Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Final Rule Overview

Published byLydia Whitehead Modified over 9 years ago

Similar presentations

Presentation on theme: "HIPAA Security Final Rule Overview"— Presentation transcript:

1 HIPAA Security Final Rule Overview
March 27, Karen Trudel

2 Publication Information
Printed in Federal Register 2/20/03 Volume 68, No. 34, pages Effective Date 4/21/03 Compliance Date 4/21/05 (4/21/06 for Small Health Plans) Document can be located at

3 Purpose Ensure integrity, confidentiality and availability of electronic protected health information Protect against reasonably anticipated threats or hazards, and improper use or disclosure

4 Scope All electronic protected health information (EPHI)
In motion AND at rest All covered entities

5 Security vs. Privacy Closely linked Security enables Privacy
Security scope larger – addresses confidentiality PLUS integrity and availability Privacy scope larger – addresses paper and oral PHI

6 Security Standards General Concepts
Flexible, Scalable Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan Comprehensive Cover all aspects of security – behavioral as well as technical Technology Neutral Can utilize future technology advances in this fast-changing field

7 Public Comments Widespread support for general concepts
Need for more flexibility Too many requirements

8 Major Changes from NPRM
Consolidated and tightened requirements Added flexibility Concept of “addressability” Coordinated with privacy “Chain of Trust” agreement now handled via business associate agreement

9 Standards Standards are general requirements
Eighteen administrative, physical and technical standards Four organizational standards (conditional) Hybrid entity, affiliated entities, business associate contracts, group health plan requirements Two overarching standards Policies and procedures, documentation

10 Standards vs. Implementation Specifications
Implementation specifications are more specific measures that pertain to a standard 36 implementation specifications for administrative, physical and technical standards 14 mandatory, 22 addressable Implementation specifications may be: Required Addressable

11 Required vs. Addressable
Required – Covered entity MUST implement the specification in order to successfully implement the standard Addressable – Covered entity must: Consider the specification, and implement if appropriate If not appropriate, document reason why not, and what WAS done in its place to implement the standard

12 Standards May Have No separate implementation specification – in that case the standard is also the implementation specification (and must be implemented) One or more implementation specifications that are all required One or more implementation specifications that are all addressable A combination of required and addressable implementation specifications

13 Bottom Line… All standards MUST be implemented
Using a combination of required and addressable implementation specifications and other security measures Need to document choices This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

14 Example: No Implementation Specification
Assigned Security Responsibility No additional specifics needed

15 Example: All Implementation Specifications Required
Security Management Process Requires risk analysis, risk management, sanction policy, and information system activity review

16 Example: All Implementation Specifications Addressable
Security Awareness and Training Specific topics are addressable: security reminders, protection from malicious software, log-in monitoring and password management Even if none of those topics are relevant, the covered entity must still conduct training Covered entity has choices regarding – how training is provided (computer-based, formal classroom, at staff meetings, etc.) and relevant content

17 Example: Combination of Required and Addressable
Device and Media Controls Disposal and media reuse specifications are required Accountability and data backup and storage are addressable

18 Other Changes Encryption over open network is now addressable
Requirement for Certification changed to Evaluation Electronic signature standard not adopted at this time

19 Outreach Will develop technical assistance materials
Working on security video Special target audience is small providers

20 Questions?

Download ppt "HIPAA Security Final Rule Overview"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA Health Insurance Portability and Accountability Act.

HIPAA Health Insurance Portability and Accountability Act.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
Security Controls – What Works

Security Controls – What Works
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.

Privacy and Security Tiger Team Subgroup Discussion: MU3 RFC July 29, 2013.

Similar presentations

Ads by Google