
1 Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model
Andy Podgurski and Bret Kiraly, EECS Department, and Sharona Hoffman, School of Law
Case Western Reserve University, Cleveland, Ohio 44106

2 Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Addresses both health insurance reform and "administrative simplification"
- Portability reforms protect health insurance coverage for workers when they change or lose their jobs

3 HIPAA Administrative Simplification Provisions
- Electronic Transactions and Code Sets
- National Provider Identifiers
- Privacy Standards
- Security Standards
- Civil Money Penalties

4 Entities Covered by HIPAA Standards
- Health care providers
- Health plans (payers)
- Health care clearinghouses

5 Effects of HIPAA on Electronic Data Interchange in the Health Care Industry
- Brought substantial uniformity to EDI, though interoperability problems persist
- Generated concern about compliance with the security standards
- Gave rise to an important new model for interactions between covered entities

6 Provider-Clearinghouse*-Payer Model

7 Security Threats in the PC*P Model
- External threats: hacking, interception, deception, denial of service, etc. by outsiders
- Internal threats: abuse of authorized access to electronic protected health information (EPHI) by covered entities, their employees, or business associates

8 Meta-Threat: A Market in Illicitly Obtained EPHI
- EPHI potentially has great value to outsiders, e.g.:
  - Marketers
  - Employers
  - Insurers
  - Blackmailers
- Once EPHI is dispersed on the Internet, it cannot be recovered
- Harm is potentially unlimited
- Not adequately addressed by HIPAA
- Only partially addressed by other laws

9 HIPAA Security Standards
- Intended to ensure confidentiality, integrity, and availability of EPHI
- Define administrative, physical, and technical safeguards
- Emphasize technological neutrality at the expense of specificity
- A covered entity (C.E.) must implement "reasonable and appropriate" policies and procedures to comply with the standards and must document them

10 Implementation Specifications
- May be "required" or "addressable"
- A C.E. may implement an alternative to an addressable specification, or may choose to implement neither the specification nor an alternative
- The decision is based on an analysis of risks, costs, and available resources
- The rationale must be documented

11 HIPAA Safeguards Against Insider Threats
- Administrative safeguards
  - Workforce security policy
  - Workforce sanctions
  - Security training
  - Access authorization policy
  - Periodic evaluation
  - Information system activity review
  - Business associate contracts

12 HIPAA Safeguards Against Insider Threats (2)
- Physical safeguards
  - Facility access controls
  - Device and media controls

13 HIPAA Safeguards Against Insider Threats (3)
- Technical safeguards
  - Access control
  - Unique user identification
  - Encryption
  - Audit controls
  - Integrity controls
  - Person or entity authentication

14 Limitations of HIPAA Safeguards
- Employees with legitimate access to EPHI can easily provide it to outsiders or modify it
- No technical restrictions on employees' ability to distribute or modify EPHI are specified
- The form of audit controls is not specified
- Addressed primarily by deterrents:
  - Dismissal
  - Employer sanctions
  - Fines
  - Imprisonment

15 Recommended Mandatory Implementation Specifications
- Employees must be technically prevented from electronically distributing or modifying EPHI except as required for essential business reasons
- Employees who normally process EPHI must not have system administration privileges
- Each transfer or modification of EPHI must be securely and permanently logged
  - Actors strongly identified
  - Relevant items identified

16 Implications of the Recommendations
- Most employees handling EPHI must use restricted hardware and software
- Hardware, software, and administrative support for "dual-key" system administration is required

17 Preventing Trafficking in Illicitly Obtained EPHI
- Requires a combination of technical and legal means
- Proposals:
  - Regulate all entities that handle EPHI
  - Require that such entities be able to prove the provenance and authenticity of EPHI they have handled
  - Require use of strong identification and data integrity validation
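Slides 15 and 17 ask that every transfer or modification of EPHI be securely and permanently logged, with the actor and the affected record strongly identified, and that handlers be able to prove provenance and validate integrity. The following is an added example, not part of the presentation: an append-only, HMAC hash-chained audit log whose verifier detects an entry that was altered or removed after the fact. The signing key, actor identifiers and claim identifiers are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Constructed demo key for the audit-log keeper. In deployment it belongs to an
# independent audit system, never to the employees whose EPHI handling it records.
AUDIT_KEY = b"constructed-demo-audit-key"
GENESIS = "0" * 64

def _mac(prev: str, seq: int, actor: str, action: str, item: str) -> str:
    """HMAC over the previous entry's MAC plus this entry's fields (hash chain)."""
    fields = json.dumps([seq, actor, action, item], separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, prev.encode() + fields, hashlib.sha256).hexdigest()

def record(log: list, actor: str, action: str, item: str) -> dict:
    """Append one EPHI transfer/modification event. 'actor' and 'item' are the
    strongly identified user and record that the recommendation calls for."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": len(log), "actor": actor, "action": action, "item": item, "prev": prev}
    entry["mac"] = _mac(prev, entry["seq"], actor, action, item)
    log.append(entry)
    return entry

def verify(log: list):
    """Return (True, None) if the chain is intact, otherwise (False, index) for the
    first entry whose content, position or linkage no longer checks out."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, i          # reordered, deleted or spliced entry
        expected = _mac(prev, e["seq"], e["actor"], e["action"], e["item"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i          # entry content was altered after the fact
        prev = e["mac"]
    return True, None

def demo():
    """Record three constructed events, then show that a silent edit and a
    deletion are both caught by verify()."""
    log = []
    record(log, "npi:1234567890", "read", "claim:C-001")    # constructed IDs
    record(log, "emp:jdoe", "modify", "claim:C-001")
    record(log, "emp:jdoe", "transfer", "claim:C-002")
    intact = verify(log)
    edited = [dict(e) for e in log]
    edited[1]["item"] = "claim:C-009"       # record ID changed in place
    deleted = log[:1] + log[2:]             # middle event removed
    return intact, verify(edited), verify(deleted)
```

Because each MAC covers the previous entry's MAC, an insider with write access to the log store but no access to AUDIT_KEY cannot rewrite, reorder or drop an event without the next verification run pointing at the first broken link.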

18 HIPAA Enforcement Provisions

