Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

Published byAlisha Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)"— Presentation transcript:

1 1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)

2 2 Agenda  Role of CMS  Security Rule Overview  CMS’ HIPAA Security Strategy  Providence Resolution Agreement  Summary & Conclusion  Q&A

3 3 Role of CMS  CMS has delegated authority to enforce the non-privacy provisions of the HIPAA regulations:  Transactions and Code Sets  Identifiers (NPI, EIN)  Security  CMS is responsible for HIPAA enforcement as well as:  Regulatory/Policy Interpretation  Outreach and Education  Guidance and FAQs  New Regulations (including other ehealth related issues e.g. eRx)

4 4 Security Rule Overview  Applies to Electronic Protected Health Information (EPHI) that a covered entity creates, receives, maintains, or transmits  Scalability/Flexibility  Based on organization size, complexity, technical capabilities and infrastructure, cost of security measures and potential security risks  Technologically Neutral  Describes “what” needs to be done vs. “how” it is to be done  Standards are required but the implementation specifications may be either required or addressable

5 5 CMS’ HIPAA Security Strategy  CMS takes a three-prong approach to HIPAA Security. The three prongs are:  Outreach & Education  Enforcement  Compliance Reviews

6 6 Outreach and Education Efforts  Federal and Non-Federal Collaboration  Develop/Disseminate Educational & Guidance Materials  Security Papers 1. Administrative, Physical and Technical Safeguards 2. Basics of Risk Analysis and Risk Management 3. Implementation for the Small Provider  Frequently Asked Questions  Security Compliance Review Checklist  Remote Use and Access Guidance  The materials can be found on the CMS Website at: http://www.cms.hhs.govhttp://www.cms.hhs.gov (under the link for Regulations and Guidance).

7 7 Outreach & Education - Remote Use & Access Guidance Rationale  Increased risk to protected health information  Associated with increased remote access to EPHI  Increase in workforce mobility  Increase in use of portable media storage devices  Recent security related incidents  Reported loss or theft of devices containing EPHI  Reported access to health information by unauthorized users

8 8  Published December 28, 2006  Reiterates requirements of the HIPAA Security Rule  Identifies strategies consistent with organizational capabilities (Scalable and Flexible)  Pertains to Access, Storage and Transmission of EPHI  Three categories of action highlighted: 1. Conducting Security Risk Assessment 2. Developing and Implementing Policies and Procedures 3. Implementing Mitigation Strategies Outreach & Education - Highlights of Remote Access Guidance

9 9 HIPAA Security Enforcement – Current Process  Review complaint to determine validity and scope  Notify “Filed Against Entity” (FAE) of complaint  Request specific documents from the FAE  Assess documents to determine if they: 1. Demonstrate compliance 2. Demonstrate the need for a Corrective Action Plan (CAP)  Monitor CAPs to completion  Close complaint upon demonstration of compliance  Issue closure correspondence to all parties

10 10 HIPAA Security Enforcement – Overlapping Complaints  CMS and the Office for Civil Rights (OCR) collaborate on cases that overlap the Security and Privacy Rules  Approximately 70% of the CMS Security cases are referrals from OCR  Majority of Security complaints – allegation of inappropriate access and risk of inappropriate disclosure

11 11 HIPAA Security Enforcement - Complaint Categories  Unauthorized access to EPHI  Employees or relatives accessing EPHI  Loss or theft of devices containing EPHI  Small volume of complaints; large volume of records  Insufficient access controls for systems containing EPHI  Shared passwords  Encryption  CMS has received 350 Security Rule complaints  102 cases are open  248 case have been resolved

12 12 Onsite HIPAA Security Compliance Reviews  Contracted with Price Waterhouse Coopers (PwC) for 10 reviews in 2008  Reviews place emphasis on remote use and access issues  CMS publishes de-identified post-review information  Initial target:  Entities against whom a complaint has been filed and  Reported risk to security of large volume of records  The compliance reviews will be used as a tool to achieve voluntary compliance

13 13  Compliance reviews have revealed several key areas of vulnerability to include: 1. Lack of encryption for portable devices and media 2. Lack of verification of role-based access privileges  Reviews have resulted in CAPs that include: 1. Policies and procedures for remote use/access 2. Designation of internal security audit personnel  Compliance review cases are generally closed when CMS verifies completion of CAP Onsite HIPAA Security Compliance Reviews - Continued

14 14 OIG Security Audit Initiative  Objective is to determine if certain covered entities have implemented measures in accordance with provisions of the HIPAA Security Rule  The recent OIG review of Piedmont Hospital highlighted issues related to:  Technical safeguard vulnerabilities for wireless communications  Vulnerabilities involving physical access to electronic information systems and the facilities  Administrative safeguard vulnerability related to business associate contracts

15 15 Providence Resolution Agreement – What Does it Mean?  Background:  Case involved 386,000 unencrypted patient records  $100,000 resolution amount paid to HHS  3 year corrective action monitoring  Significance:  Landmark case – First resulting in monetary fine  Sets the stage for similar action for similar cases  Represents the evolution of CMS’ enforcement efforts

16 16 Summary & Conclusion  Security provides opportunity and obligation  CMS’ three-pronged approach:  Outreach and Education  Enforcement  Compliance Review  Consequences of non-compliance:  Loss of resources  Loss of time  Loss of TRUST

17 17 Discussion and Questions

Download ppt "1 HIPAA Security Overview Centers for Medicare & Medicaid Services (CMS)"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Regulations What do you need to know?.

HIPAA Regulations What do you need to know?.
HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.

HIPAA Security Risk Overview Lynne Shoemaker, RHIA, CHP, CHC OCHIN Integrity Officer Daniel M. Briley, CISSP, CIPP Summit Security Group.
Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.

Health Insurance Portability Accountability Act of 1996 HIPAA for Researchers: IRB Related Issues HSC USC IRB.
1 Electronic Transactions and Code Sets Enforcement CMS Office of HIPAA Standards.

1 Electronic Transactions and Code Sets Enforcement CMS Office of HIPAA Standards.
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.

HIPAA COMPLIANCE IN YOUR PRACTICE MARIBEL VALENTIN, ESQUIRE.
Implementing and Enforcing the HIPAA Privacy Rule.

Implementing and Enforcing the HIPAA Privacy Rule.

Similar presentations

Ads by Google