Transcript Document
"I haven't heard of HIPAA,
but I can hip hop."
HIPAA Security Standards
Final Rule
Some Tips & Updates for
HME/Rehab Providers
Mark J. Higley
Vice President - Development
The VGM Group
In this Presentation…
Privacy Rule Status
Quick Update on TCS
Introduction to the Security
Standards
Let’s Get Started!
By Now, You All Know what
HIPAA is…right?
Healthcare
In
Pain
And
Agony (again)
The Big Picture
HIPAA implementation of the
standards does not have to be any type
of major burden on the average
HME/Rehab provider, especially not
an economic burden.
Privacy Rule In Effect
The Privacy compliance date is
now effective (April 14, 2003).
Many providers are not yet
compliant.
As of February 2004, OCR, the HHS
division responsible for HIPAA
Privacy, received 4,266 complaints of
HIPAA privacy violations since the
law took effect.
Primary reasons for the
violations
Incidental disclosure of individually
identifiable health information
Lack of adequate safeguards
Not providing a copy of records to patients
Disclosure of more than necessary
information
Failure to give notice of privacy practice
But…
OCR has closed 42% of these cases.
Most situations were resolved, a
course of action was taken, or an
investigation took place but no
violation was found.
Bottom Line: No fines have been
levied as a result of a HIPAA privacy
violation!
Confused by some of the
details of the Privacy Rule?
The HIPAA Privacy Rule remains as
a source of great confusion among
providers and others within the health
care community.
VGM can help! Just call or email.
Consultation is free to all!
Training is Required!
All employees and members of your work
force who have access to protected health
information need HIPAA training! This
PowerPoint will assist you in satisfying the
training requirement!
For governmental
information on HIPAA……
e-mail your questions to
[email protected]
Call the CMS HIPAA HOTLINE 1-866-627-7748
Log onto the CMS HIPAA web site:
http://www.cms.hhs.gov/hipaa
For Privacy inquiries only:
Check out:
http://www.hhs.gov/ocr/hipaa
Call : 1-866-627-7748
For information on HIPAA
that you can understand
(!!)…
e-mail your questions to
[email protected]
Call : 1-800-642-6065
Before we discuss the
Security Standards….
Let’s Get A Quick Update
on TCS (that’s electronic
transactions and code
sets).
October 16, 2003 Electronic
Transactions…Many
Months Later
As many expected, there is trouble in
the government's “paradise of
standardization”.
Slower payments, poor customer
service and confusion over what is or
is not allowed in terms of paper claims
are just a smidgen of reported
problems
It will take more time to sort out
exactly what is going on
and where the problems lie.
Examples:
Published companion documents that
never came
Lack of published contingency plans
One large payer has stopped accepting
electronic claims due to discrepancies
in formats.
This has a negative impact
on HME providers who have
been used to submitting
electronically
Some are dropping back to paper
claims…and cash flows suffer as the
paper claims are processed.
But… As You Know…
Medicare & most state Medicaid
agencies still accept electronic claims
in a proprietary format (operating
under a “contingency plan”). For the
latest information on your particular
state’s contingency plan please review
its “HIPAA Implementation Status
Update and Contingency Plan
Information” at the appropriate
Medicaid website.
Let’s Discuss Medicaid
State contingency plans include
the capability to continue to
accept and process existing
formats, including data values and
codes within these formats.
Old Formats OK
States will continue to accept existing
formats and codes for a period of time
until their individual trading partners have
successfully completed testing the
HIPAA compliant electronic
transactions.
State contingency plans also include
accepting existing formats that have been
generated by converting HIPAA
compliant formats.
Testing Update
To date, testing of these transactions
has been limited. Consequently, the
conversion of data in these formats
will depend on the ability of the
clearinghouse or software vendor to
correctly translate the data required
for adjudication in a timely fashion.
Formats & Codes
Medicaid strongly encourages providers to
instruct their billing services and software
vendors to continue using current formats
and codes, until these entities have
demonstrated to the providers successful
HIPAA testing results with all parties
involved in transmitting electronic claims to
payers.
Let’s get back to the
Security Standards!
Introduction
To a great extent, the Security Rule
puts the HIPAA spotlight on your
information technology/systems
staff. Whether you have just one
information system manager or a
full CIO with I/T staff, these
“technical executives” must develop
and implement cost-effective
organization-wide security
programs.
Of course, your entire management
team should play an important
strategic planning role before practical
measures are implemented. As
healthcare organizations look toward
developing annual budgets, the
executive team should be asking such
questions as:
What are the security risks to my
organization - and which are the
highest priority?
What measures should be considered
for our plan to reduce risk and become
HIPAA Security compliant?
How much should we budget (money,
resources) for security?
Why Comply with the
Security Rule?
HIPAA and good business practices
dictate that we safeguard patient
information entrusted to us.
But…perhaps just as importantly, the
standards address security risks that
could severely affect your business
operations!
Potential Risks:
Loss of financial cash flow
Permanent loss or corruption of electronic
protected health information (ePHI)
Temporary loss or unavailability of medical
records
Loss of physical assets (computers, etc.)
Damage to reputation and public confidence
Threats to patient safety
Threats to employee safety
The Standards…
Will be effective April 21, 2005
for healthcare providers
Applies only to “Electronic Protected
Health Information” (EPHI) that a
healthcare provider - and all covered
entities - “creates, receives, maintains,
or transmits”
The Standards…
Are separated into three groups:
Administrative Safeguards
Physical Safeguards
Technical Safeguards.
Less Specific Than the
Privacy Rule!
The final Security standards are
essentially a model for information
security, with less specific guidance
on how to implement it.
General Requirements
of the Standards…
Ensure:
Confidentiality (only the right people
see it)
Integrity (the information is what it is
supposed to be – it hasn’t been
changed)
Availability (the right people can see
it when needed)
General Requirements
Protect against reasonably anticipated
threats or hazards to the security or
integrity of information;
Protect against reasonably anticipated
uses and disclosures not permitted by
privacy rules
Ensure compliance by workforce
Regulation “Themes”
Scalability/Flexibility (*)
Healthcare providers can take into account:
• Size
• Complexity
• Capabilities
• Technical Infrastructure
• Cost of procedures to comply
• Potential security risks
(*) Remember these terms from the Privacy
Rule???
Regulation “Themes”
Technologically Neutral
What needs to be done, not how
Comprehensive
Not just technical aspects, but
behavioral as well
How HHS Is Attempting To
Accomplish This
Develop Standards That Are
Required and Include:
“Implementation specifications”
which provide additional detail and
can be either required or addressable.
What did you just say???
(OK, We thought that
might confuse some
of you. Let’s try it
again!)
Try again:
The new Security rules, just like the
Privacy rules, have "standards" - what
must be done by healthcare providers
to comply….
And "implementation specifications" –
which include “how to do it”.
Before we get too detailed….
Q. What about some model forms,
policies and procedures - like we had
for the Privacy Rules???
A. Good question! HHS has
promised more specifics in the future
and to provide model guidance
documents.
And…
VGM will compile these documents,
adapt them to HME/Rehab, and will
make them available to
providers…probably on the Web site.
As the compliance date is not until
2005, we have a little time!
OK…Back to the
specifics…what’s
“Addressable”?
If an implementation specification is
addressable, a healthcare provider
can:
Implement it…if it is reasonable and
appropriate
Implement an equivalent measure, if
that is reasonable and appropriate
Not implement it at all
Again…the standards are
separated into three groups:
(*)
Administrative Safeguards
Physical Safeguards
Technical Safeguards.
(*) We’ve
developed a chart that lists all of the
standards and includes whether
implementation is required or
“addressable”. See your handouts!
Administrative Safeguards…
Make up 50% of the Security Rule's
standards. In general, they require
documented policies and procedures
for day-to-day operations; managing
the conduct of employees with PHI;
and managing the selection,
development, and use of security
controls.
Give me an example of an
Administrative Safeguard
OK. All healthcare providers must
designate a "security official," to be
"responsible for the development and
implementation of the policies and
procedures" required by the Security
Rule
Physical Safeguards…
Are a series of security measures
meant to protect a healthcare
provider’s electronic information
systems, as well as related buildings
and equipment, from natural hazards,
environmental hazards, and
unauthorized intrusion. The measures
include both administrative policies
and physical controls.
Give me an example of a
Physical Safeguard
OK. Workstation security. This
standard requires "implementation of physical
safeguards for all workstations that
access electronic protected health
information to restrict access to
authorized users."
Technical Safeguards…
Are made up of several security
measures that specify how to use
technology to protect EPHI.
Give me an example of a
Technical Safeguard
OK. “Access controls”, which are
your technical policies and procedures
for the electronic information systems
that maintain EPHI, allowing
access only to those persons or
software programs that have been
granted access rights.
“Implementation Specifications”
As noted before, these three safeguard
categories are further divided into
"implementation specifications" that
define how each of the standards is to
be implemented. In some cases, the
standard itself contains enough
information to describe
implementation requirements, so there
is no separate specification.
I Heard We Must Purchase
Encryption Software!!
First of all…encryption is addressed
in the Technical Safeguards under the
“transmission security” standards.
These include technical security
mechanisms to guard against
unauthorized access to EPHI that is
being transmitted over an electronic
communications network.
…
The standard has two implementation
specifications, both of which are
addressable: integrity controls, and
encryption.
The first includes "security measures to
ensure that electronically transmitted
electronic protected health information is
not improperly modified without detection
until disposed of." The second embraces
"mechanisms to encrypt electronic [PHI]
deemed appropriate."
Encryption not required!!
The standard does not mandate any
particular set of integrity controls,
such as encryption, for all
transmissions. Now the healthcare
provider must decide, following its
own risk analyses (*), what degree of
protection is appropriate in each
circumstance.
(*) We’ll discuss “risk analysis” next…
Risk Analysis
The HIPAA Security Rule requires
healthcare providers to have a risk
management program in place to
evaluate the value of the assets, the
potential for a loss or disclosure, and
the cost of additional
countermeasures.
Risk Analysis
It is a Required specification!
Possible Resource: NIST Risk Management
Guide for Information Technology Systems (SP 800-30)
http://www.nist.gov
Risk Analysis Steps
(we’ll go through each one of these
in a minute…)
Review data systems
Identify threats/vulnerabilities
Evaluate security controls
Assess likelihood
Consider impact
Determine risk
Review Data Systems
Hardware
Software
Data storage locations
Modes of data transit
Data sensitivity
Primary Users
Identify Threats
Natural/Environmental disasters, such
as electrical storms, flood, tornado,
chemical spills
Human threats, such as accidental
data erasure or entry, hackers,
computer viruses, theft
Vulnerabilities, such as internal
weaknesses or flaws
Evaluate Security Controls
Preventive:
Access restrictions
Password authentication
Effective staff training
Environmental controls
Detective:
Audit trails
Alarms
Assess likelihood
Of each identified threat
With consideration to controls
Accidental data erasure
but files are backed up every
night??
High, Moderate, Low ?
Consider Impact
Of data
release
manipulation
temporary or permanent
inaccessibility
Temporary data erasure
but files are backed up every night??
High, Moderate, Low ?
Determine Risk
Likelihood Determination
Impact Assessment
Moderate likelihood, low impact
Sufficient controls in place?
High likelihood, high impact
Additional protections needed.
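The six risk analysis steps above, carried through in code as an added example (not from this deck or VGM). The three-level scale, the one-level reduction per applicable control, and the HME billing-office inventory are all constructed assumptions in the spirit of NIST SP 800-30.

```python
"""Risk determination for the six steps above (added example, not from the deck).
The 3x3 matrix, the one-level reduction per control and the inventory are constructed."""
from collections import namedtuple

LEVELS = ("Low", "Moderate", "High")
# Threat: identified threat, the data system it affects, raw likelihood and impact.
Threat = namedtuple("Threat", "name system likelihood impact")
# Control: preventive controls reduce likelihood; backups/detective controls limit impact.
Control = namedtuple("Control", "name reduces mitigates")

def step_down(level: str) -> str:
    """Drop one level (High -> Moderate -> Low) when a control applies."""
    return LEVELS[max(0, LEVELS.index(level) - 1)]

def determine_risk(likelihood: str, impact: str) -> str:
    """Likelihood x impact matrix: Moderate/Low -> Low, High/High -> High."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "Low" if score <= 1 else "Moderate" if score == 2 else "High"

def assess(threat: Threat, controls: list) -> dict:
    """Steps 3-6: apply each relevant control, then rate the residual risk."""
    likelihood, impact, applied = threat.likelihood, threat.impact, []
    for c in controls:
        if threat.name in c.mitigates:
            applied.append(c.name)
            if c.reduces == "likelihood":
                likelihood = step_down(likelihood)
            else:
                impact = step_down(impact)
    risk = determine_risk(likelihood, impact)
    action = "Additional protections needed" if risk == "High" else "Sufficient controls in place?"
    return {"threat": threat.name, "system": threat.system, "controls": applied,
            "likelihood": likelihood, "impact": impact, "risk": risk, "action": action}

# Constructed inventory for a small HME billing office.
THREATS = [
    Threat("Accidental data erasure", "billing server", "High", "High"),
    Threat("Computer virus", "front-desk workstations", "High", "High"),
    Threat("Electrical storm", "billing server", "Low", "High"),
]
CONTROLS = [
    Control("Nightly backup", "impact", ("Accidental data erasure", "Electrical storm")),
    Control("Access restrictions", "likelihood", ("Accidental data erasure",)),
    Control("Staff training", "likelihood", ("Accidental data erasure", "Computer virus")),
]

if __name__ == "__main__":
    for r in (assess(t, CONTROLS) for t in THREATS):
        print(f"{r['threat']:<24} {r['likelihood']}/{r['impact']} -> {r['risk']}: {r['action']}")
```

Run as-is it shows that nightly backups plus training bring erasure down to low residual risk, while training alone leaves the virus threat high, which is where the "Protection from Malicious Software" specification would come in.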
Quick review of standards
Administrative Standards
Security Management
Risk analysis (R)
Risk management (R)
Sanction Policy (R)
Information System Activity Review (R)
Assigned Responsibility
Administrative Standards
Workforce Security
Authorization and/or Supervision (A)
Clearance Procedures (A)
Termination procedures (A)
Information Access Management
Isolate Clearinghouse Function (R)
Access Authorization (A)
Access Establishment/Modification
(A)
Administrative Standards
Security Awareness and Training
Security Reminders (A)
Protection from Malicious Software
(A)
Log-in Monitoring (A)
Password Management (A)
Security Incident Procedures
Response and Reporting (R)
Administrative Standards
Contingency Plan
Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Operations Plan (R)
Testing and Revision Procedure
(A)
Applications and Data Criticality
(A)
Administrative Standards
Evaluation
Business Associate Contracts
Written Contract (or other
arrangement) (R)
Physical Standards
Facility Access Controls
Contingency Operations (A)
Facility Security Plan (A)
Access Control & Validation
Procedures (A)
Maintenance Records (A)
Workstation Use
Physical Standards
Workstation Security
Device and Media Controls
Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup & Storage (A)
Technical Standards
Access Control
Unique User Id (R)
Emergency Access (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Audit Controls
Technical Standards
Integrity
Mechanism to Authenticate ePHI
(A)
Person or Entity Authentication
Transmission Security
Integrity Controls (A)
Encryption (A)
Regulation Dates
Published February 20, 2003
http://aspe.hhs.gov/admnsimp/
Compliance Date: April 21, 2005 for
all covered entities except small health
plans
April 21, 2006 for small health plans
Implementation Approach
Do Risk Analysis – Document
Based on Analysis, determine how to
implement each standard and
implementation specification – Document!
Develop Security Policies and Procedures–
Document!
Train Workforce
Implement Policies and Procedures
Periodic Evaluation
Security Summary
Scalable, flexible approach
Standards that make good business
sense
One year, one month to
implementation!
You will want to begin to…
Establish and document policies and
procedures relating to information
security
Establish physical safeguards of computer
systems, equipment and buildings
Review technical security to protect the
confidentiality and integrity of
information and control and monitor
access
Safeguard systems against external threats
Important!
You should not panic and think
Security is going to cost you a
fortune. Don’t let vendors talk
you into purchasing encryption
and other “safeguards”. Think
before you buy and let common
sense and reason be your other
guide!
FINAL COMMENTS
And finally, remember :
Be Flexible
Be Scalable
(& Don’t forget
reasonable!)
It is 2004.
Remember the Privacy
Rule Is Now Effective!
START NOW!