SECURITY & HIPAA
DATA ENSURE INC.

Upload: louisa-berry, posted on 29-Dec-2015, category: Documents

TRANSCRIPT

Slide 1

SECURITY & HIPAA

DATA ENSURE INC.
798 PARK AVE. NW
SUITE 204
NORTON, VA 24273
(276) 679-7900
WWW.DATAENSUREINC.COM

Slide 2

HIPAA Compliance

Complying with HIPAA is challenging because this regulation affects so many areas, including standards for transactions, rules for data privacy and security, standards for clinical records, and more.

Slide 3

HIPAA Background

In August 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). The goals of the legislation are to reduce the administrative costs of healthcare, to develop standard transactions for consistency industry-wide, to require broad security and disaster recovery protections for "individually identifiable health information", to promote confidentiality of patient records, and to provide an incentive for healthcare companies to communicate electronically.

Slide 4

HIPAA Background

Any health care provider organization, office, or plan that electronically maintains or transmits health information pertaining to an individual must comply with HIPAA regulations. These federal regulations require strict standards for Security and Disaster Recovery.

Slide 5

Who Must Comply?

Those who must comply with HIPAA fall into two categories:

Covered Entities (health care providers, health plans, and health care clearinghouses)

Business Associates (vendors that create, receive, maintain, or transmit protected health information on a covered entity's behalf; an off-site backup provider is one)

Slide 6

HIPAA Overview

HIPAA consists of five parts:

Title 1 - Health Insurance Portability - helps workers maintain insurance coverage when they change jobs

Title 2 - Administrative Simplification - standardizes electronic health care transactions and the privacy and security of health information

Title 3 - Medical Savings Accounts and Health Insurance Tax Deductions

Title 4 - Enforcement of Group Health Plan provisions

Title 5 - Revenue Offset Provisions

Slide 7

The Security Rule

The Final Security Rule was published in February 2003 and became effective on April 21, 2003. Compliance with this Rule has been required since April 21, 2005 (small health plans were given one additional year).

Slide 8

The Security Rule

The Security Rule specifies the safeguards that must be used to protect ePHI (electronic Protected Health Information). It requires covered entities to have appropriate Administrative, Physical, and Technical Safeguards that protect the confidentiality, integrity, and availability of ePHI and control who can access it.

Slide 9

Examples of Appropriate Safeguards Include:

Establishment of clear Access Control policies, procedures, and technology to restrict who has authorized access to ePHI.

Establishment of restricted and locked areas where ePHI is stored.

Establishment of appropriate Data Backup, Disaster Recovery, and Emergency Mode Operation planning.

Establishment of technical security mechanisms such as encryption to protect data that is transmitted via a network.

Slide 10

The Security Rule

Two implementation specifications for discussion, both under the Contingency Plan standard (45 CFR 164.308(a)(7)) and both marked (R), meaning Required rather than Addressable:

164.308(a)(7)(ii)(A) Data Backup Plan (R)

164.308(a)(7)(ii)(B) Disaster Recovery Plan (R)

The same standard also requires an Emergency Mode Operation Plan, 164.308(a)(7)(ii)(C) (R), which is why slide 9 lists all three together.

Slide 11

Disaster Recovery Planning

Disaster recovery planning is a necessary and vital part of any healthcare delivery organization. How does an institution recover from something as simple as a hardware or software failure, or as catastrophic as the loss of a complete data center? How long can data be unavailable before it impacts patient care?

Slide 12

Disaster Recovery Planning

These are precisely the situations that the Security Rule was intended to address by ensuring the confidentiality, integrity, and availability of patient information. To that end, disaster recovery planning should be viewed as a plan for business continuity and, further, as an opportunity to minimize the costs associated with regulatory compliance.

Slide 13

What is Required for a Disaster Recovery Plan?

What should be included in the disaster recovery strategy? Considerations must include the end-user's specific needs, the location and storage of the critical data, and every component in between. The plan must allow a covered entity to re-create the entire infrastructure necessary to guarantee information availability.

The two questions on slide 11 are the design inputs: how much data the practice can afford to lose (its recovery point objective) sets how often backups run, and how long it can be without that data (its recovery time objective) sets how the restore has to be staged and rehearsed.

Slide 14

Why Backup?

Backup is an integral part of any Disaster Recovery Plan. The amount of data stored electronically is growing, and your practice relies on it to conduct efficient and proper patient care.

What if you lost your scheduling software? How long would it take to recreate it?

Slide 15

Who Performs Data Backups?

It is estimated that less than 30% of businesses properly protect their computer data. Healthcare-related businesses do a better job.

Proper backups can ensure that your business or practice survives computer-related disasters, no matter how big or small.

Slide 16

How Often?

Backups should be done on a schedule; daily would be ideal. Most businesses don't do this for one reason or another: they don't keep a regular backup regimen.

Usually it's because the person responsible for doing backups (if there is one) is too busy doing something else, or someone is using the computer when it's time for a backup, or they simply forget.

Backups should be automated so as not to depend on any one person. The schedule is really a statement of how much work the practice is willing to redo: with a nightly backup, up to a full day of appointments, notes, and billing entries can be lost.

Slide 17

Why Off-Site Backups?

Of the estimated ten percent of companies that follow all the other rules for safe backups, only five percent follow this one. This is where almost every business makes its biggest mistake.

Even if you do everything else perfectly, your backups are of little use if your building burns or you are unable to physically recover your backup media.

Slide 18

Redundancy! Why?

The general definition of "proper" backups requires redundancy. That is, one must keep multiple copies of the same files at different points in their development, called versions.

Part of the reason for doing backups is to be able to revert to the previous version of a file in case a virus, hardware failure, or human error damages the current version.

Slide 19

Redundancy! Why?

If you copy new files over old ones, you may lose your only backup by inadvertently copying a damaged file over it. A backup that overwrites its single copy reproduces the damage faithfully; keeping several generations means the last good version survives until the damage is noticed. This is much too important to overlook.

Slide 20

What Data is Backed Up?

Most hard drives contain thousands of files, but only a small percentage of them contain your Critical Data. Find out which ones, and be sure you are backing them up.

Ordinary backup software is often installed with a list of files to be backed up. This set of files usually represents the state of the system when the software was installed, and often misses critical files, such as a database that was added or moved afterwards. Review the backup set whenever software is installed or data is relocated, and test a restore to confirm that the files you need are actually there.
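The three backup rules on slides 18 through 20 (keep versions instead of copying over the old copy, check that the critical files are really in the set, and be able to restore to a given point in time) come together in the following Python script. It is an added example written for this page, not Data Ensure's software; the store layout, the manifest format, and the sample practice files are assumptions made for the illustration, and the scheduler (cron or Task Scheduler) that slide 16 asks for is left to the reader.

```python
"""Versioned, content-addressed backup store.

Added example for this page (not Data Ensure code). Every snapshot stores each
file's contents as a blob named by its SHA-256 digest and writes a manifest
mapping path -> digest. A blob is never overwritten, so a file damaged after
snapshot N gets a new digest in snapshot N+1 while the good copy from N stays
restorable. Store layout, manifest format and the critical-file list are
assumptions made for the example.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
import time
from pathlib import Path

BLOB_DIR, SNAP_DIR = "blobs", "snapshots"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(src: Path, store: Path, snapshot_id: str = "") -> str:
    """Back up every file under src; returns the snapshot id. Existing blobs are
    left untouched (write-once), which is what gives the store its history."""
    src, store = Path(src), Path(store)
    blobs, snaps = store / BLOB_DIR, store / SNAP_DIR
    blobs.mkdir(parents=True, exist_ok=True)
    snaps.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        digest = sha256_file(path)
        blob = blobs / digest
        if not blob.exists():                      # never copy over a stored version
            tmp = blobs / (digest + ".tmp")
            tmp.write_bytes(path.read_bytes())
            os.replace(tmp, blob)                  # publish atomically
        manifest[path.relative_to(src).as_posix()] = digest
    snapshot_id = snapshot_id or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    (snaps / f"{snapshot_id}.json").write_text(json.dumps(manifest, sort_keys=True))
    return snapshot_id


def list_snapshots(store: Path) -> list[str]:
    return sorted(p.stem for p in (Path(store) / SNAP_DIR).glob("*.json"))


def load_manifest(store: Path, snapshot_id: str) -> dict[str, str]:
    return json.loads((Path(store) / SNAP_DIR / f"{snapshot_id}.json").read_text())


def verify_snapshot(store: Path, snapshot_id: str) -> list[str]:
    """Paths whose blob is missing or fails its digest; empty means restorable."""
    store = Path(store)
    return [rel for rel, digest in load_manifest(store, snapshot_id).items()
            if not (store / BLOB_DIR / digest).exists()
            or sha256_file(store / BLOB_DIR / digest) != digest]


def restore(store: Path, snapshot_id: str, dest: Path) -> int:
    """Rebuild the tree exactly as it was at snapshot_id; returns the file count."""
    store, dest = Path(store), Path(dest)
    manifest = load_manifest(store, snapshot_id)
    for rel, digest in manifest.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes((store / BLOB_DIR / digest).read_bytes())
    return len(manifest)


def missing_critical(store: Path, snapshot_id: str, critical: list[str]) -> list[str]:
    """Slide 20's warning: a default backup set often omits the files that matter."""
    manifest = load_manifest(store, snapshot_id)
    return [p for p in critical if p not in manifest]


def demo() -> dict:
    """Constructed walk-through: a practice directory, a corrupted scheduling
    database, bit rot on one stored blob, and a point-in-time restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        practice, store, recovered = root / "practice", root / "store", root / "recovered"
        (practice / "db").mkdir(parents=True)
        (practice / "db" / "scheduling.db").write_bytes(b"appt:2015-12-29 09:00 Jane Doe\n")
        (practice / "billing.csv").write_text("claim,amount\n1001,120.00\n")
        first = take_snapshot(practice, store, "20151229T020000Z")
        # A bad write (virus, disk fault, operator error) damages the live file.
        (practice / "db" / "scheduling.db").write_bytes(b"\x00" * 32)
        second = take_snapshot(practice, store, "20151230T020000Z")
        # A copy-over-old scheme would now hold only the damaged copy; here both exist.
        blob_count = len(list((store / BLOB_DIR).iterdir()))
        # Media failure on the second snapshot's blob is caught by verification
        # and does not touch the first snapshot's copy of the same file.
        (store / BLOB_DIR / load_manifest(store, second)["db/scheduling.db"]).write_bytes(b"bit rot")
        restore(store, first, recovered)
        return {
            "snapshots": list_snapshots(store),
            "blob_count": blob_count,
            "first_ok": verify_snapshot(store, first) == [],
            "second_bad": verify_snapshot(store, second),
            "restored_db": (recovered / "db" / "scheduling.db").read_bytes(),
            "missing": missing_critical(store, second, ["db/scheduling.db", "db/patients.db"]),
        }
```

Scheduling `take_snapshot` nightly gives the automation slide 16 asks for; running `verify_snapshot` on each result and `missing_critical` against the practice's own list of must-have files turns "we back up" into something that can be shown to an auditor.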

Slide 21

What about Security?

Of the very small percentage of companies that take their backups off-site regularly, an even smaller percentage encrypts their backups for security.

Most of those send backups home with an employee who might make a few stops on the way. If backups are stolen or lost, your ePHI could easily end up in the hands of whom?

Slide 22

What about Security?

Would you want someone to be able to slip one of your backup tapes into a pocket and take it where? It happens. Tape backups are not generally encrypted, so anyone who holds the tape can read it and gain access to your patient database, billing records, payroll, tax information, and everything else on your computer.

Under the HIPAA Breach Notification Rule, lost or stolen ePHI that was not encrypted is "unsecured" and the loss is a reportable breach; ePHI encrypted in line with HHS guidance is not, so encrypting the backup media is what keeps a lost tape from becoming a notification event.

Slide 23

What about Security?

Jane Doe
Birth date
Address
Condition
Medications
Treatments
Insurance

Slide 24

Data Encryption

(slide graphic only; no text content)
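The following Python script is an added example for this page (not Data Ensure's product code) showing what "encrypted backup" has to mean for the tape on slides 21 and 22: a copy that walks out the door reveals nothing, a copy that was tampered with is rejected before any of it is decrypted, and the wrong passphrase gets the same refusal. It uses only the standard library, so an HMAC-SHA256 stream cipher with a separate HMAC tag stands in for a vetted AEAD such as AES-256-GCM; the container tag `RDB1`, the field sizes, the passphrase, and the sample record are assumptions made for the example.

```python
"""Encrypt a backup before it leaves the building.

Added example for this page, not Data Ensure's product code. It is a
stdlib-only stand-in for an authenticated cipher: separate encryption and
MAC keys are derived from a passphrase with PBKDF2 and a fresh salt, the
keystream is HMAC-SHA256 run in counter mode over a fresh nonce, and an
HMAC-SHA256 tag over the whole container is checked before any byte is
decrypted. The container format (MAGIC, field sizes) is an assumption for
this example. In production use a vetted AEAD (AES-256-GCM or
ChaCha20-Poly1305) from a maintained library; the discipline shown here,
random salt and nonce per backup, distinct keys, verify then decrypt, key
kept away from the media, is the part to copy.
"""
import hashlib
import hmac
import os
import struct

MAGIC = b"RDB1"                 # assumed container tag
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
HEADER_LEN = len(MAGIC) + SALT_LEN + NONCE_LEN


def derive_keys(passphrase: bytes, salt: bytes) -> tuple:
    """One passphrase, two independent keys (encryption, MAC)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000, dklen=64)
    return km[:32], km[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF in counter mode; secure only while (key, nonce) is never reused."""
    stream = b"".join(
        hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(passphrase: bytes, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    body = MAGIC + salt + nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()   # encrypt-then-MAC


def open_sealed(passphrase: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or any modification; never returns partial plaintext."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not an RDB1 container")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:HEADER_LEN]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong passphrase or modified backup")
    return keystream_xor(enc_key, nonce, body[HEADER_LEN:])


def _rejected(passphrase: bytes, blob: bytes) -> bool:
    try:
        open_sealed(passphrase, blob)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Constructed 'tape' of ePHI: sealed, then attacked the way a lost backup would be."""
    tape = b"Jane Doe|1970-01-01|123 Main St|Hypertension|Lisinopril|Acme Health\n" * 3
    passphrase = b"correct horse battery staple"   # real deployments: from a vault/KMS, never on the media
    sealed = seal(passphrase, tape)
    flipped = bytearray(sealed)
    flipped[HEADER_LEN] ^= 0x01                     # one bit of ciphertext altered
    return {
        "plaintext_visible": b"Jane Doe" in sealed,            # False: a stolen copy reveals nothing
        "overhead_bytes": len(sealed) - len(tape),             # 68: magic + salt + nonce + tag
        "tamper_rejected": _rejected(passphrase, bytes(flipped)),
        "wrong_key_rejected": _rejected(b"wrong passphrase", sealed),
        "roundtrip_ok": open_sealed(passphrase, sealed) == tape,
    }
```

In a backup job, `seal` runs over the archive on the practice's machine before upload, and `open_sealed` runs only on the host doing the restore; the passphrase (or, better, a key held in a vault or hardware module) must never sit on the same media or server as the sealed copy, otherwise the thief on slide 22 gets both.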

Slide 25

What is RDB?

Remote Data Backup (RDB) works basically like regular tape backups, with one important difference.

Instead of sending backups to a tape drive or other media, Remote Data Backup sends them over the internet to another computer safely off-site.

Slide 26

What is RDB?

It does this (usually) at night while the practice is closed and nobody is using the computers. And it's completely automatic.

Remote Data Backup encrypts its backups, so nobody without the key can read them. That protection holds only as long as the key is kept apart from the backup store: a key that travels with the media or sits on the same server as the encrypted copy hands a thief both.

Only Remote Data Backup has such an easy-to-use version control system. Further, you should be able to easily restore any of your files to any given point in time.

Slide 27

Remote Data Backup from Data Ensure, Inc.

Can be your data backup solution. It provides you with secure encrypted data storage and recovery and automatic backups. It supports the Security Rule's Data Backup Plan and Disaster Recovery Plan requirements through the use of encryption and passwords in a secure environment. Note that HHS does not certify any product or service as "HIPAA compliant": the covered entity remains responsible for its own compliance, and a backup vendor that holds ePHI is a business associate that must be covered by a business associate agreement.

Slide 28

THANK YOU FOR ATTENDING!