Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

Published byJazmine Gavin Modified over 9 years ago

Similar presentations

Presentation on theme: "1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel."— Presentation transcript:

1 1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel

2 2 Publication Information  Printed in Federal Register 2/20/03 –Volume 68, No. 34, pages 8334 - 8381  Effective Date 4/21/03  Compliance Date 4/21/05 (4/21/06 for Small Health Plans)  Document can be located at www.cms.hhs.gov/hipaa/hipaa2

3 3 Purpose  Ensure integrity, confidentiality and availability of electronic protected health information  Protect against reasonably anticipated threats or hazards, and improper use or disclosure

4 4 Scope  All electronic protected health information (EPHI)  In motion AND at rest  All covered entities

5 5 Security vs. Privacy  Closely linked  Security enables Privacy  Security scope larger – addresses confidentiality PLUS integrity and availability  Privacy scope larger – addresses paper and oral PHI

6 6 Security Standards General Concepts  Flexible, Scalable –Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan  Comprehensive –Cover all aspects of security – behavioral as well as technical  Technology Neutral –Can utilize future technology advances in this fast- changing field

7 7 Standards  Standards are general requirements  Eighteen administrative, physical and technical standards  Four organizational standards (conditional) –Hybrid entity, affiliated entities, business associate contracts, group health plan requirements  Two overarching standards –Policies and procedures, documentation

8 8 Standards vs. Implementation Specifications  Implementation specifications are more specific measures that pertain to a standard  36 implementation specifications for administrative, physical and technical standards –14 mandatory, 22 addressable  Implementation specifications may be: –Required –Addressable

9 9 Required vs. Addressable  Required – Covered entity MUST implement the specification in order to successfully implement the standard  Addressable – Covered entity must: Consider the specification, and implement if appropriate If not appropriate, document reason why not, and what WAS done in its place to implement the standard

10 10 Administrative Safeguards StandardsSections Implementation Specifications (R)= Required, (A)=Addressable Security Management Process164.308(a)(1)Risk Analysis(R) Risk Management(R) Sanction Policy(R) Information System Activity Review(R) Assigned Security Responsibility164.308(a)(2) (R) Workforce Security164.308(a)(3)Authorization and/or Supervision(A) Workforce Clearance Procedure(A) Termination Procedures(A) Information Access Management164.308(a)(4)Isolating Health care Clearinghouse Function(R) Access Authorization(A) Access Establishment and Modification(A) Security Awareness and Training164.308(a)(5)Security Reminders(A) Protection from Malicious Software(A) Log-in Monitoring(A) Password Management(A) Security Incident Procedures164.308(a)(6)Response and Reporting(R) Contingency Plan164.308(a)(7)Data Backup Plan(R) Disaster Recovery Plan(R) Emergency Mode Operation Plan(R) Testing and Revision Procedure(A) Applications and Data Criticality Analysis(A) Evaluation164.308(a)(8) (R) Business Associate Contracts and Other Arrangement 164.308(b)(1)Written Contract or Other Arrangement(R)

11 11 Physical Safeguards Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Facility Access Controls 164.310(a)(1)Contingency Operations(A) Facility Security Plan(A) Access Control and Validation Procedures(A) Maintenance Records(A) Workstation Use164.310(b) (R) Workstation Security164.310(c) (R) Device and Media Controls164.310(d)(1)Disposal(R) Media Re-use(R) Accountability(A) Data Backup and Storage(A)

12 12 Technical Safeguards (see § 164.312) Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Access Control164.312(a)(1)Unique User Identification(R) Emergency Access Procedure(R) Automatic Logoff(A) Encryption and Decryption(A) Audit Controls164.312(b) (R) Integrity164.312(c)(1)Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication164.312(d)(R) Transmission Security164.312(e)(1)Integrity Controls(A) Encryption(A)

13 13 Bottom Line…  All standards MUST be implemented  Using a combination of required and addressable implementation specifications and other security measures  Need to document choices  This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

14 14 Risk Analysis  What PHI do you hold?  What do business associates hold on your behalf? –Examples: billing service, accountant, medical trancription service  What are the potential risks to that data? –Examples: “hackers”, loss of data due to not backing up  “Gap analysis”… –What measures are already in place to address risks vs. –What additional measures seem to be needed

15 15 Security is not an Exact Science  No one-size-fits-all approach  Enforcement will stress reasonableness and due diligence  Take advantage of flexibility  Security does not have to be expensive

16 16 Resources  CMS will be developing technical assistance materials –Security video in the works –Checklists and other informational papers  WEDI-SNIP has good resources –www.wedi.org/snip

17 17 Resources  CMS website –www.cms.hhs.gov/hipaa/hipaa2 –Contains news of upcoming events, FAQs, technical assistance documents  E-mail box –Askhipaa@cms.hhs.gov  HIPAA hotline –1-866-282-0659

18 18 Upcoming Events  Satellite broadcast of “HIPAA 101” Video –April 16  Next HIPAA Roundtable Audioconference –April 30  Details on CMS website

19 19  Questions?

Download ppt "1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA and the GLB Connections Between Congress and Information Assurance.

HIPAA and the GLB Connections Between Congress and Information Assurance.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Similar presentations

Ads by Google