HIPAA / HITECH Requirements
DESCRIPTION
Featured Speaker: Subrata Guha, UL DQS Inc. IT Services Director
Subrata Guha, UL DQS Inc. IT Services Director, hosts this on-demand webinar focused on Information Security Management Systems (ISMS) and HIPAA. The presentation includes:
Changes in the HIPAA privacy rules introduced in January 2013
Role of information security in the HITECH Act applicable to the health care sector
HIPAA risk assessment
How to achieve HIPAA compliance
TRANSCRIPT
DQS – UL Group
Security Requirements for HIPAA and HITECH Act
Subrata Guha
Program Manager – IT Certification
Questions
What are the HIPAA Security Rules?
What is the HITECH Act?
How to achieve compliance?
Any other questions?
What are the HIPAA Security Rules?
Background
HIPAA – Health Insurance Portability and Accountability Act, introduced in 1996
Rules updated in 2013
Objectives:
• Security – protection of Electronic Protected Health Information (EPHI)
• Privacy – protection of Protected Health Information (PHI)
Scope: covered entities and business associates
• Healthcare providers
• Health insurance providers
• Healthcare clearinghouses
• Medicare prescription drug card sponsors
• Suppliers / partners of covered entities
Players involved in HIPAA
Department of Health and Human Services (HHS)
Covered Entities
Business Associates
Patients
Components of HIPAA
HIPAA – Health Insurance Portability and Accountability Act of 1996
Title I: Health Care Access, Portability and Renewability
Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
Title III: Tax Related Health Provision
Title IV: Group Health Plan
Title V: Revenue Offsets
Administrative Simplification (Title II) comprises:
• General Administrative Requirements
• Administrative Requirements
• Security and Privacy
Source: NIST SP 800-66
What is the HITECH Act?
HITECH Act
Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced in 2009
Objective is to strengthen the privacy and security protections of HIPAA:
• Extended HIPAA privacy and security requirements to business associates
• Increased penalties for violations
Another objective of the HITECH Act is to promote the use of Electronic Health Records (EHR)
General Administrative Requirements
Code of Federal Regulations (CFR) Title 45 Part 160.101–514
General Provisions
Preemption of State Laws
Compliance and Investigations
Imposition of Civil Money Penalties
Procedures for Hearings
Administrative Requirements
Code of Federal Regulations (CFR) Title 45 Part 162.100–1902
General Provisions
Standard Unique Health Identifier for Health Care Providers
Standard Unique Health Identifier for Health Plans
Standard Unique Employer Identifier
General Provisions for Transactions
Code Sets
Health Care Claims or Equivalent Encounter Information
Eligibility for a Health Plan
Referral Certification and Authorization
Health Care Claim Status
Enrollment and Disenrollment in a Health Plan (more …)
HIPAA Security Rules
Security Standards: General Rules
Administrative Safeguards
Technical Safeguards
Physical Safeguards
Organizational Requirements
Documentation Requirements
Code of Federal Regulations (CFR) Title 45 Part 164.306–316 defines the security rules
Structure of HIPAA Security Rules
Standard: describes the rule. Example: "A covered entity or business associate must comply with the applicable standards as provided …"
Implementation specifications: key activities to be performed to meet the intent of the standard
• Required (R): mandatory activity
• Addressable (A): can be excluded with justification, or an alternative practice implemented instead
Security Standards: General Rules
• Ensure the confidentiality, integrity and availability of EPHI
• Protect EPHI against anticipated threats and hazards
• Ensure compliance by the workforce
Scope: EPHI that the covered entity or business associate creates, receives, maintains, or transmits
Implementation: security measures are chosen depending on
• Size, complexity and type of business functions
• Size of the IT infrastructure
• Anticipated risk and impact
Administrative Safeguards (1/2)
Standard → implementation specifications (R = required, A = addressable)
Security management process
• Risk analysis (R)
• Risk management (R)
• Sanction policy (R)
• Information system activity review (R)
Assigned security responsibility
• None
Workforce security
• Authorization and/or supervision (A)
• Workforce clearance procedure (A)
• Termination procedure (A)
Information access management
• Isolating health care clearinghouse functions (R)
• Access authorization (A)
• Access establishment and modification (A)
Security awareness and training
• Security reminders (A)
• Protection from malicious software (A)
• Log-in monitoring (A)
• Password management (A)
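The "Information system activity review" (R) and "Log-in monitoring" (A) specifications above are only words until someone actually reads the logs. The following is an added example, not code from the webinar or from UL DQS: it reviews a constructed access log and flags two findings a reviewer would want raised, bursts of failed log-ins per user and EPHI access outside business hours. The log line format, the event names, the five-failure threshold and the 07:00–19:00 window are all assumptions made for this example.

```python
"""Information system activity review and log-in monitoring over an audit log.

Added example for the HIPAA administrative safeguards slide; not code from
the webinar or from UL DQS. The line format, event names, failed-login
threshold and business-hours window are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log: "<ISO timestamp> <user id> <event> <detail>" per line.
SAMPLE_LOG = """\
2013-03-04T08:55:10 jdoe LOGIN_OK ws-12
2013-03-04T09:02:31 jdoe EPHI_ACCESS patient=0001
2013-03-04T22:14:02 mroe LOGIN_FAIL ws-07
2013-03-04T22:14:20 mroe LOGIN_FAIL ws-07
2013-03-04T22:14:41 mroe LOGIN_FAIL ws-07
2013-03-04T22:15:03 mroe LOGIN_FAIL ws-07
2013-03-04T22:15:30 mroe LOGIN_FAIL ws-07
2013-03-04T22:16:05 mroe LOGIN_OK ws-07
2013-03-04T22:17:44 mroe EPHI_ACCESS patient=0042
2013-03-04T23:01:00 jdoe EPHI_ACCESS patient=0042
"""

FAILED_LOGIN_THRESHOLD = 5                  # assumption: 5 failures per user per day
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumption: 07:00-19:00 local time


def parse_log(text):
    """Parse the assumed log format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split(" ", 3)
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "event": event, "detail": detail})
    return records


def failed_login_bursts(records, threshold=FAILED_LOGIN_THRESHOLD):
    """User ids with at least `threshold` LOGIN_FAIL events on one calendar day."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            counts[(r["user"], r["ts"].date())] += 1
    return sorted({user for (user, _day), n in counts.items() if n >= threshold})


def after_hours_ephi_access(records, hours=BUSINESS_HOURS):
    """(user, timestamp) for every EPHI_ACCESS outside the business-hours window."""
    start, end = hours
    return [(r["user"], r["ts"].isoformat()) for r in records
            if r["event"] == "EPHI_ACCESS" and not (start <= r["ts"].time() < end)]


def review(text):
    """Run both checks over a log text and return the findings as one dict."""
    records = parse_log(text)
    return {"failed_login_bursts": failed_login_bursts(records),
            "after_hours_ephi_access": after_hours_ephi_access(records)}


if __name__ == "__main__":
    for finding, items in review(SAMPLE_LOG).items():
        print(f"{finding}: {items}")
```

The point of the example is the review loop itself: both checks are trivial once the log is parsed, which is why the rule makes the review required rather than the tooling. In practice the thresholds and the hours window come from the risk analysis, and each finding should end up with a named reviewer and a disposition, since that record is what an investigator asks for.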
Administrative Safeguards (2/2)
Standard → implementation specifications (R = required, A = addressable)
Security incident procedures
• Response and reporting (R)
Contingency plan
• Data backup plan (R)
• Disaster recovery plan (R)
• Emergency mode operation plan (R)
• Testing and revision procedure (A)
• Application and data criticality analysis (A)
Evaluation
• Perform periodic technical and non-technical evaluation (R)
Business associate contracts or other arrangements
• Written contracts or other arrangements (R)
Physical Safeguards
Standard → implementation specifications (R = required, A = addressable)
Facility access controls
• Contingency operations (A)
• Facility security plan (A)
• Access control and validation procedures (A)
• Maintenance records (A)
Workstation use
• None
Workstation security
• None
Device and media controls
• Disposal (R)
• Media re-use (R)
• Accountability (A)
• Data backup and storage (A)
Technical Safeguards
Standard → implementation specifications (R = required, A = addressable)
Access control
• Unique user identification (R)
• Emergency access procedure (R)
• Automatic logoff (A)
• Encryption and decryption (A)
Audit controls
• None
Integrity
• Mechanism to authenticate EPHI (A)
Person or entity authentication
• None
Transmission security
• Integrity controls (A)
• Encryption (A)
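Four of the technical safeguard specifications above (unique user identification, automatic logoff, audit controls, and a mechanism to authenticate EPHI) can be shown working together in a few dozen lines. The following is an added example, not code from the webinar or from UL DQS: a toy EPHI record service that refuses duplicate user ids, expires idle sessions, writes an audit entry for every access attempt, and tags each stored record with an HMAC so that tampering behind the service's back is detected on read. The record layout, the ten-minute idle timeout, and the hard-coded demo key are assumptions for the example; in a real system the key comes from a key store and encryption at rest (the "Encryption and decryption" specification) would sit underneath this layer.

```python
"""Technical safeguards in miniature: unique user ids, automatic logoff,
audit controls and an integrity mechanism for EPHI.

Added example for the HIPAA technical safeguards slide; not code from the
webinar or from UL DQS. Record format, timeout and key handling are
assumptions made for this example.
"""
import hashlib
import hmac
import json
import secrets

IDLE_TIMEOUT_SECONDS = 600  # assumption: automatic logoff after 10 idle minutes


class IntegrityError(Exception):
    """Raised when a stored EPHI record no longer matches its integrity tag."""


class EphiStore:
    def __init__(self, integrity_key: bytes):
        self._key = integrity_key   # assumption: supplied from a real key store
        self._users = set()         # unique user identification: one id per person
        self._sessions = {}         # session_id -> [user_id, last_activity_ts]
        self._records = {}          # patient_id -> (canonical JSON bytes, HMAC tag)
        self.audit_log = []         # audit controls: one entry per access attempt

    def _audit(self, user_id, action, target, outcome):
        self.audit_log.append({"user": user_id, "action": action,
                               "target": target, "outcome": outcome})

    def register_user(self, user_id):
        """Assign an identifier; shared or reused ids are refused."""
        if user_id in self._users:
            raise ValueError(f"user id {user_id!r} already assigned")
        self._users.add(user_id)

    def login(self, user_id, now):
        if user_id not in self._users:
            self._audit(user_id, "LOGIN", "-", "DENIED")
            raise PermissionError("unknown user")
        sid = secrets.token_hex(16)
        self._sessions[sid] = [user_id, now]
        self._audit(user_id, "LOGIN", "-", "OK")
        return sid

    def _session_user(self, sid, now):
        """Return the user behind a session, enforcing automatic logoff on idle time."""
        session = self._sessions.get(sid)
        if session is None:
            raise PermissionError("no such session")
        user_id, last_activity = session
        if now - last_activity > IDLE_TIMEOUT_SECONDS:
            del self._sessions[sid]
            self._audit(user_id, "AUTO_LOGOFF", "-", "OK")
            raise PermissionError("session expired after inactivity")
        session[1] = now
        return user_id

    def _tag(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def put(self, sid, patient_id, record, now):
        user_id = self._session_user(sid, now)
        data = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        self._records[patient_id] = (data, self._tag(data))
        self._audit(user_id, "WRITE", patient_id, "OK")

    def get(self, sid, patient_id, now):
        user_id = self._session_user(sid, now)
        data, tag = self._records[patient_id]
        # Integrity mechanism: the record is only returned if its tag still verifies.
        if not hmac.compare_digest(tag, self._tag(data)):
            self._audit(user_id, "READ", patient_id, "INTEGRITY_FAILURE")
            raise IntegrityError(f"record {patient_id} failed integrity check")
        self._audit(user_id, "READ", patient_id, "OK")
        return json.loads(data)


def demo():
    """Scripted walkthrough; returns the audit trail as (action, outcome) pairs."""
    store = EphiStore(integrity_key=b"constructed-demo-key-not-for-production")
    store.register_user("jdoe")
    sid = store.login("jdoe", now=1000)
    store.put(sid, "P0001", {"dob": "1970-01-01", "dx": "J45"}, now=1010)
    assert store.get(sid, "P0001", now=1020) == {"dob": "1970-01-01", "dx": "J45"}
    # Simulate tampering with the stored bytes behind the service's back.
    data, tag = store._records["P0001"]
    store._records["P0001"] = (data.replace(b"J45", b"J46"), tag)
    try:
        store.get(sid, "P0001", now=1030)
    except IntegrityError:
        pass
    # Idle longer than the timeout: the next request is refused and logged.
    try:
        store.get(sid, "P0001", now=1030 + IDLE_TIMEOUT_SECONDS + 1)
    except PermissionError:
        pass
    return [(e["action"], e["outcome"]) for e in store.audit_log]


if __name__ == "__main__":
    for action, outcome in demo():
        print(f"{action:12s} {outcome}")
```

Two design points carry over to real systems. The integrity tag is keyed (HMAC), not a bare hash, so someone who can rewrite the record bytes cannot also rewrite the tag without the key; and the audit entry is written before the failure is raised, so an integrity failure or an automatic logoff always leaves a trace for the activity review.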
Organizational Requirements
Standard → implementation specifications (R = required, A = addressable)
Business associate contracts or other arrangements
• Business associate contract (R)
• Reporting of incidents (R)
• Other arrangements (A)
• Contract with sub-contractors (R)
Requirements for group health plans
• Implement administrative, physical and technical safeguards (R)
• Ensure adequate separation (R)
• Ensure adequate security measures by agents (R)
• Report incidents to the group health plan (R)
Policies, Procedures and Documentation Requirements
Standard → implementation specifications (R = required, A = addressable)
Policies and procedures
• None
Documentation
• Retention period (R)
• Availability (R)
• Updates (R)
Breach Notifications
Code of Federal Regulations (CFR) Title 45 Part 164.404–414
Notification to Individuals
Notification to the Media
Notification to the Secretary
Notification by a Business Associate
Law Enforcement Delay
Administrative Requirements and Burden of Proof
HIPAA Privacy Rules
Code of Federal Regulations (CFR) Title 45 Part 164.504–530
Use and Disclosure of PHI: General Rules
Use and Disclosure: Organizational Requirements
Use and Disclosure to Carry Out Treatment, Payment etc.
Use and Disclosure: Individual to Agree or Object
Use and Disclosure: Authorization not Required
Use and Disclosure of PHI: Other Requirements
Notice of Privacy Practices
Right to Request Privacy Protection
Access of Individuals to PHI
Amendment of PHI
Accounting of Disclosures of PHI
Enforcement Process (flowchart on the slide; nodes listed in reading order)
Complaint → Intake and Review by the Office for Civil Rights (OCR)
Decision: HIPAA violation? (yes / no)
Decision: Criminal violation? (yes → referred to the Department of Justice)
Investigation → OCR issues corrective actions
Decision: Resolution? (yes → CAR closed; no → OCR imposes penalty)
How to Achieve Compliance?
HIPAA Compliance Process
Identify the EPHI and/or PHI your organization creates, receives, maintains or transmits
Conduct Risk Assessment
Establish policies and procedures following HIPAA security standards to address risks
Monitor compliance
Report breaches
Pitfalls
Compliance is self-declaration – no third-party certification is available
The set of rules does not provide a governance structure to maintain the system
Investigations are triggered by complaints – the burden of proof is on the covered entity or business associate
Penalty can be as high as $1.5 million
Other options
Adoption of a management system framework, e.g. the ISO/IEC 27001 standard
ISO/IEC 27001:2013
Context of the Organization
Leadership
Planning
Support
Operation
Performance Evaluation
Improvement
Annex A: Recommended Controls
Why ISO 27001:2013?
Establishes a governance structure to establish, monitor and improve security
Annex A controls cover ~90% of the HIPAA security rules
Additional controls from 45 CFR 164 can be added to the Statement of Applicability
ISO 27002 provides implementation guidance for the controls
Third-party certification increases credibility
Annual surveillance ensures continued compliance
Questions?