StudentShare
Contact Us
Sign In / Sign Up for FREE
Search
Go to advanced search...
Free

HIPAA Risk Analysis of Security Incident Procedures - Essay Example

Cite this document
Summary
This work "HIPAA Risk Analysis of Security Incident Procedures" describes administrative safeguards, the position of security incident procedures. It is clear HITAA prescribes the regulations since all the standards have a specific way that they are supposed to be dealt with. The author outlines the benefits of information technology documentation…
Download full paper File format: .doc, available for editing
GRAB THE BEST PAPER96.7% of users find it useful
HIPAA Risk Analysis of Security Incident Procedures
Read Text Preview

Extract of sample "HIPAA Risk Analysis of Security Incident Procedures"

Topic: HIPAA risk analysis of security incident procedures The Health Insurance Portability and Accountability Act The Health Insurance Portability and Accountability Act of 1996 (HIPAA) that was passed by the United States congress and consequently signed by the then President Bill Clinton in 1996 has two titles that deal with issues in the health insurance sector. The first title aims at protecting health insurance for employees and their families if they change from one job to another or if they lose their jobs altogether. The second title is also referred to as the Administrative Simplification provisions prescribes the formation of national standards for the health care transactions that are electronic and also some identifiers for the health insurance plans and the employers. This act also maintains a right to privacy to the people that are between the age of twelve and eighteen and they health insurance provider must get a consent from the person that is affected before disclosing any information about the healthcare that they sought even to the parents. Security incident procedures (SIP) The HIPAA has administrative safeguards that state that the entities that are covered are supposed to implement policies and measures that will be used to address any issues that are related to security. The security further describes a security incident as an effort that is made or a successful access to use or disclosure and modification or destroy the information in a manner that is not authorized and also the interference with the operations of the system in information systems. The regulations go further to state what an information system is by stating that it is an interconnected set of resources that deal with information that are all under the direct administration control and share the same nature of functionality. The system will in the normal circumstances be comprised of hardware, software, information and raw data to be processed, applications that will process this data, communications and the people that will utilize these systems. The standard is defined by a single implementation directive or specification that is the “response and reporting” which includes three steps. To start with there is the process of identifying the responding to the suspected or known incident of security, then there is mitigating the destructive outcomes of these security incidents that are known or are being suspected to the extents that are attainable. Lastly the incidents and the outcomes that came as a result of these incidences are documented. Intent of the SIP The overall purpose of the SIP is to provide a documented report and procedures that are formal which will be used in the response to security violations so that they can be reported and taken care of as fast as possible. The documentation process and the responses that are to be taken will be dependent on the nature of the security violation and will be specific to particular situations based on the entity of the environment and the information that is involved. DHHS (Final Rule, p.101,102). Here it only addresses the cases that involve internal reporting and response to these situations and does not address the external reporting since they will be regulated by business or legal rules like the requirements of the state law although the security incident documentation for this must remain available. Regulation and the implementation of SIP February 20, 2003 was the day the Final Rule on Security Standard was issued and consequently it started being applied on the 12st of April the same year with the prescribed date of compliance being the 21st of April 2005 for most of the entities that were covered and a year later for those that had plans that were smaller. This rule was developed to work with the privacy rule where the privacy rule deals with all the Health Information that is protected including those that are either recorded on paper or employ electronic recording, while the security rule deals particularly with the health information that is electronically protected. It recommends three types of security measures that are needed for compliance the administrative, the physical and technical areas. For each of these categories, the rule recognizes certain standards where it clearly defines the implementation specifications that are required and those that can be addressed. The specifications that are required must be accepted and administered in the manner that the rule states while the addressable specifications have a more flexible characteristic. The entities that are covered individually are given the power to assess their particular position and consequently make a decision on which is their preferred way of implementing this specifications that are addressable though some people have raised concern that this flexible nature may provide too much latitude to the entities that are covered. Administrative procedures The standards and the specifications entail having administrative procedures that are meant to come up with policies and procedures that are made to define clearly how the entity will be able to fulfill the act. These entities that are covered are required to comply with the HIPAA regulations through adopting a written set of rules that state the privacy procedures to be followed and entitle a privacy officer to take care of the process of coming up with the needed policies and resources and subsequently applying them. The policies and procedures are supposed to unmistakably categorize employees or the classes of employees that will be granted the access to the electronic protected health information and this access is supposed to be regulated and restricted to those employees that must look at them so that they can be able to do their work. These procedures must look at the authorization, establishment, modification and the termination of the information that is concerned and the entities must demonstrate that an elaborate program for training on how PHI is handled is being given to the employees that are responsible for performing health plan administrative functions. The covered entities that get some of the business processes by out-sourcing to a third party are required to certify that the party that they are dealing with has structure in existence that will act within the regulations of the HIPAA. The clauses that are in the contract that state that the vendor will comply with the data protection regulations that are being practiced by the covered entity should be present in the contract that will bind the two companies. The covered entity should very vigilant to find out if the vendor that is giving services also out-sources any data handling functions to other vendors so that it can be known if these vendors follow the same regulations that the covered entity follows that are required by the HIPAA. An emergency plan that will be used to respond to any eventualities should always be present so that it can be used to respond to any emergencies that arise. It is the responsibility of the covered entity to make sure that their data has a backup and that there are disaster recovery procedures that exist. This emergency plan should be able to define the priority of data and analyze the any failures that may occur while at same time stating the testing activities that can be undertaken and the change control procedures. There should also be internal audits which are vital in HIPAA compliance as they are used to review operations with the aim of pointing out the possible sources of security violations. The policies and procedures that are present should particularly define the depth, the number of times and the processes that will be used when taking audits as they should take place regularly and also when the circumstances dictate. The procedures should clearly state the guidelines that will be needed to address and respond to any security breach that will be pointed out as the audit goes on or when the normal day to day operations are being carried out. Physical safeguards These are put in place so that physical access can be regulated so as to avoid cases of unwarranted access to the data that is protected. This controls are supposed to guide any addition or removal of hardware from the network and when any part of the equipment in the network needs to be replaced for one reason or another, the method that will be used disposed should guarantee that PHI will not be compromised. Any access to the equipment that contains any health information is supposed to be cautiously regulated and supervised and right to use hardware and software that is connected to the network should be a preserve of the people that are authorized to use them to avoid any breaches from the people that are unauthorized. The required access controls are supposed to incorporate the facility’s plans for security, records that are kept when maintenance takes place, the records of the visitors that went in and the people that went in with then if any. The correct use of the workstations should also be addressed by the policy and they should be kept in places that will not experience a high traffic of people at the same time making sure that the screens cannot be seen directly by the people that are not supposed to have access to them. Training of any contractors or agents that the covered utility decides to employ is supposed to take place so that these contractors or agents can learn the physical access responsibilities that are part of the policy. Technical safeguards These are put in place so that they can be able to regulate the right to use of the computer systems and to allow the covered entities to safeguard the communications that carry PHI that are transmitted electronically using open networks from being captured and received by any other party that is not the intended recipient. The systems that hold the PHI should be safeguarded from any interference and disturbance by making sure that if the information is sent over networks that are open they are subjected to encryption but if there is a closed network then the access controls that are in place can be trusted to prevent any intrusion as the work sufficiently. All covered entities have the responsibility of guaranteeing that the data that they have in their systems is not modified or deleted in a way that is not permitted and data integrity must be taken seriously using things like check sum and digital signatures to achieve this. It is the obligation of the covered entity to make sure that the entities that they have communications with are the genuine and intended entities and this authentication will entail confirming the identity of the other entity by the use of passwords telephone or token systems that will be available for the genuine entities only. They are also required to avail certification of their HIPAA practices to the government so that it can be able to verify if they are complying. The information technology documentation is supposed to cover the policies and procedures and the access record while including a record that is written which has all the arrangement setting of the constituents that are in the network since these components are dynamic and intricate. Risk analysis and risk management should be documented and availed by the covered entity and they should cautiously contemplate the risks that their systems face as they put up systems that will conform with the act while taking all precautions necessary (U.S. Department of Health & Human Services, n.d.). Conclusion This rule will not favor small providers since they will be forced to employ HIT consultants so thet they can be able to conform to the regulations that HITAA prescribes since all the standards have a specific way that they are supposed to be dealt with. This makes it unfair for thes small providers as the will have to incur the extra cost so that they can be able to comply. References U.S. Department of Health & Human Services. (n.d. )Summary of the HIPAA Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html Read More
Cite this document
  • APA
  • MLA
  • CHICAGO
(HIPAA Risk Analysis of Security Incident Procedures Essay, n.d.)
HIPAA Risk Analysis of Security Incident Procedures Essay. https://studentshare.org/health-sciences-medicine/1811358-hipaa-risk-analysis-of-security-incident-procedures
(HIPAA Risk Analysis of Security Incident Procedures Essay)
HIPAA Risk Analysis of Security Incident Procedures Essay. https://studentshare.org/health-sciences-medicine/1811358-hipaa-risk-analysis-of-security-incident-procedures.
“HIPAA Risk Analysis of Security Incident Procedures Essay”. https://studentshare.org/health-sciences-medicine/1811358-hipaa-risk-analysis-of-security-incident-procedures.
  • Cited: 0 times

CHECK THESE SAMPLES OF HIPAA Risk Analysis of Security Incident Procedures

Safe Cannulation: Procedure & Risks

Learning Objectives Select the appropriate equipment for procedures Identify own professional responsibilities in relation to these procedures Demonstrate an understanding of normal anatomy and the physiology of the arm when selecting appropriate sites for cannulation Follow infection control guidelines when performing the procedure (hand hygiene and skin preparation) Identify complications, causes, and treatments Demonstrate correct technique for cannulation insertion Discuss the importance of documentation and post-cannulation care Equipment Tourniquet Sharps bin 5ml syringe Sterile container Cleansing wipes Cannulas Clean gauze/sterile dressing (Cole, 2008)....
4 Pages (1000 words) Essay

Risk Management

Another crucial method of preventing employee theft while operating a cash drawer is to always be aware of the cash in the inventory, store, security, and staff behaviors at all times.... In this way, an employer is able to prevent any sort of losses through employee theft since security is intensive (Fennelly 50).... Piecing together a system that allows advent and regular inspection of largely what goes around the store facilitates security and prevents shoplifting in places where they use cash drawers (Ramsey and Ramsey 68)....
4 Pages (1000 words) Research Paper

Hipaa, How it may affect me in a doctor office

eep the conversations on phone privateHave to be discrete when calling out patients nameEnsure that the charts of the patients are kept confidentialFollow the policies set while handling requests from the patirentFollow procedures set by the hospitalParticipate in the trainings about HIPAA (Osborne, 2002)It is clear from the above discussion how HIPAA affects me while working in the doctor's office.... Also I must comply with the personnel and security management systems in the hospital....
2 Pages (500 words) Essay

New Policy Statements- HIPAA

Although the present policy of the company ensures high level of security but still it should structure a new policy.... eviewing the Policy The organization or company whose policies regarding information security need to be reviewed is in the business of insurance and deals with health insurance.... ccording to the new information security policy statement of Heart-Healthy Insurance a fresh user should be provided access only after meeting the above mentioned security standards laid down in the policy statement....
2 Pages (500 words) Assignment

HIPAA - Compliant Standardization

As mentioned above, HIPAA is a collection of security rules that aim at protecting the patient's information.... It should be done by using a series of procedures and mechanisms that aim at restoring the confidentiality, availability and integrity of the information.... That is to say, adherence to the procedures and the law ensure that the information may be or may not be disclosed.... My responsibilities include ensuring… I also identified three critical HIPAA security policy requirements, which included confidentiality, availability and integrity of the stored data. In order to ensure compliance, I would do a thorough HIPAA Compliance HIPAA Compliance It is the prime goal of every health facility and related projects to comply with the HIPAA regulations....
2 Pages (500 words) Essay

HIPPA and Technology

ap Analysis: To bring current policies and procedures at the level of the latest regulations, providers and associates need to conduct a risk analysis to evaluate gaps in policies and procedures.... ncryption Technology: All parties need to use encryption technology on portable devices to minimize the risk of exposure.... “The use of electronic systems to ensure the comprehensive collection of patient demographic data, including, at a hipaa guidelines and use of technology There are several hipaa rules that address the use of iPhones and iPads....
1 Pages (250 words) Essay

Security Standards: Technical Safeguards

According to the paper, HIPAA provides national standards so that it can “protect the privacy and security of health information” and gives individuals the rights in relation to their health information (United States Department of Health and Human Services, 2007).... IPAA information privacy establishes standards so that it can protect medical records and the related health information that applies to the entities involved who transact or communicate electronically  HIPAA provides national standards so that it can “protect the privacy and security of health information” and gives individuals the rights in relation to their health information[Sec07]....
1 Pages (250 words) Essay

Training Plan of HIPPA

hellip; From this paper, it is clear that risk analysis involves the small medical office having the ability to review the operational system's ability for the organization in a bid to understand the risk factors that the running of the Information Technology systems faces in a bid to avoid all types.... risk analysis involves the small medical office having the ability to review the ability of the operating system for the organization in a bid to understand the risk factors that the running of the Information Technology systems faces in a bid to avoid all types....
3 Pages (750 words) Assignment
sponsored ads
We use cookies to create the best experience for you. Keep on browsing if you are OK with that, or find out how to manage cookies.
Contact Us