CAMP Med Building a Health Information Infrastructure to Support HIPAA Gary De Clute, IT Policy Consultant, UW-Madison, Division of Information Technology.


Slide 1: CAMP Med, Building a Health Information Infrastructure to Support HIPAA
Gary De Clute, IT Policy Consultant, UW-Madison, Division of Information Technology
Richard Konopacki, Network Group Manager, UW-Madison, Medical School
Copyright © 2005 University of Wisconsin Board of Regents. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Contact Gary De Clute, gdeclute@doit.wisc.edu, or Richard Konopacki, konopacki@waisman.wisc.edu.

Slide 2: Brief Overview of HIPAA
HIPAA is the "Health Insurance Portability and Accountability Act of 1996". It has two major parts:
- Insurance reform
- Administrative simplification

Slide 3: Insurance Reform
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. It:
- Limits "preexisting condition" exclusions
- Prohibits discrimination
- Guarantees availability
- Guarantees renewability

Slide 4: Administrative Simplification
Title II of HIPAA is "administrative simplification". It grew by accretion and now includes several parts:
- Transaction and Code Set Standards
- Identifier Standards
- Privacy Standards
- Security Standards

Slide 5: Transaction and Code Sets
Titled "Health Insurance Reform: Standards for Electronic Transactions", the rule "...adopts standards for eight electronic transactions and code sets to be used in those transactions..."
Published by HHS in the Federal Register on August 17th, 2000.

Slide 6: Identifier Standards
- Employer identifier: published May 31st, 2002, effective July 30th, 2004*
- Provider identifier: published Jan. 23rd, 2004, effective May 23rd, 2007*
- Health plan identifier: under development
* All except "small health plans"

Slide 7: Privacy Regulation
Titled "Standards for Privacy of Individually Identifiable Health Information", the rule exists "...to protect the privacy of individually identifiable health information..."
The proposed rule was published for comment on Nov. 3rd, 1999. It received 52,000 comments, many from individual consumers.

Slide 8: Privacy Regulation
The final rule was published on Dec. 28th, 2000. Afterward there were concerns about "...unintended negative effects of the Privacy Rule on health care quality or access to health care, and... unintended administrative burdens..."

Slide 9: Privacy Regulation
Congress passed a law to extend the deadline for implementation. The "revised" final rule was published on August 14th, 2002. The deadline for implementation for all except "small health plans" was April 14th, 2003.

Slide 10: Security Regulation
The proposed security rule was published by HHS for comment on Aug. 12th, 1998.
Of note: the proposed privacy rule was published for comment on Nov. 3rd, 1999, a year later. There was recognition that security is necessary to protect privacy. It was a good thought...

Slide 11: Security Regulation
The proposed security regulation was extensive and complex. It caused much concern and confusion and took a long time to resolve. In the final regulation, the responses to the comments are important in understanding what is intended.

Slide 12: Security Regulation
The final security regulation was published on February 20th, 2003. It was much simpler. Sigh of relief. Compliance required by April 20th, 2005.
But... the privacy rule deadline was April 14th, 2003 (just two months away!). How to assure privacy without security???

Slide 13: Security Regulation
The solution at UW-Madison was to have each unit of the "health care component" produce transition plans describing how the security regulation would be implemented and how security would be maintained in the interim.
- Do the best we can
- Show due diligence

Slide 14: Health Care Component (HCC)
A hybrid organization is one in which some units are under HIPAA and some are not. For a hybrid organization, the units to which HIPAA applies are in the "health care component" (HCC).

Slide 15: Security Regulation Organization
- There are administrative, physical and technical "safeguards".
- There are 18 "standards", some of which have multiple "implementation specifications".
- There are 42 implementation specifications.
- Each implementation specification is either "required" or "addressable".

Slide 16: Required Safeguards
The regulators state that these are "...so basic that no covered entity could effectively protect electronic protected health information without implementing them."
"When a standard includes required implementation specifications, a covered entity must implement the implementation specifications."

Slide 17: Required Safeguards
In the "general rules" of the regulation, the following applies to all safeguards: "Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications..."

Slide 18: Addressable Safeguards
Addressable does not mean "not required".
"When a standard includes addressable implementation specifications, a covered entity must-- (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and

Slide 19: Addressable Safeguards
(ii) As applicable to the entity-- (A) Implement the implementation specification if reasonable and appropriate; or (B) If implementing the implementation specification is not reasonable and appropriate-- (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and (2) Implement an equivalent alternative measure if reasonable and appropriate."

Slide 20: Reasonable or Appropriate
Everything one does for compliance with HIPAA should be "reasonable or appropriate". That includes both required and addressable safeguards.

Slide 21: Required vs. Addressable
- The options selected for implementation of required safeguards need to fall within the scope of the actual language of the regulation for that safeguard.
- The options selected for addressable safeguards can fall outside the scope of that language, but only if complying with the actual language would not be "reasonable or appropriate".

Slide 22: HIPAA Increases Risk
Why aren't we already employing such best practices? There is always a trade-off between cost and risk, and best practices are difficult (expensive).
HIPAA increases risk. How? The new risk is from audits, lawsuits, and criminal prosecutions.

Slide 23: Two Distinct Problems
- How to further mitigate the existing risk posed by attackers, thieves, etc.
- How to mitigate the new risk posed by audits, lawsuits and prosecutions.

Slide 24: Striking a Balance
How to focus on the primary problem (attackers, thieves) without neglecting the secondary problem (audits, lawsuits)?

Slide 25: Good News!
The security regulation is based on best practices. It asks us to do what we ought to be doing anyway in order to protect sensitive information. The exception is some HIPAA-specific paperwork.

Slide 26: General Solution: Risk Assessment
- What are the threats (probabilities)?
- What are the vulnerabilities (probabilities)?
- What of value are we protecting (impact on privacy, reputation, time, money)?
Risk = threats X vulnerabilities X values

Slide 27: Risk Assessment Inventory
Originally intended to help units of the HCC at Wisconsin to create their transition plan for reaching compliance. It:
- Measures compliance with the security regulation.
- Shows where improvement is needed.
- Demonstrates the start of due diligence.
- Also shows where we're doing well.

Slide 28: Risk Assessment Inventory
Instructions are to "grade" compliance on each safeguard using an A to F scale. A's, B's and C's are where we are doing well. Work on the D's and F's first; that's where we're probably not doing something "reasonable or appropriate". The net effect is that additional best practices get implemented in those places where they are needed the most.

Slide 29: Risk Assessment Inventory
At Wisconsin, the information security folks were ecstatic when they realized HIPAA would have that effect. From an information security perspective, HIPAA is not a distraction, it's an opportunity.

Slide 30: Risk Assessment Inventory Overview
- The model of a unit of the HCC.
- What are: technical assets, physical sites, and administrative subunits.
- How to identify an HCC unit's physical sites and administrative subunits.

Slide 31: Risk Assessment Inventory Process
- The process of filling out the instrument.
- The suggested grading scale.
- The need for a descriptive narrative.
- Some criteria for prioritizing risks.
- Delivery instructions.

Slide 32: Risk Assessment Inventory Instructions
- A description of the four sheets which form the actual inventory.
- Descriptions of the fields found on each of those sheets.
- How to score risks on each sheet.

Slide 33: The Four Inventory Sheets
- I. HCC Unit: names of the HCC unit, physical site(s) and admin subunit(s)
- II. Tech Assets: inventory of technical assets (servers, networks, workstations, peripherals, portables, and applications)
- III. Phys Site(s): inventory of physical sites (server rooms, office buildings, utility closets, etc.)
- IV. Admin Subunit(s): inventory of administrative subunits (different departments, research centers, etc.)

Slide 34: HIPAA Security Safeguards
The summary is on the sheet labeled "HIPAA Security Regs" (the last one in the workbook). It uses some actual language from the security regulation. One must read more, however, to understand what the regulators are really getting at (in particular: the definitions, and the comments and responses).

Slide 35: "HIPAA Security Regs"
Standard: "Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations."

Slide 36: "HIPAA Security Regs"
Section (Sec.): "164.308(a)(1)"
Implementation: "Risk Analysis (R)"

Slide 37: "HIPAA Security Regs"
Definition: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI held by the covered entity."

Slide 38: "HIPAA Security Regs"
Possible grading scale for required safeguards (RA = risk analysis):
- A. RA completed. Risks fully prioritized and follow-up actions scheduled.
- B. RA completed. Risks not yet prioritized and follow-up actions not scheduled.
- C. RA started but not completed. Top risk areas identified.
- D. RA planned and method being developed.
- F. RA not started.

Slide 39: Parting Thought
The HIPAA security regulation is only really asking us to do what we ought to be doing anyway in order to protect sensitive information. It is not a distraction (unless we get distracted!). It is an opportunity for improvement.

Slide 40: References
http://www.cms.hhs.gov/hipaa/
http://wiscinfo.doit.wisc.edu/policy/hipaa/
