
2 What is HIPAA?
Health Insurance Portability and Accountability Act (Kennedy-Kassebaum Bill)
• Administrative Simplification
  – Privacy
  – Transactions & Code Sets
  – Security

3 Administrative Simplification
• Privacy – April 14, 2003 – implemented
• Transaction Standards and Code Sets – October 16, 2003 – implemented
• Security – April 20, 2005 – it's right around the corner

4 Goals of Administrative Simplification
• Protect the security and privacy of patient information
• Improve efficiency and effectiveness by standardizing electronic transmissions of:
  – Financial transactions
  – Administrative transactions

5 Who is covered by HIPAA?
• "Covered Entity"
  – Health Care Providers
  – Clearinghouses
  – Health Plans
• Business Associates
  – An entity that performs a task on our behalf and
  – Uses Protected Health Information (PHI) to do so
  – Examples: Temp agencies, Medical Director, Pharmacy consultant

6 What does HIPAA Protect?
• Protected Health Information (PHI)
  – Created or received by a health care provider AND
  – Involves past, present, or future treatment OR
  – Payment for such services, AND
  – Identifies the individual (individually identifiable health information, IIHI) AND
  – Transmitted or maintained in ANY form

7 What is the Security Rule?

8 Important Security Facts
• Only applies to e-PHI
• Requires a Risk Assessment
• Requires a more technical solution
• Effective April 20, 2005

9 What does the Security Rule Protect?
• Electronic Protected Health Information (e-PHI)
  – Created or received by a health care provider AND
  – Involves past, present, or future treatment OR
  – Payment for such services, AND
  – Identifies the individual AND
  – Transmitted by or maintained in ELECTRONIC MEDIA

10 Security Rule Core Requirements Covered Entities must ensure the confidentiality, integrity, and availability (CIA) of e-PHI they create, receive, maintain, or transmit.

11 Security Rule Core Requirements Covered Entities must protect against any reasonably anticipated threat or hazard to the security or integrity of e-PHI.

12 Security Rule Core Requirements Covered Entities must protect against any anticipated uses or disclosures of e-PHI that are not permitted under the law.

13 Security Rule Core Requirements Covered Entities must ensure compliance with the Security Rule by all of their workforce members.

14 Security Rule Components
Three Categories:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

15 Security Rule Components
• Standards – General requirements that must be complied with. Example: Contingency Planning
• Implementation Specifications – Detailed or specific methods or approaches to meet a Standard. Examples: Data backup plan, disaster recovery plan
• Implementation Specifications are either Required or Addressable, but none are optional. A Required specification must be implemented as written. An Addressable specification must be assessed: implement it if it is reasonable and appropriate for the organization; otherwise document why it is not and implement an equivalent alternative measure where one is reasonable and appropriate.

16 Security Rule - Administrative
Focuses on the Security Management Process, designed to:
  – Prevent
  – Detect
  – Contain
  – and Correct Security Violations

17 Security Rule - Administrative
• Standards include:
  – Security Management Process
  – Assigning Security Responsibility
  – Workforce Security
  – Information Access Management
  – Security Awareness/Training
  – Security Incident Procedures (including incident reporting)
  – Contingency Planning
  – Evaluation of Security Measures

18 Security Rule - Physical
Focuses on protecting e-PHI from:
  – Unauthorized Disclosure
  – Modification
  – Destruction

19 Security Rule - Physical
• Standards include:
  – Facility Access Controls
  – Workstation Use
  – Workstation Security
  – Device and Media Controls

20 Security Rule - Technical
Focuses on technological measures to ensure:
  – Confidentiality
  – Integrity
  – Availability

21 Security Rule - Technical
• Standards include:
  – Access Control Measures
  – Audit Controls
  – Integrity Controls
  – Person or Entity Authentication Controls
  – Transmission Security Measures

22 Where do we begin? Conduct a Risk Assessment

23 What is a Risk Assessment? A Risk Assessment will provide information needed to make risk management decisions regarding the degree of security remediation.

24 Components of the Risk Assessment
• Identifies the risks, threats and vulnerabilities that exist if appropriate security measures are not put in place
• Identifies potential confidentiality, integrity and availability issues
• Identifies the impact and probability of each risk
• Identifies mitigation options

25 What is a Risk, Threat and Vulnerability?
• Risk – What can happen if a threat exploits a vulnerability.
• Threat – Who or what can cause an undesirable event.
• Vulnerability – How a weakness in technology or organizational process can be exploited by a threat.

26 What is CIA?
• Confidentiality – lost when e-PHI is disclosed to unauthorized persons
• Integrity – lost when e-PHI is modified by unauthorized persons
• Availability – lost when e-PHI is unavailable to authorized persons

27 What is Impact and Probability?
• Impact – The effect a particular incident would have. Measured high, medium or low.
• Probability – Likelihood of an incident occurring. Measured high, medium or low.

28 Risk Assessment Let’s discuss an example of a risk, threat and vulnerability.

29 Scenario
• You are in an unfamiliar city
• Decide to take a night-time walk
• Street is dark – no pedestrians; no traffic
• You are all alone
• Excessive graffiti on the walls

30 Scenario
• What is the Risk? (What might happen)
• What is the Threat? (Who)
• What is the Vulnerability? (How could it happen)

31 Scenario
• What is the Risk? (What might happen)
  – You might be attacked
  – You might be robbed
• What is the Threat? (Who)
  – A mugger
• What is the Vulnerability? (How could it happen)
  – You are in a strange location
  – You don't know your way around

32 Where do we document the findings? Risk Assessment Matrix

33 What is the Risk Assessment Matrix?
• Documents the analysis performed for each Standard and Implementation Specification.
• One matrix for each application or system that creates, receives, maintains or transmits e-PHI.

34 Risk Assessment Let’s look at the Risk Assessment Matrix

35 Risk Assessment
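The matrix shown on the slide above is an image that did not survive in the transcript. As an added example, not part of the presentation, the Python below builds one matrix for a hypothetical billing application: each row records the Standard and Implementation Specification, whether it is Required or Addressable, the threat, the vulnerability, the risk, the CIA property affected, and High/Medium/Low probability and impact, then orders the rows for remediation and shows the residual risk once the selected mitigation is in place. The 3x3 rule that turns probability and impact into a single risk rating, the field names, the residual-risk column and every sample row are constructed assumptions; the slides only say that both ratings are High, Medium or Low.

```python
"""Risk Assessment Matrix for one e-PHI application.

Added example, not from the presentation. The slides say that each risk is
rated for probability and impact as High/Medium/Low and recorded per
Standard / Implementation Specification; the 3x3 combination rule, the
field names, the residual column and every sample row below are
constructed assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Optional


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def risk_level(probability: Level, impact: Level) -> Level:
    """Combine the two ratings into one risk rating (assumed rule).

    Product of the ordinal values: 1-2 -> LOW, 3-4 -> MEDIUM, 6-9 -> HIGH.
    So a LOW probability never yields HIGH risk, and HIGH/HIGH is always HIGH.
    """
    score = int(probability) * int(impact)
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH


@dataclass
class RiskEntry:
    """One row of the matrix: what a threat can do through a vulnerability."""
    standard: str                  # Security Rule standard, e.g. "Access Control"
    specification: str             # implementation specification under it
    required: bool                 # True = Required, False = Addressable
    threat: str                    # who or what can cause the undesirable event
    vulnerability: str             # how the weakness could be exploited
    risk: str                      # what can happen
    cia: FrozenSet[str]            # subset of {"C", "I", "A"} that is affected
    probability: Level
    impact: Level
    mitigation: str = ""
    residual_probability: Optional[Level] = None   # ratings once mitigation is in place
    residual_impact: Optional[Level] = None

    @property
    def inherent(self) -> Level:
        return risk_level(self.probability, self.impact)

    @property
    def residual(self) -> Level:
        """Risk left after the selected mitigation; inherent if none recorded."""
        if self.residual_probability is None or self.residual_impact is None:
            return self.inherent
        return risk_level(self.residual_probability, self.residual_impact)


def prioritize(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Remediation order: highest inherent risk first, then the larger
    probability x impact score, then Required before Addressable."""
    return sorted(entries,
                  key=lambda e: (e.inherent, int(e.probability) * int(e.impact), e.required),
                  reverse=True)


def cia_summary(entries: List[RiskEntry]) -> dict:
    """How many HIGH inherent risks touch each CIA property."""
    counts = {"C": 0, "I": 0, "A": 0}
    for e in entries:
        if e.inherent == Level.HIGH:
            for prop in e.cia:
                counts[prop] += 1
    return counts


def render(entries: List[RiskEntry]) -> str:
    """Plain-text matrix, one line per entry, in remediation order."""
    header = (f"{'Standard':<22}{'Specification':<28}{'Req':<5}{'CIA':<5}"
              f"{'P':<3}{'I':<3}{'Risk':<8}Residual")
    lines = [header]
    for e in prioritize(entries):
        lines.append(f"{e.standard:<22}{e.specification:<28}"
                     f"{'R' if e.required else 'A':<5}{''.join(sorted(e.cia)):<5}"
                     f"{e.probability.name[0]:<3}{e.impact.name[0]:<3}"
                     f"{e.inherent.name:<8}{e.residual.name}")
    return "\n".join(lines)


# Constructed sample rows for a hypothetical billing application.
BILLING_APP = [
    RiskEntry("Access Control", "Unique User Identification", True,
              "former employee", "shared login not revoked at termination",
              "e-PHI disclosed to an unauthorized person", frozenset("C"),
              Level.HIGH, Level.HIGH,
              "unique user IDs; termination checklist revokes access the same day",
              Level.LOW, Level.HIGH),
    RiskEntry("Contingency Plan", "Data Backup Plan", True,
              "server hardware failure", "no off-site copy of the database",
              "e-PHI unavailable to authorized persons", frozenset("A"),
              Level.MEDIUM, Level.HIGH,
              "nightly encrypted backup to an off-site location; restore tested quarterly",
              Level.LOW, Level.MEDIUM),
    RiskEntry("Transmission Security", "Encryption", False,
              "eavesdropper on the network path", "claim files sent over unencrypted FTP",
              "e-PHI disclosed or modified in transit", frozenset("CI"),
              Level.MEDIUM, Level.MEDIUM,
              "replace FTP with SFTP", Level.LOW, Level.MEDIUM),
    RiskEntry("Workstation Security", "Workstation Security", True,
              "visitor in the waiting area", "front-desk terminal left logged in and unattended",
              "e-PHI viewed by an unauthorized person", frozenset("C"),
              Level.HIGH, Level.MEDIUM,
              "automatic screen lock after five minutes; privacy screens",
              Level.LOW, Level.MEDIUM),
]

if __name__ == "__main__":
    print(render(BILLING_APP))
    print("HIGH risks by CIA property:", cia_summary(BILLING_APP))
```

Run it directly to print the matrix in remediation order. The residual column is what makes the matrix useful after the brainstorming session: a row whose residual rating is still HIGH after the chosen mitigation needs a different mitigation, not just a documented one, and an Addressable specification that is rated LOW both before and after mitigation is the case where the written "why not" justification is the defensible answer.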

36 What is My Role in the Risk Assessment?
• Identify Risks, Threats and Vulnerabilities
• Identify potential Confidentiality, Integrity and Availability outcomes
• Determine the Probability and Impact of Risks
• Identify Mitigation Alternatives
• Help Implement Solutions

37 Now what?
• Identify Teams for each e-PHI Application
• Conduct Brainstorming Sessions
• Complete the Risk Assessment Matrix
• Select Mitigation Plans
• Implement Corrective Actions
• Monitor to Ensure Compliance

38 Anything Else? Work together to ensure our organization is HIPAA Compliant by April 20, 2005
