPAA: Security Rule Physical Safeguards: • Safeguard the facility and equipment from unauthorized physical access, tampering, and theft. • Workstations are positioned so that monitor screens and keyboards are not directly visible to unauthorized persons; privacy screens are used where applicable. Physical access to the server room is limited to key IT personnel. • Workstation use and security; users must: • Log on as themselves, and log off before leaving the workstation. • Inspect the last-logon information and report any discrepancies. • Comply with all applicable password policies and procedures. • Close files not in use. • Perform memory-clearing functions.
HIPAA: Security Rule Technical Safeguards: • Access controls: • The initial user password is for one-time use only; the individual then chooses their own unique password for future access. • User passwords are reset every 180 days. • Citrix sessions automatically close after 60 minutes of inactivity. • Meditech sessions automatically close at different intervals depending on where the user is within the program: • Initial log-on screens close within seconds of inactivity. • Screens further into specific modules close and back up to the previous screen after anywhere from seconds to minutes of inactivity.
HIPAA Security Officer Mike Bartman: Primary Security Officer • Maintains appropriate security measures to guard against unauthorized access to electronically stored and/or transmitted patient data and to protect against reasonably anticipated threats and hazards. • Oversees and/or performs ongoing security monitoring of organization information systems. • Ensures compliance through adequate training programs and periodic security audits. • Ensures security standards comply with statutory and regulatory requirements. • Maintains HIPAA security policies and procedures. **Backup Security Officer: Tom Krystowiak (Compliance Officer)
HIPAA Violations • Significant issues beyond CHN's jurisdiction can be reported to: • Centers for Medicare & Medicaid Services (CMS) • Office for Civil Rights (OCR) • Department of Justice (DOJ) • HIPAA violations can and do result in civil and criminal penalties, which individuals may face personally: • Civil penalties range from $100 per violation up to a maximum of $25,000 per year for each standard violated. • Knowingly disclosing PHI is a criminal offense; penalties escalate with intent, from up to $50,000 and one year in prison, to $100,000 and five years for offenses under false pretenses, to $250,000 and ten years for offenses committed for commercial advantage, personal gain, or with malicious intent.
Who is responsible for HIPAA? EVERYONE at CHN (including our affiliates) has an obligation to maintain privacy and security, for example: • IT Managers/Staff: • Implement safeguards for the computer systems. • Medical Professionals: • Create and access the majority of patient information. • Managers and Supervisors: • Develop and implement policies and procedures that relate to security, and ensure their staff are trained properly. • Clerical Staff: • Create and access patient information. • Volunteers: • Have access to patient information in various settings such as lobbies and waiting rooms.
Tips for HIPAA Compliance • Log on and off the network appropriately. • Never let others use your ID or work under your ID. • Do NOT write your password down. • Do NOT disable anti-virus software or install unapproved software. Never introduce new hardware or media. • E-mail may be, but is not always, a secure form of data transmission. Do NOT e-mail PHI unless you are using encrypted means. • Use caution when opening e-mail attachments from unknown sources. • Do NOT access information you are not permitted to see, and do NOT give such information to unauthorized employees. • Be aware of, and report, security threats to the Security Officer.
Following the presentation • Be sure to complete the two required forms as documentation of completion. Successful completion of this on-line mandatory training is required to receive your computer access privileges. CHN HIPAA Security Quiz • Click HERE to take the quiz. • Print the form. • Answer the questions (no more than 3 wrong answers are allowed). • Fill in the top of the form and sign at the bottom. Policy – Internet/Intranet Acceptable Use • Click HERE to read the Policy. • Read the policy. • Print page 3, "Office Technology Use Agreement". • Fill in the top of the form and sign/date at the bottom. **Complete both items and return them to the applicable Department (HR or Education) PRIOR to your first day.**