
HIPAA Security

CMS - Office of HIPAA Standards (OHS), January 12, 2005, Dianne Faup. Slide deck covering the HIPAA Security Rule: regulation dates, general requirements, required and addressable implementation specifications, the standards sections, and CMS resources.


Presentation Transcript


  1. HIPAA Security
  CMS - Office of HIPAA Standards (OHS)
  January 12, 2005
  Dianne Faup

  2. Regulation Dates
  • Published February 20, 2003
  • Effective Date April 21, 2003
  • Compliance Date:
    • No later than April 20, 2005 for all covered entities except small health plans
    • No later than April 20, 2006 for small health plans (as HIPAA requires)

  3. General Requirements - 164.306(a)
  • Applies to Electronic Protected Health Information (PHI)
  • That a Covered Entity Creates, Receives, Maintains, or Transmits

  4. General Requirements
  • Ensure:
    • Confidentiality (only the right people see it)
    • Integrity (the information is what it is supposed to be; no unauthorized alteration or destruction)
    • Availability (the right people can see it when needed)

  5. General Requirements
  • Protect against reasonably anticipated threats or hazards to the security or integrity of information
  • Protect against reasonably anticipated uses and disclosures not permitted by the privacy rules
  • Ensure compliance by the workforce

  6. Regulation Themes
  • Scalability/Flexibility
  • Covered entities can take into account:
    • Size
    • Complexity
    • Capabilities
    • Technical Infrastructure
    • Cost of security measures
    • Potential security risks

  7. Regulation Themes
  • Technologically Neutral
    • What needs to be done, not how
  • Comprehensive
    • Not just technical aspects, but behavioral as well

  8. How Is This Accomplished
  • Standards are required, but:
    • Implementation specifications, which provide more detail, can be either required or addressable.

  9. Addressability
  • If an implementation specification is addressable, a covered entity can:
    • Implement it, if reasonable and appropriate
    • Implement an equivalent alternative measure, if reasonable and appropriate
    • Not implement it, if neither is reasonable and appropriate, and document why
  • Decisions must be based on sound, documented reasoning from a risk analysis

  10. Maintenance
  • Security measures implemented for compliance must be reviewed and modified as needed to continue to provide reasonable and appropriate protection

  11. What are the Standards?
  • Six main sections:
    • 164.306: Security Standards: General Rules
    • 164.308: Administrative Safeguards
    • 164.310: Physical Safeguards
    • 164.312: Technical Safeguards
    • 164.314: Organizational Requirements
    • 164.316: Policies and Procedures and Documentation Requirements

  12. Appendix A in Regulation
  • At the end of the regulation, a chart lists each standard, its associated implementation specifications, and whether each is required or addressable

  13. Example General Implementation Approach
  • Do a risk analysis - document it
  • Based on the risk analysis, determine how to implement each standard and implementation specification - document it
  • Develop security policies and procedures - document them
  • Implement the policies and procedures
  • Train the workforce
  • Periodic evaluation

  14. CMS/OHS HIPAA Resources
  • http://www.cms.hhs.gov/hipaa/hipaa2/ - CMS HIPAA Administrative Simplification website for Electronic Transactions and Code Sets, Security, and Unique Identifiers
  • AskHIPAA
  • Roundtables

  15. New HIPAA Security FAQs
  • Published 13 new HIPAA Security FAQs to the CMS HIPAA Administrative Simplification website (8/12/04)
  • Topics include:
    • PHI coverage
    • Compliance and certification
    • Risk analysis, risk management, and system vulnerabilities
    • Physical safeguards
    • Encryption and other technical safeguards
    • NIST publications

  16. Summary
  • Scalable, flexible, technology-neutral approach
  • The first step is a risk analysis
  • Standards that make good business sense
  • A two-year implementation period was provided
