HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Presentation transcript:

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003

2 Important Dates
Final rule published February 20, 2003
Compliance:
– April 21, 2005 for all covered entities except small health plans
– April 21, 2006 for small health plans (as required under HIPAA)

3 HIPAA Security
HIPAA Privacy covers what information you protect – the use and disclosure of PHI
HIPAA Security covers how you protect that information and when
– Adopt national standards for safeguards to protect the confidentiality, integrity, and availability of the data

4 General Requirements
Ensure:
– Confidentiality: who can see the information
– Integrity: the information has not been altered in any way
– Availability: it can be accessed on a timely basis

5 General Requirements
Applies to electronic protected health information
– Note that privacy extends to oral and written communications
Applies to the electronic PHI that a covered entity:
– Creates
– Maintains
– Transmits

6 General Requirements
Covered entities must:
– Protect against reasonably anticipated threats or hazards to the security or integrity of information
– Protect against reasonably anticipated uses and disclosures as outlined in the privacy rule
– Ensure compliance by the workforce
– Develop business associate contracts as appropriate

7 Overarching Themes
Security is technology neutral
– Outlines what needs to be done to protect the information, but not how it should be done
Security is comprehensive
– Covers the technical, administrative, and behavioral aspects of compliance

8 Basic Changes from NPRM
Aligned with privacy (definitions and requirements for business associate contracts)
Encryption is now addressable
No requirement for certification
Standards simplified and redundancy eliminated

9 Regulation Approach
Scalability (size) and flexibility (implementation)
Organizational approaches should account for:
– Size
– Complexity
– Technical infrastructure
– Cost
– Potential security risks

10 Regulation Approach
Developed standards:
– Administrative
– Physical
– Technical
Within each standard are a series of implementation specifics that can be either required or addressable

11 Regulation Approach
Required – a MUST
Addressable – a covered entity, after conducting a documented risk analysis, may:
– Implement the specification if reasonable and appropriate
– Implement an equivalent measure, if reasonable and appropriate
– Not implement it (with the rationale documented)

12 Administrative Standards (R = required, A = addressable)
Security Management
– Risk analysis (R)
– Risk management (R)
Assigned Responsibility – a single point of responsibility
Workforce Security
– Termination procedures (A)
– Clearance procedures (A)

13 Administrative Standards
Information Access Management
– Isolating clearinghouse functions (R)
– Access authorization (A)
Security Awareness and Training
Security Incident Procedures
Contingency Plan
– Disaster Recovery Plan (R)
Evaluation
Business Associate Contracts

14 Physical Standards
Facility Access Controls – all addressable
– Contingency operations
– Facility security plan
– Access control
– Maintenance records
Workstation Use
Workstation Security
Device and Media Controls

15 Technical Standards
Access Control
– Unique user ID (R)
– Emergency access (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls
Integrity
Person or Entity Authentication
Transmission Security
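A small illustration of how several of the technical standards on this slide look once they are turned into code: unique user IDs (shared logins are refused), automatic logoff after a period of inactivity, emergency access that is permitted but flagged for later review, and an audit trail whose entries are chained with an HMAC so that altering or deleting an entry is detectable (an integrity control over the audit record itself). This is an added example written for this transcript, not code from the presentation, CMS, or any vendor; the 15-minute idle limit, the deny-list of shared account names, the user names, the record identifiers, and the demo key are all constructed assumptions.

```python
"""Constructed demo of unique user IDs, automatic logoff, emergency access,
and tamper-evident audit controls. Policy values below are assumptions."""
from __future__ import annotations
import hashlib
import hmac
import json

AUTO_LOGOFF_SECONDS = 900                      # assumed policy: 15 minutes idle
NON_UNIQUE_IDS = {"admin", "shared", "generic"}  # constructed deny-list of shared logins


class AuditLog:
    """Append-only audit trail. Each entry's MAC covers its own content plus
    the previous entry's MAC, so editing or removing an entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []
        self._prev_mac = ""

    def _mac(self, prev_mac: str, body: dict) -> str:
        msg = prev_mac.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, ts: int, user_id: str, action: str, detail: str = "") -> None:
        body = {"ts": ts, "user": user_id, "action": action, "detail": detail}
        mac = self._mac(self._prev_mac, body)
        self.entries.append({**body, "mac": mac})
        self._prev_mac = mac

    def verify(self) -> bool:
        """Recompute the whole chain; False if any entry was altered or dropped."""
        prev = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if not hmac.compare_digest(self._mac(prev, body), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


class SessionManager:
    """Tracks per-user sessions and enforces automatic logoff on inactivity."""

    def __init__(self, audit: AuditLog, idle_limit: int = AUTO_LOGOFF_SECONDS):
        self._audit = audit
        self._idle_limit = idle_limit
        self._last_seen: dict[str, int] = {}   # user_id -> time of last activity

    def login(self, user_id: str, ts: int) -> bool:
        # Unique user ID (R): every action must trace back to one person.
        if not user_id or user_id.lower() in NON_UNIQUE_IDS:
            self._audit.record(ts, user_id or "<blank>", "login_denied", "non-unique id")
            return False
        self._last_seen[user_id] = ts
        self._audit.record(ts, user_id, "login")
        return True

    def access(self, user_id: str, record_id: str, ts: int, emergency: bool = False) -> bool:
        last = self._last_seen.get(user_id)
        if last is None:
            self._audit.record(ts, user_id, "access_denied", f"{record_id}: no session")
            return False
        if ts - last > self._idle_limit:
            # Automatic logoff (A): the idle session ends instead of being renewed.
            del self._last_seen[user_id]
            self._audit.record(ts, user_id, "auto_logoff", f"idle {ts - last}s")
            return False
        self._last_seen[user_id] = ts
        # Emergency access (R): allowed, but labelled so it stands out in review.
        action = "emergency_access" if emergency else "access"
        self._audit.record(ts, user_id, action, record_id)
        return True


def demo() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    log = AuditLog(key=b"constructed-demo-key")  # real deployments: key from a KMS/HSM
    sm = SessionManager(log)
    sm.login("shared", ts=0)                               # refused: not a unique ID
    sm.login("dfaup", ts=0)
    first = sm.access("dfaup", "MRN-0001", ts=60)          # within idle limit
    after_idle = sm.access("dfaup", "MRN-0002", ts=60 + AUTO_LOGOFF_SECONDS + 1)
    sm.login("oncall1", ts=2000)
    emergency = sm.access("oncall1", "MRN-0001", ts=2001, emergency=True)
    intact_before = log.verify()
    log.entries[2]["detail"] = "MRN-9999"                  # simulate tampering with the trail
    return {"first": first, "after_idle": after_idle, "emergency": emergency,
            "intact_before": intact_before, "intact_after": log.verify(),
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The chained MAC only proves that the log was not altered after the fact by someone without the key; keeping the key out of the application that writes the log (and copying entries to a separate, write-once store) is what makes the audit control hold against an insider with application access.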

16 Sample Industry Approach
Determine organizational position
Conduct and document risk analysis
– Determine threats and likelihood
Develop strategies to implement each of the standards
– Implementation plan inclusive of timeline
– For situations where no solution is being implemented (e.g., low threat/low risk), document the rationale
Develop and document policies and procedures
Train workforce
Implement processes
Monitor and evaluate

17 Implementation Progressing
Organizations are moving ahead with risk assessments and have set timelines for compliance
– Due to the overlap with Privacy, the groundwork for security has already been laid in many entities
WEDI workgroups are developing guidance for industry-wide distribution
More questions are devoted to security
Covered entities are still focused on TCS (Transactions and Code Sets) compliance and may be behind in security efforts

18 Challenges
Implementation
– Conducting risk analysis
  Developing an approach and completing the analysis with enough time to implement the recommendations
– Accessing expertise
  Especially difficult for small providers
– Balancing between cost and capabilities
– Understanding the unknown – there is no right answer
  Compliance strategies will be different for all covered entities
– Dealing with TCS: extending contingency plans may hinder security progress

19 Challenges
Enforcement – complaint driven
– The overlap between privacy and security
  When does it go from being a violation of one to a violation of the other?
  A complaint may be initially identified as a privacy complaint, but contain a security breach
– No right answer

20 Appendix – Chart
The implementation specifics are outlined in the appendix.