Presentation by fjzhangweiqun


HIPAA Security
Community Health Network Staff
On-Line Mandatory Training
Presentation Agenda

• HIPAA Fundamentals
• Privacy Rule Review
• Security Rule Basics
• Security Components
• Security Policies and Procedures
• Instructions for completing the on-line mandatory training
HIPAA Fundamentals

HIPAA Overview – What does HIPAA stand for?

Health Insurance Portability and Accountability Act

In 1996, the HIPAA Act was passed. The goal was to ensure that people had insurance portability, that there was accountability for health care information, and lastly that there was administrative simplification.
  • The portability allows you to transfer information
  • The accountability adds the responsibility
      • By standardizing record sets it made transaction coding and compliance more simple, thereby saving money in the long-term
HIPAA Fundamentals

Three HIPAA Rules

• Privacy Rule
  – The HIPAA Privacy Rule went into effect April 14, 2003.
  – The Privacy Rule deals with what information should be kept private and who should have access to it.

• Transaction Rule
  – The compliance deadline for the Transaction Rule was October 16, 2003.

• Security Rule
  – The Security Rule was finalized early last year and went into effect April 21,
  – The Security Rule is the reason for this training. This is the rule that governs what must be done to reasonably ensure that electronic information is kept private. Areas where this could impact you include sharing passwords, leaving workstations unattended, working from home, etc.
Privacy Rule Review
Before we get into Security Rule details, let’s revisit some key HIPAA
• We are a provider that transmits health information in electronic form, so we are a covered entity and must comply with HIPAA.
• We also have many business associates with which we share patient information.
• HIPAA requires that we formally communicate the need to keep this information private, and we do that by signing a Business Associate Agreement. The business associate is then held to the same degree of responsibility as the covered entity.
• If that business associate needs to share the information with another organization, it must continue the process of establishing business associate agreements.
• The chain of protection on private information can’t be broken.
• Patients can file a grievance if they think their rights have been violated.

• Covered Entity
  Any health plan, clearinghouse, or provider who transmits health information in electronic form in connection with a HIPAA transaction
• Business Associate
  A person or organization that performs a function on behalf of a covered entity using individually identifiable information
Privacy Rule Review
• Individually Identifiable Information
  – A subset of health information that is created or received by a covered entity, related to condition, treatment, or payment for treatment, which can be used to identify a client
  – Many types of information that we work with in our daily lives are individually identifiable. You can think of it this way: if the information can be traced back to a specific person, then it is individually identifiable.

• Protected Health Information (PHI)
  – PHI is individually identifiable information that is maintained in any form by a covered entity
  – PHI more specifically relates to the maintenance or transmittal of the information. You will see PHI referred to quite often as HIPAA is discussed. This is the information that must be kept confidential.
  – Examples of PHI include:
      • Individual’s Name or Address
      • SSN
      • Date of Birth
      • Treatment Documentation
      • Billing Information
Security Rule Basics

• HIPAA enacted in 1996
• 8/12/98 Security Rule proposed
• 2/20/03 Security Rule adopted by the Federal
Security Rule Basics

Privacy vs. Security
• Privacy Rule
  – This rule covers what information is protected and who should have access to it.
• Security Rule
  – This rule covers what needs to be done to protect the information.
  – The Security Rule specifically applies to the security of only electronic information.
Security Rule Basics

Four Requirements of Security
• Ensuring confidentiality, integrity, and availability of electronic PHI
  – We are required to keep information confidential, ensure it has not been tampered with, and make sure it is available only to those authorized
• Protecting against possible threats or hazards to our information
  – We must plan for items that may threaten our information systems. This includes intentional acts such as hackers and viruses as well as natural disasters and system failures.
• Protecting against unauthorized uses or disclosures
  – Requires us to restrict who gets access to our electronic PHI and who doesn’t
• Ensuring compliance by the workforce
  – We must ensure you are compliant with the security regulations and that our policies and procedures are developed in accordance with the regulations
Security Rule Basics
Who is responsible for Security? EVERYONE, including:
• I/T Managers and Staff
  – I/T Managers and Staff are responsible for implementing safeguards in our computer systems
• Medical Professionals
  – Medical Professionals create and access the majority of patient information and have an obligation to maintain its privacy and security.
• Managers and Supervisors
  – Managers and supervisors are responsible for developing and implementing policies and procedures as well as ensuring their staff is properly trained
• Clerical Staff
  – Clerical Staff also create and access patient information and also have an obligation to maintain its privacy and security.
• Volunteers
  – Volunteers have access to patient information (such as in the Surgery Waiting Room) and have an obligation to maintain the privacy and security of this
• Business Associates (described earlier in the presentation)
Security Rule Components

Three Components of Security
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

The organization has drafted 25 policies that relate to HIPAA Security. These policies can be found on the CHN Intranet under:
  – “Policies & Procedures – CHN Policies – Section 20 Information Technology” or
  – “CHN Manuals & General Info – HIPAA”

Today’s session will review some of those policies and procedures that affect most employees. In some departments, you may have additional training to supplement what is presented here today.
Administrative Safeguards

#20-027-1104 HIPAA (I/T) – Sanctioning of Workforce
  – Documentation is retained for 6 years
  – Sanctions follow CHN policy 05-024 Corrective Action/Discipline Process (Includes HIPAA):
      • first offense of noncompliance = documented coaching/counseling session
      • second offense of noncompliance = documented one day leave without pay
      • third offense of noncompliance = documented termination
      • for incidents of serious misconduct, the process may be abbreviated and an employee is subject to immediate dismissal. Violations of a severe nature may result in notification to law enforcement officials as well as regulating, accreditation, and/or licensure organizations.
  – In addition to CHN sanctions, civil and/or criminal penalties may apply to anyone committing noncompliant acts
Administrative Safeguards

#20-027-1104 HIPAA (I/T) – Information Systems Activity Review
  – Periodic internal system reviews of records to minimize security violations involving electronic protected health information
  – Areas that are reviewed include, but are not limited to, the following:
      • Logins
      • File accesses
      • Security incidents
  – In addition to CHN sanctions, civil and/or criminal penalties may apply
Administrative Safeguards

#20-025-1104 HIPAA (I/T) – Responsibilities of the I/T Security Officer (ITSO)
  – Two ITSOs are designated – the Primary and the Backup
      • Greg Beltran, Director of I/T, is the Primary ITSO
      • Thomas Krystowiak, Vice President of Finance, is the Backup ITSO
  – The ITSO is responsible for the following:
      • Ensure that security standards comply with statutory and regulatory requirements
      • Maintain security policies and procedures
      • Maintain appropriate security measures and mechanisms to guard against unauthorized access to electronically stored and/or transmitted patient data and protect against reasonably anticipated threats and hazards
      • Oversee and/or perform on-going security monitoring of organization information
      • Ensure compliance through adequate training programs and periodic security
Administrative Safeguards

#20-019-1104 HIPAA (I/T) – Information Access Management
   –   Employees, contractors, and other users are granted access only
       to that health information to which they are authorized
   –   The workforce member’s immediate director/supervisor is
       responsible for determining and requesting (in a timely manner)
       the appropriate access to electronic protected health information
       via the “electronic green sheet” form found on the CHN Intranet.
   –   Access rights are verified upon hire/initial setup, and are reviewed
       upon job transfer and/or request of workforce member’s
       immediate director/supervisor.
   –   It takes 48-72 hours to implement the various access rights
       given the complexity of our security systems.
Administrative Safeguards

#20-028-1104 HIPAA (I/T) – Security Awareness & Training
  – All workforce members of CHN and its affiliates, including management, shall receive mandatory training regarding security awareness.
  – System users of CHN and its affiliates shall receive training regarding:
      • periodic security updates;
      • incident reporting;
      • log-in; and
      • password management
  – CHN and its affiliates’ ITSO will send out periodic reminders and security updates every 6 months to make workforce members, as well as agents and contractors, if necessary, aware of security concerns and initiatives on an ongoing basis.
  – Successful completion of initial and periodically recurring training is a prerequisite for system access and a factor of job performance. A secure record will be maintained by I/T Network Administrators for tracking training requirement fulfillment for each individual.
Administrative Safeguards

#20-028-1104 HIPAA (I/T) – Security Incidents
  – Workforce members, contractors, and others shall immediately report any and all suspected and actual breaches of information security to the I/T Security Official (ITSO).
  – Anyone suspecting a security incident will immediately notify the Primary ITSO, by phone or personal visit (e-mail will not be used). You may be asked to supply the following information, which will be documented by the ITSO in his/her formal report:
      • Name and phone number of the person reporting the incident
      • Date and time the incident was discovered
      • Observed behaviors that led to the incident being suspected
      • Any unusual circumstances surrounding the event
Physical Safeguards

#20-018-1104 HIPAA (I/T) - Facility Access Controls
   –   CHN and its affiliates will safeguard the facility and the
       equipment therein from unauthorized physical access, tampering,
       and theft
   –   Workstations will be positioned such that monitor screens and
       keyboards are not directly visible to unauthorized persons.
       Additionally, privacy screens will be used where applicable
Physical Safeguards

#20-021-1104 HIPAA (I/T) – Workstation Use and Security
  – Workforce members shall use workstations in the appropriate manner considering the sensitivity of the information contained therein and minimize the possibility of unauthorized access to such information.
  – Workstation users will:
      • Log on as themselves, not as another workforce member;
      • Log off prior to leaving their workstation;
      • Inspect the last logon information for consistency with their actual last logon, and report any discrepancies (as well as any other suspicious findings) to the Director of Information Technology;
      • Comply with all applicable password policies and procedures;
      • Close files not in use; and
      • Perform memory-clearing functions as needed to comply
Technical Safeguards

#20-032-1104 HIPAA (I/T) – Access Controls
  – User passwords upon initial setup are set for one-time use so the individual workforce member can choose their own unique
  – User passwords will reset every 180 days.
  – Citrix sessions will automatically close after 60 minutes of no
  – Meditech sessions will automatically close at different intervals depending on where you are in the program.
      • Initial log-on screens will close within seconds of no activity
      • Screens further into specific modules will close and back up to the previous screen anywhere from seconds to minutes of no activity
Policy Enforcement

The policies will be enforced internally by the HIPAA Information Technology Security Officer, or ITSO.
  – The primary ITSO for CHN is Greg Beltran, Director of I/T.
  – The contact information for the ITSO is located on the CHN Intranet under CHN Manuals & General Information – HIPAA.

For significant issues beyond the organization’s jurisdiction, CMS (Centers for Medicare & Medicaid Services – a department within the US Federal Government) will have responsibility for enforcement.

Under HIPAA Security, individuals may be held personally responsible and could face civil or criminal penalties.
Security Policies and Procedures

What can I do?
• Log on and off the network appropriately; do not leave your workstation logged on while you are gone
• Never let others use your ID. Do not let someone work logged in as you.
• Secure your password; do not write it down, share it with others or leave in the
• Never disable anti-virus software or install unapproved software
• Never introduce new hardware or media to the network environment (don’t bring disks from home)
• Be aware of, and report, security threats to the ITSO
• Do not e-mail PHI unless using secure encrypted means. E-mail may be, but is not always, a secure form of data transmission
• Use caution in opening e-mail files from unknown sources to prevent a virus from entering the system; e-mail may be a secure form, but you can’t assume this
• Handle electronic media (floppy disk, CD, etc.) with care and follow appropriate disposal methods (tossing it in the garbage can is not one of these)
• Don’t access non-permitted information or give non-permitted information to unauthorized employees
HIPAA Training Documentation
Once you finish the presentation be sure to complete the two required forms. Documented successful completion of this on-line mandatory training is required to receive your computer access privileges. You must achieve no more than 3 wrong on the quiz and return both forms to H/R in order to get credit for successfully completing this training.

CHN HIPAA Security Quiz
• Click on the CHN HIPAA Security Quiz link.
• Print the form to your printer.
• Complete the information requested at the top of the quiz.
• Answer the questions.

Policy #20-033-1104 HIPAA (I/T) – Internet/Intranet Acceptable Use
• Click on the link to the policy.
• Read the policy.
• Print page 3 – the “Office Technology Use Agreement”.
• Fill in the info at the top of the agreement form and sign/date at the bottom.

Complete both items and return them to the applicable H/R Department PRIOR TO your first day of work.
Conclusion of Presentation

• Thank you for taking time today to review the HIPAA Security CHN Staff Training Presentation.
• Please use the “page down” key once more to end the presentation and then use the “BACK” button in your toolbar above to return to the HIPAA Security Training Index and continue the process.
• You will need to print both items (the CHN HIPAA Security Quiz and the Office Technology Use Agreement). Complete the quiz (must achieve no more than 3 wrong to pass) and fill out the agreement form.
• When finished with both, return them to the applicable H/R Department PRIOR TO your first day of work.