HIPAA Security Final Rule Overview - PowerPoint PPT Presentation
Presentation Transcript
HIPAA Security Final Rule Overview

April 9, 2003 Karen Trudel

Publication Information
  • Printed in Federal Register 2/20/03
    • Volume 68, No. 34, pages 8334 - 8381
  • Effective Date 4/21/03
  • Compliance Date 4/21/05 (4/21/06 for Small Health Plans)
  • Document can be located at www.cms.hhs.gov/hipaa/hipaa2
Purpose
  • Ensure integrity, confidentiality and availability of electronic protected health information
  • Protect against reasonably anticipated threats or hazards, and improper use or disclosure
Scope
  • All electronic protected health information (EPHI)
  • In motion AND at rest
  • All covered entities
Security vs. Privacy
  • Closely linked
  • Security enables Privacy
  • Security scope larger – addresses confidentiality PLUS integrity and availability
  • Privacy scope larger – addresses paper and oral PHI
Security Standards General Concepts
  • Flexible, Scalable
    • Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
  • Comprehensive
    • Cover all aspects of security – behavioral as well as technical
  • Technology Neutral
    • Can utilize future technology advances in this fast-changing field
Standards
  • Standards are general requirements
  • Eighteen administrative, physical and technical standards
  • Four organizational standards (conditional)
    • Hybrid entity, affiliated entities, business associate contracts, group health plan requirements
  • Two overarching standards
    • Policies and procedures, documentation
Standards vs. Implementation Specifications
  • Implementation specifications are more specific measures that pertain to a standard
  • 36 implementation specifications for administrative, physical and technical standards
    • 14 mandatory, 22 addressable
  • Implementation specifications may be:
    • Required
    • Addressable
Required vs. Addressable
  • Required – Covered entity MUST implement the specification in order to successfully implement the standard
  • Addressable – Covered entity must:
    • Consider the specification, and implement if appropriate
    • If not appropriate, document reason why not, and what WAS done in its place to implement the standard
Administrative Safeguards
Standards, their sections, and their implementation specifications; (R) = Required, (A) = Addressable
  • Security Management Process – 164.308(a)(1)
    • Risk Analysis (R)
    • Risk Management (R)
    • Sanction Policy (R)
    • Information System Activity Review (R)
  • Assigned Security Responsibility – 164.308(a)(2) (R)
  • Workforce Security – 164.308(a)(3)
    • Authorization and/or Supervision (A)
    • Workforce Clearance Procedure (A)
    • Termination Procedures (A)
  • Information Access Management – 164.308(a)(4)
    • Isolating Health care Clearinghouse Function (R)
    • Access Authorization (A)
    • Access Establishment and Modification (A)
  • Security Awareness and Training – 164.308(a)(5)
    • Security Reminders (A)
    • Protection from Malicious Software (A)
    • Log-in Monitoring (A)
    • Password Management (A)
  • Security Incident Procedures – 164.308(a)(6)
    • Response and Reporting (R)
  • Contingency Plan – 164.308(a)(7)
    • Data Backup Plan (R)
    • Disaster Recovery Plan (R)
    • Emergency Mode Operation Plan (R)
    • Testing and Revision Procedure (A)
    • Applications and Data Criticality Analysis (A)
  • Evaluation – 164.308(a)(8) (R)
  • Business Associate Contracts and Other Arrangement – 164.308(b)(1)
    • Written Contract or Other Arrangement (R)
Physical Safeguards
Standards, their sections, and their implementation specifications; (R) = Required, (A) = Addressable
  • Facility Access Controls – 164.310(a)(1)
    • Contingency Operations (A)
    • Facility Security Plan (A)
    • Access Control and Validation Procedures (A)
    • Maintenance Records (A)
  • Workstation Use – 164.310(b) (R)
  • Workstation Security – 164.310(c) (R)
  • Device and Media Controls – 164.310(d)(1)
    • Disposal (R)
    • Media Re-use (R)
    • Accountability (A)
    • Data Backup and Storage (A)
Technical Safeguards (see § 164.312)
Standards, their sections, and their implementation specifications; (R) = Required, (A) = Addressable
  • Access Control – 164.312(a)(1)
    • Unique User Identification (R)
    • Emergency Access Procedure (R)
    • Automatic Logoff (A)
    • Encryption and Decryption (A)
  • Audit Controls – 164.312(b) (R)
  • Integrity – 164.312(c)(1)
    • Mechanism to Authenticate Electronic Protected Health Information (A)
  • Person or Entity Authentication – 164.312(d) (R)
  • Transmission Security – 164.312(e)(1)
    • Integrity Controls (A)
    • Encryption (A)
Bottom Line…
  • All standards MUST be implemented
  • Using a combination of required and addressable implementation specifications and other security measures
  • Need to document choices
  • This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks
Risk Analysis
  • What PHI do you hold?
  • What do business associates hold on your behalf?
    • Examples: billing service, accountant, medical transcription service
  • What are the potential risks to that data?
    • Examples: “hackers”, loss of data due to not backing up
  • “Gap analysis”…
    • What measures are already in place to address risks vs.
    • What additional measures seem to be needed
Security is not an Exact Science
  • No one-size-fits-all approach
  • Enforcement will stress reasonableness and due diligence
  • Take advantage of flexibility
  • Security does not have to be expensive
Resources
  • CMS will be developing technical assistance materials
    • Security video in the works
    • Checklists and other informational papers
  • WEDI-SNIP has good resources
    • www.wedi.org/snip
Resources
  • CMS website
    • www.cms.hhs.gov/hipaa/hipaa2
    • Contains news of upcoming events, FAQs, technical assistance documents
  • E-mail box
    • Askhipaa@cms.hhs.gov
  • HIPAA hotline
    • 1-866-282-0659
Upcoming Events
  • Satellite broadcast of “HIPAA 101” Video
    • April 16
  • Next HIPAA Roundtable Audioconference
    • April 30
  • Details on CMS website