Posted: March 12th, 2023

Project 3

The human resources department is updating its HIPAA Basic Training for Privacy and Security course.

HIPAA Basic Training for Privacy and Security Course Topics

What is HIPAA?

HIPAA Privacy Rule

HIPAA Security Rule

Why HIPAA is Important

Safeguarding of PII and PHI and ePHI 

Disclosures of PII and PHI and ePHI

HIPAA, PII, PHI, and ePHI Definitions

BA Agreements

Potential Violations

Patients´ Rights

Breach Notifications

Reporting Procedures

Vendors and Contractors 

Policy Enforcement

Sanctions for Privacy and Information Security Violations

As a security analyst for the hospital, you have been tasked with covering the topics in the training related to the HIPAA Security Rule and the information that hospital staff need to know regarding personally identifiable information (PII), protected health information (PHI), and electronic protected health information (ePHI) to comply with federal regulations.

The deliverable for this assignment (due in Week 7) is a narrated PowerPoint presentation that provides definitions of HIPAA, PII, PHI, and ePHI, and describes the security measures required for compliance. 

Your narrated presentation should contain one to two slides for each of the following topics:

· HIPAA Security Rule 

· HIPAA, PII, PHI, and ePHI Definitions

· Safeguarding of PII, PHI, and ePHI 

· Disclosures of PII, PHI, and ePHI

To get started, review the learning resources below. 

Learning Resources

The following learning topics can help you identify what to include in your training presentation:  

· HIPAA

· Information Security Breaches

This resource provides instructions and tips for creating and recording a narrated presentation in Microsoft PowerPoint or Sway: 

· Presentation Resources

Health care isn’t the only industry that has special regulations and compliance requirements. This resource describes some important industry-specific requirements that you as an IT professional should be aware of.

· Industry-Specific Legal, Regulations, Investigations and Compliance

HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and, through its Administrative Simplification provisions, led to federal regulations that define how covered entities must secure patients' health information and that regulate its disclosure.

IT staff members should understand how HIPAA applies to their work so they can handle sensitive information correctly and demonstrate the organization's compliance with the law, protecting both patients and the organization (DNS Stuff, n.d.). Unauthorized access to or release of data can harm the individuals whose data has been compromised and expose the organization to fines and penalties (Ashraf, n.d.). Two IT-relevant aspects of HIPAA are the Privacy Rule and the Security Rule.

HIPAA Privacy Rule 

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Privacy Rule requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients specific rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections (HHS, “Privacy Rule,” n.d.).

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral (HHS, “Summary of the HIPAA Privacy Rule,” n.d.). The Privacy Rule calls this information “protected health information (PHI).”  PHI is information, including demographic data, that relates to:

· the individual’s past, present or future physical or mental health or condition, 

· the provision of health care to the individual, or

· the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (such as name, address, birth date, or Social Security number).

HIPAA Security Rule

The Security Rule (HHS, "Summary of the HIPAA Security Rule," n.d.) requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI). Specifically, covered entities must:

1. Ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit;

2. Identify and protect against reasonably anticipated threats to the security or integrity of the information; 

3. Protect against reasonably anticipated, impermissible uses or disclosures; and

4. Ensure compliance by their workforce.

Note that protected health information overlaps with the broader term personally identifiable information (PII), which the federal government uses to mean "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, Social Security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual," such as medical, educational, financial, and employment information (GAO, 2008). PHI is, in effect, the subset of PII that a covered entity or business associate holds and that relates to a person's health status, care, or payment for care.

References

Ashraf, A. (n.d.). PII and PHI overview: What CISSPs need to know. Infosec. https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/protecting-privacy/#gref

Department of Health and Human Services (HHS). (n.d.). The HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Department of Health and Human Services (HHS). (n.d.). The HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

DNSStuff. (n.d.). What is HIPAA compliance? https://www.dnsstuff.com/what-is-hipaa-compliance

United States Government Accountability Office (GAO). (2008). Privacy: Alternatives exist for enhancing protection of personally identifiable information. https://www.gao.gov/new.items/d08536

Learning Topic

Information Security Breaches



Under HIPAA, a breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information.

Covered entities (CEs) and business associates (BAs) are responsible for reporting breaches of unsecured protected health information (PHI). PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, encrypted in line with HHS guidance) is not "unsecured," so its loss alone does not trigger a notification obligation.

CEs and BAs that fail to comply with the HIPAA rules can face civil and criminal penalties.

Resources

The following link will take you to a document that will discuss breach notification, HIPAA enforcement, and other laws and requirements that an IT professional should be aware of:

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

 


Course Resource


Presentation Resources


A narrated presentation is for a specific audience to which you would ideally present in person or online in real time, but for practical reasons, you need to record for later viewing. 

Microsoft PowerPoint is the default tool for this assignment, but you may use another presentation platform as long as it supports prerecorded narration.

Preparing for Your Presentation


As with any project, it is good to begin by creating an outline. This will help you determine how many slides you will need to develop and how much information you will need to present on each slide. It should also help determine a logical order in which to present material.

Be sure to dedicate enough time to the narrated presentation to get the timing for transitions right, and ensure that the sound is clear and the narration is at the right volume. 

Creating Slides 


A good recorded presentation shares most of the same traits as a good live presentation. Your presentation should not be an academic paper cut into text-filled slides. You are giving a talk to an audience, so the narrative should provide most of your ideas and argumentation. Be sure the themes either flow or transition appropriately from slide to slide.

Here are some recommendations:

· Keep slides uncluttered by using brief bullet points—only a few key words each.

· An easy way to make your presentation look more appealing is to use one of the designs provided within PowerPoint.

· Adding images and/or clip art is another good way to add visual interest to your presentation, but don’t overuse slide transitions or animations, as these can be distracting.

· When you are citing sources of information on a slide, use a small font size so the citations don’t detract from the primary points.

· Be sure to proofread carefully: Any errors on a slide will be particularly noticeable because of the relatively small number of words.

· When you record audio for each slide, a loudspeaker icon will appear in the middle of the slide. You can drag this icon to a better position (often the bottom right corner of the slide) so it doesn’t interfere with the text.

Writing the Script


The script for your presentation can be a complete word-for-word documentation of what you intend to say as each slide is displayed, or it can be a much briefer set of notes to use as a reminder while you are recording to ensure that you cover all the points. The latter approach is preferable, because this makes it less likely that you will sound rushed or overly scripted when speaking. Keep in mind that if you were making the presentation in person, you would not want to be reading your comments; instead, you would want to make eye contact with the audience.

Here are some additional recommendations for your script:

· Try to keep the amount of narration to less than two minutes per slide. If you need to say more than that, create another slide so the audience doesn’t get bored.

· Make sure the script and what appears on the slide are closely related so the audience can easily follow what you have to say.

· Don’t simply read the material on the slide—add value by providing additional information.

Recording the Narration


At this point, you have created and saved slides as a PowerPoint presentation, and you have the script ready. Now it’s time to record the audio.

Here are a few general recommendations before you record:

· If you are using a computer to record, use a headset/microphone combination rather than using the computer’s built-in speakers and microphone for better audio quality. It isn’t necessary to spend a lot on a headset/mic (typically $20 or less), and you will be rewarded with better sound quality and less background noise.

· Make sure the headset/mic is installed and working. There are simple programs on both Macs and PCs that allow you to test whether recording is occurring and whether the sound quality is acceptable.

· Choose a quiet location to record so that background noise is minimal.

· When you begin recording, speak clearly and conversationally without rushing.

· Remember that it’s easy to redo the audio for a slide. If you’re not happy with the way it sounds, you can do it again.

· Once you have completed and narrated the presentation, it is a good idea to email the file to another computer. If you are able to watch and listen to the slide show successfully on the second computer, you will know that the audio files have been successfully embedded in the presentation.

For Technical Support


Below are specific recording instructions for some common tools for presentations:

·

Record a Slide Show With Narration and Slide Timings in PowerPoint 

·

Getting Started With Microsoft Sway 

If you have technical difficulties with using PowerPoint, contact the UMGC 360 Help Desk, available 24/7 http://support.umgc.edu Phone: 1-888-360-UMUC (8682).


Learning Topic

Industry Specific Legal, Regulations, Investigations and Compliance


Compliance


Many industries, including finance, health care, and education, must follow specific regulations and compliance requirements. Failure to meet them can lead to criminal prosecution, monetary fines, and/or civil sanctions. As an IT professional, you will want to be familiar with the Legal, Regulations, Investigations and Compliance domain of the Certified Information Systems Security Professional (CISSP) body of knowledge, which covers this material. You will need a basic understanding of the general requirements of industry-specific laws and where they apply. Some examples are listed below.

 

· Payment Card Industry Data Security Standard (PCI DSS)

· Patriot Act

· General Data Protection Regulation (GDPR)

· Computer Fraud and Abuse Act (CFAA)

· Electronic Communications Privacy Act (ECPA)

· Gramm-Leach-Bliley Act (GLBA)

· Health Insurance Portability and Accountability Act (HIPAA)

· Sarbanes-Oxley Act (SOX)

· Family Educational Rights and Privacy Act (FERPA)

Payment Card Industry Data Security Standard (PCI DSS) 

The PCI Security Standards Council (PCI SSC) develops standards to protect cardholder payment data. Any business that stores, processes, or transmits this data is subject to the standard, and every technical and operational system component that handles it must comply.

Compliance with PCI DSS reduces the risk that payment systems are compromised by attackers and helps ensure that transactions conducted through those systems are secure (Ryan Technical Services, n.d.).

There are 12 core requirements. The list below groups each requirement under the control objective it supports.

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

5. Use and regularly update antivirus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Implement strong access control measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an information security policy

12. Maintain a policy that addresses information security

The requirements list is adapted from the Wikipedia article "Payment Card Industry Data Security Standard," available under a Creative Commons Attribution-ShareAlike 3.0 Unported license. UMGC has modified this work, and it is available under the original license.
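The requirements above to protect stored cardholder data (PCI DSS requirement 3) and the earlier HIPAA topic on safeguarding PII, PHI, and ePHI come down to the same engineering task: identifiers must not be written in the clear to places they do not belong, application logs above all. The following Python module is an added example, not part of the original page or of any standard's reference material. It masks a primary account number (PAN) to its first six and last four digits (the most PCI DSS permits to be displayed), uses the Luhn check so that other long numbers are left alone, blanks out Social Security numbers, and hooks into the standard `logging` module so that records are scrubbed before any handler writes them. The regular expressions, the `RedactingFilter` class, and the sample log lines are assumptions constructed for the illustration.

```python
import logging
import re

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally separated
# by single spaces or hyphens, beginning and ending on a digit. (Assumed pattern.)
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US Social Security numbers in the conventional 3-2-4 layout. (Assumed pattern.)
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample log lines; they do not come from any real system.
SAMPLE_LINES = [
    "2023-03-12T10:15:02Z payment ok card=4111 1111 1111 1111 amount=42.00",
    "2023-03-12T10:15:03Z order_id=1234567890123456 status=shipped",
    "2023-03-12T10:15:04Z patient lookup ssn=123-45-6789 clinic=3",
]


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact(line: str) -> str:
    """Mask Luhn-valid PANs and blank out SSNs in one log line; other numbers are untouched."""

    def _replace_pan(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Only Luhn-valid sequences are treated as card numbers, so order IDs and
        # other long numerics of similar length are not mangled.
        return mask_pan(digits) if luhn_valid(digits) else match.group(0)

    line = PAN_RE.sub(_replace_pan, line)
    return SSN_RE.sub("***-**-****", line)


def redact_all(lines):
    """Apply redact() to a batch of lines, e.g. before shipping a log file elsewhere."""
    return [redact(line) for line in lines]


class RedactingFilter(logging.Filter):
    """Hypothetical logging filter: scrubs a record's rendered message before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message with its arguments first so identifiers passed as
        # arguments are caught too, then drop the arguments so they are not re-applied.
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    log = logging.getLogger("payments")
    log.addFilter(RedactingFilter())
    for sample in SAMPLE_LINES:
        log.info(sample)
```

Masking is a display control; to render stored PANs unreadable, PCI DSS expects truncation, tokenization, strong one-way hashing, or encryption, and a filter like this does not replace those. It also misses identifiers that do not match the expected shape (a PAN split across two fields, for instance), so treat it as defense in depth and keep identifiers out of log messages at the source.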

Patriot Act

Under the Patriot Act, federal agencies gained expanded surveillance authority over persons suspected of terrorism or related crimes. The legislation provides federal investigators with a variety of investigative and intelligence surveillance tools and removed legal barriers that had prevented law enforcement and intelligence agencies from sharing information with each other. The act's full title is the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001.

The act "creates a definition of 'computer trespasser' and makes such activities a terrorist act in certain circumstances" (Smith et al., 2002), enabling law enforcement officials to "intercept the communications of computer trespassers" (Smith et al., 2002). Many provisions of the law, particularly Title III, could affect e-commerce in the areas of international money laundering and terrorism financing. "Over time, these provisions may affect e-commerce broadly, and electronic fund transfers specifically" (Smith et al., 2002).

In 2015, the USA FREEDOM Act updated some elements of the Patriot Act. Specifically, it set new limits on the bulk collection of telecommunication metadata by federal intelligence agencies. Agencies are now required to obtain targeted warrants before collecting this information (Diamond, 2015).

As political policies change over time, IT professionals should monitor any updates or revisions that could affect their organizations.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is the European Union's (EU) data privacy law, in force since May 25, 2018. It applies to any organization that processes personal data of people in the EU, regardless of where the organization itself is located (Kottasová, 2018). So, if your company handles data on EU residents, you should be aware of the regulation's requirements.

The central idea behind this law is to require “privacy by default” with regard to the collection and handling of all personal data (defined as any information relating to an identified or identifiable person) (AWS, 2018).

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act of 1986 (ECPA) extended the federal wiretap statute, which originally covered telephone calls, to electronic communications. It prohibits the unauthorized interception of wire, oral, and electronic communications in transit (Title I, the Wiretap Act), prohibits unauthorized access to communications held in electronic storage by a service provider (Title II, the Stored Communications Act), and regulates pen registers and trap-and-trace devices (Title III). Government agents must obtain a warrant or court order before intercepting communications or compelling a provider to disclose stored content. For employers, the act limits monitoring of employees' electronic communications and telephone conversations and unauthorized access to their stored communications, subject to exceptions such as consent and the ordinary-course-of-business and service-provider exceptions.

The ECPA was amended by the Patriot Act in 2001, which, among other changes, allows law enforcement to use an ordinary search warrant rather than a wiretap order to compel disclosure of voice mail stored with a third-party provider.

Computer Fraud and Abuse Act (18 U.S.C. § 1030)

The Computer Fraud and Abuse Act (CFAA) delineates specific illegal acts relating to computer crimes. The CFAA covers the following:

· defines specific key terms used throughout the legislation

· outlines the components that do and do not constitute criminal acts

· specifies the consequences of those acts, as well as certain aggravating factors

· describes exceptions to the criminality of these acts in cases of law enforcement and similar contexts

The CFAA covers seven criminal offenses:

1. accessing a computer without authorization to obtain national defense information;

2. accessing a computer without authorization to obtain financial records, information from any US department or agency, or information from any protected computer;

3. accessing a nonpublic computer of a US department or agency without authorization;

4. accessing a protected computer with intent to defraud;

5. causing damage to a protected computer by transmitting a program, information, code, or command;

6. trafficking in passwords or similar information through which a computer may be accessed without authorization; and

7. extortion involving threats to a protected computer.

It should be noted that the CFAA defines a protected computer as one used exclusively by a financial institution or the US Government, or one used in or affecting interstate or foreign commerce or communication, a definition that covers virtually every computer in use (US Department of Justice, n.d.).

Gramm-Leach-Bliley Act (GLBA)

Enacted in November 1999, the Gramm-Leach-Bliley Act (GLBA) establishes a requirement for financial institutions to protect the sensitive personal information of their customers. Also known as the Financial Services Modernization Act of 1999, GLBA “…requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data” (Federal Trade Commission, n.d., a.). The act was authored by Senator Phil Gramm and Representatives Thomas J. Bliley Jr. and Jim Leach. GLBA contains the “Safeguards Rule,” which establishes the requirement for financial institutions to protect the information they collect from their consumers.

GLBA has several requirements regarding privacy protection. The first is an annual requirement for customers to receive the financial institution’s privacy notice. This notice must clearly state opt-out instructions for sharing personal financial information. GLBA also puts limits on the use or redisclosure of nonpublic personal information acquired from a financial institution. And, GLBA establishes requirements for securely storing personal financial information. Institutions subject to GLBA include nonbank mortgage lenders, loan brokers, some financial or investment advisors, tax preparers, providers of real estate settlement services, and debt collectors (Federal Trade Commission, n.d., b.).

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and, through its Administrative Simplification provisions, led to federal regulations that define how covered entities must secure patients' health information and that regulate its disclosure.

IT professionals should understand how HIPAA applies to their work so they can correctly handle sensitive information and demonstrate the organization’s compliance with the law in order to protect patients and the organization (DNS Stuff, n.d.).  Unauthorized access or release of data can lead to problems for the individuals whose data has been compromised and also fines and penalties for the organization (Ashraf, n.d.).

Three rules within HIPAA are most relevant to professionals working in information technology:

· The Privacy Rule requires safeguards to protect the privacy of protected health information and "sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization" (HHS, "Privacy Rule," n.d.). It gives patients the right to view their health information and request corrections (HHS, "Privacy Rule," n.d.).

· The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (ePHI) (HHS, "Summary of the HIPAA Security Rule," n.d.).

· The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in larger breaches the media, when unsecured protected health information has been used or disclosed in a manner that compromises its privacy or security (HHS, "Breach Notification Rule," n.d.).

Sarbanes-Oxley Act

The Sarbanes-Oxley Act was enacted in 2002 to protect shareholders and the general public from accounting errors and fraudulent practices by publicly traded corporations. It is often referred to as SOX. The act was also called the “Public Company Accounting Reform and Investor Protection Act” in the Senate and “Corporate and Auditing Accountability, Responsibility, and Transparency Act,” in the House (“Sarbanes-Oxley Act,” n.d.).

To comply with SOX, corporations must retain business records relevant to financial reporting and audits, including electronic records and messages, for "not less than five years" (De Groot, 2019). This means that IT departments must create and maintain an archive of corporate records with security controls that ensure financial data is accurate, tamper-evident, and protected against loss (De Groot, 2019).

Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the US Department of Education. Under FERPA, schools may disclose, without consent, directory information such as a student’s name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA.

References

Amazon Web Services (AWS). (2018). General Data Protection Regulation (GDPR) center. https://aws.amazon.com/compliance/gdpr-center/

Ashraf, A. (n.d.). PII and PHI overview: What CISSPs need to know. Infosec.  https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/asset-security/protecting-privacy/#gref

De Groot, J. (2019). What is SOX compliance? 2019 SOX requirements and more.  https://digitalguardian.com/blog/what-sox-compliance

Diamond, J. (2015). NSA surveillance bill passes after weeks-long showdown. https://www.cnn.com/2015/06/02/politics/senate-usa-freedom-act-vote-patriot-act-nsa/

DNSStuff. (n.d.). What is HIPAA compliance? https://www.dnsstuff.com/what-is-hipaa-compliance

Federal Trade Commission. (n.d., a.). Gramm-Leach-Bliley Act. https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Federal Trade Commission. (n.d., b.). In brief: The financial privacy requirements of the Gramm-Leach-Bliley Act. https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act

Department of Health and Human Services (HHS). (n.d.). The HIPAA privacy rule. https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Department of Health and Human Services (HHS). (n.d.). The HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

Department of Health and Human Services (HHS). (n.d.). Breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

Kottasová, I. (2018, May 21). What is GDPR? Everything you need to know about Europe’s new data law. https://money.cnn.com/2018/05/21/technology/gdpr-explained-europe-privacy/index.html?iid=EL

Ryan Technical Services (n.d.). PCI DSS compliance. http://ryantech.com/pci-dss-compliance 

Sarbanes-Oxley Act. (n.d.). In Wikipedia. https://en.wikipedia.org/wiki/Sarbanes%E2%80%93Oxley_Act

Smith, M. S., Seifert, J. W., McLoughlin, G. J., & Moteff, J. D. (2002). The internet and the USA PATRIOT Act: Potential implications for electronic privacy, security, commerce, and Government. Congressional Research Service. https://epic.org/privacy/terrorism/usapatriot/RL31289

Solove, D. (2006). A brief history of information privacy law.  http://papers.ssrn.com/sol3/papers.cfm?abstract_id=914271

US Department of Justice. (n.d.). Prosecuting computer crimes. Computer Crime and Intellectual Property Section, Criminal Division.  https://www.justice.gov/criminal/cybercrime/docs/ccmanual  

US Department of Justice. (n.d.). Public law 99-508.  http://www.justice.gov/jmd/ls/legislative_histories/pl99-508/act-pl99-508
