2013
Importance of Privacy and
Security
Access from anywhere
HIPAA
Health Insurance Portability and
Accountability Act (HIPAA) of 1996
o Title II: Fraud and Abuse/Administrative
Simplification
Administrative Simplification
Purpose
Improve efficiency and effectiveness of
business processes of healthcare by
standardizing the electronic data
interchange of administrative and financial
transactions
Protect privacy and security of protected
health information
Reduce cost of doing business in
healthcare
Protected Health Information
Individually identifiable health
information that covered entities or
their business associates transmit or
maintain in any form or format
Sections of HIPAA Impacting HIM
Privacy rule
Security rule
Transactions and code sets
Definition of Privacy
Right of patient to control disclosure of
personal information
Definition of Security
Two definitions
o Means to control access from accidental or
intentional disclosure to unauthorized
persons and from unauthorized alteration,
destruction or loss
o Physical protection of facilities and
equipment from theft, damage, or
unauthorized access; collectively, the policies,
procedures, and safeguards, designed to
protect confidentiality of information,
maintain the integrity and availability of
information systems, and control access to
the content of these systems
Covered Entity
A health plan, a healthcare
clearinghouse, or a healthcare
provider who transmits any health
information in electronic form for one
of the covered transactions
Covered Transactions
Health plan premium payments
Enrollment or disenrollment in a health
plan
Eligibility
Referral certification and authorization
Claims
Payment and remittance advice
Covered Transactions
Claim status
Coordination of benefits
Health claims attachment
First report of injury
American Recovery and
Reinvestment Act
Increased privacy and security
restrictions
Health Information Technology for
Economic and Clinical Health (HITECH)
Act
Transaction and Code Sets
Standardizes electronic transactions
Development and maintenance is
responsibility of designated standard
maintenance organizations
Designated Standard
Maintenance Organizations
Accredited Standards Committee
(ASC) X12
Dental Contact Committee of the
American Dental Association
Health Level 7 (HL7)
National Council for Prescription Drug
Programs
National Uniform Billing Committee
National Uniform Claim Committee
Electronic Data Interchange
Transfer of data from one point to
another without human intervention
ASC X12
Claims, encounters, and coordination of
benefits (837)
Remittance advice (835)
Eligibility inquiry and response (270/271)
Precertification and referral authorization
(278)
Enrollment in a health plan (834)
Premium payment (820)
Code Sets and Standards
Designated code sets
o Set of codes used to encode data
elements
Official code sets
o ICD-10-CM
o CPT-4
o HCPCS
o CDT-2
o NDC
Privacy Rule
Controls how covered entities may use
PHI
PHI includes that maintained by
covered entity or business associate
Business Associate
Individuals or organizations who
perform work on behalf of the covered
entity that requires access to PHI
Examples
o Coding
o Release of information
o Billing
PHI Identifiers
Name
Postal address information other than
town or city, state, and zip code
Telephone numbers
Fax numbers
Electronic mail addresses
Social security numbers
PHI Identifiers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers,
including license plate numbers
Device identifiers and serial numbers
PHI Identifiers
Web universal resource locators
Internet protocol (IP) address numbers
Biometric identifiers, including finger
and voice prints
Full-face photographic images and any
comparable images
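The identifier classes on the three PHI Identifiers slides are what a release-of-information review or a data-loss-prevention check has to recognise before a document leaves the covered entity. The Python below is an added example, not part of the original slides, that scans a constructed clinical note for the classes that have a machine-recognisable shape (social security number, telephone/fax number, e-mail address, URL, IP address) and redacts them. The sample note, the regular expressions, and the function names are assumptions made for this example; names, medical record numbers and the other free-form identifiers need a lookup against the patient index rather than a pattern and are not covered here.

```python
import re

# Constructed sample note with fake identifiers (not from the slides).
SAMPLE_NOTE = (
    "Patient John Q. Public, SSN 123-45-6789, phone (555) 010-2233, "
    "email jqpublic@example.com, seen via portal "
    "https://portal.example.org/visit/42 from 192.0.2.15."
)

# One pattern per identifier class that has a fixed textual shape.
# Names, MRNs, account numbers etc. have no fixed format and are
# better matched against the patient index; they are out of scope here.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "url": re.compile(r"\bhttps?://[^\s,]+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_identifiers(text):
    """Return (start, end, category, value) for every hit, ordered by position."""
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), category, m.group()))
    hits.sort()
    return hits


def redact(text):
    """Replace each identifier with a [CATEGORY] marker.

    Hits are applied right-to-left so earlier offsets stay valid while
    the string shrinks or grows.
    """
    out = text
    for start, end, category, _ in reversed(find_identifiers(text)):
        out = out[:start] + f"[{category.upper()}]" + out[end:]
    return out


if __name__ == "__main__":
    for start, end, category, value in find_identifiers(SAMPLE_NOTE):
        print(f"{category:6} at {start:3}: {value}")
    print(redact(SAMPLE_NOTE))
```

Run as a script it lists each hit and prints the redacted note; as a module, `find_identifiers` can be called from a release-of-information workflow to decide whether a document needs manual review before disclosure.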
Privacy: Patient Rights
Right to inspect and copy their
protected health information and
records of most disclosures
Right to request amendment or
correction
Request for accounting of disclosure
Privacy: Patient Rights
Right to be contacted at an alternate
location
Right to request restrictions on uses
and disclosures
Right to file complaint about violations
to plan or provider and to DHHS
Privacy Rule
Defines when disclosure is permitted
with and without authorizations
Treatment, payment, and healthcare
operations (TPO)
Security Rule
Electronic protected health
information
o PHI that is created, stored, or
transmitted by covered entities
Technology neutral and scalable
ARRA
Incentive payments for the
implementation of health information
technology
Breach notifications
Increased severity of penalties
Certification of electronic health
records
Business associates subject to privacy
and security regulations
Security Threats
Human error
Intentional activity
Natural disasters
Human Error
Cutting electricity to a building when
digging
Destroying the wrong disk
Entering the wrong configuration
setting
Intentional Activity
Intentional deletion
Intentional alteration
Infecting the information system with
viruses
Using data to steal a patient's identity
Natural Disasters
Floods, tornados, hurricanes, and other
natural disasters that
o Damage the facility or system
o Temporarily deny access
Safeguards
Administrative
Physical
Technical
Required standards
Addressable standards
Administrative Safeguards
Administrative actions used as part of
security measures to protect ePHI
which includes policies/procedures as
well as employees
Administrative Safeguards
Security management
Assigned security responsibility
Workforce security
Information access management
Security awareness and training
Security incident procedures
Contingency plan
Evaluation
Business associate contracts and other
arrangements
Business Associate Contracts
and Other Arrangements
Subject to security rule
Must protect ePHI
Business associate agreement
Organizational Requirements
Business associate agreements
Policies and procedures
o Retain for minimum of six years from
creation or last in effect
o Available to workforce
Review and update documentation
periodically
Assigned Security Responsibility
Develop goals and objectives
Determine how goals and objectives will
be met
Advise administration
Reporting process
Risk assessment
Risk acceptance
Develop and monitor security program
Workforce Security
Access to appropriate ePHI
Workforce clearance procedure
Termination process
Risk Management
Assess and reduce risk
Ongoing process
Develop plan
Sanction policy
Information system activity review
Risk Analysis
Threats
Vulnerability
Security Awareness and Training
Provided to all members of workforce
One size does not fit all
Covers
o Security policies
o Physical and workstation security
o Password management
o Importance of logging out
Security Awareness and Training
Ongoing training
Documentation retained for six years
o Sign-in sheet
o Handouts
o Email messages
o Training database
Contingency Planning and
Business Continuity Planning
How facility acts when information
system is down
Redundancy
Business continuity plan
Data Recovery
Recovers lost data
Evaluation of Security Plan
Ongoing monitoring and evaluation
Technical and nontechnical processes
Technical Safeguards
Use of technology to protect ePHI
Categories
o Access control
o Audit controls
o Integrity
o Person or entity authentication
o Transmission security
Audit Controls
Holds individual users responsible for
actions
Used to identify cause of problem, the
extent of the problem, and the way to
restore the system
Uses real-time monitoring to identify
breaches, technical problems, and
security issues
Watch for intrusions into the system
Audit Controls
Audit trails
Triggers
o Examples
User has same last name as patient
Patient is public figure
Sensitive diagnoses
Not involved in care
Audit reduction tools
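The trigger examples above (user shares the patient's last name, patient is a public figure, sensitive diagnosis, user not involved in care) are the rules an audit reduction tool applies to shrink a full access log down to the records a privacy officer needs to look at. The Python below is an added example, not code from the slides, that runs those four rules over a constructed audit trail and a constructed patient index. The log format, the patient and user records, and the function names are invented for this example.

```python
# Constructed patient index (hypothetical; a real system would query the
# EHR's patient and care-team tables).
PATIENTS = {
    "P001": {"last": "Nguyen", "public_figure": False, "sensitive": False,
             "care_team": {"rnlee", "drpatel"}},
    "P002": {"last": "Lee", "public_figure": False, "sensitive": False,
             "care_team": {"drpatel"}},
    "P003": {"last": "Okafor", "public_figure": True, "sensitive": False,
             "care_team": {"drpatel"}},
    "P004": {"last": "Garcia", "public_figure": False, "sensitive": True,
             "care_team": {"rnlee"}},
}

# Constructed workforce directory: user id -> last name.
USERS = {"rnlee": "Lee", "drpatel": "Patel", "clerk7": "Garcia"}

# Constructed audit-trail lines: timestamp, user id, patient id, action.
AUDIT_LOG = [
    "2024-03-01T09:00 rnlee P001 VIEW",     # routine access by care team
    "2024-03-01T09:05 rnlee P002 VIEW",     # same last name, not on care team
    "2024-03-01T09:10 drpatel P003 VIEW",   # public figure (on care team)
    "2024-03-01T09:15 clerk7 P004 VIEW",    # sensitive dx, same name, not on care team
    "2024-03-01T09:20 drpatel P004 PRINT",  # sensitive dx, not on care team
]


def triggers_for(user, patient_id):
    """Return the list of trigger rules an access matches (empty if none)."""
    patient = PATIENTS[patient_id]
    reasons = []
    if USERS[user].lower() == patient["last"].lower():
        reasons.append("same last name as patient")
    if patient["public_figure"]:
        reasons.append("patient is public figure")
    if patient["sensitive"]:
        reasons.append("sensitive diagnosis")
    if user not in patient["care_team"]:
        reasons.append("not involved in care")
    return reasons


def review_audit_log(lines):
    """Audit reduction: keep only accesses that fire at least one trigger."""
    flagged = []
    for line in lines:
        timestamp, user, patient_id, action = line.split()
        reasons = triggers_for(user, patient_id)
        if reasons:
            flagged.append((timestamp, user, patient_id, action, reasons))
    return flagged


if __name__ == "__main__":
    for timestamp, user, patient_id, action, reasons in review_audit_log(AUDIT_LOG):
        print(f"{timestamp} {user} {action} {patient_id}: {'; '.join(reasons)}")
```

The care-team check is the one that does most of the work in practice: a trigger that fires only on name matches or VIP flags misses the ordinary case of a workforce member browsing a chart they have no treatment, payment or operations reason to open.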
Integrity
Confirm integrity of data passed across
network
Checksum validation
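Checksum validation of a record passed across the network, as an added example that is not from the original slides. It shows a plain SHA-256 checksum catching an accidental change, why a plain checksum cannot catch deliberate alteration (whoever changes the payload can recompute it), and the keyed HMAC that closes that gap. The remittance-style record, the placeholder key, and the function names are assumptions made for this example.

```python
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption in transit."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def tag(data: bytes, key: bytes) -> str:
    """Keyed HMAC-SHA256: detects alteration by anyone without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected: str) -> bool:
    # compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(tag(data, key), expected)


# Constructed sample: a remittance-style record and a version whose amount
# has been changed (fake values, not a real 835 segment).
RECORD = b"CLM*0001*PAID*1250.00"
TAMPERED = b"CLM*0001*PAID*9250.00"
# Placeholder key; in practice agreed with the trading partner out of band.
KEY = b"placeholder-shared-secret"


def demo():
    """Return the outcome of each check; every value should be True."""
    cs = checksum(RECORD)
    original_tag = tag(RECORD, KEY)
    return {
        "checksum_accepts_original": verify_checksum(RECORD, cs),
        "checksum_rejects_tampered": not verify_checksum(TAMPERED, cs),
        # Anyone who can alter the payload can also ship a fresh checksum:
        "checksum_forgeable": verify_checksum(TAMPERED, checksum(TAMPERED)),
        "hmac_accepts_original": verify_tag(RECORD, KEY, original_tag),
        "hmac_rejects_tampered": not verify_tag(TAMPERED, KEY, original_tag),
        # Without the key the sender-side tag cannot be recomputed:
        "hmac_rejects_wrong_key": not verify_tag(RECORD, b"other-key", original_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28} {ok}")
```

A transport that already provides integrity (TLS between the two points) covers the in-flight case; the keyed tag is still useful when the record is stored or relayed through an intermediary before it is consumed.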
Person or Entity Authentication
Something the individual knows, such
as a password or personal
identification number
Something the individual has, such as
a smart card or token
Something unique to the individual,
such as biometrics
Transmission Security
Protect ePHI during transmission
between two points
Network security
Firewalls
Intrusion detection and response
Data Security
Data must be protected against:
o Loss
o Destruction
o Tampering
o Inappropriate alteration
Information Classification
Example 1
o Clinical
o Administrative
o Financial
Example 2
o Level of security required
Access Control Systems and
Methodology
Access controls
Unique user identifier
Emergency access procedure
Passwords
Tokens
Biometrics
Telephone callback
Methods of Authentication
One-factor authentication
o Passwords
o Username
Methods of Authentication
Two-factor authentication
o Two types of authentication
o Options include
Tokens
Biometrics
Telephone callback procedures
Password Rules
Do not use passwords that are easily
guessed, such as a child's name
Passwords should have 7 or more
characters
Passwords should have 2 or more types of
characters
Passwords should be changed periodically
Password Rules
Passwords should not be shared with
anyone
Passwords should not be written down
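The rules on the two Password Rules slides that a system can check at the moment a password is chosen (length, character types, easily guessed values such as a family member's name) in code. This is an added example, not from the original slides; the thresholds come from the slides, while the per-user guessable-word list, the minimum length of a word worth checking, and the function names are assumptions made here.

```python
import string


def char_classes(password: str) -> set:
    """Which of the four character types the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def check_password(password: str, user_context=(), min_length: int = 7,
                   min_classes: int = 2) -> list:
    """Return the rule violations (empty list means the password is acceptable).

    user_context holds words that are easily guessed for this particular
    user: user id, family names, pet names, date of birth fragments.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"fewer than {min_length} characters")
    if len(char_classes(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character types")
    lowered = password.lower()
    for word in user_context:
        # Assumed cut-off: ignore context words shorter than 3 characters,
        # which would match almost anything.
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains easily guessed value '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed examples: a user whose child is named Emma.
    for candidate in ["emma2013", "abc", "Tr0ub4dor&3"]:
        verdict = check_password(candidate, user_context=["rnlee", "Emma"])
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

The context list is what turns the "easily guessed" rule from advice into a check; the other two slide rules (do not share, do not write down) are behavioural and belong in awareness training rather than in code.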
Problem with Password
Users have multiple passwords
Single sign-on
Types of Accessibility
Role-based
User-based
Context-based
Access Control Systems and
Methodology
Encryption
o Symmetric
o Asymmetric
Malicious Software
Virus
Worms
Trojans
Bots
Spyware
Physical Safeguards
Protect information system and other
assets
Facility access controls
o Cardkeys
o Access codes
Workstation location and access
Workstation security
Security Incident Procedures
Attempted or successful unauthorized
access
Policies and procedures
Monitor trends
Forensics
Spoliation
Mitigation
Workstation Location and Use
Workstations include:
o Computers
o Handheld devices
o Other devices with ePHI
Policies and procedures
Property control tags
Contingency plan
Physical Safeguards
Device and media controls
o Degaussing
Mobile security
Fire and natural disasters
Security Incident
Examples
Former employee accessing ePHI
Virus attack that destroyed current files
Audit trail with evidence that someone
misused someone else's password
Physical break-in with ePHI copied or
stolen
PHI posted on the Internet from a web
portal
Security Events
Poor security practices
Examples
o Shared logon
o Password visible
o Monitor left logged on and unattended
Workstation Location and Use
Document maintenance
Protect data as well as device
o Automatic log-off
o Screen savers
o Privacy screens
Penalties
Civil
Prison
Certification
Certified in Healthcare Privacy and
Security (CHPS)
Certified Information Security
Manager (CISM)
Certified Information Systems
Security Professional (CISSP)