HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT.


1 HIPAA HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT

2 HIPAA of 1996. Regulation text: 45 CFR Parts 160, 162, and 164 (unofficial version, as amended through February 16, 2006). Medical Privacy: National Standards to Protect the Privacy of Personal Health Information. § 164.502 Uses and disclosures of protected health information. § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations.

3 Diagram: personal health information flows among the covered entity, business associates, the patient, parents, minors, relatives and public release; nurses and doctors access health records; a Prolog policy verifier checks the flows.

4 HIPAA translation
HIPAA LAW, § 164.502(a)(1)(ii): For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506;
PROLOG TRANSLATION:
    permitted_by_164_502_a_1_ii(A) :-
        satisfy_164_502_a_1_ii(A),
        permitted_by_164_506(A).
    satisfy_164_502_a_1_ii(A) :-
        has_purpose(A, healthcare);
        has_purpose(A, payment);
        has_purpose(A, treatment).

5 PROLOG TRANSLATION:
    inRole(shh, covered_entity).
    inRole(jd, intern).
    inRole(carla, nurse).
    inRole(j, janitor).
    % TRANSITIVE CLOSURES:
    inRole(intern, doctor).
    inRole(doctor, covered_entity).
    % RELATIONS:
    employee_of(jd, shh).
    parent_of(kid, cox).
    business_associate(seattle_grace, shh).
Diagram: facts about the hospital (a covered entity), its employees (lawyer, janitor, nurse, intern) and its business associate.

6 Model. Every query to the Prolog program is a message passed between two entities: a(to, from, about, type, purpose, in_reply_to, consented_by). Example: what medication should the leukemia kid get? Nurse carla sends the PHI to intern jd for treatment, and the checker is asked whether HIPAA permits it: pbh(a(jd, carla, kid, phi, treatment, _, _)).

7 Assumptions. Everything can be represented as messages. All fields are accurate. Ideal world with authenticated and authorized identities. All information is passed through the system. A few parts, such as "the doctor believes in good judgement", could not be coded. The results and conclusions are based on the portion of HIPAA we interpreted and coded.

8 Properties: can an unauthorized insider get PHI? Can an outsider get PHI? Tests: verification of the implementation by running individual test cases, plus an exhaustive search over all message pathways. Law cases are very elaborate to code; the simple ones we tried were satisfied by HIPAA.
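The checker sketched on slides 4 to 8, written out as one runnable SWI-Prolog file. This is an added example, not the authors' program: it keeps the names shown on the slides (inRole/2, employee_of/2, parent_of/2, business_associate/2, a/7, pbh/1, permitted_by_164_502_a_1_ii/1, satisfy_164_502_a_1_ii/1, permitted_by_164_506/1, has_purpose/2) and everything else is an assumption, in particular the extra inRole and employee_of facts for carla, cox and the Secretary, the "same covered entity" reading of §164.506(c)(1), the compliance_investigation purpose, and the principal/1, phi_flows/3 and outsider_gets_phi/3 search predicates that implement the slide 8 exhaustive search.

```prolog
% Added example (not the authors' program): the slides' checker as one file.
% Run with SWI-Prolog:  swipl checker.pl
% Names not on the slides are assumptions and are marked as such.

% ---- Facts (slide 5) ----
inRole(shh,   covered_entity).
inRole(jd,    intern).
inRole(carla, nurse).
inRole(j,     janitor).
inRole(cox,   doctor).             % assumption: the parent 'cox' is a doctor
inRole(secretary, hhs_secretary).  % assumption: the Secretary of HHS (slide 11)
% Role hierarchy edges (the slides call these transitive closures).
inRole(intern, doctor).
inRole(doctor, covered_entity).
inRole(nurse,  covered_entity).    % assumption: nurses are workforce of the CE

employee_of(jd,    shh).
employee_of(carla, shh).           % assumption
employee_of(cox,   shh).           % assumption
parent_of(kid, cox).
business_associate(seattle_grace, shh).

% has_role(P, R): P holds R directly or through the role hierarchy.
% The hierarchy above is acyclic, so this terminates.
has_role(P, R) :- inRole(P, R).
has_role(P, R) :- inRole(P, R1), has_role(R1, R).

% ---- The message term (slide 6) ----
% a(To, From, About, Type, Purpose, InReplyTo, ConsentedBy)
msg_to(a(To, _, _, _, _, _, _), To).
msg_from(a(_, From, _, _, _, _, _), From).
msg_type(a(_, _, _, Type, _, _, _), Type).
has_purpose(a(_, _, _, _, Purpose, _, _), Purpose).

% ---- Coded clauses of the rule ----
% 164.502(a)(1)(ii) (slide 4).
permitted_by_164_502_a_1_ii(A) :-
    satisfy_164_502_a_1_ii(A),
    permitted_by_164_506(A).

satisfy_164_502_a_1_ii(A) :-
    (   has_purpose(A, healthcare)
    ;   has_purpose(A, payment)
    ;   has_purpose(A, treatment)
    ).

% 164.506(c)(1) (slide 10): a covered entity may use or disclose PHI for
% its *own* treatment, payment or operations. Modelled (assumption) as:
% sender and receiver belong to the same covered entity.
permitted_by_164_506(A) :-
    msg_type(A, phi),
    msg_from(A, From), member_of_ce(From, CE),
    msg_to(A, To),     member_of_ce(To, CE).

member_of_ce(P, CE)  :- employee_of(P, CE).
member_of_ce(CE, CE) :- inRole(CE, covered_entity).

% 164.502(a)(2)(ii) (slide 11): disclosure to the Secretary for a compliance
% investigation is required, hence permitted. The purpose atom is an assumption.
required_by_164_502_a_2_ii(A) :-
    msg_type(A, phi),
    msg_to(A, secretary),
    has_purpose(A, compliance_investigation),
    msg_from(A, From), has_role(From, covered_entity).

% pbh(A): "permitted by HIPAA", true if any coded clause permits message A.
pbh(A) :- permitted_by_164_502_a_1_ii(A).
pbh(A) :- required_by_164_502_a_2_ii(A).

% ---- Exhaustive search (slide 8) ----
% Leaf principals: things that hold a role but are not themselves a role.
principal(P) :- inRole(P, _), \+ inRole(_, P).

purpose(treatment). purpose(payment). purpose(healthcare).
purpose(compliance_investigation).

% Every (From, To, Purpose) for which PHI about kid may flow.
phi_flows(From, To, Purpose) :-
    principal(From), principal(To), From \== To,
    purpose(Purpose),
    pbh(a(To, From, kid, phi, Purpose, none, none)).

% Property from slide 8: can an outsider (no role inside a covered entity) get PHI?
outsider_gets_phi(From, To, Purpose) :-
    phi_flows(From, To, Purpose),
    \+ has_role(To, covered_entity).

% Sample queries:
% ?- pbh(a(jd, carla, kid, phi, treatment, _, _)).   % true  (nurse -> intern, same CE)
% ?- pbh(a(j, carla, kid, phi, treatment, _, _)).    % false (janitor is not in the CE)
% ?- outsider_gets_phi(From, To, Purpose).
%    To = secretary, Purpose = compliance_investigation, From = shh ; jd ; carla ; cox.
```

The last query is the slide 8 "outsider" property run as an exhaustive search over every sender, receiver and purpose in the fact base: the only outsider who can receive PHI is the Secretary, through the required disclosure of §164.502(a)(2)(ii), which is exactly the path slide 11 draws. Adding a clause to pbh/1 for each further section you translate is all that is needed to widen the search.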


10 1. Insider gaining PHI. § 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. Diagram: the covered entity discloses PHI to a nurse ("Don't go in that room, the patient has SARS").

11 2. Outsider gaining PHI. § 164.502 Uses and disclosures of protected health information: general rules. (a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter. (2) Required disclosures. A covered entity is required to disclose protected health information: (ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart. Diagram: a doctor at the covered entity sends the entire database of personal health information to the Secretary for compliance verification.

12 3. Insider then outsider. Diagram: a doctor at the covered entity in the past is a freelance journalist in the present, still holding the PHI obtained as an insider.

13 Potential shortcomings. There are many outside agents who can gain legitimate access to PHI and are not regulated by HIPAA after they gain it: HIPAA does not regulate information once it leaves its definition of a covered entity. DISCLAIMER: all these shortcomings are based on what we looked at; they may not be there at all.

14 DoS attack!! To conclude that a message is NOT permitted, the Prolog checker must try every applicable clause and fail on all of them (negation as failure), so a query crafted to be rejected forces an exhaustive search over the whole fact base. This makes a denial-of-service attack on our implementation easy.
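The cost asymmetry behind that remark, shown on a cut-down checker. This is an added example, not the authors' code: a positive query stops at the first clause that fires, while a negative one must exhaust every clause and every role chain, and the last part goes beyond the slide by showing that a single attacker-supplied cyclic fact turns "expensive" into "never terminates" unless the closure is tabled. All predicate names (has_role/2, has_role_tabled/2, build/1, anyone_reaches/1, inferences/2, poison/0) and the generated fact base are assumptions; it targets SWI-Prolog.

```prolog
% Added example (not the authors' code): why "not permitted" is the expensive
% answer, and how one bad fact removes even that bound. SWI-Prolog.

:- dynamic inRole/2.

% Role closure as on slide 5 (untabled).
has_role(P, R) :- inRole(P, R).
has_role(P, R) :- inRole(P, R1), has_role(R1, R).

% Same closure, tabled: SWI-Prolog's SLG resolution terminates on cycles.
:- table has_role_tabled/2.
has_role_tabled(P, R) :- inRole(P, R).
has_role_tabled(P, R) :- inRole(P, R1), has_role_tabled(R1, R).

% Constructed fact base (assumption): N principals p1..pN in roles r1..rN,
% every role feeding doctor -> covered_entity.
build(N) :-
    retractall(inRole(_, _)),
    abolish_all_tables,
    assertz(inRole(doctor, covered_entity)),
    forall(between(1, N, I),
           ( atom_concat(p, I, P), atom_concat(r, I, R),
             assertz(inRole(P, R)), assertz(inRole(R, doctor)) )).

% The kind of check the slide talks about: can anyone in the fact base reach Target?
anyone_reaches(Target) :- inRole(P, _), has_role(P, Target).

% Inferences spent on Goal, whether it succeeds or fails.
inferences(Goal, N) :-
    statistics(inferences, I0),
    ( call(Goal) -> true ; true ),
    statistics(inferences, I1),
    N is I1 - I0.

% Attacker-supplied fact that closes a loop in the role hierarchy.
poison :- abolish_all_tables, assertz(inRole(covered_entity, doctor)).

% ?- build(20000), inferences(anyone_reaches(covered_entity), Yes),
%    inferences(\+ anyone_reaches(outsider), No).
%    Yes is a handful of inferences (first fact fires); No grows linearly with N.
% ?- build(10), poison, has_role_tabled(p1, outsider).   % false, terminates
% ?- build(10), poison, has_role(p1, outsider).          % never returns
```

The practical caveat: in a checker that is exposed to untrusted queries or to untrusted fact sources (role assignments, relations), the "no" path must be bounded. Tabling the closure predicates gives termination on cyclic hierarchies; a per-query time limit is still needed against a large but acyclic fact base.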

15 Rational reconstruction. The law itself is well structured: the purpose and relation of its clauses are explicit. Past: a covered entity can send a message if the patient consented to it in the past. Present: it can send PHI to other covered entities for health care operations. Future: if the individual requests his PHI, the covered entity is required to send it.

16 Suggestions. Cover all agents who hold other people's PHI under HIPAA and treat them as covered entities. During an emergency, patient data should be readily available to any person who can help at that moment; surprisingly, the clauses we coded make no mention of emergencies. The system implementation at a hospital should be resilient to identity theft, in addition to having all the usual security features in place.

17 Prolog as a model for a compliance checker. Cons: laws are not written to be logical! HIPAA specifies what to implement, not how. It definitely does not replace the human auditor. It is difficult to formalize exactly: the translation rests on interpretation and needs many rounds of correction.

18 Prolog as a model for a compliance checker. Pros: better than nothing. Easy to understand. Makes the HIPAA auditor's job easier, although the query log must be interpreted to obtain the proper insights. Exhaustive search tests all pathways of data transfer.

