
TRAINING ON PRIVACY AND SECURITY

OF ELECTRONIC HEALTH INFORMATION


TABLE OF CONTENTS
1. INTRODUCTION
2. WHAT IS HIPAA
3. WHAT IS PHI / ePHI
4. ePHI IDENTIFIERS
5. PURPOSE OF HIPAA
6. HIPAA SCOPE
7. HIPAA SCOPE PERTAINING TO AXELLIANT
8. HIPAA REQUIREMENTS
9. PRIVACY RULE
10. SECURITY RULE
11. BREACH NOTIFICATION RULE
12. BREACH NOTIFICATION PLAN
13. POLICIES, PROCEDURES & PLANS
14. TECHNICAL SOLUTIONS
15. HIPAA VIOLATIONS
16. PENALTIES FOR VIOLATION OF HIPAA RULES
1. INTRODUCTION
2. WHAT IS HIPAA

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

HIPAA is a federal law enacted in the United States in 1996. Its primary purpose
is to address various healthcare-related issues, including health insurance
coverage, portability of health insurance, and the privacy and security of
individuals' protected health information (PHI).
3. WHAT IS PHI / ePHI
PHI - PROTECTED HEALTH INFORMATION
ePHI - ELECTRONIC PROTECTED HEALTH INFORMATION
• Protected health information (PHI) is any information in the
medical record or designated record set that can be used to
identify an individual and that was created, used, or disclosed
in the course of providing a health care service such as diagnosis
or treatment.
• It must be protected no matter how or where it is collected,
transmitted, or stored and cannot be disclosed without the
patient’s knowledge or consent.
4. ePHI IDENTIFIERS
THE OFFICE OF CIVIL RIGHTS (OCR)
5. PURPOSE OF HIPAA
• The purpose of HIPAA laws is to establish a set of national standards
regarding the use of health data. Additionally, these laws hold
healthcare providers and insurance companies accountable for the
ways in which they use PHI.
• HIPAA regulations have been adapted to focus on patient rights in a
digital world. As the number of cyber attacks continues to increase,
HIPAA laws help protect both providers and patients from data
breaches.
6. HIPAA SCOPE
• HIPAA applies to all healthcare facilities, healthcare providers, and
healthcare clearinghouses (insurance and billing companies) who transmit
PHI electronically. These businesses are referred to as “covered entities.”
• HIPAA requirements also extend to the relationships between covered
entities and their vendors (“business associates”), particularly those that
handle PHI or other sensitive data.
• Technology-based business associates include companies that create and
manage electronic health record systems, prescription management
programs, and billing software. These companies contract directly with
covered entities and are therefore subject to HIPAA requirements.
7. HIPAA SCOPE PERTAINING TO AXELLIANT
• Software developers, system and business analysts, UI/UX designers,
software testers and all other roles involved in the software
development and maintenance.
• Network engineers responsible for maintaining the network,
implementing security, and managing computers and other IT
equipment.
• Management in direct chain of command.
• Any other personnel exposed to PHI in the performance of their duties.
8. HIPAA REQUIREMENTS
a) Privacy Rule
b) Security Rule
i. Administrative Safeguards
ii. Technical Safeguards
iii. Physical Safeguards
c) Breach Notification Rule
d) Enforcement Rule
9. PRIVACY RULE
• Privacy Rule applies to Protected Health Information in any format.
• The HIPAA Privacy Rule protects an individual’s health information and other
identifying information by limiting the permissible uses and disclosure of such
information by “covered entities” and “business associates” without an individual’s
authorization. The information cannot be used for purposes other than those for
which it was collected without first providing patients with a clear notice informing
them of their right to opt-out of such use and how they may do so.
• The rule also gives individuals the right to request copies of their information and
request corrections when omissions or errors exist.
• Business Associates may also be required to comply with the Privacy Rule
depending on the service being provided.
9. PRIVACY RULE (Contd.)
• Covered entities and business associates must establish safeguards
to deter unauthorized PHI access. This includes physical measures like
alarm systems and locks, technical measures like access controls and
encryption, and administrative measures like security management
processes and designated security personnel.
• Breaches of unsecured PHI must be reported to the individuals
affected, the Secretary of Health and Human Services, and in certain
circumstances, to the media.
10. SECURITY RULE
• The Security Rule applies only to ePHI.
• The HIPAA Security Rule consists of regulations, standards, and
implementation specifications that have the objective of ensuring the
confidentiality, integrity, and availability of electronic Protected Health
Information (ePHI) created, collected, maintained, or transmitted by
covered entities, business associates, and other organizations subject to
HIPAA compliance.
• All organizations subject to HIPAA must comply with the “applicable”
Security Rule regulations, standards, and implementation specifications.
Therefore, the Security Rule must be followed by anyone who works with
electronic Protected Health Information (ePHI).
10. SECURITY RULE (Contd.)
• The Security Rule requires covered entities to maintain reasonable and
appropriate administrative, technical, and physical safeguards for
protecting ePHI. Specifically, covered entities must:
o Ensure the confidentiality, integrity, and availability of all ePHI they create, receive,
maintain or transmit;
o Identify and protect against reasonably anticipated threats to the security or integrity of the
information;
o Protect against reasonably anticipated, impermissible uses or disclosures; and
o Ensure compliance by their workforce.

• The Security Rule also provides standards for ensuring that data are
properly destroyed when no longer needed.
10. SECURITY RULE (Contd.)
• Assign Security Officer
• Risk Analysis and Management
• Administrative Safeguards
o Security Management Process
o Security Personnel
o Information Access Management
o Workforce Training and Management
o Evaluation
• Physical Safeguards
o Facility Access and Control
o Workstation and Device Security
• Technical Safeguards
o Access Control
o Audit Controls
o Integrity Controls
o Transmission Security
• Organizational Requirements
o Covered Entity Responsibilities
o Business Associate Contracts
• Documentation of Policies and Procedures
11. BREACH NOTIFICATION RULE
The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA
covered entities and their business associates to provide notification following
a breach of unsecured protected health information.
Submitting Notice of a Breach to Customer
Axelliant must notify the customer if it discovers a breach of unsecured protected health information. If a breach of
unsecured protected health information occurs at or by an Axelliant workforce member, Axelliant will notify the customer
following the discovery of the breach.
• Breaches Affecting 500 Or More Individuals
If a breach of unsecured ePHI affects 500 or more individuals, Axelliant will notify the customer of the breach without
unreasonable delay and in no case later than 15 calendar days from the discovery of the breach.
• Breaches Affecting Fewer Than 500 Individuals
If a breach of unsecured ePHI affects fewer than 500 individuals, Axelliant will notify the customer of the breach within 30
days of the breach or before the end of the calendar year in which the breach was discovered, whichever comes first.
• Breaches Affecting Unknown Number of Individuals
If the number of individuals affected by a breach is uncertain at the time of submission, Axelliant will provide an
estimate, and, if it discovers additional information, submit updates.
12. BREACH NOTIFICATION PLAN
(Flowchart, recovered as a sequence of steps)
• Incident detection by a workforce member.
• Incident reporting to the team lead / manager.
• Escalation to the Security Officer, who applies the Data Breach Incident Response and Notification Plan.
• Evaluation by the Security Officer: is this a data breach?
o YES: investigation, data gathering, documentation and logging; report the breach to management; notify the customer; close the case.
o NO: incident/violation assessment, documentation and logging; recommend measures; close the case.

13. POLICIES, PROCEDURES AND PLANS
POLICIES
• Risk Register
• Sanctions Policy
• Access Control Policy
• Logs Maintenance Policy
• User Login and Password Management Policy
• Data Backup Policy
• Incident Response and Management Policy
• Policies & Procedures Documentation Review and Update Policy
PROCEDURES, PLANS & RECORDS
• Access Control Procedure
• Logs Maintenance Procedure
• User Login & Password Management Procedure
• Emergency Mode Operation Plan
• Data Backup Procedure
• Emergency Access Procedure
• Incident Response and Management Plan
• Facility Security Plan
• Disaster Recovery Plan
• Physical Access Control & Maintenance Records
• Contingency Operations Plan for Facility
• Applications and Data Criticality Analysis Procedure
14. TECHNICAL SOLUTIONS
• Regular Security Updates
• Anti Malware
• Device and Media Controls
• Media Re-use
• Accountability
• Data Backup and Storage
• Login Monitoring
• Unique Usernames
• Password Management
• Encryption and Decryption
• Automatic Logoff
15. HIPAA VIOLATIONS
• The failure to comply with HIPAA rules is considered a violation
of HIPAA – even if no harm has resulted.
• A HIPAA violation occurs when a member of the workforce fails to
comply with any standard in the Privacy, Security, or Breach
Notification Rules. It is not necessary for a breach to occur in order for
there to be a HIPAA violation.
• Examples
o Impermissible disclosures of PHI
o Failure to implement safeguards to ensure confidentiality, integrity, and availability of PHI
o Failure to implement access controls to limit who can view PHI
o Failure to provide security awareness training
o Sharing of PHI online or via social media without permission
o Failure to maintain and monitor PHI access logs
16. PENALTIES FOR VIOLATION OF HIPAA RULES
(ENFORCEMENT RULE)
• The penalties for violations of HIPAA rules depend on the
nature of the violation, the level of culpability, how much harm was
caused by the violation, and the efforts made by the Covered Entity
or Business Associate to mitigate the breach or its impact.
• With penalties carrying fines of up to $50,000 per violation and/or
potential jail time and criminal charges for Willful Neglect,
employees need to understand the different levels of infractions
and how they can affect both themselves and the company.
QUESTIONS?
THANK YOU