HIPAA Security 101 - PowerPoint PPT Presentation

1 / 32
About This Presentation

HIPAA Security 101


HIPAA Security 101 HIPAA Security 101 PA Dept. of Public Welfare * -- v3.1 April 7, 2005 * HIPAA Security As a care provider, clearinghouse, and insurer, the ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 33
Provided by: dpwState8


Transcript and Presenter's Notes

Title: HIPAA Security 101

HIPAA Security 101
HIPAA Security
  • As a care provider, clearinghouse, and insurer,
    the Department of Public Welfare (DPW) deals with
    our citizens medical information on a daily
    basis. It is essential that we protect the
    privacy and security of those records.

HIPAA Security
  • HIPAA privacy, which covers Protected Health
    Information (PHI) in any form has already been
    addressed as a separate training course.
  • This training deals with HIPAA Security, the
    practices used to protect certain electronic
    health information. Although HIPAA Security
    covers PHI only in electronic form, it is closely
    linked to HIPAA privacy.

Quiz 1
  • What is HIPAA?
  • A large African animal that spends much of its
    time in the water.
  • A long-haired, bell-bottom and sandals wearing
    flower child.
  • The Health Insurance Portability and
    Accountability Act of 1996.
  • Please make your selection ____

Answer 1
  • If you selected choice 3, the Health Insurance
    Portability and Accountability Act of 1996, you
    are CORRECT!
  • HIPAA was passed by the US Congress and signed by
    President Clinton. It is intended to simplify
    administration of the health care system and to
    reform the way health care providers, insurers,
    and other covered entities share and protect
    your health information.

Who is a Covered Entity?
  • Health Care Providers
  • Physicians, dentists, nurses, hospitals, nursing
    homes, etc.
  • Includes DPW
  • Health Care Clearinghouses
  • Billing services, etc.
  • Includes DPW
  • Health Care Plans
  • Group health plans, HMOs, PPOs, Medicare,
    Medicaid, etc.
  • Includes DPW

What does HIPAA Cover?
  • Transactions standardizes diagnostic and
    treatment codes, forms, and, processes used by
    providers, insurers, and other covered entities
  • Identifiers standardizes identifier codes or
    numbers for providers, health plans, and
  • Privacy addresses who has access to PHI in any
    form (oral, written, electronic, etc.), the
    circumstances under which those records may or
    may not be shared, and how that information needs
    to be safeguarded
  • Security addresses how PHI (electronic only) is
    protected, both in storage and in transmission

What are We Securing?
  • Electronic PHI (ePHI) is data that
  • Identifies or includes information that could
    identify an individual (including demographic
  • Relates to the past, present, or future
  • Physical or mental health or condition of an
  • Provision of health care to the individual
  • Payment for the provision of health care to an
  • Is stored or transmitted electronically

Quiz 2
  • Are data such as your name, address, phone
    number, date of birth, and social security number
    (SSN) examples of PHI covered by HIPAA?
  • Yes or No?

Answer 2
  • YES
  • As a part of a medical record, they are examples
    of data by which the identity of a client could
    be determined. Within the DPW data systems, this
    type of data is so intertwined with medical data
    that DPW has made a decision to treat all such
    data elements as PHI, regardless of their actual
    context or source.

What is HIPAA Security?
  • Security consists of the administrative,
    physical, and technical controls or processes by
  • We ensure
  • Confidentiality only the right people see the
  • Integrity the data is what it is supposed to
    be it hasnt been changed or corrupted
  • Availability the data is available when it is

What is HIPAA Security? (cont.)
  • We protect data from
  • Actual and reasonably anticipated threats or
    hazards to the security or integrity of ePHI (for
    example, fire, flood, theft, storm, etc.)
  • Actual and reasonably anticipated uses or
    disclosures of ePHI not permitted by the policy
    rules (including accidental or deliberate access
    or use by unauthorized persons)

Administrative Safeguards
  • Policies, procedures and practices including
  • Security management processes
  • Risk analysis and management
  • Sanction policy
  • Information system review and auditing
  • Assigned security responsibility
  • HIPAA security officer
  • Workforce security
  • Authorization and/or supervision
  • Background checks
  • Termination procedure

Administrative Safeguards (cont.)
  • Information access management
  • Isolation of ePHI data from other data
  • User registration/deregistration process
  • Access authentication and authorization
  • Security awareness and training
  • HIPAA-specific workforce training, including
    program office and job-specific training
  • Security reminders/bulletins
  • Anti-virus and anti-spyware software and
  • Login monitoring
  • Password policies

Administrative Safeguards (cont.)
  • Security incident procedures
  • Reporting and response
  • Contingency planning
  • Data backup
  • Disaster recovery planning
  • Agreements with entities performing HIPAA-covered
    work on DPWs behalf
  • Written agreements, revisions of agreements, as
  • Evaluation
  • Periodic review and self-evaluation

Physical Safeguards
  • Means by which the physical systems and media are
    protected from unauthorized use or access
  • Facility access controls
  • Contingency operation
  • Facility security (restricted access, monitoring,
  • Access control and validation procedure
  • Maintenance records
  • Workstation usage
  • Business use only
  • Restrictions on Internet access

Physical Safeguards (cont.)
  • Workstation security
  • UserID/Password required for access
  • Automatic lockout when workstation is unattended
    or unused for a certain amount of time
  • Device and media controls
  • Disposal of systems and media
  • Media re-use
  • Accountability and tracking
  • Data backup and storage

Technical Safeguards
  • Means by which electronic data, access to it, and
    its use are controlled and monitored
  • Access controls
  • Unique user identification
  • Emergency access procedure
  • Automatic logoff
  • Encryption and decryption

Technical Security (cont.)
  • Audit controls
  • Ability to determine who accessed data and when
  • Ability to determine who modified data and when
  • Integrity
  • Mechanisms in place to authenticate or validate
  • Transmission Security
  • Integrity controls to ensure that data isnt lost
    or altered
  • Encryption to ensure that only the recipient can
    see the data

So Who Cares?
  • Each of us must care
  • We in DPW are responsible for the medical
    information of our citizens. In addition, the
    vast majority of us have been treated by health
    care practitioners and would care greatly if we
    thought our medical records might be shared with
    strangers or unauthorized individuals or
    entities. Why should we expect our clients to
    care any less than we would?

So Who Cares? (cont.)
  • The Commonwealth of Pennsylvania and DPW
  • We are the custodians of our citizens data and
    it is a serious responsibility. Misuse or
    unauthorized disclosure of this data could lead
    to termination or other disciplinary action,
    possible criminal charges, and/or civil penalties.

So Who Cares? (cont.)
  • Federal Department of Health and Human Services
  • DHHS was responsible for issuing HIPAA
    regulations. These regulations and the HIPAA
    statute passed by Congress comprise the HIPAA
    legal requirements. DHHSs Centers for Medicare
    and Medicaid Services (CMS) enforces HIPAA
    security (and transaction) regulations DHHSs
    Office of Civil Rights (OCR) enforces HIPAA
    privacy regulations.

So Who Cares? (cont.)
  • The Federal Government
  • Federal penalties for misuse or unauthorized
    disclosure of PHI can result in criminal
    penalties including imprisonment of up to 10
    years and fines of up to 250,000. Additional
    penalties may be applied as a result of civil

General DPW Practices
  • There are some general security practices that
    everyone must use, regardless of their job duties
    and access to or use of ePHI
  • Abide by UserID and Password policies
  • Use strong passwords (7 or more characters, mix
    of uppercase, lowercase, numbers, punctuation)
  • Change passwords regularly
  • Dont write passwords down where others can get
  • Do not share your UserID and password with others

General DPW Practices (cont.)
  • Always lock your workstation when not using it or
    when away from your desk, for example, lock away
    any paper files containing PHI or floppies, CDs,
    or other media containing ePHI
  • Dont install software from home or from the
    Internet on your workstation
  • Limit Internet use to work-related activities

General DPW Practices (cont.)
  • Dont open unsolicited email from unknown senders
    or suspicious email from colleagues (this is a
    great way to spread computer viruses)
  • Immediately report unusual workstation behavior
    to your supervisor
  • Immediately report possible theft or misuse of
    your UserID to your supervisor

Job-Specific Practices
  • Those of you who have access to or use ePHI as a
    part of fulfilling your job duties need to be
    especially aware of HIPAA security.
  • Changing your password more frequently than
    generally required, encrypting data residing on
    your workstation, and using secure email are
    examples of practices to be followed.

Job-Specific Practices (cont.)
  • Within DPW, there are many jobs that involve
    access to and use of PHI, far too many to cover
    in detail in this training session.
  • Your program office or facility will be holding
    additional training sessions specific to HIPAA
    security as it relates to your job. Contact your
    supervisor for more information.

  • HIPAA regulations and information
  • www.cms.gov/hipaa
  • www.dhhs.gov
  • DPW HIPAA Privacy Policy
  • DPW HIPAA Security Policy
  • DPW Business and Technical Standards
  • Commonwealth Internet Usage Policy
  • Commonwealth IT Standards

Contact Information
  • Diana Clark (Privacy, Legal)
  • diclark_at_state.pa.us
  • Frank Morrow (Security)
  • fmorrow_at_state.pa.us
  • Frank Potemra (Policy)
  • fpotemra_at_state.pa.us
  • Your Program Office Security Manager
  • Your Supervisor

Quiz 3
  • To wrap things up, what is HIPPO?
  • A large African animal that spends much of its
    time in the water.
  • A long-haired, bell-bottom and sandals wearing
    flower child.
  • The Health Insurance Portability and
    Accountability Act of 1996.
  • Please make your selection ____

Answer 3
  • Choice 1, of course! A HIPPO is a large African
    animal that spends much of its time in the water.
Write a Comment
User Comments (0)
About PowerShow.com