HIPAA and the GLB Connections Between Congress and Information Assurance.
HIPAA and the GLB Connections Between Congress and Information Assurance

The Basics
HIPAA
- Passed by Congress in 1996
- Regulatory authority rests with the Department of Health and Human Services (HHS)
- Privacy Rule in effect in 2003
- Security Rule in effect in 2005
GLB
- Passed in 1999
- Scope: financial institutions and the personal information they hold
- Regulated by many agencies; the Federal Trade Commission is the umbrella agency for institutions not covered by another regulator

Privacy Rule
- Information about an individual's medical condition or diagnosis must be kept separate from hiring, firing and other employment records
- Requires the development of both internal and external security measures to protect that information

Security Rule
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20. It specifies a series of administrative, physical and technical safeguards that covered entities must use to ensure the confidentiality, integrity and availability of electronic protected health information (ePHI). Each standard is broken down into implementation specifications, each of which is either required or addressable.

Appendix A to Subpart C of Part 164: Security Standards Matrix
(R) = Required, (A) = Addressable. Paragraph references are within the Part 164 section for each safeguard category.

Administrative Safeguards
  Security Management Process (a)(1)
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)
  Assigned Security Responsibility (a)(2) (R)
  Workforce Security (a)(3)
    Authorization and/or Supervision (A)
    Workforce Clearance Procedure (A)
    Termination Procedures (A)
  Information Access Management (a)(4)
    Isolating Health Care Clearinghouse Function (R)
    Access Authorization (A)
    Access Establishment and Modification (A)
  Security Awareness and Training (a)(5)
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)
  Security Incident Procedures (a)(6)
    Response and Reporting (R)
  Contingency Plan (a)(7)
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation Plan (R)
    Testing and Revision Procedure (A)
    Applications and Data Criticality Analysis (A)
  Evaluation (a)(8) (R)
  Business Associate Contracts and Other Arrangements (b)(1)
    Written Contract or Other Arrangement (R)

Physical Safeguards
  Facility Access Controls (a)(1)
    Contingency Operations (A)
    Facility Security Plan (A)
    Access Control and Validation Procedures (A)
    Maintenance Records (A)
  Workstation Use (b) (R)
  Workstation Security (c) (R)
  Device and Media Controls (d)(1)
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data Backup and Storage (A)

Technical Safeguards
  Access Control (a)(1)
    Unique User Identification (R)
    Emergency Access Procedure (R)
    Automatic Logoff (A)
    Encryption and Decryption (A)
  Audit Controls (b) (R)
  Integrity (c)(1)
    Mechanism to Authenticate Electronic Protected Health Information (A)
  Person or Entity Authentication (d) (R)
  Transmission Security (e)(1)
    Integrity Controls (A)
    Encryption (A)

What's Required? (Contingency Plan implementation specifications)
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
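"Retrievable exact copies" is testable: a backup is only known to be exact if a restore from it can be checked against a record of what was backed up. The block below is an added example written for this page, not code from the slides or from HHS; it copies a directory of records into a backup location, writes a SHA-256 manifest beside the copies, performs a test restore into a third location, and verifies every restored file against the manifest. The directory layout, the hash algorithm and the two sample record files are assumptions, and the records are constructed placeholders rather than real patient data. The tamper option shows what the check reports when a backup copy has been altered, which also exercises the addressable Testing and Revision Procedure.

```python
"""Backup with an integrity manifest and a verified test restore (added example)."""
import hashlib
import json
import os
import shutil
import tempfile

HASH_ALG = "sha256"   # assumed choice; any collision-resistant hash serves the purpose
MANIFEST = "MANIFEST.json"


def file_digest(path: str) -> str:
    """Hash a file in chunks so large record stores do not have to fit in memory."""
    h = hashlib.new(HASH_ALG)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir: str, backup_dir: str) -> dict:
    """Copy every file under src_dir into backup_dir and record the digest of each copy.

    The copy is hashed, not the source, so the manifest describes what was actually
    written to backup media. The manifest is stored with the copies because the
    original may be gone when the restore is needed."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = file_digest(dst)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore(backup_dir: str, restore_dir: str) -> dict:
    """Restore every file listed in the manifest and return the manifest for verification."""
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        manifest = json.load(f)
    for rel in manifest:
        dst = os.path.join(restore_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
    return manifest


def verify(manifest: dict, restore_dir: str) -> list:
    """Return the relative paths that are missing or whose content does not match the manifest."""
    bad = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path) or file_digest(path) != expected:
            bad.append(rel)
    return sorted(bad)


def backup_demo(tamper: bool = False) -> list:
    """Round-trip two constructed sample records; optionally corrupt one backup copy first."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak, rst = (os.path.join(tmp, d) for d in ("src", "bak", "rst"))
        os.makedirs(os.path.join(src, "records"))
        # Constructed placeholder records, not real patient information.
        with open(os.path.join(src, "records", "p001.txt"), "w") as f:
            f.write("patient=P001;dx=none\n")
        with open(os.path.join(src, "records", "p002.txt"), "w") as f:
            f.write("patient=P002;dx=none\n")
        make_backup(src, bak)
        if tamper:
            with open(os.path.join(bak, "records", "p002.txt"), "a") as f:
                f.write("corrupted\n")
        manifest = restore(bak, rst)
        return verify(manifest, rst)


if __name__ == "__main__":
    print("clean restore, mismatches:", backup_demo())
    print("tampered backup, mismatches:", backup_demo(tamper=True))
```

The disaster recovery plan is the procedure that calls `restore` and then acts on a non-empty result from `verify`; a backup that has never been restored and verified this way has not been shown to be retrievable.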

What's Addressable? (Not Optional)
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Addressable does not mean optional. For each addressable specification the covered entity must assess whether it is reasonable and appropriate in its environment and then either implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative measure where one is.
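The automatic logoff specification describes a mechanism, not a number: a session must end after a predetermined period of inactivity, and the entity picks the period. The block below is an added example written for this page, not code from the slides or from any product; it is a server-side session table whose idle timer is reset by each request, with a separate absolute lifetime that activity cannot extend, a periodic sweep that terminates idle sessions even when the user never sends another request, and an audit record for every login and logoff (the required Audit Controls and Unique User Identification standards in the matrix). The 15-minute and 12-hour values, the in-memory audit list and the user id are assumptions; the clock is injected so the example runs deterministically.

```python
"""Automatic logoff driven by an inactivity timer (added example, not from the slides)."""
import secrets
from dataclasses import dataclass

# Policy values are assumptions for the example; the rule sets no specific number.
IDLE_TIMEOUT = 15 * 60         # seconds without activity before the session is terminated
ABSOLUTE_TIMEOUT = 12 * 3600   # hard lifetime cap, even for a continuously active session


@dataclass
class Session:
    user_id: str          # one session per unique user id, never a shared account
    created: float
    last_activity: float


class SessionStore:
    """Server-side session table; the clock is injected so the behaviour is testable."""

    def __init__(self, clock):
        self._clock = clock
        self._sessions = {}
        self.audit_log = []   # stand-in for the audit trail the Audit Controls standard requires

    def _audit(self, event, user_id, at):
        self.audit_log.append({"event": event, "user": user_id, "at": at})

    def login(self, user_id):
        now = self._clock()
        token = secrets.token_urlsafe(32)          # unguessable session identifier
        self._sessions[token] = Session(user_id, now, now)
        self._audit("login", user_id, now)
        return token

    def _logoff(self, token, reason, now):
        s = self._sessions.pop(token)
        self._audit(reason, s.user_id, now)

    def touch(self, token):
        """Check a session on each request. Returns the user id, or None once logged off.

        Activity extends the idle window; it never extends the absolute cap."""
        now = self._clock()
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > IDLE_TIMEOUT:
            self._logoff(token, "auto_logoff_idle", now)
            return None
        if now - s.created > ABSOLUTE_TIMEOUT:
            self._logoff(token, "auto_logoff_absolute", now)
            return None
        s.last_activity = now
        return s.user_id

    def sweep(self):
        """Terminate expired sessions that have sent no further request; run this periodically."""
        now = self._clock()
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT]
        for t in expired:
            self._logoff(t, "auto_logoff_sweep", now)
        return len(expired)

    def active_users(self):
        return sorted(s.user_id for s in self._sessions.values())


class FakeClock:
    """Deterministic clock for the worked example (constructed); use time.time in production."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def logoff_demo():
    """Walk one constructed session through activity, idleness and automatic logoff."""
    clock = FakeClock()
    store = SessionStore(clock)
    tok = store.login("user-0042")
    outcomes = []
    clock.advance(10 * 60); outcomes.append(store.touch(tok))   # active: session kept
    clock.advance(10 * 60); outcomes.append(store.touch(tok))   # 10 min since last activity: kept
    clock.advance(16 * 60); outcomes.append(store.touch(tok))   # 16 min idle: terminated
    outcomes.append(store.touch(tok))                           # token no longer valid
    return outcomes, [e["event"] for e in store.audit_log]


if __name__ == "__main__":
    print(logoff_demo())
```

The sweep matters in practice: a workstation left unattended in a clinic never sends another request, so a check that runs only on the next request would leave the session alive indefinitely.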

Pros and Cons
Pros:
- Flexible, taking limited resources into account
- Steps are general and not technology-specific
- Security 101: established best practice
Cons:
- The same flexibility allows different interpretations to be made
- May slow technology adoption in the health field
- Lawsuits are feared by some

Gramm-Leach-Bliley
- Protection of private personal information
- Obligations on the disclosure of personal information
- Disclosure of the institution's privacy policy

Specifics of the GLB
Because the states are responsible for regulating the insurance industry, Gramm-Leach-Bliley (GLB) stipulates that the states pass legislation to enforce the requirements laid out in the law. In the same way as for the privacy requirements, GLB requires its security provisions to be enforced by the states for the insurance industry. There is an exception in GLB: banks offering insurance products are subject to the requirements and deadlines of their federal regulatory agency rather than of the state in which the institution resides.

At the time of this presentation, four states had passed personal financial information security laws, while several other states had proposed laws. It is important to note, however, that implementing and enforcing laws for the security of personal information is a requirement of GLB, and all states must eventually pass legislation covering the insurance carriers in their state. It is a matter of time before all states have laws on the books implementing the security requirements of GLB.

Goals of the Law
- Tighten customer protection
- Provide an "opt out" rule
- Give people more control
- Companies in the financial sector have to tell customers and consumers what information they hold on people who use their services, which other companies have access to it, and how they protect it

Complications
A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. "Can you explain the regulations?" he asked. He was joking, I think, but his comment sums things up.
One provision has backfired: companies are required to send customers an annual notice giving them their chance to opt out, and the notices themselves have become a source of confusion.

Still More Complications
- Inter-state complications
- International issues: global institutions are left confused about how to, say, send information about a European employee to U.S. headquarters

Future Predictions
Privacy and security are growing concerns as virus and worm attacks become more numerous year by year, as identity theft costs more and more, and as public leaders become more computer literate. In 2002 identity theft cost the US an estimated $53 billion. A major incident will galvanize the government into passing standards that are wider in scope, or possibly more stringent, than the current, rather reasonable, HIPAA standards.

Works Cited
"Boulder Computer Services Firm Encourages Companies to Prevent Computer Hackers and Consumer Identity Theft." Press release.
Brewin, Bob. "Health Care Group: Lack of IT Leads to Deaths." Computerworld.
Brewin, Bob. "New HIPAA Security Rules Could Open Door to Litigation." Computerworld.
Federal Register. "Health Insurance Reform: Security Standards; Final Rule." 45 CFR Parts 160, 162, and 164.
Fonseca, Brian. "Sun, Digex and Divine Push Outsourced HIPAA Solutions." Computerworld.
Glass, Michelle R., and Gregory J. Hoeg. "The Likely Impact of the Gramm-Leach-Bliley Financial Modernization Act of 1999."
Scalet, Sarah D. "Managing HIPAA's Pain." CSO, April.
Watson Wyatt Insider. "Bigger Than a Breadbox: The Impact of HIPAA on American Employers." April.