The IT Vendor: HIPAA Security Savior for Smaller Health Plans?


1 The IT Vendor: HIPAA Security Savior for Smaller Health Plans?

2 Agenda
Milliman USA
- Definitions
- Problem
- Expectations
- Responsibilities by specification
- Collaboration benefits
- Implementation process

3 Vendor Defined
- Benefits system vendor
- TPA (third-party administrator)

4 Smaller Health Plan Defined
- Self-insured with 100 to 100,000 participants
- Activities
  – Enrollment
  – PHI management
  – Claims
  – Miscellaneous other
- Often single-employer or multi-employer plans

5 Flexibility in Rule
"Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications." (§164.306(b)(1))

6 Problem: Issue I
What measures are "reasonable and appropriate"?

7 Problem: Issue II
Are the costs of determining "reasonable and appropriate" measures themselves reasonable and appropriate?

8 Problem: Issue III
HIPAA requires both actions and documentation.

9 Problem: Health Plan Perspective
- Limited internal capabilities
- Consultants too expensive
- Boilerplates general and open-ended
- Vendor dependency for IT
- Document, document, document
- Who cares?

10 Problem: Vendor Perspective
- Not the covered entity
- Assume compliance
- Other client service priorities
- Who pays?
- Who cares?

11 Expectations
- Health plan: the vendor has solved this
- Vendor: the health plan is the covered entity
- Both: little chance of enforcement

12 Single Systems According to NIST
Components form a single system when they:
- Are under the same direct management control
- Have the same function or mission objective
- Have essentially the same operating characteristics and security needs
- Reside in the same general operating environment

13 Opportunity
- Overlapping features among installations and similar clients
- Half of the requirements are technical
- Vendor is the natural focus for plans
- Documentation similar among installations

14 Shortcomings of the Collaborative Approach
- Management control divided between vendor and health plan
- Installation-specific issues
- Coordination of the implementation process
- Responsibility = liability?
- Still not resource free

15 Responsibility by Specification
- Administrative (shared)
- Physical (primarily health plan)
- Technical (primarily vendor)

16 Administrative Safeguards (V = vendor, HP = health plan)
- Security management process (V/HP)
- Assigned security responsibility (HP)
- Information access management (V/HP)
- Training (HP)
- Incident procedures (V/HP)
- Contingency plan (V/HP)
- Evaluation (V/HP)
- Business associate contracts (HP)

17 Physical Safeguards
- Facility access controls (HP)
- Workstation use and security (HP)
- Device and media controls (HP primarily; vendor may provide DB backup)

18 Technical Safeguards
- Access controls (V)
- Audit controls (V)
- Data integrity (V)
- Entity authentication (V)
- Transmission security (V)

19 Example: Risk Assessment
- Exceeds the technical capabilities of smaller health plans
- Much of the assessment is similar for comparable plans on the same system

20 Example: Risk Assessment Components
1. EPHI boundary definition
2. Threat identification
3. Vulnerability identification
4. Security control analysis
5. Risk likelihood determination
6. Impact analysis
7. Risk determination
8. Security control recommendations

21 Example: Assigned Responsibility
A boilerplate job description can be edited by each health plan.

22 Example: Security Management Process
- Risk analysis focuses on the vendor system
- Risk management focuses on the vendor system
- Health plan determines sanction policy
- Vendor provides a tool for, or performs, system activity review

23 Example: Security Awareness and Training
- Vendor could provide:
  – Security reminders
  – Protection from malicious software
  – Log-in monitoring
  – Password management controls
- Training program options

24 Example: Device and Media Controls
- Disposal and media reuse; accountability systems
  – Vendor provides proposed guidelines to clients
  – Clients edit and implement the guidelines
- Data backup and storage: vendor may propose Internet and ASP options

25 Example: Access Controls
- Vendor system includes:
  – Unique user identification
  – Emergency access procedure
  – Automatic logoff
  – Encryption and decryption

26 Collaboration Benefits: Vendor
- Leadership
- Value-added service to clients
- Controlling health plan consultants
- Resolution of system security issues
- Improved market positioning

27 New Vendor Opportunities
- Secure backup services
- Installation-specific assistance
- Intrusion detection services
- Secure messaging and encryption
- Ongoing security management

28 Collaboration Benefits: Health Plan
- Spreading costs
- Managing HIPAA realistically
- Synergies

29 Vendor Implementation Options
- Serial approach: implement the internal solution, then involve clients
- Group solutions
  – User groups
  – Target clients
  – Workshops

30 Stumbling Blocks
- Variations among installations
- Health plan-specific issues
- Coordination
- Vendor apathy
- Resources

31 Implementation Process
- Vendor acceptance
- Determine strategy
- Assess resource needs
- Evaluate vendor system
- Modify system as needed
- Prepare template policies
- Implement policies at installations

32 Strategic Issues
- Health plan-centered or vendor-centered approach
- Security program structure
- Implementation sequence
- Cost structure
- Kick-off

33 Next Steps: Vendor
- Conduct preliminary system assessment
- Develop client participation strategy
- Develop cost strategy
- Prepare boilerplate materials
- Communicate program

34 Next Steps: Health Plan
- Develop proposal
- Approach vendor
- Approach other vendor users

35 Questions? The IT Vendor?

36 John L. Phelan, Ph.D.
Health Management and Technology Consultant
Telephone: 818/707-7818
E-mail: john.phelan@milliman.com
