Hello again and welcome to the Hcs PP certification course with Sai Buri. I'm so happy you're here for security definitions and concepts. Part three.
My name is Shalane Hutchins and I'm your instructor.
In this video, we're gonna talk about segregation of duties least privilege, more about business continuity and data retention and destruction.
Segregation of duties is the method of reducing
the risk of accidental or deliberate misuse of the system.
How you're saying, Well, let's talk it out.
Separating the management or execution of certain duties or areas of responsibility
is key in reducing the potential opportunities for misuse or unauthorised modification of information or services.
Care must be taken so that no single person can perpetrate fraud in areas of single responsibility without being detected.
The easiest scenario to consider this concept is within banking or finance.
To have one person responsible for collecting, storing and reconcile it finances is a recipe for fraud. In this series,
segregating duties between multiple people reduces the risk of collusion and fraud
When it comes to information technology. Those systems that maintain finances or purchase orders or any sensitive data creates an opportunity for misusing collusion, segregation of duties is a security concept and a control to mitigate that.
Okay, let's talk about least privilege. It's just a zit sounds Onley, allowing someone to have just the privilege they need
to do the job. They're responsible to do it.
The minimum necessary standard requires covered entities to evaluate their practices and enhanced safeguards as needed to limit unnecessary or inappropriate access to and disclosure of personal health information.
The privacy rules requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity.
The privacy rule generally requires covered into teas to take responsible steps and reasonable steps to limit the use or disclosure of
and requests for protected health information to the minimum necessary to accomplish the intended purpose.
the minimum necessary standard does not apply to the father
does not apply to disclosures to or requests by a health care provider
for treatment purposes. So if a doctor needs the information to to provide treatment,
the minimum necessary does not. Why
disclosures to the individual who is the subject of the information
so patients have access to all the information,
uses or disclosures made pursuant to an individual's authorization.
So if a patient has not provided authorization or has given authorization,
um minimum necessary does not apply
uses or disclosures required for compliance with HIPPA. Administrative simplification rules.
And it does not acquire to disclosures to the HHS when disclosures required for enforcement purposes and uses or disclosures that are required by other loss.
Business continuity is very closely related to business contingency and disaster recovery.
Sometimes the terms are used interchangeably.
However, the one key distinction of business continuity
how a business continues during and after a significant disruption.
Once again, we're currently experiencing a worldwide pandemic. Look Cove in 19
Business continuity is how covered entities, critical systems and processes are able to continue
during this sustained disruption
on a national level within the United States, we suffered a shortage of personal protective equipment for our frontline workers due to the initial spike in the cove. It 19 virus
hospital systems were at or above their limit to handle the large number of patients, and states began to issue stay at home orders to help slow down the spread of the fires.
As social distancing began to have the effect of slowing down the sprint so that hospital systems could vanish the number of patients.
As businesses began to reopen hospitals Air still tasked with being prepared for another spike with newly infected patients,
many covered entities began to leverage their business continuity plans. The pandemic situation will not be over any time soon and will likely last a year or more until a vaccine is created and administered broadly enough to slow down the effects of the virus.
Business continuity should be a part of the security policy and program.
The main reason to have a BCP is to reduce the risk of financial loss by improving the hospital's ability to recover and restore operations and mitigate the effects of the disaster for emergency situation.
Make sure to review the information around disaster recovery plans and business continuity plans within the supplemental materials to gain an understanding of the various background backup methods.
Mandated retention and destruction is the act of story
and destroying data in accordance with the records management framework that meets legal and business data storage requirements.
The hip a security rule requires that covered entities implement policies and procedures to address the final disposition of electronics, PH. I and or the hardware or electronics media that it is start on, as well as having procedures for removal of data from media
In general, examples of proper disposal methods may include, but are not limited to,
P. H I and paper records by shredding, burning pulping or polarizing the records. So the pH eyes rendered unreadable,
indecipherable and cannot be reconstructed.
Maintain label prescription bottles and other pH. I in opaque bags in a secure area. And using a disposal vendor as a business associate to pick up and shred or destroy the pH i
E. Ph. I on electronic media by clearing or using software to override it. Purging or dig housing, destroying the magnetic domains or destroying the media via shredding, melting, polarizing or incinerating.
Those are examples of proper disposal methods that may be included in your data retention and destruction program.
Well, that's it. Friends we've cover. It's segregation of duties, least privilege, business continuity and data retention and destruction. Stay tuned for the next video on privacy principles