hipaa’s security regulations
DESCRIPTION
HIPAA’s Security Regulations. John Parmigiani National Practice Director HIPAA Compliance Services CTG HealthCare Solutions, Inc. Presentation Overview. Introduction HIPAA and Privacy/Security Impacts and Benefits Steps & Tools Toward Compliance Conclusions. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/1.jpg)
HIPAA’s Security Regulations
HIPAA’s Security Regulations
John Parmigiani National Practice DirectorHIPAA Compliance Services
CTG HealthCare Solutions, Inc.
![Page 2: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/2.jpg)
2
Introduction
HIPAA and Privacy/Security
Impacts and Benefits
Steps & Tools Toward Compliance
Conclusions
![Page 3: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/3.jpg)
3
![Page 4: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/4.jpg)
4
John ParmigianiJohn Parmigiani
CTGHS National Director of HIPAA Compliance Services HCS Director of Compliance Programs HIPAA Security Standards Government Chair/ HIPAA
Infrastructure Group Directed development and implementation of security initiatives
for HCFA (now CMS) Security architecture Security awareness and training program Systems security policies and procedures E-commerce/Internet
Directed development and implementation of agency-wide information systems policy and standards and information resources management
AMC Workgroup on HIPAA Security and Privacy;Content Committee of CPRI Security and Privacy Toolkit; Editorial Advisory Boards of HIPAA Compliance Alert’s HIPAA Answer Book and HIPAA Training Line; Chair,HIPAA-Watch Advisory Board; Train for HIPAA Advisory Board
![Page 5: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/5.jpg)
5
![Page 6: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/6.jpg)
6
Title II: Subtitle F Administrative Simplification
Title II: Subtitle F Administrative Simplification
Reduce healthcare administrative costs by standardizing electronic data interchange (EDI) for claims submission, claims status, referrals and eligibility
Establish patient’s right to Privacy
Protect patient health information by setting and enforcing Security Standards
Promote the attainment of a complete Electronic Medical Record (EMR)
![Page 7: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/7.jpg)
7
HIPAA CharacteristicsHIPAA Characteristics
HIPAA is forever and compliance is an ever-changing target
HIPAA is more about process than technology
HIPAA is about saving $$ and delivering improved healthcare
HIPAA is policy-based (documentation is the key)
HIPAA advocates cost-effective, reasonable solutions
HIPAA should be applied with a great deal of “common sense”
![Page 8: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/8.jpg)
8
Privacy - information about one person
Confidentiality - keeping private information shared with a second person a secret
Security - controls used to protect confidential information from unauthorized people
“A right”
“A condition”…and a responsibility
“A safeguard”
Privacy vs. Confidentiality vs. SecurityPrivacy vs. Confidentiality vs. Security
![Page 9: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/9.jpg)
9
If SECURITYSECURITY fails,
a breach of CONFIDENTIALITYCONFIDENTIALITY occurs,
and PRIVACYPRIVACY of the individual is breached.
Privacy vs. Confidentiality vs. SecurityPrivacy vs. Confidentiality vs. Security
![Page 10: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/10.jpg)
10
Protecting Confidential InformationProtecting Confidential Information
Providing patients with quality healthcare also includes protecting their confidential information.
![Page 11: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/11.jpg)
11
Security – The Privacy RuleSecurity – The Privacy Rule 164.530 (c)
Standard: safeguards. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information
Implementation specification: safeguards. A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.
![Page 12: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/12.jpg)
12
HIPAA Statutory- Security [USC 1320d-2(d)(2)]HIPAA Statutory- Security [USC 1320d-2(d)(2)] “Each covered entity who maintains or
transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards : (A) to ensure the integrity and confidentiality of the information; and (B) to protect against any reasonably anticipated (i) threats or hazards to the security or integrity of the information; and (ii) unauthorized uses or disclosures of the information; and (C) otherwise to ensure compliance with this part by the officers and employees of such person”
Is in Effect Now!
![Page 13: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/13.jpg)
13
Final Privacy vs. SecurityFinal Privacy vs. Security
“There should be no potential for conflict between the safeguards required by the Privacy Rule and the final Security Rule… First, while the Privacy Rule applies to protected health information in all forms, the Security Rule will apply only to electronic health information systems that maintain or transmit individually identifiable health information. Thus, all safeguards for protected health information in oral, written, or other non-electronic forms will be unaffected by the Security Rule.”
Therefore, PHI in both electronic and paper formats must be secure !!
![Page 14: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/14.jpg)
14
Privacy Rule vs. Security Rule
Privacy Rule vs. Security Rule
Privacy Standard Minimum use- payment
& operations, not treatment
Notice of Privacy Practices/Designated Record Set
Incidental use and disclosure if and only if…
Verification of requestor
Sanctions Business Associate
Contracts
Security Requirement Access control Authentication Network Controls Training Reasonable safeguards Workstation controls: use;
location (physical and technical)
Authentication/ Authorization Audit trails Chain-of-Trust Agreements
![Page 15: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/15.jpg)
15
![Page 16: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/16.jpg)
16
Security FrameworkSecurity Framework
Are based upon good business practices
Tell you What to do not How to do it
Each affected entity Must assess own security needs and risks
and
Devise, implement, and maintain appropriate security to address business requirements
HIPAA
![Page 17: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/17.jpg)
17
Security GoalsSecurity Goals
Confidentiality
Integrity
Availability
of protected health information
![Page 18: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/18.jpg)
18
BS 7799/ISO 17799BS 7799/ISO 17799
Security Policy Security Organization Asset Classification and Control Personnel Security Physical and Environmental Security Communications and Operations
Management Access Control Systems Development and Maintenance Business Continuity Management Compliance
Standard Areas of Business Security
![Page 19: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/19.jpg)
19
Security is Good BusinessSecurity is Good Business
No such thing as 100% security “Reasonable measures” need to
be taken to protect confidential information (due diligence)
A balanced security approach provides due diligence without impeding health care
Good security can reduce liabilities- patient safety, fines, lawsuits, bad public relations
![Page 20: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/20.jpg)
20
Benefits of SecurityBenefits of Security
Security can protect confidential information {Can have security by itself, but Cannot have Privacy without Security}
Health care organizations can build patient trust by protecting their confidential information.
Trust between patient and provider improves the quality of health care
![Page 21: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/21.jpg)
21
Security Standards Security Standards can be grouped into four categories:• Administrative safeguards -
comprehensive security policies and procedures; security training
• Physical safeguards -data integrity, backup, access, workstation location
• Technical security services -measures to protect patient information and control individual access to such information when it is at rest
• Technical security mechanisms -security measures to guard against unauthorized access to data when it is transit
![Page 22: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/22.jpg)
22
HIPAA = Culture ChangeHIPAA = Culture Change
Organizational
Culture
Technology
Organizational culture will have a greaterimpact on security than technology.
![Page 23: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/23.jpg)
23
Security Standards Security StandardsWhat do they mean for covered entities? Procedures and systems must be updated to
ensure that health care data is protected. Written security policies and procedures must be
created and/or reviewed to ensure compliance. Employees must receive training on those policies
and procedures. Access to data must be controlled through
appropriate mechanisms (for example: passwords, automatic tracking of when patient data has been created, modified, or deleted).
Security procedures/systems must be certified (self-certification is acceptable) to meet the minimum standards.
![Page 24: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/24.jpg)
24
Consequences of Inadequate Security
Civil Lawsuit Financial loss Criminal Penalties
Fines and prison time Reputation Lack of confidence and trust
Violation of patient privacy may result in:
![Page 25: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/25.jpg)
25
Or Worse…Or Worse…
A breach in security could damage your organization’s reputation and continued viability.
“There is a news crew from 60 Minutes in the lobby. They want to speak to to you about an incident that violated a patient’s privacy.”
![Page 26: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/26.jpg)
26
![Page 27: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/27.jpg)
27
Steps Toward Compliance…Steps Toward Compliance… Establish good security practices
Train the workforce Update policies and procedures
Make sure your business associates and vendors help enable your compliance efforts
![Page 28: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/28.jpg)
28
Administrative Procedures Checklist
Administrative Procedures Checklist
Contracts with every business partner who processes PHI (Confidentiality)
Contingency Plans (Availability/Integrity)
Written Policies regarding routine and non-routine handling of PHI (Confidentiality)
Audit logs and reports of system access (Confidentiality)
Information Systems Security Officer
![Page 29: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/29.jpg)
29
Administrative Procedures Checklist…
Administrative Procedures Checklist…
HR policies re security clearances, sanctions, terminations (Confidentiality)
Security Training (Confidentiality) Security Plans for each system-all phases
of SDLC; periodic recertification of requirements (Confidentiality/Integrity/Availability)
Risk Management (Risk Analysis) Process (Confidentiality/Integrity/Availability)
Security Incident reporting process (Confidentiality)
![Page 30: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/30.jpg)
30
Physical Security Safeguards Checklist
Physical Security Safeguards Checklist
Policies and Procedures regarding data, software, hardware into and out of facilities (Integrity/Confidentiality/Availability)
Physical access limitations- equipment, visitors, maintenance personnel (Confidentiality)
Secure computer room/data center (Confidentiality)
![Page 31: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/31.jpg)
31
Physical Security Safeguards Checklist…
Physical Security Safeguards Checklist…
Workstation policies and procedures (Confidentiality)
Workstation location to isolate PHI from unauthorized view/use (Confidentiality)
![Page 32: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/32.jpg)
32
Technical Security Services (data @ rest)
Checklist
Technical Security Services (data @ rest)
Checklist Authentication Policies and
Procedures- one factor/two factor/three factor (Confidentiality)
Access Controls (Confidentiality) Data Verification and Validation
Controls (Integrity) Audit Controls Emergency Access (Availability)
Procedures
![Page 33: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/33.jpg)
33
Technical Security Mechanisms (data in transit)
Checklist
Technical Security Mechanisms (data in transit)
Checklist VPN or Internet; Intranet/Extranet (Confidentiality/Integrity/Availability)
Closed or Open System (Confidentiality/Integrity)
Encryption Capabilities (Confidentiality/Integrity)
Alarm features to signal abnormal activity or conditions- event reporting (Confidentiality/Integrity/Availability)
![Page 34: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/34.jpg)
34
Technical Security Mechanisms (data in transit)
Checklist…
Technical Security Mechanisms (data in transit)
Checklist…
Audit trails (Confidentiality) Determine that the message is
intact, authorized senders and recipients, went through unimpeded (Integrity)
Messages that transmission signaling completion and/or operational irregularities (Integrity/Availability)
![Page 35: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/35.jpg)
35
Security Compliance Areas: Security Compliance Areas: Training and Awareness Policy and Procedure Review System Review Documentation Review Contract Review Infrastructure and Connectivity
Review Access Controls Authentication Media Controls
![Page 36: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/36.jpg)
36
Security Compliance Areas…:Security Compliance Areas…: Workstation Emergency Mode Access Audit Trails Automatic Removal of Accounts Event Reporting Incident Reporting Sanctions
![Page 37: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/37.jpg)
37
New Security Practices RequiredNew Security Practices Required
Media Controls Automatic Logoff Personnel Security Practices
Clearances Terminations
Technical Security Policies Protection of Data at Rest Data in Transmission
![Page 38: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/38.jpg)
38
Existing Practices to EvaluateExisting Practices to Evaluate Trash/Recycle/Shred
Unattended Computers Wireless Technology E-Mail
![Page 39: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/39.jpg)
39
System ReviewSystem Review
Inventory of Systems (updated from Y2K)
Data flows of all patient-identifiable information both internally and externally
Identify system sources and sinks of patient data and associated system vendors/external business partners
![Page 40: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/40.jpg)
40
Documentation Review- “if it has been documented, it hasn’t been done”!
Documentation Review- “if it has been documented, it hasn’t been done”! Policies and Procedures dealing
with accessing, collecting, manipulating, disseminating, transmitting, storing, disposing of, and protecting the confidentiality of patient data both internally (e-mail) and externally
Medical Staff By-laws Disaster Recovery/Business
Continuity Plans
![Page 41: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/41.jpg)
41
Contract ReviewContract Review
Vendor responsibility for enabling HIPAA compliance both initially and with upgrades as the regulations change
Business Associate Contracts/Chain of Trust not only with systems vendors but also with billing agents, transcription services, outsourced IT, etc.
Confidentiality agreements with vendors who must access patient data for system installations and maintenance (pc Anywhere)
![Page 42: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/42.jpg)
42
Infrastructure & Connectivity Review
Infrastructure & Connectivity Review
System Security Plans exist for all applications
Hardware/Software Configuration Management/Change Control Procedures- procedures for installing security patches
Security is one of the mandated requirements of the Systems Development Life Cycle
Network security- firewalls, routers, servers, intrusion detection regularly tested with penetration attempts, e-mail, Internet connectivity
E-commerce initiatives involving patient data PDAs
![Page 43: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/43.jpg)
43
Access/Authorization ControlsAccess/Authorization Controls
Only those with a “need to know”- principle of least privilege
Based on user, role, or context determines level
Must encrypt on Internet or open system
Procedure to obtain consent to use and disclose PHI
Physical access controls- keypads, card reader/proximity devices, escort procedures, sign-in logs
![Page 44: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/44.jpg)
44
Media ControlsMedia Controls
Policy/Procedure for receipt and removal of hardware and software (virus checking, “foreign” software); wipe or remove PHI from systems or media prior to disposal
Disable print capability, A drive, Read Only
Limit e-mail distribution/Internet access E-fax as an alternative Encourage individual back-up or store on
network drive/ password protect confidential files
![Page 45: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/45.jpg)
45
Workstation* UseWorkstation* Use
* (Applies to monitors, fax machines, printers, copy machines)
Screen Savers/Automatic Log Off Secure location to minimize the
possibility of unauthorized access to individually identifiable health information
Install covers, anti-glare screens, or enclosures if unable to locate in a controlled access area
Regular updates of anti-virus software
![Page 46: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/46.jpg)
46
Web - Hype Vs. RealityWeb - Hype Vs. Reality
Sandra Bullock - “The Net”
What is the real threat?
![Page 47: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/47.jpg)
47
Server ChecklistServer Checklist
In a locked room? Connected to UPS?-surge protector?-
regular tests conducted? Protected from environmental
hazards? Are routine backups done?- how
often?-where are they stored?- tested regularly?- has the server ever been restored from backup media?
Anti-virus software running on server? Is access control monitored? etc., etc.
![Page 48: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/48.jpg)
48
Strong Passwords (guidelines)Strong Passwords (guidelines) At least 6 characters in length (with
at least one numeric or special character)
Easy to remember Difficult to guess (by a hacker) Don’t use personal data, words
found in a dictionary, common abbreviations, team names, pet names, repeat characters
Don’t index your password each time you change it
![Page 49: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/49.jpg)
49
Termination ProceduresTermination Procedures
Documentation for ending access to systems when employment ends
Policies and Procedures for changing locks, turning in hardware, software, remote access capability
Removal from system accounts
![Page 50: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/50.jpg)
50
SanctionsSanctions
Must be spelled out Punishment should fit the crime Enforcement Documentation “Teachable Moment”- Training
Opportunity
![Page 51: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/51.jpg)
51
Incident Report and HandlingIncident Report and Handling
Can staff identify an unauthorized use of patient information?
Do staff know how to report security incidents?
Will staff report an incident? Do those investigating security
incidents know how to preserve evidence?
Is the procedure enforced?
Security Incident Reporting: Categorizing Incident Severity & Resolution
![Page 52: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/52.jpg)
52
Steps Toward Compliance…Steps Toward Compliance…
Identify Business Associates Query department directors Compare against contracts file Compare information against
accounts payable files
Develop Business Associate Contract (BAC) language, then negotiate BACs
![Page 53: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/53.jpg)
53
Business & Technology VendorsBusiness & Technology Vendors
Billing and Management Services Data Aggregation Services Software Vendors Biomedical Equipment Vendors PDA Vendors Application Service
Providers/Hosting Services Transcription Services
![Page 54: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/54.jpg)
54
Vendor/Covered Entities IssuesVendor/Covered Entities Issues
New risks for both sides Vendor cannot make a Covered Entity
“HIPAA Compliant” Only Covered Entities and Business
Associates can be HIPAA compliant HIPAA Security compliance is a
combination of business process + human interaction + technology
Vendors may ask for indemnification if covered entities do not implement systems completely to utilize all “features”
![Page 55: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/55.jpg)
55
Vendor QuestionsVendor Questions
What features specifically have you incorporated into your products to support HIPAA Security and Privacy requirements; e.g., session time-outs, access controls, authorizations, backups and recovery, reporting of attempted intrusions, data integrity, audit trails, encryption algorithms, digital signatures, password changes?
![Page 56: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/56.jpg)
56
Vendor QuestionsVendor Questions
Virus checks each time a PDA is synchronized with a laptop or desktop to avoid transmitting garbled information, missed appointments, faulty diagnoses, erroneous prescriptions…; authenticating access; encryption to guard against intercepts
Encryption software updates as the technology develops
Smart card or biometrics to log on and access files and information on PDAs, desktops, and laptops
![Page 57: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/57.jpg)
57
Vendor QuestionsVendor Questions
Will any of these features have an adverse impact on system
performance- response time, throughput,
availability?
![Page 58: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/58.jpg)
58
Vendor QuestionsVendor Questions
Are these capabilities easily upgradeable without scrapping the current system as HIPAA matures?;
Will I have to pay for them or will they
be part of regular maintenance?
![Page 59: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/59.jpg)
59
Vendor QuestionsVendor Questions
Are you participating in any of the national forums like WEDI SNIP,
CPRI, NCHICA, etc. that are attempting to identify best practices for HIPAA compliance?
![Page 60: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/60.jpg)
60
VendorsVendors
Vendors cannot make you HIPAA-compliant- will “enable”
You need to be an informed buyer
Create a business associate contract that is favorable to you
HIPAA will be continuously fine-tuned- build growth potential in your systems at no or minimal cost
![Page 61: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/61.jpg)
61
Task Status
Designate a privacy and security officer or manager
Communicate the privacy and security officer designation to the workforce
Appoint a HIPAA project manager
Appoint a cross-functional HIPAA project steering committee
Establish HIPAA subcommittees
Conduct a HIPAA readiness assessment
The clock is running. What is your readiness?
Key: = Done = In Progress
HIPAA Security Readiness Scorecard
..\HIPAA Security Readiness Scorecard Doc3.doc
![Page 62: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/62.jpg)
62
![Page 63: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/63.jpg)
63
Reasonableness/Common Sense Reasonableness/Common Sense
Administrative Simplification Provisions are aimed at process improvement and saving money
Healthcare providers and payers should not have to go broke becoming HIPAA-compliant
Expect fine-tuning adjustments over the years
![Page 64: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/64.jpg)
64
A Balanced Approach
$Risk
Cost of safeguards vs. the value of the information to protect
Security should not impede care Security and Privacy are inextricably linked Your organization’s risk aversion
![Page 65: HIPAA’s Security Regulations](https://reader031.vdocuments.us/reader031/viewer/2022032709/568131c8550346895d983033/html5/thumbnails/65.jpg)
65
Due Diligence!Due Diligence!
Remember: