HIM 300 HIPAA SECURITY RULE


Page 1

HIM 300
HIPAA SECURITY RULE

Page 2

HIPAA Security Rule
Agenda

• What is the HIPAA Security Rule
  – Authority
  – Definition
  – Scope

• Requirements
  – Administrative
  – Physical
  – Technical
  – Individual Responsibilities
  – Education
  – Security consciousness
  – Reporting
  – Sanctions

Page 3

Information Technology Security
National Institute of Standards and Technology

NIST SP 800-70: Security Configuration Checklists Program for IT Products.

"High Security: A High Security Environment is at high risk of attack or data exposure, and therefore security takes precedence over usability. This environment encompasses computers that are usually limited in their functionality to specific specialized purposes. They may contain highly confidential information (e.g. personnel records, medical records, financial information) or perform vital organizational functions (e.g. accounting, payroll processing, web servers, and firewalls)."

Page 4

HIPAA
Health Insurance Portability and Accountability Act of 1996

Title II
  – Preventing Health Care Fraud and Abuse
  – Administrative Simplification
      • Electronic Data Interchange
      • Privacy
      • Security
          – Administrative Safeguards
          – Physical Safeguards
          – Technical Safeguards
  – Medical Liability Reform

Page 5

HIPAA Security Standards
What is the Security Rule

• A federal regulation (45 CFR Part 164, Subpart C, issued under HIPAA) designed to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

• The deadline for compliance was April 20, 2005 (small health plans had until April 20, 2006).

• Comprised of three main categories of "standards" (safeguards) pertaining to the administrative, physical, and technical protection of ePHI.

• Applies to the security and integrity of protected health information that is electronically created, stored, transmitted, received, or manipulated.

Page 6

HIPAA Security Standards
What is the Security Rule

Bottom Line:

• We must assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability.

• We must protect information commensurate with the level of risk and magnitude of harm resulting from loss, misuse, unauthorized access, or modification.

Page 7

HIPAA Security Standards
Definitions

Confidentiality: "the property that data or information is not made available or disclosed to unauthorized persons or processes."

• Must protect against unauthorized
  – Access
  – Uses
  – Disclosures

Page 8

HIPAA Security Standards
Definitions

Integrity: "the property that data or information has not been altered or destroyed in an unauthorized manner."

• Must protect against improper destruction or alteration of data

• Must provide appropriate backup in the event of a threat, hazard, or natural disaster

Page 9

HIPAA Security Standards
Definitions

Availability: "the property that data or information is accessible and usable upon demand by an authorized person."

• Must provide for ready availability to authorized personnel

• Must guard against threats and hazards that may deny access to data or render the data unavailable when needed.

• Must provide appropriate backup in the event of a threat, hazard, or natural disaster

• Must provide appropriate disaster recovery and business continuity plans for departmental operations involving ePHI.

Page 10

HIPAA Security Standards
What Constitutes PHI – Eighteen Identifiers

• Names

• Geographic subdivisions smaller than a state: street address, city, county, precinct, ZIP code beyond its first three digits, or other geographic codes

• All elements of dates (other than year) directly related to the patient (birth, admission, discharge, death), and any age over 89 (the population aged 90 and over is small enough to be identifying; such ages may only be reported as "90 or older")

• Telephone numbers

• Fax numbers

• Email addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web URLs

• Internet Protocol (IP) addresses

• Biometric identifiers, including finger and voice prints

• Full-face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
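Several of the identifiers above have a recognisable syntax, which is what a data-loss-prevention or de-identification check keys on. The following Python is an added example, not part of the original deck: it scans free text for the identifiers a regular expression can find (SSN, phone/fax, e-mail, IPv4, URL, dates, full ZIP codes, ages over 89) and redacts them, keeping the first three ZIP digits as the de-identification standard allows. The patterns assume common US formats, and the sample record is constructed; names, medical record and account numbers, biometrics and images need context or a lookup table and are deliberately not matched.

```python
"""Scan free text for HIPAA identifiers that have a recognisable syntax.

Added example, not part of the original training deck. It covers only the
identifiers a regular expression can find. Names, medical record and account
numbers, biometrics and images need context or a lookup table and are not
matched here. The patterns assume common US formats.
"""
import re

# Ordered so that a URL is consumed before the e-mail/IP patterns look inside it.
PATTERNS = {
    "url":   re.compile(r"\bhttps?://\S+"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),   # also fax
    "ipv4":  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "zip":   re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}
# "age 92", "aged 92", "92-year-old": only ages over 89 are identifiers.
AGE = re.compile(r"\b(?:(?:age|aged)\s+(\d{1,3})|(\d{1,3})[- ]year[- ]old)\b", re.I)

def _age_value(m):
    return int(m.group(1) or m.group(2))

def find_identifiers(text):
    """Return a list of (kind, matched_text) for every identifier found."""
    hits = [(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]
    hits += [("age_over_89", m.group(0)) for m in AGE.finditer(text) if _age_value(m) > 89]
    return hits

def redact(text):
    """Replace identifiers with tags. ZIP codes keep their first three digits,
    which the de-identification standard allows for most areas."""
    out = text
    for kind, pat in PATTERNS.items():
        if kind == "zip":
            out = pat.sub(lambda m: m.group(0)[:3] + "XX", out)
        else:
            out = pat.sub(f"[{kind.upper()}]", out)
    return AGE.sub(lambda m: "[AGE>89]" if _age_value(m) > 89 else m.group(0), out)

# Constructed sample record; all values are fictitious.
SAMPLE = ("Patient Jane Doe, age 92, MRN on file. SSN 123-45-6789, phone (617) 555-0123, "
          "email jane.doe@example.org, seen 03/14/2005 at 02138, "
          "portal https://portal.example.org/p/42 from 10.1.2.3.")

if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE):
        print(f"{kind:12s} {value}")
    print(redact(SAMPLE))
```

Note what the scanner does not catch in the sample: the name "Jane Doe" survives redaction. Pattern matching is a useful first pass for a DLP rule or an export check, but it is not a de-identification method on its own; the Safe Harbor standard needs all eighteen identifiers removed, and the ones without fixed syntax need either a dictionary of known patients and record numbers or expert determination.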

Page 11

HIPAA Security Standards
Definitions continued…

ePHI: health information in an electronic format that contains any of the 18 identifiers

• This may include but is not limited to the following:
  – Data stored on the network, internet, or intranet
  – Data stored on a personal computer or personal digital assistant (PDA), e.g. a Palm Pilot
  – Data stored on "USB keys," memory cards, external hard drives, CDs, DVDs, floppy disks, tapes, or digital cameras/camcorders
  – Data stored on your HOME computer
  – Data utilized for research

Page 12

HIPAA Security Standards
Administrative Safeguards

• Administrative Safeguards – "Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity's workforce in relation to the protection of that information."

• Bottom Line:
  – Every facility must adopt policies and procedures to control access to ePHI.
  – Each employee must be familiar with these policies and procedures at the institution and departmental levels.

Page 13

HIPAA Security Standards
Administrative – Access

• Access to ePHI is granted only to authorized individuals with a "need to know."

• SOM computer equipment should only be used for authorized purposes in the pursuit of accomplishing your specific duties.

• Installation of software without prior approval is prohibited.

• Disclosure of ePHI via electronic means is strictly forbidden without appropriate authorization.

• Do not use computer equipment to engage in any activity that is in violation of the facility's policies and procedures or is illegal under local, state, federal, or international law.

Page 14

HIPAA Security Standards
Administrative – Access

• Facilities will monitor logon attempts to the network.

• Inappropriate logon attempts should be reported to the respective departmental-level security designee.

• All facility computer systems are subject to audit.

• Access to the intranet will be monitored.
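Monitoring logon attempts only helps if something turns the raw log into a report. The following Python is an added example, not from the original deck, of the kind of check a departmental security designee would run over authentication logs: it flags a burst of failed logons for one account, a success that immediately follows such a burst (a possibly guessed password), and any successful logon by a shared "generic" id or by an id belonging to departed staff. The log line format, the thresholds, and the account names are assumptions constructed for the example; a real deployment would parse the facility's own authentication events (Windows security log, syslog, or the EHR's audit trail).

```python
"""Flag inappropriate logon attempts in authentication logs.

Added example, not from the original deck. The log format, thresholds and
account names are constructed for illustration; adapt parse() to the
facility's own authentication logs.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                 # this many failures ...
WINDOW = timedelta(minutes=10)     # ... within this window raise an alert
# Shared ("generic") ids and ids of departed staff must never log on successfully.
GENERIC_ACCOUNTS = {"radiology", "frontdesk", "nurse"}
TERMINATED_ACCOUNTS = {"dwhite"}

def parse(line):
    """'2005-04-20T08:00:01 SUCCESS user=jsmith src=10.20.1.15' -> dict"""
    ts, outcome, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}

def _prune(q, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while q and now - q[0] > WINDOW:
        q.popleft()

def analyze(log_text):
    """Return alerts as (kind, user, src, timestamp) in log order."""
    alerts = []
    failures = defaultdict(deque)          # user -> timestamps of recent failures
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse(line)
        user, q = ev["user"], failures[ev["user"]]
        _prune(q, ev["ts"])
        if ev["outcome"] == "FAILURE":
            q.append(ev["ts"])
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is reached
                alerts.append(("failed_logon_burst", user, ev["src"], ev["ts"]))
        else:
            if user in GENERIC_ACCOUNTS:
                alerts.append(("generic_account_logon", user, ev["src"], ev["ts"]))
            if user in TERMINATED_ACCOUNTS:
                alerts.append(("terminated_account_logon", user, ev["src"], ev["ts"]))
            if len(q) >= FAIL_THRESHOLD:   # success right after a burst: possibly a guessed password
                alerts.append(("success_after_burst", user, ev["src"], ev["ts"]))
    return alerts

# Constructed sample log, one event per line; every value is fictitious.
SAMPLE_LOG = """\
2005-04-20T08:00:01 SUCCESS user=jsmith src=10.20.1.15
2005-04-20T08:01:10 FAILURE user=mjones src=10.20.1.22
2005-04-20T08:01:12 FAILURE user=mjones src=10.20.1.22
2005-04-20T08:01:15 FAILURE user=mjones src=10.20.1.22
2005-04-20T08:01:19 FAILURE user=mjones src=10.20.1.22
2005-04-20T08:01:24 FAILURE user=mjones src=10.20.1.22
2005-04-20T08:02:00 SUCCESS user=mjones src=10.20.1.22
2005-04-20T09:15:00 FAILURE user=rlee src=192.0.2.44
2005-04-20T13:30:00 FAILURE user=rlee src=192.0.2.44
2005-04-20T14:05:33 SUCCESS user=radiology src=10.20.3.7
2005-04-20T16:45:00 SUCCESS user=dwhite src=10.20.1.90
"""

if __name__ == "__main__":
    for kind, user, src, ts in analyze(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:26s} user={user} src={src}")
```

On the sample, rlee's two failures four hours apart are ignored (ordinary typos), while mjones produces both a burst alert and a success-after-burst alert, and the radiology and dwhite logons are flagged because those ids should not be able to log on at all. The last two checks are cheap to run and are the audit evidence for the termination and "no generic ids" rules on the later slides.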

Page 15

HIPAA Security Standards
Administrative – Access

• All computers should be manually locked, locked via a screen saver, or logged off when unattended.

• Computers with older operating systems (anything other than Windows 2000 or Windows XP) should:
  – Utilize a "boot" password
  – Utilize a screen saver with a password
  – Be shut down when you leave for an extended period of time.

Page 16

HIPAA Security Standards
Administrative – Access

• You must access the healthcare facility information utilizing YOUR username and password – NO PASSWORD SHARING.

• You are personally responsible for access to any information utilizing your password.

• You are subject to disciplinary action if information is accessed inappropriately utilizing your password.

Page 17

HIPAA Security Standards
Administrative – Passwords

• Your user id and password are critical to ePHI security.

• Maintain your password in a secure and confidential manner
  – DO NOT keep an unsecured paper record of your passwords.
  – DO NOT post your password in open view, e.g. on your monitor.
  – DO NOT share your password with anyone.
  – DO NOT include passwords in automated logon processes.
  – DO NOT use "weak" passwords.

Page 18

HIPAA Security Standards
Administrative – Passwords

• Passwords must be changed every 90 days.

• Passwords should be changed whenever there is a question of compromise.

• Strong passwords must be utilized when possible
  – A minimum of 8 characters in length
  – Must contain a component from at least 3 of the 4 following categories
      • Upper case
      • Lower case
      • Numerals
      • Keyboard symbols

Note: the 90-day rotation and the 3-of-4 composition rule reflect policy at the time of this deck. Current NIST guidance (SP 800-63B) no longer recommends forced periodic changes or composition rules, because they push users toward predictable patterns; it favors longer passwords, screening against lists of breached and common passwords, and changing a password when compromise is suspected. Follow your facility's current policy.

Page 19

HIPAA Security Standards
Administrative – Passwords

Examples:

• I like to play with computers 2!
  – Using the first letter of each word yields "Iltpwc2!"

• I wish these silly passwords would go away!
  – Using the first letter of each word, adding a $ symbol and capitalizing the P yields "I$wtsPwga!"
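The policy on the two preceding slides is concrete enough to check mechanically. The following Python is an added example, not part of the original deck: it implements the length and 3-of-4 composition rule, reproduces the first-letter mnemonic from the slide's examples, and adds a blocklist check, which is the piece a composition rule alone cannot provide. The blocklist here is a constructed placeholder; a real deployment would screen against a published list of breached or common passwords.

```python
"""Check passwords against the policy on the slides above and build the
first-letter mnemonic they recommend.

Added example, not part of the original deck. The blocklist is a constructed
stand-in for a real list of breached or common passwords.
"""
import string

MIN_LENGTH = 8
MIN_CLASSES = 3            # of the 4 classes: upper, lower, digit, symbol
BLOCKLIST = {"password", "passw0rd", "welcome1", "hipaa2005", "letmein"}

def character_classes(pw):
    """Return the set of character classes the password draws on."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes

def check_password(pw):
    """Return (ok, problems). Length and composition are the deck's rules;
    the blocklist is what catches passwords that satisfy those rules yet
    are trivially guessable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    n = len(character_classes(pw))
    if n < MIN_CLASSES:
        problems.append(f"uses {n} of 4 character classes, need {MIN_CLASSES}")
    if pw.lower() in BLOCKLIST:
        problems.append("appears on the blocklist")
    return (not problems, problems)

def _compress(token):
    """First character of a word plus any trailing punctuation ('away!' -> 'a!',
    '2!' -> '2!'); a token that is all punctuation is kept as-is."""
    i = len(token)
    while i > 0 and not token[i - 1].isalnum():
        i -= 1
    return token if i == 0 else token[0] + token[i:]

def passphrase_to_password(phrase):
    """The slide's mnemonic: 'I like to play with computers 2!' -> 'Iltpwc2!'."""
    return "".join(_compress(tok) for tok in phrase.split())

if __name__ == "__main__":
    for candidate in ["Iltpwc2!", "I$wtsPwga!", "hipaa2005", "Passw0rd"]:
        print(candidate, check_password(candidate))
    print(passphrase_to_password("I wish these silly passwords would go away!"))
```

Both slide examples pass: "Iltpwc2!" uses all four classes and "I$wtsPwga!" uses three (the second slide example is the mnemonic "Iwtspwga!" with a "$" inserted and the P capitalized by hand). "Passw0rd" also satisfies the 3-of-4 rule with eight characters, which is exactly why the blocklist check is there.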

Page 20

HIPAA Security Standards
Administrative – Access

• Termination and/or transfer procedures
  – Administrative directors are responsible for informing the appropriate IT administrator of changes in an employee's employment status.
  – Upon termination of employment, all of the employee's network and PC access is terminated.
  – All ePHI and computer equipment (laptops, PDAs, etc.) should be retrieved.
  – The use of a prior employee's user-ids and passwords is strictly forbidden. "Generic" user-ids are strictly forbidden.

Page 21

HIPAA Security Standards
Administrative – Remote Access

• All ePHI stored or accessed remotely must be maintained under the same security guidelines as for data accessed within the healthcare facility.

• This applies to home equipment and Internet-based storage of data.

• All ePHI should be kept in such a fashion as to be inaccessible to family members.

Page 22

HIPAA Security Standards
Administrative – Malicious Software

Pirated software, viruses, worms, Trojans, spyware, and file-sharing software (e.g. Kazaa)

• All software installed on healthcare facility equipment must be approved by the department chairperson, administrative director or their designee – typically the department-level security officer.

• Installation of software on healthcare facility computers must be in compliance with healthcare software policy and applicable licensing agreements.

• Installation of personal software or software downloaded from the Internet is prohibited.

Page 23

HIPAA Security Standards
Administrative – Malicious Software

• Approved anti-virus software must be installed and kept current on:
  – All computer systems.
  – Home equipment utilized to access the facility's network.

• Never disable anti-virus software.

• Suspicious software should be brought to the attention of the IT technical support personnel immediately.

Page 24

HIPAA Security Standards
Administrative – Malicious Software

• Emails with attachments should not be opened if:
  – The sender is unknown to you
  – You were not expecting the attachment
  – The attachment is suspicious in any way

• Do not open non-business-related email attachments or suspicious web URLs.

• Do not open file attachments or URLs sent via instant messaging.

Page 25

HIPAA Security Standards
Administrative – Backup and Recovery

• A system must be in place to ensure recovery from any damage to computer equipment or data within a reasonable time period based on the criticality of function.

• Each department must determine and document data criticality, sensitivity, and vulnerabilities.

• Each department must devise and document a backup, disaster recovery, and business continuity plan.

• Backup data must be stored in an off-site location.

• Backup data must be maintained with the same level of security as the original data.

Page 26

HIPAA Security Standards
Administrative – Incident Reporting

• All known and suspected security violations must be reported.

• Security incidents should be reported to the departmental Administrative Director or their designee.

• Security incidents must be fully documented to include time/date, personnel involved, cause, mitigation, and preventive measures.

Page 27

Information Technology Security
Administrative – Assessments

• Site surveys will be required
  – On a semi-annual basis to reassess compliance, risks, and vulnerabilities.
  – When a new type of threat emerges

• Backup, disaster recovery, and business continuity procedures will be reviewed and tested to determine their adequacy.

• Any changes or additions to departmental electronic assets must be made in conjunction with SOM IT personnel and after performance of a proper risk assessment.

Page 28

HIPAA Security Standards
Physical Safeguards

• Physical Safeguards – "the security measures to protect a covered entity's electronic health information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion."

• Bottom Line:
  – Electronic assets must be protected from physical damage and theft.

Page 29

HIPAA Security Standards
Physical – Media and Devices

• All electronic devices containing ePHI should be secured behind locked doors when applicable.

• Special security consideration should be given to portable devices (PDAs, laptops, smart cell phones, digital cameras, digital camcorders, external hard drives, CDs, DVDs, USB "drives," and memory cards) to protect against damage and theft.

Page 30

HIPAA Security Standards
Physical – Media and Devices

• Protected Health Information must never be stored on mobile computing devices or storage media unless the following minimum requirements are met:
  – Power-on or boot passwords
  – Auto logoff or password-protected screen savers
  – Encryption of stored data by acceptable encryption software approved by the IT Security Officer or designee, e.g. TrueCrypt®

Note: TrueCrypt was discontinued by its developers in May 2014 with a warning that it may contain unfixed security issues; current equivalents are the full-disk encryption built into the operating system (BitLocker, FileVault, LUKS) or the maintained fork VeraCrypt. Encryption at rest also matters for breach handling: under the later HIPAA Breach Notification Rule, ePHI encrypted in accordance with HHS guidance is treated as unusable and unreadable, so the loss of a properly encrypted device is not a reportable breach, whereas the loss of an unencrypted one is.

Page 31

Information Technology Security
Physical Facilities and HIPAA

§ 164.310 Physical safeguards.
A covered entity must, in accordance with § 164.306:

Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.

Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.

Page 32

Information Technology Security
Physical Facilities and HIPAA

§ 164.310 Physical safeguards.
A covered entity must, in accordance with § 164.306:

Access control and validation procedures (Addressable). Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.

Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks).

Page 33

HIPAA Security Standards
Physical – Paper Medical Records or PHI

• Physical safeguards also must provide appropriate levels of protection against fire, water, and other environmental hazards such as extreme temperatures and power outages/surges.

Page 34

HIPAA Security Standards
Physical – Workstations

• Position workstations so as to avoid viewing by unauthorized personnel.

• Use privacy screens where applicable.

• Use automatic password-protected screen savers.

• Lock, log off, or shut down workstations when not attended.

• Workstation access should be controlled based on job requirements.

Page 35

HIPAA Security Standards
Physical – Information Transfer

• Hard drives sent to vendors outside the facility for data recovery or for warranty repairs require a Business Associate Agreement between the facility and the specified vendor.

Page 36

HIPAA Security Standards
Technical

• Technical Safeguards – "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

• Bottom Line:

– Technological solutions are required to protect ePHI where applicable.

– Examples include data encryption and secure data transfer over the network.

Page 37

HIPAA Security Standards
Technical – Network

• All wireless network communications require proper security protocols and encryption technology.

• Wireless networking must be configured and managed by Security.

• All electronic transmission of ePHI must be appropriately encrypted.

Page 38

HIPAA Security Standards
Technical – Network

• Private Health Information residing on any form of electronic media or computing device must be encrypted if stored or taken off-site, e.g. backup CDs, DVDs, external hard drives, etc.

• Encryption must be achieved through software approved by the SOM IT Department Security Officer or designee, e.g. TrueCrypt®

Page 39

Information Technology Update
Summary

• Change is painful but necessary

• Provide a re-designed IT infrastructure that will enable us to embrace future technological development

• Provide for the security of the electronic assets

• Provide a tremendous opportunity to enhance patient care, collaborative research, and teaching

Page 40

Information Technology Update

Questions?