HIPAA Security Training
Deadline April 21, 2005
HIPAA Security Training Agenda
Lesson 1. HIPAA Security Rule
Lesson 2. Information Security Officer
Lesson 3. On-site Security Liaison
Lesson 4. Electronic Protected Health Information (ePHI)
Lesson 5. Accessing ePHI
Lesson 6. Password Management
Lesson 7. Computer Audits
Lesson 8. Safeguards: Physical and Technical
Lesson 9. Disposing of ePHI
Lesson 10. Reporting Security Risks
Lesson 11. My Responsibility for Securing ePHI
Lesson 1. HIPAA Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule applies to all individually identifiable health information in electronic form, whether it is being stored or transmitted. The Security Rule compliance deadline is April 21, 2005.
– Security covers the physical, technical and administrative safeguards put in place to protect the confidentiality, integrity and availability of information.
Lesson 2. Security Officer
The purpose of the HIPAA Information Security Officer is to protect the confidentiality, integrity, and availability of information systems and Electronic Protected Health Information (ePHI).
– The HIPAA Information Security Officer is responsible for the development and implementation of all policies and procedures necessary to protect our information systems and ePHI.
– The OPRS Information Security Officer is Joyce Miller Evans, Vice President and Chief Information Officer at Corporate.
Lesson 3. On-site HIPAA Liaison
The purpose of the On-site HIPAA Security Liaison is to provide each facility with a contact for asking questions or reporting issues. The liaisons work closely with the Information Security Officer to protect the confidentiality, integrity, and availability of information systems and Electronic Protected Health Information (ePHI).
– Example: the On-site contact for Breckenridge Village is Elaine Kuhl.
Lesson 4. Electronic Protected Health Information
ePHI at OPRS takes the following forms:
– Resident information in the following systems:
• AIM – CCRC Resident Billing System
• Misys – Home Care Clinical Documentation & Billing System
• Reps – Marketing Database
• Micromain – Work Order System
• Momentus – Dietary System
• Raiser’s Edge – Fund Raising System
• Tele-health – Remote Patient Care
• Other data – Excel spreadsheets and Access databases
– Possible forms include name, location and level of care, diagnosis, treatment plan, MDS, etc.
Lesson 5. Access Authorization
Authorization to computers and data is provided on a need-to-know basis and is authorized by your supervisor.
– A manager’s approval is required for computer access. An email from a manager is required to obtain computer access.
– Changing job duties or roles requires a review of the user’s access.
– Any attempt to gain access to information systems containing ePHI for which you do not have proper authorization is prohibited and may result in sanctions.
Lesson 6. Password Management
OPRS has policies for creating, changing and safeguarding passwords used to log on to any computer system.
– Passwords are used to validate a user’s identity and establish access to its information systems and data.
– Each user establishes their own password. Passwords shall be a mix of numeric and alphabetic characters, with at least one symbol (example: &mrd48e2).
– YOUR PASSWORD IS NOT TO BE SHARED WITH ANYONE!
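The composition rule above, written out as a checker so the three requirements can be tested against candidate passwords. This is an added example and not code from OPRS or the original training. It assumes a minimum length of 8 characters, which the page does not state and which is taken from its 8-character sample, and it treats ASCII punctuation as the "symbol" class.

```python
import string

# Policy from the training page: a mix of numeric and alphabetic characters
# with at least one symbol. The page gives no minimum length, so MIN_LENGTH = 8
# is an assumption taken from its 8-character example (&mrd48e2).
MIN_LENGTH = 8

# "Symbol" is not defined on the page; ASCII punctuation is assumed here.
SYMBOLS = frozenset(string.punctuation)


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations for pw; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in pw):
        problems.append("no numeric character")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    return problems


def passes_policy(pw: str) -> bool:
    return not check_password(pw)


if __name__ == "__main__":
    # Constructed candidates: the page's own sample plus three that each miss one rule.
    for candidate in ("&mrd48e2", "mrd48e2a", "&mrdabcd", "&12345678"):
        verdict = "OK" if passes_policy(candidate) else ", ".join(check_password(candidate))
        print(f"{candidate!r}: {verdict}")
```

The checker enforces only what a system can see at the time the password is set; the sharing rule on this slide has no technical control and depends on each user.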
Lesson 7. System Audit Activity
Local and Corporate personnel will be auditing user access to ePHI.
– These audits will be conducted on a regular basis, and any necessary corrective action will be taken.
– Any user who has concerns about unauthorized access to ePHI shall contact their On-site HIPAA Security Liaison.
Lesson 8. Safeguards
Physical
– Do not leave resident information displayed on your computer screen.
– Workstations should be placed in secure areas, and monitors should not be visible to the general public.
– All computer servers are to be physically secured and locked in each community.
– Report any issues to your on-site HIPAA Liaison.
Technical
– The OPRS network runs anti-virus software on all PCs.
– OPRS PCs use password-protected screen savers.
– All users accessing the OPRS network from home or a remote site shall follow OPRS policies.
– All OPRS ePHI data is stored and backed up regularly.
– The OPRS Business Continuity Plan is to be utilized for business interruptions.
– Downloading from the internet is not permitted at OPRS without permission from the IS Technical Director (this includes PC screen savers and backgrounds).
Lesson 9. PC Disposal - ePHI
The disposal of all devices storing ePHI shall be done following HIPAA Policy.
– Procedures for removing the device from the site include:
• Logging the pick-up
• Recording the reason for the transaction
• Removal of ePHI
• Verification of disposal
– This must be done prior to disposing of the device.
Lesson 10. Reporting Security Risks
Responsibility for protecting ePHI is shared by all OPRS employees.
– If you notice that ePHI is not being protected, call your on-site HIPAA Security Liaison or the Security Officer, depending on the seriousness of the risk.
– A response to your concern will be provided to you as part of the resolution of the issue.
Lesson 11. My Responsibility in Securing ePHI
– Know the HIPAA Security regulations.
– Recognize your Security Officer and On-site Security Liaison.
– No ePHI is to be sent electronically, including by email, outside OPRS without IS Technology Director approval.
– Know how to report a security issue.
– Use good passwords.
– Follow the OPRS policies related to computer use.
– Read your quarterly HIPAA Newsletter.
– Understand that misconduct with computer equipment or its use will involve disciplinary action.
Post Test
Test Your Knowledge
HIPAA Security
What is the compliance date for the Security component of the HIPAA regulation?
a. March 30, 2005
b. April 15, 2005
c. April 21, 2005
Which are the three types of safeguards discussed in the Security Rule?
a. Physical
b. Administrative
c. Technical
d. All of the above
What type of PHI is protected under the Security Rule?
a. All PHI
b. Only written PHI
c. Electronic PHI
Since I work at OPRS I have the right to access anybody’s Electronic Protected Health Information or ePHI, even if it doesn’t pertain to my job duties.
a. True
b. False
Which of the following are examples of electronic media?
a. Any computer, networks, desktops and laptops
b. Magnetic tapes and compact discs
c. Personal digital assistants and handheld computers
d. All of the above
All of the following statements are good examples of computer device custodial practices except:
a. My computer makes me put in a private password when I log in every morning
b. I only access information as it applies to my job duties, or on a need to know basis
c. My computer is visible to anyone who comes to the desk to check-in or out
Who is the Information Security Officer for OPRS?
a. Joyce Miller Evans
b. David Kaasa
c. Ken Kemper
d. Brad Reynolds
Who is your On-site HIPAA Liaison?
Elaine Kuhl – BV
Jackie Shutt – WT
Theresa Kies – DL
Annette Linton – MP
Tim Lanning – SC
Administrators – Home Care
Paul Shaw – VC
Maurita Hoffman – LV
Beth Barber – CM
Karen Bakita – RN
Nancy Conroy – LT
Robin Heinz – PV
This concludes the HIPAA Security general training. If you have questions contact your local HIPAA Security Liaison or your local Human Resources Department.
The Corporate Information Security Officer may also be contacted with questions or concerns and be reached at 614 888-7800.