
securing the ehr system montana ehr collaborative

HIPAA Enforcement: Office for Civil Rights (Privacy); CMS (Transactions, Code Sets, Identifiers, Security); Justice Department; FBI; OIG (re: lessons learned from fraud


Presentation Transcript


    1. Securing the EHR System
       Montana EHR Collaborative
       Carolyn Hartley, Physicians EHR, LLC

    3. Summary of HIPAA Privacy Rule Compliance Activities
       HHS Office for Civil Rights (OCR): 12,542 complaints received as of Apr. 30, 2005
       Filed against:
       - Private health care practices
       - General hospitals
       - Pharmacies
       - Outpatient facilities
       - Group health plans

    4. Summary of HIPAA Privacy Rule Compliance Activities (cont.)
       Allegations raised most frequently in the complaints are:
       - Impermissible use or disclosure of an individual's identifiable health information
       - Lack of adequate safeguards to protect identifiable health information
       - Refusal or failure to provide the individual with access to or a copy of his or her records
       - Disclosure of more information than is minimally necessary to satisfy a particular request for information
       - Failure to obtain the individual's valid authorization for a disclosure that requires one

    5. Summary of HIPAA Privacy Rule Compliance Activities (cont.)
       65% of complaints have been closed because either:
       - OCR lacks jurisdiction under HIPAA
       - The activity alleged does not violate the Rule
       - The matter was satisfactorily resolved through voluntary compliance

    6. Case closures include those:
       - where OCR lacks jurisdiction under HIPAA, such as a complaint alleging a violation prior to the compliance date or alleging a violation by an entity not covered by the Privacy Rule
       - where the activity alleged does not violate the Rule, such as when the covered entity has declined to disclose protected health information in circumstances where the Rule would permit such a disclosure
       - where the matter has been satisfactorily resolved through voluntary compliance, for example where an individual is provided access to their medical record after complaining that such access had previously been denied

    7. Summary of HIPAA Privacy Rule Compliance Activities (cont.)
       200+ referrals to the Dept. of Justice (DOJ)

    8. The Role of Security in HIT Adoption
       - Security is required before moving into electronic exchanges of protected health information
       - Security is as much about protecting your business assets as it is about protecting your electronic assets

    10. Threats and Vulnerabilities (2)

    11. CIA of HIPAA Security: the Security Rule requires covered entities to ensure the confidentiality, integrity and availability of ePHI.

    12. Safeguards
       ePHI refers to electronic protected health information. Protected health information (PHI) refers to any oral, written or electronic information that can be used to individually identify a patient. The Privacy Rule safeguards PHI in oral, written or electronic form; the Security Rule safeguards only the electronic information.

    13. Required or Addressable
       Required: you must comply with the rule.
       Addressable: one of three choices:
       - Do what the rule says
       - Don't do what the rule says, but document why it is not reasonable and appropriate for the practice
       - Develop an alternative solution and document why this approach was chosen
       Each safeguard is either required or addressable. If a safeguard is required, you must comply with the rule. If it is addressable, you have one of the three choices above. An addressable specification can be much more difficult because the practice must decide whether to meet the requirement as written or find a solution that better matches the practice. For example, one addressable specification is to conduct a background check on new employees; that would not be practical if the physician is hiring a family member as office manager.

    14. The Case for Security: Business Imperatives
       Protect your practice:
       - Inventory your hardware and software
       - Know where the inventory is kept
       - Know the value of your hardware, software and equipment
       - Conduct a risk assessment and evaluate threats and vulnerabilities
       - Develop a contingency plan
       Much of the Security Rule is just good business sense. Practices that said they would not bother to comply with the Security Rule have rethought that decision and are using the Security Rule to find good business practices. If you move to an electronic health record environment after April 21, 2005, the Security Rule requirements must be in place.

    15. Contingency Plan
       - Critical data backed up and stored
       - Emergency call list
       - Plan to restore systems
       - Plan to move into a temporary office
       - Secure offsite storage?
       - Identify situations that may activate the contingency plan

    16. The Case for Security: Legislative Imperatives
       Required by law to comply with the Security Rule by April 21, 2005.
       Periodic security training:
       - Log-in monitoring
       - Password management
       - Protection from malicious software
       - Security reminders

    17. Risk Analysis in a Clinical Setting
       The required standard (review system audit logs) means you must conduct regular review of system audit logs, if only to find out whether someone has tried to break into your system. Assigned access is addressable because in a small office the receptionist may also be the billing clerk and the system administrator. The point in each case is that the practice needs to document how it plans to comply with the standard.
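The log-in monitoring on slide 16 and the audit-log review on slide 17 are only useful if someone actually looks for the patterns that matter. The script below is an added example, not part of the presentation and not any EHR vendor's tool: it reads a small audit log and flags two things a small practice should check every week, a burst of failed logins for one account from one source (a password-guessing indicator) and chart views outside business hours. The pipe-separated log format, the event names (LOGIN_OK, LOGIN_FAIL, CHART_VIEW), the thresholds and every log line are constructed for the example and will need adapting to a real system's export.

```python
"""Added example (not part of the presentation): a small audit-log review
that does what slide 17 asks for, namely look for signs that someone has
tried to break in. The pipe-separated format, the event names and every
log line below are constructed for this example; they are assumptions,
not any real EHR product's log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp | user | event | source address | detail
SAMPLE_LOG = """\
2005-04-21 08:02:11 | jsmith | LOGIN_OK   | 10.0.0.12    | workstation-3
2005-04-21 08:05:40 | jsmith | CHART_VIEW | 10.0.0.12    | MRN-10041
2005-04-21 23:14:02 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-21 23:14:05 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-21 23:14:09 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-21 23:14:12 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-21 23:14:15 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-21 23:14:18 | admin  | LOGIN_FAIL | 198.51.100.7 | bad password
2005-04-22 02:31:50 | rjones | LOGIN_OK   | 10.0.0.20    | workstation-5
2005-04-22 02:32:10 | rjones | CHART_VIEW | 10.0.0.20    | MRN-10099
2005-04-22 09:10:00 | rjones | LOGIN_FAIL | 10.0.0.20    | bad password
2005-04-22 09:10:20 | rjones | LOGIN_OK   | 10.0.0.20    | workstation-5
"""

FAIL_THRESHOLD = 5                  # this many failed logins for one user+source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window is a password-guessing indicator
BUSINESS_HOURS = (7, 19)            # chart access outside 07:00-19:00 gets a second look

def parse_log(text):
    """Turn the pipe-separated lines into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, source, detail = [f.strip() for f in line.split("|")]
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "user": user, "event": event, "source": source, "detail": detail})
    return events

def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Sliding window per (user, source): report once when `threshold` LOGIN_FAIL
    events land inside `window`. A single mistyped password (rjones at 09:10)
    never reaches the threshold and is not reported."""
    recent = defaultdict(list)
    findings = []
    for e in events:
        if e["event"] != "LOGIN_FAIL":
            continue
        key = (e["user"], e["source"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.pop(0)
        if len(q) == threshold:                 # == so each burst is reported once
            findings.append({"user": e["user"], "source": e["source"],
                             "count": len(q), "first": q[0], "last": e["ts"]})
    return findings

def after_hours_chart_access(events, hours=BUSINESS_HOURS):
    """Chart views outside business hours. A clinician on call will have a
    reason; an insider pulling records at 2 a.m. may not, so review them."""
    start, end = hours
    return [e for e in events
            if e["event"] == "CHART_VIEW" and not (start <= e["ts"].hour < end)]

def review_log(text):
    """One-call summary suitable for a weekly log-review checklist."""
    events = parse_log(text)
    return {"events": len(events),
            "failed_login_bursts": failed_login_bursts(events),
            "after_hours_chart_access": after_hours_chart_access(events)}

if __name__ == "__main__":
    report = review_log(SAMPLE_LOG)
    for f in report["failed_login_bursts"]:
        print(f"password-guessing indicator: {f['count']} failed logins for {f['user']} "
              f"from {f['source']} between {f['first']} and {f['last']}")
    for e in report["after_hours_chart_access"]:
        print(f"after-hours chart access: {e['user']} viewed {e['detail']} at {e['ts']}")
```

On the constructed log this reports the six failed admin logins from 198.51.100.7 as one burst (the threshold is hit at the fifth failure and the burst is not re-reported on the sixth) and the 02:32 chart view by rjones, while the single failed login by rjones the next morning stays below the threshold. Keep the threshold low for administrative accounts: the rule's log-in monitoring specification is about noticing attempts, not just successes.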

    18. Technology Vulnerabilities and Threats Exist Among Physician Practices
       20% of medical practices are using an EHR software program; everyone has a story. The other 80% are stopped by costs and complexities.
       Network and deployment models in use:
       - Local area network
       - Wide area network
       - Local wireless
       - Wide area wireless
       - Client-server
       - ASP

    19. Basic Network (usually wired)
       - Hospital Information System
       - Hospital lab
       - Outside lab
       - Radiology / pathology labs
       - Pharmacy
       - Practice Management System
       - Document Management

    20. Wireless and peripherals
       - Local wireless
       - Wide area wireless
       - PDAs: cell phone access, web access, PDA sync model

    21. Conducting a Security Impact Analysis in a Clinical Setting
       Database server:
       - Physically secure, locked
       - Backup process secure
       - Backup media secure
       - Storage capacity sufficient
       - Administrator password protected
       - Database password protected
       Clients:
       - Fat clients with data
       - PDAs, unsynced
       - Places where charts are left
       - Computer workstations
       - Printers
       - Scanners

    22. Data Transmission 1
       - Wired
       - Wireless LAN: wireless server -- access point -- wireless receiver
       - Wired LAN: server -- fat client

    23. Data Transmission 2
       - Practice Management System (PMS)
       - Document Management System

    24. Data Transmission 3 (WAN, wired)
       - server -- HIS, HIS -- server
       - server -- LIS, LIS -- server
       - server -- radiology / pathology lab
       - Pharmacy: server -- pharmacy information system, fax

    25. PDAs
       - PDA, wireless
       - PDA, synced
       - Prescribing, CPOE, notes
       - Hospital, home health

    26. Internet Access
       - By providers
       - By patients
       - Policy, restrictions
       - Email to transmit information: use secure methods

    27. Paper to electronic records
       - Scanning
       - Printing
       - Faxing
       - Mailing

    28. Printed clinical documents
       - Prescriptions
       - Patient instructions
       - Histories
       - Clinical notes
       - Referrals
       - School forms
       - Insurance forms
       - Work-related forms
       - Reports

    29. Best Practices in Risk Reduction 1: Have a Plan
       Written plans:
       - Risk assessment
       - Database backup
       - Database secure storage
       - Data restore plan
       - Disaster recovery plan
       - Software inventory
       - Hardware inventory
       - Logs at transmission points
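The contingency plan on slide 15 and the written backup and restore plans on slide 29 share one failure mode: a backup that was never checked turns out to be unreadable or altered on the day it is needed. The script below is an added example, not part of the presentation and not any vendor's backup tool. It writes a SHA-256 manifest alongside a file-copy backup, verifies the backup against that manifest before trusting it, and refuses to restore when a file is missing or no longer matches. The directory layout, file names and file contents are constructed for the example; a real practice would point it at its database export and its backup media and run it on a schedule.

```python
"""Added example (not part of the presentation): verify that a backup set can
be restored intact. A SHA-256 manifest is written at backup time and checked
at restore time, so a corrupted or silently modified backup is caught before
it is trusted. All paths and file contents are constructed for the example."""
import hashlib
import json
import os
import shutil
import tempfile

MANIFEST = "manifest.json"

def sha256_file(path):
    """Hash a file in chunks so large database exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, backup_dir):
    """Copy every file under src_dir into backup_dir and record each file's hash."""
    manifest = {}
    for root, _, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_file(src)   # hash the source, then check the copy later
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest

def verify_backup(backup_dir):
    """Return (ok, problems): re-hash every file named in the manifest and
    report files that are missing or whose contents changed since backup."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(backup_dir, rel)
        if not os.path.exists(path):
            problems.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)

def restore_backup(backup_dir, dest_dir):
    """Refuse to restore unless the backup verifies; then copy the files and
    re-check each restored copy against the manifest. Returns the file list."""
    ok, problems = verify_backup(backup_dir)
    if not ok:
        raise RuntimeError("backup failed verification: " + "; ".join(problems))
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    for rel, expected in manifest.items():
        dst = os.path.join(dest_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
        if sha256_file(dst) != expected:
            raise RuntimeError(f"restored file does not match manifest: {rel}")
    return sorted(manifest)

def demo():
    """Constructed scenario: back up two files, verify and restore them, then
    damage the backup media and confirm the next restore is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = [os.path.join(tmp, d) for d in ("live", "backup", "restore")]
        os.makedirs(os.path.join(src, "db"))
        with open(os.path.join(src, "db", "patients.dat"), "wb") as f:
            f.write(b"constructed EHR data, not real PHI\n")
        with open(os.path.join(src, "schedule.txt"), "w") as f:
            f.write("constructed schedule\n")
        make_backup(src, bak)
        first_ok, _ = verify_backup(bak)
        restored = restore_backup(bak, rst)
        # Simulate bit rot or tampering on the backup media: append one byte.
        with open(os.path.join(bak, "db", "patients.dat"), "ab") as f:
            f.write(b"X")
        second_ok, problems = verify_backup(bak)
        try:
            restore_backup(bak, os.path.join(tmp, "restore2"))
            refused = False
        except RuntimeError:
            refused = True
        return {"first_ok": first_ok, "restored": restored, "second_ok": second_ok,
                "problems": problems, "refused": refused}

if __name__ == "__main__":
    print(demo())
```

The manifest must be kept somewhere the backup media cannot alter it (a second copy in the practice's secure storage is enough); otherwise whoever can change the backup can also rewrite the hashes. Running `verify_backup` on a schedule, not only at restore time, is what turns "critical data backed up and stored" into a plan that has actually been tested.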

    30. Best Practices in Risk Reduction 2: Staff
       - Security committee: medical staff, IT staff
       - Training
       - Communication

    31. Training
       - Locking up
       - Backup
       - Log in
       - Password management
       - Virus protection
       - Malware protection
       - Internet access

    32. Thank you Carolyn Hartley Carolyn@physiciansehr.com
