HIPAA
Health Insurance Portability & Accountability Act
Administrative Simplification
HIPAA 101
Presented by…
• Ken Franz, Senior Manager, Ernst & Young LLP
• Mike McDermand, VP Healthcare Solutions, Computer Associates
• Ken Vander Wal, Partner, Ernst & Young LLP
Presentation Overview
• HIPAA Background and Purpose
• Transactions, Code Sets and National Health Identifiers
• Privacy
• Security
• Getting Started
HIPAA Background and Purpose
HIPAA is one of the most far-reaching pieces of healthcare legislation ever enacted...
• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets forth specific provisions for:
– Standardized health information transactions
– Standardization of code sets (e.g., CPT, ICD, etc.)
– National identifiers for providers, health plans/payers and employers
– Security and privacy of health information
• HIPAA regulations represent both risks and opportunities for healthcare payers and providers:
– Risk of fines for exposure of health information: payers and providers have the responsibility to comply with requirements that protect the privacy of health information, a topic of increasing concern to consumers and regulators
– Opportunity to leverage the intended simplification of HIPAA for administrative cost savings and implementation of eCommerce solutions
... and will affect Health Plans, Healthcare Clearinghouses and Healthcare Providers.
The goals of the Administrative Simplification are to improve efficiency and effectiveness of the health care system by standardizing the electronic exchange of administrative and financial data.
HIPAA Quick Reference Card
February 2003, © Ernst & Young LLP

HIPAA
• Title I: Portability
• Title II: Administrative Simplification (Transaction Standards, Standard Code Sets, Unique Health Identifiers, Privacy, Security)
• Titles III, IV, and V

Compliance Dates
• Privacy: 04/14/03
• Transactions & Code Sets: 10/16/03
• Employer ID: 07/30/04
• Security: 04/21/05

Transaction Standards
• Key Elements
– Data Element: Required vs. Optional; Format; Codes; Values
– Transaction Sets: Eligibility - 270/271; Referral Certification and Authorization - 278; Claims - 837; Claim Status - 276/277; Claim Payment and Remittance Advice - 835; Benefit Enrollment and Maintenance - 834; Premium Payments - 820; Additional Information to Support Claims/Encounters (not yet final) - 275; First Report of Injury (not yet final) - 148
• ASC X12N version 4010 mandated
• NCPDP 5.1 mandated for pharmacy transactions (claims, eligibility and payment/remittance)

Standard Code Sets
• Medical Codes: ICD-9-CM; CPT-4; HCPCS; CDT; NDC (retail pharmacy)
• Limitations: No local codes

Unique Health Identifiers
• Provider: Single NPI: 10 position numeric, one digit checksum (no location code)
• Health Plan (no NPRM issued): 10+3 position numeric, one digit checksum; Sub-ID may appear on health card & direct EDI
• Employer: Taxpayer ID Number assigned by the IRS; Alphanumeric field in standard transactions
• Individual: Unlikely to be finalized

Privacy
• Covers protected health information (PHI) stored or transmitted in any form or medium: electronic, paper and oral
• Minimum uses and disclosures
• Consents optional for non-routine and authorizations required for routine uses and disclosures
• Individual rights: access, amendment, restriction and accounting
• Notice of privacy practices mandated
• Business associate contracts required
• Designated Privacy Official

Security Requirements
• Administrative Safeguards: Security Management; Designated Security Official; Workforce Security; Access Management; Awareness and Training; Security Incident Procedures; Contingency Plan; Evaluation; Business Associate Contracts
• Technical Safeguards: Access and Audit Controls; Integrity; Person/Entity Authentication; Transmission Security
• Physical Safeguards: Facility Access Controls; Workstation Use and Security; Device and Media Controls
• Organizational Requirements
• Policies, Procs & Documentation

For more information on how HIPAA can create business opportunities for your organization, please contact:
• Ken Vander Wal (312) 879-2158
• Ken Frantz (215) 448-5063
• Sydney Schips (954) 888-8055
• Frank O’Roark (804) 677-4383
• Beth Pumo (216) 583-8061
HIPAA impacts Physicians, Care Providers, Health Information Managers, Revenue Cycle Personnel, Patients, Health Plans
• Physician Impact: Patient Care, Documentation, and Confidentiality
• Operations Impact: Health Information, Medical Records, Member, Patient and Physician Relations
• Revenue Cycle Impact: Patient Accounts, Provider-Payer Communication, Administrative Simplification
• Patient Impact: Increased focus on privacy, health information management, enhanced physician-hospital communication
HIPAA enables healthcare organizations to capitalize on, not just conform to, e-Business opportunities with key constituents ...
Connected Community Business Model: eCompany, eCommerce, eInformation, eConomy
The healthcare organization and its key constituents:
• Customers: Patients, Physicians, Employers, Info Users
• Partners: Payers, Providers, Community Organizations, Regulators
• Suppliers: Medical suppliers, Pharmaceuticals, Reference Labs, Financial svc. companies
• Employees: Administrative, Clinical, Operations, Management
HIPAA is inextricably linked to an organization’s strategic business initiatives…
The HIPAA requirements are inextricably linked to those business objectives which will help organizations achieve a strategic advantage within this new connected community business model:
– Enables entities to fully utilize the internet for e-Commerce including transmission of claims and other connectivity with business partners and users;
– Federally mandated new standards for Electronic Data Interchange (EDI) to support paperless patient account environments, improve cash flow, and reduce cost of billing and collections;
– Electronic Medical Record to provide enterprise-wide access to critical health information; and,
– Enterprise Decision Support Information
An organization simply will not be able to discuss these objectives without considering the compliance or enabling implications of the HIPAA requirements.
Implications of HIPAA are significant across the health industry…
• Assessment and implementation will take time, planning, resources, and change; this is not an overnight fix
• Security and privacy are primary consumer concerns; not addressing them proactively will result in the loss of trust, credibility, and potentially revenue
• Penalties and fines are modest for non-compliance with transactions; civil and criminal penalties for non-compliance with security and privacy are more severe. However, the major impact is on the ability to do business
“Without safeguards to assure that obtaining health care will not endanger our privacy, public distrust could turn the clock back on progress in our entire health care system.”
– Former Secretary Shalala, Department of Health & Human Services
Transactions, Code Sets and National Health Identifiers

Transactions, Code Sets and National Health Identifiers - Overview
• Substantive “meat” of the activity within the Department of Health and Human Services for rule making since the legislation was passed.
• Constitutes the means for Administrative Simplification and Portability.
• Will affect both Payers and Providers to a differing degree.
• Payers, clearinghouses and software vendors will clearly have the majority of the burden to remediate their information systems.
• Providers should be aware of the “state of readiness” of these third parties and be prepared for changes they must make to their infrastructure.
• Also, to the extent they may develop and maintain custom applications, Providers will have a responsibility to remediate their own applications, or customization to vendor-supplied applications.
• Organizations should also anticipate impacts on key business processes.
The transaction standards include:
• 270/271 Inquiry/Response for Eligibility: Inquiry/response for verification of an individual’s eligibility, benefits and coverage.
• 276/277 Inquiry/Response for Claims Status: Request/response for health claim status.
• 277 Unsolicited Request for Additional Info: Health care claim request for additional information needed to complete the adjudication process.
• 275 Request for Additional Support for Claim: Request for additional information to support a health care claim and/or encounter. This transaction has finalized the HL7 embedded portion of the standard but has not finalized the ANSI portion. NOTE: This transaction is scheduled to be finalized at a later date.
• 835 Health Care Payment/Advice: Payment of healthcare claims and transfer of remittance advice (EOB) to providers.
• 834 Benefit and Enrollment Maintenance: Receive enrollment information for insurance coverage benefits or policy from other sponsors of insurance coverage.
• 820 Premium Payment/Order Remittance Advice: Receive payroll deductions & other group premium payments from employers for insurance products. Additionally there is an 811 transaction (Consolidated Billing) that is complementary to the 820 transaction, but is not required as part of HIPAA.
• 837 Health Care Claim: Receive health care claims and encounters from providers.
• 278 Authorizations and Referrals: Receive and respond to requests for authorization or certification from providers.
• First Report of Injury: This transaction set has not yet been finalized.

Frequently Asked Questions (FAQs)
1. Can health care providers/payers selectively implement transaction standards? No, all transactions will be covered including: health claims, enrollment & disenrollment, eligibility, payment and remittance advice, premium payments, claim status, referral, certification & authorization and COB. Standards for first report of injury will be proposed at a later date.
Summary of HIPAA Transactions
HIPAA Transactions: ASC X12N (Insurance) TG3 WG2 (Task Group 3 (Modeling), Work Group 2 (Health Care Insurance))
Parties shown: Patient/Subscriber, Provider, Payer, Sponsor
• Sponsor to Payer: Enrollment 834; Premium Payment 820
• Provider and Payer: Eligibility Inquiry 270 / Eligibility Response 271; Request for Review 278 / Review Response 278; Claim/Encounter 837; Remittance Advice 835; Status Inquiry 276 / Status Response 277; Attachments 275/HL7; Request Additional Information 277
• Other flows in the diagram: Patient Information and Subscriber Information (to Provider); Prior Authorization/Referral/CMN; Claim/Encounter; Claim Status; Premium Payment; COB Claim (between payers)
First Set of Transactions
• Based on existing X12N (version 4010), NCPDP and ADA transactions.
• The X12N standard for claims includes standard information for coordination of benefits.
• Final rules on transactions were published 8/17/00 and became effective 10/16/00. HR 3323 was signed into law on 12/27/2001 allowing for a one-year extension if a compliance plan was submitted to DHHS by 10/15/2002.
• Implementation required by 10/16/2002 if no compliance plan was submitted and 10/16/2003 if a compliance plan was submitted (small health plans are to be compliant by 10/16/2004).
• Changes in the standards can occur as often as once a year with 6 months notice.
Do not underestimate the effort to achieve transactions, code sets, identifiers compliance…
Compliance remediation activity package, with responsibility split between Vendor and Provider:
• Base Software
• Testing Base Software Remediation
• Operational processes, policies, procedures
• Software adaptations using vendor tools
• Custom queries
• Report writing subsystems
• Inhouse converter/translation tables, databases, repositories, warehouses
• Interfaces
Code sets are unique coding standards used to identify diagnostic procedures, diagnosis and medical supplies on health care claims and billing forms.
• ICD-9-CM: International classification of diseases and diagnosis. This code is used to identify an individual’s disease and/or diagnosis on a health care claim or encounter. There are three levels of ICD-9 codes: Level I - Diagnoses; Level II - Diagnoses; Level III - Procedures.
• HCPCS: Standard codes used by Medicare to identify procedures performed by a provider on an individual on a health care claim and encounter.
• CPT 4: Standard procedure code used by the health care industry to identify the procedure performed on the individual by the provider on a health care claim and encounter.
• CDT: National standard dental codes and terminology used to identify dental diagnosis on dental claims.
• NDC: National standard drug codes used to identify drugs on a health care claim or encounter.

Frequently Asked Questions (FAQs)
1. Can local codes continue to be used? All local codes will be eliminated once the new standard codes are implemented.
2. Will health organizations be able to apply for exceptions? Organizations will be able to apply to Health and Human Services (HHS) for exceptions in unusual cases where codes are required but do not currently exist.
3. Will the implementation of new code set standards eliminate state specific codes? The new code sets are not intended to eliminate state specific codes but will eliminate redundant codes. States will have to apply for an HHS exception to continue to use state specific codes.
4. When will ICD-10 and CPT-5 codes be implemented? ICD-10 and CPT-5 code sets will not be implemented before 2005.
Health Identifiers are assigned numbers and/or alphanumeric characters used to identify a provider, provider group or organization, health plan (payer) and employer needed to process all health encounter and claim information.
• Plan ID (Health Plan): National standard plan identification number to be used by all health plans, employers and other health care participants to provide efficient electronic data interchange and health care administrative process.
• NPI (Provider): Unique identification number for health care providers that will be used by all health plans. Health care providers, all health plans and clearinghouses will use the NPIs in administrative and financial transactions specified by HIPAA.
• EIN (Employer): Unique identification number (the employer Tax ID number) used to identify employers and employer groups. EIN is used to simplify administrative and financial transactions specified by HIPAA.

Frequently Asked Questions (FAQs)
1. What is the NPI? The NPI is a unique identification number for health care providers. As of the most recent information available, the NPI will be a 10 digit numeric code randomly assigned to health providers.
2. Does the NPI replace the Tax Identification Number? The NPI will not replace the TIN but will eventually replace the UPIN.
3. Will the NPI contain embedded logic or local designation codes? The NPI will not contain any embedded logic. At this time, local designations are being considered but it is unlikely they will be included in the final ruling.
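The quick reference card gives the NPI format only as "10 position numeric, one digit checksum". The following is an added example, not code from the presentation: it validates that check digit using the Luhn scheme with the constant prefix 80840 that the final NPI rule adopted after this deck was written, and rejects malformed or mistyped identifiers at an input boundary. The sample identifiers are constructed.

```python
"""NPI check-digit validation (added example; not code from the E&Y deck).

The quick reference card describes the NPI only as "10 position numeric,
one digit checksum".  The scheme adopted in the final NPI rule is the Luhn
check digit (ISO/IEC 7812-1) computed over the 9 base digits with the
constant prefix 80840 prepended (80 = health applications, 840 = USA).
The prefix is never part of the transmitted NPI; it only feeds the checksum.
"""
import re

NPI_PREFIX = "80840"  # constant card-issuer prefix, used only in the checksum

# Constructed sample identifiers, as they might arrive in an inbound
# transaction feed: two well-formed, one with a bad check digit, one short.
SAMPLE_PROVIDER_IDS = ["1234567893", "1234567890", "12345678", "9876543213"]


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum of a digit string to which a check digit will be appended.

    Working from the rightmost digit, every other digit (starting with the
    rightmost) is doubled and the digits of the doubled value are summed,
    so 10 -> 1 and 18 -> 9.
    """
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 0:      # rightmost payload digit is doubled
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of d
        total += d
    return total


def npi_check_digit(base: str) -> int:
    """Return the Luhn check digit for a 9-digit NPI base.

    Because the 80840 prefix always contributes 24 to the Luhn sum, this
    equals (10 - (luhn_sum(base) + 24) % 10) % 10; the explicit form is kept
    so the derivation matches the published procedure.
    """
    if not re.fullmatch(r"\d{9}", base):
        raise ValueError("NPI base must be exactly 9 digits")
    return (10 - luhn_sum(NPI_PREFIX + base) % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is exactly 10 digits and its last digit is the Luhn check digit."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def validate_batch(candidates: list) -> dict:
    """Classify each candidate identifier for an input-validation step.

    Returns {candidate: verdict} where verdict is "ok", a "malformed: ..."
    message, or a "check digit mismatch ..." message.  Rejecting malformed or
    mistyped identifiers at the boundary keeps bad provider keys out of
    downstream claim and eligibility processing.
    """
    verdicts = {}
    for c in candidates:
        if not re.fullmatch(r"\d{10}", c):
            verdicts[c] = "malformed: NPI must be exactly 10 digits"
        elif not is_valid_npi(c):
            verdicts[c] = "check digit mismatch (expected %d)" % npi_check_digit(c[:9])
        else:
            verdicts[c] = "ok"
    return verdicts


if __name__ == "__main__":
    for npi, verdict in validate_batch(SAMPLE_PROVIDER_IDS).items():
        print(npi, "->", verdict)
```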
Privacy and Security

There are a multitude of privacy and security violations
• A Michigan health care system accidentally posted medical records of thousands of patients on the Internet.
• An employee of the Tampa health department took a computer disk containing names of 4000 HIV positive patients. The disks went to two newspapers.
• HCFA 1500 billing forms “blew out” of a truck going down I-95 in Connecticut.
• Two health care organizations in Washington state were found discarding medical reports in unlocked dumpsters.
• More listed on the Health Privacy Project website (Institute for Health Care Research and Policy from Georgetown University) at www.healthprivacy.org.
HIPAA Privacy/Security Architecture
• Drivers: HIPAA, NAIC, HEDIS, CMS, and JCAHO Compliance; Risk Management, Efficiency Enhancement, Business Process Enablement
• Business Strategy; Governance, Policy & Standards; Compliance Metrics, Certification, and Monitoring; Technical Security Architecture
• Management layers: Organizational Management; Operations Management; Technology Management
• Security properties: Integrity; Availability
• Elements: People, Process, Technology
– People Element of Information and Systems Management: Roles, Responsibilities, and Practices for Handling and Using IIHI
– Process Element of Information and Systems Management
– Technology Element of Information and Systems Management
– Method to Monitor and Maintain Architecture Integrity
• Information Profile
– Identification of IIHI and Where It Resides
– Rules for Using and Protecting IIHI
– Identification of Sensitive Business Information such as Legal, Financial, Strategic, HR, Etc. and Where it Resides
– Rule for Protection and Use of Enterprise Information
• Technology Profile
– Network and System Architecture and other Tools to Protect IIHI
– Security Impact of Enterprise Network and System Architecture: Vulnerabilities on non-PHI Systems may Expose PHI
– Security configuration and management of systems hosting IIHI
• Operations
– Practices for Monitoring the Security and Use of IIHI
– Practices for Supporting Operations (Tape Backup, Application Execution, Etc.) on Systems Hosting IIHI
Highlights of Privacy Rule
HHS Secretary Thompson - August 14, 2002: The Privacy Rule “strikes a common sense balance by providing consumers with personal privacy protections and access to high quality health care.”
Privacy Rule is:
– Flexible and Scalable
– Workable
– Balanced
HIPAA Privacy Regulations
• Final rules were published 12/28/00 and became effective 04/14/01
• Implementation date of 04/14/03 (4/14/04 for Small Health Plans)
• Applies to: Any entity collecting, creating, maintaining or disseminating individually identifiable health information (IIHI)
Privacy - Overview
The burden of ensuring privacy of protected health information (PHI) will disproportionately lie with the providers and is the most far-reaching of the HIPAA requirements to implement.
It is important for an organization to consider the potential impact of changes implemented to comply with the privacy (and security) requirements, and to consider other important organization values and objectives when designing solution alternatives, such as:
– Support the necessary flow of patient information to physicians and other caregivers for the purposes of continuity of care
– Support the needs of legitimate research and quality management initiatives
– Manage accounts receivable
– Manage the cost of clinical and support operations
– Maintain fair and collegial relationships with business associates
It is important to engage internal or external legal counsel and risk management or compliance departments in the planning process for purposes of legal interpretation and ensuring that policies or practices recommended are consistent with the organization’s overall ideals.
Individually Identifiable Health Information
Any information, including demographic information collected from an individual, that
– is created or received by a health care provider, health plan, employer or health care clearinghouse, and
– relates to
• the past, present or future physical or mental health or condition of an individual,
• the provision of health care to an individual, or
• the past, present or future payment for the provision of health care to an individual
– and identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
PHI – Individually Identifiable Data Elements
• Name
• Address (Street Address, City, County, Zip Code or Other Geographic Codes)
• Names of Relatives
• Names of Employers
• Birth Date
• Telephone Number
• Fax Number
• Email Addresses
• Social Security Number
• Medical Record Number
• Health Plan Beneficiary Number
• Account Number
• Certificate/License Number
• Vehicle or Device Serial Number
• Web URL
• Internet Protocol (IP) Address
• Finger or Voice Prints
• Photographic Images
• Any other unique identifying number, characteristic, or code (whether generally available in the public realm or not)
Five Key Areas of Privacy Standards
• Boundaries: Information used only for intended purpose; Consumer disclosure statement
• Security: Administrative, technical, and physical safeguards to keep information confidential, private and secure within internal systems and internal/external communications networks.
• Consumer Control: Informed consent to use information; Right to access and amend information; Record of disclosures
• Accountability: Federal penalties for violations; Effective compliance activities to deter, identify, and punish violations
• Public Responsibility: Process for disclosing information for public health, research & legal purposes

Frequently Asked Questions (FAQs)
1. What is the Protected Health Information covered in HIPAA? PHI is individually identifiable health information electronically maintained or transmitted, or in any other media or form. Identifiable information includes: name, address, employer, relatives’ names, DOB, telephone and fax numbers, e-mail addresses, IP addresses, SSN, medical record number, member or account number, certificate/license number, voice/fingerprints, photos, or other number, code or characteristics (e.g., occupation).
2. What kind of official oversight will organizations need? Each organization will be required to have a Privacy Official.
3. Where can I go to learn more about the privacy standards? You may visit the Ernst & Young HIPAA web page... http://www.ey.com/us/hipaa.
Examples of Operational Impact Relating to Privacy
Patient Rights
– Patients must be informed of their rights
– Patients will have the right to inspect and amend their information
– Defined process for handling patient complaints
Patient Access
– Opportunity to reduce costs and increase customer satisfaction regarding eligibility, verification, and referral authorization
– Caregivers will generally have burden of responsibility for securing the “general consent” and providing the notice of privacy practices
Health Information Management (Medical Records)
– New rules for disclosing patient information
– New mechanisms for accounting for certain types of disclosures
– Will affect all areas responsible for managing medical records and/or disclosures of patient information
– Audit trails to monitor access/modifications to patient information
HIPAA Security - The Final Voyage
• Published in Federal Register February 20, 2003
– Effective Date of April 21, 2003
– Implementation Date of April 21, 2005
• Contains 18 Standards under Three Major Categories
– 14 “Required” Implementation Specifications
– 22 “Addressable” Implementation Specifications
• Two Additional Categories
– Organizational Requirements
– Policies, Procedures and Documentation
• Starts with Completing a Risk Analysis
Core Requirements of the Rule
• Ensure the confidentiality, integrity, and availability of all electronic PHI the Covered Entity creates, receives, maintains, or transmits.
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the privacy rule.
• Ensure compliance with the security rule by its workforce.
Due Diligence Taken to a Higher Level
• Standards indicate what to do, but not how to do it
• Risk analysis is the key for determining how to implement security
– creates the roadmap for implementing the security standards
• Use of terms such as “ensure” and “best of ability” sets a high standard for compliance
• Recognition that cost of implementing security is a factor in security decisions
– HHS cautions that cost does not justify ineffective security
Other Highlights
• Scalability, Flexibility, Cost, Capabilities and Technology Neutrality are key criteria for determining how to comply
• Emphasis on Documented Policies and Procedures for Many of the Standards
• Significant Reliance on Risk Analysis and Risk Management
• Applicable only to Electronic PHI
Security and Privacy
• Privacy is the “Crown Jewels” - Security Defines How to Protect Them
• HIPAA Privacy Rule Focuses on Confidentiality
• HIPAA Security Rule Focuses on Confidentiality, Integrity and Availability
• Effective Security is Possible Without Privacy; Effective Privacy is NOT Possible without Security
• Standard Terminology Between Security and Privacy in the Two Rules
Key Areas of Security Standards
Administrative Safeguards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements
Physical Safeguards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls
Technical Safeguards
• Access controls
• Audit controls
• Integrity
• Person or Entity Authentication
• Transmission Security
Organizational Requirements
• Business Associate Contract and Other Arrangements
• Requirements for Group Health Plans
Policies, Procedures, and Documentation
• Policies and Procedures
• Documentation
Administrative Safeguards Implementation Specifications
Security Management Process
• Risk Analysis (required)
• Risk Management (required)
• Sanction Policy (required)
• Information System Activity Review (required)
“Implement policies and procedures to prevent, detect, contain, and correct security violations.”
Assigned Security Responsibility
Implementation specifications were not developed for this standard
“Identify the security official who is responsible for the development and implementation of the policies and procedures required by the security rule for the entity.”
Workforce Security
• Authorization and/or Supervision (addressable)
• Workforce Clearance Procedure (addressable)
• Termination Procedures (addressable)
“Implement policies and procedures to ensure that all members of its workforce have appropriate access to Electronic Protected Health Information, …… and to prevent those workforce members who do not have access …… from obtaining access to Electronic Protected Health Information.”
Information Access Management
• Isolating Health Care Clearinghouse Functions (required)
• Access Authorization (addressable)
• Access Establishment and Modification (addressable)
“Implement policies and procedures for authorizing access to Electronic Protected Health Information that are consistent with the applicable requirements of the privacy rule.”
Security Awareness and Training
• Security Reminders (addressable)
• Protection from Malicious Software (addressable)
• Log-in Monitoring (addressable)
• Password Management (addressable)
“Implement a security awareness and training program for all members of its workforce (including management).”
Security Incident Procedures
• Response and Reporting (required)
“Implement policies and procedures to address security incidents.”
Contingency Plan
• Data Backup Plan (required)
• Disaster Recovery Plan (required)
• Emergency Mode Operation Plan (required)
• Testing and Revision Procedures (addressable)
• Applications and Data Criticality Analysis (addressable)
“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain Electronic Protected Health Information.”
Evaluation
Implementation specifications were not developed for this standard
“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of Electronic Protected Health Information, that establishes the extent to which an entity’s security policies and procedures meet the requirements.”
Business Associate Contracts and Other Arrangements
• Written Contract or Other Arrangement (required)
“A Covered Entity, in accordance with ……, may permit a Business Associate to create, receive, maintain, or transmit Electronic Protected Health Information on the Covered Entity’s behalf only if the Covered Entity obtains satisfactory assurances, in accordance with ……, that the Business Associate will appropriately safeguard the information.”
Physical Safeguards Implementation Specifications
Facility Access Controls
Contingency Operations (addressable)
Facility Security Plan (addressable)
Access Control and Validation Procedures (addressable)
Maintenance Records (addressable)
“Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.”
Workstation Use
Implementation specifications were not developed for this standard
“Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access Electronic Protected Health Information.”
Workstation Security
Implementation specifications were not developed for this standard
“Implement physical safeguards for all workstations that access Electronic Protected Health Information, to restrict access to authorized users.”
Device and Media Controls
Disposal (required)
Media Re-use (required)
Accountability (addressable)
Data Backup and Storage (addressable)
“Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain Electronic Protected Health Information into and out of a facility, and the movement of these items within the facility.”
Technical Safeguards Implementation Specifications
Access Controls
Unique User Identification (required)
Emergency Access Procedure (required)
Automatic Logoff (addressable)
Encryption and Decryption (addressable)
“Implement technical policies and procedures for electronic information systems that maintain Electronic Protected Health Information to allow access only to those persons or software programs that have been granted access rights as specified in …….”
Audit Controls
Implementation specifications were not developed for this standard
“Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use Electronic Protected Health Information.”
Integrity
Mechanism to Authenticate Electronic Protected Health Information (addressable)
“Implement policies and procedures to protect Electronic Protected Health Information from improper alteration or destruction.”
Person or Entity Authentication
Implementation specifications were not developed for this standard
“Implement procedures to verify that a person or entity seeking access to Electronic Protected Health Information is the one claimed.”
Transmission Security
Integrity Controls (addressable)
Encryption (addressable)
“Implement technical security measures to guard against unauthorized access to Electronic Protected Health Information that is being transmitted over an electronic communications network.”
Organizational Requirements
Business Associate Contracts or Other Arrangements
Business Associate Contract (required)
Other Arrangements (required)
“The contract or other arrangement between the Covered Entity and its Business Associate …… must meet the requirements …… as applicable.”
Requirements for Group Health Plans
Plan Documents Must be Amended accordingly (required)
“Except when the only Electronic Protected Health Information disclosed to a Plan Sponsor is disclosed pursuant to ……, or as authorized under ……, a Group Health Plan must ensure that its Plan Documents provide that the Plan Sponsor will reasonably and appropriately safeguard Electronic Protected Health Information created, received, maintained, or transmitted to or by the Plan Sponsor on behalf of the Group Health Plan.”
Policies, Procedures and Documentation Requirements
Policies and Procedures
Implementation specifications were not developed for this standard
“Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the security rule, taking into account those factors specified in …… This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of the security rule. A Covered Entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with the Security Rule.”
Documentation
Time Limit (required)
Availability (required)
Updates (required)
“(i) Maintain the policies and procedures implemented to comply with the security rule in written (which may be electronic) form; and
(ii) If an action, activity or assessment is required by the security rule to be documented, maintain a written (which may be electronic) record of the action, activity, assessment, or designation.”
Summary
Security Rule Written to Apply to a Small Provider Practice, Small Rural Hospital, as well as Large Scale Practices, Hospital Systems, and Health Plans
How to comply should be “proportional” to the size and complexity of the covered entity
– The larger and more complex, the more involved and complex the compliance strategy will most likely be.
Risk analysis is key for developing and justifying the roadmap for compliance
Documenting compliance decisions and the reasons behind them will be critical for demonstrating due diligence any time in the future
Examples of Operational Impact Relating to Security
Conduct a Risk Analysis and Implement Risk Management Measures
Identify a Security Official
Implement Procedures to
– Review Information System Activity
– Provide for Authorization/Supervision of Workforce
– Grant and Terminate Access to Electronic PHI
– Create, Change and Safeguard Passwords
– Respond to Suspected Security Incidents
Establish and Implement Contingency Plan
– Maintain Retrievable Copy of Data
– Recover from Loss of Data
– Establish Emergency Mode Operations Plan
– Implement Testing and Revision Procedures
Changes in processes and culture are essential...
The effective use of technology is also critical...
Example: Workforce Administration
Workforce security
– Provide access to authorized users
– Prevent access for unauthorized users
– Ensure that access to ePHI by a workforce member is appropriate
– Implement procedures for terminating access when employment has ended
Information Access Management
– Access authorization
– Access establishment and modification
Solution: Centralized User Administration
Define user roles within the organization
Define authorization levels for each user role
Centralize role-based administration of user privileges across all platforms
Consider automating account creation through HR
Integrate workflow into administrative policies for account set up and termination
Include remote (web) interface for modification or suspension of user privileges
Example: Access Control
Unique user identification – Required
Emergency access procedure – Required
Automatic log-off – Addressable
Additional Administrative Requirements
– Log-in monitoring
– Password management
Current barriers to meeting these requirements
– Balance security with convenience at the clinical workstations
– Limited security capabilities within current applications
Solution: Single Sign-On for Workstations
Enable a system that allows policies to be followed
Single authentication event provides access to all authorized applications
Utilize role-based authorization methods
Reduce password management to single event
Automatically generate strong passwords
Record application log-in attempts
Focus on the unique needs of workstations
– Direct (strong) authentication for quick change of users
– Secure station lock capability
– Create efficient single sign-off
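The Workforce Administration and Access Control slides above describe role-based authorization, unique user identification, an emergency access procedure, automatic log-off and termination of access. The following is an added example (not code from the presentation or its presenters) showing how those pieces fit together in one small access-control object; the role names, actions and the 15-minute idle timeout are assumed values.

```python
# Added example, not from the presentation: a minimal ePHI access control with
# the specifications above (unique user IDs, audited emergency access, automatic
# logoff) plus access termination from the Workforce Administration slide.
from dataclasses import dataclass, field

AUTO_LOGOFF_SECS = 15 * 60  # assumed idle timeout for a clinical workstation
# Constructed sample policy: role -> actions permitted on ePHI
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart"},
    "billing": {"read_demographics"},
    "sysadmin": set(),  # platform admins get no ePHI rights by default
}

@dataclass
class AccessControl:
    sessions: dict = field(default_factory=dict)  # user_id -> {"role", "last"}
    disabled: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)  # (time, user, event, detail)

    def login(self, user_id, role, now):
        # user_id is one identifier per workforce member, never a shared login
        if user_id in self.disabled:
            self.audit_log.append((now, user_id, "LOGIN_DENIED", "account disabled"))
            return False
        self.sessions[user_id] = {"role": role, "last": now}
        self.audit_log.append((now, user_id, "LOGIN", role))
        return True

    def terminate(self, user_id, now):
        # Employment ended: disable the account and drop any live session.
        self.disabled.add(user_id)
        self.sessions.pop(user_id, None)
        self.audit_log.append((now, user_id, "TERMINATED", ""))

    def authorize(self, user_id, action, now, emergency_reason=None):
        s = self.sessions.get(user_id)
        if s is None:
            return False
        if now - s["last"] > AUTO_LOGOFF_SECS:  # automatic logoff after idle time
            del self.sessions[user_id]
            self.audit_log.append((now, user_id, "AUTO_LOGOFF", ""))
            return False
        s["last"] = now
        if action in ROLE_PERMISSIONS.get(s["role"], set()):
            self.audit_log.append((now, user_id, "ACCESS", action))
            return True
        if emergency_reason:  # break-glass: permitted, but flagged for review
            self.audit_log.append((now, user_id, "EMERGENCY_ACCESS", f"{action}: {emergency_reason}"))
            return True
        self.audit_log.append((now, user_id, "DENIED", action))
        return False
```

Every decision lands in `audit_log`, which is what the Information System Activity Review later reads; emergency access is allowed but stands out as its own event type.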
Example: Security Auditing and Incident Tracking
Information System Activity Review – Required
– Review records of information system activity
– Audit logs, access reports, security incident tracking reports
Security Incident Response and Reporting – Required
– Identify and respond to suspected or known security incidents
– Mitigate harmful effects of security incidents that are known to the covered entity
– Document security incidents and their outcomes
Audit Controls – Required
– Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain electronic PHI
The Solution: Centralized Security/Event Auditing
Security Logs exist for systems that contain ePHI
– Database log files
– OS log files
– Application log files (sometimes)
Other enterprise components maintain security logs
Log files are too extensive and complex
Parse individual log files to extract key information and forward to a centralized secure remote repository
Reports can be run from this centralized system
Log information can be correlated from multiple systems
Proactive notification can head off security incidents
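The slide above says to parse each system's log into key information, forward it to a central repository and correlate across systems. The following is an added example (not from the presentation) of that normalize-then-correlate step over constructed database, OS and application log lines; the line formats, the three-failure threshold and the 07:00 to 19:00 business hours are assumptions.

```python
# Added example, not from the presentation: normalize constructed log lines from
# a database, an OS and an application into one record format, then correlate
# them as a central repository would. Line formats and thresholds are assumed.
import re
from collections import defaultdict

# Constructed sample lines, one format per source (not real log data)
SAMPLE_LOGS = [
    ("os", "Jun 03 02:14:05 ws-12 sshd[811]: Failed password for jdoe from 10.0.0.5"),
    ("db", "2003-06-03T02:14:20 AUDIT user=jdoe action=LOGIN status=FAILED"),
    ("app", "2003-06-03 02:14:41 EMR user=jdoe event=login result=failure"),
    ("app", "2003-06-03 02:15:02 EMR user=jdoe event=login result=success"),
    ("app", "2003-06-03 02:15:30 EMR user=jdoe event=view_chart patient=MRN0042 result=success"),
    ("db", "2003-06-03 09:01:00 AUDIT user=svc_report action=SELECT status=OK"),
]

PATTERNS = {  # one parser per source; each yields time, user, status and event
    "os": re.compile(r"^\w+ \d+ (?P<time>\d\d:\d\d:\d\d) \S+ \S+: (?P<status>Failed|Accepted) password for (?P<user>\S+)"),
    "db": re.compile(r"^\S+[ T](?P<time>\d\d:\d\d:\d\d) AUDIT user=(?P<user>\S+) action=(?P<event>\S+) status=(?P<status>\S+)"),
    "app": re.compile(r"^\S+ (?P<time>\d\d:\d\d:\d\d) EMR user=(?P<user>\S+) event=(?P<event>\S+)(?: patient=(?P<patient>\S+))? result=(?P<status>\S+)"),
}

def normalize(source, line):
    """Return a common record, or None when the line does not parse."""
    m = PATTERNS[source].match(line)
    if not m:
        return None
    d = m.groupdict()
    return {"source": source, "time": d["time"], "user": d["user"],
            "event": d.get("event", "login").lower(),  # the OS pattern only sees logins
            "ok": d["status"].lower() in ("ok", "success", "accepted"),
            "patient": d.get("patient")}

def correlate(records, max_failures=3, business_hours=(7, 19)):
    """Log-in monitoring across sources plus an after-hours ePHI access rule."""
    alerts, failures = [], defaultdict(list)
    for r in records:
        if r["event"] == "login" and not r["ok"]:
            failures[r["user"]].append(r["source"])
        hour = int(r["time"][:2])
        if r["patient"] and not business_hours[0] <= hour < business_hours[1]:
            alerts.append(f"after-hours ePHI access: {r['user']} viewed {r['patient']} at {r['time']}")
    for user, sources in failures.items():
        if len(sources) >= max_failures:
            alerts.append(f"{len(sources)} failed logins for {user} across {sorted(set(sources))}")
    return alerts
```

No single source shows three failures for the sample user; only the combined view does, which is the point of the central repository.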
Healthcare Access Control
[Architecture diagram: HR System, Admin Policy Engine, Audit Repository, SSO, three App/DB/OS platforms, Web GUI]
Example: Maintain Proper System Access Controls For …
Risk Management
– Reduce risks and vulnerabilities to a reasonable and appropriate level
Isolating Healthcare Clearinghouse Functions
– Systems Administrators may access all components
Access Control and Validation Procedures
– Procedures to control and validate access to software programs for testing and revision
Mechanism to Authenticate ePHI
– Ensure ePHI has not been altered or destroyed in an unauthorized manner
Current Barriers to Proper Access Controls
– Root users have global access to ePHI on distributed platforms
Solution: Enhanced OS Level Security
Centralize access control across the entire enterprise
Create policy-based control of who does what and when
Customize security policies for application-level security
Harden distributed OS security similar to mainframe level security
Provide a true audit trail for complete auditability
Example: Security Management Process
Risk Analysis – Required
– Conduct an assessment of potential risks
Risk Management – Required
– Implement security measures to reduce risks
Information System Activity Review – Required
– Regularly review records of information system activity
Additional Requirements
– Protection from malicious software
– Implement policies and procedures that define proper functions and manner of workstation use
Solution: Proactive Network Monitoring
Automatically detect known network hacking techniques
Protect from unauthorized network use, to the URL level
Allow unobstructed access to resources for legitimate business purposes
Defend against DDOS attacks
Provide an easy to understand snapshot of all network activity
Centralize administration across your enterprise
Example: Contingency Plan & Operations
Data Back-up Plan – Required
– Create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan – Required
– Establish procedures to restore any loss of data
– Must contain documented policies and procedures
Emergency Mode Operation Plan – Required
– Must provide for the protection of the security of ePHI while operating in an emergency mode
Time Limit – Required
– Maintain documentation for 6 years from the date when it was last in effect
Solution: Policy-Based Data Protection
Conduct data and application criticality analysis
Ensure reliable off-site storage for disaster recovery
Develop emergency mode operation procedures
Enterprise-wide, policy based data protection solutions
Centralized monitoring of data protection processes including hardware and software
Ensure existing hardware is utilized to fullest extent possible
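The Contingency Plan slides above require retrievable exact copies of ePHI, documented restore procedures and testing of those procedures. The following is an added example (not from the presentation) of a backup drill that records a SHA-256 manifest at backup time and then proves, by restoring into a scratch directory, that every file comes back byte-for-byte; the file names and contents are constructed.

```python
# Added example, not from the presentation: a backup drill for the Data Backup
# Plan ("retrievable exact copies of ePHI") and Testing and Revision Procedures.
# A SHA-256 manifest lets the restore test prove each copy is exact, not merely
# present. File names and contents below are constructed sample data.
import hashlib, json, tarfile, tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, archive):
    """Archive src_dir and write a manifest of relative path -> SHA-256."""
    src_dir, manifest = Path(src_dir), {}
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest

def verify_restore(archive, manifest):
    """Restore into a scratch directory; return files missing or altered."""
    problems = []
    # Refuse unsafe archive members where this Python supports extraction filters
    kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, **kw)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != digest:
                problems.append(f"altered: {rel}")
    return problems

def drill():
    """Constructed drill: back up two sample files, then verify the restore
    against the true manifest and against a deliberately wrong one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "ephi"
        (src / "labs").mkdir(parents=True)
        (src / "chart_0042.txt").write_text("constructed sample, not real PHI")
        (src / "labs" / "cbc.csv").write_text("test,value\nhgb,13.5\n")
        archive = Path(work) / "ephi.tar.gz"
        manifest = make_backup(src, archive)
        wrong = dict(manifest, **{"labs/cbc.csv": "0" * 64, "missing.txt": "0" * 64})
        return verify_restore(archive, manifest), verify_restore(archive, wrong)
```

A drill that returns an empty problem list is the documented evidence that the backup is retrievable; the manifest file beside the archive is what a later restore is checked against.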
Wireless Brings its Own Set of Issues
A diverging set of client platforms
New management issues both from an end user perspective (change management) and technology (wireless application architecture)
New security concerns with data access as well as physical concerns with device location
Managing the Wireless LAN
• Wireless LAN management
– Discover and map the access points
– Show signal strengths, health and alerts
– Show devices associated with each access point
– Remote administration, configuration and BIOS flash updates
– Provide centralized access control management
• Support for software distribution to handheld devices.
Mobile Device Management
Mobile device management to manage wireless PDA devices
• Monitor PDA Health and Welfare
– Discovery
– Battery Levels
– OS versions
– Application Versions and Updates
– Available Memory
• Asset Management
• Software Delivery
How far does your Access Point transmit?
Parts list: Of course, buying in bulk helps a lot. You probably won't be able to find a 6" piece of all-thread; buy the standard size (usually one or two feet) and a 10-pack of washers and nuts while you're at it. Then, you'll have enough for two, for about $10.
Tools required:
– Ruler
– Scissors
– Pipe cutter (or hacksaw or dremel tool, in a pinch)
– Heavy duty cutters (or dremel again, to cut the all-thread)
– Something sharp to pierce the plastic (like an awl or a drill bit)
– Hot glue gun
– Soldering Iron
Construction time: about an hour
Can Hackers Inventory Your Access Points?
And then put them on the Internet?
Recommended Architecture
[Architecture diagram labels: Intranet (existing infrastructure), Router and/or Firewall, Router/Firewall, Audit, Auth. Databases, Internet, WLAN]
•Separate Wireless LANs from Intranet for now
•Specific security standards and policy for Wireless Environment
•Managing security for the entire environment consistently
•Patient or other sensitive data stored on Wired side
•Audit and policy enforcement
[Diagram labels: Intrusion Detection, AV, Enhance OS Security, Security/Privacy Central Administration, Authentication, Encrypt, Policy Monitoring, Device Mgmt., Security and Privacy, Audit]
Getting Started
Developing an Enterprise HIPAA Strategy
The strategy should consider:
– E-Commerce
– Technology
– Processes
– Policies (incorporate as part of corporate compliance)
Establish HIPAA Task Force with an enterprise-wide focus
Perform Risk Analysis and Current State Assessment of readiness
Develop and deliver HIPAA awareness program
Establish budgeted resources and dollars
Develop a plan for action, including prioritized remediation efforts, infrastructure changes, resource needs
A Total Solution
Risk Analysis
Gap Assessment
Implementation Planning
Implementation Execution
Business processes, policies, procedures
Package and custom applications
Organizational change management
Learning solutions
Program management
Forming alliances with key vendors, especially those providing alternative solutions
Case Study
Risk Analysis
Gap Assessment
Implementation Planning
Implementation Execution
QUESTIONS and DISCUSSION
Contact Information
• Ken Frantz: 215/448-5063 [email protected]
• Mike McDermand: 904/371-6230 [email protected]
• Ken Vander Wal: 312/879-2158 [email protected]