
Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104

HIPAA: Introduction to the Security Rules Lorman Education Service August 22, 2007 Tacoma, Washington. Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104 (206) 370-8126 stephen.rose@klgates.com. HIPAA: Introduction to the Security Rules.





Presentation Transcript


  1. HIPAA: Introduction to the Security Rules Lorman Education ServiceAugust 22, 2007Tacoma, Washington Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104 (206) 370-8126 stephen.rose@klgates.com

  2. HIPAA: Introduction to the Security Rules Presentation By: Stephen D. Rose, J.D., M.B.A. K&L Gates 925 Fourth Avenue, Suite 2900 Seattle, Washington 98104 (206) 370-8126 stephen.rose@klgates.com

  3. “HIPAA” The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) Signed August 21, 1996 Title II Subtitle F—Administrative Simplification

  4. Perspectives • Pythagorean Theorem: 24 words • Archimedes’ Principle: 67 words • The Ten Commandments: 179 words • Lincoln’s Gettysburg Address: 286 words • U.S. Declaration of Independence: 1,300 words • HIPAA Privacy: 401,034 words (“. . . the square of the hypotenuse is equal to the sum of the squares of the other two sides: a² + b² = c²”)

  5. HIPAA Administrative Simplification Law • HIPAA: Health Insurance Portability and Accountability Act of 1996 • Title I: Insurance Portability • Title II: Fraud and Abuse; Medical Liability Reform; Administrative Simplification • Title III: Tax-Related Health Provisions • Title IV: Group Health Plan Requirements • Title V: Revenue Offsets • Administrative Simplification (Title II, Subtitle F) covers: EDI (Transactions, Code Sets, Identifiers), Privacy, Security

  6. Compliance Dates of HIPAA Rules • Privacy Rules: April 14, 2003 • Security Rules: April 20, 2005 (April 20, 2006 for small health plans)

  7. Purpose of HIPAA Provisions Improve efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data

  8. Two Key Privacy Rule Goals • Provide strong Federal protections for privacy rights for health care information • Preserve (i.e., don’t interfere with) quality health care delivery

  9. Privacy Rules vs. Security Standards • Privacy Rules focus on the rights and expectations of patients with respect to how their private medical information is handled by providers and organizations (all PHI, in any form). • Security Standards tell organizations and providers how to protect the confidentiality, integrity, and availability of electronic PHI.

  10. The Importance of Privacy and Security • In 2001 a NV woman purchased a used computer only to find its previous owner, a drugstore, left on it the pharmacy records of thousands of patients. • In 2000 a FL man purchased a laptop only to discover mental health records from a local institution on it – he contacted the news who interviewed patients about the matter.

  11. The Importance of Privacy and Security • In 2000 a hacker downloaded medical records, health information, and Social Security numbers of more than 5,000 patients at the University of Washington Medical Center. The hacker was motivated by a desire to expose the vulnerability of electronic medical records. (R. O’Harrow, "Hacker Accesses Patient Records," The Washington Post, 9 December 2000, p. E1) • The hacker claimed all the records were taken via the Internet and that the institution lacked firewalls. He obtained user IDs and passwords by logging keystrokes.

  12. The Importance of Privacy and Security • In 2000 a teenage girl, while visiting her mother at work, retrieved the names and phone numbers of patients who had visited the ER from a hospital computer. As a prank, she called them and told them they were pregnant or had AIDS. One victim attempted suicide.

  13. The Importance of Privacy and Security • CD with Medical Data of 75,000 is Found • A missing CD containing confidential medical and personal information on 75,000 Empire Blue Cross and Blue Shield members was recovered Wednesday • A spokeswoman for a managed care company that monitors payments for mental health and substance abuse cases of insurers, said the company received a telephone call Wednesday morning saying that the CD was delivered by mistake to a residence in the Philadelphia area. The CD had been missing since January • No way to track whether copies of the CD were made

  14. The Importance of Privacy and Security • In 1994, administrators of a new computerized medical record system for an HMO in Oregon were shocked to find that 141 employees had peeked at the record of a celebrity who came in to be treated for a sprained wrist.

  15. The Importance of Privacy and Security • Most Data Breaches Traced to Company Errors • Research from the University of Washington, Seattle says that organizations are more often to blame for data security breaches than outside intruders • Looked at 550 data breaches that received media coverage between 1980 and 2006 • Two-thirds of the breaches could be traced to lost or stolen equipment and a variety of management or employee errors • Less than one-third of the breaches were the work of outside attackers

  16. Washington State Data Breach Notification LawRCW 19.255.010 • Businesses and individuals that own or license computerized data that includes “personal information” must notify state residents whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person. • Notice of the data breach must be sent in “the most expedient time possible and without unreasonable delay.”

  17. Other Federal Laws • The Computer Fraud and Abuse Act • 18 U.S.C. § 1030 • Penalizes intentionally accessing a computer without authorization (or exceeding authorization) and thereby causing damage. • Also contains a private right of action under 18 U.S.C. § 1030(g) designed to supplement the criminal sanctions under 18 U.S.C. § 1030(c).

  18. Regulation Themes • Scalability/Flexibility • Covered entities can take into account: • Size • Complexity • Capabilities • Technical Infrastructure • Cost of procedures to comply • Potential security risks

  19. Compliance • 45 CFR 164.530(i): a Covered Entity must develop and implement policies and procedures relating to PHI designed to comply with the [HIPAA] regulations. • Compliance is mandatory.

  20. Duty to Safeguard PHI • HIPAA requires a Covered Entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy and security of PHI.

  21. Assigning Responsibility • Privacy Officer 45 CFR 164.530(a)(1)(i) • Designated person to receive complaints 45 CFR 164.530(a)(1)(ii)

  22. The Security Rules Published: February 20, 2003 Effective Date: April 21, 2003 Compliance Date: April 20, 2005 for all covered entities except small health plans (April 20, 2006 for small health plans).

  23. CIA • Confidentiality • Integrity • Availability

  24. General Requirements164.306(a) • Confidentiality (only the right people see it) • Integrity (the information is what it is supposed to be – it hasn’t been changed) • Availability (the right people can see it when needed)

  25. Additional Requirements of the Security Rule • Protect against any reasonably anticipated threats or hazards to the security and integrity of ePHI. • Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required.

  26. Additional Requirements of the Security Rule • Ensure compliance by the workforce. • Investigate, mitigate, and document the resolution of any inadvertent release.

  27. “Required” versus “Addressable” • The HIPAA Security Rule requires standard implementation through written policies and procedures. • These standards have “required” and “addressable” implementation specifications.

  28. “Required” • Required implementation specifications are mandatory.

  29. “Addressable” • WARNING: “addressable” does NOT mean “optional.” • If a given addressable implementation specification is determined to be reasonable and appropriate, the entity must adopt it.

  30. “Addressable” • If a given “addressable” implementation specification is determined to be inappropriate or unreasonable, the entity may implement an alternative measure that accomplishes the same end. • This determination and its rationale must be documented.

  31. HIPAA Security Standards • Administrative Safeguards (55%) • 12 Required, 11 Addressable • Physical Safeguards (24%) • 4 Required, 6 Addressable • Technical Safeguards (21%) • 4 Required, 5 Addressable

  32. Administrative Safeguards • This section is concerned with the policies, procedures, and processes relating to the “workforce” and not the physical and technical security which is the subject of later sections.

  33. Administrative Safeguards • Security Management Process • Risk Analysis (R) • Risk Management (R) • Sanction Policy (R) • Information System Activity Review (R)

  34. Risk Assessment / Risk Analysis • Assess your own security risks • Determine your risk tolerance or risk aversion • Devise, implement, and maintain appropriate security to address your business requirements • Document your decisions

  35. Risk Analysis Two types: • Qualitative (easiest and most common): rating risks on a scale such as Low / Medium / High • Quantitative (most difficult to determine): placing a dollar value ($) on the risk based upon some formulas or calculations

  36. Risk Calculations (Impact vs. Probability of Occurrence; the higher the number, the greater your risk)
      Impact H:    7   8   9
      Impact M:    4   5   6
      Impact L:    1   2   3
      Probability: L   M   H
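The two scoring methods on slides 35 and 36, worked through as an added example. This code is not from the presentation: the 3x3 matrix is the slide's, but the risk register entries, dollar values and exposure factors are constructed for illustration, and the quantitative formula used (SLE = asset value × exposure factor; ALE = SLE × annualized rate of occurrence) is the standard ALE calculation, which the slide does not name.

```python
"""Qualitative (3x3 matrix) and quantitative (ALE) risk scoring for a HIPAA
risk analysis. Added example; the sample risks below are constructed."""
from dataclasses import dataclass

LEVELS = ("L", "M", "H")  # Low, Medium, High


def qualitative_score(impact: str, probability: str) -> int:
    """Slide 36 matrix: impact rows L=1-3, M=4-6, H=7-9; probability columns L, M, H.
    H impact / H probability scores 9; L / L scores 1."""
    i = LEVELS.index(impact)
    p = LEVELS.index(probability)
    return i * 3 + p + 1


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Quantitative: single loss expectancy (SLE) = asset value x fraction lost per event;
    ALE = SLE x annualized rate of occurrence (expected events per year)."""
    sle = asset_value * exposure_factor
    return sle * aro


@dataclass
class Risk:
    name: str
    impact: str          # L / M / H
    probability: str     # L / M / H
    asset_value: float   # dollars (constructed)
    exposure_factor: float  # fraction of asset value lost per event (constructed)
    aro: float           # expected events per year (constructed)

    @property
    def score(self) -> int:
        return qualitative_score(self.impact, self.probability)

    @property
    def ale(self) -> float:
        return annualized_loss_expectancy(self.asset_value, self.exposure_factor, self.aro)


# Constructed risk register entries (not from the presentation).
SAMPLE_RISKS = [
    Risk("Lost unencrypted laptop holding ePHI", "H", "M", 500_000, 0.6, 0.5),
    Risk("Malware on a clinic workstation", "M", "H", 200_000, 0.3, 1.0),
    Risk("Workforce member browses a celebrity's record", "M", "M", 300_000, 0.1, 2.0),
    Risk("Backup tape mislabeled and misfiled", "L", "M", 50_000, 0.2, 0.25),
]


def rank_risks(risks):
    """Highest qualitative score first; ALE breaks ties. This is the order in which
    risk-management measures would be devised and documented."""
    return sorted(risks, key=lambda r: (r.score, r.ale), reverse=True)


def risks_above_tolerance(risks, max_tolerated_score: int):
    """Risks whose matrix score exceeds the tolerance the entity has decided on
    (slide 34: 'determine your risk tolerance'); each needs a documented treatment."""
    return [r for r in risks if r.score > max_tolerated_score]


if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score}  ${r.ale:>10,.0f}/yr  {r.name}")
```

The qualitative score is what a small practice will usually record; the ALE column is there to show why two risks with the same matrix cell can still deserve different spend, which is the point of the quantitative method on slide 35.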

  37. Administrative Safeguards • Assign a Security Officer who is responsible for HIPAA Security Rule compliance. • Can be same person as the HIPAA Privacy Officer or a different person.

  38. Administrative Safeguards • Workforce Security • Authorization and/or Supervision (A) • Workforce clearance procedures (A) • Termination Procedures (A)

  39. Administrative Safeguards • Information Access Management • Healthcare Clearinghouse Function (R) • Access authorization (A) • Access Establishment and Modification (A)

  40. Administrative Safeguards • Security Awareness and Training • Security Reminders (A) • Protection from malicious software (A) • Log-In Monitoring (A) • Password Management (A)

  41. Administrative Safeguards • Security Incident Procedures • Response and reporting (R)

  42. Administrative Safeguards • Contingency Planning • Data Backup Plan (R) • Disaster Recovery Plan (R) • Emergency Mode Operation Plan (R) • Testing and Revision Procedure (A) • Applications and Data Criticality Analysis (A)

  43. Administrative Safeguards • Evaluation (R) • Periodic review • Non-technical review • Technical review

  44. Administrative Safeguards • Business Associate Contracts and Other Arrangements • Written Contract or Other Arrangement (R)

  45. Physical Safeguards • The Physical Safeguards (§ 164.310) relate to the physical actions the practice must undertake to implement the Security Rule. Small practices will want to focus on limiting physical access to electronic information within the office by unauthorized personnel by simple means such as physical barriers, locks, and supervision.

  46. Physical Safeguards • Facility Access Controls • Contingency Operations (A) • Facility Security Plan (A) • Access Control and Validation Procedures (A) • Maintenance Records (A)

  47. Physical Safeguards • Workstation Use (R) • Workstation Security (R)

  48. Physical Safeguards • Device and Media Controls • Disposal (R) • Media Re-use (R) • Accountability (A) • Data Backup and Storage (A)

  49. Technical Safeguards • This section of the Security Rule (§164.312) addresses technical items that need to be implemented to meet the requirements of the Security Rule.
