1 / 19

HIPAA Security Final Rule Overview

HIPAA Security Final Rule Overview. April 9, 2003 Karen Trudel. Publication Information. Printed in Federal Register 2/20/03 Volume 68, No. 34, pages 8334 - 8381 Effective Date 4/21/03 Compliance Date 4/21/05 (4/21/06 for Small Health Plans)

judith-williamson
Download Presentation

HIPAA Security Final Rule Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HIPAA Security Final RuleOverview April 9, 2003 Karen Trudel

  2. Publication Information • Printed in Federal Register 2/20/03 • Volume 68, No. 34, pages 8334 - 8381 • Effective Date 4/21/03 • Compliance Date 4/21/05 (4/21/06 for Small Health Plans) • Document can be located at www.cms.hhs.gov/hipaa/hipaa2

  3. Purpose • Ensure integrity, confidentiality and availability of electronic protected health information • Protect against reasonably anticipated threats or hazards, and improper use or disclosure

  4. Scope • All electronic protected health information (EPHI) • In motion AND at rest • All covered entities

  5. Security vs. Privacy • Closely linked • Security enables Privacy • Security scope larger – addresses confidentiality PLUS integrity and availability • Privacy scope larger – addresses paper and oral PHI

  6. Security Standards General Concepts • Flexible, Scalable • Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan • Comprehensive • Cover all aspects of security – behavioral as well as technical • Technology Neutral • Can utilize future technology advances in this fast-changing field

  7. Standards • Standards are general requirements • Eighteen administrative, physical and technical standards • Four organizational standards (conditional) • Hybrid entity, affiliated entities, business associate contracts, group health plan requirements • Two overarching standards • Policies and procedures, documentation

  8. Standards vs. Implementation Specifications • Implementation specifications are more specific measures that pertain to a standard • 36 implementation specifications for administrative, physical and technical standards • 14 mandatory, 22 addressable • Implementation specifications may be: • Required • Addressable

  9. Required vs. Addressable • Required – Covered entity MUST implement the specification in order to successfully implement the standard • Addressable – Covered entity must: • Consider the specification, and implement if appropriate • If not appropriate, document reason why not, and what WAS done in its place to implement the standard

  10. Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Security Management Process 164.308(a)(1) Risk Analysis (R) Risk Management (R) Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility 164.308(a)(2) (R) Workforce Security 164.308(a)(3) Authorization and/or Supervision (A) Workforce Clearance Procedure (A) Termination Procedures (A) Information Access Management 164.308(a)(4) Isolating Health care Clearinghouse Function (R) Access Authorization (A) Access Establishment and Modification (A) Security Awareness and Training 164.308(a)(5) Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) Security Incident Procedures 164.308(a)(6) Response and Reporting (R) Contingency Plan 164.308(a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A) Evaluation 164.308(a)(8) (R) Business Associate Contracts and Other Arrangement 164.308(b)(1) Written Contract or Other Arrangement (R) Administrative Safeguards

  11. Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Facility Access Controls 164.310(a)(1) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A) Workstation Use 164.310(b) (R) Workstation Security 164.310(c) (R) Device and Media Controls 164.310(d)(1) Disposal (R) Media Re-use (R) Accountability (A) Data Backup and Storage (A) Physical Safeguards

  12. Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Access Control 164.312(a)(1) Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A) Audit Controls 164.312(b) (R) Integrity 164.312(c)(1) Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication 164.312(d) (R) Transmission Security 164.312(e)(1) Integrity Controls (A) Encryption (A) Technical Safeguards (see § 164.312)

  13. Bottom Line… • All standards MUST be implemented • Using a combination of required and addressable implementation specifications and other security measures • Need to document choices • This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

  14. Risk Analysis • What PHI do you hold? • What do business associates hold on your behalf? • Examples: billing service, accountant, medical trancription service • What are the potential risks to that data? • Examples: “hackers”, loss of data due to not backing up • “Gap analysis”… • What measures are already in place to address risks vs. • What additional measures seem to be needed

  15. Security is not an Exact Science • No one-size-fits-all approach • Enforcement will stress reasonableness and due diligence • Take advantage of flexibility • Security does not have to be expensive

  16. Resources • CMS will be developing technical assistance materials • Security video in the works • Checklists and other informational papers • WEDI-SNIP has good resources • www.wedi .org/snip

  17. Resources • CMS website • www.cms.hhs.gov/hipaa/hipaa2 • Contains news of upcoming events, FAQs, technical assistance documents • E-mail box • Askhipaa@cms.hhs.gov • HIPAA hotline • 1-866-282-0659

  18. Upcoming Events • Satellite broadcast of “HIPAA 101” Video • April 16 • Next HIPAA Roundtable Audioconference • April 30 • Details on CMS website

  19. Questions?

More Related