Chapter 12 Test 4 Flashcards
Protection of information from loss, unauthorized access, or misuse, along with protecting its confidentiality
Security
Protects PHI regardless of the medium on which it resides
Privacy rule
Protects electronic PHI (ePHI)
Security rule
Lack of alteration or destruction in an unauthorized manner
Integrity
Not made available or disclosed to unauthorized persons or processes
Confidentiality
HIPAA Security Rule Protects ePHI that is:
Created
Maintained
Transmitted
Received
HIPAA Security Rule required compliance date
April 2005
Small health plans date
April 2006
Changes included as part of HITECH (a portion of ARRA)
Passed by Congress in _______
February 2009
Enforcement of the Security Rule was assumed by the _________ in 2009 (taken over from Centers for Medicare and Medicaid Services)
Office for Civil Rights of HHS
PHI maintained or transmitted in electronic form
For example, tapes, disks, optical disks, hard drives, servers, Internet, private networks
Not included: voice mail messages, paper-to-paper faxes, copy machines
ePHI
HIPAA Security Rule: must be implemented
Required (R)
HIPAA Security Rule: must be implemented as the rule states, or implemented in an alternate reasonable manner, or documented (after risk analysis) that the risk does not exist or is negligible
Addressable implementation specifications cannot be ignored
Addressable (A)
Covered entities and BAs must use a ________ to decide which security measures to implement.
Risk analysis
__________ should be conducted to determine the cost of compliance.
Financial analysis
Implement policies and procedures to prevent, detect, contain, and correct security violations
Security Management Process
Identify a security official to develop and implement security policies and procedures to manage and supervise the use of security measures and the conduct of personnel in relation to protecting the data
Assigned Security Responsibility
Implement policies and procedures to ensure appropriate access to ePHI
Workforce Security
Implement policies and procedures authorizing access to ePHI
Information Access Management
Implement a security and awareness training program for all workforce members
Security Awareness Training
Implement policies & procedures to address security incidents
Security Incident Procedures
Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems containing ePHI
Contingency Plan
Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet HIPAA requirements
Evaluation
A covered entity may permit a BA to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances the BA will appropriately safeguard the information
Business Associate Contracts & Other Arrangements
Implement policies and procedures to limit physical access to electronic information systems and the facility(ies) in which they are housed, while ensuring that properly authorized access is allowed
Facility Access Controls
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
Workstation Use
Implement physical safeguards for all workstations that access ePHI, to restrict access to authorized users
Workstation Security
Implement policies and procedures that govern the receipt/removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility
Device and Media Controls
Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights
Access Controls
Implement hardware, software, or procedural mechanisms that record and examine activity in information systems that contain or use ePHI
Audit Controls
Implement policies and procedures to protect ePHI from improper alteration/destruction
Integrity
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed
Person or Entity Authentication
Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network
Transmission Security
Requires plan sponsor to reasonably and appropriately safeguard the confidentiality, integrity, and availability of ePHI
Group health plans
Implement ___________ to comply with the standards, implementation specifications, and other requirements
____________ may be changed at any time, as long as the changes are documented and implemented
Policies and Procedures
Requires maintenance of policies and procedures implemented to comply with the security rule in written form
Documentation
Unknowing violations fine amount
$100–$50,000/violation
Due to reasonable cause (and not willful neglect) fine amount
$1,000–$50,000/violation
Due to willful neglect and corrected within 30 days of discovery fine amount
$10,000–$50,000/violation
Due to willful neglect and not corrected as required fine amount
$50,000+/violation
Cap of ______ for each violation category
$1.5 million