Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Introduction

The proposed rule (published in the Federal Register on August 12, 1998) gives information security guidance that governs the storage, maintenance, and transmission of patient information. The guidance applies to health plans, health care clearinghouses, and health care providers. It also addresses requirements for electronic signature standards.

Scope

"Health information" is any information that: (1) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university, or health care clearinghouse, and (2) relates to the past, present, or future physical or mental health or condition of an individual, to the provision of health care to an individual, or to the past, present, or future payment for the provision of health care to an individual.

Covered electronic transmissions include those using all media, including magnetic tape, disk, compact disc, Internet, extranet, private networks, and leased or dial-up lines. Telephone voice response and faxback (a request for information made via voice using a fax machine, with the information returned via that same fax machine) are not covered under this rule.

ADMINISTRATIVE PROCEDURES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

Each requirement is followed by its implementation features. Where a requirement says "all", every listed feature must be implemented.

1. Certification. (No implementation features listed.)
2. Chain of trust partner agreement. (No implementation features listed.)
3. Contingency plan (all listed implementation features must be implemented):
   - Applications and data criticality analysis.
   - Data backup plan.
   - Disaster recovery plan.
   - Emergency mode operation plan.
   - Testing and revision.
4. Formal mechanism for processing records. (No implementation features listed.)
5. Information access control (all listed implementation features must be implemented):
   - Access authorization.
   - Access establishment.
   - Access modification.
6. Internal audit. (No implementation features listed.)
7. Personnel security (all listed implementation features must be implemented):
   - Assure supervision of maintenance personnel by an authorized, knowledgeable person.
   - Maintenance of a record of access authorizations.
   - Operating, and in some cases maintenance, personnel have proper access authorization.
   - Personnel clearance procedure.
   - Personnel security policy/procedure.
   - System users, including maintenance personnel, trained in security.
8. Security configuration management (all listed implementation features must be implemented):
   - Documentation.
   - Hardware/software installation and maintenance review and testing for security features.
   - Inventory.
   - Security testing.
   - Virus checking.
9. Security incident procedures (all listed implementation features must be implemented):
   - Report procedures.
   - Response procedures.
10. Security management process (all listed implementation features must be implemented):
   - Risk analysis.
   - Risk management.
   - Sanction policy.
   - Security policy.
11. Termination procedures (all listed implementation features must be implemented):
   - Combination locks changed.
   - Removal from access lists.
   - Removal of user account(s).
   - Turn in keys, tokens, or cards that allow access.
12. Training (all listed implementation features must be implemented):
   - Awareness training for all personnel (including management).
   - Periodic security reminders.
   - User education concerning virus protection.
   - User education in the importance of monitoring log-in success/failure, and how to report discrepancies.
   - User education in password management.

PHYSICAL SAFEGUARDS TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

1. Assigned security responsibility. (No implementation features listed.)
2. Media controls (all listed implementation features must be implemented):
   - Access control.
   - Accountability (tracking mechanism).
   - Data backup.
   - Data storage.
   - Disposal.
3. Physical access controls (limited access) (all listed implementation features must be implemented):
   - Disaster recovery.
   - Emergency mode operation.
   - Equipment control (into and out of site).
   - Facility security plan.
   - Procedures for verifying access authorizations prior to physical access.
   - Maintenance records.
   - Need-to-know procedures for personnel access.
   - Sign-in for visitors and escort, if appropriate.
   - Testing and revision.
4. Policy/guideline on workstation use. (No implementation features listed.)
5. Secure workstation location. (No implementation features listed.)
6. Security awareness training. (No implementation features listed.)

TECHNICAL SECURITY SERVICES TO GUARD DATA INTEGRITY, CONFIDENTIALITY, AND AVAILABILITY

1. Access control. The procedure for emergency access must be implemented. In addition, at least one of context-based access, role-based access, or user-based access must be implemented. The use of encryption is optional.
   - Context-based access.
   - Encryption.
   - Procedure for emergency access.
   - Role-based access.
   - User-based access.
2. Audit controls. (No implementation features listed.)
3. Authorization control (at least one of the listed implementation features must be implemented):
   - Role-based access.
   - User-based access.
4. Data authentication. (No implementation features listed.)
5. Entity authentication. Automatic logoff and unique user identification must be implemented. In addition, at least one of the other listed implementation features must be implemented.
   - Automatic logoff.
   - Biometric.
   - Password.
   - PIN.
   - Telephone callback.
   - Token.
   - Unique user identification.
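The technical security services above, modelled as one small access layer. This is an added example written for this page, not code from the presentation or from the rule: role-based access as the chosen access-control model, a procedure for emergency access ("break-glass"), unique user identification and automatic logoff from the entity authentication requirement, and an audit trail that records every decision so internal audit can review it. The role names, the 15-minute timeout, the user and patient identifiers, and the request sequence are all constructed for illustration; the rule mandates the features, not these values.

```python
"""Added example: role-based access, emergency access, automatic logoff,
unique user IDs and an audit trail. Names and values are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

# Role-based access: the operations each role may perform on ePHI (constructed roles).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}

# Automatic logoff threshold (assumed policy value; the rule requires the feature, not a number).
SESSION_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    user_id: str            # unique user identification: one ID per person, never shared
    role: str
    last_activity: datetime
    active: bool = True


@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    patient_id: str
    outcome: str
    emergency: bool = False


class AccessController:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.audit_trail: List[AuditEvent] = []
        # Injectable clock so the timeout logic can be exercised deterministically.
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _record(self, session: Session, action: str, patient_id: str,
                outcome: str, emergency: bool = False) -> None:
        # Audit controls: every decision, granted or denied, is written down.
        self.audit_trail.append(AuditEvent(self.clock(), session.user_id, action,
                                           patient_id, outcome, emergency))

    def authorize(self, session: Session, action: str, patient_id: str,
                  emergency: bool = False) -> bool:
        """Decide whether `session` may perform `action` on `patient_id`'s record."""
        now = self.clock()
        # Automatic logoff: an idle or closed session gets nothing, not even emergency access.
        if not session.active or now - session.last_activity > SESSION_TIMEOUT:
            session.active = False
            self._record(session, action, patient_id, "denied: session expired")
            return False
        session.last_activity = now

        if emergency:
            # Procedure for emergency access: granted regardless of role, but flagged
            # in the trail so internal audit reviews every use of it afterwards.
            self._record(session, action, patient_id, "granted: emergency access", emergency=True)
            return True

        if action in ROLE_PERMISSIONS.get(session.role, set()):
            self._record(session, action, patient_id, "granted")
            return True
        self._record(session, action, patient_id, "denied: not permitted for role")
        return False

    def emergency_accesses(self) -> List[AuditEvent]:
        """What an internal audit pulls first: all break-glass events."""
        return [e for e in self.audit_trail if e.emergency]


def run_demo() -> Dict[str, object]:
    """Replay a constructed request sequence against a fixed, steppable clock."""
    t0 = datetime(2003, 4, 21, 9, 0, tzinfo=timezone.utc)
    now = {"t": t0}
    ctl = AccessController(clock=lambda: now["t"])
    nurse = Session(user_id="u-1001", role="nurse", last_activity=t0)

    results: Dict[str, object] = {
        "nurse_read": ctl.authorize(nurse, "read", "p-42"),                       # role allows
        "nurse_write": ctl.authorize(nurse, "write", "p-42"),                     # role forbids
        "nurse_write_emergency": ctl.authorize(nurse, "write", "p-42", emergency=True),
    }
    now["t"] = t0 + timedelta(minutes=30)          # idle past the logoff threshold
    results["after_timeout"] = ctl.authorize(nurse, "read", "p-42")
    results["emergency_events"] = len(ctl.emergency_accesses())
    results["audit_entries"] = len(ctl.audit_trail)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point worth noticing is that emergency access is not an exception to the audit control: it is granted unconditionally for an active session, but it is the one outcome that is flagged, which is what makes a later review of break-glass use possible at all.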

TECHNICAL SECURITY MECHANISMS TO GUARD AGAINST UNAUTHORIZED ACCESS TO DATA THAT IS TRANSMITTED OVER A COMMUNICATIONS NETWORK

Communications/network controls. Integrity controls and message authentication must be implemented. If communications or networking is employed, one of access controls or encryption must be implemented. In addition, if using a network, the following four implementation features must all be implemented: alarm, audit trail, entity authentication, and event reporting.
   - Access controls.
   - Alarm.
   - Audit trail.
   - Encryption.
   - Entity authentication.
   - Event reporting.
   - Integrity controls.
   - Message authentication.

ELECTRONIC SIGNATURE

Digital signature. If a digital signature is employed, the following three implementation features must be implemented: message integrity, non-repudiation, and user authentication. The other implementation features are optional.
   - Ability to add attributes.
   - Continuity of signature capability.
   - Counter signatures.
   - Independent verifiability.
   - Interoperability.
   - Message integrity.
   - Multiple signatures.
   - Non-repudiation.
   - Transportability.
   - User authentication.
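The difference between the "message authentication" feature of the network controls and the three mandatory digital-signature features (message integrity, non-repudiation, user authentication) is easy to state and easy to get wrong in practice, so here is one added example that covers both passages. It is written for this page and is not code from the presentation or the rule. Message authentication is shown with an HMAC over a key shared by sender and receiver: it detects tampering and proves the message came from someone holding the key, but the receiver holds the same key and can mint a valid tag itself, so it gives no non-repudiation. The digital signature is a hash-based Lamport one-time signature built only from SHA-256, chosen so the example runs with the Python standard library; only the private-key holder can produce it and anyone holding the public key can verify it, which is what independent verifiability and non-repudiation mean. A production system would use a standard algorithm such as RSA, ECDSA or Ed25519 rather than this one-time scheme. The patient record, keys and signer roles are constructed for the demo.

```python
"""Added example: HMAC message authentication versus a Lamport one-time
digital signature. Record contents and keys are constructed for the demo."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Message authentication (network control): shared key --------------------
def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison so a timing oracle cannot leak the tag byte by byte.
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


# ---- Digital signature: Lamport one-time signature over SHA-256 ---------------
PrivateKey = List[Tuple[bytes, bytes]]   # 256 pairs of secret 32-byte values
PublicKey = List[Tuple[bytes, bytes]]    # SHA-256 of each secret value


def keygen() -> Tuple[PrivateKey, PublicKey]:
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def sign(sk: PrivateKey, message: bytes) -> List[bytes]:
    """Reveal one secret per bit of H(message). A Lamport key must never sign
    twice: a second message would reveal the other half of many pairs."""
    digest = sha256(message)
    return [sk[i][_bit(digest, i)] for i in range(256)]


def verify(pk: PublicKey, message: bytes, signature: List[bytes]) -> bool:
    """Independent verifiability: needs only the public key, never the signer."""
    if len(signature) != 256:
        return False
    digest = sha256(message)
    return all(sha256(revealed) == pk[i][_bit(digest, i)]
               for i, revealed in enumerate(signature))


def counter_sign(sk: PrivateKey, message: bytes, prior: List[bytes]) -> List[bytes]:
    """Counter signature: the second signer commits to the message AND the first
    signature, so neither can be replaced without invalidating the counter signature."""
    return sign(sk, message + b"".join(prior))


def run_demo() -> Dict[str, bool]:
    record = b"patient_id=p-42;order=lisinopril 10mg;ordered_by=u-1001"   # constructed
    tampered = record.replace(b"10mg", b"100mg")

    # Network control: sender and receiver share one key.
    shared = secrets.token_bytes(32)
    tag = mac_tag(shared, record)
    results = {
        "mac_ok": mac_verify(shared, record, tag),
        "mac_tampered": mac_verify(shared, tampered, tag),
        # The receiver can produce a valid tag for any message it likes, so a MAC
        # proves nothing to a third party: no non-repudiation.
        "receiver_can_forge_mac": mac_verify(shared, tampered, mac_tag(shared, tampered)),
    }

    # Electronic signature: physician signs the order, pharmacist counter-signs.
    phys_sk, phys_pk = keygen()
    pharm_sk, pharm_pk = keygen()
    sig1 = sign(phys_sk, record)
    sig2 = counter_sign(pharm_sk, record, sig1)
    results.update({
        "sig_ok": verify(phys_pk, record, sig1),                 # message integrity
        "sig_tampered": verify(phys_pk, tampered, sig1),
        "sig_wrong_signer": verify(pharm_pk, record, sig1),      # user authentication
        "counter_sig_ok": verify(pharm_pk, record + b"".join(sig1), sig2),
        # Non-repudiation: the pharmacist, holding only their own key, cannot
        # produce the physician's signature on a changed order.
        "pharmacist_forges_physician": verify(phys_pk, tampered, sign(pharm_sk, tampered)),
    })
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two verification paths look alike but differ in what they prove: `mac_verify` succeeds for the receiver's own forgery, `verify` never consults a private key and rejects anything the physician's key did not sign. That asymmetry, not the tamper detection both share, is what the rule's non-repudiation feature requires.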

Compliance Deadline

The proposed rule set no compliance date of its own. The dates often attached to it (effective April 14, 2001; compliance April 14, 2003) are those of the HIPAA Privacy Rule, not the Security Rule. The final Security Rule was published on February 20, 2003, became effective on April 21, 2003, and required compliance by April 20, 2005 (April 20, 2006 for small health plans). The final rule did not adopt the electronic signature standard proposed here.