Eliza de Guzman HTM 520 Health Information Exchange

INTRODUCTION The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop a regulations that will protect the privacy and security of certain health information. HHS published the most commonly known as the HIPAA Privacy Rule and HIPAA Security Rule to fulfill the required regulations. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) established a national set of security standards to protect certain health information that is held or transferred in electronic form. The Security Rule can be measured by protecting that contains in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “cover- entities” that will put in place to secure individuals “electronic protected health information” (e-PHI).

WHO IS COVERED BY THE SECURITY RULE? Health care provider Health plans Health care clearinghouses Medicare Prescription Drug Card Sponsors

WHAT INFORMATION IS PROTECTED? Electronic Protected Health Information.

GENERAL RULES – COVERED ENTITIES 1.Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; 2.Identify and protect against reasonably anticipated threats to the security or integrity of the information; 3.Protect against reasonably anticipated, impermissible uses or disclosures; and 4.Ensure compliance by their workforce.

Cont. Covered Entity – security measures to use: Its size, complexity, and capabilities, Its technical, hardware, and software infrastructure, The costs of security measures, and The likelihood and possible impact of potential risks to e-PHI.

RISK ANALYSIS AND MANAGEMENT Evaluate the likelihood and impact of potential risks to e- PHI; Implement appropriate security measures to address the risks identified in the risk analysis; Document the chosen security measures and, where required, the rationale for adopting those measures; Maintain continuous, reasonable, and appropriate security protections.

SECURITY RULE COMPLIANCE CONSIDERATIONS HIPAA compliance audits should be based on three things:  An Identification of the organization governance model.  A traditional screening  An Identification of the master rules Compliance Date : April 20, 2005 – April 20, 2006

HIPAA Security Rule audit process

SECURITY SAFEGUARDS Administrative Safeguards o Security Management Process o Assigned Security Responsibility o Workforce Security o Security Awareness and Training o Information Access Management o Security Incident Procedures o Contingency Plan o Evaluation o Business Associate Contracts and Other Arrangements

Cont. Physical Safeguards : o Facility Access Control o Workstation and Device Security Technical Safeguards o Access Control o Audit Control o Integrity Control o Person or Entity Authentication o Transmission Security

ORGANIZATIONAL REQUIREMENTS Covered Entity Responsibilities Business Associate Contracts

CHALLENGES Rapid increase of mobile devices User Training

SUMMARY OF THE HIPAA SECURITY RULE This is a summary of key elements of the Security Rule including who is covered, what information is protected, and what safeguards must be in place to ensure appropriate protection of electronic protected health information.

HIPAA SECURITY GAME