Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Standards Update

Published byReginald Gregory Modified over 6 years ago

Similar presentations

Presentation on theme: "HIPAA Standards Update"— Presentation transcript:

1 HIPAA Standards Update
11/24/2018 HIPAA Standards Update Centers for Medicare and Medicaid Services Office of eHealth Standards and Services March 2007 11/24/2018

2 Claims Attachment Final rule in process
11/24/2018 Claims Attachment Final rule in process HL7 process – technical comments Policy issues Unsolicited attachments Attachments in COB process 11/24/2018

3 ICD-10 Policy discussions continue Issues 5010 status Compliance date
11/24/2018 ICD-10 Policy discussions continue Issues Compliance date Cost to industry 5010 status 11/24/2018

4 Remote Access Security Guidance
11/24/2018 Remote Access Security Guidance Supports policies and strategies for compliance with the HIPAA Security Rule Highlights three activities: Conducting Security Risk Assessments Developing and Implementing Policies and Procedures Implementing Mitigation Strategies Released December 28, 2006 at: 11/24/2018

5 Why a new guidance? Since the original rule there has been:
11/24/2018 Why a new guidance? Since the original rule there has been: Changes in Technology Increases in mobile devices Increased workforce mobility Increased use of portable media Recent Security Incidents Reports of thefts of laptops and media containing EPHI Reports of access to EPHI by unauthorized users The original rule was intentionally broad Technology changes allow for greater specificity in guidances, as standards and best practices have evolved since the original HIPAA Security Rule was promulgated. 11/24/2018

6 What’s Affected? Laptops Home PCs PDAs Smart Phones
11/24/2018 What’s Affected? Devices, Media and Connectivity Tools: Laptops Home PCs PDAs Smart Phones Library, Hotel, and other public PCs Wireless Access Points USB Flash Drives CDs and DVDs Floppy Disks Backup Media Smart Cards Remote Access Devices Etc. Remote Access Devices: usually “second factor” devices like RSA’s SecureID card, which provides a cryptographic token used to log into a secure network. Can be very serious if lost, particularly if the owner has not followed good security procedures and, for instance, affixed their username and password to the card. This is not a complete list. 11/24/2018

7 Guiding Principles Be deliberate about EPHI release
11/24/2018 Guiding Principles Be deliberate about EPHI release EPHI release should have a valid operational justification EPHI Release Requires: Risk Analysis Policy & Procedure Development Risk Mitigation Strategies The next seven slides will discuss each of these in more detail, including the three areas of risk mitigation 11/24/2018

8 11/24/2018 Risk Analysis Security compliance requires analysis of risks and mitigation factors Factors to consider in risk assessments, per § (b)(2): The size, complexity, and capabilities of the covered entity. The covered entity's technical infrastructure, hardware, and software security capabilities. The costs of security measures. The probability and criticality of potential risks to [EPHI]. 11/24/2018

9 Policy Development Requires training and compliance
11/24/2018 Policy Development Requires training and compliance Ongoing workforce awareness programs Guidance discusses three key areas: Data Access Data Storage Data Transmission Data access policies and procedures focus on ensuring that users only access data for which they are appropriately authorized. Remote access to EPHI should only be granted to authorized users based on their role within the organization and their need for access to EPHI. Storage policies and procedures address the security requirements for media and devices which contain EPHI and are moved beyond the covered entity’s physical control. Such media and devices include laptops, hard drives, backup media, USB flash drives and any other data storage item which could potentially be removed from the organization’s facilities. Transmission policies focus on ensuring the integrity and safety of EPHI sent over networks, and include both the direct exchange of data (for example, in trading partner relationships) and the provisioning of remote access to applications hosted by the organization (such as a provider’s home access to ePrescribing systems or “web mail” in organizations where EPHI might be included in internal communications). The next three slides discuss risks and mitigation strategies for each of these three areas. 11/24/2018

10 Example Data Access Strategies
11/24/2018 Example Data Access Strategies Risks Potential Mitigation Strategies Lost passwords Unauthorized access Unattended workstations and home computers Failure to log off public machines Viruses Two-factor authentication Secure user names Clearance and training procedures for data use Limiting access to EPHI to users with specific requirements and authorization Session termination and timeouts for remote applications Personal firewall and antivirus software 11/24/2018

11 11/24/2018 Next Steps Notice of Proposed Rule Making to incorporate guidance into the Security Rule 11/24/2018

12 NPI Implementation Status
11/24/2018 NPI Implementation Status May 23, 2007 compliance date (for all but small plans) Over 1.9 million providers enumerated (of an estimated 2.3 million universe) Data dissemination notice under review by OMB 11/24/2018

13 NCVHS Hearings Testimony from broad spectrum of stakeholders
11/24/2018 NCVHS Hearings Testimony from broad spectrum of stakeholders Consensus: Much progress toward compliance BUT Many covered entities will not meet May 23 date Situation is similar to 2003, when HHS declared contingency for transactions and code set standards 11/24/2018

14 11/24/2018 Specific Issues Complexity of building and testing crosswalks between NPIs and legacy ID’s Some providers have not gotten their NPIs, most are not submitting them on transactions Outreach and education efforts have not reached all affected entities 11/24/2018

15 Specific Issues (cont’d)
11/24/2018 Specific Issues (cont’d) Mechanisms needed to promote easy access for providers to NPIs of other providers Labs and DME suppliers need NPI of referring provider Hospitals need NPI of operating physician Pharmacies need NPI of prescriber 11/24/2018

16 NCVHS Recommendations
11/24/2018 NCVHS Recommendations Adopt contingency guidance similar to 2003 Covered entities can adopt contingency plans to work with noncompliant trading partners to work toward compliance without jeopardizing cash flows In event of complaint, CMS would assess “good faith efforts” 11/24/2018

17 NCVHS Recommendations (cont’d)
11/24/2018 NCVHS Recommendations (cont’d) Contingency period would end 6 months after later of: May 23, 2007 First date where NPPES data available Time limited contingency encourages continued movement toward compliance 11/24/2018

18 NCVHS Recommendations (cont’d)
11/24/2018 NCVHS Recommendations (cont’d) Did not specify what a contingency plan would look like (e.g., did not require ability to process both NPI and legacy ID’s) Did reflect expectation that providers should obtain and use NPI asap and that plans should be ready to accept them asap 11/24/2018

19 NCVHS Recommendations (cont’d)
11/24/2018 NCVHS Recommendations (cont’d) Publish Data Dissemination Notice asap AND make data available as soon thereafter as possible Continue outreach and education, in particular to provider community 11/24/2018

20 Next Steps Watch CMS website, listservs, etc. for further information
11/24/2018 Next Steps Watch CMS website, listservs, etc. for further information Plans should consider possibility of contingency in event of guidance What would contingency be, how would it be communicated? 11/24/2018

Download ppt "HIPAA Standards Update"

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.

CS898T Mobile and Wireless Network Handheld Device Security By Yuan Chen July 25 th, 2005.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
David Assee BBA, MCSE Florida International University

David Assee BBA, MCSE Florida International University
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Security Training 2005

HIPAA Security Training 2005
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
New Data Regulation Law 201 CMR 17.00. TJX Video.

New Data Regulation Law 201 CMR TJX Video.
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.

 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
N ational P rovider I dentifier Type 1 Workforce Training Month Day, Year The NPI will become the standard, unique identifier for health care providers.

N ational P rovider I dentifier Type 1 Workforce Training Month Day, Year The NPI will become the standard, unique identifier for health care providers.

Similar presentations

Ads by Google