1 / 36

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?. Agenda. Definitions Problem Expectations Responsibilities by specification Collaboration Benefits Implementation process. Vendor Defined. Benefits System vendor TPA. Smaller Health plan defined.

drew
Download Presentation

The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The IT Vendor:HIPAA Security Savior for Smaller Health Plans?

  2. Agenda • Definitions • Problem • Expectations • Responsibilities by specification • Collaboration Benefits • Implementation process Milliman USA

  3. Vendor Defined • Benefits System vendor • TPA Milliman USA

  4. Smaller Health plan defined • Self-insured with 100 to 100,000 participants • Activities • Enrollment • PHI management • Claims • Miscellaneous other • Often single employer or multi-employer plans Milliman USA

  5. Flexibility in Rule Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications -- §164.306 (b)(1) Milliman USA

  6. What measures are: “Reasonable and Appropriate”? Problem: Issue I Milliman USA

  7. Are the costs of determining “reasonable and appropriate,” measures reasonable and appropriate? Problem: Issue II Milliman USA

  8. Problem: Issue III HIPAA requires Actions and Documentation Milliman USA

  9. Problem: Health Plan Perspective • Limited internal capabilities • Consultants too expensive • Boilerplates general and open-ended • Vendor dependency for IT • Document, document, document • Who cares? Milliman USA

  10. Problem: Vendor Perspective • Not the covered entity • Assume compliance • Other client service priorities • Who pays? • Who cares? Milliman USA

  11. Expectations • Health plan: vendor has solved this • Vendor: health plan is the covered entity • Both: little chance of enforcement Milliman USA

  12. Single Systems According to NIST • Be under the same direct management control  • Have the same function or mission objective  • Have essentially the same operating characteristics and security needs • Reside in the same general operating environment Milliman USA

  13. Opportunity • Overlapping features among installations and similar clients • Half of requirements technical • Vendor natural focus for plans • Documentation similar among installations Milliman USA

  14. Shortcoming of Collaborative approach • Management control divided between vendor and healthplan • Installation specific issues • Coordination of implementation process • Responsibility = liability? • Still not resource free Milliman USA

  15. Responsibility by Specification • Administrative (shared) • Physical (primarily healthplan) • Technical (primarily vendor) Milliman USA

  16. Administrative Safeguards • Security management process (V/HP) • Assigned security responsibility (HP) • Information access management (V/HP) • Training (HP) • Incident procedures (V/HP) • Contingency plan (V/HP) • Evaluation (V/HP) • Business associate contracts (HP) Milliman USA

  17. Physical Safeguards • Facility access controls (HP) • Workstation use and security (HP) • Device and media controls (HP primarily—vendor may provide DB backup) Milliman USA

  18. Technical Safeguards • Access controls (V) • Audit controls (V) • Data integrity (V) • Entity authentication (V) • Transmission security (V) Milliman USA

  19. Example:Risk Assessment • Exceeds technical capabilities of smaller healthplans • Much of assessment similar for comparable plans with same system Milliman USA

  20. Example:Risk Assessment: Components • EPHI boundary definition • Threat identification • Vulnerability identification • Security control analysis • Risk likelihood determination • Impact analysis • Risk determination • Security control recommendations Milliman USA

  21. Example:Assigned responsibility Boilerplate job description can be edited by each healthplan Milliman USA

  22. Example: Security Management Process • Risk analysis focuses on vendor system • Risk management focuses on vendor system • Healthplan determines sanction policy • Vendor provides tool or performs system activity review Milliman USA

  23. Example:Security Awareness and Training • Vendor could provide: • Security reminders • Protection from malicious software • Log-in monitoring • Password management controls • Training program options Milliman USA

  24. Example:Device and Media Controls • Disposal and media reuse; accountability systems • Vendor provides proposed guidelines to clients • Clients edit and implementation guidelines • Data backup and storage: Vendor may propose Internet and ASP options Milliman USA

  25. Example:Access Controls • Vendor system includes: • Unique User Identification • Emergency Access Procedure • Automatic Logoff • Encryption and Decryption Milliman USA

  26. Collaboration Benefits: Vendor • Leadership • Value added service to client • Controlling healthplan consultants • Resolution of system security issues • Improved market positioning Milliman USA

  27. New vendor opportunities • Secure backup services • Installation specific assistance • Intrusion detection services • Secure messaging and encryption • Ongoing security management Milliman USA

  28. Collaboration Benefits: Health Plan • Spreading costs • Managing HIPAA realistically • Synergies Milliman USA

  29. Vendor Implementation Options • Serial Approach: Implement internal solution then involve clients • Group solutions • User groups • Target clients • Workshops Milliman USA

  30. Stumbling Blocks • Variations on installs • Health plan specific issues • Coordination • Vendor apathy • Resources Milliman USA

  31. Implementation Process • Vendor acceptance • Determine strategy • Assess resource needs • Evaluate vendor system • Modify system as needed • Prepare template policies • Implement policies at installations Milliman USA

  32. Strategic issues • Healthplan or vendor centered approach • Security program structure • Implementation sequence • Cost structure • Kick-off Milliman USA

  33. Next Steps: Vendor • Conduct preliminary system assessment • Develop client participation strategy • Develop cost strategy • Prepare boilerplate materials • Communicate program Milliman USA

  34. Next Steps: Healthplan • Develop proposal • Approach vendor • Approach other vendor users Milliman USA

  35. The IT Vendor? Questions?

  36. John L. Phelan, Ph.D. Health Management and Technology Consultant Telephone: 818/707-7818 E-mail: john.phelan@milliman.com

More Related