Everything You Needed to Know About HIPAA Security You Learned as a Child!


Now that the ARRA and HITECH Acts hold business associates directly accountable for HIPAA compliance, you may find yourself needing some training materials for your staff. Here's an easy-to-read booklet on the basics of the HIPAA Security Rule. If you'd like help with more training materials, feel free to contact me. Have a HIPAA-Compliant Day!


Page 1: Everything You Wanted to Know About HIPAA Security You Learned as a Child!

Everything You Needed to Know About

HIPAA Security You Learned as a Child!

Written by Terri B. Stamm, Director Quality & Compliance, NovoLogix, Inc. ClipArt available at Microsoft Office ClipArt Gallery

© 2008


It’s amazing how many stories are in the news lately about security breaches in healthcare. Thousands of patient records are jeopardized because of stolen laptops, unauthorized access to restricted areas, and several other episodes of lack of common sense. The HIPAA Security Rule requires some basic safeguards for electronic protected health information, also referred to as e-PHI. As an employee, you play a critical role in the company’s security program. This training document provides an overview of the HIPAA Security Rule and explains how easy it really is for you to comply.

The Security Rule provides basic standards for protecting e-PHI and organizes these standards into three main categories:

1. Administrative Safeguards – policies, procedures, training, awareness, and preparedness.

2. Physical Safeguards – physical protection of e-PHI.

3. Technical Safeguards – technology-based practices for protecting e-PHI as it is stored or transmitted electronically.

You’ve probably read stories as a child that taught you everything you needed to know to comply with the HIPAA Security Rule. Let me explain.


ADMINISTRATIVE SAFEGUARDS

1. Security Management Process

a. Risk Analysis

b. Risk Management

This is a basic standard that we have been practicing since we were children. Remember what your mother always told you? “Look both ways before you cross the street.” Well, that is the fundamental basis of any risk assessment. Check for potential danger. What would you do if it was a busy street? Use the crosswalk. That’s risk management in a nutshell. For HIPAA Security, an organization is required to “look both ways before they cross the street.” Check for all the potential dangers that could jeopardize the integrity, confidentiality, and availability of e-PHI. Once the risks are identified, “use the crosswalk.” Implement policies, procedures, and systems that avoid, eliminate, or manage the risks that pose a threat to the security of e-PHI.

Remember, you never quit “looking both ways” because the risks never really go away, but rather change from time to time. Just as when you were a kid, it didn’t matter which street you planned to cross and who was with you; you always looked both ways before you crossed the street and chose the safest route, such as the crosswalk. Risk assessment might occur formally or organization-wide on an annual basis, but you should always be watching for potential hazards and threats. If you identify a potential risk, notify your supervisor and the Security Officer.


c. Sanction Policy

Remember the story of the three little kittens that lost their mittens? Well, that’s a sanctions policy. If you do something wrong, you won’t get any pie. Should you violate the company’s security policies and procedures, you will be disciplined, and the details of the sanctions policy are in your employee handbook. However, the company also applies the practice found in the rest of the storybook. When the kittens found their mittens, they were able to have some pie. The company recognizes employees that do the right thing and help correct identified deficiencies.

d. Information System Activity Review (Monitoring)

The HIPAA Security Rule requires monitoring of activity and access to PHI. Just like moms who watch their kids on the playground to ensure they are playing safely on the equipment and nicely with the other kids, IT monitors your activities at work and users’ activities as they access our various systems and networks. Many electronic records have their own audit logs to track exactly who did what and when.


2. Assigned Security Responsibility (Security Officer)

As children, we often participated in role playing activities. Whether it was Cowboys and Indians, Pirates, School, Camelot, etc., there was usually someone in charge – the Sheriff, the Captain, the Teacher, the King or Queen. They got to make the rules and were responsible for making sure everyone playing followed them. That’s the Security Officer. He/she is responsible for making sure everyone in the company knows the rules and follows them.

3. Workforce Security

a. Authorization and/or Supervision

To comply with this standard, a company simply needs to have an organizational structure in place that ensures supervision of employees accessing e-PHI. Similar to the need for parents to monitor what their kids watch on television or sites they visit on the Internet, supervisors must ensure their staff is acting in a safe and compliant manner with e-PHI.

b. Workforce Clearance Procedure


Employees need to have the correct level of access to do their jobs while the company sets appropriate restrictions to safeguard e-PHI. If an employee cannot access a file that is necessary to do their job, the company may meet one standard of protecting e-PHI, but has failed to meet this one because the employee does not have an appropriate access level. However, if the company does not restrict employees’ access to e-PHI appropriately, they are putting the information at risk. An easy way to comply with this standard is to create access levels based on one’s assigned job description/position in the company.
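The two ways this standard can fail are worth seeing side by side: a role that lacks a permission the job needs, and a role that carries permissions the job does not need. The following is an added illustration, not material from the booklet; the roles, permissions, and job descriptions are constructed, and a real organization would take them from its own position descriptions and access control system.

```python
"""Role-based access levels for e-PHI, keyed to job position.

Added example (not from the booklet). The roles, permission sets and job
requirements below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Permissions are (record_type, action) pairs granted to each role.
ROLE_PERMISSIONS = {
    "billing_clerk": {("claims", "read"), ("claims", "write")},
    # The nurse role has been given claims access the job does not call for.
    "nurse": {("chart", "read"), ("chart", "write"), ("claims", "read")},
    # The pharmacist role is missing an action the job requires.
    "pharmacist": {("chart", "read")},
    "it_support": {("audit_log", "read")},
}

# What each job actually needs, taken from its (constructed) job description.
JOB_REQUIREMENTS = {
    "billing_clerk": {("claims", "read"), ("claims", "write")},
    "nurse": {("chart", "read"), ("chart", "write")},
    "pharmacist": {("chart", "read"), ("orders", "write")},
    "it_support": {("audit_log", "read")},
}


def is_authorized(role: str, record_type: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return (record_type, action) in ROLE_PERMISSIONS.get(role, set())


@dataclass
class ClearanceReview:
    role: str
    missing: set = field(default_factory=set)  # job needs it, role lacks it
    excess: set = field(default_factory=set)   # role has it, job does not need it

    @property
    def compliant(self) -> bool:
        return not self.missing and not self.excess


def review_clearance(role: str) -> ClearanceReview:
    """Compare a role's granted permissions with its job description.

    'missing' is the failure the booklet describes (staff cannot do the job);
    'excess' is the other one (e-PHI exposed more widely than necessary).
    """
    granted = ROLE_PERMISSIONS.get(role, set())
    required = JOB_REQUIREMENTS.get(role, set())
    return ClearanceReview(role, required - granted, granted - required)


if __name__ == "__main__":
    for role in ROLE_PERMISSIONS:
        r = review_clearance(role)
        status = "OK" if r.compliant else f"missing={r.missing} excess={r.excess}"
        print(f"{role}: {status}")
```

Running the review over every role before each access-control change, and again after it, gives the Security Officer a concrete record that both halves of the standard were checked rather than only the "can they get in" half.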

c. Termination Procedure

Companies are required to have a procedure in place to terminate an employee’s access to e-PHI when the employee is no longer a member of the company.

4. Information Access Management

a. Access Authorization

b. Access Establishment and Modification

I remember my brother having a really cool tree house in the backyard. I wasn’t allowed to go up and play in the tree house because there was “No Girls Allowed.” He had a sign almost as big as the trunk of the tree hanging from a crooked branch just next to the ladder. To make sure I couldn’t get in, he would even take the ladder down and hide it when he and his friends weren’t there. Once I was allowed to go up in the tree house, but I couldn’t open any of the boxes or play any of the games they played because it was restricted to boys only.

This is access management – restricting access to e-PHI to authorized personnel only. Whether it was a tree house, clubhouse, diary, closet, or a locked drawer in your desk, you probably had some place you stored secret information and went to great lengths to make sure no one got a hold of it. The company is required to do the same thing with e-PHI. As an employee, you can help by making sure no one obtains unauthorized access to e-PHI. Protect your login information. Only give user accounts to authorized parties. When in doubt, seek guidance from your supervisor and the Security Officer.


5. Security Awareness and Training

a. Security Reminders

How many times did your mom tell you to wash your hands, look both ways before you cross the street, brush your teeth, don’t talk to strangers, etc.? She was trying to protect you from risks that could harm you or make you ill. Security reminders are the same thing. Whether it’s an article in the company newsletter, a poster on the employee bulletin board, an e-mail, or even training such as this document, security reminders are essential to ensure ongoing compliance with the company security program and continued protection of PHI.


b. Protection from Malicious Software

Many of us have a strange circular scar on our upper arm. Do you remember why? It is from your smallpox vaccine. We received shots throughout childhood to protect us from potentially life-threatening viruses. As adults, we continue to protect ourselves from these health hazards by getting a flu shot every year, Hepatitis B vaccine if our work environment increases our risk of exposure, and multiple vaccines if we are going overseas. Well, our IT department is doing the same thing to protect PHI stored in our system. They routinely update virus protection software and restrict access to potentially harmful Internet sites.

Remember the story of Snow White and the poison apple? Well, you can help protect the company from “poison apples” (malicious software) by avoiding potentially harmful sites, refraining from downloading any file or program unless approved by the Security Officer, and limiting the use of company computers and network access to only authorized activities as defined in the employee handbook and security policy.

c. Log-in Monitoring

d. Password Management

The HIPAA Security Rule requires that a company monitor login attempts, require periodic password changes, and report discrepancies to reduce unauthorized access to e-PHI. It also requires employees to protect their passwords so that unauthorized parties cannot use them to access the system. This reminds me of my brother’s “secret” tackle box. He had this tackle box to keep special things safe, such as baseball cards, my grandfather’s pocketknife and other things that are priceless to a 10-year-old boy. He had a combination lock on it and wouldn’t let anyone know the combination, not even my dad. To this day, I have no idea where he hid the combination. I tried several times to figure it out and open his treasure chest. If he caught me trying to break into his tackle box, he would tattle on me and tell my mom. Naturally, I would get punished (there’s that sanction policy again). If someone attempts to break into one of the company’s systems, IT will find out and take appropriate action. It is important that you protect your login and password information to prevent unauthorized access to e-PHI.

6. Security Incident Procedures

a. Response and Reporting

This was explained in the previous scenario, but it is important to remind everyone to report security incidents and work collaboratively with the Security Officer to respond to the incident, take appropriate action, and implement policies and procedures to prevent reoccurrence. My brother was successful at this by rigging his tackle box with a mouse trap. Needless to say, I never tried breaking into it again.

7. Contingency Plan

a. Data Backup Plan

You can’t tell a client “the dog ate my homework.” Simply put, make sure you have a plan to backup data so that it is retrievable, useable, and accessible to authorized parties.

b. Disaster Recovery Plan

Don’t be a Humpty Dumpty. Have a disaster recovery plan. Also, make sure that everyone knows what to do in the event of a disaster. If employees don’t know what actions are necessary to recover from a disaster, then they will be just like all the King’s horses and all the King’s men and do nothing but sit there looking at a mess.

c. Emergency Mode Operation Plan

Sometimes it takes time to recover from a disaster or other type of system outage. In the event you cannot restore everything to fully operational as quickly as you need to respond to customer needs, have a plan in place to continue servicing customers (internal and external). Such is the case in the story The Three Little Pigs. The first two were able to continue business by utilizing the third pig’s facilities temporarily.

d. Testing and Revision Procedures

Make sure your disaster recovery plan actually works. In the story, There Was an Old Lady Who Swallowed a Fly, she activated a disaster recovery plan that proved to be detrimental. However, in The Three Little Pigs, the first two pigs were able to actually recover from the Big Bad Wolf’s destruction because the third pig was prepared.

Test your disaster recovery plan regularly. Remember the song, There’s a Hole in the Bucket? Had Liza and Henry tested their plan once in a while, they would have been able to fix the hole and would have been able to continue business as usual.


e. Applications and Data Criticality Analysis

The HIPAA Security Rule requires a company to prioritize applications and data and have a plan to restore them in an order that meets the most critical needs of customers first.


8. Evaluation

Companies are required to perform periodic assessments of their security plans and their ability to comply with the HIPAA Security Rule then make adjustments as necessary. Children often have to take standardized tests in school to determine if they are able to complete the work at their assigned grade level. Adjustments to the child’s curriculum may be made based on the assessments completed. Some kids may have to go to summer school, while others may be placed in advanced classes. It is important to routinely evaluate how the company is doing in regards to security to prevent unnecessary breaches.

9. Business Associate Contracts and Other Arrangements

The HIPAA Security Rule requires organizations to have contracts in place that ensure business associates and vendors agree to comply with the standards, implementation specifications, and requirements of the HIPAA Security and Privacy Rules. We did the same thing as kids when we agreed to comply with the Boy Scout Oath or the Girl Scout Promise - we agreed to comply with the rules of the organization and laws that governed its operations. HIPAA requires that we get that same agreement from those handling e-PHI on the company’s behalf.


PHYSICAL SAFEGUARDS

1. Facility Access Controls

a. Contingency Operations

It is important to maintain security of the facility during emergency mode operations. Controlling facility access during emergency mode operations can vary significantly from normal processes.

b. Facility Security Plan

There is a great example of a poor facility security plan, and it can be found in the story The Three Little Bears. Goldilocks was able to waltz right into their home, eat their food, destroy their furniture, and get all the way up to their bedroom and crash before they even noticed. Hopefully, you are working with your company and the Security Officer to implement a more effective facility security plan.

c. Access Control and Validation Procedures

HIPAA requires organizations to implement policies and procedures to ensure only authorized personnel access the facility and areas of operation. In Little Red Riding Hood, Grandmother didn’t do a very good job of this and allowed the Wolf to enter her home; as a result the Wolf gobbled her up. Another example is the story The Three Billy Goats Gruff. Each goat was able to trick the troll and cross the bridge. Snow White paid a terrible price when she allowed the wicked queen disguised as an elderly lady into the Dwarfs’ home, and we all remember what happened with The Cat in the Hat! Don’t let intruders wreak havoc on your company. Comply with the company’s policies and procedures on facility security.

d. Maintenance Records

Covered entities are required to maintain records of repairs and modifications to the physical components of a facility which are related to security. There should be documentation explaining the changes made, when they were completed, and who authorized the modifications.

2. Workstation Use

HIPAA requires organizations to specify what functions can be performed at each workstation (computer) because inappropriate use of computer workstations can expose a company to risks – malicious attacks, security breaches, etc. A classic example of this is Wile E. Coyote and his numerous attempts to catch the Road Runner. He failed to use the Acme products correctly and suffered the consequences each and every time. While your workstation won’t blow up or send you on a fatal fall from a cliff in the desert, your actions can result in a security breach or other potentially disastrous event for the organization.

3. Workstation Security

This applies to the physical security of workstations as the access management standard applies to the actual user accounts. It is important to have several layers of security to truly protect the organization in case one level or perimeter is breached. As in the story Aladdin, it was an internal threat that Aladdin failed to protect himself against. Unfortunately, the lamp (workstation) was accessed by the wrong person and created mayhem for everyone. Don’t let your magic lamp end up in the wrong hands. Protect your workstation from unauthorized access.


4. Device and Media Controls

a. Disposal

Do you remember passing notes in class? Do you remember what happened if the teacher or someone else would get a hold of them? Public humiliation, after-school detention, and possibly the end of any chance of the boy with the sandy brown hair and dreamy blue eyes two rows over ever liking you. Well, a more adult version of public humiliation could occur if you don’t destroy unwanted PHI correctly. Just think what would happen if a CD containing all the patient records you accessed that day fell into the hands of an identity thief. Paper PHI is easy to dispose of – toss it in the shredder. Electronic PHI may be more difficult, so ask your supervisor and Security Officer for guidance.

b. Media Re-use

Some of us are old enough to remember our first mixed tape of our favorite songs. It was really cool if your boyfriend made one of all the songs that reminded him of you. Unfortunately, things happen and relationships don’t always work out. So, you need to erase that mixed tape and put songs from your new boyfriend on them.

Just like the songs on that mixed tape from your ex, so must PHI be completely erased from removable media before reusing it. Also, never save PHI to a flash drive unless authorized to do so by the Security Officer.

c. Accountability

The HIPAA Security Rule requires organizations to maintain records of the movements of hardware and electronic media and any person responsible for them. You need to know where everything and anybody is at all times to ensure protection of sensitive information such as PHI.

Why is it so important to know where everything and everyone is? Just read the nursery rhyme Little Bo Peep. Bad things happen when things get lost and fall into the wrong hands.

d. Data Backup and Storage

HIPAA requires that organizations create a retrievable, exact copy of e-PHI, when needed, before movement. Similar to the data backup plan requirement, this standard requires the company to maintain the ability to continue business regardless of what may happen. Two ways an organization can comply with the standard are to make backup copies of e-PHI stored on hard drives before moving them, or to restrict where e-PHI can be stored to reduce the need for such backup files.

The ability to retrieve data when something happens can prove to be extremely rewarding. Remember Cinderella? Had she not had an exact copy of the infamous lost glass slipper, she may still be scrubbing floors for snooty people and talking to rodents in an attic.

TECHNICAL SAFEGUARDS

1. Access Control

a. Unique User Identification

Everyone needs to have his/her own user account in order for the Security Officer or designee to monitor access to e-PHI. Just like in school when you had to put your name on your homework, your test, or anything else you turned in to the teacher, so must you use a unique account when accessing e-PHI.

b. Emergency Access Procedure

In the event of an emergency or disaster, there needs to be a way to access e-PHI and the company’s systems. Remember the Superfriends? All of them had special powers to help in an emergency situation. Well, the Security Officer has the same super powers in a sense. He/she maintains a process for accessing the company’s systems during an emergency.


c. Automatic Logoff

Automatic logoff prevents unauthorized access to e-PHI should you have stepped away from your workstation and failed to lock or log off the system. It’s the same as in the story, The Poky Little Puppy. If you don’t appear to be present, you will be locked out to keep everyone else in the house safe.
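The mechanism behind automatic logoff is a last-activity timestamp per session plus an idle limit that is enforced both when a request arrives and by a periodic sweep. The following is an added example, not code from the booklet or from any product it describes; the 15-minute limit, the session store and the timestamps are constructed for illustration.

```python
"""Automatic logoff: idle-timeout sessions with an audit trail.

Added example (not from the booklet). IDLE_LIMIT is an assumed policy
value; the session store and timestamps are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=15)  # assumed policy value, not from the booklet


@dataclass
class Session:
    user: str
    last_activity: datetime
    active: bool = True


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (time, user, event) records

    def login(self, sid: str, user: str, now: datetime) -> None:
        self.sessions[sid] = Session(user, now)
        self.audit.append((now, user, "login"))

    def request(self, sid: str, now: datetime) -> bool:
        """Called on every request; True means the request may proceed.

        The idle check runs on the request itself, so a session that sat idle
        past the limit is refused even if no background sweep has run yet.
        """
        s = self.sessions.get(sid)
        if s is None or not s.active:
            return False
        if now - s.last_activity > IDLE_LIMIT:
            self._logoff(s, now, "auto_logoff")
            return False
        s.last_activity = now
        return True

    def sweep(self, now: datetime) -> int:
        """Background pass that logs off every idle session; returns the count."""
        count = 0
        for s in self.sessions.values():
            if s.active and now - s.last_activity > IDLE_LIMIT:
                self._logoff(s, now, "auto_logoff")
                count += 1
        return count

    def _logoff(self, s: Session, now: datetime, reason: str) -> None:
        s.active = False
        self.audit.append((now, s.user, reason))


if __name__ == "__main__":
    t0 = datetime(2008, 3, 4, 9, 0, 0)  # constructed start time
    store = SessionStore()
    store.login("s1", "jsmith", t0)
    print(store.request("s1", t0 + timedelta(minutes=5)))   # True, still active
    print(store.request("s1", t0 + timedelta(minutes=25)))  # False, logged off
    print(store.audit)
```

Checking on the request path matters because a sweep that runs only every few minutes leaves a window in which an unattended, idle session would still answer requests; the audit entries also give the Security Officer a record of which sessions were closed automatically.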

d. Encryption and Decryption

The HIPAA Security Rule requires protection of e-PHI as it is transmitted from one place to another electronically as in e-mail, Internet applications, file transfers, etc.

My favorite example of encryption and decryption is R2D2’s message from Princess Leia to Obi Wan Kenobi. Had that message not been so well protected during travel, Luke may still be stuck in the desert tinkering with junk with his uncle. It serves as a great reminder to us all of the importance of protecting data as it is transmitted from one party to another.

2. Audit Controls

This standard states that covered entities must implement hardware, software, and processes that record and examine activity in systems that contain or use e-PHI.

It’s important to monitor the use of and access to e-PHI to prevent inappropriate and even illegal activity. Take the case of Little Red Riding Hood. No one was monitoring Grandma’s house, so the Wolf was able to deceive his way into the house and steal her identity, which could happen to a patient if you don’t protect their e-PHI. Fortunately, Red understood the importance of authentication and security incident reporting. She asked the Wolf a series of questions, confirmed he was NOT Grandma, and notified the woodsman with her screams, thus preventing further tragedy.
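The Log-in Monitoring, Information System Activity Review, and Audit Controls standards all come down to the same practice: record who did what and when, then examine the record for discrepancies. The following is an added example of that examination step, not code from the booklet; the log format and the sample lines are constructed, and the threshold of five failures in ten minutes is an assumed policy value.

```python
"""Review of login audit records for discrepancies.

Added example (not from the booklet). The log line format, the sample
lines and the threshold/window values are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log; the format is an assumption, not a product's.
SAMPLE_LOG = """\
2008-03-04T09:12:01 user=jsmith result=FAIL src=10.0.0.5
2008-03-04T09:12:09 user=jsmith result=FAIL src=10.0.0.5
2008-03-04T09:12:15 user=jsmith result=FAIL src=10.0.0.5
2008-03-04T09:12:22 user=jsmith result=FAIL src=10.0.0.5
2008-03-04T09:12:30 user=jsmith result=FAIL src=10.0.0.5
2008-03-04T09:12:41 user=jsmith result=OK src=10.0.0.5
2008-03-04T09:30:00 user=tstamm result=FAIL src=10.0.0.9
2008-03-04T14:30:00 user=tstamm result=OK src=10.0.0.9
this line is malformed and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_log(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped, not trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "result": m["result"],
            "src": m["src"],
        })
    return events


def find_discrepancies(events: list, threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> list:
    """Flag a user with `threshold` failures inside `window`, and a success
    that directly follows such a burst (a likely guessed or stolen password).

    Returns (alert_type, user, source) tuples for the Security Officer.
    """
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps within the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        fails = [t for t in recent_failures[user] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            fails.append(ev["ts"])
            recent_failures[user] = fails
            if len(fails) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append(("repeated_failures", user, ev["src"]))
        else:
            if len(fails) >= threshold:
                alerts.append(("success_after_failures", user, ev["src"]))
            recent_failures[user] = []  # a success closes the burst
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in find_discrepancies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single failure by the second user produces no alert because it is an ordinary mistyped password; the burst followed by a success is the pattern worth reporting, which is why the review keeps the window per user rather than counting failures across the whole log.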

3. Integrity

a. Mechanism to Authenticate e-PHI

The HIPAA Security Rule requires organizations to implement policies and procedures to prevent wrongful alteration or destruction of e-PHI. A great example of this is the story of Alice in Wonderland. Alice’s adventures were a result of alterations of information and strange events.

4. Person or Entity Authentication

This standard simply states that a company needs to have a method of verifying that persons or entities seeking access to e-PHI are the person/entity they claim to be. As stated before, Snow White suffered the consequences of not authenticating visitors and fell victim to someone not being who they claimed to be. The same thing happened to Little Red’s Grandma and the lamb in the fable The Wolf in Sheep’s Clothing. On a lighter note, Bugs Bunny actually made us laugh at the many ways he was able to deceive people and cause havoc in their lives; too bad they didn’t have the HIPAA Security Rule back then.


5. Transmission Security

a. Integrity Controls

b. Encryption

HIPAA requires the protection of e-PHI while it is being transmitted. It doesn’t matter if you and your business associate can protect e-PHI within your network if you leave it exposed to potential danger as it travels from point A to point B. Companies need to have a way to protect e-PHI as it travels through cyberspace from one place to another. Do you remember the story The Legend of Sleepy Hollow? Everyone was safe when they were at home or in the tavern, but it was on the road that travelers met their tragic fate with the headless horseman. Don’t let your e-PHI become the victim of a psychopath riding a horse and throwing pumpkin heads. Protect your e-PHI as it travels the roads of cyberspace.
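Of the two transmission security specifications, the integrity control is the one a short, self-contained example can show end to end: the sender attaches a keyed hash to the record, and the receiver recomputes it and rejects anything that was altered on the road. The following is an added example, not code from the booklet; the shared key and the patient record are constructed, and in practice the key would be provisioned through the organization's key-management process and the connection itself would also be encrypted (for example with TLS), which this stdlib-only snippet does not do.

```python
"""Integrity control for e-PHI in transit: HMAC-SHA256 tag on each message.

Added example (not from the booklet). SHARED_KEY and RECORD are constructed
for illustration; the tag detects alteration, it does not hide the contents.
"""
import hashlib
import hmac
import json
from typing import Optional

# Assumption: both parties received this key out of band. Constructed value.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed e-PHI record used as the sample input.
RECORD = {"patient_id": "P-0001", "medication": "example", "dose_mg": 50}


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Serialize deterministically and attach a tag the receiver can verify."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify(message: dict, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Return the record if the tag matches; None means the message was altered
    (or signed with a different key) and must not be processed."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking where the comparison first differs.
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])


if __name__ == "__main__":
    msg = protect(RECORD)
    print("intact  :", verify(msg))
    tampered = dict(msg, body=msg["body"].replace('"dose_mg":50', '"dose_mg":500'))
    print("tampered:", verify(tampered))  # None
```

The receiver treats a failed check as a security incident to report, not as a message to fix up, which is the same reflex the booklet asks for elsewhere: notice the discrepancy, then tell the Security Officer.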

The HIPAA Security Rule is a series of practical, common sense practices that should be implemented to protect sensitive data. While we rely on our systems and IT departments to carry most of the burden of complying with the Security Rule, all of us play a vital role in the company’s plan to protect e-PHI. Remember to follow company policies and procedures and protect patient information when using, disclosing, storing or transmitting it in any way.

For more information regarding the HIPAA Security Rule, please visit the CMS Education Materials web site:

http://www.cms.hhs.gov/EducationMaterials/04_SecurityMaterials.asp
