1 / 22

Understanding HIPAA

Understanding HIPAA. Dr. Jennifer Lu. Introduction. HIPAA = Heath Insurance Portability and Accountability Act. Historical Framework. Increasing automation in healthcare has created increasing awareness about the security of protected health information

steppe
Download Presentation

Understanding HIPAA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understanding HIPAA Dr. Jennifer Lu

  2. Introduction • HIPAA = Heath Insurance Portability and Accountability Act

  3. Historical Framework • Increasing automation in healthcare has created increasing awareness about the security of protected health information • 1997: National Research Council reports widespread weaknesses in healthcare security (user authentication, access controls, audit trails, external communications, physical security and disaster recovery)

  4. Historical Framework • 1990’s: Public begins to have serious concerns about the privacy and security of health information. This is due to breaches such as • Press disclosures of individuals’ HIV status • Disclosure of patient information for financial gain • Misdirected patient emails

  5. Violation Examples • A Michigan based health system accidentally posted the medical records of ten thousand patients on the internet • An employee of the Tampa health department took the names of 4,000 people who were HIV and tried to blackmail individuals. • A patient in a Boston hospital discovered her medical information had been viewed by more than 200 hospital employees. • A banker who sat on a county heath board gained access to patient’s records with cancer and called in their mortages.

  6. Violation Examples • A candidate for congress nearly saw her campaign derailed when newspapers published her medical records showing she had sought psychiatric help. • A physician diagnosed with AIDS in the hospital he worked in. His surgical privileges were suspended. • Johnson and Johnson marketed the names and addresses of elderly incontinent women to drug compaanies

  7. So how did we change things?

  8. Historical Framework • 2003 HIPAA is passed and includes a mandate for assurance of the security and integrity of health information • 1998: Privacy concerns cause an investigation by government • 2003: Security Rule is finalized and published in the Federal Register on February 20, 2003

  9. HIPAA Security Rule • Applicability: • Protected Health Information ( PHI) applies to all individually identifiable health information that is in electronic form (stored or transmitted) • All healthcare entities, health plans and clearinghouses which store health information or transmit it to others must comply

  10. HIPAA Security Rule • Security Threats • Internal • More likely to occur than external threats • Careless staff unaware of security issues • Malicious insiders

  11. HIPAA Security Rule • General Rule Information Securitymust be followed– no single policy or tool can effectively assure overall security and cultural and organizational issues must also be addressed. • Federal standard is set to a minimum or floor level and organizations may choose to exceed these standards

  12. HIPAA Security Rule • In order to address these principles, HIPAA security makes specificrecommendations in 3 areas: • Business Associate (Business Rules) • Physical Safeguards (Ability to use a machine) • Technical Safeguards (Ability to access data)

  13. HIPAA: Administrative Safeguards • These are ,mandatory formal practices that are designed to manage the integrity and execution of security measures • Intended to disclose health information only to the appropriate parties and protect this information from all others

  14. HIPAA: Administrative Safeguards • Security Awareness and Training • In order for an organization to work securely, the employees must be educated about security practices • Identifying threats • Monitoring LOGIN failures • Review of policies • Virus Protection

  15. HIPAA: Administrative Safeguards • Security Incident Procedures • Organizations are required to formalize their procedures for dealing with security breaches • Employees should be instructed on how to report security compromises • Roles and responsibilities during an incident should be published

  16. HIPAA: Administrative Safeguards • Evaluation • Evaluate compliance of existing security practices • Identify deficiencies • Correct deficiencies • This is a continuous process

  17. HIPAA: Physical Safeguards • Workstation Security • Have policies that govern workstation placement to avoid violations • Orient workstations to prevent potential viewing by unauthorized individuals • Installation of shields to protect screen contents • Use of monitoring and video surveillance as necessary

  18. HIPAA: Technical Safeguards • Physical restrictions that enable the need for timely access with risk for breach of confidentiality • Ensure the security of transmitted information over open networks

  19. HIPAA: Technical Safeguards • Access Control • A documented procedure for granting authorized access to data • Provision for care • The optional use of and decryption • Provision for an _logoff after idling for a period of time

  20. HIPAA: Technical Safeguards • Person or Entity Authentication • Organizations must take steps to protect against unauthorized access by an entity attempting to access data • Many solutions exist for this ( encrypted passwords, PIN numbers, tokens and telephone callback procedures)

  21. Here are some common ways that staff members can protect patient privacy • Always ensure privacy when discussing patients protected health information. • Move away from any open doorway when talking about a specific patient‘s care. • Avoid discussions about patients in elevators and cafeteria lines. • Do not leave messages on answering machines regarding patients medical information • Avoid patients using telephones to receive results. • Encourage portal use

  22. Questions

More Related