
Introduction to Computer Systems for Health Information Technology
Chapter 12: Privacy and Security

2013
Importance of Privacy and Security
Access from anywhere

HIPAA
Health Insurance Portability and Accountability Act (HIPAA) of 1996
o Title II: Fraud and Abuse/Administrative Simplification

Administrative Simplification
Purpose
Improve efficiency and effectiveness of the business processes of healthcare by standardizing the electronic data interchange of administrative and financial transactions
Protect privacy and security of protected health information
Reduce cost of doing business in healthcare

Protected Health Information
Individually identifiable health information that covered entities or their business associates transmit or maintain in any form or format

Sections of HIPAA Impacting HIM
Privacy rule
Security rule
Transactions and code sets

Definition of Privacy
Right of the patient to control disclosure of personal information

Definition of Security
Two definitions
o Means to control access from accidental or intentional disclosure to unauthorized persons and from unauthorized alteration, destruction or loss
o Physical protection of facilities and equipment from theft, damage, or unauthorized access; collectively, the policies, procedures, and safeguards designed to protect confidentiality of information, maintain the integrity and availability of information systems, and control access to the content of these systems

Covered Entity
A health plan, a healthcare clearinghouse, or a healthcare provider who transmits any health information in electronic form for one of the covered transactions

Covered Transactions
Health plan premium payments
Enrollment or disenrollment in a health plan
Eligibility
Referral certification and authorization
Claims
Payment and remittance advice
Claim status
Coordination of benefits
Health claims attachment
First report of injury

American Recovery and Reinvestment Act
Increased privacy and security restrictions
Health Information Technology for Economic and Clinical Health (HITECH) Act

Transaction and Code Sets
Standardizes electronic transactions
Development and maintenance is the responsibility of designated standard maintenance organizations

Designated Standard Maintenance Organizations
Accredited Standards Committee (ASC) X12
Dental Content Committee of the American Dental Association
Health Level 7 (HL7)
National Council for Prescription Drug Programs
National Uniform Billing Committee
National Uniform Claim Committee

Electronic Data Interchange
Transfer of data from one point to another without human intervention

ASC X12
Claims, encounters, and coordination of benefits: 837
Remittance advice: 835
Eligibility inquiry and response: 270/271
Precertification and referral authorization: 278
Enrollment in a health plan: 834
Premium payment: 820

Code Sets and Standards
Designated code sets
o Set of codes used to encode data elements
Official code sets
o ICD-10-CM
o CPT-4
o HCPCS
o CDT-2
o NDC

Privacy Rule
Controls how covered entities may use PHI
PHI includes that maintained by a covered entity or business associate

Business Associate
Individuals or organizations who perform work on behalf of the covered entity that requires access to PHI
Examples
o Coding
o Release of information
o Billing

PHI Identifiers
Name
Postal address information other than town or city, state, and zip code
Telephone numbers
Fax numbers
Electronic mail addresses
Social security numbers
Medical record numbers
Health plan beneficiary numbers
Account numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web universal resource locators
Internet protocol (IP) address numbers
Biometric identifiers, including finger and voice prints
Full-face photographic images and any comparable images

Privacy: Patient Rights
Right to inspect and copy their protected health information and records of most disclosures
Right to request amendment or correction
Right to request an accounting of disclosures
Right to be contacted at an alternate location
Right to request restrictions on uses and disclosures
Right to file a complaint about violations with the plan or provider and with DHHS

Privacy Rule
Defines when disclosure is permitted with and without authorization
Treatment, payment, and healthcare operations (TPO)

Security Rule
Electronic protected health information
o PHI that is created, stored, or transmitted by covered entities
Technology neutral and scalable

ARRA
Incentive payments for the implementation of health information technology
Breach notifications
Increased severity of penalties
Certification of electronic health records
Business associates subject to privacy and security regulations

Security Threats
Human error
Intentional activity
Natural disasters

Human Error
Cutting electricity to a building when digging
Destroying the wrong disk
Entering the wrong configuration setting

Intentional Activity
Intentional deletion
Intentional alteration
Infecting the information system with viruses
Using data to steal a patient's identity

Natural Disasters
Floods, tornados, hurricanes, and other natural disasters that
o Damage the facility or system
o Temporarily deny access

Safeguards
Administrative
Physical
Technical
Required standards
Addressable standards

Administrative Safeguards
Administrative actions used as part of security measures to protect ePHI, which includes policies/procedures as well as employees

Administrative Safeguards
Security management
Assigned security responsibility
Workforce security
Information access management
Security awareness and training
Security incident procedures
Contingency plan
Evaluation
Business associate contracts and other arrangements

Business Associate Contracts and Other Arrangements
Subject to security rule
Must protect ePHI
Business associate agreement

Organizational Requirements
Business associate agreements
Policies and procedures
o Retain for a minimum of six years from creation or last in effect
o Available to workforce
Review and update documentation periodically

Assigned Security Responsibility
Develop goals and objectives
Determine how goals and objectives will be met
Advise administration
Reporting process
Risk assessment
Risk acceptance
Develop and monitor security program

Workforce Security
Access to appropriate ePHI
Workforce clearance procedure
Termination process

Risk Management
Assess and reduce risk
Ongoing process
Develop plan
Sanction policy
Information system activity review

Risk Analysis
Threats
Vulnerability

Security Awareness and Training
Provided to all members of the workforce
One size does not fit all
Covers
o Security policies
o Physical and workstation security
o Password management
o Importance of logging out
Ongoing training
Documentation retained for six years
o Sign-in sheet
o Handouts
o Email messages
o Training database

Contingency Planning and Business Continuity Planning
How the facility acts when the information system is down
Redundancy
Business continuity plan

Data Recovery
Recovers lost data

Evaluation of Security Plan
Ongoing monitoring and evaluation
Technical and nontechnical processes

Technical Safeguards
Use of technology to protect ePHI
Categories
o Access control
o Audit controls
o Integrity
o Person or entity authentication
o Transmission security

Audit Controls
Hold individual users responsible for their actions
Used to identify the cause of a problem, the extent of the problem, and the way to restore the system
Use real-time monitoring to identify breaches, technical problems, and security issues
Watch for intrusions into the system
Audit trails
Triggers
o Examples
  User has the same last name as the patient
  Patient is a public figure
  Sensitive diagnoses
  User not involved in the patient's care
Audit reduction tools

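
The trigger examples on these slides, written out as an added Python example (not from the slides): a small engine that evaluates the four trigger conditions over constructed access records from an audit trail and, as an audit-reduction step, keeps only the records that fire at least one trigger. The record fields, the care-team table and the sensitive-diagnosis codes are assumptions made for illustration.

```python
# Added example (not from the slides): a minimal audit-trail trigger engine
# over constructed ePHI access records. Field names, the care-team table and
# the sensitive-diagnosis codes are assumptions made for illustration.
from dataclasses import dataclass
SENSITIVE_DX = {"F10", "B20", "Z21"}  # constructed: codes the policy treats as sensitive

@dataclass(frozen=True)
class Patient:
    mrn: str
    last_name: str
    public_figure: bool
    diagnoses: frozenset
    care_team: frozenset  # user IDs of staff involved in this patient's care

@dataclass(frozen=True)
class Access:
    user_id: str
    user_last_name: str
    mrn: str

def audit_triggers(access: Access, patient: Patient) -> list:
    """Return the name of every trigger this access record fires."""
    reasons = []
    if access.user_last_name.casefold() == patient.last_name.casefold():
        reasons.append("same_last_name")
    if patient.public_figure:
        reasons.append("public_figure")
    if patient.diagnoses & SENSITIVE_DX:
        reasons.append("sensitive_diagnosis")
    if access.user_id not in patient.care_team:
        reasons.append("not_involved_in_care")
    return reasons

def review_queue(accesses, patients) -> list:
    """Audit reduction: keep only the records that fire at least one trigger."""
    flagged = []
    for a in accesses:
        reasons = audit_triggers(a, patients[a.mrn])
        if reasons:
            flagged.append((a.user_id, a.mrn, reasons))
    return flagged

# Constructed sample data: two patients and three accesses from the audit trail
PATIENTS = {
    "MRN001": Patient("MRN001", "Garcia", False, frozenset({"I10"}), frozenset({"u1", "u2"})),
    "MRN002": Patient("MRN002", "Lee", True, frozenset({"B20"}), frozenset({"u3"})),
}
ACCESSES = [
    Access("u1", "Nguyen", "MRN001"),  # routine access by the care team: no trigger
    Access("u2", "Garcia", "MRN001"),  # on the care team, but shares the patient's last name
    Access("u1", "Nguyen", "MRN002"),  # public figure, sensitive diagnosis, not on care team
]
```

A flagged record is a lead for a privacy officer to review, not proof of misuse; the same-last-name trigger in particular produces legitimate hits.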
Integrity
Confirm the integrity of data passed across the network
Checksum validation

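
Checksum validation for a record in transit, as an added Python example (not from the slides). It attaches and verifies both a plain SHA-256 checksum and a keyed HMAC-SHA256 tag: the plain checksum catches accidental corruption in transit, while the keyed tag also detects deliberate modification by a party that does not hold the shared key. The record layout (JSON body, newline, hex tag) and the shared key are assumptions made up for this example.

```python
# Added example (not from the slides): integrity check for an ePHI record sent
# across a network. The record layout (JSON body + hex tag on its own line)
# and the shared key are assumptions made up for illustration.
import hashlib
import hmac
import json

SHARED_KEY = b"constructed-demo-key-not-for-production"

def attach_checksum(record: dict) -> bytes:
    """Serialize the record and append a plain SHA-256 checksum line."""
    body = json.dumps(record, sort_keys=True).encode()
    return body + b"\n" + hashlib.sha256(body).hexdigest().encode()

def attach_mac(record: dict, key: bytes = SHARED_KEY) -> bytes:
    """Like attach_checksum, but the tag is keyed (HMAC-SHA256)."""
    body = json.dumps(record, sort_keys=True).encode()
    return body + b"\n" + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def verify_checksum(message: bytes) -> bool:
    """True if the body still matches its unkeyed checksum."""
    body, _, tag = message.rpartition(b"\n")
    return hmac.compare_digest(hashlib.sha256(body).hexdigest().encode(), tag)

def verify_mac(message: bytes, key: bytes = SHARED_KEY) -> bool:
    """True if the body still matches its keyed tag under this key."""
    body, _, tag = message.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return hmac.compare_digest(expected, tag)

def corrupt(message: bytes) -> bytes:
    """Simulate a single-bit error in transit: flip one bit of the first body byte."""
    return bytes([message[0] ^ 0x01]) + message[1:]

# Constructed sample record
SAMPLE_RECORD = {"mrn": "MRN001", "dx": "I10", "encounter": "2013-05-01"}
```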
Person or Entity Authentication
Something the individual knows, such as a password or personal identification number
Something the individual has, such as a smart card or token
Something unique to the individual, such as biometrics

Transmission Security
Protect ePHI during transmission between two points
Network security
Firewalls
Intrusion detection and response

Data Security
Data must be protected against:
o Loss
o Destruction
o Tampering
o Inappropriate alteration

Information Classification
Example 1
o Clinical
o Administrative
o Financial
Example 2
o Level of security required

Access Control Systems and Methodology
Access controls
Unique user identifier
Emergency access procedure
Passwords
Tokens
Biometrics
Telephone callback

Methods of Authentication
One-factor authentication
o Passwords
o Username
Two-factor authentication
o Two types of authentication
o Options include
  Tokens
  Biometrics
  Telephone callback procedures

Password Rules
Do not use passwords that are easily guessed, such as a child's name
Passwords should have 7 or more characters
Passwords should have 2 or more types of characters
Passwords should be changed periodically
Passwords should not be shared with anyone
Passwords should not be written down

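
The password rules above as an added Python example (not from the slides): a checker that reports every rule a candidate password violates, covering the length rule, the character-type rule, the easily-guessed rule (a constructed word list plus names the user supplies, such as a child's name) and the rotation rule. The four character classes, the word list and the 90-day rotation period are assumptions; the slides only say "changed periodically".

```python
# Added example (not from the slides): a checker for the password rules on
# these slides. The character classes, the guessable-word list and the 90-day
# rotation period are assumptions; the slides say only "changed periodically".
import string
from datetime import date

CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Constructed list of words that are easily guessed in a healthcare setting
EASILY_GUESSED = {"password", "welcome", "hospital", "letmein"}

def character_classes(password: str) -> set:
    """Return the names of the character types present in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def check_password(password: str, personal_names=(), last_changed=None,
                   today=None, max_age_days=90) -> list:
    """Return the list of rule violations; an empty list means the password passes."""
    violations = []
    if len(password) < 7:
        violations.append("fewer than 7 characters")
    if len(character_classes(password)) < 2:
        violations.append("fewer than 2 character types")
    # Easily guessed: a known weak word or a personal name (e.g. a child's name)
    lowered = password.casefold()
    guessable = EASILY_GUESSED | {n.casefold() for n in personal_names}
    if any(word and word in lowered for word in guessable):
        violations.append("contains an easily guessed word or name")
    # Changed periodically: compare the last change date against the rotation period
    if last_changed is not None:
        today = today or date.today()
        if (today - last_changed).days > max_age_days:
            violations.append("older than rotation period")
    return violations
```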
Problems with Passwords
Users have multiple passwords
Single sign-on

Types of Accessibility
Role-based
User-based
Context-based

Access Control Systems and Methodology
Encryption
o Symmetric
o Asymmetric

Malicious Software
Virus
Worms
Trojans
Bots
Spyware

Physical Safeguards
Protect the information system and other assets
Facility access controls
o Cardkeys
o Access codes
Workstation location and access
Workstation security

Security Incident Procedures
Attempted or successful unauthorized access
Policies and procedures
Monitor trends
Forensics
Spoliation
Mitigation

Workstation Location and Use
Workstations include:
o Computers
o Handheld devices
o Other devices with ePHI
Policies and procedures
Property control tags
Contingency plan

Physical Safeguards
Device and media controls
o Degaussing
Mobile security
Fire and natural disasters

Security Incident
Examples
Former employee accessing ePHI
Virus attack that destroyed current files
Audit trail with evidence that someone misused someone else's password
Physical break-in with ePHI copied or stolen
PHI posted on the Internet from a web portal

Security Events
Poor security practices
Examples
o Shared logon
o Password visible
o Monitor left logged on and unattended

Workstation Location and Use
Document maintenance
Protect the data as well as the device
o Automatic log-off
o Screen savers
o Privacy screens

Penalties
Civil
Prison

Certification
Certified in Healthcare Privacy and Security (CHPS)
Certified Information Security Manager (CISM)
Certified Information Systems Security Professional (CISSP)

