HIPAA Privacy Security Presentation for ISCA

7/30/2019 HIPAA Privacy Security Presentation for ISCA

1/26

Privacy & Security Matters:Privacy & Security Matters:

Protecting Personal DataProtecting Personal Data

Privacy & Security Project


2/26


3/26

What HIPAA Does1. Creates standards for protecting the privacy

of health information2. Creates standards for the security of health

information

3. Creates standards for electronic exchange ofhealth information

4. Requires action as single entity5. Privacy rule mandates training 25,000

workforce members on standards and policies


4/26

Deadlines for CompliancePrivacy

Security

Transactions & Code

SetsIdentifiers

April 14, 2003!

Fall 2004

Oct ober 16, 2003

Fall 2004


5/26

Key DefinitionsIndividually Identifiable Health Information Related to an individual; the provision of health care to an

individual; or payment for health care

and that identifies the individual

or a reasonable basis to believe the information can be usedto identify the individual

Protected Health Information (PHI) Individually Identifiable Health Information

Electronic, paper, oral Created or received by a health care provider, public health

authority, employer, school or university


6/26

Definitions

Covered Entity Health care provider who transmits any

health information in electronic form in

connection with HIPAA regulationsHealth care provider means a provider of

medical or health services, and any other

person or organization who furnishes, bills, oris paid for health care in the normal course ofbusiness.


7/26

Impact on the University

SystemSignificant financial implications

High level of risk to individuals and toinstitution civil monetary penalties

criminal sanctions

Requires a change in the way we do business

New U-wide policies & procedures Limits access to information


8/26

Scope of ImpactUniversity-wide

-Athlet ics -Ed and Human Devel.

-Auxiliary Services -College of Liberal Art s

-Car lson SOM -School of Music

-General Counsel -Food Science & Nut r it ion-MMF -Universit y Foundat ion

-U Health Plan -General College-Student Heal th Services -Disabi li ty Services

-Environmental Healt h -OI T

All Coordinate Campuses

Business part ners: UMP, FUMC, aff il iat ed sit es

business associates


9/26

Operations ImpactEducation ensure students competencies in privacy &

technology. Record keeping

curriculum

Research Major change to process

IRB processes and functionHealth Care

Culture change


10/26

University Policies and

Procedures NeededRegents policy on privacy, compliance and

enforcementPolicies for use and disclosures of PHI

Privacy policy for patientsAdministrative forms permitting disclosure

Policies for sanctions, mitigation, and

monitoringPolicies for data security

Policies for education and training


11/26


12/26

Privacy and Security Project

OrganizationEducat ion & Training

Task Force

Privacy and Confidentiality

Curriculum for Tech Competencies

Curriculum for Policy, Legal,Ethics, and Health Systems Issues

Privacy Environment

Implementation

Competency Assessment

Technology Task

Force

Clinical issues

Technical & Security Audit

Research Issues


13/26

Introduction to HIPAA PrivacyAnd Security Videotape

(7 minutes)

Privacy and Confidentialityin Research

(70 minutes)

Safeguarding PHI on Computers(70 minutes)

Privacy and Confidentialityin Clinical Settings

(55 minutes)

Privacy and Secur it y Proj ectEducat ion Program Model

P i d S i P j


14/26

Privacy and Security Project

Organization

Example

of

Training

Material


15/26

Security and the Privacy RuleMust implement appropriate technicalsafeguards to protect privacy of PHI.

Must be able to reasonably safeguard against

any intentional or unintentional use ordisclosure that is a privacy violation.

Should work in conjunction with minimum

necessary ruleCoordinated with HIPAA security regulations.


16/26


17/26

Goal of Security RuleTo ensure reasonable and appropriateadministrative, technical, and physicalsafeguards that insure the integrity,

availability and confidentiality of healthcare information, and protect against

reasonably foreseeable threats to thesecurity or integrity of the information.


18/26

Focus of Security RuleBoth external and internal threats

Prevention of denial of service

Theft of private information

Integrity of information


19/26

Rule has 4 categories1. Administrative Procedures

2. Physical Safeguards

3. Technical data security services

4. Technical security mechanisms

Administrative Procedures:


20/26

Administrative Procedures:

12 Requirements1. Certification

2. Chain of TrustAgreements

3. Contingency Plan

4. Mechanism forprocessing records

5. Information AccessControl

6. Internal Audit

7. Personnel Security

8. Security ConfigurationManagement

9. Security Incident

Procedures

10. Security ManagementProcess

11. TerminationProcedures

12. Training

Physical Safegaurds:


21/26

Physical Safegaurds:

6 Requirements1. Assigned Security Responsibility

2. Media Controls

3. Physical Access Controls

4. Policy on Workstation Use

5. Secure Workstation Location

6. Security Awareness Training

Technical Data Security


22/26

Technical Data Security

Services: 5 Requirements1. Access Control

2. Audit Controls

3. Authorization Control

4. Data Authentication

5. Entity Authentication

Technical Security Mechanism:


23/26

Technical Security Mechanism:

1 Requirement1. Protections for health information

transmitted over open networks via:

Integrity controls, and

Message authentication, and

Access controls OR encryption


24/26

Dash Board For Evaluation # staff - # volunteers - % trained

# of clients

# of security incidents

Have list of systems containing PHIand know location of system and who

is data steward -# of items on list Confidence that unit has good physicalsecurity


25/26

Dash Board For Evaluation Have list of data interfaces -# of data

interfaces

Have list of contracts/business

associates - # of contracts/businessassociates

Allow PHI to be put on personal PCsor in Email or loaded to WEB site


26/26

Documents

HIPAA Privacy Security Presentation for ISCA