Hm300 week 7 part 2 of 2
1. Chapter 12: The HIPAA Security Rule
© 2017 American Health Information Management Association
Fundamentals of Law for Health Informatics and Information Management, Third Edition
2. HIPAA Security Rule
• Security: Protection of information from loss, unauthorized access, or misuse, along with protecting its confidentiality
• Difference between privacy rule and security rule
  – Privacy rule: Protects PHI regardless of the medium on which it resides
  – Security rule: Protects electronic PHI (ePHI)
3. HIPAA Security Rule
• Two primary purposes:
  – Implement appropriate security safeguards to protect ePHI that may be at risk
  – Protect an individual's health information while permitting appropriate access and use
4. HIPAA Security Rule
• Requires covered entities to ensure
  – Integrity: Lack of alteration or destruction in an unauthorized manner
  – Confidentiality: Not made available or disclosed to unauthorized persons or processes
5. HIPAA Security Rule
• Protects ePHI that is
  – Created
  – Maintained
  – Transmitted
  – Received
• Applies to
  – Covered healthcare providers
  – Health plans
  – Healthcare clearinghouses
  – Also applies to business associates (BAs) and their subcontractors (per HITECH)
6. HIPAA Security Rule
• History
  – Required compliance date: April 2005
    • Small health plans: April 2006
  – Changes included as part of HITECH (a portion of ARRA)
    • Passed by Congress in February 2009
  – Enforcement of the Security Rule was assumed by the Office for Civil Rights of HHS in 2009 (taken over from Centers for Medicare and Medicaid Services)
7. HIPAA Security Rule
• Part of Title II: Administrative Simplification
• Focuses solely on ePHI
  – Thus, more technical in nature
• But, is
  – Flexible
  – Scalable
  – Technology neutral
8. HIPAA Security Rule v. Privacy Rule
• ePHI: PHI maintained or transmitted in electronic form
  – For example, tapes, disks, optical disks, hard drives, servers, Internet, private networks
  – Not included: Voice mail messages, paper-to-paper faxes, copy machines
9. HIPAA Security Rule—Another Difference
• Most standards contain implementation specifications
  – Required (R): Must be implemented
  – Addressable (A): Must be implemented as the rule states or in an alternate manner, or documented that the risk does not exist or is negligible
• Addressable implementation specifications cannot be ignored
10. HIPAA Security Rule
• Under the General Requirements, a CE must:
  – Ensure confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted
  – Protect the security or integrity of ePHI from reasonably anticipated threats or hazards
  – Protect against reasonably anticipated ePHI uses or disclosures not permitted or required by the privacy rule
  – Ensure workforce compliance with the security rule
11. HIPAA Security Rule (continued)
• When considering flexibility of implementation, these must be considered when deciding on the most appropriate security measures
  – CE size, complexity, and capabilities
  – Security capabilities of CE's hardware and software
  – Costs of security measures
  – Likelihood and severity of potential risks to ePHI (risk management)
12. HIPAA Security Rule (continued)
• HHS recommends the following security process:
  – Assess current security, risks, and gaps
  – Develop an implementation plan
  – Implement solutions
  – Document decisions
  – Reassess periodically
13. HIPAA Security Rule (continued)
• Covered entities and BAs must use a risk analysis to decide which security measures to implement.
  – Financial analysis should be conducted to determine the cost of compliance.
14. HIPAA Security Rule (continued)
• 5 categories of safeguards
  – Administrative Safeguards (164.308)
  – Physical Safeguards (164.310)
  – Technical Safeguards (164.312)
  – Organizational Requirements (164.314)
  – Policies, Procedures, and Documentation (164.316)
15. HIPAA Security Rule (continued)
• The rule's maintenance requirement provides that a continuing review of the reasonableness and appropriateness of a covered entity's or BA's (or subcontractor's) security measures should be conducted
  – Modify as needed
  – Update documentation of review and modifications
16. HIPAA Security Rule Standards
• Administrative Safeguards (164.308)
  – Security management process
  – Assigned security responsibility
  – Workforce security
  – Information access management
  – Security awareness training
  – Security incident reporting
  – Contingency plan
  – Evaluation
  – BA contracts and other arrangements
17. Administrative Safeguards: Security Management Process (164.308(a)(1))
• Implement policies and procedures to prevent, detect, contain, and correct security violations
  – Risk Analysis (R): Accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  – Risk Management (R): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
  – Sanction Policy (R): Apply appropriate sanctions for non-compliance with security policy
  – Information System Activity Review (R): Implement procedures to regularly review system activity, such as audit logs, access reports, and security incident tracking reports
18. Administrative Safeguards: Assigned Security Responsibility (164.308(a)(2))
• Identify a security official to develop and implement security policies and procedures, to manage and supervise the use of security measures, and to oversee the conduct of personnel in relation to protecting the data
• No implementation specifications
• Required
19. Administrative Safeguards: Workforce Security (164.308(a)(3))
• Implement policies and procedures to ensure appropriate access to ePHI
  – Authorization/supervision (A): Implement procedures to authorize/supervise personnel working with ePHI or who may inadvertently access ePHI
  – Clearance procedures (A): Implement procedures to help ensure appropriate access of personnel (based on need-to-know)
  – Termination procedures (A): Implement procedures for ending access to ePHI when employment/contract ends or responsibilities change
20. Administrative Safeguards: Information Access Management (164.308(a)(4))
• Implement policies and procedures authorizing access to ePHI
  – Isolate clearinghouse functions (R): If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement P&P that protect the ePHI of the clearinghouse from unauthorized access by the larger organization
  – Access authorization (A): Implement P&P for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism
  – Access establishment & modification (A): Implement procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process based on Access Authorization procedures
21. Administrative Safeguards: Security Awareness Training (164.308(a)(5))
• Implement a security and awareness training program for all workforce members
  – Security reminders (A): Periodic security updates/reminders for workforce
  – Protection from malicious software (A): Procedures for guarding against, detecting, and reporting malicious software
  – Login monitoring (A): Procedures for monitoring login attempts and reporting discrepancies
  – Password management (A): Procedures for creating, changing, and securing passwords
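One way the "login monitoring" specification above and the information system activity review from 164.308(a)(1) can be turned into a repeatable check, as an added example that is not part of the AHIMA slides: the audit record layout, the field names, the failure threshold, the five-minute window and the business-hours range are all assumptions chosen for illustration.

```python
"""Login-monitoring review over constructed audit records.

Added example (not from the AHIMA slides). The log line format
'timestamp user source outcome', the thresholds and the business-hours
range are assumptions; adapt them to the real audit source."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records: one burst of failures for 'bob'
# followed by a success, and one late-night login for 'carol'.
SAMPLE_LOG = """\
2024-03-04T08:01:10 alice ws-12 SUCCESS
2024-03-04T08:03:42 bob ws-07 FAILURE
2024-03-04T08:03:55 bob ws-07 FAILURE
2024-03-04T08:04:20 bob ws-07 FAILURE
2024-03-04T08:04:31 bob ws-07 FAILURE
2024-03-04T08:04:50 bob ws-07 FAILURE
2024-03-04T08:05:05 bob ws-07 SUCCESS
2024-03-04T23:15:00 carol ws-31 SUCCESS
"""

FAILURE_THRESHOLD = 5          # failures inside WINDOW that trigger a finding
WINDOW = timedelta(minutes=5)  # assumed review window
BUSINESS_HOURS = range(7, 20)  # assumed 07:00-19:59; other hours are reported


def parse_log(text):
    """Parse 'timestamp user source outcome' lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, outcome = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "source": source, "outcome": outcome})
    return events


def find_discrepancies(events):
    """Return (user, reason, timestamp) findings for the reviewer.

    A failure burst is reported once, when the threshold is first reached;
    a success that follows a burst is reported separately because it is
    the case a reviewer most wants to look at."""
    findings = []
    recent_failures = defaultdict(list)  # user -> failure timestamps in WINDOW
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["outcome"] == "FAILURE":
            window = [t for t in recent_failures[user] if ev["ts"] - t <= WINDOW]
            window.append(ev["ts"])
            recent_failures[user] = window
            if len(window) == FAILURE_THRESHOLD:
                findings.append((user, "failure burst", ev["ts"]))
        else:
            if len(recent_failures[user]) >= FAILURE_THRESHOLD:
                findings.append((user, "success after failure burst", ev["ts"]))
            recent_failures[user] = []
            if ev["ts"].hour not in BUSINESS_HOURS:
                findings.append((user, "login outside business hours", ev["ts"]))
    return findings


if __name__ == "__main__":
    for user, reason, ts in find_discrepancies(parse_log(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {user}: {reason}")
```

The findings list is what a periodic activity review would document under the security management process; the example reports the burst only once so a long brute-force run does not flood the reviewer.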
22. Administrative Safeguards: Security Incident Procedures (164.308(a)(6))
• Implement policies & procedures to address security incidents
  – Response & reporting (R)
    • Identify and respond to suspected or known security incidents
    • Mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity
    • Document security incidents and their outcomes
23. Administrative Safeguards: Contingency Plan (164.308(a)(7))
• Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems containing ePHI
  – Data backup plan (R): Establish and implement procedures to create and maintain retrievable exact copies of ePHI
  – Disaster Recovery (R): Establish procedures to restore data after loss
  – Emergency mode operation (R): Establish procedures to enable continuation of critical business processes for ePHI security while operating in emergency mode
  – Testing and revision procedures (A): Implement procedures for periodic testing and revision of contingency plans
  – Applications and data criticality analysis (A): Assess relative criticality of specific applications and data in support of other contingency plan components
24. Administrative Safeguards: Evaluation (164.308(a)(8))
• Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet HIPAA requirements
• No implementation specifications
• Required
25. Administrative Safeguards: Business Associate Contracts & Other Arrangements (164.308(b)(1))
• A covered entity may permit a BA to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances that the BA will appropriately safeguard the information
• Does not apply to the following:
  – Transmission by a covered entity of ePHI to a provider for treatment
  – Transmission of ePHI by a group health plan, or an HMO or health insurance issuer on behalf of a group health plan, to a plan sponsor
  – Transmission of ePHI to/from other agencies providing services when the covered entity is a health plan (government program) providing public benefits
• Written contract or other arrangement (R): Document the satisfactory assurances of this section through a written contract or other arrangement
26. HIPAA Security Rule Standards
• Physical Safeguards (164.310)
  – Facility access controls
  – Workstation use
  – Workstation security
  – Device and media controls
27. Physical Safeguards: Facility Access Controls (164.310(a)(1))
• Implement policies and procedures to limit physical access to electronic information systems and the facility(ies) in which they are housed, while ensuring that properly authorized access is allowed
  – Contingency operations (A): Establish procedures allowing facility access in support of restoring lost data under DRP and EMO plans during an emergency
  – Facility security plan (A): To safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
  – Access control and validation procedures (A): To control and validate a person's access to facilities based on role or function, including visitor control, and control of access to software programs for testing and revision
  – Maintenance records (A): To document repairs and modifications to the physical components of a facility that are related to security (e.g., hardware, walls, doors, locks, etc.)
28. Physical Safeguards: Workstation Use (164.310(b))
• Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
• No implementation specifications
• Required
29. Physical Safeguards: Workstation Security (164.310(c))
• Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users
• No implementation specifications
• Required
30. Physical Safeguards: Device and Media Controls (164.310(d)(1))
• Implement policies and procedures that govern the receipt/removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility
  – Disposal (R): To address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
  – Media re-use (R): Implement procedures for removal of ePHI from electronic media before the media are made available for re-use
  – Accountability (A): Maintain a record of the movements of hardware and electronic media and any person responsible
  – Data backup and storage (A): Create a retrievable, exact copy of ePHI, when needed, before movement of equipment
31. HIPAA Security Rule Standards
• Technical Safeguards (164.312)
  – Access control
  – Audit controls
  – Integrity
  – Person or entity authentication
  – Transmission security
32. Technical Safeguards: Access Controls (164.312(a)(1))
• Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights
  – Unique user identification (R): Assign a unique name and/or number for identifying and tracking user identity
  – Emergency access procedures (R): Establish procedures for obtaining necessary ePHI during an emergency
  – Automatic logoff (A): Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
  – Encryption and decryption (A): Implement a mechanism to encrypt and decrypt electronic protected health information
33.
Technical Safeguards: Audit Controls (164.312(b))
• Implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
• No implementation specifications required
34.
Technical Safeguards: Integrity (164.312(c)(1))
• Implement policies and procedures to protect ePHI from improper alteration/destruction
– Mechanism to authenticate ePHI (A): Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
35.
Technical Safeguards: Person or Entity Authentication (164.312(d))
• Implement procedures to ensure the validity of a person or vendor seeking access is the one claimed
• No implementation specifications
• Required
36.
Technical Safeguards: Transmission Security (164.312(e)(1))
• Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network
– Integrity controls (A): Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until disposed of
– Encryption (A): Implement a mechanism to encrypt ePHI when deemed appropriate
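As an added example, not code from the presentation or from AHIMA, here is a small Python model of three of the technical safeguards above: an HMAC tag as the mechanism to corroborate that ePHI has not been altered (Integrity and the transmission Integrity controls), an inactivity timeout for Automatic logoff, and an audit record for every access attempt tied to a Unique user identification. The key, timeout, user id, and record fields are constructed values for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed demo key: in a real system this would come from a key manager.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
# Automatic logoff (A): end the session after this many seconds of inactivity.
INACTIVITY_LIMIT_SECONDS = 900


def seal(record: dict) -> dict:
    """Integrity (164.312(c)(1)): attach an HMAC tag so unauthorized alteration is detectable."""
    body = json.dumps(record, sort_keys=True).encode()
    tag = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time; False means the record was altered."""
    body = json.dumps(sealed["record"], sort_keys=True).encode()
    expected = hmac.new(INTEGRITY_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


@dataclass
class Session:
    user_id: str                 # Unique user identification (R)
    last_activity: float         # seconds; the caller supplies the clock so it is testable
    audit_log: list = field(default_factory=list)

    def _audit(self, action: str, result: str, now: float) -> None:
        # Audit controls (164.312(b)): every attempt is recorded, allowed or denied.
        self.audit_log.append({"user": self.user_id, "action": action, "result": result, "at": now})

    def access(self, sealed: dict, action: str, now: float) -> Optional[dict]:
        """Return the record if the session is live and the tag verifies, otherwise None."""
        if now - self.last_activity > INACTIVITY_LIMIT_SECONDS:
            self._audit(action, "denied-session-expired", now)
            return None
        self.last_activity = now
        if not verify(sealed):
            self._audit(action, "denied-integrity-failure", now)
            return None
        self._audit(action, "ok", now)
        return sealed["record"]
```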
37.
HIPAA Security Rule Standards
• Organizational Requirements (164.314)
– Business associate contracts or other arrangements
– Group health plans
38.
Organizational Requirements: Business associate contracts or other arrangements (164.314(a)(1))
– Business associate contracts (R): Contract must provide for BA compliance and ensure subcontractors that create, receive, maintain, or transmit ePHI on behalf of BA agree to comply by entering into a contract or arrangement; must report to covered entity any security incident of which it becomes aware, including breaches of unsecured PHI
– Other arrangements (R): Covered entity is in compliance if it has another arrangement that meets requirements of 164.504(e)(3)
– Business associate contracts with subcontractors (R): Requirements between a covered entity and BA also apply to the contract or arrangement between a BA and a subcontractor
39.
Organizational Requirements: Group health plans (164.314(b)(1))
• Requires plan sponsor to reasonably and appropriately safeguard the confidentiality, integrity, and availability of ePHI
– Plan document (R): Group health plan documents must require sponsor to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits on behalf of the group plan; separation of ePHI is supported by security measures; ensure that any agent to whom it provides information agrees to implement security measures to protect information and report to the health plan any security incident of which it is aware
40.
HIPAA Security Rule Standards
• Policies, procedures, and documentation (164.316)
– Policies and procedures
– Documentation
41.
Policies, Procedures, and Documentation: Policies and Procedures (164.316(a))
• Implement policies and procedures to comply with the standards, implementation specifications, and other requirements
• Policies and procedures may be changed at any time, as long as the changes are documented and implemented
42.
Policies, Procedures, and Documentation: Documentation (164.316(b))
• Requires maintenance of policies and procedures implemented to comply with the security rule in written form
– Time limit (R): Retain documentation for 6 years from date of creation or when it was last in effect, whichever is later
– Availability (R): Make documentation available to those responsible for implementing policies and procedures
– Updates (R): Review documentation periodically and update as needed
43.
HIPAA Security Rule: Security Officer Designation
• Required per an implementation specification in the administrative safeguards standards
• Individual must be assigned to be responsible for overseeing information security program
• Title of security officer or chief security officer
– May comprise 100% or a portion of individual’s duties
– Depends on the size of the organization and extent of health information technology used
44.
HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• HITECH established four violation categories
– Nature and extent of both the violation and the harm are considered
– Maximum of $1.5 million for all identical violations within one calendar year
– Penalties mandatory in all except the lowest (unknowing) category of violations
45.
HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• Penalty process
– Begins with complaint (although random audits have been phased in per HITECH)
– If investigation concludes non-compliance:
• Goal of voluntary compliance; otherwise, corrective action or resolution agreement
• Non-cooperation may result in civil monetary penalties
• If deemed a potentially criminal action, case may be referred to US Department of Justice
46.
HIPAA Security Rule: Enforcement and Penalties for Non-Compliance
• Tiers of violations/penalties
– Unknowing violations: $100–$50,000/violation
– Due to reasonable cause (and not willful neglect): $1,000–$50,000/violation
– Due to willful neglect and corrected within 30 days of discovery: $10,000–$50,000/violation
– Due to willful neglect and not corrected as required: $50,000+/violation
• Cap of $1.5 million for each violation category
47.
Disaster planning
• Part of administration and physical safeguards
• Should be part of the BA and CE risk assessment