137 - Confidentiality, HIPAA and HITECH Overview Part 1

Counselor Toolbox Podcast show

Summary:

Confidentiality, HIPAA and HITECH
Brought to you by AllCEUs.com
Instructor: Dr. Dawn-Elise Snipes

An on-demand CEU course will be available for this class at allceus.com (https://www.allceus.com/member/cart/index/search?q=Confidentiality%2C+HIPAA+and+HITECH).

Objectives
~ Review HIPAA and HITECH regulations as they pertain to maintaining confidentiality and security of PHI.
~ Encourage critical assessment of your work practices for compliance.
~ Get through the presentation with all of you staying awake.

Business Associates
~ A person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.
~ Business associate functions and activities include:
  ~ Billing, claims processing, administration, benefit management
  ~ Data analysis, processing or administration
  ~ Utilization review & quality assurance
~ ISPs are NOT business associates.
~ Software vendors providing EHR systems, and providers of virtual offices and email services, clearly qualify as business associates.

Requirements for PHI
~ Risk analysis (Required): assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
~ Risk management (Required): implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level, as required by §164.306(a).
~ Sanction policy (Required): apply appropriate sanctions to workforce members who fail to comply with the security policies.
~ Information system activity review (Required): regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

Workforce Security
~ Ensure that all members of the workforce have appropriate access to ePHI, and prevent those who do not from obtaining access to electronic PHI.
~ Implement procedures for the authorization and/or supervision of workforce members who work with ePHI or in locations where it might be accessed.
~ Implement procedures to determine that a workforce member's access to ePHI is appropriate.
~ Implement procedures for terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends or changes.

Information Access Management
~ Implement written policies and procedures for authorizing access to ePHI.
~ Implement policies and procedures for granting access to ePHI, for example, through access to a workstation, transaction, program, process, or other mechanism.
~ Implement policies and procedures that establish, document, review, and modify a user's right of access to a workstation, transaction, program, or process.
  ~ Virtual workstations
  ~ Key cards
  ~ Passwords

Security Awareness and Training
~ Training for all members of the workforce (including management).
~ Periodic security updates.
~ Procedures for guarding against, detecting, and reporting malicious software.
~ Procedures for monitoring log-in attempts and reporting discrepancies.
~ Procedures for creating, changing, and safeguarding passwords.

Contingency Plan
~ Establish (and implement as needed) policies and procedures for responding to a disaster that damages systems that contain electronic PHI.
~ Data backup plan (Required).
~ Disaster recovery plan, including procedures to enable continuation of critical business processes for protection of the security of ePHI while operating in emergency mode (Required).
~ Implement procedures for periodic testing and revision of contingency plans.

Facility Access Controls
~ Limit physical access to its electronic information systems and the facility or facilities in which they
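The "information system activity review", "monitoring log-in attempts and reporting discrepancies" and "terminating access when employment ends" items above are all satisfied by the same routine work: periodically reading the access logs and flagging what the policy says should not be there. The script below is an added example, not course material from AllCEUs or Dr. Snipes, and not any particular EHR product's audit format. The log line layout, the account names, the termination register and the three-failure threshold are all constructed for the demonstration; a real review would read the EHR's own audit export and the HR termination feed.

```python
"""Added example (not part of the AllCEUs course material): a minimal
information-system activity review over constructed ePHI audit-log lines.

It reports two discrepancy types the Security Rule lists as review targets:
  1. repeated failed log-in attempts against one account, and
  2. any activity by an account whose workforce arrangement has ended.
Log format, user names and threshold are assumptions made for this demo.
"""
import re
from collections import Counter
from datetime import date, datetime

# Assumed line format (constructed for this example):
#   <ISO timestamp> user=<account> action=<LOGIN_OK|LOGIN_FAIL|VIEW|EXPORT> [record=<id>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: record=(?P<record>\S+))?$"
)

# Constructed sample audit log for the demo (not real patient or user data).
SAMPLE_LOG = """\
2024-03-04T08:01:10 user=jdoe action=LOGIN_OK
2024-03-04T08:02:31 user=jdoe action=VIEW record=PT-1001
2024-03-04T09:15:00 user=ksmith action=LOGIN_FAIL
2024-03-04T09:15:08 user=ksmith action=LOGIN_FAIL
2024-03-04T09:15:15 user=ksmith action=LOGIN_FAIL
2024-03-04T09:15:22 user=ksmith action=LOGIN_FAIL
2024-03-04T09:15:30 user=ksmith action=LOGIN_FAIL
2024-03-04T09:15:41 user=ksmith action=LOGIN_OK
2024-03-04T11:40:02 user=rlee action=LOGIN_OK
2024-03-04T11:41:17 user=rlee action=EXPORT record=PT-2042
"""

# Constructed termination register: account -> date on which access should have ended.
TERMINATED = {"rlee": date(2024, 2, 28)}

FAILED_LOGIN_THRESHOLD = 3  # assumed policy value; tune to the organisation's sanction policy


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review_activity(log_text, terminated=TERMINATED, threshold=FAILED_LOGIN_THRESHOLD):
    """Return a list of (finding_type, user, detail) tuples for the reviewer to act on."""
    findings = []
    failed = Counter()
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            malformed += 1  # unparsable audit lines are themselves worth reporting
            continue
        user, action = rec["user"], rec["action"]
        if action == "LOGIN_FAIL":
            failed[user] += 1
        # Any event from an account after its termination date means access was not revoked.
        end = terminated.get(user)
        if end is not None and rec["ts"].date() > end:
            findings.append(("access_after_termination", user,
                             f"{action} at {rec['ts'].isoformat()}"))
    for user, n in failed.items():
        if n >= threshold:
            findings.append(("repeated_failed_logins", user, f"{n} failures"))
    if malformed:
        findings.append(("malformed_lines", "-", f"{malformed} unparsable lines"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_activity(SAMPLE_LOG):
        print(f"{kind:26} {user:8} {detail}")
```

Run against the constructed log, the review produces three findings: two events from the terminated account `rlee` (the one that matters most, since an export after termination is a potential breach to investigate) and one burst of five failed log-ins for `ksmith` before a successful one. The findings list, not the printout, is what a review procedure would file as the "access report" the Security Rule asks you to keep.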