Preliminary Look at Final HIPAA Security Regulations
NESNIP Security
February 18, 2003
James E. O’Connor
Baird Holm Law Firm
402-344-0500
www.bairdholm.com
© 2003 B A I R D , H O L M , M C E A C H E N , P E D E R S E N , H A M A N N & ST R A S H E I M LLP
Overview

Final regulations to be published February 20, 2003
Compliance date April 21, 2005
18 Standards
42 Implementation specifications
– 20 Required
– 22 Addressable
General rule §164.306

Covered entities must:
– Ensure the confidentiality, integrity and availability of all ePHI
  • That the CE creates, receives, maintains or transmits
– Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
General rule §164.306

Covered entities must:
– Protect against any reasonably anticipated uses or disclosures of ePHI not permitted or required
– Ensure compliance by Workforce
General rule §164.306

Flexibility:
– CEs may use any security measures that allow the CE to “reasonably and appropriately” implement the standards and specifications
General rule §164.306

Factors:
– Size, complexity and capabilities of CE
– CE's technical infrastructure, hardware and software security capabilities
– Costs
– Probability and criticality of potential risks to ePHI
General rule §164.306

Implementation specifications:
– Required: CE must “implement the implementation specification”
– Addressable: CE must assess whether implementation specification is a reasonable and appropriate safeguard likely to contribute to the protection of ePHI.
General rule §164.306

Addressable specifications:
– If reasonable and appropriate then implement
– If not reasonable and appropriate:
  • Document why not
  • Implement an equivalent alternative measure
Electronic Protected Health Information (ePHI) §164.306

All PHI (individually identifiable health information) maintained or transmitted by a CE in electronic form

Standards for security of all PHI or health information may be promulgated at a later date.
Electronic Media §160.103

Electronic storage media including memory devices in computers and any removable/transportable digital memory medium (tape, disk, memory card, etc.)

Transmission media used to exchange information already in electronic storage media (internet, extranet, leased lines, dial-up, private networks and physical movement of removable/transportable electronic storage media).
Admin: Security Management Process §164.308(a)(1)

Risk Analysis (R)
Risk Management (R)
Sanction Policy (R)
Information System Activity Review (R)
Admin: Assigned Security Responsibility §164.308(a)(2)

Identify the security official who is responsible for the development and implementation of the policies and procedures (R)
Admin: Workforce Security §164.308(a)(3)

Authorization and/or Supervision (A)
Workforce Clearance Procedure (A)
Termination Procedures (A)
Admin: Information Access Management §164.308(a)(4)

Isolating Health Care Clearinghouse Function (R)
Access Authorization (A)
Access Establishment and Modification (A)
Admin: Security Awareness and Training §164.308(a)(5)

Security Reminders (A)
Protection from Malicious Software (A)
Log-in Monitoring (A)
Password Management (A)
Admin: Security Incident Procedures §164.308(a)(6)

Response and Reporting (R)
Admin: Contingency Plan §164.308(a)(7)

Data Backup Plan (R)
Disaster Recovery Plan (R)
Emergency Mode Operation Plan (R)
Testing and Revision Procedure (A)
Applications and Data Criticality Analysis (A)
Admin: Evaluation §164.308(a)(8)

Technical & non-technical evaluation (R)
– Initial
– In response to environmental or operational changes
Admin: Business Associate Contracts and Other Arrangement §164.308(b)(1)

Written Contract or other Arrangement (R)
Physical: Facility Access Controls §164.310(a)(1)

Contingency Operations (A)
Facility Security Plan (A)
Access Control and Validation Procedures (A)
Maintenance Records (A)
Physical: Workstation Use §164.310(b)

Policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation (R)
Physical: Workstation Security §164.310(c)

Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users (R)
Physical: Device and Media Controls §164.310(d)(1)

Disposal (R)
Media Re-use (R)
Accountability (A)
Data Backup and Storage (A)
Technical: Access Control §164.312(a)(1)

Unique User Identification (R)
Emergency Access Procedure (R)
Automatic Logoff (A)
Encryption and Decryption (A)
Technical: Audit Controls §164.312(b)

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (R)
Technical: Integrity §164.312(c)(1)

Mechanism to Authenticate Electronic Protected Health Information (A)
Technical: Person or Entity Authentication §164.312(d)

Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed (R)
Technical: Transmission Security §164.312(e)(1)

Integrity Controls (A)
Encryption (A)