Health information security system
Published in: Education, Technology, Business

1. Health Information Security System
   Diana Fernandez, MHA 616, December 13, 2010. Instructor: David Cole
2. Introduction
   - Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinical functions (US Dept of HHS).
3. What is HIPAA?
   - The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, specifies privacy, security and electronic transaction standards for patient information that apply to all covered health care providers. It was signed into law on August 21, 1996 and came about in response to rapidly expanding technology and the need for standardization in the health care industry (Choi, 2006).
   - Under HIPAA, HHS issued regulations protecting the privacy and security of certain health information by establishing the Privacy Rule and the Security Rule (US Dept of HHS).
4. Privacy Rule
   - What is the HIPAA Privacy Rule?
   - HIPAA directed the U.S. Department of Health and Human Services (HHS) to promulgate a regulation, the Privacy Rule, to protect and enhance the right of consumers to control how their personal health information is used and disclosed. Specifically, the Privacy Rule:
   - stipulates the individual rights of consumers to control their personal health information, including guaranteed access to their medical records and a clear avenue of recourse if their medical privacy is compromised;
   - outlines the procedures organizations must adopt to enable patients to exercise their privacy rights, including proper notification of how their personal health information is used and shared;
   - establishes the conditions under which individuals or organizations may use and/or disclose personal health information;
   - sets an industry standard for disclosing only the minimum amount of information necessary to satisfy an authorized request for patient information; and
   - requires organizations to appoint a privacy officer to conduct privacy assessments, create policies to protect patient privacy, train staff, and establish an internal grievance process (NGA).
5. Security Rule
   - HIPAA directed the U.S. Department of Health and Human Services (HHS) to promulgate a regulation, the Security Rule, to ensure the integrity, safety, and security of patient medical information when it is collected, exchanged, or otherwise used in the health care marketplace.
   - The Security Rule established the organizational standards (administrative, physical, and technical) that covered entities must adopt to prevent unauthorized access to patient health information. It assures the safety and integrity of patient health information when consumers exercise their health privacy rights under HIPAA (NGA).
   - The Security Rule applies only to protected health information in electronic form (ePHI), and requires a covered entity to ensure the confidentiality, integrity, and availability of all ePHI the covered entity creates, receives, maintains, or transmits. Covered entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and they must ensure compliance by their workforce (US HHS).
6. PHI
   - The HIPAA security standards apply to protected health information (PHI) that is either stored or transmitted electronically. PHI is health information in any form that personally identifies a patient (Kibbe, 2005). Although HIPAA pertains to all forms of PHI (verbal, paper, and electronic), currently only the electronic formats are addressed in the Security Standards Final Rule published in February 2003 (Bradford, 2008).
7. HIPAA Safeguards
   - Safeguards are the solutions and tools used to implement security policies. Individually identifiable health information should be protected with reasonable technical, physical and administrative safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure (OCR).
8. Technical Safeguards

   Technical safeguard                                              HIPAA standard
   Access control: permits access to ePHI only to persons
     or programs that have been granted access rights             164.312(a)(1)
   Unique user identification: assigns a unique name or
     number to identify and track each user                        164.312(a)(2)(i)
   Emergency access procedure: establishes procedures for
     obtaining electronic protected health information
     during an emergency                                           164.312(a)(2)(ii)
   Automatic logoff and restriction of connection time:
     restricts connection time for high-risk applications
     and ends a session after a predetermined idle period          164.312(a)(2)(iii)
   Encryption and decryption: uses cryptography to keep
     critical data confidential                                    164.312(a)(2)(iv)
   (Choi, 2006)

   - Note that the rule distinguishes required from addressable implementation specifications: unique user identification and the emergency access procedure are required, while automatic logoff and encryption are addressable. "Addressable" does not mean optional; a covered entity must implement the specification or document why it is not reasonable and appropriate and what equivalent measure it uses instead.
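The following is an added example, not code from the slides or from any cited source. It shows how the first four technical safeguards in the table fit together in one small ePHI access layer: every session is bound to one named user (unique user identification), reads are checked against the user's role and treating relationship (access control), a clinician can invoke a logged break-glass override (emergency access procedure), and idle sessions are expired on the next request (automatic logoff). The records, roles, user names and the 10-minute idle limit are constructed for illustration; encryption at rest (164.312(a)(2)(iv)) is left out because Python's standard library provides no authenticated cipher.

```python
"""Added example: access control, unique user IDs, break-glass access and
automatic logoff for an ePHI store.  All data below is constructed."""
import uuid
from dataclasses import dataclass, field

# Constructed sample records; 'treating' lists clinicians with a care relationship.
RECORDS = {
    "MRN-1001": {"patient": "A. Example", "treating": {"dr_lee"}},
    "MRN-1002": {"patient": "B. Example", "treating": {"dr_ng"}},
}
# Role-level policy (assumption): only clinicians may read clinical ePHI at all.
ROLE_CAN_READ = {"clinician": True, "billing": False}


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str            # unique user ID, 164.312(a)(2)(i): no shared accounts
    role: str
    session_id: str
    last_activity: float
    timeout_s: int = 600  # automatic logoff after 10 minutes idle (assumed policy)


@dataclass
class EphiStore:
    audit: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)

    def login(self, user, role, now, timeout_s=600):
        sid = str(uuid.uuid4())
        self.sessions[sid] = Session(user, role, sid, now, timeout_s)
        self._log(now, user, "login", None, True)
        return sid

    def _active(self, sid, now):
        """Automatic logoff: an idle session is destroyed on its next use."""
        s = self.sessions.get(sid)
        if s is None:
            raise AccessDenied("no such session")
        if now - s.last_activity > s.timeout_s:
            del self.sessions[sid]
            self._log(now, s.user, "auto_logoff", None, False)
            raise AccessDenied("session timed out")
        s.last_activity = now
        return s

    def read(self, sid, mrn, now, break_glass=None):
        """Return the record if the user's role and treating relationship allow it.
        break_glass is a free-text emergency reason; it lets a clinician bypass the
        treating-relationship check but never the role check, and is always logged."""
        s = self._active(sid, now)
        rec = RECORDS.get(mrn)
        role_ok = rec is not None and ROLE_CAN_READ.get(s.role, False)
        ok = role_ok and s.user in rec["treating"]
        if not ok and role_ok and break_glass:
            self._log(now, s.user, "break_glass", mrn, True, reason=break_glass)
            ok = True
        self._log(now, s.user, "read", mrn, ok)
        if not ok:
            raise AccessDenied(f"{s.user} may not read {mrn}")
        return rec["patient"]

    def _log(self, now, user, action, mrn, allowed, reason=None):
        # Audit trail keyed on the unique user ID so every access is attributable.
        self.audit.append({"t": now, "user": user, "action": action,
                           "mrn": mrn, "allowed": allowed, "reason": reason})


def demo():
    """Exercise each safeguard once and return what happened."""
    store, t0, out = EphiStore(), 1_000_000.0, {}
    lee = store.login("dr_lee", "clinician", t0)
    clerk = store.login("clerk1", "billing", t0)
    out["own_patient"] = store.read(lee, "MRN-1001", t0 + 1)
    for key, sid, mrn in (("billing_denied", clerk, "MRN-1001"),
                          ("other_denied", lee, "MRN-1002")):
        try:
            store.read(sid, mrn, t0 + 2)
        except AccessDenied:
            out[key] = True
    out["emergency"] = store.read(lee, "MRN-1002", t0 + 4,
                                  break_glass="ED admission, covering for dr_ng")
    try:  # 601 s of inactivity exceeds the 600 s limit -> auto logoff
        store.read(lee, "MRN-1001", t0 + 4 + 601)
    except AccessDenied:
        out["timed_out"] = True
    out["break_glass_events"] = sum(e["action"] == "break_glass" for e in store.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should look for is that the emergency path relaxes only the treating-relationship check, never the role check, and that the override leaves a reason in the same audit trail as ordinary reads so the privacy officer can review break-glass use after the fact.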
9. Physical Safeguards
   - Physical safeguards to ensure compliance with HIPAA's Security Rule may be the easiest way to begin the compliance process.
   - Examples of physical safeguards:
     - Office alarm systems
     - Sign-in stations at computer terminals
     - Employee electronic swipe cards
     - Locked offices containing computing equipment that stores electronic health information (Choi, 2006)
10. Administrative Safeguards
   - Administration plays an integral part in establishing compliance with HIPAA security standards (Choi, 2006).
   - Examples of administrative safeguards:
     - Designate a privacy officer with primary responsibility for ensuring compliance with the regulations
     - Establish training programs for all employees
     - Implement appropriate policies and procedures for intentional and accidental disclosures of protected information
     - Implement appropriate sanctions for violations of the privacy guidelines (DeMuro, 2001)
11. Conclusion
12. References