HIPAA for Allied Health Careers
Chapter 3: The HIPAA Security Standards
LEARNING OUTCOMES
After studying this chapter, you should be able to:
  Define electronic protected health information (ePHI).
  List the three goals of the HIPAA security standards.
  Compare and contrast risk analysis and risk management.
  Define identity theft.
  Describe the organization of the HIPAA Security Rule.
  Explain the purpose of implementation specifications, distinguishing between those that are required and those that are addressable.
  Describe key administrative safeguards.
  Discuss key physical safeguards.
  Describe key technical safeguards.
  Discuss the HIPAA security considerations for portable and/or mobile devices and for fax and e-mail transmissions.
KEY TERMS
  addressable implementation specifications
  administrative standards
  antivirus software
  authentication
  authorization
  availability
  backup procedure
  confidentiality
  confidentiality notice
  cryptography
  degaussing
  digital certificate
  e-discovery
  electronic protected health information (ePHI)
  encryption
  firewall
  HIPAA Security Rule
  identity theft
  implementation specifications
  integrity
  malware
  network security
  password
  physical standards
  portable and/or mobile media devices
  protocol
  required implementation specifications
  risk analysis
  risk management
  role-based authorization
  sanction policy
  security incidents
  technical standards
  unique user identification
  workstation
HIPAA Security
Electronic Protected Health Information (ePHI)
  The Security Rule applies to covered entities.
  It focuses only on ePHI.
  Its goals are:
    Confidentiality
    Integrity
    Availability
HIPAA Security (cont'd)
Threats to Information Security
  Covered entities must perform risk analysis.
  Covered entities must establish risk management.
  Common threats:
    Natural disasters
    Utility outages
    Malware
    Identity theft
    Subversive employees or contractors
    Computer system changes and updates
HIPAA Security (cont'd)
Security Background
  Network Basics
    Users within an organization share information via a network.
    Users need a user ID and password.
  Routers, Firewalls, and Proxy Servers
    A router links a local network to a remote network.
    Firewalls examine data entering and leaving a network.
HIPAA Security (cont'd)
Security Background (cont'd)
  Passwords
    Password logging programs
    Role-based authorization
  Cryptography and Transmission Protocols
    Cryptography uses encryption.
    Protocols require a check digit.
  Antivirus Software
    Scans for most viruses.
    Needs constant updating.
Organization of the HIPAA Security Standards
Administrative, Physical, and Technical Standards
  Administrative Standards: office policies to detect and correct security violations
  Physical Standards: policies that limit unauthorized physical access
  Technical Standards: policies that govern access to ePHI
Organization of the HIPAA Security Standards (cont'd)
Implementation Specifications
  Required implementation specifications: specifications that must be addressed exactly as indicated by HIPAA
  Addressable implementation specifications: specifications that must be addressed in some manner
Administrative Standards
Key Provisions
  Security management process includes risk analysis and risk management.
  Assigned security responsibility requires covered entities (CEs) to have a security officer.
  Workforce security means managing employees' access to information.
  Information access management includes authorization procedures.
  Security incident procedures mean having procedures to address security incidents.
  Contingency plans are plans for emergencies or other threats to the security of information.
  Evaluation is the ongoing evaluation of a CE's administrative policies.
  Business associate contracts are required.
Administrative Standards (cont'd)
Implementation Specifications for Administrative Standards
  Sanction policy states consequences for violations.
  Workforce clearance procedures, such as background checks, are an addressable specification.
  Data backup plan includes backup procedures for all important files.
  Disaster recovery plan includes procedures for recovering data after a disaster.
  Emergency mode operation plan includes procedures for accessing information in an emergency.
Physical Standards
Key Provisions
  Facility access controls must include limitations on physical access to facilities.
  Workstation use limits the use of certain workstations within an entity.
  Workstation security requires that access to workstations be limited.
  Device and media controls require that information be protected when computers are moved.
Physical Standards (cont'd)
Implementation Specifications for Physical Standards
  Disposal means destruction of all data (for example, by degaussing) before a device is disposed of.
  Reuse means removal of all data before a device is reused.
Technical Standards
Key Specifications
  Access controls mean limiting access to ePHI, for example by the use of passwords.
  Audit controls are devices or software that monitor for security breaches.
  Integrity is the protection of information from alteration or destruction.
  Person or entity authentication involves authenticating individuals, for example with digital certificates.
  Transmission security guards against access to information while it is being transmitted.
Technical Standards (cont'd)
Implementation Specifications for Technical Standards
  Unique user identification is required for each employee who needs access to ePHI.
  Emergency access procedure must be in place to access ePHI in emergencies.
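The technical safeguards listed above (unique user identification, role-based authorization, audit controls and integrity) and the role-based authorization and integrity checking from the Security Background slides, shown together as one small working model. This is an added example, not code from the textbook or from any HIPAA publication: the roles, permissions, user IDs and patient record values are constructed for the demonstration, and the integrity check generalizes the slides' check digit to a keyed hash (HMAC-SHA256), which detects alteration and cannot be recomputed by someone without the key.

```python
"""Minimal model of HIPAA technical safeguards on ePHI records.

Demonstrates four safeguards from the chapter:
  unique user identification  - every actor carries its own user_id
  role-based authorization    - permissions are granted per role, not per person
  audit controls              - every access attempt, allowed or denied, is logged
  integrity                   - records are sealed with an HMAC and verified on read
All roles, IDs and record contents below are constructed sample values.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Role-based authorization table (constructed): which actions each role may take.
PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},   # billing staff get no clinical read access
}


@dataclass
class User:
    user_id: str   # unique user identification: never a shared or generic login
    role: str


@dataclass
class EphiRecord:
    patient_id: str
    content: str
    digest: str = ""

    def seal(self, key: bytes) -> None:
        """Attach an HMAC-SHA256 over the content so later alteration is detectable."""
        self.digest = hmac.new(key, self.content.encode(), hashlib.sha256).hexdigest()

    def verify(self, key: bytes) -> bool:
        """Recompute the HMAC and compare in constant time."""
        expected = hmac.new(key, self.content.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, self.digest)


class EphiStore:
    def __init__(self, key: bytes):
        self._key = key          # integrity key; in practice held by the application, not users
        self._records = {}
        self.audit_log = []      # audit control: one entry per access attempt

    def _log(self, user: User, action: str, patient_id: str, allowed: bool) -> None:
        self.audit_log.append({
            "user": user.user_id, "role": user.role,
            "action": action, "patient": patient_id, "allowed": allowed,
        })

    def authorize(self, user: User, action: str) -> bool:
        """Role-based check: the decision depends only on the user's role."""
        return action in PERMISSIONS.get(user.role, set())

    def write(self, user: User, patient_id: str, content: str) -> bool:
        allowed = self.authorize(user, "write")
        self._log(user, "write", patient_id, allowed)
        if not allowed:
            return False
        record = EphiRecord(patient_id, content)
        record.seal(self._key)
        self._records[patient_id] = record
        return True

    def read(self, user: User, patient_id: str):
        """Return the record content, None if denied or absent; raise if tampered."""
        allowed = self.authorize(user, "read")
        self._log(user, "read", patient_id, allowed)
        if not allowed:
            return None
        record = self._records.get(patient_id)
        if record is None:
            return None
        if not record.verify(self._key):
            raise ValueError(f"integrity check failed for patient {patient_id}")
        return record.content


def denied_accesses(store: EphiStore) -> list:
    """The entries a security officer would review first: every denied attempt."""
    return [entry for entry in store.audit_log if not entry["allowed"]]


if __name__ == "__main__":
    store = EphiStore(b"constructed-demo-key")
    physician = User("u-1001", "physician")
    nurse = User("u-2002", "nurse")
    clerk = User("u-3003", "billing")
    store.write(physician, "p-42", "allergy: penicillin")
    print("nurse reads:", store.read(nurse, "p-42"))
    print("billing reads:", store.read(clerk, "p-42"))
    print("denied attempts:", denied_accesses(store))
```

Every attempt, including the denied ones, lands in `audit_log` with the acting user's unique ID, which is what makes the log usable for the sanction policy and incident procedures in the administrative standards; a shared login would leave the log unable to say who did what.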
HIPAA Security Standards: Portable and/or Mobile Media, Faxes, and E-Mail
Portable and/or Mobile Media Guidance
  Widely used devices are:
    USB flash drives and memory cards
    Laptop computers
    Personal digital assistants (PDAs) and smart phones
    Home computers
    Hotel, library, or other public workstations and wireless access points (WAPs)
    Backup media
    Remote access devices (including security hardware)
HIPAA Security Standards: Portable and/or Mobile Media, Faxes, and E-Mail (cont'd)
  Basic guidelines are:
    Strictly limit remote access to ePHI.
    Back up all ePHI entered into remote systems.
    Employ encryption on all portable or remote devices that store PHI.
    Install virus protection software on portable devices.
HIPAA Security Standards: Portable and/or Mobile Media, Faxes, and E-Mail (cont'd)
Sending Faxes and E-Mails
  Administrative procedures include double-checking fax numbers and including a confidentiality notice.
  Physical safeguards include limiting access to fax machines and asking recipients to give notice of fax number changes.
  Technical safeguards include testing numbers and reviewing audit controls.