HIPAA Security Final Rule Overview
April 9, 2003
Karen Trudel
Publication Information
• Printed in Federal Register 2/20/03
  – Volume 68, No. 34, pages 8334-8381
• Effective Date 4/21/03
• Compliance Date 4/21/05 (4/21/06 for Small Health Plans)
• Document can be located at www.cms.hhs.gov/hipaa/hipaa2
Purpose
• Ensure integrity, confidentiality and availability of electronic protected health information
• Protect against reasonably anticipated threats or hazards, and improper use or disclosure
Scope
• All electronic protected health information (EPHI)
• In motion AND at rest
• All covered entities
Security vs. Privacy
• Closely linked
• Security enables Privacy
• Security scope larger: addresses confidentiality PLUS integrity and availability
• Privacy scope larger: addresses paper and oral PHI as well as electronic
Security Standards General Concepts
• Flexible, Scalable
  – Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
• Comprehensive
  – Cover all aspects of security, behavioral as well as technical
• Technology Neutral
  – Can utilize future technology advances in this fast-changing field
Standards
• Standards are general requirements
• Eighteen administrative, physical and technical standards
• Four organizational standards (conditional)
  – Hybrid entity, affiliated entities, business associate contracts, group health plan requirements
• Two overarching standards
  – Policies and procedures, documentation
Standards vs. Implementation Specifications
• Implementation specifications are more specific measures that pertain to a standard
• 36 implementation specifications for the administrative, physical and technical standards
  – 14 required, 22 addressable
• Implementation specifications may be:
  – Required
  – Addressable
Required vs. Addressable
• Required: Covered entity MUST implement the specification in order to successfully implement the standard
• Addressable: Covered entity must:
  – Consider the specification, and implement it if appropriate
  – If not appropriate, document the reason why not, and what WAS done in its place to implement the standard
Administrative Safeguards
(R) = Required, (A) = Addressable. A standard listed with (R) and no implementation specifications must be implemented as stated.

Security Management Process, 164.308(a)(1)
  – Risk Analysis (R)
  – Risk Management (R)
  – Sanction Policy (R)
  – Information System Activity Review (R)
Assigned Security Responsibility, 164.308(a)(2) (R)
Workforce Security, 164.308(a)(3)
  – Authorization and/or Supervision (A)
  – Workforce Clearance Procedure (A)
  – Termination Procedures (A)
Information Access Management, 164.308(a)(4)
  – Isolating Health Care Clearinghouse Functions (R)
  – Access Authorization (A)
  – Access Establishment and Modification (A)
Security Awareness and Training, 164.308(a)(5)
  – Security Reminders (A)
  – Protection from Malicious Software (A)
  – Log-in Monitoring (A)
  – Password Management (A)
Security Incident Procedures, 164.308(a)(6)
  – Response and Reporting (R)
Contingency Plan, 164.308(a)(7)
  – Data Backup Plan (R)
  – Disaster Recovery Plan (R)
  – Emergency Mode Operation Plan (R)
  – Testing and Revision Procedure (A)
  – Applications and Data Criticality Analysis (A)
Evaluation, 164.308(a)(8) (R)
Business Associate Contracts and Other Arrangements, 164.308(b)(1)
  – Written Contract or Other Arrangement (R)
Physical Safeguards
(R) = Required, (A) = Addressable

Facility Access Controls, 164.310(a)(1)
  – Contingency Operations (A)
  – Facility Security Plan (A)
  – Access Control and Validation Procedures (A)
  – Maintenance Records (A)
Workstation Use, 164.310(b) (R)
Workstation Security, 164.310(c) (R)
Device and Media Controls, 164.310(d)(1)
  – Disposal (R)
  – Media Re-use (R)
  – Accountability (A)
  – Data Backup and Storage (A)
Technical Safeguards (see § 164.312)
(R) = Required, (A) = Addressable

Access Control, 164.312(a)(1)
  – Unique User Identification (R)
  – Emergency Access Procedure (R)
  – Automatic Logoff (A)
  – Encryption and Decryption (A)
Audit Controls, 164.312(b) (R)
Integrity, 164.312(c)(1)
  – Mechanism to Authenticate Electronic Protected Health Information (A)
Person or Entity Authentication, 164.312(d) (R)
Transmission Security, 164.312(e)(1)
  – Integrity Controls (A)
  – Encryption (A)
Bottom Line…
• All standards MUST be implemented
• Using a combination of required and addressable implementation specifications and other security measures
• Need to document choices
• This arrangement allows the covered entity to make its own judgments regarding risks and the most effective mechanisms to reduce risks
Risk Analysis
• What PHI do you hold?
• What do business associates hold on your behalf?
  – Examples: billing service, accountant, medical transcription service
• What are the potential risks to that data?
  – Examples: "hackers", loss of data due to not backing up
• "Gap analysis"…
  – What measures are already in place to address risks vs.
  – What additional measures seem to be needed
Security is not an Exact Science
• No one-size-fits-all approach
• Enforcement will stress reasonableness and due diligence
• Take advantage of flexibility
• Security does not have to be expensive
Resources
• CMS will be developing technical assistance materials
  – Security video in the works
  – Checklists and other informational papers
• WEDI-SNIP has good resources
  – www.wedi.org/snip
Resources
• CMS website
  – www.cms.hhs.gov/hipaa/hipaa2
  – Contains news of upcoming events, FAQs, technical assistance documents
• E-mail box
  – [email protected]
• HIPAA hotline
  – 1-866-282-0659
Upcoming Events
• Satellite broadcast of "HIPAA 101" Video
  – April 16
• Next HIPAA Roundtable Audioconference
  – April 30
• Details on CMS website
Questions?