Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Published byLauren Lamb Modified over 10 years ago

Similar presentations

Presentation on theme: "HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003."— Presentation transcript:

1 HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003

2 2 Important Dates Final rule published February 20, 2003 Compliance: – April 21, 2005 for all covered entities except small health plans – April 21, 2006 for small health plans (as required under HIPAA)

3 3 HIPAA Security HIPAA Privacy covers what information you protect – the use and disclosure of PHI HIPAA Security covers how you protect that information and when – Adopt national standards for safeguards to protect the confidentiality, integrity, and availability of the data?

4 4 General Requirements Ensure – Confidentiality: who can see the information – Integrity: the information has not been altered in any way – Availability: it can be accessed on a timely basis

5 5 General Requirements Applies to electronic protected health information – Note that privacy extends to oral and written communications Applies to the electronic PHI that a covered entity: – Creates – Maintains – Transmits

6 6 General Requirements Covered entities must: – Protect against reasonably anticipated threats or hazards to the security or integrity of information – Protect against reasonably anticipated uses and disclosures as outlined in the privacy rule – Ensure compliance by workforce – Develop business associate contracts as appropriate

7 7 Overarching Themes Security is technology neutral – Outlines what needs to be done to protect the information, but not how it should be done Security is comprehensive – Covers the technical, administrative, and behavioral aspects of compliance

8 8 Basic Changes from NPRM Aligned with privacy (definitions and requirements for business associate contracts) Encryption is now addressable No requirement for certification Standards simplified and redundancy eliminated

9 9 Regulation Approach Scalability (size) and flexibility (implementation) Organizational approaches should account for: – Size – Complexity – Technical Infrastructure – Cost – Potential Security Risks

10 10 Regulation Approach Developed standards – Administrative – Physical – Technical Within each standard are a series of implementation specifics that can be either required or addressable

11 11 Regulation Approach Required – A MUST Addressable – a covered after conducting a documented risk analysis, may: – Implement a solution if reasonable and appropriate – Implement an equivalent measure, if reasonable and appropriate – Not implement

12 12 Administrative Standards Security Management – Risk analysis (R) – Risk management (R) Assigned Responsibility – single point Workforce Security – Termination procedures (A) – Clearance procedures (A)

13 13 Administrative Standards Information Access Management – Isolating clearinghouse (R) – Access authorization (A) Security Awareness and Training Security Incident Procedures Contingency Plan – Disaster Recovery Plan (R) Evaluation Business Associate Contracts

14 14 Physical Standards Facility Access Controls – all addressable – Contingency operations – Facility Security Plan – Access control – Maintenance records Workstation Use Workstation Security Device and Media Controls

15 15 Technical Standards Access Control – Unique user ID (R) – Emergency access (R) – Automatic logoff (A) – Encryption and decryption (A) Audit Controls Integrity Person or Entity Authentication Transmission Security

16 16 Sample Industry Approach Determine organizational position Conduct and document risk analysis – Determine threats and likelihood Develop strategies to implement for each of the standards – Implementation plan inclusive of timeline – For situations where no solution is being implemented (e.g., low threat/low risk) document rationale Develop and document policies and procedures Train workforce Implement processes Monitor and Evaluate

17 17 Implementation Progressing Organizations are moving ahead with risk assessments and have set timelines for compliance – Due to the overlap in Privacy the ground work for security has been implemented in many entities WEDI workgroups are developing guidance for industry-wide distribution More questions are devoted to security Covered entities are still focused on TCS compliance and may be behind in security efforts

18 18 Challenges Implementation – Conducting risk analysis Developing an approach and completing the analysis with enough time to implement the recommendations – Accessing expertise Especially difficult for small providers – Balancing between cost and capabilities – Understanding the unknown – there is no right answer Compliance strategies will be different for all covered entities – Dealing with TCS, extending contingency plans may hinder security progress

19 19 Challenges Enforcement - complaint driven – The overlap between privacy and security When does it go from being a violation of one to a violation of another A complaint may be initially identified as a privacy complaint, but contain a security breach – No right answer

20 20 Appendix - Chart The implementation specifics are outlined in the appendix.

Download ppt "HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.

1 HIPAA Security Final Rule Overview April 9, 2003Karen Trudel.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.

HIPAA Security Regulations Jean C. Hemphill Ballard Spahr Andrews & Ingersoll, LLP November 30, 2004.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.

Privacy, Security and Compliance Concerns for Management and Boards November 15, 2013 Carolyn Heyman-Layne, Esq. 1.
CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.

CAMP Med Building a Health Information Infrastructure to Support HIPAA Rick Konopacki, MSBME HIPAA Security Coordinator University of Wisconsin-Madison.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)
IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.

IT’S OFFICIAL: GOVERNMENT AUDITING OF SECURITY RULE COMPLIANCE Nancy Davis, MS, RHIA Director of Privacy/Security Officer, Ministry Health Care & Catherine.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google