Planning for the Worst
Rules and Regulations
Don't Forget Your Password
Cyber Attack!
Meaningful Use of Technology
100
This contains a backup plan, disaster recovery plan, and emergency mode operation plan.
What is a contingency plan? This is important because in case of an interruption to our regular operations, we need to be able to restore PHI and continuing seeing patients. https://www.cms.gov/research-statistics-data-and-systems/computer-data-and-systems/mmis/downloads/contingency.pdf
100
These rule requires facilities to have a contingency plan in place to protect electronic patient information.
What is the HIPAA Privacy, Security, and Breach Notification Rules? This rule focuses on patient safety, confidentiality, and availability of electronic patient information. It also details how healthcare providers, including our clinic, must protect and secure patient information. https://www.healthit.gov/safer/guide/sg003 and https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
100
This is what you say when a coworker asks to borrow your password at work.
What is NO! Assist the coworker in contacting IT support but it is never ok to share a password. Facilities should have password security policies in place and staff needs to be aware of them. Passwords should not be shared or easy to access. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and https://www.healthit.gov/providers-professionals/faqs/what-password-policy
100
Cyber attacks are often aimed at these types of healthcare facilities.
What is small to midsize clinics? Many attacks are aimed at smaller or midsize facilities because they are less likely to be appropriately protecting themselves and their PHI. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
100
This is the main goal of the Meaningful Use programs.
What is the adoption of EHR systems at healthcare facilities? Meaningful Use Programs are designed to help providers with transitioning to the use of health information technology and the use of EHRs to improve the safety, quality, and efficiency of patient care. Specific standards must be met to receive incentive pay. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
200
This is the person who is assigned to plan how to protect ePHI during a disaster or security breach. They try and prevent security breaches.
Who is the security officer? We have appointed a security officer who manages and coordinates the contingency plan. We also determine who has access to data and who will help restore it. All staff has a responsibility to protect PHI though, it is a team effort. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
200
This rule requires that the media be notified if more than 500 patients are impacted by a security breach.
What is the HITECH Breach Notification Rule? A breach compromises the security or privacy of private patient information to unauthorized persons. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
200
Encryption and authentication are two primary ways of this.
What is protecting ePHI? These measures help to prevent access to ePHI by unauthorized individuals. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf
200
HIPAA Security Rule does not apply to this person and they may send information using unsecure routes.
Who is the patient? A patient has sent you an email containing private health information and you are worried that you have broken HIPAA regulations by receiving the email. No, HIPAA Security Rule does not apply to the patient and they may send information using unsecure routes. The information becomes protected once it is received by you. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
200
CMS has broken down Meaningful Use guidelines into these.
What are stages? The stages build upon each other and have criteria for quality improvement of technology systems. The stages are meant to keep the program from imposing an unnecessary burden on healthcare providers and make it more manageable. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
300
This is a way of determining that the contingency plan is effective before actual use.
What is a test run of the contingency plan? Without proper testing, ePHI may be lost during a disaster because the plan was ineffective. https://www.training-hipaa.net/hipaa-contingency-plan/ and https://www.hhs.gov/ocio/eplc/EPLC%20Archive%20Documents/36-Contingency-Disaster%20Recovery%20Plan/eplc_contingency_plan_practices_guide.pdf
300
This is how long healthcare providers have to notify effected individuals of a security breach.
What is 60 days? In addition to notification requirements, providers must also have policies in place regarding the notification procedures as well as staff training on necessary compliance. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html
300
This is a way that providers can regularly assess the encryption their devices.
What is conducting audits? Audits should include a comprehensive protocol to assess compliance. Improvements can be made as possible weaknesses are identified. http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html and https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
300
These are great resources for providers and staff for understandig a contingency plan and preparing for possible cyber-attacks.
What are CDC website, National Institute of Standards and Technology, and The department of Health and human services? These organizations as well as others offer educational resources and tools to help providers and hospitals understand and plan for privacy and security risks in their practices. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
300
When updating to new computer systems to meet meaningful use guidelines, this is what is done with the old devices.
What is destroy all ePHI on device before disposal? The Department of Health and Human Services (HHS) has issued protocols for destroying ePHI which makes the information unusable, unreadable or indecipherable to unauthorized individuals. Proper destruction methods can include clearing, purging, or physically destroying the media. https://www.healthit.gov/providers-professionals/faqs/can-you-reuse-or-dispose-mobile-device-has-stored-health-information-it
400
This needs to be done regularly, especially after staff turn over or after any changes are made to systems or policies.
What is contingency plan updates? The contingency plan needs to be regularly reviewed and updated to ensure proper safety measures are in place. https://www.training-hipaa.net/hipaa-contingency-plan/ and https://www.hhs.gov/ocio/eplc/EPLC%20Archive%20Documents/36-Contingency-Disaster%20Recovery%20Plan/eplc_contingency_plan_practices_guide.pdf
400
This notice informs patients on how we use and disclose their health information.
What is a Notice of Privacy Practice (NPP)? Providers must distribute a notice of privacy practice which describes an individual’s rights regarding personal health data in addition to other necessary information. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
400
This is electronic personal health information (ePHI) that is encrypted and is unable to be accessed by an unauthorized person.
What is secure PHI? The information is encrypted and the encryption has not been breached based off of regular audits. Paper with PHI should be properly shredded and other media is properly stored or destroyed. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
400
This refers to ways to prevent, detect, and respond to attacks or unauthorized access against a computer system and its information.
What is cybersecurity? We use a cybersecurity framework to help reduce and manage cybersecurity risks to our facility. The National Institute for Standards and Technology (NIST) published a framework for improving cybersecurity and explains that it is a shared responsibility. https://www.healthit.gov/providers-professionals/cybersecurity-shared-responsibility
400
Meaningful Use guidelines require the ePHI to be protected. Examples of this type of protection include physical, administrative, technical, policies/procedures, and organizational requirements.
What is security safeguards? Safeguards are put into place to decrease security risks. Safeguards can be implemented based on our regular risk analysis results. https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
500
This information is stored in a secure and approved offsite location.
What is routine backups? Routine backups are stored offsite in case of a natural disaster which could destroy ePHI. This establishes procedures for obtaining and maintaining exact copies of electronic health records. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
500
This group oversees Meaningful Use programs.
What is CMS? Meaningful Use programs are designed to encourage facilities to adopt an EHR system through stages while also meeting privacy and security standards. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf and www.cms.gov
500
This is an analysis that is an ongoing responsibility for our practice.
What is security risk analysis? Our facility is responsible for updates and system improvements as possible weaknesses as areas for improvement are identified in order to adequately protect PHI. https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
500
This is the leading reason in 2016 for exposed or exploited PHI.
What is loss of a device? Lost or stolen devices accounted for 78% of exposed patient records in 2016. This means that our protocols regarding proper storage and handling of our devices that contain PHI are absolutely crucial and must be followed. http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
500
Every 90 days in the first year and each calendar year for subsequent years.
What is how often a security risk analysis of the EHR must be performed to meet Meaningful Use guidelines? Meaningful Use reviews are required for each EHR reporting period in order to determine what stages have been met. This includes examining what security measures are in place. https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf and https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3347738/
M
e
n
u