HIPAA Security Standards - PowerPoint PPT Presentation


Transcript and Presenter's Notes

1
HIPAA Security Standards
  • Emmanuelle Mirsakov
  • USC School of Pharmacy

2
Overview
  • HIPAA: Health Insurance Portability and
    Accountability Act of 1996
  • Why Security?
  • Focus on Security rule vs. Privacy rule
  • Security rule applies only to EPHI, while the
    Privacy rule applies to PHI which may be in
    electronic, oral, and paper form.
  • Privacy is the Who, What, and When and
    Security is the How

3
Who Oversees HIPAA? The U.S. Department of
Health & Human Services
  • The Centers for Medicare and Medicaid Services
    oversees
    • Transactions and Code Sets
    • Standard Unique Identifiers
    • Security
  • Contact info
    • http://www.cms.hhs.gov/hipaa/hipaa2/
    • AskHIPAA@cms.hhs.gov
    • 1-866-282-0659
  • The Office for Civil Rights oversees
    • Privacy
  • Contact info
    • http://www.hhs.gov/ocr/hipaa/
    • OCRPrivacy@hhs.gov
    • 1-866-627-7748

4
Goals Of Security Rule
  • Confidentiality
    • EPHI is accessible only by authorized people and
      processes
  • Integrity
    • EPHI is not altered or destroyed in an
      unauthorized manner
  • Availability
    • EPHI can be accessed as needed by an authorized
      person

5
Parts of the Security Rule
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • Policies, Procedures and Documentation
    Requirements

6
Security Rule
  • The rule is technology neutral
  • The rule does not prescribe the use of specific
    technologies, so that the health care community
    will not be bound by specific systems and/or
    software that may become obsolete
  • The security rule is based on the fundamental
    concepts of flexibility, scalability and
    technology neutrality.

7
Security Standards
  • Administrative Safeguards
    • Administrative functions that should be
      implemented to meet the security standards
  • Physical Safeguards
    • Mechanisms required to protect electronic
      systems, equipment and the data they hold, from
      threats, environmental hazards and unauthorized
      intrusion.
  • Technical Safeguards
    • The automated processes used to protect data and
      control access to data

8
Technical Safeguards
  • Main parts
    • Access Control
    • Audit Control
    • Integrity
    • Person or Entity Authentication
    • Transmission Security

9
Access Control
  • The ability or the means necessary to read,
    write, modify, or communicate data/information or
    otherwise use any system resource
  • Access controls should enable authorized users to
    access minimum necessary information needed to
    perform job functions.

10
4 implementation specifications associated with
Access Controls
  • Unique user identification (required)
  • Emergency access procedure (required)
  • Automatic logoff (addressable)
  • Encryption and decryption (addressable)

11
Audit Controls
  • Implement hardware, software, and/or procedural
    mechanisms that record and examine activity in
    information systems that contain or use
    electronic protected health information.
  • Useful to determine if a security violation
    occurred
  • The security rule does not identify data that
    must be gathered by the audit controls or how
    often the audit reports should be reviewed (no
    implementation specifications)

12
Integrity
  • The property that data or information have not
    been altered or destroyed in an unauthorized
    manner
  • The integrity of data can be compromised by both
    technical and non-technical sources
  • Implementation specification
    • Implement electronic mechanisms to corroborate
      that EPHI has not been altered or destroyed in an
      unauthorized manner. (addressable)

13
Person or Entity Authentication
  • Implement procedures to verify that a person or
    entity seeking access to EPHI is the one claimed
  • Ways to provide proof of identity
    • Require something known only to that individual
      (password or PIN)
    • Require a smart card, token, or a key
    • Require a biometric (fingerprint, voice pattern,
      facial pattern, iris pattern)

14
Transmission Security
  • Implement technical security measures to guard
    against unauthorized access to EPHI that is being
    transmitted over an electronic communications
    network
  • This standard has 2 implementation
    specifications
    • Integrity Controls (addressable)
    • Encryption (addressable)

15
Implementation Specifications
  • Integrity Controls
    • Integrity in this context is focused on making
      sure that EPHI is not improperly modified during
      transmission
    • 1. Through the use of network communications
      protocols
    • 2. Data message authentication codes
  • Encryption
    • Implement a mechanism to encrypt EPHI whenever
      deemed appropriate
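The "data message authentication code" integrity control from this slide and the "electronic mechanisms to corroborate that EPHI has not been altered" specification from slide 12 can both be met with a keyed MAC over each record. The example below is added here and is not part of the presentation or of any Pro Pharma system; the key and the patient record are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example only; a real deployment provisions
# the key out of band and never hard-codes it.
SHARED_KEY = b"example-shared-key-not-for-production"

# Constructed, fictitious EPHI record used as sample input.
SAMPLE_RECORD = {"patient_id": "P-0001", "rx": "drug-X 10mg", "refills": 2}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: HMAC-SHA256 over the canonical record, sent alongside it."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(record: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the MAC and compare in constant time.

    A mismatch means the record was modified in transit (or by someone without
    the key); the MAC gives integrity and origin, not confidentiality, which is
    why the rule lists Encryption as a separate specification.
    """
    expected = tag_record(record, key)
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Returns (intact_verifies, tampered_verifies) for the sample record."""
    tag = tag_record(SAMPLE_RECORD)
    intact = verify_record(SAMPLE_RECORD, tag)
    # Simulate an in-transit alteration of one field; the original tag no longer matches.
    tampered = dict(SAMPLE_RECORD, refills=5)
    altered = verify_record(tampered, tag)
    return intact, altered


if __name__ == "__main__":
    print(demo())
```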

16
Pro Pharma Implementation
  • All hard drives can only be accessed by
    individuals with proper clearance by Pro Pharma
  • All employees have a unique user name and
    password
  • All employees are required to lock their station
    whenever they get up
  • Content filters allow Pro Pharma management to
    screen all incoming and outgoing e-mails for
    possible threats
  • Full virus protection is installed on every
    workstation
  • Network browsing is routed to a system that
    checks for threats
  • No employee has administrative rights to their
    local machine
  • No employees have domain administrative rights on
    the Pro Pharma domain
  • Every workstation is attached to a UPS power
    supply to protect from power failure or power
    surge

17
In Summary
  • Security rules are in place to enhance health
    information sharing and to protect patients
  • The Security rule technical safeguards are the
    technology related policies and procedures that
    protect EPHI and control access to it
  • Be cognizant of PHI, and follow Pro Pharma
    protocols

18
The Bright Side
  • Knock, knock. Who's there? HIPAA. HIPAA
    who? Sorry, I'm not allowed to disclose that
    information.

19
In Case You Needed More
20
Last One I Promise!