Preliminary Look at Final
HIPAA Security Regulations
NESNIP Security
February 18, 2003
James E. O’Connor
Baird Holm Law Firm
402-344-0500
www.bairdholm.com
© 2003 Baird, Holm, McEachen, Pedersen, Hamann & Strasheim LLP
Overview
Final regulations to be published February 20, 2003
Compliance date April 21, 2005
18 Standards
42 Implementation specifications
– 20 Required
– 22 Addressable
General rule: (§164.306)
Covered entities must:
– Ensure the confidentiality, integrity and availability of all ePHI
• That the CE creates, receives, maintains or transmits
– Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
General rule: (§164.306)
Covered entities must:
– Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required
– Ensure compliance by Workforce
General rule: (§164.306)
Flexibility:
– CEs may use any security measures that allow the CE to “reasonably and appropriately” implement the standards and specifications
General rule: (§164.306)
Factors:
– Size, complexity and capabilities of CE
– CE’s technical infrastructure, hardware and software security capabilities
– Costs
– Probability and criticality of potential risks to ePHI
General rule: (§164.306)
Implementation specifications:
– Required: CE must “implement the implementation specification”
– Addressable: CE must assess whether implementation specification is a reasonable and appropriate safeguard likely to contribute to the protection of ePHI.
General rule: (§164.306)
Addressable specifications:
– If reasonable and appropriate then implement
– If not reasonable and appropriate:
• Document why not
• Implement an equivalent alternative measure
Electronic Protected Health Information (ePHI) (§164.306)
All PHI (individually identifiable health information) maintained or transmitted by a CE in electronic form
Standards for security of all PHI or health information may be promulgated at a later date.
Electronic Media (§160.103)
Electronic storage media including memory devices in computers and any removable/transportable digital memory medium (tape, disk, memory card, etc.)
Transmission media used to exchange information already in electronic storage media (internet, extranet, leased lines, dial-up, private networks and physical movement of removable/transportable electronic storage media).
Admin: Security Management Process §164.308(a)(1)
Risk Analysis (R)
Risk Management (R)
Sanction Policy (R)
Information System Activity Review (R)
Admin: Assigned Security Responsibility §164.308(a)(2)
Identify the security official who is responsible for the development and implementation of the policies and procedures (R)
Admin: Workforce Security §164.308(a)(3)
Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Admin: Information Access Management §164.308(a)(4)
Isolating Health Care Clearinghouse Function (R)
Access Authorization (A)
Access Establishment and Modification (A)
Admin: Security Awareness and Training §164.308(a)(5)
Security Reminders (A)
Protection from Malicious Software (A)
Log-in Monitoring (A)
Password Management (A)
Admin: Security Incident Procedures §164.308(a)(6)
Response and Reporting (R)
Admin: Contingency Plan §164.308(a)(7)
Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedure (A)
Applications and Data Criticality Analysis (A)
Admin: Evaluation §164.308(a)(8)
Technical & non-technical evaluation (R)
– Initial
– In response to environmental or operational changes
Admin: Business Associate Contracts and Other Arrangement §164.308(b)(1)
Written Contract or other Arrangement (R)
Physical: Facility Access Controls §164.310(a)(1)
Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Physical: Workstation Use §164.310(b)
Policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation (R)
Physical: Workstation Security §164.310(c)
Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users (R)
Physical: Device and Media Controls §164.310(d)(1)
Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)
Technical: Access Control §164.312(a)(1)
Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Technical: Audit Controls §164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (R)
Technical: Integrity §164.312(c)(1)
Mechanism to Authenticate Electronic Protected Health Information (A)
Technical: Person or Entity Authentication §164.312(d)
Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (R)
Technical: Transmission Security §164.312(e)(1)
Integrity Controls (A)
Encryption (A)