Chapter 4: HIPAA Security Rule Concepts


American Recovery and Reinvestment Act of 2009 (ARRA)

Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule

Self-encrypted hard drives

Hard drives that protect their own data through keys that reside on the drive itself.

A former employee is angry at the CE because he was terminated. He hacked into the EHR and destroyed ePHI. What type of threat is this?

Intentional

Access privilege is what allows an individual to enter a computer system for an authorized purpose. TRUE or FALSE?

TRUE

What does the Security Rule require covered entities to do under Physical Safeguards?

To establish policies and procedures that will provide physical safeguards for ePHI

Audit trail

(1) A chronological set of computerized records that provides evidence of information system activity (log-ins and logouts, file accesses), used to determine security violations; (2) A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.

Contingency plan

(1) Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster; (2) A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI).

Cryptography

(1) The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again; (2) The study of encryption and decryption techniques.

Authentication

(1) The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature; (2) Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source

Integrity

(1) The state of being whole or unimpaired; (2) The ability of data to maintain its structure and attributes, including protection against modification or corruption during transmission, storage, or at rest. Maintenance of data integrity is a key aspect of data quality management and security.

What are the four implementation specifications for Facility Access Controls?

- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records

The Security Rule requires covered entities to:

- Ensure confidentiality, integrity, and availability of all electronic PHI (ePHI) created, received, maintained, or transmitted
- Protect against reasonably anticipated threats or hazards that might affect the security or integrity of ePHI
- Protect against reasonably anticipated uses or disclosures of ePHI that are not permitted or required
- Ensure workforce compliance

What are the two implementation specifications for Transmission Security?

- Integrity Controls
- Encryption

The following list provides examples of noncompliance with the HIPAA Security Rule:

- Leaving a sheet of paper containing PHI at the front desk where it is visible to others
- A computer screen that is unattended and logged in to PHI
- Knowingly releasing PHI to an unauthorized individual
- Selling PHI to marketing firms

What are the five categories of HIPAA Security Rule standards?

- Physical safeguards
- Technical safeguards
- Administrative safeguards
- Organizational requirements
- Policies and procedures and documentation requirements

HIPAA Security Rule

- Regulates maintenance and transmission of electronic protected health information (ePHI) rather than regulating all PHI (paper, electronic, oral)
- Places greater emphasis on technology

Context-based access control (CBAC)

An access control system that limits users to accessing information not only in accordance with their identity and role, but also according to the location and time in which they are accessing the information.

AHIMA has a Disaster Planning and Recovery Toolkit that contains:

- Steps to draft a business continuity plan, including communications, management, protecting health information, use and disclosure of health information, and recovery
- Sample contingency plan, staff competency list, immediate and short-term concerns checklist, and sample emergency privilege application and release form

Transmission security

A HIPAA Security Rule technical safeguard that provides for measures to be taken to protect ePHI against unauthorized access during transmission via an electronic communications network.

Flexible

A characteristic of the HIPAA Security Rule that allows a covered entity (CE) to use any security measures that allow it to reasonably and appropriately implement the Security Rule's standards and implementation specifications.

Technology neutral

A characteristic of the HIPAA Security Rule that allows an organization to develop as its technological capabilities allow rather than requiring or prescribing certain technologies. Specific technologies are not prescribed in the rules, which allows the use of the latest appropriate technology.

Audit log

A chronological record of electronic system(s) activities that enables the reconstruction, review, and examination of the sequence of events surrounding or leading to each event and/or transaction from its beginning to end. Includes who performed what event and when it occurred.

Risk management

A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuing liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.

Workstation

A computer designed to accept data from multiple sources in order to assist in managing information for daily activities and to provide a convenient means of entering data desired by the user at the point of care.

"Break the glass"

A computer system capability that allows an individual who otherwise would not have access privileges to ePHI to access it through an alternative method in limited, necessary situations such as patient care emergencies.

Firewall

A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network.

Role-based access control (RBAC)

A control system in which access decisions are based on the roles of individual users as part of an organization.

Full disk encryption

A process that signifies all data on a disk is encrypted.

Person authentication

A process, required by the HIPAA Security Rule, that verifies a person is who he claims to be in order to prevent unauthorized users from accessing ePHI.

User-based access control (UBAC)

A security mechanism used to grant users of a system access based on identity.

Technical safeguards

A set of five standards defined by the HIPAA Security Rule that can be implemented from a technical standpoint using computer software: access controls, audit controls, data integrity, person or entity authentication, and transmission security to protect ePHI.

Administrative safeguards

A set of nine standards defined by the HIPAA Security Rule. Administrative actions, such as policies and procedures and documentation retention, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.

HIPAA requires covered entities to review the Security Rule standards and implementation specifications for each security safeguard and decide if each is required or __________, which allows an equivalent method to be used.

Addressable

Public key infrastructure is a less secure method of encryption because the key that decodes the information is transmitted with the data. True or False?

False

Public key infrastructure

Also called asymmetric encryption; uses two keys to encrypt and transmit a message; the sending computer uses a private key to code (scramble) the message and a public key is given to the receiving computer to decode (unscramble) the message.

Private key infrastructure (PKI)

Also called symmetric or single-key encryption; occurs where both the sending and receiving computers use software that assigns a secret code or key. This encryption is less secure than public key encryption because the same key is transmitted with the data after the sending computer codes (scrambles) the data so the receiving computer can decode (unscramble) the data.

The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control?
a. Audit log
b. Access Control
c. Auto-Authentication
d. Override Function

Audit log

___ identifiers are based on physical characteristics such as retinas, fingerprints, palms, and face recognition.

Biometric

Antivirus software packages

Computer programs that search for malicious software (malware) that can damage an information system; antivirus software packages prevent, detect, or remove viruses.

Implementation specifications

Descriptions that define how HIPAA standards are to be implemented.

Metadata

Descriptive data that characterize other data to create a clearer understanding of their meaning and to achieve greater reliability and quality of information. Consists of both indexing terms and attributes. Data about data. Examples: creation date, date sent, date received, last access date, last modification date.

What term is also used to denote the HIPAA requirement of Contingency Planning?
a. Data Backup
b. Data Recovery
c. Disaster Planning
d. Emergency Mode of Operation

Emergency Mode of Operation

Sharing log-in information with another employee is an example of a security ___________, and a virus introduced by a disgruntled employee would be considered a security ___________.

Event, incident

While a covered entity is legally responsible for their employees, they are not responsible for the actions of business visitors. TRUE or FALSE?

FALSE

Coding Professionals Working at Home:

Many coding professionals access protected health information from home. It is not unusual for organizations to perform a home office evaluation to ensure compliance with policies and procedures. Security measures such as eliminating the print function on a coder's computer and closely monitoring computer activity may be implemented to manage the risk of unauthorized disclosure of PHI.

Physical safeguards

Measures such as locking doors to safeguard data and various media from unauthorized access and exposure; a set of four standards defined by the HIPAA Security Rule, including facility access controls, workstation use, workstation security, and device and media controls.

A HIPAA Officer may also be called

Privacy Officer

Account lockout

Prohibited access to an electronic account after an established number of attempts has been made.

A type of malicious software that blocks access to the hospital's own information system unless the hospital pays money to regain access.

Ransomware

Decryption

Restoration of scrambled or encoded data to meaningful, readable data.

Intrusion detection systems

Software that analyzes network traffic, sending an alarm if it detects potentially inappropriate attempts to access a network or a particular account; requires human intervention to monitor alarms and determine their validity.

Intrusion prevention systems

Software that identifies inappropriate electronic traffic and blocks its passage in a mechanism similar to a firewall; requires human intervention to monitor alarms and determine their validity.

What do Organizational Requirements implement?

They implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of the covered entity.

Entity authentication

The corroboration that an entity is who it claims to be.

Addressable specifications

The implementation specifications of the HIPAA Security Rule that are designated "addressable" rather than "required"; to be in compliance with the Rule, the covered entity must implement the specification as written, implement an alternative, or document that the risk for which the addressable implementation specification was provided either does not exist in the organization or exists with a negligible probability of occurrence.

Required specifications

The implementation specifications of the HIPAA Security Rule that are designated "required" rather than "addressable"; required standards must be present for the covered entity to be in compliance.

Scalable

The measure of a system's ability to grow relative to various measures of size, speed, number of users, volume of data, and so on; the concept that, based on the size of the covered entity, the threshold of compliance varies.

Audit controls

The mechanisms that record and examine activity in information systems.

Differentiate public key infrastructure and private key infrastructure

The private key is used to both encrypt and decrypt the data. This key is shared between the sender and receiver of the encrypted sensitive information. The public key is used to encrypt and a private key is used to decrypt the data. The private key is shared between the sender and receiver of the encrypted sensitive information. The public key is also called asymmetric cryptography.

The Evaluation standard mandates that an organization determines whether their security plans actually protect ePHI adequately. True or False?

True

Electronic protected health information (ePHI)

Under HIPAA: All individually identifiable health information created or received electronically by a covered entity (i.e., healthcare provider) or business associate.

Invalid log-on attempt

Use of an incorrect user name or password to enter a network or particular account.

Single-factor authentication

Use of one of three mechanisms to corroborate the identity of who an individual claims to be; the three mechanisms include (1) what the person knows (password), (2) what the user has (token), and (3) what the user is (biometrics); less secure than two-factor authentication.

Two-factor authentication

Use of two of three mechanisms to corroborate the identity of who an individual claims to be; the three mechanisms include (1) what the person knows (password), (2) what the user has (token), and (3) what the user is (biometrics); more secure than single-factor authentication.

The Security Rule defines "facility"

as the premises and the interior and exterior of buildings. All locations where there is physical access to ePHI must be considered, including the homes of workforce members and other physical locations.

When staff have a need for emergency access to information in the electronic health record that they may not have access to, the procedure to allow emergency access is often called

break the glass

Methods for actually destroying electronic data include ___________, where ePHI is disrupted or actually erased through exposure to a strong magnetic field.

degaussing

Methods for destruction of electronic media include:

disintegration, pulverizing, melting, incinerating, or shredding

The four standards of the HIPAA Security Rule's Physical safeguards

facility access controls, workstation use, workstation security, and device and media controls

Erasing or deleting a file does sufficiently remove the ePHI. True or false?

false

The HIPAA Security rule is technology neutral. What does this mean?

New technologies were evolving, and the healthcare industry began to move away from paper processes and rely more heavily on the use of electronic information systems; the Rule allows covered entities to adopt new technologies to improve the quality and efficiency of patient care.

The facility access control used in the EHR requires a user name and password. This is an example of ________ authentication.

one factor

Encryption

scrambles or encodes data, protecting it from being comprehended by unauthorized individuals

The HIPAA Security Rule is scalable. What does this mean?

So that a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' ePHI.

The Security Rule permits reuse of electronic media. True or false?

true

