Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA and the GLB Connections Between Congress and Information Assurance.

Published byMohammed Gail Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA and the GLB Connections Between Congress and Information Assurance."— Presentation transcript:

1 HIPAA and the GLB Connections Between Congress and Information Assurance

2 The Basics HIPAA passed in 1996 Regulation authority by Health and Human Services Privacy rule in effect in 2003 Security rule in effect 2005 GLB passed in 1999 Scope is financial institutions and personal information Regulated by many agencies the Federal Trade Commission is the umbrella agency

3 Privacy Rule Information regarding medical condition or diagnosis must be kept separately from hiring/firing information Requires development of both internal and external security

4 Security Rule The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

5 Appendix A to Subpart C of Part 164—Security Standards: Matrix Standards Sections Implementation Specifications (R)=Required, (A)=Addressable Administrative Safeguards Security Management Process................. 164.308(a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility.............. 164.308(a)(2) (R) Workforce Security.................................... 164.308(a)(3) Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A) Information Access Management............. 164.308(a)(4) Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Security Awareness and Training............. 164.308(a)(5) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Security Incident Procedures.................... 164.308(a)(6) Response and Reporting (R) Contingency Plan...................................... 164.308(a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation................................................. 164.308(a)(8) (R) Business Associate Contracts and Other Arrangement. 164.308(b)(1) Written Contract or Other Arrangement (R) Physical Safeguards Facility Access Controls............................ 164.310(a)(1) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use........................................ 164.310(b) (R) Workstation Security................................. 164.310(c) (R) Device and Media Controls...................... 164.310(d)(1) Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A) Technical Safeguards (see § 164.312) Access Control.......................................... 164.312(a)(1) Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls........................................... 164.312(b) (R) Integrity..................................................... 164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication................ 164.312(d) (R) Transmission Security............................... 164.312(e)(1) Integrity Controls (A) Encryption (A)

6 What’s Required? (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

7 What’s Optional? (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (iv) Encryption and decryption Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.

8 Pros and Cons Flexible taking limited resources into account Steps are general and not technology specific Security 101, best practice Flexible allowing different interpretations to be made May slow technology in health field Lawsuits are feared by some

9 Gramm-Leach Bliley Protection of private personal information Obligations on disclosure of personal information Disclosure of institutions privacy policy

10 Specifics of the GLB Because the states are responsible for regulating the insurance industry, Gramm-Leach-Bliley (GLB) stipulates that the states pass legislation to enforce the requirements laid out in the law. Similar to these privacy requirements, GLB requires security provisions to be enforced by the states for the insurance industry. There is an exception in GLB that states that banks offering insurance products will be subject to the requirements and deadlines of their regulatory agency, as opposed to the state in which the institution resides. Currently, four states have passed personal financial information security laws, while several other states have proposed laws. It is important to note, however, that implementing and enforcing laws for the security of personal information is a requirement of GLB, and all states must eventually pass legislation for the insurance carriers in their state. It is a matter of time before all states have laws on the books implementing the security requirements of GLB.

11 Goals of Law Tighten customer protection Provide ‘Opt out’ rule Give people more control Companies in the financial sector have to let customers or consumers know what information it has on people who use its’ services, who has access in terms of other companies, and how it protects the information

12 Complications A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. “Can you explain the regulations?” he asked. He was joking, I think, but his comment sums things up. As simply one factor backfiring, the companies are required to give customers an annual notice giving them their chance to opt out.

13 Still More Complications Inter-State Complications International Issues This has left global institutions confused about how to, say, and send information about a European employee to U.S. headquarters

14 Future Predictions Privacy and security are growing concerns as viruses and worm attacks become more numerous year by year, as identity theft costs more and more, and as the public leaders become more and more computer literate. In 2002 Identity theft cost the US an estimated 53 billion. A major incident will galvanize the government into passing some wider-scope or possibly more stringent than the current rather reasonable HIPAA standards.

15 Works Cited “Boulder Computer Services Firm Encourages Companies to Prevent Computer Hackers and Consumer Identity Theft” posted 10-17-2003 www.itsecurity.com/tecsnews/oct2003/oct181.htm.www.itsecurity.com/tecsnews/oct2003/oct181.htm Brewin, Bob. Computerworld “Health Care Group: Lack Of IT Leads to Deaths” 4-22-2002. Brewin, Bob. Computerworld “New HIPAA Security Rules could open door to litigation” 2-20-2003. Federal Register 45 Health Insurance Reform: Security Standards; Final Rule CFR Parts 160, 162, and 164 2-20-2003. Fonseca, Brian. Computerworld “Sun, Digex and Divine push outsourced HIPAA solutions” 1-30-2002. Glass, Michelle R. and Hoeg, Gregory J. “The Likely Impact of the Gramm-Leach-Bliley Financial Modernization Act of 1999” posted 6-22-2000 at www.amre.com/content/iw/hoeg_glass_gramm.htm www.amre.com/content/iw/hoeg_glass_gramm.htm Scalet, Sarah D. CSO “Managing HIPAA’s Pain” April 2004 www.csoonline.com/read/040104/hippa.html. www.csoonline.com/read/040104/hippa.html Watson Wyatt Insider “Bigger Than a Breadbox: The Impact of HIPAA on American Employers April 2003 www.watsonwyatt.com.www.watsonwyatt.com

Download ppt "HIPAA and the GLB Connections Between Congress and Information Assurance."

Similar presentations

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
HIPAA, Computer Security, and Domino/Notes Chuck Connell, www.chc-3.comwww.chc-3.com.

HIPAA, Computer Security, and Domino/Notes Chuck Connell,
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.

Where to start Ben Burton, JD, MBA, RHIA, CHP, CHC.
ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept. 2004.

ITEC 6324 Health Insurance Portability and Accountability (HIPAA) Act of 1996 Instructor: Dr. E. Crowley Name: Victor Wong Date: 2 Sept
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.

The Financial Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act (GLBA) UNDERSTANDING AND DEVELOPING A STRATEGIC PLAN TO BECOME COMPLIANT.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
Security Controls – What Works

Security Controls – What Works
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.

Compliance: A Traditional Risk-Based Audit Approach GR-ISSA Lloyd Guyot, MCS GSEC Sarbanes-Oxley USA PATRIOT Act Gramm-Leach-Bliley … more November, 2005.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
HIPAA PRIVACY AND SECURITY AWARENESS.

HIPAA PRIVACY AND SECURITY AWARENESS.
BITS Proprietary and Confidential © BITS 2003. Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.

Similar presentations

Ads by Google