HIPAA and the GLB Connections Between Congress and Information Assurance
The Basics • HIPAA passed in 1996 • Regulatory authority: Health and Human Services • Privacy Rule in effect in 2003 • Security Rule in effect in 2005 • GLB passed in 1999 • Scope is financial institutions and personal information • Regulated by many agencies; the Federal Trade Commission is the umbrella agency
Privacy Rule • Information regarding medical condition or diagnosis must be kept separately from hiring/firing information • Requires development of both internal and external security
Security Rule The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.
Appendix A to Subpart C of Part 164—Security Standards: Matrix
Standards, sections, and implementation specifications; (R) = Required, (A) = Addressable
Administrative Safeguards
• Security Management Process, 164.308(a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
• Assigned Security Responsibility, 164.308(a)(2): (R)
• Workforce Security, 164.308(a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A)
• Information Access Management, 164.308(a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
• Security Awareness and Training, 164.308(a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
• Security Incident Procedures, 164.308(a)(6): Response and Reporting (R)
• Contingency Plan, 164.308(a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
• Evaluation, 164.308(a)(8): (R)
• Business Associate Contracts and Other Arrangements, 164.308(b)(1): Written Contract or Other Arrangement (R)
Physical Safeguards
• Facility Access Controls, 164.310(a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
• Workstation Use, 164.310(b): (R)
• Workstation Security, 164.310(c): (R)
• Device and Media Controls, 164.310(d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)
Technical Safeguards (see § 164.312)
• Access Control, 164.312(a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
• Audit Controls, 164.312(b): (R)
• Integrity, 164.312(c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
• Person or Entity Authentication, 164.312(d): (R)
• Transmission Security, 164.312(e)(1): Integrity Controls (A); Encryption (A)
What’s Required? • (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. • (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. • (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
What’s Optional? • (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. • (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
Pros and Cons • Flexible, taking limited resources into account • Steps are general and not technology specific • Security 101, best practice • Flexible, allowing different interpretations to be made • May slow technology in the health field • Lawsuits are feared by some
Gramm-Leach-Bliley • Protection of private personal information • Obligations on disclosure of personal information • Disclosure of the institution’s privacy policy
Specifics of the GLB • Because the states are responsible for regulating the insurance industry, Gramm-Leach-Bliley (GLB) stipulates that the states pass legislation to enforce the requirements laid out in the law. Similar to these privacy requirements, GLB requires security provisions to be enforced by the states for the insurance industry. There is an exception in GLB that states that banks offering insurance products will be subject to the requirements and deadlines of their regulatory agency, as opposed to the state in which the institution resides. • Currently, four states have passed personal financial information security laws, while several other states have proposed laws. It is important to note, however, that implementing and enforcing laws for the security of personal information is a requirement of GLB, and all states must eventually pass legislation for the insurance carriers in their state. It is a matter of time before all states have laws on the books implementing the security requirements of GLB.
Goals of Law • Tighten customer protection • Provide an ‘opt out’ rule • Give people more control • Companies in the financial sector have to let customers or consumers know what information they hold on the people who use their services, which other companies have access to it, and how they protect the information
Complications • A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. “Can you explain the regulations?” he asked. He was joking, I think, but his comment sums things up. • As just one example of a factor that has backfired, companies are required to give customers an annual notice offering them the chance to opt out.
Still More Complications • Inter-State Complications • International Issues: this has left global institutions confused about how to, say, send information about a European employee to U.S. headquarters
Future Predictions Privacy and security are growing concerns as virus and worm attacks become more numerous year by year, as identity theft costs more and more, and as public leaders become more and more computer literate. In 2002 identity theft cost the US an estimated $53 billion. A major incident will galvanize the government into passing something wider in scope, or possibly more stringent, than the current rather reasonable HIPAA standards.