Chapter 12: HIPAA Security Rule
What does the Privacy rule protect?
PHI regardless of the medium on which it resides
What is under the workforce security?
Adequate authorization and supervision for workforce accessing ePHI Clearance procedures to determine appropriateness of access Termination procedures to terminate access when a workforce member is no longer employed or alter access when job responsibilities change.
What is the Assigned security responsibility?
Assign official responsible for overseeing the development of security policies and procedures.
What is under the Business Associate Contract?
BA complies with sub part that subcontractors comply with all terms of the agreement. Other arrangements- CE is in compliance with applicable provisions of the law
Who does the HIPAA Security rule applied too?
CE and BA
What are the implementation considerations?
CE size complexity and capabilities Security capabilities of CE hardware and software Costs of security measures Likelihood and security of potential risks to ePHI
What is under the facility access control?
Contingency operations- procedures to allow access to recover lost data Facility security plan- Policies and procedures to safeguard equipment from unauthorized access Access control and Validation Procedures- Control and validate access to facilities based on users roles or functions Maintenance Records- Policies and procedures to document repairs and modifications to physical components of a facility as they relate to security
What are the key ingredents to protect a ePHI?
Created Maintained Transmitted Recieved
What are 4 contingency planning?
Data backup plan Disaster recovery plan Emergency mode operation plan Testing and revision procedure
What is Integrity?
Data that has not been altered or destroyed
What is under information Access management?
Developing policies and procedures Isolating healthcare clearing house functions Authorize access by workstation, transactions Using access to authorization to establish, document, review, and modify a users right to access a workstation
What is under device and media controls?
Disposal- Policies/procedures for disposal of ePHI Media reuse- procedures for wiping data before media can be reused Accountability- Maintain a record of the movement of hardware, reassignment, relocation Data backup and storage- Create a retrievable, exact copy of ePHI, when needed before movement of equipment.
What is security incident reporting?
Document security incidents and their outcomes Document mitigation of harmful effects of security incidents
What is an ePHI?
Electronic protected health information
What are the general requirements for the security rule?
Ensures confidentiality, integrity, and availability of all ePHI created, received, maintained or transmitted Protects security or integrity of ePHI from reasonably anticipated threats or hazards Protects against reasonably anticipated ePHI uses or disclosures not permitted or required by the privacy rule. Ensure workforce compliance with the security rule
What are policies and procedures?
Establishment and implementation of policies and procedures to comply with the standards, implementation specifications and other requirements. A CE OR A BA MAY CHANGE ITS POLICIES AND PROCEDURES AT ANY TIME PROVIDE THAT THOSE CHANGES ARE DOCUMENTED AND IMPLEMENTED AND IN COMPLIANCE WITH THE SECURITY RULE
What is an evaluation?
Periodic performance of technical and nontechnical evaluations in response to environmental or operational changes affecting security of ePHI
What is under the group health plan?
Plan documents compliance with all provisions of the HIPAA Security rule
What is audit controls?
Implementation of hardware, software, and/or procedures that record and examine activity i the information system
What is workstation Security?
Implementation of physical safeguards for all workstations used to access ePHI to restrict unauthorized access (Password protected screensavers)
What is workstation use?
Implementation of policies and procedures by workstation as to functions performed, the manner performed, physical attributes of the surroundings in the accessing of ePHI
What is transmission security?
Implementation of technical measures to guard against unauthorized access to ePHI transmitted across a network.
What is #1 vulenrability?
Outsourcing healthcare
What is person or entity authentication?
Procedures for identity vertification
What is security?
Protecting information from loss, unauthorized access, or misuse, and also keeping it confidental
What is under the Security Management Process?
Risk analysis- conduct an assessment of vulnerabilities Risk management- implement security measures to reduce vulnerabilities Sanction policy- apply appropriate sanctions against workforce members who fail to comply Information system activity review- audits, access logs, security incident, tracking reports.
What is under secruity awareness training?
Security reminders Protection from malicious software Log-in monitioring Password management
What is confidentiality?
Speak with a healthcare provider or anyone in the health field in confidence of information integrity
What is the HITECH act 2009?
Strengthen privacy and security under HIPAA to promote the adoption and meaningful use of health information technology.
What is the purpose of the HIPAA security rule?
To ensure that CE's implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission, while ensuring that data or information is accessible and usable on demand by authorized individuals.
What is under access control?
Unique user identification- must assign name or number for identification Emergency access procedure- Establish procedures for obtaining necessary ePHI in an emergency Automatic log-off- implement electronic processes that terminate an electronic session after a predetermined time in inactivity Encryption and decryption- should implement a mechanism to encrypt and decrypt ePHI.
What does the security rule protect?
ePHI
