DirectTrust, www.DirectTrust.org, 1101 Connecticut Ave NW, Washington, DC 20036. HISP Policy "HP" 1.0 Overview (policy document available at DirectTrust.org).

Presentation transcript:

Slide 1: HISP Policy "HP" 1.0 Overview
Policy document available at DirectTrust.org
Presented by: Luis C. Maas III, MD, PhD
Direct Project Connect-a-thon, January 16, 2014

Slide 2: Why DirectTrust Accreditation?
Direct Messaging depends on trusted counterparties
– By design, can only exchange with trusted Direct addresses
– Market demands accredited HISPs, for confidence in exchange
– Building pairwise contracts will not scale: a common set of requirements, signified by inclusion in a bundle of trusted anchors, is the most efficient way to grow interoperability
(Figure: DirectTrust Network)

Slide 3: DirectTrust Accreditation: What is it?
HISP accreditation demonstrates compliance with:
– Direct Project Applicability Statement
– HIPAA and HITECH, and all other federal and state laws
  Software management practices of HIPAA/HITECH apply to every HISP
  How PHI may be used is specified in every HISP's own legal agreements with end users
– Secure management of customers' personal information
For Certificate Authority and Registration Authority accreditation, existing active versions of the DirectTrust Certificate Policy demand secure, industry-standard practices of CAs/RAs

Slide 4: Purpose of DirectTrust HISP Accreditation
Set the minimum bar for HISP privacy and security, for the benefit of HISP end users and data exchange partners
The added confidence in Direct exchange is expected to allow for rapid network growth from today's DirectTrust Network of 14 HISPs:
(Figure: today's DirectTrust Network of 14 HISPs)

Slide 5: ...to the nearly doubled DirectTrust Network expected in Q2 2014:
(Figure: expected DirectTrust Network, Q2 2014)

Slide 6: ...and the likely DirectTrust Network in 2015:
(Figure: likely DirectTrust Network, 2015)

Slide 7: Goals of the HP
Clearly define the systems within a business constituting HISP services
Establish the "measuring stick": minimum administrative and technical requirements for Health Information Service Providers (HISPs) with regard to message and credential management and authentication to the system
v1.0 of HP = current accreditation requirements (one exception noted later)

Slide 8: HISP Definition-1
Direct Services cannot exist without a HISP
ALWAYS part of HISP:
– STA functions
– Trust management
– Certificate discovery
– S/MIME interfaces
– HISP side of edge protocol
– End User private key stores
– End User authentication
– Maintain integrity of framework, ISSO functions

Slide 9: HISP Definition-2
SOMETIMES part of HISP:
– Provision Direct Addresses
– Generate End User private keys
– Operate SMTP server and/or POP/IMAP server
– Operate DNS and/or LDAP for certificate discovery
– Maintain End User message queues/mailboxes
– Tools to create Direct messages
– Technical support

Slide 10: HISP Definition-3
OUTSIDE the HISP / not in scope of HP:
– CA and RA roles (covered in DirectTrust Certificate Policy)
– Store/analyze EHR/PHR data
– Other EHR functions
– CDA processing/validation
– Provider Directory
– Use of Direct credentials for other purposes

Slide 11: Classification of Direct Entities
– Covered Entity (CE)
– Business Associate (BA)
– Healthcare Entity (HE)
– Patient
All four entities adhere to the same HISP requirements, except that Patient HISPs write data privacy policies rather than using BAA terms

Slide 12: Privacy & Security Summary
1. HIPAA/HITECH (and other laws') compliance by Direct entities governs privacy and security outside the HISP boundary; this is outside the scope of DirectTrust
2. DirectTrust HISP Policy sets privacy and security requirements at the edge and for access to user mailboxes via HIPAA/HITECH and other requirements
– BAA in each HISP's agreement describes the HISP's permitted use of PHI
– Privacy Policies describe each Patient HISP's permitted use of PHI
– One of the above is required by DirectTrust, as appropriate
3. DirectTrust HISP Policy sets privacy and security requirements of message data via Direct Project and other requirements
(Figure labels: 1, 2 HISP, Edge & User Mailboxes, 3 Direct Messages, Outside HISP Boundary, Direct Exchange Counterparties via SMTP)

Slide 13: Privacy & Security Summary
Other data usage and processing is outside the scope of DirectTrust policies, but policy opinions are under development relating to:
– Directories & Personal Information (Direct Directory Policy WG)
– Patient HISPs (Patient & Consumer Participation WG)

Slide 14: HISP Policy Requirements: Overview
– Infrastructure
– Data Privacy Policies
– Certificates
– Private Keys
– Physical Controls
– Software Controls & Processes
– Software Development Process
– Direct Project

Slide 15: There's More...
Today's overview covers the "MUST" requirements of the HISP Policy
Many additional "SHOULDs", recommendations, and Practice Notes are not covered today

Slide 16: Requirements: Infrastructure
– System diagram of essential HISP sites
– List of all hardware and software used with PHI
– Possess adequate physical resources
– Effective controls and procedures against malicious software
– Protection of internal databases and web servers
– Access controls on repositories

Slide 17: Requirements: Data Privacy Policies
– Have contracts with customers that contain the terms of BAAs when required by law, e.g. for every organization bound by HIPAA
– For non-Covered Entity customers, publish a privacy policy regarding authorized and unauthorized use of customer PHI, subcontractor terms, and PHI disposition on termination

Slide 18: Requirements: Certificates
– Certificates conform to the DirectTrust CP
– Ensure certificates are in DNS or LDAP for discovery
– Protect private keys and use them as the certificate permits
– Guidelines for determining certificate revocation status: CRL required, OCSP optional
– HISP must request revocation if compromise of End User keys is suspected
– Perform CA and RA roles or use an accredited CA and RA

Slide 19: Requirements: Private Keys
– Perform private key risk assessment and mitigation
– ISSO ensures protection of keys and access lists
– Document how different LoAs are supported; operate all infrastructure at the highest LoA supported
– Hardware and software storing end user private keys must be well protected

Slide 20: Requirements: Physical Controls
– Protect equipment from unauthorized access
– Only authorized HISP personnel may access equipment
– Implement and document procedures limiting access to facilities, including role-based access to software
– Document physical modifications to facilities that impact security
– Audit trail on equipment containing PHI
– Policies and procedures for final disposition of PHI and of the hardware/media/paper on which it is stored

Slide 21: Requirements: Software Controls & Processes-1
– Multiple roles are defined so that malicious activity requires multiple parties' involvement; must have staff to fill all roles and ensure relevant training, at minimum annually for those with access to PHI
– Maintain user access list to PHI
– Policies and procedures ensuring compliance with HIPAA and federal and state laws, archived 6 years
– Authenticate End Users and intermediate systems at the LoA of the HISP infrastructure
– Policies restricting personal, unlicensed, and unapproved software
– Documented policies for workstations that may access PHI

Slide 22: Requirements: Software Controls & Processes-2
– HISP employees, persons, and software programs may access PHI only as needed, based on a procedure used to determine initiation and termination of this purpose; policies must prevent unauthorized access by those without purpose
– Procedures to document, review, and modify user access to workstation, transaction, program, or process
– Unique user identities for system access
– Inactivity timeouts

Slide 23: Requirements: Software Controls & Processes-3
– Hybrid entities must protect PHI in the healthcare component from other components of the organization
– Hybrid entities must document the healthcare component
– Sanctions within the HISP for non-compliance with security policies
– BAAs are required of HISP contractors handling PHI; several specific stipulations

Slide 24: Requirements: Software Controls & Processes-4
– Audit logs relating to security of the HISP are made available during compliance audits
– PHI risk assessment must be performed
– Quarterly internal vulnerability assessment with improvement process; annually by a 3rd party
– Maintain written records of actions required by law for 6 years
– Procedures to respond to and document actual or suspected security issues
– Written disaster recovery policy
– Annual criticality analysis of contingency plan

Slide 25: Requirements: Software Controls & Processes-5
– Security and breach notification procedures
– Procedure for secure facility access for data restoration and access to PHI during an emergency
– PHI backup, if PHI is stored; additionally before equipment is moved
– Configuration standards for systems involving PHI and for workstations that access those systems
– No unencrypted PHI on PCs, consumer devices, or removable media
– Appropriate security for wireless networks
– Firewall configured to protect system integrity
– Monitored/blocked and alarmed intrusion detection

Slide 26: Requirements: Software Development Process
– Documented software development policies
– Formal change management framework
– Have a process to evaluate and respond to new state and federal regulations

Slide 27: HISP Policy Requirements: Direct-1
– Message integrity checking
– Messages protected by HIPAA privacy rules
– SSL/TLS or equivalent edge encryption
– Documentation of message access methods
– Deliver messages without diverting or redistributing, except for backup or as required by regulations
– Handling of untrusted messages

Slide 28: HISP Policy Requirements: Direct-2
– Document how trust can be configured for customers
– Perform authentication, encryption, trust verification, and acknowledgement of responsibility to deliver messages using SMTP as in the Applicability Statement
– Support DNS and LDAP for certificate discovery
– Perform STA functions per the Applicability Statement and the Certificate Discovery for Direct Project IG
– If one-way trust is enabled for send or receive, must be able to receive or transmit MDNs with the counterparty
– Counterparty HISPs may not be charged to exchange messages with end users

Slide 29: HISP Policy Requirements: Direct-3
MDNs:
– 1 hour response time for Processed/Dispatched, else Fail recommended
– Interoperability Note: Dispatched
New requirement not in the v1.0 DTAAP criteria and not in the 2014 MU2 criteria:
– Messages must be sent wrapped, and HISPs must be capable of receiving wrapped messages
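As an added illustration of the two Direct-3 mechanics (this is example code written for this overview, not DirectTrust's or the Direct Project's), the Python below wraps an outbound message as a message/rfc822 body so its Subject and other headers travel inside the body that S/MIME will protect, and ranks the MDNs received for a sent message against the one-hour deadline. The Disposition-field parsing is a simplified reading of RFC 3798, the hisp.example addresses and sample MDN report are constructed, and the Pending/Fail state model is an assumption drawn from the slide's wording; S/MIME signing and encryption are out of scope here.

```python
from datetime import datetime, timedelta
from email import message_from_bytes
from email.message import EmailMessage
from email.mime.message import MIMEMessage
from email.utils import formatdate, make_msgid

MDN_DEADLINE = timedelta(hours=1)  # slide 29: Processed/Dispatched within 1 hour, else Fail

def wrap_message(inner: EmailMessage) -> MIMEMessage:
    # Outer message carries only routing headers; the whole inner message,
    # Subject included, becomes a message/rfc822 body that S/MIME then protects.
    outer = MIMEMessage(inner)
    outer["From"], outer["To"] = inner["From"], inner["To"]
    outer["Date"], outer["Message-ID"] = formatdate(), make_msgid(domain="hisp.example")
    return outer

def unwrap_message(raw: bytes):
    # Receiving side: accept only wrapped input, then hand back the inner message.
    outer = message_from_bytes(raw)
    if outer.get_content_type() != "message/rfc822":
        raise ValueError("not a wrapped Direct message")
    return outer.get_payload(0)

def disposition_type(mdn_report: str) -> str:
    # RFC 3798 field "Disposition: <mode>; <type>[/<modifier>]" -> e.g. "processed"
    for line in mdn_report.splitlines():
        if line.lower().startswith("disposition:") and ";" in line:
            return line.split(";", 1)[1].split("/", 1)[0].strip().lower()
    return ""

def mdn_status(sent_at: datetime, mdns, now: datetime) -> str:
    # mdns: (received_at, disposition_type) pairs. Dispatched outranks Processed;
    # with neither by the deadline the sending HISP marks the message Fail (assumed model).
    types = {d for t, d in mdns if t <= now}
    if "dispatched" in types:
        return "Dispatched"
    if "processed" in types:
        return "Processed"
    return "Fail" if now - sent_at > MDN_DEADLINE else "Pending"

def demo() -> dict:
    # Constructed sample data: one wrapped message and three MDN timing cases.
    inner = EmailMessage()
    inner["From"], inner["To"] = "dr.sender@hisp.example", "clinic@other-hisp.example"
    inner["Subject"] = "Referral summary"
    inner.set_content("Sample body; a CDA document would be attached in production.")
    outer = wrap_message(inner)
    t0 = datetime(2014, 1, 16, 9, 0)
    report = "Reporting-UA: other-hisp.example\nDisposition: automatic-action/MDN-sent-automatically; processed\n"
    return {
        "outer_subject": outer["Subject"],  # None: the Subject stays inside the wrapper
        "inner_subject": unwrap_message(outer.as_bytes())["Subject"],
        "on_time": mdn_status(t0, [(t0 + timedelta(minutes=5), disposition_type(report))], t0 + timedelta(minutes=10)),
        "late": mdn_status(t0, [], t0 + timedelta(minutes=61)),
        "waiting": mdn_status(t0, [], t0 + timedelta(minutes=30)),
    }
```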

Slide 30: HISP Policy Q&A
The DirectTrust Security & Trust Compliance workgroup meets on Wednesdays at noon PST