HIPAA Security Final Rule Overview

Slides:

Advertisements

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Advertisements

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group

HIPAA Health Insurance Portability and Accountability Act.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

Security Controls – What Works

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.

“ Technology Working For People” Intro to HIPAA and Small Practice Implementation.

Copyright ©2011 by Pearson Education, Inc. Upper Saddle River, New Jersey All rights reserved. Health Information Technology and Management Richard.

2012 Audits of Covered Entity Compliance with HIPAA Privacy, Security and Breach Notification Rules Initial Analysis February 2013.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Working with Health IT Systems Protecting Privacy, Security, and Confidentiality in HIT Systems Lecture a This material (Comp7_Unit7a) was developed by.

April 14, A Watershed Date in HIPAA Privacy Compliance: Where Should You Be in HIPAA Security Compliance and How to Get There… John Parmigiani National.

LeToia Crozier, Esq., CHC Vice President, Compliance & Regulatory Affairs Corey Wilson Director of Technical Services & Security Officer Interactive Think.

Copyright © 2009 by The McGraw-Hill Companies, Inc. All Rights Reserved. McGraw-Hill Chapter 6 The Privacy and Security of Electronic Health Information.

Eliza de Guzman HTM 520 Health Information Exchange.

The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,

Policies for Information Sharing April 10, 2006 Mark Frisse, MD, MBA, MSc Marcy Wilder, JD Janlori Goldman, JD Joseph Heyman, MD.

1 HIPAA Administrative Simplification Standards Yesterday, Today, and Tomorrow Stanley Nachimson CMS Office of HIPAA Standards.

Working with HIT Systems

Component 8/Unit 6aHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 6a System Security Procedures.

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

1 Privacy Plan of Action © HIPAA Pros 2002 All rights reserved.

HIPAA History March 3, HIPAA Ruling Health Insurance Portability Accountability Act Health Insurance Portability Accountability Act Passed by Congress.

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

1 © CHC Healthcare Solutions 2004 All rights reserved HIPAA Issues for Counties – PHI, Prisoners, Disaster Preparedness and Homeland Security March 9,

HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Security Final Rule Overview for HIPAA Summit West June 5, 2003Karen Trudel.

Working with HIT Systems Unit 7a Protecting Privacy, Security, and Confidentiality in HIT Systems This material was developed by Johns Hopkins University,

HIPAA Compliance Case Study: Establishing and Implementing a Program to Audit HIPAA Compliance Drew Hunt Network Security Analyst Valley Medical Center.

Functioning as a Business Associate Under HIPAA William F. Tulloch Director, PCBA March 9, 2004.

The Art of Information Security: A Strategy Brief Uday Ali Pabrai, CISSP, CHSS.

The Health Insurance Portability and Accountability Act of 1996 “HIPAA” Public Law

COMMUNITY-WIDE HEALTH INFORMATION EXCHANGE: HIPAA PRIVACY AND SECURITY ISSUES Ninth National HIPAA Summit September 14, 2004 Prepared by: Robert Belfort,

HIPAA Yesterday, Today and Tomorrow? Dianne S. Faup Office of HIPAA Standards Centers for Medicare & Medicaid Services.

Installation and Maintenance of Health IT Systems System Security Procedures and Standards Lecture a This material Comp8_Unit6a was developed by Duke University,

© 2016 Health Information Management Technology: An Applied Approach Chapter 10 Data Security.

The Health Insurance Portability and Accountability Act

East Carolina University

Understanding HIPAA Dr. Jennifer Lu.

Paul T. Smith Davis Wright Tremaine LLP

Health Insurance Portability and Accountability Act

Disability Services Agencies Briefing On HIPAA

Final HIPAA Security Rule

Health Insurance Portability and Accountability Act

County HIPAA Review All Rights Reserved 2002.

Thursday, June 5 10: :45 AM Session 1.01 Tom Walsh, CISSP

HIPAA Privacy and Security Summit 2018 HIPAA Privacy Rule: Compliance Plans, Training, Internal Audits and Patient Rights Widener University Delaware.

HIPAA Security Standards Final Rule

Drew Hunt Network Security Analyst Valley Medical Center

National Congress on Health Care Compliance

Enforcement and Policy Challenges in Health Information Privacy

THE 13TH NATIONAL HIPAA SUMMIT HEALTH INFORMATION PRIVACY & SECURITY IN SHARED HEALTH RECORD SYSTEMS SEPTEMBER 26, 2006 Paul T. Smith, Esq. Partner,

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

HIPAA Compliance Services CTG HealthCare Solutions, Inc.

Introduction to the PACS Security

Presentation transcript:

HIPAA Security Final Rule Overview March 27, 2003 Karen Trudel

Publication Information Printed in Federal Register 2/20/03 Volume 68, No. 34, pages 8334 - 8381 Effective Date 4/21/03 Compliance Date 4/21/05 (4/21/06 for Small Health Plans) Document can be located at www.cms.hhs.gov/hipaa/hipaa2

Purpose Ensure integrity, confidentiality and availability of electronic protected health information Protect against reasonably anticipated threats or hazards, and improper use or disclosure

Scope All electronic protected health information (EPHI) In motion AND at rest All covered entities

Security vs. Privacy Closely linked Security enables Privacy Security scope larger – addresses confidentiality PLUS integrity and availability Privacy scope larger – addresses paper and oral PHI

Security Standards General Concepts Flexible, Scalable Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan Comprehensive Cover all aspects of security – behavioral as well as technical Technology Neutral Can utilize future technology advances in this fast-changing field

Public Comments Widespread support for general concepts Need for more flexibility Too many requirements

Major Changes from NPRM Consolidated and tightened requirements Added flexibility Concept of “addressability” Coordinated with privacy “Chain of Trust” agreement now handled via business associate agreement

Standards Standards are general requirements Eighteen administrative, physical and technical standards Four organizational standards (conditional) Hybrid entity, affiliated entities, business associate contracts, group health plan requirements Two overarching standards Policies and procedures, documentation

Standards vs. Implementation Specifications Implementation specifications are more specific measures that pertain to a standard 36 implementation specifications for administrative, physical and technical standards 14 mandatory, 22 addressable Implementation specifications may be: Required Addressable

Required vs. Addressable Required – Covered entity MUST implement the specification in order to successfully implement the standard Addressable – Covered entity must: Consider the specification, and implement if appropriate If not appropriate, document reason why not, and what WAS done in its place to implement the standard

Standards May Have No separate implementation specification – in that case the standard is also the implementation specification (and must be implemented) One or more implementation specifications that are all required One or more implementation specifications that are all addressable A combination of required and addressable implementation specifications

Bottom Line… All standards MUST be implemented Using a combination of required and addressable implementation specifications and other security measures Need to document choices This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

Example: No Implementation Specification Assigned Security Responsibility No additional specifics needed

Example: All Implementation Specifications Required Security Management Process Requires risk analysis, risk management, sanction policy, and information system activity review

Example: All Implementation Specifications Addressable Security Awareness and Training Specific topics are addressable: security reminders, protection from malicious software, log-in monitoring and password management Even if none of those topics are relevant, the covered entity must still conduct training Covered entity has choices regarding – how training is provided (computer-based, formal classroom, at staff meetings, etc.) and relevant content

Example: Combination of Required and Addressable Device and Media Controls Disposal and media reuse specifications are required Accountability and data backup and storage are addressable

Other Changes Encryption over open network is now addressable Requirement for Certification changed to Evaluation Electronic signature standard not adopted at this time

Outreach Will develop technical assistance materials Working on security video Special target audience is small providers

Questions?