HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy
Overview • HIPAA - Health Insurance Portability and Accountability Act of 1996 • Why Security? • Focus on Security rule vs. Privacy rule • Security rule applies only to EPHI, while the Privacy rule applies to PHI which may be in electronic, oral, and paper form. • Privacy is the “Who, What, and When” and Security is the “How”
Who Oversees HIPAA? The U.S. Department of Health & Human Services The Centers for Medicare and Medicaid Services Oversees: • Transactions and Code Sets • Standard Unique Identifiers • Security Contact info: • http://www.cms.hhs.gov/hipaa/hipaa2/ • AskHIPAA@cms.hhs.gov • 1-866-282-0659 • The Office for Civil Rights Oversees: • Privacy • Contact info: • http://www.hhs.gov/ocr/hipaa/ • OCRPrivacy@hhs.gov • 1-866-627-7748
Goals Of Security Rule • Confidentiality • EPHI is accessible only by authorized people and processes • Integrity • EPHI is not altered or destroyed in an unauthorized manner • Availability • EPHI can be accessed as needed by an authorized person
Parts of the Security Rule • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Organizational Requirements • Policies & Procedures & Documentation Requirements
Security Rule • The rule is technology neutral • The rule does not prescribe the use of specific technologies, so that the health care community will not be bound by specific systems and/or software that may become obsolete • The security rule is based on the fundamental concepts of flexibility, scalability and technology neutrality.
Security Standards • Administrative Safeguards: • Administrative functions that should be implemented to meet the security standards • Physical Safeguards: • Mechanisms required to protect electronic systems, equipment and the data they hold, from threats, environmental hazards and unauthorized intrusion. • Technical Safeguards: • The automated processes used to protect data and control access to data
Technical Safeguards • Main parts: • Access Control • Audit Control • Integrity • Person or Entity Authentication • Transmission Security
Access Control • “The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource” • Access controls should enable authorized users to access minimum necessary information needed to perform job functions.
4 implementation specifications associated with Access Controls: • Unique user identification (required) • Emergency access procedure (required) • Automatic logoff (addressable) • Encryption and decryption (addressable)
Audit Controls: • “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.” • Useful to determine if a security violation occurred • The security rule does not identify data that must be gathered by the audit controls or how often the audit reports should be reviewed (no implementation specifications)
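The Access Control and Audit Controls standards above can be shown together in one small, added example (not from the original deck or from Pro Pharma): each user has a unique identifier, a role-based minimum-necessary policy limits which EPHI fields are returned, an emergency access override always returns the full record but is recorded for later review, and every attempt, including denials, lands in the audit log. Roles, field names and the patient record are constructed for illustration.

```python
import time
from dataclasses import dataclass, field

# Minimum-necessary policy: which EPHI fields each role may read.
# Roles and fields are constructed for this example, not taken from the rule.
MINIMUM_NECESSARY = {
    "pharmacist": {"name", "dob", "medications", "allergies"},
    "billing": {"name", "insurance_id"},
}

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, user_id, action, record_id, outcome, fields=()):
        # Audit control: every access attempt is recorded, denials included.
        self.entries.append({"ts": time.time(), "user": user_id, "action": action,
                             "record": record_id, "outcome": outcome,
                             "fields": sorted(fields)})

def read_ephi(record, record_id, user_id, role, audit, emergency=False):
    """Return only the fields this role may see (minimum necessary).
    Emergency access is an all-fields override that is always logged."""
    if emergency:
        audit.record(user_id, "emergency_access", record_id, "granted", record.keys())
        return dict(record)
    allowed = MINIMUM_NECESSARY.get(role)
    if allowed is None:
        audit.record(user_id, "read", record_id, "denied")
        raise PermissionError(f"role {role!r} has no EPHI access")
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user_id, "read", record_id, "granted", view.keys())
    return view

def session_expired(last_activity, now, idle_limit_seconds=900):
    # Automatic logoff: a session idle longer than the limit must end.
    return now - last_activity > idle_limit_seconds

def review_emergency_access(audit):
    # The "examine" half of audit controls: pull override events for human review.
    return [e for e in audit.entries if e["action"] == "emergency_access"]

if __name__ == "__main__":
    # Constructed sample patient record (not real data).
    sample = {"name": "Pat Example", "dob": "1970-01-01",
              "medications": ["drug A"], "allergies": [], "insurance_id": "INS-0000"}
    log = AuditLog()
    print(read_ephi(sample, "R1", "u-billing-01", "billing", log))
    print(read_ephi(sample, "R1", "u-rn-07", "nurse", log, emergency=True))
    print(review_emergency_access(log))
```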
Integrity • “The property that data or information have not been altered or destroyed in an unauthorized manner” • The integrity of data can be compromised by both technical and non-technical sources • Implementation specification: • Implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. (addressable)
Person or Entity Authentication • “Implement procedures to verify that a person or entity seeking access to EPHI is the one claimed” • Ways to provide proof of identity: • Require something known only to that individual (password or PIN) • Require smart card, token, or a key • Require a biometric (fingerprint, voice pattern, facial pattern, iris pattern)
Transmission Security • “Implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network” • This standard has 2 implementation specifications: • Integrity Controls (addressable) • Encryption (addressable)
Implementation Specifications • Integrity Controls: • Integrity in this context is focused on making sure that EPHI is not improperly modified during transmission • Primarily through the use of network communications protocols • Data message authentication codes • Encryption: • “Implement a mechanism to encrypt EPHI whenever deemed appropriate”
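As an added example of the "data message authentication codes" integrity control (serving both the Integrity standard and the Transmission Security specification above; it is not code from the original deck), the sender attaches an HMAC-SHA256 tag over a canonical encoding of the EPHI message and the receiver verifies it with a constant-time comparison before processing. The key and the patient message are constructed for illustration; the tag proves integrity and origin only, so confidentiality still needs the separate Encryption specification (for example a TLS channel).

```python
import hashlib
import hmac
import json
import secrets

def canonical(ephi: dict) -> bytes:
    # Sort keys and strip whitespace so sender and receiver hash identical bytes.
    return json.dumps(ephi, sort_keys=True, separators=(",", ":")).encode()

def seal(key: bytes, ephi: dict) -> dict:
    """Sender side: attach a message authentication code to the EPHI payload."""
    body = canonical(ephi)
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}

def open_sealed(key: bytes, msg: dict):
    """Receiver side: return the EPHI only if the tag verifies, else None."""
    expected = hmac.new(key, msg["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    if not hmac.compare_digest(expected, msg["tag"]):
        return None  # integrity failure: discard, never process
    return json.loads(msg["body"])

def tamper_is_detected(key: bytes) -> bool:
    # Demonstration: an in-transit change to the dose must be rejected.
    original = {"patient_id": "P-EXAMPLE-1", "drug": "drug A", "dose_mg": 5}
    msg = seal(key, original)
    altered = json.loads(msg["body"])
    altered["dose_mg"] = 50                      # attacker or line noise flips a digit
    msg["body"] = canonical(altered).decode()    # tag no longer matches
    return open_sealed(key, msg) is None

if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)   # constructed; real keys come from key management
    print("tamper detected:", tamper_is_detected(shared_key))
```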
Pro Pharma Implementation • All hard drives can only be accessed by individuals with proper clearance by Pro Pharma • All employees have a unique user name and password • All employees are required to lock their station whenever they get up • Content filters allow Pro Pharma management to screen all incoming and outgoing e-mails for possible threats • Full virus protection is installed on every workstation • Network browsing is routed to a system that checks for threats • No employee has administrative rights to their local machine • No employees have domain administrative rights on the Pro Pharma domain • Every workstation is attached to a UPS power supply to protect from power failure or power surge
In Summary • Security rules are in place to enhance health information sharing and to protect patients • The Security rule technical safeguards are the technology related policies and procedures that protect EPHI and control access to it • Be cognizant of PHI, and follow Pro Pharma protocols
The Bright Side • Knock, knock. Who’s there? HIPAA. HIPAA who? Sorry, I’m not allowed to disclose that information.