HIPAA Security: Putting the Pieces Together
People's Hospital

Security Rules ensure C.I.A.
Confidentiality: preventing disclosure of private information.
Integrity: ensuring health data has not been altered or misplaced.
Availability: ensuring information is accessible by authorized users.

3 Safeguards of the HIPAA Security Rules
Technical, Physical, Administrative

Technical
Access: granted based on job level and a "need to know"; password-protected access; monitor logins; audit access; mandate locking of computers.
Use auto logoffs.
Mandate no sharing of passwords and changing passwords every 3 months.
Electronic transmission of ePHI must be encrypted.

Technical cont.
Terminate access immediately should an employee leave.
Educate staff on strong password use.
Mandate that passwords be changed when compromised.
Educate staff on the consequences of inappropriate password use.

Physical
Protect hardware from theft and destruction.
Monitor access of staff and visitors into the hospital.
Restrict access to areas based on job roles.
Protect servers from physical damage and store them in an access-controlled area.
Prohibit network alterations.
Ensure disposal of paper data in shred boxes; electronic data must be destroyed before the media is shredded.

Administrative
Risk Analysis: perform an assessment of the risk to determine the necessary activities.
Policies and procedures to prevent, detect, contain and correct security violations.
Risk Management: measures to reduce risk, such as using virus protection and firewalls.

Administrative cont.
Sanctions: ensure staff are educated on the "0 tolerance" policy regarding infractions.
Information System Activity Review: run audits and reports regularly.
Security Awareness: ensure all staff are trained on security.
Backup data plans and disaster recovery plans will be implemented.

Administrative cont.
Mr. Joe Smith, the Information Security Officer, is responsible for policies and procedures.
Security Incident Reporting: identify violations and corrective actions.
Instruct staff that if an unauthorized disclosure occurs, they should report it promptly.

HIPAA is mandated by law.
All health care providers and their associates must comply.
All health care providers and their associates must be aware of the laws and the consequences of violations.
Ensure Compliance