1. InfoSec Management and HIPAA

2. HIPAA
• Title I: protects health insurance for workers and their families when they lose or change jobs.
• Title II (InfoSec relevant): creates national standards for electronically transferred health care information.
• Title III: health plan tax adjustments.
• Title IV: group health plans.
• Title V: revenue offsets.

3. http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

4. Title II – What You Should Know
• HIPAA key terms and general rules
• When you can share patient information and when you cannot
• Patients' rights regarding their health information

5. HIPAA Key Terms
• Protected Health Information (PHI)
  – Patient health information created by or given to a medical practitioner
  – Medical information that identifies the patient in any format, i.e. verbal, written, or electronic
  – Includes: names, addresses, dates, phone numbers, email addresses, social security numbers, license numbers, full-face photos, etc.
    • Anything that identifies the patient

6. HIPAA Key Terms
• Covered Entities
  – Health care practitioners that hold electronic PHI
  – e.g. hospitals, family physicians, Blue Cross Blue Shield, Kaiser Permanente
  – Covered entities and anyone they share their data with are subject to HIPAA

7. HIPAA Key Terms
• TPO
• (T) Treatment: activities for patient care
• (P) Payment: monetary transactions for healthcare services
• (O) Operations: regular activities of a covered entity to perform healthcare functions

8. HIPAA Key Terms
• Business Associate
  – Third parties who have access to PHI
    • e.g. security software vendors creating a secure system for the healthcare practitioner
  – Business associates must sign an agreement acknowledging HIPAA compliance

9. HIPAA Key Terms
• Minimum Necessary Rule
  – PHI may only be accessed on an as-needed basis.
  – Only access enough PHI to complete the job at hand, and no more.

10. HIPAA Key Terms
• Notice of Privacy Practices (NPP):
  – Description of the ways the healthcare practitioner may use PHI without obtaining further patient authorization
  – Any time PHI is released for a reason other than TPO, further patient authorization is required

11. HIPAA Key Terms
• Use: internal use of PHI within the healthcare office
• Disclosure: external distribution of PHI within a larger healthcare system

12. HIPAA Key Terms
• Types of Disclosure
  1. No authorization required
     • Sharing PHI with other doctors for referrals
  2. No authorization required, but must provide an opportunity to object
     • Discussing PHI with family members in the room – the patient must be allowed the option of privacy
  3. Authorization required
     • Disclosing PHI for research

13. HIPAA Key Terms
• Incidental Disclosures:
  – Speaking to a patient in a two-bed hospital room and the second patient overhears the conversation
  – Visitors hear a patient's name called in the waiting room
  – Health practitioners should do their best to avoid these as much as possible by applying the minimum necessary rule

14. How to Violate HIPAA
• http://youtu.be/XyF40FZ0n5I

15. HIPAA Violations
• Covered entities and individuals are subject to violation penalties
• Up to $1.5 million fine per HIPAA violation per year
• Criminal fines up to $250,000 or up to 10 years in prison
• Is HIPAA enforced?
  – http://www.ama-assn.org/amednews/2012/04/30/bisd0502.htm

16. HIPAA Scenarios
1. If a doctor stores his patients' initials and medical notes on his iPhone, does the doctor's iPhone contain PHI?
2. As a doctor, are you allowed to email your patients' own medical information to their personal email accounts?
3. As a nurse, are you allowed to look up one of your patients' addresses to mail a get-well card?

17. HIPAA Scenario Answers
1. Yes, the iPhone now has PHI and must be treated with the same care as an entire patient medical file.
2. No, you are not allowed to send PHI to your patient's personal email account because you cannot assure that account is secure.
3. As a nurse you must abide by the minimum necessary rule, and sending a card is not necessary.

18. Ensure HIPAA Compliance
• Apply NIST Special Publication 800-66
  – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA)
  – http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

19. Assignment
• Imagine you're hired by a dentist's office to help transfer their operations from paper-file based to electronic-file based.
  – What sort of network system and security (physical and digital) would you recommend implementing?
  – Make sure to manage PHI correctly
  – Diagram the network
  – Write one single-spaced page explaining why it works