Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

Similar presentations

Presentation on theme: "1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel."— Presentation transcript:

1 1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel

2 2 Publication Information  Printed in Federal Register 2/20/03 –Volume 68, No. 34, pages 8334 - 8381  Effective Date 4/21/03  Compliance Date 4/21/05 (4/21/06 for Small Health Plans)  Document can be located at

3 3 Purpose  Ensure integrity, confidentiality and availability of electronic protected health information  Protect against reasonably anticipated threats or hazards, and improper use or disclosure

4 4 Scope  All electronic protected health information (EPHI)  In motion AND at rest  All covered entities

5 5 Security vs. Privacy  Closely linked  Security enables Privacy  Security scope larger – addresses confidentiality PLUS integrity and availability  Privacy scope larger – addresses paper and oral PHI

6 6 Security Standards General Concepts  Flexible, Scalable –Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan  Comprehensive –Cover all aspects of security – behavioral as well as technical  Technology Neutral –Can utilize future technology advances in this fast- changing field

7 7 Standards  Standards are general requirements  Eighteen administrative, physical and technical standards  Four organizational standards (conditional) –Hybrid entity, affiliated entities, business associate contracts, group health plan requirements  Two overarching standards –Policies and procedures, documentation

8 8 Standards vs. Implementation Specifications  Implementation specifications are more specific measures that pertain to a standard  36 implementation specifications for administrative, physical and technical standards –14 mandatory, 22 addressable  Implementation specifications may be: –Required –Addressable

9 9 Required vs. Addressable  Required – Covered entity MUST implement the specification in order to successfully implement the standard  Addressable – Covered entity must: Consider the specification, and implement if appropriate If not appropriate, document reason why not, and what WAS done in its place to implement the standard

10 10 Administrative Safeguards StandardsSections Implementation Specifications (R)= Required, (A)=Addressable Security Management Process164.308(a)(1)Risk Analysis(R) Risk Management(R) Sanction Policy(R) Information System Activity Review(R) Assigned Security Responsibility164.308(a)(2) (R) Workforce Security164.308(a)(3)Authorization and/or Supervision(A) Workforce Clearance Procedure(A) Termination Procedures(A) Information Access Management164.308(a)(4)Isolating Health care Clearinghouse Function(R) Access Authorization(A) Access Establishment and Modification(A) Security Awareness and Training164.308(a)(5)Security Reminders(A) Protection from Malicious Software(A) Log-in Monitoring(A) Password Management(A) Security Incident Procedures164.308(a)(6)Response and Reporting(R) Contingency Plan164.308(a)(7)Data Backup Plan(R) Disaster Recovery Plan(R) Emergency Mode Operation Plan(R) Testing and Revision Procedure(A) Applications and Data Criticality Analysis(A) Evaluation164.308(a)(8) (R) Business Associate Contracts and Other Arrangement 164.308(b)(1)Written Contract or Other Arrangement(R)

11 11 Physical Safeguards Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Facility Access Controls 164.310(a)(1)Contingency Operations(A) Facility Security Plan(A) Access Control and Validation Procedures(A) Maintenance Records(A) Workstation Use164.310(b) (R) Workstation Security164.310(c) (R) Device and Media Controls164.310(d)(1)Disposal(R) Media Re-use(R) Accountability(A) Data Backup and Storage(A)

12 12 Technical Safeguards (see § 164.312) Standards Sections Implementation Specifications (R)= Required, (A)=Addressable Access Control164.312(a)(1)Unique User Identification(R) Emergency Access Procedure(R) Automatic Logoff(A) Encryption and Decryption(A) Audit Controls164.312(b) (R) Integrity164.312(c)(1)Mechanism to Authenticate Electronic Protected Health Information (A) Person or Entity Authentication164.312(d)(R) Transmission Security164.312(e)(1)Integrity Controls(A) Encryption(A)

13 13 Bottom Line…  All standards MUST be implemented  Using a combination of required and addressable implementation specifications and other security measures  Need to document choices  This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks

14 14 Risk Analysis  What PHI do you hold?  What do business associates hold on your behalf? –Examples: billing service, accountant, medical trancription service  What are the potential risks to that data? –Examples: “hackers”, loss of data due to not backing up  “Gap analysis”… –What measures are already in place to address risks vs. –What additional measures seem to be needed

15 15 Security is not an Exact Science  No one-size-fits-all approach  Enforcement will stress reasonableness and due diligence  Take advantage of flexibility  Security does not have to be expensive

16 16 Resources  CMS will be developing technical assistance materials –Security video in the works –Checklists and other informational papers  WEDI-SNIP has good resources –

17 17 Resources  CMS website – –Contains news of upcoming events, FAQs, technical assistance documents  E-mail box –  HIPAA hotline –1-866-282-0659

18 18 Upcoming Events  Satellite broadcast of “HIPAA 101” Video –April 16  Next HIPAA Roundtable Audioconference –April 30  Details on CMS website

19 19  Questions?

Download ppt "1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel."

Similar presentations

Ads by Google