1 / 47

HIPAA Training – Part III

HIPAA Training – Part III. Health Insurance Portability and Accountability Act. Policies & Procedures. Goals. Learn simple ways to protect information. Learn how to continually give training. Learn how to continually develop procedures. Policy. It’s the law.

jett
Download Presentation

HIPAA Training – Part III

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Training – Part III Health Insurance Portability and Accountability Act

  2. Policies & Procedures

  3. Goals • Learn simple ways to protect information. • Learn how to continually give training. • Learn how to continually develop procedures.

  4. Policy • It’s the law. • The doctor has to sign all of them. • The privacy official’s name must be on them. • Must be reviewed each year and proof of this must be documented.

  5. Procedure • How you apply the law to this office. • Writing procedures is an everlasting process of reviewing and updating.

  6. Why Review and Update the Procedures? • New breaches are discovered. • New technology is used. • Office changes occur such as remodeling. • What you’re doing to protect PHI.

  7. Procedures • Be general. • Don’t be specific.

  8. Training • Have documented meetings. • Each employee, including the doctor, must sign their own name on the Training Register. • If the doctor does not allow training, then the doctor is liable for all fines.

  9. Training • Some discussion topics: • Implementation of Policies • Notice of Privacy Forms • General Penalty for Failure to Comply with Requirements and Standards

  10. Training • More discussion topics: • Breaches • Office Procedures Regarding PHI • Complaints Regarding PHI • Handling Patients’ Restrictions • Medical Release Forms • Front Office Procedures • Back Office Procedures • Computer Security

  11. TrainingRegister

  12. What Do You Have to Do to Protect Information and to Avoid the Fines? • Understand two basic questions: • Continually have training. • Keep records.

  13. Keep Records • Every time you have training you must record it. • This is the government. • If you don’t have records, then training was never done.

  14. HIPAA Security • Computers were required to be secured by April of 2005. • Password • Hackers • Levels of service

  15. OBJECTIVES • Understand HIPAA Security Rule • Understand basics of network security

  16. HIPAA Security Standard • What is the purpose? • Establish a standard for health care providers with regards to treatment of patient health information • Give patients more control and access to their medical information • Secure protected health information (PHI) transmitted, stored, or maintained in electronic format from real or potential threats of disclosure or loss

  17. HIPAA Security Standard • General • Consistent with the Privacy rule in that the Security part of the Privacy rule requires that “appropriate” security be applied to all PHI in all events • Focuses more on “what” needs to be done, rather than “how”. • Cost of implementation is a factor, but not a preclusion. • Cost, size, technical infrastructure and criticality of potential risks are factors, allowing for a flexible approach. • Sets out processes for decision-making, but does not make decisions; remains ‘technology neutral’. • Results and documentation both are important.

  18. HIPAA Security Standard • What the rule does? • Ensures the confidentiality, integrity, and availability of all electronic PHI a covered entity (CE) creates, receives, maintains, or transmits. • Protects against any reasonably anticipated threats or hazards to the security or integrity of such information • Protects against any reasonably anticipated uses or disclosures of such information that are not permitted or required • Ensures compliance by covered entities workforce

  19. Privacy vs. Security • Privacy • Individuals rights to control access and disclosure of their protected or individually identifiable healthcare information • Establish authorization requirements • Establish individual rights • Establish regulations for use or disclosure of PHI • Security • Establishes minimum level of security that covered entities must meet • Adopts standards for the security of ePHI to be implemented by covered entities • Improving the efficiency of the healthcare industry in general

  20. Three Pillars of Data Security Data or information is not made available to unauthorized persons or processes Data or information has not been altered or destroyed in an unauthorized manner Data or information is accessible and usable upon demand by an authorized person Confidentiality Integrity Accessibility

  21. Security Rule OrganizationSafeguards • Administrative • Administrative actions, policies, and procedures, to manage, the selection, development, and implementation, including the maintenance of security measures to protect electronic health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information. • Physical • Security measures to protect a covered entity’s electronic information systems and related buildings and equipment from environmental hazards and unauthorized intrusions. • Technical • The technology and policy and procedures for how to protect electronic protected health information and control access to it.

  22. Electronic Data Security • Electronic Data Security: • The generic name for the tools designed to protect data and to prevent intrusions. • Principle of Easiest Penetration: • An intruder must be expected to use any available means of penetration. This is not the most obvious means, nor is it one against which the most solid defense has been installed. • Principle of Adequate Protection: • Computer hardware and software must be protected to a degree consistent with their value. Electronic data never loses its value, unless the information becomes outdated and obsolete.

  23. Security Threats • Virus • Spyware • Adware • Worms • Trojan Horse • Phishing (pharming) • War Dialing • Social Engineering

  24. Social Engineering • Preying on the Best Qualities of Human Nature: • The desire to be helpful • The tendency to trust people • The fear of getting into trouble A successful social engineer receives information without raising any suspicion as to what they are doing.

  25. Social Engineering • Impersonation • Important user • Third-party authorization • Technical support “There are system problems and you will have to log me on to check the connection”

  26. Recognize the Signs • In Person • May appear as an employee or • Dressed in a uniform. • Part of the cleaning crew. • Roams without raising suspicion. • Dumpster Diving • Shoulder Surfing • Shoulder surfing is using direct observation techniques, such as looking over someone's shoulder, to get information.

  27. Social Engineering • Refuse to give contact information • Rushing • Name-dropping • Intimidation • Small mistakes • Request confidential information • Request you to do something improper

  28. What can you do?Ask Questions! • Correct spelling of the person’s name? • Number where you can return the call? • Contact information? • Why the information is needed. • Who authorized the request. • Verify the authorization And Do It !!!

  29. Where Do Intruders Come From? Who are these threat agents? • Teenage pranksters • Hacker junkies • Disgruntled employees • Disgruntled patients • Competitors • Terrorists (disruption of services) • Criminals (selling information)

  30. Physical Vulnerabilities and Access • Being aware of your surroundings! • Where’s my computer located? • Is anyone watching me? • Is the hallway door open? • Is the monitor visible from the window? • Is the computer visible from the patient waiting area? • Are the servers in locked rooms or cabinets? • Does the cleaning crew have access to the computers? • Does the screen saver activate when idle? • Do I log out before leaving the room? • Do I use my PC for a night light?

  31. Password VulnerabilitiesIf you think it’s weak, then it is weak • Passwords • First line of defense against unauthorized access to your: • Computer, Files, Network Connections, Key to your electronic identity • Do Not Use: • Any dictionary words, any proper names, common phrases, obvious passwords, keyboard words, let a website save it, use the same one. • What to use: • At least eight characters, at least one capital letter, At least one number, at least one special character, one you can remember, change them regularly

  32. Your Account Is Only As Secure As Its Password • Recommendation • 120 day rotation • Don't let others watch you log in. • Change your password often. • Don’t write your password on a post-it note • Don’t attach it to your video monitor or under the keyboard. xT21b31

  33. Password Construction • It can’t be obvious or exist in a dictionary. • Every word in a dictionary can be tried within minutes. • Don’t use a password that has any obvious significance to you.

  34. Password Standard • Eight character minimum and should contain at least one of each of the following characters: • Uppercase letters ( A-Z ) • Lowercase letters ( a-z ) • Numbers ( 0-9 ) • Punctuation  marks (!@#$%^&*()_+=- )

  35. Password Management • Its OK to share offices, equipment and ideas, but... Do not share your password with anyone, anytime!

  36. Safeguard Your Strong Password • Be careful about typing your password into a strange computer. • Anti-virus protection enabled? • Owner trustworthy? • Keyboard logger running to record your keystrokes? • Who was the last person to use that computer? • Do not use the automatic logon feature in Microsoft.

  37. E-mail Vulnerabilities • Emails • Are you opening Pandora's box? • Basic method of communication to transfer: • Messages, Files, Programs • What to look out for: • Extensions (.xls, .doc, .php, .ppt, .exe, .vbs, .bin, .com, pif); Suspicious Subjects Lines; I love you/My daughter’s pictures; You have won/Free Gift; Funny, Humorous, etc.; Look alike sites; Chain Letters; Web Links; Attachment not expected • If it's suspicious, don't open it

  38. EMAIL Policy • Permissible uses: • Entity’s permissible uses? • Prohibited uses: • Entity’s prohibited uses? ALL MESSAGES SHOULD BE CONSIDERED PUBLIC!

  39. Web Browsing Security • Web Surfing • Active content and viruses or other malicious software • Security risks in the PC and MAC versions of Internet Explorer and Netscape browsers • Company determines your security.

  40. Visiting Internet Sites  • Be careful about providing personal, sensitive information to an internet site. • Be aware that you can get viruses from Instant Messenger-type services.

  41. Privileges and Responsibilities • Use of your company computer account is a privilege. • Along with the privilege to use company network resources come some responsibilities. • Remember that Internet traffic is logged, monitored, and saved

  42. Backups • Back your computer up every night • Take the back up offsite

  43. So How Do We Start? Security is 90% You and 10% Technical • Be aware! • Learn, practice and adopt good security habits. • Report anything unusual.

  44. Absolute vs. Acceptable Levels of Risk • “Absolute protection” from risk is an impossibility • “Acceptable level” of risk is a more realistic approach to managing risk

  45. Keep an Inventory • Know exactly what equipment you have by listing an inventory. • What kind of hardware do you have? • What kind of software do you have? • What kind of protection do you have? i.e., virus or spyware

  46. Keep an Inventory • Record: • When you began using it • When you stopped using it • When you upgraded

  47. The First Line of Defense Is You • The Last Line of Defense is You

More Related