Doctors Hospital Group HIPAA Compliance

Published on May 2016

This was a MEMO done for my Undergrad in Computer Information Systems. It is a Memo on HIPAA Compliance.


Doctors Hospital Group

Memo

To: Doctors Hospital Group CSO John Freund
From: Security Engineer Desiree Carter
Date: 2/17/2014
Re: HIPAA Compliance

Goals and Objectives of HIPAA
“■ Confidentiality is the protection of information from unauthorized people, resources, and processes.

■ Integrity is the protection of information or processes from intentional or accidental unauthorized modification.

■ Availability is the assurance that systems and information are accessible by authorized users when needed.” (Greene)

The first step toward bringing the hospital into HIPAA Security Rule compliance is moving all records into an electronic database, because the Security Rule's safeguards apply to data that is stored or transmitted electronically. The HIPAA Security Rule specifically focuses on safeguarding electronic data that is classified as individually identifiable health information: information, such as a medical record, that can reasonably be used to identify an individual. The standards and implementation specifications of the Security Rule apply to both public- and private-sector entities that electronically process, store, or transmit such information, and they are to be followed by every hospital in the Doctors Hospital Group. All of the hospitals in Doctors Hospital Group must achieve and maintain HIPAA compliance.


“Civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison to up to $250,000 in fines and ten years in jail. The Center for Medicare and Medicaid Services (CMS) has been assigned responsibility for enforcement and related actions.” (Greene) A grave concern for the medical community is that noncompliance may be used as evidence in liability cases, and attorneys may choose to sue on behalf of clients who believe that their rights have been violated. The administrative safeguards to be implemented cover the documentation of policies and procedures for managing day-to-day operations, such as the updating and storage of medical records. They also cover the conduct of workforce members and their access to individually identifiable health information, as well as the selection, development, and use of security controls.

The hospital must define roles and responsibilities for all job functions so that only the people who need access to individually identifiable health information have it, and those who should not have access have none. Permission to access individually identifiable health information must be clearly stated in written job descriptions, including permission to view, alter, retrieve, and store data, the specific times and circumstances under which each action is allowed, and its purpose. Employees hired by Doctors Hospital Group must have the knowledge, skills, and abilities needed to fulfill their role at the hospital where they are placed, and the activities of every role within the hospital must be clearly identified and documented. Employees must also be screened, ranging from verification of employment and educational references to criminal and credit checks.

The hospital is also responsible for managing termination procedures. There must be procedures to recover access control devices such as ID badges, to recover equipment such as laptops, and to deactivate computer access accounts. Implementing this requires cooperation between the Human Resources department and the Information Technology department. “As a check to this process, HR should send a periodic list to IT of all terminated employees. Conversely, IT should send HR a list of all employees who have not logged in during a specified amount of time. The security officer should be copied on this correspondence.” (Greene)
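The HR/IT cross-check Greene describes can be automated rather than done by eye. The following Python script is an added example, not part of the memo or of Greene's text: it reconciles a constructed HR termination list against a constructed IT account export, flagging accounts that are still enabled after termination, accounts used after the termination date, and dormant accounts for IT to report back to HR. The employee IDs, dates, field layout, and the 60-day dormancy threshold are all assumptions made for illustration.

```python
"""Reconcile HR terminations against IT accounts (added example, not the memo's own code)."""
from datetime import date, timedelta

# Constructed sample data standing in for HR's periodic report: (employee id, termination date).
HR_TERMINATIONS = [
    ("e1001", date(2014, 1, 31)),
    ("e1002", date(2014, 2, 10)),
]

# Constructed sample data standing in for IT's account export:
# (employee id, account enabled?, last login date or None if never used).
IT_ACCOUNTS = [
    ("e1001", True, date(2014, 2, 3)),     # terminated 1/31, still enabled, and used afterwards
    ("e1002", False, date(2014, 2, 9)),    # terminated and correctly disabled
    ("e1003", True, date(2013, 11, 15)),   # current employee whose account has gone dormant
    ("e1004", True, date(2014, 2, 16)),    # current employee, recently used
    ("e1005", True, None),                 # enabled account that has never been used
]

REPORT_DATE = date(2014, 2, 17)  # assumed date the reconciliation runs
DORMANT_DAYS = 60                # assumed policy value for "a specified amount of time"


def terminated_but_enabled(hr, it):
    """Accounts that should have been deactivated: the owner is terminated, the account is enabled."""
    terminated = {emp for emp, _ in hr}
    return sorted(emp for emp, enabled, _ in it if enabled and emp in terminated)


def used_after_termination(hr, it):
    """Accounts with a login *after* the owner's termination date: evidence that needs investigating."""
    term_date = dict(hr)
    return sorted(
        emp for emp, _, last in it
        if emp in term_date and last is not None and last > term_date[emp]
    )


def dormant_accounts(it, today, dormant_days=DORMANT_DAYS):
    """Enabled accounts with no login within dormant_days (or never): IT's list back to HR."""
    cutoff = today - timedelta(days=dormant_days)
    return sorted(
        emp for emp, enabled, last in it
        if enabled and (last is None or last < cutoff)
    )


def reconcile(hr=HR_TERMINATIONS, it=IT_ACCOUNTS, today=REPORT_DATE):
    """Run all three checks and return them as one report for HR, IT and the security officer."""
    return {
        "terminated_but_enabled": terminated_but_enabled(hr, it),
        "used_after_termination": used_after_termination(hr, it),
        "dormant": dormant_accounts(it, today),
    }


if __name__ == "__main__":
    for finding, accounts in reconcile().items():
        print(f"{finding}: {', '.join(accounts) or 'none'}")
```

In practice the two lists would be read from the HR system and the directory service (for example an Active Directory export of `lastLogonTimestamp`), and the report would be sent to both departments with the security officer copied, as Greene recommends.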

Healthcare clearinghouse functions must be isolated. All of the hospitals in Doctors Hospital Group typically rely on role-based access; however, the hospital in Alba, IA is small, and group-based access can be used there. A security awareness campaign should keep users reminded of potential threats and of their part in mitigating risk to the organization. The campaign should extend to anyone who interacts with individually identifiable health information: employees, contractors, and business partners. Users must be trained in proper procedures for guarding against, detecting, and reporting malicious software, which includes viruses, worms, Trojans, and spyware. The training should cover how to keep computer systems updated with the latest version of the antivirus software, how to recognize malware should it appear, how to respond to suspicious system behavior, and how to report suspicious incidents.

Users must also be trained in procedures for monitoring login attempts and reporting discrepancies. They should be on the lookout for suspicious behavior, such as noticing that someone else has unexpectedly logged in at their workstation or finding that their password is no longer valid. Users also need to be trained in how to create, change, and safeguard passwords, selecting them in accordance with the organization's policy. There must be procedures to create and maintain retrievable exact copies of individually identifiable health information, meaning that the data needs to be backed up on a scheduled basis. “The procedures to back up (and restore) the data must be documented and the responsibility to run and verify the backup must be assigned. In addition to verification that the backup job ran successfully, test restores should be conducted regularly. Testing both verifies the media and provides a training opportunity in a low-stress situation. There are few situations more nerve-wracking than that of learning how to restore data in a crisis situation. Backup media should not remain on-site. It should be securely transported off-site. The location where it is stored needs to be secured in accordance with the organization’s security policy.” (Greene)


References

Greene, S. Security Policies and Practice.
