Published by Douglas Sims. Modified over 9 years ago.
What is HIPAA?
Health Insurance Portability and Accountability Act (the Kennedy-Kassebaum Bill)
- Administrative Simplification
  - Privacy
  - Transactions & Code Sets
  - Security
Administrative Simplification
- Privacy: April 14, 2003 (implemented)
- Transaction Standards and Code Sets: October 16, 2003 (implemented)
- Security: April 20, 2005 (it's right around the corner)
Goals of Administrative Simplification
- Protect the security and privacy of patient information
- Improve efficiency and effectiveness by standardizing the electronic transmission of:
  - Financial transactions
  - Administrative transactions
Who is covered by HIPAA?
- "Covered Entities"
  - Health Care Providers
  - Clearinghouses
  - Health Plans
- Business Associates
  - An entity that performs a task on our behalf, and
  - Uses Protected Health Information (PHI) to do it
  - Examples: temp agencies, the Medical Director, a pharmacy consultant
What does HIPAA Protect?
- Protected Health Information (PHI): individually identifiable health information (IIHI) that is
  - Created or received by a health care provider, AND
  - Relates to past, present, or future treatment, OR to payment for such services, AND
  - Identifies the individual (or could reasonably be used to identify them), AND
  - Is transmitted or maintained in ANY form (paper, oral, or electronic)
What is the Security Rule?
Important Security Facts
- Applies only to e-PHI (PHI in electronic form)
- Requires a Risk Assessment
- Requires technical controls, not just policies: a more technical solution than the Privacy Rule
- Effective April 20, 2005
What does the Security Rule Protect?
- Electronic Protected Health Information (e-PHI)
  - Created or received by a health care provider, AND
  - Relates to past, present, or future treatment, OR to payment for such services, AND
  - Identifies the individual, AND
  - Is transmitted by or maintained in ELECTRONIC MEDIA
Security Rule Core Requirements
Covered Entities must ensure the confidentiality, integrity, and availability (CIA) of all e-PHI they create, receive, maintain, or transmit.
Security Rule Core Requirements
Covered Entities must protect against any reasonably anticipated threat or hazard to the security or integrity of e-PHI.
Security Rule Core Requirements
Covered Entities must protect against any reasonably anticipated uses or disclosures of e-PHI that are not permitted under the law.
Security Rule Core Requirements
Covered Entities must ensure compliance with the Security Rule by all of their workforce members.
Security Rule Components
Three categories:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
Security Rule Components
- Standards: general requirements that must be complied with. Example: Contingency Planning
- Implementation Specifications: detailed or specific methods or approaches for meeting a Standard. Example: data backup plan, disaster recovery plan
- Implementation Specifications are either Required or Addressable, but none are optional. A Required specification must be implemented as written. An Addressable specification must still be assessed: implement it if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure where appropriate.
Security Rule - Administrative
Focuses on a Security Management Process designed to:
- Prevent
- Detect
- Contain
- and Correct security violations
Security Rule - Administrative
- Standards include:
  - Security Management Process
  - Assigning Security Responsibility
  - Workforce Security
  - Information Access Management
  - Security Awareness and Training
  - Security Incident Procedures (identifying, responding to, reporting and documenting incidents)
  - Contingency Planning
  - Evaluation of Security Measures
  - Business Associate Contracts and Other Arrangements
Security Rule - Physical
Focuses on protecting e-PHI from:
- Unauthorized Disclosure
- Modification
- Destruction
Security Rule - Physical
- Standards include:
  - Facility Access Controls
  - Workstation Use
  - Workstation Security
  - Device and Media Controls
Security Rule - Technical
Focuses on technological measures to ensure:
- Confidentiality
- Integrity
- Availability
Security Rule - Technical
- Standards include:
  - Access Control Measures
  - Audit Controls
  - Integrity Controls
  - Person or Entity Authentication Controls
  - Transmission Security Measures
Where do we begin?
Conduct a Risk Assessment
What is a Risk Assessment?
A Risk Assessment provides the information needed to make risk management decisions about how much security remediation is required, and where.
Components of the Risk Assessment
- Identifies the Risks, Threats and Vulnerabilities that could materialize if appropriate security measures are not put in place
- Identifies potential confidentiality, integrity and availability issues
- Identifies the impact and probability of each risk
- Identifies mitigation options
What is a Risk, Threat and Vulnerability?
- Risk: what can happen if a threat exploits a vulnerability.
- Threat: who or what can cause an undesirable event.
- Vulnerability: a weakness in technology or organizational process that a threat can exploit, and how.
What is CIA?
- Confidentiality: the concern that e-PHI is disclosed to unauthorized persons
- Integrity: the concern that e-PHI is modified (or destroyed) by unauthorized persons or processes
- Availability: the concern that e-PHI is unavailable to authorized persons when they need it
What is Impact and Probability?
- Impact: the effect a particular incident would have. Measured as high, medium or low.
- Probability: the likelihood of an incident occurring. Measured as high, medium or low.
Risk Assessment
Let's discuss an example of a risk, threat and vulnerability.
Scenario
- You are in an unfamiliar city
- You decide to take a night-time walk
- The street is dark: no pedestrians, no traffic
- You are all alone
- Excessive graffiti on the walls
Scenario
- What is the Risk? (What might happen?)
- What is the Threat? (Who?)
- What is the Vulnerability? (How could it happen?)
Scenario
- What is the Risk? (What might happen?)
  - You might be attacked
  - You might be robbed
- What is the Threat? (Who?)
  - A mugger
- What is the Vulnerability? (How could it happen?)
  - You are in a strange location
  - You don't know your way around
Where do we document the findings?
The Risk Assessment Matrix
What is the Risk Assessment Matrix?
- Documents the analysis performed for each Standard and Implementation Specification.
- One Matrix for each e-PHI instance (application or system).
Risk Assessment
Let's look at the Risk Assessment Matrix
Risk Assessment
(The original slide shows the Risk Assessment Matrix as an image; it is not reproduced in this transcript.)
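The slide above held the matrix as an image. As an added example that is not part of the original presentation, the following Python sketch shows one way to keep a Risk Assessment Matrix for a single e-PHI instance: each row records the Standard and Implementation Specification, the threat, the vulnerability, the risk, the CIA property at stake, and the high/medium/low impact and probability ratings from the earlier slides, and the matrix sorts rows by overall rating so the mitigation decisions can start with the worst. The probability-by-impact rating table, the hypothetical billing system, and the sample rows are constructed assumptions for illustration; the Security Rule prescribes neither a rating scale nor a matrix layout.

```python
"""Added example: a Risk Assessment Matrix for one e-PHI instance.

Illustrative code written for this page, not from the original slides.
The High/Medium/Low rating table and the sample rows are constructed
assumptions; HIPAA mandates neither a specific scale nor a specific form.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed rating convention (not HIPAA-prescribed): probability is the row,
# impact the column. Document whichever convention your organization adopts.
RISK_RATING = {
    Level.HIGH:   {Level.LOW: Level.MEDIUM, Level.MEDIUM: Level.HIGH,   Level.HIGH: Level.HIGH},
    Level.MEDIUM: {Level.LOW: Level.LOW,    Level.MEDIUM: Level.MEDIUM, Level.HIGH: Level.HIGH},
    Level.LOW:    {Level.LOW: Level.LOW,    Level.MEDIUM: Level.LOW,    Level.HIGH: Level.MEDIUM},
}


@dataclass
class RiskEntry:
    standard: str             # Security Rule standard, e.g. "Contingency Planning"
    implementation_spec: str  # e.g. "Data backup plan"
    threat: str               # who or what can cause the undesirable event
    vulnerability: str        # how the weakness could be exploited
    risk: str                 # what can happen if the threat exploits it
    cia: frozenset            # which of {"C", "I", "A"} is at stake
    impact: Level
    probability: Level
    mitigations: list = field(default_factory=list)

    @property
    def rating(self) -> Level:
        """Overall rating from the probability x impact table."""
        return RISK_RATING[self.probability][self.impact]


@dataclass
class RiskAssessmentMatrix:
    ephi_instance: str        # one matrix per e-PHI application or system
    entries: list = field(default_factory=list)

    def add(self, entry: RiskEntry) -> None:
        self.entries.append(entry)

    def prioritized(self) -> list:
        """Highest rating first; ties broken by impact, then probability."""
        return sorted(self.entries,
                      key=lambda e: (e.rating, e.impact, e.probability),
                      reverse=True)

    def needing_remediation(self, threshold: Level = Level.MEDIUM) -> list:
        """Rows rated at or above the threshold that need a mitigation plan."""
        return [e for e in self.prioritized() if e.rating >= threshold]

    def render(self) -> str:
        """Plain-text table, one line per row, in priority order."""
        lines = [f"Risk Assessment Matrix: {self.ephi_instance}",
                 f"{'Rating':6} {'Standard':28} {'Spec':18} {'CIA':3} Risk"]
        for e in self.prioritized():
            cia = "".join(c for c in "CIA" if c in e.cia)
            lines.append(f"{e.rating.name:6} {e.standard[:28]:28} "
                         f"{e.implementation_spec[:18]:18} {cia:3} {e.risk}")
        return "\n".join(lines)


def build_sample_matrix() -> RiskAssessmentMatrix:
    """Constructed sample rows for a hypothetical billing application."""
    m = RiskAssessmentMatrix("Hypothetical billing system (sample data)")
    m.add(RiskEntry("Device and Media Controls", "Disposal",
                    "Equipment reseller or dumpster diver",
                    "Retired hard drives are not wiped before disposal",
                    "e-PHI recovered from discarded drives",
                    frozenset("C"), Level.HIGH, Level.MEDIUM,
                    ["Wipe or physically destroy media", "Log each disposal"]))
    m.add(RiskEntry("Contingency Planning", "Data backup plan",
                    "Hardware failure",
                    "Backups exist but restores are never tested",
                    "e-PHI unavailable after a server loss",
                    frozenset("A"), Level.HIGH, Level.LOW,
                    ["Schedule restore tests", "Keep an off-site copy"]))
    m.add(RiskEntry("Workstation Security", "Physical safeguards",
                    "Visitor walking past the front desk",
                    "Screens left unlocked in a public area",
                    "e-PHI viewed by an unauthorized person",
                    frozenset("C"), Level.MEDIUM, Level.HIGH,
                    ["Short screen-lock timeout", "Privacy filters"]))
    m.add(RiskEntry("Audit Controls", "Activity review",
                    "Workforce member exceeding their role",
                    "Access logs are collected but never reviewed",
                    "Unauthorized access or modification goes undetected",
                    frozenset("CI"), Level.MEDIUM, Level.MEDIUM,
                    ["Weekly log review", "Alert on bulk record access"]))
    return m


if __name__ == "__main__":
    print(build_sample_matrix().render())
```

Running the module prints the four constructed rows in priority order: the two rated HIGH (unwiped drives, unlocked public workstations) come first, then the two rated MEDIUM. Because an Addressable specification still has to be assessed and the decision documented, a row for it belongs in the matrix even when the outcome is "not reasonable and appropriate; alternative measure adopted".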
What is My Role in the Risk Assessment?
- Identify Risks, Threats and Vulnerabilities
- Identify potential Confidentiality, Integrity and Availability outcomes
- Determine the Probability and Impact of each Risk
- Identify Mitigation Alternatives
- Help Implement Solutions
Now what?
- Identify a team for each e-PHI application
- Conduct brainstorming sessions
- Complete the Risk Assessment Matrix
- Select mitigation plans
- Implement corrective actions
- Monitor to ensure continued compliance
Anything Else?
Work together to ensure our organization is HIPAA compliant by April 20, 2005.