The IT Vendor: HIPAA Security Savior for Smaller Health Plans?
Milliman USA

Agenda
– Definitions
– Problem
– Expectations
– Responsibilities by specification
– Collaboration benefits
– Implementation process

Vendor defined
– Benefits system vendor
– TPA (third-party administrator)

Smaller health plan defined
– Self-insured, with 100 to 100,000 participants
– Activities: enrollment, PHI management, claims, miscellaneous other
– Often single-employer or multi-employer plans

Flexibility in the Rule
"Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications." -- § (b)(1)

Problem: Issue I
What measures are "reasonable and appropriate"?

Problem: Issue II
Are the costs of determining which measures are "reasonable and appropriate" themselves reasonable and appropriate?

Problem: Issue III
HIPAA requires both actions and documentation.

Problem: Health plan perspective
– Limited internal capabilities
– Consultants too expensive
– Boilerplates general and open-ended
– Vendor dependency for IT
– Document, document, document
– Who cares?

Problem: Vendor perspective
– Not the covered entity
– Assumes compliance
– Other client service priorities
– Who pays?
– Who cares?

Expectations
– Health plan: the vendor has solved this
– Vendor: the health plan is the covered entity
– Both: little chance of enforcement

Single systems according to NIST
Components of a single system:
– Are under the same direct management control
– Have the same function or mission objective
– Have essentially the same operating characteristics and security needs
– Reside in the same general operating environment

Opportunity
– Overlapping features among installations and similar clients
– Half of the requirements are technical
– The vendor is the natural focal point for plans
– Documentation is similar among installations

Shortcomings of the collaborative approach
– Management control divided between vendor and health plan
– Installation-specific issues
– Coordination of the implementation process
– Responsibility = liability?
– Still not resource free

Responsibility by specification (V = vendor, HP = health plan)
– Administrative (shared)
– Physical (primarily health plan)
– Technical (primarily vendor)

Administrative safeguards
– Security management process (V/HP)
– Assigned security responsibility (HP)
– Information access management (V/HP)
– Training (HP)
– Incident procedures (V/HP)
– Contingency plan (V/HP)
– Evaluation (V/HP)
– Business associate contracts (HP)

Physical safeguards
– Facility access controls (HP)
– Workstation use and security (HP)
– Device and media controls (HP primarily; vendor may provide DB backup)

Technical safeguards
– Access controls (V)
– Audit controls (V)
– Data integrity (V)
– Entity authentication (V)
– Transmission security (V)

Example: Risk assessment
– Exceeds the technical capabilities of smaller health plans
– Much of the assessment is similar for comparable plans running the same system

Example: Risk assessment components
1. EPHI boundary definition
2. Threat identification
3. Vulnerability identification
4. Security control analysis
5. Risk likelihood determination
6. Impact analysis
7. Risk determination
8. Security control recommendations

Example: Assigned security responsibility
A boilerplate job description that each health plan can edit.

Example: Security management process
– Risk analysis focuses on the vendor system
– Risk management focuses on the vendor system
– Health plan determines the sanction policy
– Vendor provides a tool for, or performs, system activity review

Example: Security awareness and training
– Vendor could provide:
  – Security reminders
  – Protection from malicious software
  – Log-in monitoring
  – Password management controls
– Training program options

Example: Device and media controls
– Disposal and media reuse; accountability systems
  – Vendor provides proposed guidelines to clients
  – Clients edit and implement the guidelines
– Data backup and storage: vendor may propose Internet and ASP options

Example: Access controls
Vendor system includes:
– Unique user identification
– Emergency access procedure
– Automatic logoff
– Encryption and decryption
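What the vendor's share of the technical safeguards looks like in application code, as an added illustration that is not part of the original presentation or of any Milliman or vendor product: unique per-person user IDs, log-in monitoring with lockout (from the awareness-and-training slide), automatic logoff on inactivity, a break-glass emergency access path that must be justified and is always recorded, and an append-only audit trail that the health plan can review. The class and function names, the 15-minute idle timeout, the five-attempt lockout threshold and the sample users are all assumptions made for the example.

```python
"""Added example: minimal model of HIPAA technical-safeguard mechanics
a benefits-system vendor would build into the application.  Names,
thresholds and sample users are hypothetical."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60     # automatic logoff after 15 minutes idle (assumed policy value)
MAX_FAILED_LOGINS = 5        # log-in monitoring: lock the account at this count (assumed)


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a stolen user table does not yield passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str          # unique per person; no shared "claims_dept" logins
    salt: bytes
    pw_hash: bytes
    roles: set
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str
    last_activity: float
    break_glass: bool = False


class EphiSystem:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so idle timeout can be exercised offline
        self.users = {}
        self.sessions = {}
        self.audit = []             # audit controls: every access decision is appended here

    def _log(self, event: str, **fields):
        self.audit.append({"ts": self.clock(), "event": event, **fields})

    def add_user(self, user_id: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, _hash_pw(password, salt), set(roles))

    def login(self, user_id: str, password: str):
        """Entity authentication plus log-in monitoring; returns a session token or None."""
        u = self.users.get(user_id)
        if u is None or u.locked:
            self._log("login_denied", user=user_id, reason="unknown_or_locked")
            return None
        if not hmac.compare_digest(_hash_pw(password, u.salt), u.pw_hash):
            u.failed_logins += 1
            self._log("login_failed", user=user_id, count=u.failed_logins)
            if u.failed_logins >= MAX_FAILED_LOGINS:
                u.locked = True
                self._log("account_locked", user=user_id)
            return None
        u.failed_logins = 0
        token = os.urandom(16).hex()
        self.sessions[token] = Session(user_id, self.clock())
        self._log("login_ok", user=user_id)
        return token

    def _session(self, token: str):
        """Automatic logoff: an idle session is dropped on its next use."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if self.clock() - s.last_activity > IDLE_TIMEOUT_S:
            del self.sessions[token]
            self._log("auto_logoff", user=s.user_id)
            return None
        s.last_activity = self.clock()
        return s

    def break_glass(self, token: str, reason: str) -> bool:
        """Emergency access procedure: granted only with a stated reason, always logged."""
        s = self._session(token)
        if s is None or not reason.strip():
            return False
        s.break_glass = True
        self._log("break_glass", user=s.user_id, reason=reason)
        return True

    def read_record(self, token: str, member_id: str):
        """Role-based access to a member's EPHI; both grants and denials are audited."""
        s = self._session(token)
        if s is None:
            return None
        u = self.users[s.user_id]
        if "claims" in u.roles or s.break_glass:
            self._log("phi_read", user=u.user_id, member=member_id, break_glass=s.break_glass)
            return f"record:{member_id}"
        self._log("phi_denied", user=u.user_id, member=member_id)
        return None


if __name__ == "__main__":
    sysm = EphiSystem()
    sysm.add_user("jdoe", "correct horse battery", ["claims"])
    tok = sysm.login("jdoe", "correct horse battery")
    print(sysm.read_record(tok, "M0001"))
    for e in sysm.audit:
        print(e)
```

The point for the health plan side is the audit list: the vendor builds the controls, but the plan's security officer still has to review the break_glass and account_locked events that the system produces, which is the "system activity review" split shown on the security management process slide.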

Collaboration benefits: Vendor
– Leadership
– Value-added service to clients
– Controlling health plan consultants
– Resolution of system security issues
– Improved market positioning

New vendor opportunities
– Secure backup services
– Installation-specific assistance
– Intrusion detection services
– Secure messaging and encryption
– Ongoing security management

Collaboration benefits: Health plan
– Spreading costs
– Managing HIPAA realistically
– Synergies

Vendor implementation options
– Serial approach: implement the internal solution, then involve clients
– Group solutions:
  – User groups
  – Target clients
  – Workshops

Stumbling blocks
– Variations among installs
– Health plan-specific issues
– Coordination
– Vendor apathy
– Resources

Implementation process
– Vendor acceptance
– Determine strategy
– Assess resource needs
– Evaluate vendor system
– Modify system as needed
– Prepare template policies
– Implement policies at installations

Strategic issues
– Health plan-centered or vendor-centered approach
– Security program structure
– Implementation sequence
– Cost structure
– Kick-off

Next steps: Vendor
– Conduct preliminary system assessment
– Develop client participation strategy
– Develop cost strategy
– Prepare boilerplate materials
– Communicate the program

Next steps: Health plan
– Develop proposal
– Approach vendor
– Approach other users of the vendor's system

Questions? The IT Vendor?

John L. Phelan, Ph.D. Health Management and Technology Consultant Telephone: 818/