HIPAA and the GLB: Connections Between Congress and Information Assurance
The Basics
- HIPAA passed in 1996
- Regulatory authority: Department of Health and Human Services
- Privacy Rule in effect in 2003
- Security Rule in effect in 2005
- GLB passed in 1999
- Scope: financial institutions and personal information
- Regulated by many agencies; the Federal Trade Commission is the umbrella agency
Privacy Rule
- Information regarding medical condition or diagnosis must be kept separately from hiring/firing information
- Requires development of both internal and external security
Security Rule
The Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register on February 20 (the year is omitted in the transcript). This final rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to assure the confidentiality of electronic protected health information. The standards are broken down into implementation specifications that are either required or addressable.
Appendix A to Subpart C of Part 164: Security Standards Matrix
(R) = Required implementation specification, (A) = Addressable implementation specification

Administrative Safeguards
- Security Management Process (a)(1): Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
- Assigned Security Responsibility (a)(2): (R)
- Workforce Security (a)(3): Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A)
- Information Access Management (a)(4): Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)
- Security Awareness and Training (a)(5): Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)
- Security Incident Procedures (a)(6): Response and Reporting (R)
- Contingency Plan (a)(7): Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A)
- Evaluation (a)(8): (R)
- Business Associate Contracts and Other Arrangements (b)(1): Written Contract or Other Arrangement (R)

Physical Safeguards
- Facility Access Controls (a)(1): Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)
- Workstation Use (b): (R)
- Workstation Security (c): (R)
- Device and Media Controls (d)(1): Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § )
- Access Control (a)(1): Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)
- Audit Controls (b): (R)
- Integrity (c)(1): Mechanism to Authenticate Electronic Protected Health Information (A)
- Person or Entity Authentication (d): (R)
- Transmission Security (e)(1): Integrity Controls (A); Encryption (A)
What’s Required?
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
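The backup and disaster recovery specifications above hinge on one verifiable property: the copy must be an exact, retrievable duplicate, and a restore must be checked against what the data looked like when it was backed up rather than against whatever the backup medium holds now. The following Python script is an added illustration of that check and is not part of the presentation or of any HIPAA guidance; the file names, the sample record contents and the use of SHA-256 as the comparison digest are constructed assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large records never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source: Path, backup_dir: Path) -> tuple[Path, str]:
    """Copy `source` into `backup_dir` and return (copy path, digest of the original).

    The digest recorded here is the reference for every later restore; it is
    computed from the original, not from the copy, so a bad copy cannot vouch
    for itself.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    copy = backup_dir / source.name
    shutil.copy2(source, copy)  # copy2 preserves timestamps as well as bytes
    expected = sha256_of(source)
    if sha256_of(copy) != expected:
        raise RuntimeError(f"backup of {source} is not an exact copy")
    return copy, expected


def restore(copy: Path, expected_sha256: str, target: Path) -> bool:
    """Restore `copy` to `target`; True only if the restored bytes match the recorded digest."""
    shutil.copy2(copy, target)
    return sha256_of(target) == expected_sha256


def demo() -> dict:
    """Constructed walk-through: back up a record, restore it, then detect a corrupted copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        record = root / "patient_record.txt"  # constructed sample, not real PHI
        record.write_bytes(b"patient-id=0001 visit=2003-04-14 note=sample\n")

        copy, expected = back_up(record, root / "backups")
        restored_ok = restore(copy, expected, root / "restored.txt")

        # Simulate media corruption: flip one byte of the backup copy in place.
        damaged = bytearray(copy.read_bytes())
        damaged[0] ^= 0xFF
        copy.write_bytes(bytes(damaged))
        corrupt_restore_ok = restore(copy, expected, root / "restored_from_damaged.txt")

        return {"restored_ok": restored_ok, "corruption_detected": not corrupt_restore_ok}


if __name__ == "__main__":
    print(demo())
```

Keeping the digest with the backup catalogue rather than beside the copy is the point of the design: the "Testing and Revision Procedure" specification in the matrix is only meaningful if a restore drill can fail, and it can only fail if there is an independent record of what a correct restore looks like.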
What’s Optional?
(iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information.
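"Addressable" does not mean optional in the everyday sense; it means the covered entity must either implement the specification or document why an alternative is reasonable. The Python below is an added example of the automatic logoff specification, written for this page rather than taken from the presentation or from any regulator: a session table that logs a session off once its idle time reaches a predetermined limit, both on the next request and from a background sweep for sessions that never come back, and that records each logoff for the audit trail. The 15-minute limit, the session identifiers and user names are constructed; time is passed in by the caller so the behaviour can be exercised without waiting.

```python
from dataclasses import dataclass, field

# Constructed policy value: the rule says "predetermined time" and fixes no number.
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    last_activity: float  # seconds on a clock supplied by the caller
    active: bool = True


@dataclass
class SessionTable:
    idle_timeout: float = IDLE_TIMEOUT_SECONDS
    sessions: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # feeds the Audit Controls standard

    def login(self, session_id: str, user: str, now: float) -> None:
        self.sessions[session_id] = Session(user=user, last_activity=now)
        self.audit_log.append((now, user, "login"))

    def _idle_for(self, session: Session, now: float) -> float:
        return now - session.last_activity

    def _terminate(self, session_id: str, now: float, reason: str) -> None:
        session = self.sessions[session_id]
        session.active = False
        self.audit_log.append((now, session.user, reason))

    def touch(self, session_id: str, now: float) -> bool:
        """Call on every request. Returns True if the session may continue.

        If the gap since the last activity has reached the timeout, the session
        is logged off before the request is served, so an unattended workstation
        cannot simply be resumed by whoever walks up to it.
        """
        session = self.sessions.get(session_id)
        if session is None or not session.active:
            return False
        if self._idle_for(session, now) >= self.idle_timeout:
            self._terminate(session_id, now, "automatic logoff (idle)")
            return False
        session.last_activity = now
        return True

    def sweep(self, now: float) -> list:
        """Background pass: log off idle sessions that never send another request."""
        expired = [sid for sid, s in self.sessions.items()
                   if s.active and self._idle_for(s, now) >= self.idle_timeout]
        for sid in expired:
            self._terminate(sid, now, "automatic logoff (sweep)")
        return expired


def demo() -> dict:
    """Constructed scenario: one user keeps working, one walks away."""
    table = SessionTable(idle_timeout=IDLE_TIMEOUT_SECONDS)
    table.login("s1", "nurse.a", now=0.0)
    table.login("s2", "clerk.b", now=0.0)
    ok_at_10_min = table.touch("s1", now=600.0)   # 10 min idle: continues
    ok_at_40_min = table.touch("s1", now=2400.0)  # 30 min idle: logged off
    swept = table.sweep(now=2400.0)               # s2 never returned: swept
    return {
        "ok_at_10_min": ok_at_10_min,
        "ok_at_40_min": ok_at_40_min,
        "swept": swept,
        "audit_entries": len(table.audit_log),
    }


if __name__ == "__main__":
    print(demo())
```

The sweep matters as much as the per-request check: a session that is never touched again would otherwise stay "active" in the table indefinitely, which is exactly the unattended-terminal condition the specification is meant to close.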
Pros and Cons
Pros:
- Flexible, taking limited resources into account
- Steps are general and not technology specific
- Security 101, best practice
Cons:
- Flexible, allowing different interpretations to be made
- May slow technology adoption in the health field
- Lawsuits are feared by some
Specifics of the GLB
Because the states are responsible for regulating the insurance industry, Gramm-Leach-Bliley (GLB) stipulates that the states pass legislation to enforce the requirements laid out in the law. Similar to these privacy requirements, GLB requires security provisions to be enforced by the states for the insurance industry. There is an exception in GLB which states that banks offering insurance products will be subject to the requirements and deadlines of their regulatory agency, as opposed to the state in which the institution resides. Currently, four states have passed personal financial information security laws, while several other states have proposed laws. It is important to note, however, that implementing and enforcing laws for the security of personal information is a requirement of GLB, and all states must eventually pass legislation for the insurance carriers in their state. It is only a matter of time before all states have laws on the books implementing the security requirements of GLB.
Goals of the Law
- Tighten customer protection
- Provide an ‘opt out’ rule
- Give people more control
- Companies in the financial sector have to let customers or consumers know what information they hold on the people who use their services, which other companies have access to it, and how they protect the information
Complications
A month before the deadline to comply with sweeping privacy regulations, I asked a senior IT person responsible for compliance at a securities firm how things were going. He laughed. “Can you explain the regulations?” he asked. He was joking, I think, but his comment sums things up. As simply one factor backfiring, the companies are required to give customers an annual notice giving them their chance to opt out.
Still More Complications
- Inter-state complications
- International issues: this has left global institutions confused about how to, say, send information about a European employee to U.S. headquarters
Future Predictions
Privacy and security are growing concerns as virus and worm attacks become more numerous year by year, as identity theft costs more and more, and as public leaders become more and more computer literate. In 2002, identity theft cost the US an estimated 53 billion dollars. A major incident will galvanize the government into passing standards that are wider in scope, or possibly more stringent, than the current, rather reasonable HIPAA standards.