Security in Higher Education - UA College of Community


University Medical Center
HIPAA Privacy and Security Training
Compliance is Everyone’s Job
UMC’s HIPAA Privacy/Security Officer: Jan Chaisson
[email protected]
348-1231
Topics to Cover
• General HIPAA Privacy and Security Overview
• HIPAA Privacy
  – Use and Disclosure of PHI
  – Notice of Privacy Practices
  – Authorization Form
  – Accounting for Disclosures
  – Business Associate Agreements
• HIPAA Security
  – Security and Other Related UA Policies
  – Access Controls
  – Contingency Planning
  – Audit Controls
  – Reporting Breaches & Security Incidents
• Questions/Acknowledgment of Training
INTERNAL USE ONLY
2
What is HIPAA?
• The Health Insurance Portability and
Accountability Act
• Law passed to ease the movement of
healthcare data between providers.
• Privacy and Security regulations must be
followed by a “Covered Entity”
Applicability of HIPAA to UA
• UA is a “Hybrid Entity” – Only A Few Areas Must Comply
– HIPAA Applies to UA’s Covered “Health Care Components”:
• University of Alabama Medical Center
• Brewer-Porch Children's Center
• The Speech & Hearing Center
– HIPAA Applies to UA’s Covered Health Plans
• UA Group Health Insurance/Flexible Spending Plan/Other (EAP)
• Also applies to Administrative Departments supporting any of
these covered entities (like Legal Office, Auditing, Financial
Affairs, UA Privacy/Security Officer, etc.)
What is Protected Health Information (PHI)
• Any information, maintained in any medium, including
demographic information
• Created/received by covered entity
• Relates to/describes physical/mental health or payment
for healthcare
• Can be used to identify the patient
Some Records are not PHI:
• Student records that fall under the Family
Educational Rights and Privacy Act (FERPA).
• Medical records, exempt from FERPA, of students 18
or over attending UA and that are made or
maintained by a health care provider and used only
to treat the student and disclosed only to individuals
providing the treatment.
• The University’s employment records.
• Not PHI if you de-identify by removing all of the 18
identifiers
Data to Remove to De-Identify Patient Information
• Names
• Geographic subdivisions smaller than state (address, city,
county, zip)
• All elements of DATES (except year) including DOB, admission,
discharge, death, ages over 89
• Telephone, fax, SSN#s, VIN, license plate #s
• Med record #, account #, health plan beneficiary #
• Certificate/license #s
• Email address, IP address, URLs
• Biometric identifiers, including finger & voice prints
• Full face photographic and comparable images
• Any other unique identifying #, characteristic, or code
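The following is an added example, not part of the UMC training material, showing how the identifier list above can be applied to a patient record in Python. The flat record layout, the field names, the "90+" bucket for ages over 89, and the regular expressions used to catch identifiers that leak into free-text notes are all assumptions for this illustration; the sample record in the test is constructed.

```python
"""Safe Harbor style de-identification of a patient record.

Added example, not part of the UMC training deck. The flat record schema
and field names below are assumptions made for this illustration."""
import re
from datetime import date, datetime

# Fields the slide lists as direct identifiers: dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "zip",          # geography below state
    "phone", "fax", "ssn", "vin", "license_plate",
    "mrn", "account_no", "health_plan_id", "certificate_no",
    "email", "ip_address", "url", "biometric", "photo", "device_id",
}
# Date fields: reduced to the year only.
DATE_FIELDS = {"dob", "admission_date", "discharge_date", "death_date"}

# Patterns for identifiers that tend to leak into free-text fields (assumed).
RESIDUAL_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("URL", re.compile(r"https?://\S+")),
    ("DATE", re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")),
]


def year_only(value):
    """Return the year of a date value as a string, or None if unparseable."""
    if isinstance(value, (date, datetime)):
        return str(value.year)
    m = re.match(r"^(\d{4})", str(value))
    return m.group(1) if m else None


def scrub_text(text):
    """Redact residual identifier patterns in free text; report what was found."""
    found = []
    for label, pattern in RESIDUAL_PATTERNS:
        text, hits = pattern.subn(f"[{label}]", text)
        if hits:
            found.append(label)
    return text, found


def de_identify(record):
    """Return a copy of `record` with the Safe Harbor identifier classes removed."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                         # drop direct identifiers entirely
        if key in DATE_FIELDS:
            year = year_only(value)
            if year is not None:             # unparseable dates are dropped, not kept
                out[key] = year
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value
        elif isinstance(value, str):
            out[key], _ = scrub_text(value)  # catch identifiers hiding in free text
        else:
            out[key] = value
    return out
```

The free-text scrub is the part most often missed: a record whose name and MRN fields are gone is still identifiable if the clinical notes contain a phone number or an e-mail address, so the scrub runs over every remaining string field, and a date that cannot be reduced to a year is dropped rather than passed through.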
HIPAA Privacy & Security Work Together
• Privacy Rule applies to all PHI of covered entity and
sets rules for use or disclosure of PHI, and gives
person certain rights to PHI—requires entity to
safeguard PHI
• Security Rule applies to PHI in electronic form (EPHI)
and requires various safeguards to protect the
confidentiality, integrity and availability of EPHI
HIPAA Privacy & Security Work Together
• Confidentiality ensures the protection of data during all aspects of its life. This includes
data at rest on computers, data in transit between computers and destruction of data
when no longer needed or the asset holding the data is no longer needed. Remember
the rule of “Least Privilege” – users should have access to the data they need to perform
their jobs and nothing else.
• Integrity is upheld when we are confident that the data is maintained in an accurate
manner free of unauthorized modification. This requires controls to be in place for the
hardware, software and network components to ensure that the data is free of any
possible interception and/or unauthorized changes.
• Availability provides the necessary capacity and performance to access data in a
predictable manner. Appropriate protection mechanisms should be in place to prevent
attacks both from the inside and the outside that could jeopardize Availability.
Environmental issues can also affect availability such as heat, cold, humidity, static
electricity and contamination.
HIPAA Security/Privacy Rule Penalties
• State Breach of Privacy Claims
• DOJ-Imposed Criminal Penalties for the Employee:
– Wrongfully Accessing or Disclosing PHI: Fines up to $50,000 and up to 1
Year in Prison.
– Obtaining PHI Under False Pretenses: Fines up to $100,000 and up to 5
Years in Prison.
– Wrongfully Using PHI for a Commercial Activity: Fines up to $250,000
and up to 10 Years in Prison.
• Federal-Imposed Civil Penalties for UA:
– Up to $100 per violation
– Each Name in a Data Set Can Be a Violation. Not to Exceed $25,000 Per
Calendar Year.
– Feds have six years from occurrence to initiate civil penalty action
UA HIPAA Sanctions
• UMC Employees who do not follow Privacy and
Security Policies and related workplace rules and
policies are subject to disciplinary action, up to and
including dismissal
• Type of sanction depends on severity of violation,
intent, pattern/practice of improper activity, etc.
• Sanction records maintained 6 years
• Possible notification to Enforcement Officials
General Rule for Use and Disclosure of PHI
• A covered entity can always use and disclose PHI for
any purpose if it gets the person’s written
authorization.
• HIPAA requires certain components to be in the
authorization in order for it to be valid.
• There are many exceptions to the requirement for
authorization.
Exceptions:
• No authorization is needed if for Treatment, Payment
and Healthcare Operations (TPO).
• PHI (except psychotherapy notes) may be
used/disclosed for the covered entity’s own TPO.
• PHI may be disclosed to other covered entities or
health care providers for the payment activities of the
entity that receives the information, such as an
ambulance company.
• PHI may be disclosed to another covered entity or
health care provider for its health care operations,
under limited circumstances.
No Authorization is Required to Disclose to Business
Associates
• PHI may be disclosed to a Business Associate (BA)
if UMC has executed a Business Associate
Agreement with that organization or vendor.
• Regulations define who qualifies as a BA.
• Each UA Health Care Provider must maintain
records of whom it identifies as a Business
Associate, and must ensure agreements are in
place.
No Authorization is Needed to Disclose PHI:
• When required (not permitted) by law;
• To Public Health/Legal Authorities charged with
preventing and controlling disease, disability or injury;
• To FDA to ensure quality, safety, or effectiveness of FDA-regulated products;
And:
• To persons who may have been exposed to
communicable disease or may be at risk of contracting
or spreading a disease;
• To entities charged with overseeing victims of abuse,
neglect or domestic violence, consistent with reporting
obligations;
• To a health oversight agency for activities authorized by
law (gov’t. licensing or accreditation agencies)
And:
• In response to a Court order;
• In response to a subpoena that meets certain
requirements (always check with the Legal Office);
• Law enforcement officials seeking to identify a suspect,
witness, or victim of a crime;
• Coroners/medical examiners/funeral directors to
identify a deceased person or determine a cause of
death;
• Organizations handling organ, eye or tissue donation;
And:
• To prevent/lessen a serious and imminent threat to
patients’ or others’ health and safety;
• To military command authorities and federal officials
for intelligence and national security activities;
• To comply with workers compensation laws;
• Facility directories, if asked by name.
• Individuals involved in patient’s care or payment.
• Persons involved in disaster relief.
HIPAA requires UA’s health care providers to:
• Provide Notice to individuals of privacy practices
• Authorization Forms
• Control access
• Account for use and disclosures
• Manage complaints
• Have a privacy officer
• Conduct training
• Provide sanctions
• Develop Business Associate Agreements
• Have policies and procedures
Under HIPAA, Patients Have the Right to:
• Receive Notice of Health Information Practices.
• Authorize use of their data.
• Request access to their data.
• Request an accounting of the uses and disclosures of
their data.
• Request amendment and corrections to their data.
• Request restrictions on use of data.
• File a complaint.
UA Must Meet the Minimum Necessary Standard
• Providers should disclose or use only the minimum
necessary amount of PHI in order to do their jobs.
• Minimum necessary does not apply to:
  1. Disclosures used for treatment;
  2. To the individual who is the subject of the disclosure;
  3. When a valid HIPAA authorization is signed;
  4. Uses and disclosures required by law;
  5. Disclosures to HHS.
Incidental Disclosures are Permitted if:
• They cannot be reasonably prevented;
• Are limited in nature;
• Are a by-product of otherwise permitted use; and
• The Covered Entity has established “reasonable
safeguards” to ensure only necessary information is
disclosed.
Incidental Uses and Disclosures Include:
• Waiting room sign-in sheets
• Patient charts at bedside
• Physician conversations with patients in semi-private
room
• Physicians conferring at nurses’ stations.
What HIPAA Did Not Change:
• Family and friends can still pick up prescriptions for
sick people.
• Physicians and Nurses do not have to whisper.
• State laws still govern the disclosure of minors’
health information to parents (a minor is under the
age of 19 in Alabama).
UA’s Covered Health Care Providers are Required to Have and Use:
1. Notice of Privacy Practices
2. Authorization Forms
3. Accounting for Disclosures
4. Business Associate Agreements
UA has developed template forms and policies for
its health care components/health plans.
1. Notice of Privacy Practices
• Notice of patient’s rights with respect to PHI and our
privacy practices.
• We must make a good faith effort to obtain the
patient’s written acknowledgement at the time of
receipt of the Notice of Privacy Practices, except in
emergency circumstances.
• Each patient must receive a Notice of Privacy
practices no later than the date of first service
delivery.
The Notice of Privacy Practices:
• Must list each type of disclosure that may be made
by the covered entity and distinguish between those
that are made pursuant to law and those that are
not.
2. The Authorization Form
• An Authorization Form is required for the use and
disclosure of PHI for business-related purposes other
than Treatment, Payment, and Operations and other
than the permitted exceptions.
• Authorizations are always required to disclose
psychotherapy notes in order to give psychotherapy
notes stronger protections.
Psychotherapy Notes
• Must be kept separately from the patient’s medical
record.
• Consists of the “process notes” that the therapist
makes about counseling sessions.
• Does not include summary information used for
treatment such as symptoms, summary notes,
diagnosis, and medications.
Authorization Required for Marketing
• UA is prohibited from using or disclosing PHI for
marketing purposes without the patient’s express
authorization.
• Prohibited from selling patient lists to third parties.
• CAN talk with patients about our treatment options,
and have common health care communication about
wellness, prescription refill reminders, therapies, and
appointment notifications without an authorization.
Authorization for Marketing:
• Must disclose if UA is receiving benefits or payment
from any third party receiving the patient’s
information.
3. Accounting For Disclosures
• Individuals have the right to receive an accounting
of disclosures of PHI made by UA (even to our
Business Associates), except for:
– Disclosures made to carry out Treatment, Payment and
health care Operations;
– PHI provided to the patient about them;
– PHI disclosed to family members or friends involved in
a patient’s care;
– Disclosures made pursuant to authorization
UA has designed forms for tracking disclosures.
4. Business Associate Agreements
• BA performs specific tasks involving the
use/disclosure of PHI on our behalf, such as billing,
legal services, and accreditation.
• Agreement requires BA to
– not use/disclose PHI except as necessary to perform duties
on our behalf
– safeguard PHI and ePHI
– report security incidents/breaches of confidentiality
– log/track its disclosures of PHI.
• UA has a BAA Template, which Legal has approved
• If UA is the BA, Legal should review agreement
HIPAA Put New Requirements on Research:
• If you work for a Health Care Provider under HIPAA, do
not release PHI for research unless:
– The patient has signed a valid HIPAA authorization, or
– The IRB at UA has approved a waiver of authorization; or
– The IRB agrees that an exception applies.
Separate training on HIPAA & Research is available through
the Privacy Office.
Security Standards – General Rules
• HIPAA security standards ensure the confidentiality, integrity,
and availability of PHI created, received, maintained, or
transmitted electronically (ePHI – Electronic Protected Health
Information) by and with all facilities.
• Protect against any reasonably anticipated threats or hazards to
the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures
of such information that are not permitted
The HIPAA Security Rule Requires…
HIPAA Security Policy Documents
• General Security Requirements
• Risk Analysis and Management
• HIPAA Security Sanction Policy
• Information System Activity Review
• Named Security Officer
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Protection from Malicious Software
• Security Incident Procedures
• Contingency Planning
• Facility Access Controls
• Workstation Use and Security
• Device and Media Controls
• Media Reallocation and Disposal
• Access Controls
• Audit Controls
• Data Authentication
• Person or Entity Authentication
• Transmission Security
Managing Access to Information
• Access to UMC’s computer systems and information is based on your work
duties and responsibilities with UMC
• Access privileges are limited to only the minimum necessary information you
need to do your work
• Access to an information system does not automatically mean that you are
authorized to view or use all the data in that system
• Different levels of access to EPHI for different personnel are intentional!
  – Physician access is for physicians
  – Nursing access is for nursing
  – Student access is for students
• Access in one capacity may not permit access in another capacity
• If job duties change, clearance levels for access to EPHI are re-evaluated
• Access is eliminated if an employee is terminated
• Accessing EPHI for which you are not cleared or for which there is no job-related purpose will subject you to sanctions!
Information Access Control
• Do not allow unauthorized persons into restricted areas where
access to PHI or ePHI could occur
• Arrange computer screens so they are not visible to
unauthorized persons and/or patients; use security screens in
areas accessible to public
• Log in with password, log off prior to leaving work area, and do
not leave computer unattended
• Close files not in use/turn over paperwork containing PHI
• Do not duplicate, transmit, or store PHI without authorization
• Storage of PHI on removable devices (Disk/CD Rom/DVD/
Thumb Drives) is prohibited without prior authorization
Password Management
• Do not allow coworkers to use your computer without first logging off
your user account
• Do not share passwords or reuse expired passwords
• Use passwords that cannot be easily guessed (B’day, pets, kids)
• Choose new passwords when they must be reset
• Do not write down passwords that could provide access to EPHI
• Change password if you suspect anyone else knows it
• Change passwords or delete accounts when employees are transferred or
terminated
• Pick good passwords – Recommendations for good passwords:
  – 7 characters long
  – 3 of 4 data types – Upper, Lower, Numeric and Special Character
  – Change periodically
  – Good password scheme is critical for complex passwords – R0llt!de (don’t use
this, just an example)
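As an added example, not part of the UMC training material, the checks below turn the recommendations on this slide into code: minimum length, three of the four character types, rejection of easily guessed personal words, and rejection of expired passwords. The personal-word list is supplied by the caller, and the expired-password history is assumed to be kept as salted PBKDF2 hashes rather than in clear text; the passwords used in the test are constructed for illustration.

```python
"""Password policy checks following the slide's recommendations.

Added example, not part of the UMC training deck. The personal-word list and
the PBKDF2 parameters for the expired-password history are assumptions."""
import hashlib
import hmac
import os

MIN_LENGTH = 7      # slide: 7 characters long
MIN_CLASSES = 3     # slide: 3 of the 4 character types
PBKDF2_ROUNDS = 200_000


def character_classes(password):
    """Which of the four classes (upper, lower, numeric, special) are present."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("numeric")
        else:
            classes.add("special")
    return classes


def hash_password(password, salt=None):
    """Salted PBKDF2 hash: the form in which expired passwords should be kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_history(password, history):
    """True if the candidate equals any previously used password (compared via hashes)."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password, personal_words=(), history=()):
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH} characters)")
    if len(character_classes(password)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} of the 4 character types")
    lowered = password.lower()
    for word in personal_words:           # birthdays, pet and family names, etc.
        if len(word) >= 3 and word.lower() in lowered:
            problems.append(f"contains a guessable personal word: {word}")
    if matches_history(password, history):
        problems.append("reuses an expired password")
    return problems
```

The history check never stores or compares clear-text passwords: each expired password is kept only as a salt and a PBKDF2 digest, and the candidate is hashed with the same salt and compared in constant time.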
Log-in Monitoring by Security Officer
• Look for Inappropriate Access – Outside Normal Classification
• Monitor Logs for Brute Force Attacks
– Same ID, Multiple Password Guesses
– Multiple ID/Password Attempts That Fail
– Multiple Attempts to Log-in to Administrative Accounts
• Log-in Outside Normal Hours
• Multiple Log-ins With Same ID
• Significant findings are recorded and presented to management
and safeguards adjusted based on findings
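As an added example, not part of the UMC training material, the script below runs the checks listed on this slide over a handful of constructed authentication log lines: repeated password failures against one ID, many different IDs failing from one source, repeated attempts against administrative accounts, log-ins outside normal hours, and one ID logged in from more than one place. The log line format, the administrative account names, the business-hours window and the thresholds are all assumptions for this illustration.

```python
"""Log-in monitoring checks over authentication log lines.

Added example, not part of the UMC training deck. The log line format, the
admin account names and the thresholds are assumptions for this illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example.
SAMPLE_LOG = """\
2024-03-04T09:02:11 LOGIN OK   user=nurse01 src=10.1.2.10
2024-03-04T09:05:40 LOGIN FAIL user=nurse02 src=10.1.2.10
2024-03-04T09:05:44 LOGIN FAIL user=nurse02 src=10.1.2.10
2024-03-04T09:05:49 LOGIN FAIL user=nurse02 src=10.1.2.10
2024-03-04T09:05:53 LOGIN FAIL user=nurse02 src=10.1.2.10
2024-03-04T09:05:58 LOGIN FAIL user=nurse02 src=10.1.2.10
2024-03-04T09:10:01 LOGIN FAIL user=alice src=192.0.2.7
2024-03-04T09:10:03 LOGIN FAIL user=bob src=192.0.2.7
2024-03-04T09:10:05 LOGIN FAIL user=carol src=192.0.2.7
2024-03-04T09:10:07 LOGIN FAIL user=dave src=192.0.2.7
2024-03-04T09:10:09 LOGIN FAIL user=erin src=192.0.2.7
2024-03-04T09:11:00 LOGIN FAIL user=admin src=192.0.2.7
2024-03-04T09:11:30 LOGIN FAIL user=admin src=192.0.2.7
2024-03-04T09:12:00 LOGIN FAIL user=admin src=192.0.2.7
2024-03-04T02:40:00 LOGIN OK   user=billing03 src=10.1.5.2
2024-03-04T10:00:00 LOGIN OK   user=dr_smith src=10.1.2.20
2024-03-04T10:03:00 LOGIN OK   user=dr_smith src=10.1.9.99
"""

LINE_RE = re.compile(r"^(\S+) LOGIN (OK|FAIL)\s+user=(\S+) src=(\S+)$")
ADMIN_ACCOUNTS = {"admin", "root", "sysadmin"}   # assumed privileged account names
BUSINESS_HOURS = (7, 19)                         # assumed normal hours, 07:00-18:59


def parse_log(text):
    """Turn log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts),
                           "ok": outcome == "OK", "user": user, "src": src})
    return events


def burst(times, window, threshold):
    """True if at least `threshold` timestamps fall within any `window`-long span."""
    times = sorted(times)
    lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def analyze(events, window=timedelta(minutes=5), threshold=5):
    """Apply the slide's checks and return a sorted list of findings."""
    findings = []
    fails_by_user = defaultdict(list)
    failed_users_by_src = defaultdict(set)
    ok_srcs_by_user = defaultdict(set)

    for e in events:
        if e["ok"]:
            ok_srcs_by_user[e["user"]].add(e["src"])
            if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
                findings.append({"kind": "after_hours_login", "subject": e["user"],
                                 "detail": f"{e['ts']} from {e['src']}"})
        else:
            fails_by_user[e["user"]].append(e["ts"])
            failed_users_by_src[e["src"]].add(e["user"])

    for user, times in fails_by_user.items():
        # Same ID, many password guesses in a short window
        if burst(times, window, threshold):
            findings.append({"kind": "brute_force_same_id", "subject": user,
                             "detail": f"{len(times)} failures"})
        # Repeated attempts against administrative accounts
        if user in ADMIN_ACCOUNTS and len(times) >= 2:
            findings.append({"kind": "admin_account_attempts", "subject": user,
                             "detail": f"{len(times)} failures"})
    for src, users in failed_users_by_src.items():
        # Many different IDs failing from one source
        if len(users) >= threshold:
            findings.append({"kind": "many_ids_failing_from_source", "subject": src,
                             "detail": f"{len(users)} distinct IDs"})
    for user, srcs in ok_srcs_by_user.items():
        # Same ID logged in from more than one place
        if len(srcs) > 1:
            findings.append({"kind": "multiple_logins_same_id", "subject": user,
                             "detail": ", ".join(sorted(srcs))})
    return sorted(findings, key=lambda f: (f["kind"], f["subject"]))


def finding_pairs(findings):
    """(kind, subject) pairs, convenient for comparing results."""
    return {(f["kind"], f["subject"]) for f in findings}


if __name__ == "__main__":
    for f in analyze(parse_log(SAMPLE_LOG)):
        print(f"{f['kind']:30} {f['subject']:12} {f['detail']}")
```

Each finding is something the slide says gets recorded and presented to management; the thresholds are the knobs that get adjusted once the findings are reviewed, and the sliding window in burst() is what separates a burst of guesses from ordinary mistyped passwords spread over a shift.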
Protection from Malicious Software
• Malicious software can be thought of as any virus, worm, malware, adware, etc.
• As a result of an unauthorized infiltration, ePHI and other data can be damaged or
destroyed
• Practice good PC hygiene
  – Automatic patch update for your Operating System
  – Install and use a good anti-virus/anti-spyware software package and set updates to daily and a
full system scan once a week
  – If possible, enable firewall protection for your PC
• Notify your supervisor, system support representative, and/or security officer
immediately if you believe your computer has been compromised or infected with a
virus—do not continue using the computer until resolved.
• Do not disable anti-virus software on individual workstations
• Do not open e-mail or attachments from an unknown, suspicious, or untrustworthy
source or if the subject line is questionable or unexpected—DELETE THEM
IMMEDIATELY
Use of Technology
• Email, internet use, fax and telephones are to be used for UA business
purposes (see UA policies)
• No ePHI is permitted to leave facility in any format without prior approval
• Email should never be used to communicate PHI without being encrypted
• We must be sure electronically transmitted ePHI is not improperly
modified without detection
• Fax of PHI should only be done when the recipient can be reliably
identified
• Verify fax number and recipient before transmitting
• Uploading of PHI for instruction or communication is prohibited w/o prior
approval and demonstration of appropriate de-identification procedures
General Misuse of Workstations
• Do not misuse e-mail privileges by sending and forwarding non-business
related mass e-mails, chain e-mails and junk e-mail
• Do not misuse internet privileges by spending excessive time on the internet
for non-work related business or accessing inappropriate sites
• Do not download, install, or run unauthorized software
• Do not use non-work related chat rooms and instant messaging programs at
work
• Do not knowingly enable an external/remote party to gain unauthorized access
to, or control of, any device, application, or system on the data networks
• Only individuals with administrative responsibilities or their designee may be
granted access to the e-mail account of a former employee or vendor
Links to UA Policies
• Network and Computing Support Policies:
http://ncs.ua.edu/policies/index.html
• Electronic Media Policy:
http://www.hr.ua.edu/empl_rel/policymanual/electronic-media.htm
• University of Alabama General Policies:
http://policies.ua.edu/
Media Reallocation and Disposal
• All computers, disks, removable storage devices must be
properly cleaned/erased before transfer or disposal
– No computer or disk/CD Rom/DVD or any other removable storage device
should leave the facility for disposal/transfer without ensuring that ePHI
has been properly cleaned
– Do not throw away a disk/CD Rom/DVD or any other removable storage
device containing ePHI
– Do not transfer computers to another department before taking steps to
ensure that any ePHI has been PROPERLY erased/deleted from that
computer
– Do not transfer any hard drive/disk/CD Rom/DVD or other removable
storage device before taking steps to ensure that any ePHI has been
erased/deleted
– Merely deleting files is not a proper cleaning method. See Media
Reallocation and Disposal Policy for proper sanitization methods
• Sanctions can be imposed for violations of this policy!
Facility Access Controls
• Access to our centers must be managed and controlled to
prevent unauthorized visitors from accessing the facilities or
PHI
• Help to monitor the controls we have for Facility Access
– Sign-in Visitors and Vendors
– Ensure that locks, card access, or any other physical access controls are
working as expected
• Report any problems or possible problems to your supervisor,
administrator, and/or your security officer.
Contingency Planning
• Contingency planning allows us to continue some critical
operations in the event of an emergency
• Help us prepare for emergencies by pointing out critical areas
necessary for continuing operations
• This includes emergency communications plans, emergency
operations plans, back up and recovery plans and many other
items included in an Impact Analysis and Disaster Recovery Plan
• Some of you may be asked to participate in the creation of
these plans and will be involved in testing
Audit Controls
• Audit Controls are required to ensure that we are following all
of the required regulations associated with the HIPAA Privacy
and Security Rules
• This will require us to make sure that we have procedures in
place that provide tracking and audit records demonstrating
compliance with all rules and regulations
• Please notify your supervisor and Security Officer of any
deficiencies, or improvements needed, in how access to PHI is
tracked and controlled
Reporting Security Incidents
• Notify your Security Officer or supervisor of any
unusual or suspicious incident
• Security incidents include the following:
  – Theft of or damage to equipment
  – Unauthorized use of a password
  – Unauthorized use of a system
  – Violations of standards or policy
  – Computer hacking attempts
  – Malicious code
  – Security weaknesses
  – Breaches to patient, employee, or student privacy
Questions/Comments
• Know Your Security and Privacy Officer:
– UMC’s Privacy/Security Officer: Jan Chaisson, [email protected],
348-1231
– UA Privacy Officer: Jan Chaisson
– UA Security Officer: Ashley Ewing
• Other References
– Privacy:
• www.hhs.gov/ocr/hipaa
– Security:
• www.cms.hhs.gov/SecurityStandard
• Acknowledgement:
– Please Complete the Training Acknowledgement Form to Obtain Credit for
Completing the Annual Training