Understanding HIPAA
Dr. Jennifer Lu

Introduction
• HIPAA = Health Insurance Portability and Accountability Act
Historical Framework
• Increasing automation in healthcare has created increasing awareness about the security of protected health information
• 1997: The National Research Council reports widespread weaknesses in healthcare security (user authentication, access controls, audit trails, external communications, physical security and disaster recovery)

Historical Framework
• 1990s: The public begins to have serious concerns about the privacy and security of health information, due to breaches such as:
  • Press disclosures of individuals' HIV status
  • Disclosure of patient information for financial gain
  • Misdirected patient emails
Violation Examples
• A Michigan-based health system accidentally posted the medical records of ten thousand patients on the internet.
• An employee of the Tampa health department took the names of 4,000 people who were HIV-positive and tried to blackmail individuals.
• A patient in a Boston hospital discovered that her medical information had been viewed by more than 200 hospital employees.
• A banker who sat on a county health board gained access to the records of patients with cancer and called in their mortgages.

Violation Examples
• A candidate for Congress nearly saw her campaign derailed when newspapers published her medical records showing she had sought psychiatric help.
• A physician was diagnosed with AIDS in the hospital where he worked; his surgical privileges were suspended.
• Johnson and Johnson marketed the names and addresses of elderly incontinent women to drug companies.
Historical Framework
• 2003: HIPAA is passed and includes a mandate for assurance of the security and integrity of health information
• 1998: Privacy concerns cause an investigation by government
• 2003: The Security Rule is finalized and published in the Federal Register on February 20, 2003

HIPAA Security Rule
• Applicability:
  • Protected Health Information (PHI) covers all individually identifiable health information that is in electronic form (stored or transmitted)
  • All healthcare entities, health plans and clearinghouses which store health information or transmit it to others must comply

HIPAA Security Rule
• Security Threats
  • Internal
    • More likely to occur than external threats
    • Careless staff unaware of security issues
    • Malicious insiders
HIPAA Security Rule
• General Rule: Information Security must be followed as a whole. No single policy or tool can effectively assure overall security, and cultural and organizational issues must also be addressed.
• The federal standard is set at a minimum or floor level; organizations may choose to exceed these standards.

HIPAA Security Rule
• In order to address these principles, HIPAA security makes specific recommendations in 3 areas:
  • Business Associate (Business Rules)
  • Physical Safeguards (ability to use a machine)
  • Technical Safeguards (ability to access data)

HIPAA: Administrative Safeguards
• These are mandatory formal practices that are designed to manage the integrity and execution of security measures
• Intended to disclose health information only to the appropriate parties and protect this information from all others
HIPAA: Administrative Safeguards
• Security Awareness and Training
  • In order for an organization to work securely, the employees must be educated about security practices
  • Identifying threats
  • Monitoring LOGIN failures
  • Review of policies
  • Virus protection

HIPAA: Administrative Safeguards
• Security Incident Procedures
  • Organizations are required to formalize their procedures for dealing with security breaches
  • Employees should be instructed on how to report security compromises
  • Roles and responsibilities during an incident should be published

HIPAA: Administrative Safeguards
• Evaluation
  • Evaluate compliance of existing security practices
  • Identify deficiencies
  • Correct deficiencies
  • This is a continuous process

HIPAA: Physical Safeguards
• Workstation Security
  • Have policies that govern workstation placement to avoid violations
  • Orient workstations to prevent potential viewing by unauthorized individuals
  • Install shields to protect screen contents
  • Use monitoring and video surveillance as necessary
HIPAA: Technical Safeguards
• Controls that balance the need for timely access against the risk of a breach of confidentiality
• Ensure the security of information transmitted over open networks

HIPAA: Technical Safeguards
• Access Control
  • A documented procedure for granting authorized access to data
  • Provision for access needed to provide care
  • The optional use of encryption and decryption
  • Provision for automatic logoff after idling for a period of time

HIPAA: Technical Safeguards
• Person or Entity Authentication
  • Organizations must take steps to protect against unauthorized access by an entity attempting to access data
  • Many solutions exist for this (encrypted passwords, PIN numbers, tokens and telephone callback procedures)
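As an added illustration (not part of the original slides), the following toy Python gate shows how three of the safeguards listed above fit together in code: a documented role-to-record grant table for access control, automatic logoff after an idle period, and an audit trail that records login failures so they can be monitored. The role table, the idle timeout and the failure-alert threshold are constructed assumptions, not values from the deck.

```python
from dataclasses import dataclass

IDLE_LOGOFF_SECONDS = 15 * 60   # assumed policy value; HIPAA sets no fixed number
MAX_FAILED_LOGINS = 5           # assumed alert threshold for login-failure monitoring


@dataclass
class Session:
    user: str
    role: str
    last_activity: float        # epoch seconds of the last authorized action


class PhiAccessControl:
    """Toy model of the Technical Safeguards: documented access grants,
    automatic logoff, and an audit trail of successes and failures."""

    # Constructed grant table: which role may read which PHI record type
    GRANTS = {"physician": {"chart", "lab"}, "billing": {"billing"}}

    def __init__(self, idle_seconds=IDLE_LOGOFF_SECONDS):
        self.idle_seconds = idle_seconds
        self.sessions = {}        # user -> Session
        self.failed_logins = {}   # user -> consecutive failures
        self.audit = []           # (time, user, event, detail) tuples

    def login(self, user, role, password_ok, now):
        """Record the outcome of an authentication attempt; open a session on success."""
        if not password_ok:
            n = self.failed_logins[user] = self.failed_logins.get(user, 0) + 1
            self.audit.append((now, user, "LOGIN_FAILED", n))
            if n >= MAX_FAILED_LOGINS:       # repeated failures are an event to review
                self.audit.append((now, user, "ALERT_REPEATED_FAILURES", n))
            return False
        self.failed_logins[user] = 0
        self.sessions[user] = Session(user, role, now)
        self.audit.append((now, user, "LOGIN_OK", role))
        return True

    def access(self, user, record_type, now):
        """Return True only for an active, non-idle session whose role is granted the record type."""
        s = self.sessions.get(user)
        if s is None:
            self.audit.append((now, user, "DENIED_NO_SESSION", record_type))
            return False
        if now - s.last_activity > self.idle_seconds:   # automatic logoff
            del self.sessions[user]
            self.audit.append((now, user, "AUTO_LOGOFF", record_type))
            return False
        s.last_activity = now
        allowed = record_type in self.GRANTS.get(s.role, set())
        self.audit.append((now, user, "READ" if allowed else "DENIED_ROLE", record_type))
        return allowed
```

Every denial, logoff and failed login lands in `audit`, which is the list a reviewer would scan when "monitoring LOGIN failures" under the Security Awareness slide.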
Here are some common ways that staff members can protect patient privacy
• Always ensure privacy when discussing patients' protected health information.
• Move away from any open doorway when talking about a specific patient's care.
• Avoid discussions about patients in elevators and cafeteria lines.
• Do not leave messages on answering machines regarding patients' medical information.
• Avoid having patients use telephones to receive results.
• Encourage portal use.