HIPAA 203: Security An Introduction to the Draft HIPAA Security Regulations.


First Consulting Group

Presentation Agenda
- Security Introduction
- Security Component Requirements and Impacts
  - Administrative Procedures
  - Physical Safeguards
  - Technical Security Services
  - Technical Security Mechanisms
- Summary

Presentation Objectives
At the end of this presentation, you should:
- Understand the background for the security regulations
- Understand the specific HIPAA security components
- Understand the business and technology impacts of the HIPAA security components
- Begin to understand the gaps between the current environment and the HIPAA security requirements

Security Introduction
- Definition
- Organizational Threats
- Principles
- Key Points of Security Rule
- Structure
- Categories

Definition
- “The purpose of security is to protect both the system and the information it contains from unauthorized access from without and misuse from within.” (draft Security Rule)
- Security also protects information from alteration, destruction or loss
- Security should reasonably ensure the confidentiality, integrity and availability of health care information

Organizational Threats

Principles
- Healthcare security is about risk mitigation
  - Operational risk
  - Financial risk
  - Regulatory risk
  - Fraud risk
- “The standard does not address the extent to which a particular entity should implement the specific features. Instead, we would require that each affected entity assess its own security needs and risks and devise, implement, and maintain appropriate security to address its business requirements.” (draft Security Rule)

Key Points of Security Rule: Source
- Security requirements were taken from the National Research Council’s report For the Record: Protecting Electronic Health Information
- “This report presents findings and recommendations related to health data security, and…concludes that appropriate security practices are highly dependent on individual circumstances…”
- “It is therefore not possible to prescribe in detail specific practices for all organizations; rather, each organization must analyze its systems, vulnerabilities, risks and resources to determine optimal security measures. Nevertheless, the committee believes that a set of practices can be articulated in a sufficiently general way that they can be adopted by all health care organizations in one form or another.”

Key Points of Security Rule: Standards
- Organizations must therefore establish a reasonable “defensible position” for security compliance
  - Develop specifications for security requirements
  - Determine what technologies to implement to meet those specifications
  - Balance usability and cost with risk
- We can set the community standard for these practices in the Pacific Northwest

Key Points of Security Rule: Standards (cont.)
- The standards are not only scalable, but technology neutral as well
- Covered entities must establish and maintain reasonable and appropriate…safeguards
- Healthcare organizations must ensure the protection of all electronic PHI
  - Final rule may also cover PHI in paper format to align with final HIPAA Privacy rule
- Policies and procedures must be developed to implement both the Privacy and Security Rules

Key Points of Security Rule: More Standards
- Business processes related to security functions within the organization must be formally documented, implemented, and enforced throughout the organization
- Proposed standards for Electronic Signatures currently coupled with the Security Standards will be removed and published separately
- The final Security Rule will be harmonized with the final Privacy Rule

Structure
- The current HIPAA Security standards are organized into five categories:
  1. Administrative Procedures
  2. Physical Safeguards
  3. Technical Security Services (applications)
  4. Technical Security Mechanisms (networks)
  5. Electronic Signatures *

* For the purposes of this discussion only the first four categories will be addressed

Administrative Procedures
- Administrative Procedures: formal policies and procedures to address operating procedures, management controls, personnel requirements, audit mechanisms and disciplinary procedures
  - Security management/maintenance
  - Security training
  - Internal system certification
  - Procedures upon employee hire, transfer, or termination
  - System security audits
  - Chain of trust partner agreements
  - Contingency plan
  - Information access control
  - Security incident procedures

Physical Safeguards
- Physical Safeguards: formal policies and procedures to protect health information from threats of fire, disaster, and unauthorized access
  - Security responsibility and accountability
  - Media control
  - Physical access to data
  - Workstation use and location
  - Security awareness training

Technical Security Services
- Technical Security Services: measures to control and monitor information access
  - Employee access controls, such as passwords
  - System audits
  - Intrusion and detection alarms
  - Automatic logoffs
  - Telephone callback procedures
  - Message authentication
  - Integrity controls
  - Data authentication

Technical Security Mechanisms
- Technical Security Mechanisms: mechanisms to guard against unauthorized access to data that is transmitted over a communication network
  - Employee access controls
  - Entity authentication
  - Message authentication
  - Integrity controls
  - Encryption
  - Alarms
  - Audit trail
  - Event reporting

Security Requirements and Impacts
- Administrative Procedures
- Physical Safeguards
- Technical Security Services
- Technical Security Mechanisms

Administrative Procedures
- Rules
- Impacts

Administrative Procedures – Rules
- Certification: technical evaluation certifying that systems and network meet pre-defined criteria
  - Example: Annual certification audit
- Chain-of-Trust Partner Agreement: Contract to secure integrity of data transmission with any third parties
  - Example: Claims processing
- Contingency Plan: Includes application and data criticality analysis, data backup plan, disaster recovery plan, emergency mode operation plan, and testing and revision procedures
  - Example: Business continuity plans
- Formal Record Processing Mechanisms: Policies and procedures for receipt, manipulation, storage, dissemination, transmission, and/or disposal of health information
  - Example: PC hard drive disposal

Administrative Procedures – Rules (cont.)
- Information Access Controls: Policies and procedures for granting different levels of access to health care information
  - Example: Application profile documentation
- Internal Audit: Ongoing in-house review of the records of system activity (log-ins, file accesses and security incidents)
  - Example: Proactive, defensible review of PHI activity
- Personnel Security: Granting of access to health information via an authorization process
  - Example: Card key access systems to file rooms, background checks, maintenance of security personnel
- Security Configuration Management: Procedures to ensure that routine changes to system hardware and/or software do not create security weaknesses
  - Example: Routine pre- and post-implementation procedures

Administrative Procedures – Rules (cont.)
- Security Incident Procedures: Documented instructions for reporting and reviewing security breaches
  - Example: Reporting pathways (anonymous if necessary)
- Security Management Process: Processes to ensure the prevention, detection, containment and correction of security breaches. Includes risk analysis, risk management, sanction policy and security policy
  - Example: Annual risk level reviews
- Termination Procedures: Procedures for securing systems upon employee termination
  - Example: Exit interviews and checklists
- Training: User education and awareness training
  - Example: Incorporated awareness training with existing programs

Administrative Procedures – Impact
- Most organizations have inadequate security policies and procedures
- This requires additional resources for updates and development efforts
- Ensuring all security policies and procedures are enforced throughout the organization requires cooperation from all employee levels
- Integration of chain of trust partner agreement language may require new contracts with third parties
- Providing security awareness training for all employees requires a detailed training program with ongoing maintenance

Physical Safeguards
- Rules
- Impacts

Physical Safeguards – Rules
- Assigned Security Responsibility: Security responsibility assigned to a specific individual(s)
  - Example: Security committee
- Media Controls: Policies and procedures that govern the receipt and removal of hardware and software into and out of a facility. Includes data backup, storage and disposal
  - Example: Property accountability documentation
- Physical Access Controls: Limiting physical access to systems. Includes the following: disaster recovery, emergency mode operation, equipment control, facility security, physical access verification, maintenance records, need-to-know procedures, visitor sign-in, and testing and revision of all components
  - Example: Data center restrictions

Physical Safeguards – Rules (cont.)
- Workstation Use: Instructions and procedures delineating secure use of computer workstations
  - Example: Acceptable workstation usage guidelines
- Workstation Location: Safeguards for secure location of computer workstations
  - Example: Monitor position in public areas
- Security Awareness Training: Security awareness training for all employees, agents and contractors
  - Example: Incorporated awareness training with existing programs

Physical Safeguards – Impacts
- In order to properly address security issues, organizational charts and individual responsibilities may need review
- Workstation use must be addressed through employee education and consistent enforcement of policies and procedures
- Physical access controls and secure workstation locations may affect current business practices

Technical Security Services
- Rules
- Impacts

Technical Security Services – Rules
- Access Control: Restricted access to health information by need-to-know
  - Example: Application access based on job description
- Audit Controls: Audit control mechanisms to record and examine system activity
  - Example: Turn on network event logs to allow for appropriate audits
- Authorization Control: Mechanisms for obtaining consent for use and disclosure of health information
  - Example: Application functionality which allows “flagging”
- Data Authentication: Ability to corroborate that data have not been altered or destroyed
  - Example: Use of checksums, double keying or digital signatures to assure the data are not altered
- Entity Authentication: Ability to corroborate that a user is who he claims to be
  - Example: Biometric ID or unique usernames and passwords

Technical Security Services – Impact
- Some systems in use today may not have adequate security controls to comply
- Implementation of access controls for systems must be an integrated effort between business and IT
- System processing and storage requirements may increase to support enhanced auditing capabilities
- Group IDs and shared passwords will not be permitted

Technical Security Mechanisms
- Rules
- Impacts

Technical Security Mechanisms – General Rules
For all systems:
- Integrity Controls: A security mechanism employed to ensure the validity of the information being electronically transmitted or stored
  - Example: Approved/unapproved network protocols
- Message Authentication: Ensuring, typically with a message authentication code, that a message received (usually via a network) matches the message sent
  - Example: Verification that data packet sent is received
- Access Controls or Encryption: Protection of sensitive communications over open or private networks so that they cannot be easily intercepted and interpreted by parties other than the intended recipient OR transforming confidential plaintext into ciphertext to protect it
  - Example: VANs may eliminate the need for certain encryption technologies
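As an added illustration (not part of the original deck) of the data authentication and message authentication items above, the following Python compares a keyless checksum with a keyed message authentication code on a constructed claims message; the message content and the shared key are assumed sample values.

```python
import hashlib
import hmac
import zlib

# Constructed sample: a claims message a provider sends to a payer over a network.
SAMPLE_MESSAGE = b"claim_id=12345;patient=ABC;amount=250.00"
# Constructed shared secret; in practice it would be exchanged under a
# chain-of-trust partner agreement and never hard-coded.
SHARED_KEY = b"example-shared-key-not-for-production"


def checksum(message: bytes) -> int:
    """Keyless integrity check (CRC-32): catches accidental corruption in transit."""
    return zlib.crc32(message) & 0xFFFFFFFF


def message_tag(message: bytes, key: bytes) -> bytes:
    """Message authentication code (HMAC-SHA256) over the message with the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_received(message: bytes, expected_checksum: int,
                    expected_tag: bytes, key: bytes) -> dict:
    """Receiver-side check that what arrived matches what was sent.

    Both results are returned so the difference between the two controls is
    visible: the checksum only says the bytes were not mangled; the MAC also
    says they were produced by someone holding the key.
    """
    checksum_ok = checksum(message) == expected_checksum
    # compare_digest runs in constant time, so the comparison itself does not
    # leak how many leading bytes of the tag were correct.
    tag_ok = hmac.compare_digest(message_tag(message, key), expected_tag)
    return {"checksum_ok": checksum_ok, "mac_ok": tag_ok}


def transmission_scenarios() -> dict:
    """Three deliveries of SAMPLE_MESSAGE, as the receiver sees them."""
    sent_checksum = checksum(SAMPLE_MESSAGE)
    sent_tag = message_tag(SAMPLE_MESSAGE, SHARED_KEY)

    # 1. Intact delivery: both controls pass.
    intact = verify_received(SAMPLE_MESSAGE, sent_checksum, sent_tag, SHARED_KEY)

    # 2. Accidental corruption (one character changed by a faulty link): both
    #    fail, because neither the checksum nor the tag matches the damaged bytes.
    corrupted = SAMPLE_MESSAGE[:-1] + b"1"
    corruption = verify_received(corrupted, sent_checksum, sent_tag, SHARED_KEY)

    # 3. Deliberate alteration by a party without the key: the checksum is
    #    keyless, so it can be recomputed over the new content and passes;
    #    the tag cannot be recomputed without SHARED_KEY, so the MAC fails.
    altered = b"claim_id=12345;patient=ABC;amount=999.00"
    alteration = verify_received(altered, checksum(altered), sent_tag, SHARED_KEY)

    return {"intact": intact, "corrupted": corruption, "altered": alteration}


if __name__ == "__main__":
    for name, result in transmission_scenarios().items():
        print(f"{name:9s} checksum_ok={result['checksum_ok']} mac_ok={result['mac_ok']}")
```

The third scenario is the one the rule's "message authentication" item is about: a checksum alone cannot tell the receiver whether the sender is the one who produced the content.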

Technical Security Mechanisms – Network Rules
If using a network for communications:
- Alarm: In communication systems, any device that can sense an abnormal condition within the system and provide, either locally or remotely, a signal indicating the presence of the abnormality
  - Example: Devices that sense abnormal conditions
- Audit Trail: The data collected and potentially used to facilitate a security audit
  - Example: Audit log retention

Technical Security Mechanisms – Network Rules (cont.)
If using a network for communications:
- Entity Authentication: A communications or network mechanism to irrefutably identify authorized users, programs, and processes and to deny access to unauthorized users, programs and processes
  - Example: Unique identification
- Event Reporting: A network message indicating operational irregularities in physical elements of a network or a response to the occurrence of a significant task, typically the completion of a request for information
  - Example: Network messages indicating operational abnormalities

Technical Security Mechanisms – Impacts
- Implementation of access controls to the network must be an integrated effort between the business and IT
- Use of new network security technologies (e.g. encryption) will require significant end user training
- Group IDs and shared passwords will not be permitted
- Network alarms, audit trail, and event reporting requirements may require additional resources and technologies to ensure compliance

Summary
- The Bottom Line
- Questions

Summary
- Areas of impact on health care organizations will be:
  - Development, documentation and training of policies and procedures
  - Assignment and operation of security responsibility
  - Identifying and contracting chain of trust agreements with trading partners
  - Training workforce members on information security and altering the confidentiality culture
  - Implementing access controls, authorization controls and entity authentication for all systems
  - Identifying and implementing the “right” technical solutions

The Bottom Line
- The Privacy regulations have been the top priority for HHS; the final Security Rule is expected in August 2002
- Compliance is 26 months after the final rule is published
- At the present time, there is no indication who will be the enforcement agency, when enforcement will be effective, and how enforcement will be conducted

Questions and Discussion

Resources

Resources
- Association for Electronic Health Care Transactions (AFEHCT):
  - Impacts of HIPAA (particularly EDI)
  - Security Self-Evaluation Checklist
- American Health Information Management Association (AHIMA):
  - Benchmark information and case studies
  - Interim Steps for Getting Started
- American Society for Testing and Materials (ASTM):
  - Standards guides for security
- Center for Healthcare Information Management (CHIM):
  - Up-to-date industry perspective on proposed rules and their status
- Computer-Based Patient Record Institute (CPRI):
  - CPRI Security Toolkit
- Department of Health and Human Services HIPAA Administrative Simplification:
  - Latest News on Regulations
  - Current proposed and final rules
- Electronic Healthcare Network Accreditation Commission (EHNAC):
  - Certification Program for HIPAA Compliance (under development)

Resources (cont.)
- For the Record: Protecting Electronic Health Information (National Academy Press, 1997)
  - Full Report
- Health Privacy Forum
  - Comparison of Privacy proposed and final rules
  - Comparison of state privacy laws
- HIMSS: Protecting the Security and Confidentiality of Healthcare Information (Volume 12, Number 1, Spring 1998)
  - Articles
- HIPAA Home Page http://
- HIPAA Transaction Implementation Guides from the Washington Publishing Company
- Joint Healthcare Information Technology Alliance (JHITA)
  - Summary of Privacy rules
  - Upcoming HIPAA conferences
- Links to other HIPAA sites http://
- Medicare EDI http://

Resources (cont.)
- National Uniform Billing Committee http://
- National Uniform Claims Committee http://
- Washington Publishing Company
  - ANSI ASC X12N HIPAA Implementation Guides
  - Subscribe to release of HIPAA documents (such as notice of proposed rule making)
- Workgroup for Electronic Data Interchange (WEDI):
  - Details of SNIP effort (Strategic National Implementation Pilot)