It’s About the ePHI
Keep it Safe and Secure.

Objective
Review the security rule as it pertains to
› Physical Safeguards
  ♦ How to protect the ePHI in the work environment
  ♦ Implementation ideas for your office

The Security Rule
Reasonable and appropriate safeguards that cover
› Information systems
› Related equipment
› Facilities

Physical measures
› Locking the door
› Requiring passwords
Policies and procedures
› For everything from employee training to protecting the data

Facility Access Controls
› Limiting physical access to ePHI
Workstation Use and Security
› Defining business use of workstations
› Controlling the environment
Device and Media Controls
› For all equipment that contains ePHI

Contingency operations
Facility security plan
Access control and validation procedures
Maintenance records

Disaster recovery or emergency operations
› Maintains proper security while allowing for data recovery
Cover such events as:
› Loss of power
› Flood
Consider access, as well as recovery
› Chemical spills
› Propane leak

Policies and Procedures covering:
› Physical access control
› Tampering and theft prevention

Procedures
› Access based on roles and/or functions
› Visitor guidelines
› Software access
  ♦ Limit authority/responsibility
  ♦ Track updates/modification

Document
› Repairs and modifications to the facility
  ♦ Type of repair
  ♦ Authorized by whom
  ♦ Reason for repair
› Changes to alarm codes

Defined as an electronic computing device such as:
› Laptops
› Desktops
› Tablets
Capable of electronic media storage

Define business use of workstations
Policies and Procedures
› Proper functions to be completed
› Manner in which they are performed
› Physical attributes of the surroundings for the workstations with access to ePHI
  ♦ Visibility to others
  ♦ Accessible to unauthorized persons

Restrict access to authorized users
› Are workstations identified?
› Viewed only by authorized individuals with unique user IDs and passwords?
› Filters?
› Screen savers?
› Automatic log off?

Policies and procedures
› That govern how ePHI is protected
  ♦ During moves
  ♦ On backup media
  ♦ During upgrades

Disposal of ePHI
› How does this happen?
Media re-use
› Is re-use allowed?
› What steps are taken to eliminate ePHI?
Accountability
› Where is the ePHI?
Data Backup and Storage

Policies and procedures that address the final disposition of ePHI
› Including the media that held it
› Render it unusable
  ♦ By erasing and overwriting or magnetically clearing or both
› Or inaccessible
  ♦ By physically damaging it

Remove ePHI
Document the removal
Have a policy and procedure that outlines the process

Involves record keeping
› This is only addressable in the final security rule; however, it would be very difficult to justify not keeping track of equipment
Inventory of equipment that includes portable media
› Take account of
  ♦ Person responsible for each device
  ♦ Serial numbers and/or labels for identification

Address the backup of ePHI before the movement of any equipment
› Best to have a copy, just in case something unexpected happens!

Have in place:
Policies and procedures that cover
› Audits
  ♦ To track changes to data
  ♦ To review accesses
› Inventory
  ♦ To know where the ePHI is located

Should contain elements such as:
› Device Name
› Make/Model
› Date Acquired
› Serial Number
› Location
› User
› Maintenance Performed
  ♦ Description and Date
› Date taken out of Service
  ♦ ePHI destroyed (Y/N)
  ♦ Method of destruction
  ♦ Certificate of destruction
› Person responsible for destruction of ePHI
› Person who validated or verified destruction of ePHI

Inventory
› Walk through your office
› Notice everything
  ♦ Both in-service and out-of-service equipment
› Record it all
› Include portable and mobile devices
Check the ePHI on the inventory
› Record everything

Offices / Exam Rooms
› Doors and windows - lockable?
Restricted areas
› Locked and log of access maintained?
Alarms
› Who has access? Recent changes?
Wireless access points
› Monitor the devices that access your network
Wiring
› Are surge suppressors in use?

With the eyes of an outsider, is ePHI
› Viewable?
› Portable – on unattended laptops?
› In use – where? On what?
› Is there out-of-service equipment with ePHI?
› Accessible via your network?
  ♦ Monitor users on the network
  ♦ Have in place termination procedures that include disabling network access

Make changes
› Move monitors
› Turn desks
› Lock up equipment
› Secure work areas
Control access
› Know who has had the opportunity to view or hack your ePHI
  ♦ Telephone repairs
  ♦ Electricians
  ♦ Locksmiths

Printers
› What’s being printed?
› Who can retrieve the paper?
› Where is it located?
Faxes and scanners
› What is stored on the machine?
› Where is it located?
› Who can access the data?

Incidental equipment
› Pagers
› Dictaphone tapes
› Answering machines
› Point of care devices
› External hard drives
Network wiring
› Are access points open and available?
Location of the router
› Is it secure?

Protect all equipment from:
› Outside access
› Unauthorized use
› Wandering off
For Electronics
› Use surge protectors
Review fire extinguishers
› Rated for electronics

QUESTIONS?