
HIPAA Compliance

Part II

Agenda
Safeguards
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Access Controls
Audit Controls
Integrity
Person or Entity Authentication
Cost of HIPAA Non-Compliance

Administrative Safeguards

Administrative Safeguards
Administrative Safeguards are actions, policies, and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic protected health information, and to manage the conduct of the covered entity's workforce in relation to the protection of that information.

Administrative Safeguards
1. Security Management Process
2. Assigned Security Responsibility
3. Workforce Security
4. Information Access Management
5. Security and Awareness Training
6. Security Incident Procedures
7. Contingency Plan
8. Evaluation
9. Business Associate Contracts and other arrangements

Physical Safeguards

Physical Safeguards
Stories of medical records found in dumpsters, recycling bins, and parks further emphasized the reality that physical security of paper records continues to be a greater issue than electronic information hacking.
The Physical Safeguards in the HIPAA Security Rule are physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion.

Physical Safeguards

The main areas of the Physical Safeguard requirements are:
1. Facility Access Controls
2. Workstation Use
3. Workstation Security
4. Device and Media Controls

Technical Safeguards

Technical Safeguards
The HIPAA Security Rule's technical standards are the technology, and the policy and procedures for its use, that protect electronic protected health information and control access to it.
The main requirements of the HIPAA Security Rule's Technical Standards are:
1. Access Controls
2. Audit Controls
3. Integrity
4. Person or Entity Authentication

Technical Safeguards - Access Controls
1. Unique User Identification
2. Emergency Access Procedure
3. Automatic Log-Off
4. Encryption and Decryption

Technical Safeguards - Access Controls
Unique User Identification
Create and assign a unique log-in name and/or number for each user of a software system.
Include the process for Unique User Identification within a policy and procedure of the organization.

Technical Safeguards - Access Controls
Emergency Access Procedure
Establish and implement procedures for obtaining necessary electronic protected health information during an emergency.
Determine the types of situation that may require emergency access to ePHI.
Determine who will need access to ePHI in case of an emergency.
Create a policy and procedure governing emergency access to ePHI.
e.g.: Accessing patient information associated with one physician, who is on vacation, by another physician in an emergency.

Technical Safeguards - Access Controls
Automatic Logoff
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
Create a policy and procedure that governs how automatic logoff is used within the facility and is specific to each application, including automatic logoff of the operating system.
Best practice is to be consistent across the entire organization with auto logoff, unless a business need supports having different automatic logoffs and other safeguards exist.
e.g.: The application should be logged off if no activity has happened for the duration of 20 minutes.
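One way to implement the inactivity timer described above (an added example, not code from the slides): sessions are tracked per application, the default limit is the 20 minutes cited, and a shorter or longer limit is allowed only as an explicit per-application override. The `AutoLogoff` and `Session` names and the sample timings are assumed.

```python
# Added example (not from the slides): per-application idle timer that logs
# off sessions idle past their limit (default 20 min, as the slide cites).
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DEFAULT_IDLE_LIMIT = timedelta(minutes=20)   # organisation-wide default

@dataclass
class Session:
    session_id: str
    application: str
    last_activity: datetime
    active: bool = True

@dataclass
class AutoLogoff:
    """Tracks sessions and ends those that exceed their idle limit."""
    # Per-application overrides, only where a business need justifies them.
    idle_limits: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)

    def open(self, session_id, application, now):
        self.sessions[session_id] = Session(session_id, application, now)

    def touch(self, session_id, now):
        """Record user activity; a logged-off session must not be revived."""
        s = self.sessions[session_id]
        if not s.active:
            raise PermissionError("session already logged off; log in again")
        s.last_activity = now

    def enforce(self, now):
        """Terminate every idle session; returns the ids that were logged off."""
        ended = []
        for s in self.sessions.values():
            limit = self.idle_limits.get(s.application, DEFAULT_IDLE_LIMIT)
            if s.active and now - s.last_activity >= limit:
                s.active = False
                ended.append(s.session_id)
        return ended

def run_demo():
    # Constructed scenario: the EHR app keeps the default, OS login uses 15 min.
    t0 = datetime(2024, 1, 1, 9, 0)
    mgr = AutoLogoff(idle_limits={"os-login": timedelta(minutes=15)})
    mgr.open("s1", "ehr", t0)
    mgr.open("s2", "os-login", t0)
    mgr.touch("s1", t0 + timedelta(minutes=10))        # user still working
    first = mgr.enforce(t0 + timedelta(minutes=16))    # only OS session idle
    second = mgr.enforce(t0 + timedelta(minutes=30))   # EHR idle 20 min now
    return first, second
```

In a real deployment `enforce` would run on a scheduler or on each request, and `touch` would be called from the application's request handler.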

Technical Safeguards - Access Controls
Encryption and Decryption
Create a process to encrypt and decrypt devices containing electronic protected health information.
Encryption is a method of converting an original message of regular text into encoded text using an algorithm.
Any algorithm approved by NIST can be used for encryption:
AES (Advanced Encryption Standard)
Triple DES (Triple Data Encryption Standard)
Skipjack

Technical Safeguards - Audit Controls
Audit Controls
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
An audit trail can be defined as a record that shows who has accessed a computer system, when it was accessed, and what operations were performed.

Technical Safeguards - Audit Controls
Audit Controls
The date, time, patient identification, and user identification must be recorded when electronic health information is created, modified, accessed, or deleted, and an indication of which action(s) occurred and by whom must also be recorded.
e.g.: A User Log and a Transaction Log were implemented in USR Projects. The User Log records the following database values: UserId, UserName, EventType, DateTime, PageURL, PageTitle, SessionId, Action, ActionDescription.
If we are dealing with patient information, that also has to be recorded.
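As an added illustration (not the USR Projects code the slide refers to), a logging routine that records the listed fields and refuses a PHI event that lacks a patient identifier, then answers the audit-trail question of who touched a patient's data and when. The `AuditLog` class, its method names and the sample values are constructed.

```python
# Added example (not from the slides or USR Projects): an audit-log writer
# that enforces the listed fields and demands a patient identifier whenever
# the event involves patient information. Names and values are constructed.
from datetime import datetime, timezone
REQUIRED = ("UserId", "UserName", "EventType", "DateTime", "PageURL",
            "PageTitle", "SessionId", "Action", "ActionDescription")

class AuditLog:
    def __init__(self):
        self.entries = []    # in-memory stand-in for the audit table

    def record(self, user_id, user_name, event_type, page_url, page_title,
               session_id, action, description, involves_phi=False,
               patient_id=None, when=None):
        # Refuse incomplete records instead of logging them.
        if event_type not in ("Create", "Modify", "Access", "Delete"):
            raise ValueError(f"unknown EventType {event_type!r}")
        if involves_phi and not patient_id:
            raise ValueError("patient identification required for PHI events")
        entry = {"UserId": user_id, "UserName": user_name,
                 "EventType": event_type, "PageURL": page_url,
                 "PageTitle": page_title, "SessionId": session_id,
                 "Action": action, "ActionDescription": description,
                 "DateTime": (when or datetime.now(timezone.utc)).isoformat()}
        if involves_phi:
            entry["PatientId"] = patient_id
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            raise ValueError(f"missing audit fields: {missing}")
        self.entries.append(entry)
        return entry

    def trail_for_patient(self, patient_id):
        # Audit-trail query: who touched this patient's data, when, and how.
        return [(e["UserName"], e["DateTime"], e["EventType"])
                for e in self.entries if e.get("PatientId") == patient_id]

def run_demo():
    log = AuditLog()
    t = datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)   # constructed
    log.record("u17", "mjones", "Access", "/patients/P-001/chart",
               "Patient Chart", "sess-9a", "ViewChart", "Opened chart",
               involves_phi=True, patient_id="P-001", when=t)
    try:   # PHI event without patient id must be refused, not silently logged
        log.record("u17", "mjones", "Modify", "/patients/P-001/chart",
                   "Patient Chart", "sess-9a", "EditNote", "Edited note",
                   involves_phi=True, when=t)
        refused = False
    except ValueError:
        refused = True
    return log.trail_for_patient("P-001"), refused
```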

Technical Safeguards - Integrity
Integrity
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

Person or Entity Authentication

Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the person they claim to be.
Some ways to provide proof of identity:
Require a password or PIN that only the user would know.
Require a physical possession such as a smart card or token for authentication.
Utilize biometrics such as fingerprints, voice patterns, or facial patterns.

Transmission Security

Transmission Security
Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
A hashing algorithm with a security strength equal to or greater than SHA-1 (Secure Hash Algorithm), as specified by NIST, must be used to verify that electronic health information has not been altered.
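This keyed-hash check illustrates both the Integrity mechanism and the transmission-security hashing requirement above (an added example, not from the slides). It uses HMAC-SHA256, which exceeds the SHA-1 strength floor; the key is used because a plain hash can be recomputed by whoever altered the data, whereas a keyed tag cannot be reproduced without the shared secret. The key, record layout and function names are constructed.

```python
# Added example (not from the slides): a keyed integrity tag (HMAC-SHA256,
# stronger than the SHA-1 floor the slide sets) over an ePHI record so the
# receiver can corroborate that nothing changed in transit. Key and record
# are constructed for the demo.
import hashlib
import hmac
import json

def canonical(record):
    """Deterministic byte form so both ends hash exactly the same input."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def protect(record, key):
    """Sender side: attach an HMAC-SHA256 tag to the record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(message, key):
    """Receiver side: recompute the tag and compare in constant time."""
    expected = hmac.new(key, canonical(message["record"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["tag"])

def run_demo():
    key = b"constructed-demo-key-use-a-managed-secret-in-production"
    record = {"patient_id": "P-001", "visit": "2024-03-05", "dx": "LBP"}
    msg = protect(record, key)
    intact = verify(msg, key)
    # An alteration on the wire (here, the diagnosis field) changes the
    # canonical bytes, so the stored tag no longer matches.
    tampered = {"record": dict(record, dx="none"), "tag": msg["tag"]}
    altered_detected = not verify(tampered, key)
    # A tag made with a different key (no shared secret) also fails.
    forged = protect(tampered["record"], b"wrong-key")
    forgery_detected = not verify(forged, key)
    return intact, altered_detected, forgery_detected
```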

Cost of HIPAA Non-Compliance

Cost of HIPAA Non-Compliance
Non-Compliance (Civil Penalty)
$100 for each violation
Maximum of $25,000 per year per incident

Unauthorized Disclosure or Misuse of Patient Information (Criminal Penalty)
Penalties up to $250,000
Prison time up to 10 years

Penalties may apply to the individual violator, but they may also apply to the organization or even to its officers.

Case Examples

Case Example I
Mrs. Johnson is a PT patient in your outpatient area. You receive a phone call from her granddaughter wanting to know how she is doing. What do you do?

Case Example I - Answer
Ask the granddaughter her name, then check the PHI Communication Resource Form to see if the granddaughter is listed as an authorized person to receive info. If not listed, you can give a general condition, but not specific PHI. You can direct her to someone listed on the PHI form for specific PHI. If the patient requests not to publish info, then you may not provide any info.

Case Example II
Margaret is a receptionist and has access to the schedule of patients coming in for appointments each day. One day Margaret notices that Connie, one of her daughter's friends, has an appointment in PT that week for LBP. When she goes home that evening she tells her daughter that she will be seeing Connie later in the week at the clinic. Is she violating privacy rules?

Case Example II - Answer
Yes, Margaret is violating privacy rules when she tells her daughter about Connie's scheduled appointment.

Case Example III
Anna is a PT on the ortho floor. One day a fellow college classmate is admitted to the hospital. Anna checks the chart and finds out that he was admitted with a diagnosis of cancer. When Anna gets home she calls all his friends to tell them he is in the hospital with cancer and to collect money for flowers. Do Anna's actions violate HIPAA privacy?

Case Example III - Answer
Yes, even though she might have had good intentions, she disclosed to a third party that the patient had been admitted. She also revealed PHI by disclosing the patient's diagnosis without his consent.

Finally

HIPAA Mantra
Remember the HIPAA Mantra, i.e., everyone is responsible for the privacy and security of protected health information.

Thank You
