hipaa security hipaa security
play

HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, - PowerPoint PPT Presentation

Jun 28, 2023 •222 likes •514 views

HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, UNC-CH Jack McCoy, ECU Jack McCoy, ECU Chad Bebout, UNC-CH Chad Bebout, UNC-CH Doug Brown, UNC-CH Doug Brown, UNC-CH What is this? What is this? Federal Regulations

  1. HIPAA Security HIPAA Security Jeanne Smythe, UNC-CH Jeanne Smythe, UNC-CH Jack McCoy, ECU Jack McCoy, ECU Chad Bebout, UNC-CH Chad Bebout, UNC-CH Doug Brown, UNC-CH Doug Brown, UNC-CH

  2. What is this? What is this?  Federal Regulations Federal Regulations… …  – August 21, 1996 August 21, 1996 – HIPAA Became Law  HIPAA Became Law  – October 16, 2003 October 16, 2003 – Transaction Codes and Identifiers Deadline  Transaction Codes and Identifiers Deadline  – April 14, 2003 April 14, 2003 – Privacy Deadline  Privacy Deadline  – April 21, 2005 April 21, 2005 – Security Deadline  Security Deadline 

  3. You’ ’ve ve got to have goals… You  Everyone who sees, hears or handles Everyone who sees, hears or handles  PHI must keep it confidential and PHI must keep it confidential and follow these rules, even if the follow these rules, even if the individual does not have direct individual does not have direct patient contact. patient contact.

  4. What is PHI? What is PHI?  Protected Health Information: Protected Health Information:  PHI is any health information that PHI is any health information that can be used to identify a patient and can be used to identify a patient and which relates to the patient, which relates to the patient, healthcare services provided to the healthcare services provided to the patient, or the payment for these patient, or the payment for these services. services.

  5. What is this? What is this? 40+ Pages of very fine print… … 40+ Pages of very fine print “164.306 Security standards: General rules. 164.306 Security standards: General rules. “ (a) General requirements. General requirements. Covered entities must do the Covered entities must do the (a) following: following: (1) Ensure the confidentiality, integrity, and availability (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered of all electronic protected health information the covered entity creates, receives, maintains, or transmits. entity creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or disclosures of such information that are not permitted or required under subpart E of this part. required under subpart E of this part. (4) Ensure compliance with this subpart by its (4) Ensure compliance with this subpart by its workforce.” ” workforce.

  6. What is this? What is this?  Safeguards and Standards Safeguards and Standards  – Administrative Administrative – – Physical Physical – – Technical Technical –  Implementation Specifications Implementation Specifications  – Required – Required (You have to do this)  (You have to do this)  – Addressable Addressable – (You still have to do this)  (You still have to do this) 

  7. Hot Topics Hot Topics  Risk Assessments Risk Assessments   Activity Review and Logs Activity Review and Logs   Awareness and Training Awareness and Training   PHI in Email PHI in Email   Wireless, Mobile Devices Wireless, Mobile Devices   Shadow copies, unmanaged PHI Shadow copies, unmanaged PHI   Encryption Encryption 

  8. Awareness and Training Awareness and Training “164.308(5)(i) Implement a security 164.308(5)(i) Implement a security “ awareness and training program for all awareness and training program for all members of its workforce (including members of its workforce (including management)… … management) (A) Security reminders… … (A) Security reminders (B) Protection from malicious software… … (B) Protection from malicious software (C) Log-in monitoring… … (C) Log-in monitoring (D) Password management…” …” (D) Password management

  9. Risk Management Risk Management “ 164.308 Administrative safeguards. 164.308 Administrative safeguards. “ (1)(a)(ii)(A) Risk analysis Risk analysis (Required). Conduct (Required). Conduct (1)(a)(ii)(A) accurate and thorough assessment of the accurate and thorough assessment of the potential risks and vulnerabilities to the potential risks and vulnerabilities to the confidentiality, integrity, and availability of confidentiality, integrity, and availability of electronic protected health information held by electronic protected health information held by the covered entity. the covered entity. (1)(a)(ii)(B) Risk management Risk management (Required). (Required). (1)(a)(ii)(B) Implement security measures sufficient to reduce Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and risks and vulnerabilities to a reasonable and appropriate level to comply with § § 164.306(a). 164.306(a).” ” appropriate level to comply with

  10. Risk Management Risk Management  Why do we need this? Why do we need this?   Who will accept the risks? Who will accept the risks?   What is the determination process? What is the determination process?   Who will be involved determination Who will be involved determination  process? process?

  11. Physical Security Physical Security  164.310 Physical safeguards. 164.310 Physical safeguards.  “Physical safeguards are physical Physical safeguards are physical  “  measures, policies, and procedures to measures, policies, and procedures to protect a covered entity's electronic protect a covered entity's electronic information systems and related information systems and related buildings and equipment, from natural buildings and equipment, from natural and environmental hazards, and and environmental hazards, and unauthorized intrusion.” ” unauthorized intrusion.

  12. Physical Security Physical Security  Facilities Facilities  – Access Control Access Control – – Policies and Documentation – Policies and Documentation  Systems Systems  – Servers & Servers & Workstations Workstations –  Media Media  – Removable Magnetic, CD- Removable Magnetic, CD-Rs Rs, Memory , Memory – Keys, etc. Keys, etc. – Surplused Surplused Systems Systems –

  13. Physical Security Physical Security  Equipment such as PCs, servers, Equipment such as PCs, servers,  mainframes, fax machines, and copiers mainframes, fax machines, and copiers must be afforded appropriate physical must be afforded appropriate physical controls. controls.  Computer screens, copiers, fax machines, Computer screens, copiers, fax machines,  and printers must be situated in such a must be situated in such a and printers way that they cannot be accessed or way that they cannot be accessed or viewed by the public. viewed by the public.  Computers must use password-protected Computers must use password-protected  screen savers. screen savers.

  14. Physical Security Physical Security  PCs that are used in open areas must PCs that are used in open areas must  be adequately secured to protect be adequately secured to protect against theft or unauthorized access. against theft or unauthorized access.  Servers and mainframes must be Servers and mainframes must be  contained in a secured area that is contained in a secured area that is capable of limiting and monitoring capable of limiting and monitoring physical access. physical access.  Sealed envelopes marked Sealed envelopes marked  “CONFIDENTIAL CONFIDENTIAL” ” should be used should be used “ when mailing PHI. when mailing PHI.

  15. Appropriate Disposal of Data Appropriate Disposal of Data  Procedures for the appropriate disposal apply to PHI Procedures for the appropriate disposal apply to PHI  and Confidential Information. and Confidential Information.  Hard copy materials such as paper or microfiche Hard copy materials such as paper or microfiche  must be properly shredded or placed in a secured must be properly shredded or placed in a secured bin for shredding later. bin for shredding later.  Magnetic media such as diskettes, tapes, or hard Magnetic media such as diskettes, tapes, or hard  drives must be degaussed (subjected to a strong drives must be degaussed (subjected to a strong magnetic field) or “ “electronically shredded electronically shredded” ” using using magnetic field) or approved software and procedures. approved software and procedures.  CD ROM disks must be rendered unreadable by CD ROM disks must be rendered unreadable by  shredding, defacing the recording surface, or shredding, defacing the recording surface, or breaking. breaking.  No PHI or CI should be placed in the regular trash! No PHI or CI should be placed in the regular trash! 

  16. Activity Review Activity Review  “ “164.306(a)(D) Information system  activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it

HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it

HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it from DUMATEK ! Get you HIPAA Security P&P and CND here! ONLY $5040.00 This solution becomes ongoing and proprietary to your company. HIPAA

107 views • 10 slides
Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy,

Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy,

Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy, Confidentiality & Security Subcommittee May 15, 2018 Beyond HIPAA Initiative Builds on NCVHSs past work and the work of other government and private

240 views • 10 slides
HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The

HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The

HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

575 views • 33 slides
EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau

EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau

EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau Chief, Information Security and Technology 1 What is HIPAA? 2 HIPAA What: Health Insurance Portability and How: Congress mandated the establishment

444 views • 9 slides
HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and

HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and

Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern | 12pm Central | 11am

793 views • 53 slides
Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement

Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement

Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement HIPAA Security 2 HIPAA & Research HIPAA & Research 4 HIPAA & Research PHI Disclosure for PHI Use for Research Research

752 views • 59 slides
HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security Officer NewYork-Presbyterian Hospital The Use of Electronic Technology in Healthcare Over the past decade the health care industry began to rely

256 views • 14 slides
HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data

HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data

Presenting a live 90 minute webinar with interactive Q&A HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches THURS DAY, MAY 5, 2011 1pm Eastern

836 views • 56 slides
Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA

Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA

Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA initially went into effect April 14, 2003 HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

284 views • 25 slides
Beyond HIPAA: Stewardship By Design as applied to data, device, and app exemplars NCVHS

Beyond HIPAA: Stewardship By Design as applied to data, device, and app exemplars NCVHS

Beyond HIPAA: Stewardship By Design as applied to data, device, and app exemplars NCVHS Subcommittee on Privacy, Confidentiality and Security September 2018 Beyond HIPAA Initiative Builds on NCVHSs past work and the work of other

189 views • 15 slides
and Security Training 2016 for Instructors and Students Authored by: Office of HIPAA

and Security Training 2016 for Instructors and Students Authored by: Office of HIPAA

Information Privacy and Security Training 2016 for Instructors and Students Authored by: Office of HIPAA Administration Objectives After you finish this Computer-Based Learning (CBL) module, you should be able to: Define privacy practices

827 views • 37 slides
and Security Training 2017 for Instructors and Students Authored by: Office of HIPAA

and Security Training 2017 for Instructors and Students Authored by: Office of HIPAA

Information Privacy and Security Training 2017 for Instructors and Students Authored by: Office of HIPAA Administration Objectives After you finish this Computer-Based Learning (CBL) module, you should be able to: Define privacy practices

691 views • 37 slides
Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to obtaining a persons medical records for court proceedings and law enforcement purposes. A) Entities covered by HIPAA The medical records of a patient

405 views • 6 slides
HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c.

HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c.

HIPAA COW Webinar: HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c. HIPAA COW Webinar November 11, 2010 Presentation Overview TOP 3 HIPAA Compliance Risks Unauthorized Use and Disclosure of

522 views • 28 slides
HIPAA PRIVACY POLICIES & PROCEDURES Department of Behavioral Health and Developmental

HIPAA PRIVACY POLICIES & PROCEDURES Department of Behavioral Health and Developmental

HIPAA PRIVACY POLICIES & PROCEDURES Department of Behavioral Health and Developmental Services DBHHDS GENERAL AWARENESS TRAINING March 2012 HIPAA Humor (North Dakota Dept of Health) 2 HIPAA-Ectomy - the removal of individual

1.19k views • 61 slides
HIPAA SECURITY SPOT AUDITS BEGIN: CHICKEN LITTLES AND ANNUAL LITTLES AND ANNUAL TRADITIONS

HIPAA SECURITY SPOT AUDITS BEGIN: CHICKEN LITTLES AND ANNUAL LITTLES AND ANNUAL TRADITIONS

2/21/2012 HIPAA SECURITY SPOT AUDITS BEGIN: CHICKEN LITTLES AND ANNUAL LITTLES AND ANNUAL TRADITIONS KENNETH N. RASHBAUM, ESQ. RASHBAUM ASSOCIATES, LLC www.rashbaumassociates.com BREACHES MUNDANE AND COMPLEX Increasing Incidents Of

418 views • 6 slides
CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS

CYBERSECURITY RISK ASSESSMENT AND PENETRATION TESTING FOR BOCES PARTICIPATING SCHOOL DISTRICTS RFP #2416 OUR DIFFERENTIATORS Global Risk Atlantic has a deep understanding of Risk Assessment and Penetration Testing on a Assessment global

519 views • 7 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br

Securing Networks in the Programmable Data Plane Era Luciano Gaspary paschoal@inf.ufrgs.br Instituto de Informtica UFRGS Securing Networks in the Programmable Data Plane Era Network softwarization : the first wave P4 programs are

607 views • 12 slides
Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015,

Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015,

Massively distributed intrusions detection : goals, challenges and possible solutions. SEC2 2015, Lille Michal Hauspie CRIStAL, CNRS UMR 9189 quipe 2XS . . . . . . . . . . . . . . . . . . . . . . . . . . . .

643 views • 40 slides
Yihua Liao, V. Rao Vemuri Mingxing Gong CISC850 Cyber Analytics Outline Introduction

Yihua Liao, V. Rao Vemuri Mingxing Gong CISC850 Cyber Analytics Outline Introduction

Use of K-Nearest Neighbor classifier for intrusion detection Yihua Liao, V. Rao Vemuri Mingxing Gong CISC850 Cyber Analytics Outline Introduction Methodology Experiments Discussion & Conclusion Outline Introduction

455 views • 19 slides
PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased Higher

PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased Higher

Kaspersky Endpoint Security 8 Control Technologies PAGE 1 Youre in c ontrol. Youre in the drivers seat. . Applications Devices Web content filtering PAGE 2 The Need for New Levels of Protection Business Drivers Greater Increased

457 views • 20 slides
De Deli livering ering Sustainable stainable Val alue ue Invest estor Presen enta tati

De Deli livering ering Sustainable stainable Val alue ue Invest estor Presen enta tati

De Deli livering ering Sustainable stainable Val alue ue Invest estor Presen enta tati tion on Augus ust t 2012 Certain of the statements made in this Presentation may contain forward-looking statements within the meaning of the

762 views • 48 slides
Cyb yber er Sec ecurity rity @ UN @ UNC Industr stry y Based ed Broadening dening

Cyb yber er Sec ecurity rity @ UN @ UNC Industr stry y Based ed Broadening dening

Cyb yber er Sec ecurity rity @ UN @ UNC Industr stry y Based ed Broadening dening Information rmation Operat rations ns Denni nis s Schmid idt Assistant Vice Chancellor for Information Security and Privacy and Chief Information

624 views • 38 slides

More recommend