Chapter 4: HIPAA Security Rule Concepts
American Recovery and Reinvestment Act of 2009 (ARRA)
Federal legislation that included significant funding for health information technology and provided for significant changes to the HIPAA Privacy Rule
Self-encrypted hard drives
Hard drives that protect their own data through keys that reside on the drive itself.
A former employee is angry at the CE because he was terminated. He hacked into the EHR and destroyed ePHI. What type of threat is this?
Intentional
Access privilege is what allows an individual to enter a computer system for an authorized purpose. TRUE or FALSE?
TRUE
What does Security Rule require covered entities to do under Physical Safeguards?
To establish policies and procedures that will provide physical safeguards for ePHI
Audit trail
(1) A chronological set of computerized records that provides evidence of information system activity (log-ins and logouts, file accesses), used to determine security violations (2) A record that shows who has accessed a computer system, when it was accessed, and what operations were performed.
Contingency plan
(1) Documentation of the process for responding to a system emergency, including the performance of backups, the line-up of critical alternative facilities to facilitate continuity of operations, and the process of recovering from a disaster;(2) A recovery plan in the event of a power failure, disaster, or other emergency that limits or eliminates access to facilities and electronic protected personal health information (ePHI).
Cryptography
(1) The art of keeping data secret through the use of mathematical or logical functions that transform intelligible data into seemingly unintelligible data and back again (2) The study of encryption and decryption techniques
Authentication
(1) The process of identifying the source of health record entries by attaching a handwritten signature, the author's initials, or an electronic signature; (2) Proof of authorship that ensures, as much as possible, that log-ins and messages from a user originate from an authorized source
Integrity
(1) The state of being whole or unimpaired; (2) The ability of data to maintain its structure and attributes, including protection against modification or corruption during transmission, storage, or at rest. Maintenance of data integrity is a key aspect of data quality management and security.
What are the four implementation specifications for Facility Access Controls?
-Contingency Operations-Facility Security Plan-Access Control and Validation Procedures-Maintenance Records
The Security Rule requires covered entities to:
-Ensure confidentiality, integrity, and availability of all electronic PHI (ePHI) created, received, maintained, or transmitted -Protect against reasonably anticipated threats or hazards that might affect the security or integrity of ePHI -Protect against reasonably anticipated uses or disclosures of ePHI that is not permitted or required -Ensure workforce compliance
What are the two implementation specifications for Transmission Security?
-Integrity Controls-Encryption
The following list provides examples of noncompliance with the HIPAA Security Rule
-Leaving a sheet of paper containing PHI at the front desk which is visible to other -A computer screen that is unattended and logged in to PH -Knowingly releasing PHI to unauthorized individual-Selling PHI to marketing firms
What are the five categories of HIPAA Security Rule standards?
-Physical safeguards -Technical safeguards -Administrative safeguards -Organizational requirements -Policies and procedures and documentation requirements
HIPAA Security Rule
-Regulates maintenance and transmission of electronic protected health information (ePHI) rather than regulating all PHI (paper, electronic, oral) -Places greater emphasis on technology
Context-based access control (CBAC)
A access control system which limits users to accessing information not only in accordance with their identity and role, but to the location and time in which they are accessing the information.
AHIMA has a Disaster Planning and Recovery Toolkit that contains:
-Steps to draft a business continuity plan including communications, management, protecting health information, use and disclosure of health information, and recovery-Same contingency plan, staff competency list, immediate and short term concerns checklist, and sample emergency privilege application and release form
Transmission security
A HIPAA Security Rule technical safeguard that provides for measures to be taken to protect ePHI against unauthorized access during transmission via an electronic communications network.
Flexible
A characteristic of the HIPAA Security Rule that allows a covered entity (CE) to use any security measures that allow it to reasonably and appropriately implement the Security Rule's standards and implementation specifications.
Technology neutral
A characteristic of the HIPAA Security Rule that allows an organization to develop as their technological capabilities allow rather than requiring or prescribing certain technologies. specific technologies are not prescribed in the rules, which allows the use of the latest and appropriate technology
Audit log
A chronological record of electronic system(s) activities that enables the reconstruction, review, and examination of the sequence of events surrounding or leading to each event and/or transaction from its beginning to end. Includes who performed what event and when it occurred.
Risk managment
A comprehensive program of activities intended to minimize the potential for injuries to occur in a facility and to anticipate and respond to ensuring liabilities for those injuries that do occur. The processes in place to identify, evaluate, and control risk, defined as the organization's risk of accidental financial liability.
Workstation
A computer designed to accept data from multiple sources in order to assist in managing information for daily activities and to provide a convenient means of entering data desired by the user at the point of care.
"Break the glass"
A computer system capability that allows an individual who otherwise would not have access privileges to ePHI to access it through an alternative method in limited, necessary situations such as patient care emergencies.
Firewall
A computer system or a combination of systems that provides a security barrier or supports an access control policy between two networks or between a network and any other traffic outside the network.
Role-based access control (RBAC)
A control system in which access decisions are based on the roles of individual users as part of an organization.
Full disk encryption
A process that signifies all data on a disk is encrypted.
Person authentication
A process, required by the HIPAA Security Rule, that requires a person is who he is in order to prevent unauthorized users from accessing ePHI.
User-based access control (UBAC)
A security mechanism used to grant users of a system access based on identity
Technical safeguards
A set of five standards defined by the HIPAA Security Rule that can be implemented from a technical standpoint using computer software; access controls, audit controls, data integrity, person or entity authentication, and transmission security to protect ePHI.
Administrative safeguards
A set of nine standards defined by the HIPAA Security Rule. Administrative actions such as policies and procedures, documentation retention to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information.
HIPPA requires the covered entities to review their security rule standards and implementation specifications for each security safeguard and decide if it is required or__________ which allow an equivalent method to be used.
Addressable
Public key infrastructure is a less secure method of encryption because the key that decodes the information is transmitted with the data. True or False?
False
Public key infrastructure
Also called asymmetric encryption; uses two keys to encrypt and transmit a message; the sending computer uses a private key to code (scramble) the message and a public key is given to the receiving computer to decode (unscramble) the message.
Private key infrastructure (PKI)
Also called symmetric or single-key encryption, occurs where both the sending and receiving computers use software that assigns a secret code or key; this encryption is less secure that public key encryption because same key is transmitted with the data after the sending computer codes (scrambles) the data so the receiving computer can decode (unscramble) the data
The capture of data by a hospital's data security system that shows multiple invalid attempts to access the patients' database is an example of what type of security control? a. Audit log b. Access Control c. Auto-Authentication d. Override Function
Audit log
___ identifiers are based on physical characteristics such as retinas, fingertips, palms and face recognition
Biometric
Antivirus software packages
Computer programs that search for malicious software (malware) that can damage an information system; anti-virus software package prevent, detect or remove viruses.
Implementation specifications
Descriptions that define how HIPAA standards are to be implemented.
Metadata
Descriptive data that characterize other data to create a clearer understanding of their meaning and to achieve greater reliability and quality of information. Consist of both indexing terms and attributes. Data about data. Ex: Creation date, date sent, date received, last access date, last modification date.
What term is also used to denote the HIPAA requirement of Contingency Planning? a. Data Backup b. Data Recovery c. Disaster Planning d. Emergency Mode of Operation
Emergency Mode of Operation
Sharing log in information with another employee is an example of a security___________ and a virus introduced by a disgruntled employee would be considered a security___________
Event, incident
While a covered entity is legally responsible for their employees, they are not responsible for the actions of business visitors. TRUE or FALSE?
FALSE
Coding Professionals Working at Home:
Many coding professionals access protected health information from home. It is not unusual for organizations to perform a home office evaluation to ensure compliance with policies and procedures. Security measures such as eliminating the print function on a coder's computer and closely monitoring computer activity may be implemented to manage the risk of unauthorized disclosure of PHI.
Physical safeguards
Measures such as locking doors to safeguard data and various media from unauthorized access and exposures; a set of four standards defined by the HIPAA Security Rule including facility access, controls, workstation use, workstation security, and device and media controls.
A HIPAA Officer may also be called
Privacy Officer
Account lockout
Prohibited access to an electronic account after an established number of attempts have been made.
type of malicious software that prohibits access to the hospital own information system unless they pay money to gain access
Ransomware
Decryption
Restoration of scrambled or encoded data to meaningful, readable data.
Intrusion detection systems
Software that analyze network traffic, sending an alarm if they detect potentially inappropriate attempts to access a network or particular account; require human intervention to monitor alarms and determine their validity.
Intrusion prevention systems
Software that identify inappropriate electronic traffic and block its passage in a mechanism similar to a firewall; require human intervention to monitor alarms and determine their validity.
What does Organizational Requirements implement?
They implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the ePHI that it creates, receives, maintains, or transmits on behalf of the covered entity.
Entity authentication
The corroboration that an entity is who it claims to be.
Addressable specifications
The implementation specifications of the HIPAA Security Rule that are designated "addressable" rather than "required;" to be in compliance with the Rule, the covered entity must implement the specification as written, implement an alternative, or document that the risk for which the addressable implementation specification was provided either does not exist in the organization, or exists with a negligible probability of occurrence.
Required specifications
The implementation specifications of the HIPAA Security Rule that are designated "required" rather than "addressable"; required standards must be present for the covered entity to be compliance.
Scalable
The measure of a system to grow relative to various measures of size, speed, number of users, volume of data, and so on. the concept that based on the size of the Covered Entity, the threshold of compliance varies
Audit controls
The mechanisms that record and examine activity in information systems.
differentiate public key infrastructure and private key infrastructure
The private key is used to both encrypt and decrypt the data. This key is shared between the sender and receiver of the encrypted sensitive information. The public key is used to encrypt and a private key is used decrypt the data. The private key is shared between the sender and receiver of the encrypted sensitive information. The public key is also called asymmetric cryptography.
The Evaluation standard mandates that an organization determines whether their security plans actually protect ePHI adequately. True or False?
True
Electronic protected health information (ePHI)
Under HIPAA: All individually identifiable health information created or received electronically by a covered entity (i.e., healthcare provider) or business associate.
Invalid log-on attempt
Use of an incorrect user name or password to enter a network or particular account.
Single-factor authentication
Use of one of three mechanisms to corroborate the identity of who an individual claims to be; the three mechanisms include (1) what the person knows (password); (2) what the user has (token); (3) what the use is (biometrics); less secure than two factor authentication.
Two-factor authentication
Use of two of three mechanisms to corroborate the identity of who an individual claims to be; the three mechanisms include: (1) what the person knows (password), (2) what the user has (token), (3) what the use is (biometrics); is more secure than single-factor authentication.
the Security Rule defines facility
as the premises and the interior and exterior of buildings. All locations where there is physical access to ePHI must be considered including the homes of workforce members and other physical locations.
When staff have a need for emergency access to information in the electronic health record that they may not have access to, the procedure to allow emergency access is often called
break the glass
Methods for actually destroying electronic data include ___________, where ePHI is disrupted or actually erased through exposure to a strong magnetic field.
degaussing
destruction of electronic media include:
disintegration, pulverizing, melting, incinerating, or shredding
HIPAA Security Rule four standards of Physical safeguards
facility access controls, workstation use, workstation security, and device and media controls
Erasing or deleting a file does sufficiently remove the ePHI. true or false?
false
The HIPAA Security rule is technology neutral. What does this mean?
new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems, allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.
The facility access control used in the EHR requires a user name and password This is an example of ________ authentication
one factor
Encryption
scrambles or encodes data, protecting it from being comprehended by unauthorized individuals
The HIPAA Security rule is scalable. what does this mean?
so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity's particular size, organizational structure, and risks to consumers' e-PHI.
The Security Rule permits reuse of electronic media. true or false?
true