HIPAA Security Final Rule Overview
HIPAA Security Final Rule
Overview
April 9, 2003
Karen Trudel
Publication Information
Printed in Federal Register 2/20/03
– Volume 68, No. 34, pages 8334 - 8381
Effective Date 4/21/03
Compliance Date 4/21/05 (4/21/06 for Small Health Plans)
Document can be located at www.cms.hhs.gov/hipaa/hipaa2
Purpose
Ensure integrity, confidentiality and availability of electronic protected health information
Protect against reasonably anticipated threats or hazards, and improper use or disclosure
Scope
All electronic protected health information (EPHI)
In motion AND at rest
All covered entities
Security vs. Privacy
Closely linked
Security enables Privacy
Security scope larger – addresses confidentiality PLUS integrity and availability
Privacy scope larger – addresses paper and oral PHI
Security Standards General Concepts
Flexible, Scalable
– Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
Comprehensive
– Cover all aspects of security – behavioral as well as technical
Technology Neutral
– Can utilize future technology advances in this fast-changing field
Standards
Standards are general requirements
Eighteen administrative, physical and technical standards
Four organizational standards (conditional)
– Hybrid entity, affiliated entities, business associate contracts, group health plan requirements
Two overarching standards
– Policies and procedures, documentation
Standards vs. Implementation Specifications
Implementation specifications are more specific measures that pertain to a standard
36 implementation specifications for administrative, physical and technical standards
– 14 mandatory, 22 addressable
Implementation specifications may be:
– Required
– Addressable
Required vs. Addressable
Required – Covered entity MUST implement the specification in order to successfully implement the standard
Addressable – Covered entity must:
• Consider the specification, and implement if appropriate
• If not appropriate, document reason why not, and what WAS done in its place to implement the standard
Administrative Safeguards
Standards, sections, and implementation specifications; (R) = Required, (A) = Addressable
Security Management Process – 164.308(a)(1)
– Risk Analysis (R)
– Risk Management (R)
– Sanction Policy (R)
– Information System Activity Review (R)
Assigned Security Responsibility – 164.308(a)(2) (R)
Workforce Security – 164.308(a)(3)
– Authorization and/or Supervision (A)
– Workforce Clearance Procedure (A)
– Termination Procedures (A)
Information Access Management – 164.308(a)(4)
– Isolating Health Care Clearinghouse Function (R)
– Access Authorization (A)
– Access Establishment and Modification (A)
Security Awareness and Training – 164.308(a)(5)
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures – 164.308(a)(6)
– Response and Reporting (R)
Contingency Plan – 164.308(a)(7)
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)
Evaluation – 164.308(a)(8) (R)
Business Associate Contracts and Other Arrangements – 164.308(b)(1)
– Written Contract or Other Arrangement (R)
Physical Safeguards
Standards, sections, and implementation specifications; (R) = Required, (A) = Addressable
Facility Access Controls – 164.310(a)(1)
– Contingency Operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)
Workstation Use – 164.310(b) (R)
Workstation Security – 164.310(c) (R)
Device and Media Controls – 164.310(d)(1)
– Disposal (R)
– Media Re-use (R)
– Accountability (A)
– Data Backup and Storage (A)
Technical Safeguards (see § 164.312)
Standards, sections, and implementation specifications; (R) = Required, (A) = Addressable
Access Control – 164.312(a)(1)
– Unique User Identification (R)
– Emergency Access Procedure (R)
– Automatic Logoff (A)
– Encryption and Decryption (A)
Audit Controls – 164.312(b) (R)
Integrity – 164.312(c)(1)
– Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication – 164.312(d) (R)
Transmission Security – 164.312(e)(1)
– Integrity Controls (A)
– Encryption (A)
Bottom Line…
All standards MUST be implemented
Using a combination of required and addressable implementation specifications and other security measures
Need to document choices
This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks
Risk Analysis
What PHI do you hold?
What do business associates hold on your behalf?
– Examples: billing service, accountant, medical transcription service
What are the potential risks to that data?
– Examples: “hackers”, loss of data due to not backing up
“Gap analysis”…
– What measures are already in place to address risks vs.
– What additional measures seem to be needed
Security is not an Exact Science
No one-size-fits-all approach
Enforcement will stress reasonableness and due diligence
Take advantage of flexibility
Security does not have to be expensive
Resources
CMS will be developing technical assistance materials
– Security video in the works
– Checklists and other informational papers
WEDI-SNIP has good resources
– www.wedi.org/snip
Resources
CMS website
– www.cms.hhs.gov/hipaa/hipaa2
– Contains news of upcoming events, FAQs, technical assistance documents
E-mail box
– [email protected]
HIPAA hotline
– 1-866-282-0659
Upcoming Events
Satellite broadcast of “HIPAA 101” Video
– April 16
Next HIPAA Roundtable Audioconference
– April 30
Details on CMS website
Questions?