HIPAA HITECH Requirements

Featured Speaker: Subrata Guha, UL DQS Inc. IT Services Director

Subrata Guha, UL DQS Inc IT Services Director, hosts this on-demand webinar that will focus on Information Security Management Systems (ISMS) and HIPAA. The presentation includes:

Changes in the HIPAA privacy rules introduced in January 2013
Role of information security in the HITECH Act applicable to the Health Care sector
HIPAA risk assessment
How to achieve HIPAA compliance

1 Comment
  • Practical analysis! Speaking of which, you require a form; my colleague discovered a sample form here http://pdf.ac/aigGcy.

  1. Security Requirements for HIPAA and HITECH Act
     Subrata Guha, Program Manager – IT Certification, DQS–UL Group
  2. Questions
     - What are the HIPAA Security Rules?
     - What is the HITECH Act?
     - How to achieve compliance?
     - Any other questions?
  3. What are the HIPAA Security Rules?
  4. Background
     - HIPAA - Health Insurance Portability and Accountability Act, introduced in 1996
     - Rules updated in 2013
     - Objectives:
       - Security - protection of Electronic Protected Health Information (EPHI)
       - Privacy – protection of Protected Health Information (PHI)
     - Scope: Covered Entities and Business Associates
       - Healthcare Providers
       - Health Insurance Providers
       - Healthcare Clearinghouses
       - Medicare Prescription Drug Card Sponsors
       - Suppliers / partners of covered entities
  5. Players involved in HIPAA
     - Department of Health and Human Services (HHS)
     - Covered Entities
     - Business Associates
     - Patients
  6. Components of HIPAA (Health Insurance Portability and Accountability Act of 1996)
     - Title I: Health Care Access, Portability and Renewability
     - Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
       - Administrative Simplification covers: General Administrative Requirements; Administrative Requirements; Security and Privacy
     - Title III: Tax Related Health Provision
     - Title IV: Group Health Plan
     - Title V: Revenue Offsets
     Source: NIST SP 800-66
  7. Components of HIPAA: the same diagram as slide 6, with Administrative Simplification marked "Updated March 2013"
  8. What is the HITECH Act?
  9. HITECH Act
     - Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced in 2009
     - Objective is to strengthen the privacy and security protections of HIPAA
     - Extended HIPAA privacy and security requirements to business associates
     - Increased penalties for violations
     - Another objective of the HITECH Act is to promote the use of Electronic Health Records (EHR)
  10. Components of HIPAA: repeat of slide 7 (Administrative Simplification, updated March 2013)
  11. General Administrative Requirements – Code of Federal Regulations (CFR) Title 45 Part 160.101-514
     - General Provisions
     - Preemption of State Laws
     - Compliance and Investigations
     - Imposition of Civil Money Penalties
     - Procedures for Hearings
  12. Administrative Requirements – CFR Title 45 Part 162.100-1902
     - General Provisions
     - Standard Unique Health Identifier for Health Care Providers
     - Standard Unique Health Identifier for Health Plans
     - Standard Unique Employer Identifier
     - General Provisions for Transactions
     - Code Sets
     - Health Care Claims or Equivalent Encounter Information
     - Eligibility for a Health Plan
     - Referral Certification and Authorization
     - Health Care Claim Status
     - Enrollment and Disenrollment in a Health Plan
     - (more...)
  13. HIPAA Security Rules – CFR Title 45 Part 164.306-316 define the security rules
     - Security Standards: General Rules
     - Administrative Safeguards
     - Physical Safeguards
     - Technical Safeguards
     - Organizational Requirements
     - Documentation Requirements
  14. Structure of HIPAA Security Rules
     - Standard: describes the rule. Example: "A covered entity or business associate must comply with the applicable standards as provided ………."
     - Implementation specifications: key activities to be performed to meet the intent of the standard
       - Required (R): mandatory activity
       - Addressable (A): can be excluded with justification, or an alternative practice can be implemented
  15. Security Standard: General Rules
     - Ensure confidentiality, integrity and availability of EPHI
     - Protect EPHI against anticipated threats and hazards
     - Ensure compliance by the workforce
     Scope: EPHI the covered entity or business associate creates, receives, maintains, or transmits.
     Implementation: the security measures depend on the
     - size, complexity and type of business functions
     - size of the IT infrastructure
     - anticipated risk and impact
  16. Administrative Safeguards (1/2) – standard: implementation specifications
     - Security management process: Risk analysis (R); Risk management (R); Sanction policy (R); Information system activity review (R)
     - Assigned security responsibility: none
     - Workforce security: Authorization and/or supervision (A); Workforce clearance procedure (A); Termination procedure (A)
     - Information access management: Isolating healthcare clearinghouse functions (R); Access authorization (A); Access establishment and modification (A)
     - Security awareness and training: Security reminders (A); Protection from malicious software (A); Login monitoring (A); Password management (A)
  17. Administrative Safeguards (2/2) – standard: implementation specifications
     - Security incident procedures: Response and reporting (R)
     - Contingency plan: Data backup plan (R); Disaster recovery plan (R); Emergency mode operation plan (R); Testing and revision procedure (A); Application and data criticality analysis (A)
     - Evaluation: Perform periodic technical and non-technical evaluation (R)
     - Business associate contracts or other arrangements: Written contracts or other arrangements (R)
  18. Physical Safeguards – standard: implementation specifications
     - Facility access controls: Contingency operations (A); Facility security plan (A); Access control and validation procedures (A); Maintenance records (A)
     - Workstation use: none
     - Workstation security: none
     - Device and media controls: Disposal (R); Media re-use (R); Accountability (A); Data backup and storage (A)
  19. Technical Safeguards – standard: implementation specifications
     - Access control: Unique user identification (R); Emergency access procedure (R); Automatic logoff (A); Encryption and decryption (A)
     - Audit controls: none
     - Integrity: Mechanism to authenticate EPHI (A)
     - Person or entity authentication: none
     - Transmission security: Integrity controls (A); Encryption (A)
  20. Organizational Requirements – standard: implementation specifications
     - Business associate contracts or other arrangements: Business associate contract (R); Reporting of incidents (R); Other arrangements (A); Contract with sub-contractors (R)
     - Requirements for group health plans: Implement administrative, physical and technical safeguards (R); Ensure adequate separation (R); Ensure adequate security measures by agents (R); Report incidents to the group health plan (R)
  21. Policies, Procedures and Documentation Requirements – standard: implementation specifications
     - Policies and procedures: none
     - Documentation: Retention period (R); Availability (R); Updates (R)
  22. Breach Notifications – CFR Title 45 Part 164.404-414
     - Notification to Individuals
     - Notification to the Media
     - Notification to the Secretary
     - Notification by a Business Associate
     - Law Enforcement Delay
     - Administrative Requirements and Burden of Proof
  23. HIPAA Privacy Rules – CFR Title 45 Part 164.504-530
     - Use and Disclosure of PHI: General Rules
     - Use and Disclosure: Organizational Requirements
     - Use and Disclosure to Carry Out Treatment, Payment etc.
     - Use and Disclosure: Individual to Agree or Object
     - Use and Disclosure: Authorization not Required
     - Use and Disclosure of PHI: Other Requirements
     - Notice of Privacy Practices
     - Right to Request Privacy Protection
     - Access of Individuals to PHI
     - Amendment of PHI
     - Accounting of Disclosures of PHI
  24. Enforcement Process (flowchart)
     - A complaint reaches the Office for Civil Rights (OCR) for intake and review.
     - Criminal violation? Yes: referred to the Department of Justice.
     - HIPAA violation? No: case closed. Yes: OCR investigation.
     - Resolution? Yes: OCR issues corrective actions; CAR closed. No: OCR imposes a penalty.
  25. How to Achieve Compliance?
  26. HIPAA Compliance Process
     - Identify the EPHI and/or PHI your organization creates, receives, maintains or transmits
     - Conduct a risk assessment
     - Establish policies and procedures following the HIPAA security standards to address the risks
     - Monitor compliance
     - Report breaches
  27. Pitfalls
     - Compliance is self-declaration: no third-party certification is available
     - The set of rules does not provide a governance structure to maintain the system
     - Investigations are triggered by complaints; the burden of proof is on the covered entity or business associate
     - Penalties can be as high as $1.5 million
  28. Other options
     - Adoption of a management system framework, e.g. the ISO/IEC 27001 standard
  29. ISO/IEC 27001:2013
     - Context of the Organization
     - Leadership
     - Planning
     - Support
     - Operation
     - Performance Evaluation
     - Improvement
     - Annex A: Recommended Controls
  30. Why ISO 27001:2013?
     - Establishes a governance structure to establish, monitor and improve security
     - Annex A controls cover ~90% of the HIPAA security rules
     - Additional controls from 45 CFR 164 can be added to the Statement of Applicability
     - ISO 27002 provides implementation guidance for the controls
     - Third-party certification increases credibility
     - Annual surveillance ensures continued compliance
  31. Questions?
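The Required/Addressable distinction explained on slide 14, applied across the safeguard tables on slides 16 to 21, is in practice a gap-analysis rule: a Required specification must be in place, while an Addressable one may be absent only with a documented justification or an equivalent alternative. The Python script below is an added example and is not part of the presentation or of DQS-UL's material. It encodes a subset of the implementation specifications from the tables with their (R)/(A) flag, takes an organisation's implementation record (constructed sample data, not from the page) and sorts every specification into a gap, an accepted exception, or a met control. The names `Spec`, `Status`, `evaluate` and `SAMPLE_STATUS` are the example's own.

```python
"""Gap analysis over HIPAA Security Rule implementation specifications.

Added example, not from the presentation: applies the Required (R) /
Addressable (A) logic of slide 14 to a subset of the specifications
listed on slides 16, 17 and 19.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Spec:
    """One implementation specification under a Security Rule standard."""
    standard: str
    name: str
    required: bool  # True for (R) Required, False for (A) Addressable


# Subset of the implementation specifications shown on slides 16, 17 and 19.
SPECS: List[Spec] = [
    Spec("Security management process", "Risk analysis", True),
    Spec("Security management process", "Risk management", True),
    Spec("Security management process", "Information system activity review", True),
    Spec("Workforce security", "Termination procedure", False),
    Spec("Security awareness and training", "Protection from malicious software", False),
    Spec("Security awareness and training", "Password management", False),
    Spec("Security incident procedures", "Response and reporting", True),
    Spec("Contingency plan", "Data backup plan", True),
    Spec("Contingency plan", "Disaster recovery plan", True),
    Spec("Contingency plan", "Testing and revision procedure", False),
    Spec("Access control", "Unique user identification", True),
    Spec("Access control", "Emergency access procedure", True),
    Spec("Access control", "Automatic logoff", False),
    Spec("Access control", "Encryption and decryption", False),
    Spec("Integrity", "Mechanism to authenticate EPHI", False),
    Spec("Transmission security", "Encryption", False),
]


@dataclass
class Status:
    """What the organisation has on record for one specification."""
    implemented: bool
    justification: Optional[str] = None  # why an (A) spec is not reasonable/appropriate
    alternative: Optional[str] = None    # equivalent alternative measure for an (A) spec


def evaluate(specs: List[Spec], status: Dict[str, Status]) -> Dict[str, List[str]]:
    """Sort each specification into compliant / accepted / gaps (slide 14 rule).

    A specification with no record at all is a gap: the organisation has to
    show evidence, so silence is not treated as implemented.
    """
    result: Dict[str, List[str]] = {"compliant": [], "accepted": [], "gaps": []}
    for spec in specs:
        label = f"{spec.standard} / {spec.name}"
        rec = status.get(spec.name)
        if rec is None:
            result["gaps"].append(f"{label}: no evidence on record")
        elif rec.implemented:
            result["compliant"].append(label)
        elif spec.required:
            result["gaps"].append(f"{label}: required (R) but not implemented")
        elif rec.justification or rec.alternative:
            # Addressable spec left out, but the decision is documented.
            result["accepted"].append(label)
        else:
            result["gaps"].append(f"{label}: addressable (A) with no justification or alternative")
    return result


# Constructed record for a fictitious covered entity; not data from the presentation.
# "Risk management" is deliberately absent to show the no-evidence case.
SAMPLE_STATUS: Dict[str, Status] = {
    "Risk analysis": Status(True),
    "Information system activity review": Status(True),
    "Termination procedure": Status(True),
    "Protection from malicious software": Status(True),
    "Password management": Status(True),
    "Response and reporting": Status(True),
    "Data backup plan": Status(True),
    "Disaster recovery plan": Status(False),
    "Testing and revision procedure": Status(False, justification="plan is exercised yearly under the DR plan's own test cycle"),
    "Unique user identification": Status(True),
    "Emergency access procedure": Status(True),
    "Automatic logoff": Status(False, alternative="endpoint policy enforces screen lock after 5 minutes idle"),
    "Encryption and decryption": Status(False),
    "Mechanism to authenticate EPHI": Status(True),
    "Encryption": Status(True),
}


if __name__ == "__main__":
    report = evaluate(SPECS, SAMPLE_STATUS)
    for bucket, items in report.items():
        print(f"{bucket} ({len(items)})")
        for item in items:
            print(f"  - {item}")
```

Running it on the constructed record yields three gaps (a Required specification with no evidence, a Required specification not implemented, and an Addressable one dropped without justification), two accepted exceptions and eleven met controls. Treating a missing record as a gap is deliberate: slide 27 notes that the burden of proof sits with the covered entity or business associate, so the absence of documentation is itself a finding.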
