HIPAA Standards Update

Centers for Medicare and Medicaid Services, Office of eHealth Standards and Services, March 2007

Claims Attachment
- Final rule in process
- HL7 process: technical comments
- Policy issues:
  - Unsolicited attachments
  - Attachments in the COB process

ICD-10
- Policy discussions continue
- Issues:
  - Compliance date
  - Cost to industry
  - 5010 status

Remote Access Security Guidance
- Supports policies and strategies for compliance with the HIPAA Security Rule
- Highlights three activities:
  - Conducting security risk assessments
  - Developing and implementing policies and procedures
  - Implementing mitigation strategies
- Released December 28, 2006 at: http://www.cms.hhs.gov/securitystandard/

Why a new guidance?
Since the original rule there have been:
- Changes in technology
  - Increases in mobile devices
  - Increased workforce mobility
  - Increased use of portable media
- Recent security incidents
  - Reports of thefts of laptops and media containing EPHI
  - Reports of access to EPHI by unauthorized users
- The original rule was intentionally broad
Notes: Technology changes allow for greater specificity in guidance, as standards and best practices have evolved since the original HIPAA Security Rule was promulgated.

What's Affected?
Devices, media and connectivity tools:
- Laptops
- Home PCs
- PDAs
- Smart phones
- Library, hotel and other public PCs
- Wireless access points
- USB flash drives
- CDs and DVDs
- Floppy disks
- Backup media
- Email
- Smart cards
- Remote access devices
- Etc.
Notes: Remote access devices are usually "second factor" devices such as RSA's SecurID token, which generates a one-time code used to log into a secure network. Losing one can be very serious, particularly if the owner has not followed good security procedures and has, for instance, affixed their username and password to the token. This is not a complete list.

Guiding Principles
- Be deliberate about EPHI release
- EPHI release should have a valid operational justification
- EPHI release requires:
  - Risk analysis
  - Policy and procedure development
  - Risk mitigation strategies
Notes: The next seven slides will discuss each of these in more detail, including the three areas of risk mitigation.

Risk Analysis
- Security compliance requires analysis of risks and mitigation factors
- Factors to consider in risk assessments, per § 164.306(b)(2):
  - The size, complexity, and capabilities of the covered entity
  - The covered entity's technical infrastructure, hardware, and software security capabilities
  - The costs of security measures
  - The probability and criticality of potential risks to [EPHI]

Policy Development
- Requires training and compliance
- Ongoing workforce awareness programs
- Guidance discusses three key areas:
  - Data access
  - Data storage
  - Data transmission
Notes: Data access policies and procedures focus on ensuring that users only access data for which they are appropriately authorized. Remote access to EPHI should only be granted to authorized users based on their role within the organization and their need for access to EPHI.
Storage policies and procedures address the security requirements for media and devices which contain EPHI and are moved beyond the covered entity's physical control. Such media and devices include laptops, hard drives, backup media, USB flash drives and any other data storage item which could potentially be removed from the organization's facilities.
Transmission policies focus on ensuring the integrity and safety of EPHI sent over networks, and include both the direct exchange of data (for example, in trading partner relationships) and the provisioning of remote access to applications hosted by the organization (such as a provider's home access to ePrescribing systems, or "web mail" in organizations where EPHI might be included in internal communications).
The next three slides discuss risks and mitigation strategies for each of these three areas.

Example Data Access Strategies
Risks:
- Lost passwords
- Unauthorized access
- Unattended workstations and home computers
- Failure to log off public machines
- Viruses
Potential mitigation strategies:
- Two-factor authentication
- Secure user names
- Clearance and training procedures for data use
- Limiting access to EPHI to users with specific requirements and authorization
- Session termination and timeouts for remote applications
- Personal firewall and antivirus software
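The mitigation "session termination and timeouts for remote applications" addresses the two risks above that come from a user walking away: an unattended home computer and a public machine that was never logged off. The following is an added example, not CMS code and not part of the guidance: a small server-side session store that enforces an idle timeout (the unattended-workstation case), an absolute lifetime (so activity alone cannot keep a session alive indefinitely), and explicit server-side termination on logout (so a token left behind in a public browser is dead). The 15-minute and 8-hour values, the class and function names, and the injectable clock are assumptions chosen for illustration, not figures from the guidance.

```python
"""Idle and absolute session timeouts for a remote-access application.

Added example, not CMS code. Both limits are enforced server-side, so a
client that keeps a stale cookie gains nothing. Timeout values below are
illustrative assumptions, not numbers from the HIPAA guidance.
"""
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_S = 15 * 60        # assumed: 15 minutes without a request
ABSOLUTE_TIMEOUT_S = 8 * 3600   # assumed: 8-hour hard cap per login


@dataclass
class Session:
    user: str
    created: float      # login time
    last_seen: float    # time of the most recent validated request


class ManualClock:
    """Clock whose time is advanced by the caller; lets the demo and tests
    drive timeouts deterministically instead of sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class SessionStore:
    """In-memory session table that enforces idle and absolute timeouts."""

    def __init__(self, clock, idle=IDLE_TIMEOUT_S, absolute=ABSOLUTE_TIMEOUT_S):
        self._clock = clock
        self._idle = idle
        self._absolute = absolute
        self._sessions = {}  # token -> Session

    def login(self, user: str) -> str:
        # 128-bit random token: session IDs must not be guessable.
        token = secrets.token_hex(16)
        now = self._clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def logout(self, token: str) -> None:
        # Explicit termination removes the server-side entry, so the
        # token is useless even if it survives in a public browser.
        self._sessions.pop(token, None)

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None after expiring it."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        idle_exceeded = now - s.last_seen > self._idle
        life_exceeded = now - s.created > self._absolute
        if idle_exceeded or life_exceeded:
            del self._sessions[token]   # terminate, do not just deny
            return None
        s.last_seen = now               # activity refreshes only the idle window
        return s.user

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    clock = ManualClock()
    store = SessionStore(clock)
    tok = store.login("drjones")
    clock.t += 20 * 60                  # user walks away for 20 minutes
    print("after 20 idle minutes:", store.validate(tok))   # None: idle timeout
```

Note that validate() deletes the expired entry rather than merely rejecting the request; the audit-relevant event is the termination, and leaving dead rows around invites a later bug that resurrects them.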

Next Steps
- Notice of Proposed Rulemaking to incorporate the guidance into the Security Rule

NPI Implementation Status
- May 23, 2007 compliance date (for all but small health plans)
- Over 1.9 million providers enumerated (of an estimated universe of 2.3 million)
- Data dissemination notice under review by OMB

NCVHS Hearings
- Testimony from a broad spectrum of stakeholders
- Consensus: much progress toward compliance, BUT many covered entities will not meet the May 23 date
- Situation is similar to 2003, when HHS declared a contingency for the transactions and code set standards

Specific Issues
- Complexity of building and testing crosswalks between NPIs and legacy IDs
- Some providers have not gotten their NPIs; most are not submitting them on transactions
- Outreach and education efforts have not reached all affected entities
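A crosswalk that silently carries a mistyped NPI or maps one legacy ID to two providers will misroute claims once trading partners rely on it, which is the testing burden the first issue above refers to. As an added example (not CMS code and not something the presentation provides), the block below shows two checks a plan can run before loading a crosswalk. The NPI check-digit rule it applies is the published one: the tenth digit is a Luhn check digit computed over the nine-digit identifier prefixed with the constant 80840. The crosswalk rows, the legacy ID format, the function names and the rule that every legacy ID must resolve to exactly one NPI are constructed for the example.

```python
"""Pre-load checks for a legacy-ID to NPI crosswalk.

Added example, not CMS code. npi_is_valid() implements the published NPI
check-digit rule (Luhn over "80840" + the 10-digit NPI). The sample rows
and the crosswalk rules are constructed for illustration.
"""


def npi_is_valid(npi: str) -> bool:
    """True if npi is 10 digits and its Luhn check digit (prefix 80840) matches."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    digits = [int(c) for c in "80840" + npi]
    total = 0
    # Luhn: from the right, double every second digit (starting with the
    # digit left of the check digit); a doubled value above 9 loses 9.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Constructed sample crosswalk (legacy_id, npi). It deliberately contains
# one legacy ID mapped to two NPIs, one NPI with a bad check digit and one
# malformed NPI; none of these are real provider records.
SAMPLE_CROSSWALK = [
    ("LEG-0001", "1234567893"),
    ("LEG-0002", "1000000004"),
    ("LEG-0003", "1987654328"),
    ("LEG-0003", "1234567893"),   # same legacy ID, second NPI: ambiguous
    ("LEG-0004", "1234567890"),   # check digit should be 3
    ("LEG-0005", "12345A7893"),   # not numeric
]


def check_crosswalk(rows):
    """Return (legacy_id, npi, problem) for every row a plan should refuse to load."""
    by_legacy = {}
    for legacy, npi in rows:
        by_legacy.setdefault(legacy, set()).add(npi)
    problems = []
    for legacy, npi in rows:
        if not npi_is_valid(npi):
            problems.append((legacy, npi, "invalid NPI"))
        elif len(by_legacy[legacy]) > 1:
            problems.append((legacy, npi, "legacy ID maps to more than one NPI"))
    return problems


def build_lookup(rows):
    """Legacy ID -> NPI map built only from rows that passed check_crosswalk()."""
    rejected = {(legacy, npi) for legacy, npi, _ in check_crosswalk(rows)}
    return {legacy: npi for legacy, npi in rows if (legacy, npi) not in rejected}


if __name__ == "__main__":
    for legacy, npi, problem in check_crosswalk(SAMPLE_CROSSWALK):
        print(f"{legacy} -> {npi}: {problem}")
    print("loadable rows:", build_lookup(SAMPLE_CROSSWALK))
```

The check digit only catches transcription errors, not a wrong but well-formed NPI, so the ambiguity check (and, in practice, a comparison against NPPES data once it is disseminated) matters more than the arithmetic.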

Specific Issues (cont'd)
- Mechanisms needed to promote easy access for providers to the NPIs of other providers:
  - Labs and DME suppliers need the NPI of the referring provider
  - Hospitals need the NPI of the operating physician
  - Pharmacies need the NPI of the prescriber

NCVHS Recommendations
- Adopt contingency guidance similar to 2003
- Covered entities can adopt contingency plans to work with noncompliant trading partners toward compliance without jeopardizing cash flows
- In the event of a complaint, CMS would assess "good faith efforts"

NCVHS Recommendations (cont'd)
- Contingency period would end 6 months after the later of:
  - May 23, 2007
  - The first date NPPES data are available
- A time-limited contingency encourages continued movement toward compliance

NCVHS Recommendations (cont'd)
- Did not specify what a contingency plan would look like (e.g., did not require the ability to process both NPIs and legacy IDs)
- Did reflect the expectation that providers should obtain and use their NPIs as soon as possible, and that plans should be ready to accept them as soon as possible

NCVHS Recommendations (cont'd)
- Publish the Data Dissemination Notice as soon as possible AND make the data available as soon thereafter as possible
- Continue outreach and education, in particular to the provider community

Next Steps
- Watch the CMS website, listservs, etc. for further information
- Plans should consider the possibility of a contingency in the event of guidance:
  - What would the contingency be, and how would it be communicated?