1.4 What is HIPAA Part 3

Video Transcription
Hey, everyone, welcome back to the course. So in the last video we talked about the privacy rule and took a pretty deep dive into it, too, so you can fully understand what it's used for. In this video, we're gonna talk about the security rule.

Now again, the differentiating factor, the main factor that's different between the two, is the security rule is gonna cover your electronic PHI, your electronic protected health information. So definitely remember that, especially if you're taking some kind of HIPAA test through your employer, if you see a question around that on there. Again, I'm not giving you answers to a test, 'cause there's many different tests out there. But just understand again, the security rule is for electronic PHI.
Now with that, it's gonna outline three different types of safeguards. So we've got administrative safeguards, physical safeguards and then technical safeguards. So administrative safeguards, what are those? So basically, those are gonna be things like your written policies and procedures. So things that designate, like, a privacy officer, and most health care companies have this in some capacity. They write out and say, you know, the director of nursing is our privacy officer, or, you know, this person in accounting is the privacy officer. I don't know why you'd do that, or, more commonly, it's somebody in the QA department that is the privacy officer, or an attorney is the privacy officer, etcetera. It could basically be anybody, but there's somebody that's kind of in a senior level type of position that would be deemed as the privacy officer, and so they would be the one developing and implementing any required policies and procedures.

Now the procedures themselves have to identify the classes of employees that are gonna have access to electronic protected health information and restrict it, so again, restrict it to only those employees who need it to complete their job function. So let's say that I'm the janitor, right? I don't really need any access to PHI to go ahead and empty the trash and clean the rooms. I don't realistically need that, right? Now, you're still gonna have me sign, like, HIPAA stuff and put me through HIPAA training, because I may come across it. I may accidentally go in a room, start cleaning (I will not accidentally clean it, but I may go in the room), and then I accidentally see, because the nurse left a computer screen up of some patient's chart, I might actually accidentally see some information. So obviously I'm gonna have to have the training and have to sign some waivers. But I won't necessarily have to be a person that's specified in the policy or in the procedure, because I'm not gonna be that class of employees that would have access to that information. Now, I still may be specified. They still may say, hey, the janitorial crew, you know, may inadvertently have access to protected health information, and so we make them sign, you know, a certain waiver or whatever.
The procedures that are developed also need to address the access authorization, establishment, modification or termination of the PHI. And then also, what entities have to do is they have to show appropriate ongoing training for the handling of PHI. So anyone that's worked in a hospital, for example, or a doctor's office, you know that, generally speaking, you have to do annual HIPAA training, and so you go watch some videos like this course or whatever, you look at some documents, you sign off saying yes, I know everything about it. But now, you know, you take the test, you pass it. If you don't pass it, you have to go back through the training, usually. But basically, the security rule under the administrative safeguards, that's where it actually specifies that you have to develop that as an organization. You have to develop that ongoing training.

It also specifies, as an administrative safeguard, so the policy is gonna have to specify, that you've got to back up your data, right? And then also, you gotta have disaster recovery procedures in place. So that way, if something happens to your data or if we've got a natural disaster, hopefully you've backed up stuff to the cloud, so you could still access that data at some point.

We've also got established internal audits, so that way, you know, operations can be reviewed. And again, the goal with that, the overarching goal, is to find out if we've got any type of violations of HIPAA, so we can make those corrections before Health and Human Services finds those violations and charges us a lot of money.

And then also the procedures, so the administrative safeguard procedures, should specify instructions for addressing and responding to security breaches. So think of things like your incident response plan. That's where that would be encompassed, under the administrative safeguards. Now, I've never actually seen a HIPAA test that goes that in depth on it. But maybe for IT personnel it might; um, your organization may require that. Basically, if you get that type of question, your incident response plan would generally fall under the administrative safeguards area.
Your physical safeguards. So obviously, most people could figure out we want to put a security guard in place, as pictured here. We want to put locks on doors, that sort of stuff. So the physical safeguards would cover the physical access to the protected data. So that's, you know, can I go in and just grab your computer and run out, or is it bolted to the wall? You know, where are your computers at? Can I physically access stuff? Can I go onto the floor even? Are the doors locked, requiring, you know, a key card or something to get in, or do I have to buzz and somebody has to let me in? What kind of physical safeguards are in place?

We also want to control the physical removal of hardware and software from the network and make it limited to authorized individuals. So I don't want, like, somebody's family member able to get on the network and remove software from one of the computers, or run out the door with a computer, right? I don't want them to do that.

So, as part of the physical safeguards, we have to restrict the access to any equipment that contains health information, so we have to also monitor that as well. So most hospitals do this by having access control doors, right? They have cameras everywhere. They have people watching to see, you know, if somebody's running out the door with a computer, right? So we've got things in place in most organizations nowadays to cover this. But that's where the physical safeguards come into place.

Also, keeping monitors out of public view. So, uh, what you'll find is that a lot of times, in the olden days at least, and I could tell this from my own experience way back in the day as a nursing assistant (I'm not gonna tell you when, because that will date myself), a lot of times they would have computers where somebody, anybody, could walk by and see what's on that computer. So think of things now like, you know, screen locks, or just basically hiding the monitor. So using monitor screens, or just having the monitors all off to the side of, like, the nursing station, where, like, the average person can't just walk behind there, because there's usually somebody in there that says, hey, get out of here, you know? So I have actually tested that before, and they screamed at me, get out of here, you know? You know, they didn't say it like that, but they yelled, like, a "you can't be back here" type of thing. So, um, that's what we're talking about here. We're talking about not letting, you know, Joe Schmo come in there and look at the patient data. We just want to be mindful of where the monitor screen is facing.

And then also under the physical safeguards, make sure they're doing training, so, you know, contractors or any type of business associate, to make sure that they're following those same things, right? They're not letting some, you know, average person out there just walk by and look at the patient information on the computer screen. They're mindful of where the monitor is facing and making sure that nobody is standing behind them. Shoulder surfing is what it's called, to see what they're doing on the computer.
Now we have our technical safeguards. So, as the name implies, this is gonna be any type of protection from a data standpoint. So, you know, we want to protect anything, any computer system that's housing our PHI or transmitting our PHI. We want to protect that from intrusion. We don't want some criminal hacker stealing our data.

We also want to set specifications that the data we have can't be changed or erased in an unauthorized manner. So we don't want to just allow somebody to go in and erase all the data for, you know, Jane Doe's chart. Um, we want to make it, you know, basically against our policy, so that we are in compliance. Now, if it's an authorized change, right? So if we've got some kind of authorized change, like, oh, oops, I made a mistake on this or that, or I accidentally opened an extra note in the chart, then I need to set certain stipulations in place of, like, why is that an authorized removal of data.

We also wanna corroborate our data to make sure the integrity is there. So that's what corroboration is all about. So using things like a checksum, double keying, message authentication, digital signatures is probably the more common thing there. And basically, again, we're just doing the data integrity. So that way, if I send you an email, as an example, if I send you an email, you know the email actually is in the original state from me, or if I email you a document or something, you know that that's the original state of the document. So maybe I've protected it with a password, or, you know, I've digitally signed it in some capacity. So that way, you know it's the real thing that you get on your end.
The other thing for technical safeguards is that the entities must actually make their documentation, you have to make HIPAA practice documentation, available for the government. So if HHS comes in and they start looking around, you have to be able to say, like, look, you know, here's how we're complying with HIPAA, here's all our information about it, and here's all the technical safeguards that we have in place.

Also, the information technology documentation under the technical safeguards should include a written record of all your configuration settings. So your network topology, all this stuff, that should be documented. Now, of course, you're not just gonna leave that out there for somebody else to find, but you need to have that, so that way, if, like, HHS or another entity comes in, they could see that you're actually taking the appropriate measures under HIPAA.

And then you have to document your risk analysis and risk management programs. You have to document this stuff as well. Again, when we use the SRA tool a little later on in the course, we'll talk about risk assessment. We'll actually go through and do a risk assessment for a sample organization.

All right, so in this video, we talked about the security rule. In the next video, we'll go ahead and start talking about some of the common types of HIPAA breaches, and we're also gonna talk about the penalties related to both civil and criminal under HIPAA.
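The integrity corroboration point from the technical safeguards part of the lecture, as an added example (not part of the course or this transcript): a constructed patient record is protected with an unkeyed checksum and with a keyed HMAC tag, showing that the checksum flags a changed record while only the keyed tag lets a verifier tell an authorized, re-signed change apart from an unauthorized edit. The record fields, the key and the actor name are all made up for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample ePHI record for illustration only; not real patient data.
RECORD = {"patient_id": "EXAMPLE-0001", "allergies": ["penicillin"], "note": "Follow-up in 2 weeks"}
# Assumption: in a real system the key comes from a key store or HSM, never from source code.
KEY = b"hypothetical-integrity-key"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always produces identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 checksum: detects that stored data differs from what was recorded."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256 tag: only a holder of the key can produce a tag that verifies,
    so an edit made without authorization cannot be made to look legitimate."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(sign(record, key), tag)


def authorized_update(record: dict, tag: str, key: bytes, changes: dict, actor: str):
    """Apply an authorized change: verify the stored tag first, record who changed it, re-sign."""
    if not verify(record, tag, key):
        raise ValueError("stored record fails integrity check; refusing to update")
    updated = {**record, **changes, "last_modified_by": actor}
    return updated, sign(updated, key)


def demo() -> dict:
    tag = sign(RECORD, KEY)
    tampered = {**RECORD, "allergies": []}  # allergy entry erased without authorization
    updated, new_tag = authorized_update(RECORD, tag, KEY, {"note": "Resolved"}, "dr_example")
    return {
        "original_verifies": verify(RECORD, tag, KEY),
        "tampered_verifies": verify(tampered, tag, KEY),
        "checksum_changed": checksum(tampered) != checksum(RECORD),
        "authorized_update_verifies": verify(updated, new_tag, KEY),
    }


if __name__ == "__main__":
    print(demo())
```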