1 / 29

Chapter 13: Regulatory Compliance for the Healthcare Sector

Chapter 13: Regulatory Compliance for the Healthcare Sector. Objectives. Understand the security regulations required of the healthcare sector by the HIPAA Security Rule. Write HIPAA-compliant policies and procedures. Execute the HIPAA implementation specifications.

moe
Download Presentation

Chapter 13: Regulatory Compliance for the Healthcare Sector

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 13: Regulatory Compliance for the Healthcare Sector

  2. Objectives • Understand the security regulations required of the healthcare sector by the HIPAA Security Rule. • Write HIPAA-compliant policies and procedures. • Execute the HIPAA implementation specifications. • Conduct a compliance audit. • Relate the ISO 17799 security framework to HIPAA security compliance.

  3. Introduction • Title II of HIPAA mandated the creation of rules to address how electronic healthcare transactions are transmitted and stored. • The resulting HIPAA Security Rule establishes a standard for the security of electronic protected health information, or ePHI.

  4. Understanding the Security Rule The HIPAA Security Rule focuses on safeguarding ePHI: • Any individually identifiable health information that is stored, processed, or transmitted electronically or digitally • Applies to both public and private sector entities that process, store, or transmit such information

  5. HIPAA Goals and Objectives Main goal of HIPAA Security Rule is to protect the • Confidentiality • Integrity • Availability of all electronic protected health information.

  6. Covered Entities The Security Rule applies to any entity that stores or transmits ePHI, including: • Healthcare Providers • Health Plans • Healthcare Clearinghouses • Medicare Prescription Drug Card Sponsors

  7. HIPAA Key Principles The standards are intentionally nonspecific and scalable. Covered entities choose the appropriate technology and controls for their own unique environment, taking into consideration • Their size and capabilities • Their technical infrastructure • The cost of the security measures • The probability of risk

  8. Penalties for Noncompliance • April 21, 2006 is the final date for compliance • Covered entities must achieve and maintain compliance • There are various civil and criminal penalties • Noncompliance may be used in liability cases; attorneys may sue on behalf of clients who believe their rights have been violated

  9. Security Rule Organization Administrative Safeguards: The documented policies and procedures for • managing operations • conduct and access of workforce to ePHI • selection, development, and use of security controls

  10. Security Rule Organization Cont. Physical Safeguards: • requirements for protecting ePHI from unauthorized physical access Technical Safeguards: • the use of technology to control access to ePHI

  11. Security Rule Organization Cont. Organizational Requirements: • includes standards for business associate contracts and requirements for group health plans Documentation Requirements: • includes policies and procedures regarding documentation and records and their retention and availability

  12. Administrative Safeguards The Security Management Process includes: • Conducting a risk assessment • Implementing a risk management program; identifying all threats to ePHI • Developing and implementing a sanction policy for security violations; applies to employees, contractors, and vendors • Developing and deploying an information system activity review

  13. Administrative Safeguards Cont. Assigned Security Responsibility: • Appoint a responsible security official to oversee compliance Workforce Security: • Implement procedures for authorization and supervision of workforce members • Establish a workforce clearance procedure for hiring and assigning tasks • Establish termination procedures

  14. Administrative Safeguards Cont. Information Access Management: • Isolate healthcare clearinghouse functions • Implement policies and procedures to authorize access • Implement policies and procedures to establish access

  15. Administrative Safeguards Cont. Security Awareness and Training: • Establish a security awareness program to remind users of potential threats • Provide training on recognizing malicious software (malware) • Provide training on login monitoring procedures • Provide training on password management

  16. Administrative Safeguards Cont. Security Incident Procedures: • Addresses reporting of and responding to security incidents • Training users to recognize incidents • Implementing a reporting system • Follow through with investigations and report back to the user

  17. Administrative Safeguards Cont. Contingency Plans: • Conduct an application and data criticality analysis • Establish and implement a data backup plan • Establish and implement a disaster recovery plan • Establish an emergency mode operation plan • Test and revise procedures

  18. Administrative Safeguards Cont. Evaluation: • All covered entities must develop criteria and metrics for evaluating their own compliance Business Associate Contracts: • Business associates and third parties must also comply • Based on written contract or other form of agreement

  19. Physical Safeguards Facility Access Controls include: • Create a facility security plan; prevent unauthorized access, tampering, and theft • Implement access control and validation procedures • Keep maintenance records, including modifications to doors, locks, etc. • Establish contingency operations

  20. Physical Safeguards Cont. Workstation Use: • Covers proper use of workstations, particularly laptops Workstation Security: • Covers restricting workstation access to authorized users

  21. Physical Safeguards Cont. Device and Media Controls: • Implement disposal policies and procedures • Implement reuse policies and procedures • Maintain accountability for hardware and electronic media • Develop data backup and storage procedures

  22. Technical Safeguards Access Control: • Require unique user identification • Establish emergency access procedures • Implement automatic logoff procedures that terminate a session after a period of inactivity • Encrypt and decrypt information at rest

  23. Technical Safeguards Cont. Audit Controls: • Organizations must be able to monitor system activity Integrity Controls: • To protect ePHI from improper alteration or destruction • Includes antivirus and antispyware, firewalls, e-mail scanning

  24. Technical Safeguards Cont. Person or Entity Authentication: • Requires unique user identification, such as password, PIN, biometric ID, etc. Transmission Security: • Implement integrity controls • Implement encryption

  25. Organization Requirements Business Associates Contracts: • Contracts must meet specific requirements to ensure the confidentiality, integrity, and availability of ePHI • Covered entities, business associates, and their agents must protect ePHI and report security incidents, or risk termination

  26. Organization Requirements Cont. Standard Requirements for Group Health Plans: • Applies only to group health plan sponsors • Requirements for ensuring the confidentiality, integrity, and availability of ePHI must be met by the plan sponsors and any of its agents

  27. Policies and Procedures Policies and Procedures to ensure that: • Standards and implementation specifications are met • Actual activities of the covered entity are reflected

  28. Policies and Procedures Cont. Documentation: • Retain documentation for six years • Make documentation available to necessary personnel • Update documentation as necessary to reflect changes that may affect the security of ePHI

  29. Summary • HIPAA Security Rule was designed to ensure that ePHI is safe from breaches of confidentiality, integrity, and availability • The regulations mirror what is now considered basic security best practices • Both providers and patients benefit

More Related