Health information security & compliance Charles Nwasor, Xcellent Technologies
Agenda 1 HIPAA 2 The New Healthcare Paradigm 3 Internal Compliance 4 Conclusion
1 HIPAA
HIPAA – Overview
• Health Insurance Portability & Accountability Act (HIPAA)
• Sets standards to assure the Confidentiality, Integrity, and Availability of PHI
• Limits the use and disclosure of confidential information:
  • Protected Health Information (PHI)
  • Electronic Protected Health Information (ePHI)
• Three rules covered in this presentation:
  • Privacy Rule – individuals’ rights of privacy and standards for use and disclosure of PHI
  • Security Rule – administrative, physical and technical safeguards for ePHI
  • Breach Notification Rule – reporting breaches of unsecured PHI
HIPAA – PHI
• PHI is individually identifiable health information: any information (verbal, electronic, or written), held by a covered entity or business associate, that relates to a person’s past, present or future physical or mental health, the care provided, or payment for that care
• The identifiers that make health information individually identifiable (the 18 items of the Privacy Rule’s Safe Harbor list):
  • Name
  • Postal Address (any geographic unit smaller than a state: street address, city, county, ZIP code)
  • All elements of Date (except year) directly related to the individual, e.g. birth, admission, discharge and death dates
  • Telephone Number
  • Fax Number
  • Email Address
  • URL
  • IP Address
  • Social Security Number
  • Account Numbers
  • License Number
  • Medical Record Number
  • Health Plan Number
  • Device Identifier
  • Vehicle Identifier
  • Biometric Identifier
  • Full-face Photos
  • Any other unique identifying number, characteristic or code
• Genetic information is also PHI
HIPAA – CIA Triad • Confidentiality – keeping information from unauthorized access or disclosure • Integrity – safeguarding against unauthorized modification or destruction • Availability – ensuring authorized users can reach the information when they need it
HIPAA – Privacy Rule
• Establishes individuals’ rights of privacy and standards for the use and disclosure of PHI
• Permitted Disclosures (no authorization needed)
  • To the individual or their Personal Representative
  • Treatment, Payment and Healthcare Operations
  • Public Health Activities, Law Enforcement and other specified public-interest purposes, each subject to the rule’s own conditions
  • De-identified Data (no longer PHI once the identifiers are removed)
  • With the individual’s Written Authorization, or with Verbal Consent (opportunity to agree or object) for facility directories and involvement of family in care
• Required Disclosures
  • To the individual on request (access to their records and an accounting of disclosures)
  • To HHS for compliance reviews and investigations
• Verification Requirements – verify the identity and authority of the requester before disclosing
• Notice of Privacy Practices
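The identifier list on the PHI slide and the "De-identified Data" bullet above describe the Safe Harbor method of 45 CFR 164.514(b)(2): remove the 18 identifiers and the remaining data is no longer PHI. The following is an added example (not code from the presentation or from Xcellent Technologies) that applies that method to a constructed patient record. Field names, the sample values and the set of small-population ZIP prefixes are assumptions for illustration; the authoritative prefix list is derived from current Census data.

```python
"""Safe Harbor de-identification (45 CFR 164.514(b)(2)) of a constructed patient record.

Added example for this page, not code from the original presentation. Field names,
the sample record and the ZIP prefix set are constructed for illustration.
"""
import re
from datetime import date

# Fields holding a Safe Harbor identifier that must be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "url",
    "ip_address", "ssn", "account_number", "license_number", "mrn",
    "health_plan_id", "device_id", "vehicle_id", "biometric_id", "photo",
}

# 3-digit ZIP prefixes covering 20,000 or fewer people must become "000".
# Illustrative set (assumption); the authoritative list comes from Census data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

# Identifiers that leak into free-text fields. Regex scrubbing is a backstop only:
# Safe Harbor also requires no actual knowledge that what remains could identify
# the patient, so free text still needs human or NLP review.
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                    # SSN
    re.compile(r"\(?\b\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),   # phone / fax
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),                  # e-mail
    re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),                # IPv4
]


def scrub_free_text(text: str) -> str:
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def deidentify_zip(zip_code: str) -> str:
    """Keep only the first three digits, or "000" for small-population prefixes."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in RESTRICTED_ZIP3:
        return "000"
    return zip3


def age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record: dict, today: date) -> dict:
    """Return a Safe Harbor de-identified copy of ``record``.

    Dates keep only the year. Date of birth is reduced to an age, and for ages
    over 89 even the birth year is dropped, since it alone would reveal the age.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "date_of_birth":
            continue
        if key == "zip":
            out["zip3"] = deidentify_zip(value)
        elif isinstance(value, date):
            out[key] = str(value.year)      # every date element except year removed
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    dob = record.get("date_of_birth")
    if dob is not None:
        age = age_on(dob, today)
        if age > 89:
            out["age"] = "90+"              # single aggregated category, no birth year
        else:
            out["age"] = str(age)
            out["birth_year"] = str(dob.year)
    return out


# Constructed sample record; every value is fictional.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street_address": "123 Example Lane",
    "city": "Novi",
    "state": "MI",
    "zip": "48375-1234",
    "date_of_birth": date(1921, 3, 14),
    "admit_date": date(2013, 6, 2),
    "mrn": "MRN-0099812",
    "phone": "(248) 555-0100",
    "email": "jane@example.com",
    "diagnosis_code": "I10",
    "notes": "Pt called from 248-555-0100; SSN 123-45-6789 on file. BP controlled.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD, today=date(2013, 6, 2)).items():
        print(f"{k}: {v}")
```

Run as a script it prints the de-identified record: state, 3-digit ZIP, admission year, diagnosis code, age category "90+" with no birth year, and the notes with the phone number and SSN redacted. The free-text scrub is the weak point of any Safe Harbor pipeline; a mention of a rare condition plus a small town in the notes can still identify someone, which is exactly the "actual knowledge" condition the rule attaches to the method.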
HIPAA – Security Rule
• Requires control measures to safeguard the confidentiality, integrity and availability of electronic Protected Health Information (ePHI)
• Organizational Requirements – Business Associate Agreements (BAAs)
• Security Standards
  • Administrative Safeguards – including the Security Management Process (risk analysis and risk management), Information Access Management, and Security Awareness and Training
  • Physical Safeguards
  • Technical Safeguards
HIPAA – Breach Notification Rule
• Requires notification to affected patients and to HHS (and, for large breaches, to the media) when unsecured PHI has been breached
• Defines Breach as an impermissible acquisition, access, use or disclosure of PHI that compromises its security or privacy
• Exceptions
  • Unintentional acquisition, access or use by a workforce member acting in good faith within the scope of their authority
  • Inadvertent disclosure between persons authorized to access PHI at the same entity
  • Good-faith belief that the recipient could not reasonably have retained the information
• Unsecured PHI – PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through encryption or destruction as specified in HHS guidance; loss of properly encrypted ePHI is not a reportable breach unless the decryption key was also exposed
2 The New Healthcare Paradigm
3 Internal Compliance
Internal Compliance Framework • Information Security Policy & Technical Controls • Acceptable Use • Access controls & Physical Security • Secure Software & Malicious Code • Security Incident Management • Sanctions • Breach Notification • Workforce Security • Security Awareness and Training • Proper Conduct and Authorized Disclosures
Impacts of Non-Compliance • Regulatory Fines • Lawsuits and Liability • Loss of Business • Professional Sanctions
Current Examples • Hospice of North Idaho - $50,000 • Massachusetts Eye and Ear Associates Inc. - $1.5 Million • River Falls Medical Clinic – 2,400 Patient Records stolen • Shands Jacksonville Clinic – 261 Patient Records photographed • Goldthwait Associates, a Billing Service Provider - $140,000 • Phoenix Cardiac Surgery, P.C. - $100,000
4 Conclusion
Assuring the Privacy and Security of Patients’ Information is a vital component of providing healthcare.
Xcellent Technologies, 43155 Main Street, Suite 2210-D, Novi, MI 48375 (248) 956.0538 info@xcellenttechnologies.com http://www.xcellenttechnologies.com