Chapter 12 Test 4 Flashcards
Protection of information from loss, unauthorized access, or misuse, along with protecting its confidentiality
Security
Protects PHI regardless of the medium on which it resides
Privacy rule
Protects electronic PHI (ePHI)
Security rule
Lack of alteration or destruction in an unauthorized manner
Integrity
Not made available or disclosed to unauthorized persons or processes
Confidentiality
HIPAA Security Rule protects ePHI that is:
Created
Maintained
Transmitted
Received
HIPAA Security Rule required compliance date
April 2005
Small health plans date
April 2006
Changes included as part of HITECH (a portion of ARRA)
Passed by Congress in _______
February 2009
Enforcement of the Security Rule was assumed by the _________ in 2009 (taken over from Centers for Medicare and Medicaid Services)
Office for Civil Rights of HHS
PHI maintained or transmitted in electronic form
For example, tapes, disks, optical disks, hard drives, servers, Internet, private networks
Not included: voice mail messages, paper-to-paper faxes, copy machines
ePHI
HIPAA Security Rule: must be implemented
Required (R)
HIPAA Security Rule: must be implemented as the rule states, or in an alternate manner, or it must be documented that the risk does not exist or is negligible
Addressable implementation specifications cannot be ignored
Addressable (A)
Covered entities and BAs must use a ________ to decide which security measures to implement.
Risk analysis
__________ should be conducted to determine the cost of compliance.
Financial analysis
Implement policies and procedures to prevent, detect, contain, and correct security violations
Security Management Process
Identify a security official to develop and implement security policies and procedures to manage and supervise the use of security measures and the conduct of personnel in relation to protecting the data
Assigned Security Responsibility
Implement policies and procedures to ensure appropriate access to ePHI
Workforce Security
Implement policies and procedures authorizing access to ePHI
Information Access Management
Implement a security and awareness training program for all workforce members
Security Awareness Training
Implement policies and procedures to address security incidents
Security Incident Procedures
Establish policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems containing ePHI
Contingency Plan
Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which an entity's security policies and procedures meet HIPAA requirements
Evaluation
A covered entity may permit a BA to create, receive, maintain, or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances the BA will appropriately safeguard the information
Business Associate Contracts & Other Arrangements