HIPAA Security Rule Flashcards
2 purposes of the Security Rule
- implement appropriate security safeguards to protect ePHI
- Protect an individual's health information
What does the Security Rule protect?
electronic PHI
Difference between Privacy and Security Rules
Privacy: protects PHI regardless of medium
Security: ePHI
Which office enforces the security rule?
Office for Civil Rights of HHS
What does it mean to “protect” the data?
CEs must ensure integrity and confidentiality
What is integrity?
Lack of alteration or destruction in an unauthorized manner
What is a key characteristic of the Security Rule?
It must be flexible
(NOTE: small orgs cannot implement the same as large orgs).
Security Rule: Required (R) implementation
Must be implemented as laid out
Security Rule: Addressable (A) implementation
Must be implemented as laid out OR in an alternate manner OR documented if not needed
Can addressable implementation specifications be ignored?
No
5 components of HIPAA Security Rule
A. General Requirements
B. Flexibility of Approach
C. Standards
D. Implementation Specifications
E. Maintenance
HIPAA Security Rule: A- General Requirements (4)
- ensure confidentiality and integrity
- protect ePHI from threats
- protect against reasonably anticipated ePHI uses/disclosures
- ensure workforce compliance
HIPAA Security Rule: B- Flexibility of Approach (4)
- CE size and complexity
- security capabilities
- cost of security measures
- risk management
HIPAA Security Rule: C- Standards Safeguards (5)
- Administrative
- Physical
- Technical
- Organizational Requirements
- Policies, Procedures and Documentation
Admin Safeguards (Security management process)
Implement procedures to prevent, detect, contain, and correct security violations
Ex:
- Risk analysis (R)
- Risk management (R)
- Sanction policy (R)
- Info system activity review (R)
Admin Safeguards (Security management process) - Sanction Policy
(R) Apply sanctions for non-compliance
Admin Safeguards (Security management process) - Info System Activity Review
(R) regular procedures to review system activity
Admin Safeguards (Assigned Security Responsibility)
(R) Identifying a security official responsible for developing and implementing security policies
Admin Safeguards (Workforce Security)
Policies to ensure appropriate access to ePHI
Ex:
- Authorization/Supervision (A)
- Clearance procedures (A)
- Termination procedures (A)
Administrative Safeguards: Info Access Management
Procedures authorizing access to ePHI
Ex:
- Isolate clearinghouse functions (R)
- access authorization (A)
- access establishment & modification (A)
Administrative Safeguards: Security Awareness Training
Implementing a security awareness and training program for workforce members
Ex:
- security reminders (A)
- login monitoring (A)
- Password management (A)
Administrative Safeguards: Security Incident Reporting
policies to address security incidents
Ex:
- Response & reporting (R)
Administrative Safeguards: Contingency Plan
Policies for responding to an emergency or other occurrence that may damage ePHI
Ex:
- Data backup plan (R)
- Disaster recovery (R)
- Emergency mode operation (R)
- Testing & revision procedures (A)
- Application and data criticality analysis (A)
Administrative Safeguards: Evaluation
Performing periodic technical and non-technical evaluations (R)
Administrative Safeguards: BA Contracts & Other Arrangements
CEs permit BAs to deal with ePHI on their behalf in a written contract
Three instances where BA cannot transmit ePHI
- transmission to provider for treatment
- transmission to a health plan
- transmission when the CE is a government health plan providing public benefits
4 categories of physical safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Physical Safeguards: Facility Access Controls
Limiting physical access to electronic information systems and the facilities in which they are housed
Ex:
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control and Validation Procedures (A)
- Maintenance Records (A)
Physical Safeguards: Workstation Use
Policies that specify the proper work functions to be performed at workstations (R)
Physical Safeguards: Workstation Security
Physical safeguards for workstations that access ePHI (R)
Physical Safeguards: Device and Media Controls
Policies that govern the receipt and removal of hardware and electronic media containing ePHI
Ex:
- Disposal (R)
- Media Re-Use (R)
- Accountability (A)
- Data Backup and Storage (A)
5 categories of Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
Technical Safeguards: Access Control
Implementing measures so that ePHI is accessed only by those who have been granted access rights
Ex:
- Unique User Identification (R)
- Emergency Access Procedures (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)
Technical Safeguards: Audit Controls
Measures that record/examine activity
Technical Safeguards: Integrity
Measures that protect ePHI from improper alteration or destruction
Ex:
- Mechanism to authenticate ePHI (A)
Technical Safeguards: Person or Entity Authentication
Measures to validate the identity of a person or vendor seeking access (R)
Technical Safeguards: Transmission Security
Measures to guard against unauthorized access to ePHI transmitted over an electronic communications network
Ex:
- Integrity controls (A)
- Encryption (A)
Two Categories of Organizational Requirements
- BA Contracts or other arrangements
- Group Health Plans
Organizational Requirements: BA Contracts or other arrangements Must Have (3)
- BA compliance
- subcontractors compliance
- reporting to CE of security incidents
Organizational Requirements: Group Health Plans
Requires plan sponsor to reasonably and appropriately safeguard ePHI
Ex:
- Plan Document (R)
Can policies and procedures be changed?
Yes, as long as the changes are documented
HHS Recommended Implementation Steps
- Assess current security and risks/gaps
- Develop a plan
- Implement solutions
- Document decisions
HIPAA Security Rule: Security Officer Designation
Individual assigned to be responsible for overseeing the information security program
HIPAA Security Rule: Part (e) - Maintenance
A continuing review of the reasonableness and appropriateness of a CE's or BA's (or subcontractor's) security measures
Patient Matching Errors
Information is mismatched or not included in a patient's record
Types of Security Threats (3)
- Human (internal vs external)
- Natural
- Environmental (internal vs external)
Examples of internal threats (2)
- lack of MFA
- victims of phishing
Examples of external threats (1)
- identity theft
Types of Medical Identity Theft (2)
- use without consent to obtain medical services
- Use to obtain money by falsifying claims
HITECH Act and Medical ID Theft Red Flags
Red flags to capture medical identity theft
Common Security Mechanisms (4)
- biometric identification
- automatic log off
- termination of access
- audit trail
Firewall protection
Hardware or software that examines traffic entering and leaving a network
Viruses: File Infectors
Attach to program files
Viruses: System or Boot-Record Infectors
Infect areas of hard disks or diskettes
Viruses: Macro Viruses
Infect the Microsoft Word application, inserting unwanted words or phrases
Viruses: Worm
Stores and replicates itself
Viruses: Trojan Horse
Destructive programming code that hides itself in another piece of programming code