Download presentation
Presentation is loading. Please wait.
Published byPrincess Lander Modified over 9 years ago
1
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona Hoffman School of Law Case Western Reserve University Cleveland, Ohio 44106
2
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Addresses both health insurance reform and “administrative simplification” Portability reforms protect health insurance coverage for workers when they change or lose their jobs
3
HIPAA Administrative Simplification Provisions Electronic Transactions and Code Sets National Provider Identifiers Privacy Standards Security Standards Civil Money Penalties
4
Entities Covered by HIPAA Standards Health care providers Health plans (payers) Health care clearinghouses
5
Effects of HIPAA on Electronic Data Interchange in Health Care Industry Brought substantial uniformity to EDI, though interoperability problems persist Generated concern about compliance with security standards Gave rise to important new model for interactions between covered entities
6
Provider-Clearinghouse*-Payer Model
7
Security Threats in the PC*P Model External threats Hacking, interception, deception, denial of service, etc. by outsiders Internal threats Abuse of authorized access to electronically protected health information (EPHI) by covered entities, their employees, or business associates
8
Meta-Threat: A Market in Illicitly- Obtained EPHI EPHI potentially has great value to outsiders, e.g., Marketers Employers Insurers Blackmailers Once EPHI is dispersed Internet, it cannot be recovered Harm is potentially unlimited Not adequately addressed by HIPAA Only partially addressed by other laws
9
HIPAA Security Standards Intended to ensure confidentiality, integrity, and availability of EPHI Define administrative, physical, and technical safeguards Emphasize technological neutrality at the expense of specificity C.E. must implement “reasonable and appropriate” policies and procedures to comply with the standards and must document these
10
Implementation Specifications May be “required” or “addressable” C.E. may implement an alternative to addressable spec or choose not to implement either spec or alternative Decision is based on analysis of risks, costs, available resources Must document rationale
11
HIPAA Safeguards Against Insider Threats Administrative safeguards Workforce security policy Workforce sanctions Security training Access authorization policy Periodic evaluation Information system activity review Business associate contracts
12
HIPAA Safeguards Against Insider Threats (2) Physical safeguards Facility access controls Device and media controls
13
HIPAA Safeguards Against Insider Threats (3) Technical safeguards Access control Unique user identification Encryption Audit controls Integrity controls Person or entity authentication
14
Limitations of HIPAA Safeguards Employees with legitimate access to EPHI can easily provide it to outsiders or modify it No technical restrictions on employees’ ability to distribute or modify EPHI are specified Form of audit controls is not specified Addressed primarily by deterrents Dismissal Employer sanctions Fines Imprisonment
15
Recommended Mandatory Implementation Specifications Employees must be prevented technically from electronically distributing or modifying EPHI except as required for essential business reasons Employees who normally process EPHI must not have system administration privileges Each transfer or modification of EPHI must be securely and permanently logged Actors strongly identified Relevant items identified
16
Implications of the Recommendations Most employees handling EPHI must use restricted hardware and software Hardware, software, and administrative support for “dual-key” system administration is required
17
Preventing Trafficking in Illicitly Obtained EPHI Requires combination of technical and legal means Proposals: Regulate all entities that handle EPHI Require that such entities be able to prove the provenance and authenticity of EPHI they have handled Require use of strong identification and data integrity validation
18
HIPAA Enforcement Provisions
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.