Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

Similar presentations


Presentation on theme: "HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003."— Presentation transcript:

1 HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003

2 2 Important Dates Final rule published February 20, 2003 Compliance: – April 21, 2005 for all covered entities except small health plans – April 21, 2006 for small health plans (as required under HIPAA)

3 3 HIPAA Security HIPAA Privacy covers what information you protect – the use and disclosure of PHI HIPAA Security covers how you protect that information and when – Adopt national standards for safeguards to protect the confidentiality, integrity, and availability of the data?

4 4 General Requirements Ensure – Confidentiality: who can see the information – Integrity: the information has not been altered in any way – Availability: it can be accessed on a timely basis

5 5 General Requirements Applies to electronic protected health information – Note that privacy extends to oral and written communications Applies to the electronic PHI that a covered entity: – Creates – Maintains – Transmits

6 6 General Requirements Covered entities must: – Protect against reasonably anticipated threats or hazards to the security or integrity of information – Protect against reasonably anticipated uses and disclosures as outlined in the privacy rule – Ensure compliance by workforce – Develop business associate contracts as appropriate

7 7 Overarching Themes Security is technology neutral – Outlines what needs to be done to protect the information, but not how it should be done Security is comprehensive – Covers the technical, administrative, and behavioral aspects of compliance

8 8 Basic Changes from NPRM Aligned with privacy (definitions and requirements for business associate contracts) Encryption is now addressable No requirement for certification Standards simplified and redundancy eliminated

9 9 Regulation Approach Scalability (size) and flexibility (implementation) Organizational approaches should account for: – Size – Complexity – Technical Infrastructure – Cost – Potential Security Risks

10 10 Regulation Approach Developed standards – Administrative – Physical – Technical Within each standard are a series of implementation specifics that can be either required or addressable

11 11 Regulation Approach Required – A MUST Addressable – a covered after conducting a documented risk analysis, may: – Implement a solution if reasonable and appropriate – Implement an equivalent measure, if reasonable and appropriate – Not implement

12 12 Administrative Standards Security Management – Risk analysis (R) – Risk management (R) Assigned Responsibility – single point Workforce Security – Termination procedures (A) – Clearance procedures (A)

13 13 Administrative Standards Information Access Management – Isolating clearinghouse (R) – Access authorization (A) Security Awareness and Training Security Incident Procedures Contingency Plan – Disaster Recovery Plan (R) Evaluation Business Associate Contracts

14 14 Physical Standards Facility Access Controls – all addressable – Contingency operations – Facility Security Plan – Access control – Maintenance records Workstation Use Workstation Security Device and Media Controls

15 15 Technical Standards Access Control – Unique user ID (R) – Emergency access (R) – Automatic logoff (A) – Encryption and decryption (A) Audit Controls Integrity Person or Entity Authentication Transmission Security

16 16 Sample Industry Approach Determine organizational position Conduct and document risk analysis – Determine threats and likelihood Develop strategies to implement for each of the standards – Implementation plan inclusive of timeline – For situations where no solution is being implemented (e.g., low threat/low risk) document rationale Develop and document policies and procedures Train workforce Implement processes Monitor and Evaluate

17 17 Implementation Progressing Organizations are moving ahead with risk assessments and have set timelines for compliance – Due to the overlap in Privacy the ground work for security has been implemented in many entities WEDI workgroups are developing guidance for industry-wide distribution More questions are devoted to security Covered entities are still focused on TCS compliance and may be behind in security efforts

18 18 Challenges Implementation – Conducting risk analysis Developing an approach and completing the analysis with enough time to implement the recommendations – Accessing expertise Especially difficult for small providers – Balancing between cost and capabilities – Understanding the unknown – there is no right answer Compliance strategies will be different for all covered entities – Dealing with TCS, extending contingency plans may hinder security progress

19 19 Challenges Enforcement - complaint driven – The overlap between privacy and security When does it go from being a violation of one to a violation of another A complaint may be initially identified as a privacy complaint, but contain a security breach – No right answer

20 20 Appendix - Chart The implementation specifics are outlined in the appendix.


Download ppt "HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003."

Similar presentations


Ads by Google