Date posted: 26-Dec-2015
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996 (Kennedy-Kassebaum Bill)
Administrative Simplification
– Privacy
– Transactions & Code Sets
– Security
Administrative Simplification
Privacy – April 14, 2003 - implemented
Transaction Standards and Code Sets – October 16, 2003 - implemented
Security – April 20, 2005 – it’s right around the corner
Goals of Administrative Simplification
Protect the security and privacy of patient information
Improve efficiency and effectiveness by standardizing electronic transmissions of:
– Financial transactions
– Administrative transactions
Who is covered by HIPAA?
“Covered Entity”
– Health Care Providers
– Clearinghouses
– Health Plans
Business Associates
– An entity that performs a task on our behalf and
– Uses or discloses Protected Health Information (PHI) to do so
– Examples: Temp agencies, Medical Director, Pharmacy consultant
What does HIPAA Protect?
Protected Health Information PHI
– Created or received by a health care provider (or a health plan or clearinghouse) AND
– Relates to past, present, or future treatment, OR to payment for such services, AND
– Identifies the individual (individually identifiable health information, IIHI) AND
– Transmitted or maintained in ANY form or medium (paper, oral, or electronic)
What is the Security Rule?
Important Security Facts
Only applies to e-PHI
Requires a Risk Assessment
Requires technical controls in addition to policies and procedures (unlike the Privacy Rule, which can largely be met with policy)
Effective April 20, 2005
What does the Security Rule Protect?
Electronic Protected Health Information (e-PHI)
– Created or received by a health care provider (or a health plan or clearinghouse) AND
– Relates to past, present, or future treatment, OR to payment for such services, AND
– Identifies the individual AND
– Transmitted by or maintained in ELECTRONIC MEDIA
Security Rule Core Requirements
Covered Entities must:
– Ensure the confidentiality, integrity, and availability (CIA) of all e-PHI they create, receive, maintain, or transmit
– Protect against any reasonably anticipated threats or hazards to the security or integrity of e-PHI
– Protect against any reasonably anticipated uses or disclosures of e-PHI that are not permitted or required under the Privacy Rule
– Ensure compliance with the Security Rule by all of their workforce members
Security Rule Components
Three Categories:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Security Rule Components
Standards – General requirements that must be complied with. Example: Contingency Plan
Implementation Specifications – Detailed or specific methods or approaches for meeting a Standard. Example: Data backup plan, disaster recovery plan
Implementation Specifications are either Required or Addressable, but none are optional. A Required specification must be implemented as written. For an Addressable specification the covered entity must assess whether it is reasonable and appropriate in its environment: if it is, implement it; if not, document why, and implement an equivalent alternative measure where reasonable and appropriate.
Security Rule - Administrative
Focuses on the Security Management Process, designed to:
– Prevent
– Detect
– Contain
– and Correct security violations
Standards include:
– Security Management Process (risk analysis, risk management, sanction policy, information system activity review)
– Assigned Security Responsibility
– Workforce Security
– Information Access Management
– Security Awareness and Training
– Security Incident Procedures
– Contingency Plan
– Evaluation
– Business Associate Contracts and Other Arrangements
Security Rule - Physical
Focuses on protecting the facilities, equipment and media that hold e-PHI from:
– Unauthorized access and disclosure
– Modification
– Destruction
Standards include:
– Facility Access Controls
– Workstation Use
– Workstation Security
– Device and Media Controls
Security Rule - Technical
Focuses on the technology, and the policies governing its use, that ensure:
– Confidentiality
– Integrity
– Availability
Standards include:
– Access Control (unique user identification, emergency access, automatic logoff, encryption)
– Audit Controls
– Integrity
– Person or Entity Authentication
– Transmission Security
Where do we begin?
Conduct a Risk Assessment
What is a Risk Assessment?
A Risk Assessment provides the information needed to make risk management decisions about the degree of security remediation required.
Components of the Risk Assessment
Identifies the risks, threats and vulnerabilities that exist if appropriate security measures are not in place
Identifies potential confidentiality, integrity and availability failures
Rates the impact and probability of each risk
Identifies mitigation options
What is a Risk, Threat and Vulnerability?
Risk – What can happen if a threat exploits a vulnerability (the undesirable outcome and its consequences).
Threat – Who or what can cause an undesirable event (a person, a process, or a natural event).
Vulnerability – A weakness in technology or in an organizational process that a threat could exploit.
What is CIA?
Confidentiality – lost when e-PHI is disclosed to unauthorized persons
Integrity – lost when e-PHI is modified or destroyed by unauthorized persons (or by accident)
Availability – lost when e-PHI is unavailable to authorized persons when they need it
What is Impact and Probability?
Impact – The effect a particular incident would have on the organization and on patients. Rated high, medium or low.
Probability – The likelihood that the incident will occur. Rated high, medium or low.
Risk Assessment
Let’s discuss an example of a risk, threat and vulnerability.
Scenario
You are in an unfamiliar City
Decide to take a night time walk
Street is dark – no pedestrians; no traffic
You are all alone
Excessive Graffiti on the walls
Scenario
What is the Risk?
– (What might happen)
What is the Threat?
– (Who)
What is the Vulnerability?
– (How could it happen)
Scenario
What is the Risk? (What might happen)
– You might be attacked
– You might be robbed
What is the Threat? (Who)
– A mugger
What is the Vulnerability? (How could it happen)
– You are in a strange location and don’t know your way around
– You are alone on a dark street with no pedestrians or traffic
Where do we document the findings?
Risk Assessment Matrix
What is the Risk Assessment Matrix?
Documents the analysis performed for each Standard and Implementation Specification.
One matrix for each e-PHI instance (each application or system that holds e-PHI).
Risk Assessment
Let’s look at the Risk Assessment Matrix
Risk Assessment
What is My Role in the Risk Assessment?
Identify Risks, Threats and Vulnerabilities
Identify potential Confidentiality, Integrity and Availability outcomes
Determine the Probability and Impact of Risks
Identify Mitigation Alternatives
Help Implement Solutions
Now what?
Identify Teams for each e-PHI Application
Conduct Brainstorming Sessions
Complete the Risk Assessment Matrix
Select Mitigation Plans
Implement Corrective Actions
Monitor to Ensure Compliance
Anything Else?
Work together to ensure our organization is HIPAA compliant by April 20, 2005