HIPAA2

Introduction to HIPAA2

  1. Introduction to Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
     Speaker: Chenyu Lee
  2. HIPAA Background
     • 1996. Health Insurance Portability and Accountability Act (HIPAA), Public Law 104-191.
       – Department of Health and Human Services (HHS) adopts national standards for electronic health care transactions and code sets, unique health identifiers, and security.
     • 2009. Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
     • 2010. Patient Protection and Affordable Care Act of 2010 (ACA).
     • 2013. HIPAA Omnibus Rule makes changes to existing privacy, security and breach notification requirements.
  3. HIPAA Regulations
     • CFR 45 PART 160: General administrative requirements
     • CFR 45 PART 162: Administrative requirements
     • CFR 45 PART 164: Security and privacy rules
  4. DEFINITIONS (§ 160.103)
  5. Business Associate
     • Business Associate includes the partners that may provide legal, actuarial, accounting, consulting, data aggregation, management, administration or financial services wherein the services require the disclosure of individually identifiable health information.
     • A key concern, among many, is that some software vendors almost certainly will be categorized as Business Associates.
  6. Covered Entity & Electronic Media
     • Covered Entity means:
       – A health plan
       – A health care clearinghouse
       – A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.
     • Electronic media means:
       – Electronic storage material on which data is or may be recorded electronically.
       – Transmission media used to exchange information already in electronic storage media.
  7. Health Care & Health Care Provider & Health Information
     • Health care means:
       – Care, services, or supplies related to the health of an individual.
     • Health care provider means:
       – A provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
     • Health information means:
       – Any information, whether oral or recorded in any form or medium.
  8. Individual & Individually Identifiable Health Information & Protected Health Information (PHI)
     • Individual means:
       – The person who is the subject of protected health information.
     • Individually identifiable health information means health information that:
       – Identifies the individual, or
       – With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
     • Protected health information means:
       – Individually identifiable health information that is
         • Transmitted by electronic media
         • Maintained in electronic media
         • Transmitted or maintained in any other form or medium
  9. PHI Includes One or More of These Identifiers (§164.514(b)(2)(i))
     – Names
     – Addresses including Zip Codes
     – All Dates
     – Telephone & Fax Numbers
     – Email Addresses
     – Social Security Numbers
     – Medical Record Numbers
     – Health Plan Numbers
     – License Numbers
     – Vehicle Identification Numbers
     – Account Numbers
     – Biometric Identifiers
     – Full Face Photos
     – Any Other Unique Identifying Number, Characteristic, or Code
  10. Use and Disclosure of PHI
     • Use of PHI refers to how PHI is internally accessed, shared and utilized by the covered entity that maintains such information.
     • Disclosure of PHI refers to how PHI is shared with individuals or entities externally.
  11. Notice of Privacy Practices (NPP)
     • Notice of Privacy Practices means:
       – Providers and Health Plans must have a Notice of Privacy Practices (NPP).
         • It provides a detailed description of the various uses and disclosures of PHI that are permissible without obtaining a patient's authorization.
       – In general, any time you release patient information for a reason unrelated to treatment, payment (e.g., billing) or health care operations (TPO), an authorization is required.
  12. Treatment, Payment and Operations (TPO)
     • Treatment: Various activities related to patient care.
     • Payment: Various activities related to paying for or getting paid for health care services.
     • Health Care Operations: Generally refers to day-to-day activities of a covered entity, such as planning, management, training, improving quality, providing services, and education.
     • NOTE:
       – Research is not considered TPO.
       – Written patient authorization is required to access PHI for research unless an authorization waiver is approved by the Institutional Review Board (IRB).
  13. SECURITY RULES (§ 164.3xx)
  14. General Rule (§164.306)
     • General requirements:
       – Ensure the confidentiality, integrity, and availability of all its ePHI.
       – Protect against any reasonably anticipated threats or hazards to its ePHI.
       – Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted.
     • Implementation specifications:
       – Required specifications must be implemented.
       – Addressable specifications must be assessed and implemented as specified if reasonable and appropriate to the Covered Entity.
     • Maintenance.
  15. Administrative Safeguards (§164.308(a))
     – Security management process
     – Assigned security responsibility
     – Workforce security
     – Information access management
     – Security awareness and training
     – Security incident procedures
     – Contingency plan
     – Evaluation
  16. Physical Safeguards (§164.310)
     • Facility access controls.
     • Workstation use.
     • Workstation security.
     • Device and media controls.
  17. Policies and Procedures and Documentation Requirements (§164.316(b)(2))
     • Time limit.
       – Retain the documentation required for 6 years from the date of its creation or the date when it last was in effect, whichever is later.
     • Availability.
     • Updates.
  18. Technical Safeguards (§164.312)
     • Access control.
     • Audit controls.
     • Integrity.
     • Person or entity authentication.
     • Transmission security.
  19. PRIVACY RULES (§ 164.5xx)
  20. Required/Addressable Specifications of Security Standards

     | Standard | Specification | Section |
     |---|---|---|
     | Security Management Process | Risk Analysis | 164.308(a)(1)(ii)(A) |
     | | Risk Management | 164.308(a)(1)(ii)(B) |
     | | Sanction Policy | 164.308(a)(1)(ii)(C) |
     | | Information System Activity Review | 164.308(a)(1)(ii)(D) |
     | Assigned Security Responsibility | Assigned Security Responsibility | 164.308(a)(2) |
     | Workforce Security | Authorization and/or Supervision | 164.308(a)(3)(ii)(A) |
     | | Workforce Clearance Procedure | 164.308(a)(3)(ii)(B) |
     | | Termination Procedures | 164.308(a)(3)(ii)(C) |
     | Information Access Management | Isolating Health Care Clearinghouse Function | 164.308(a)(4)(ii)(A) |
     | | Access Authorization | 164.308(a)(4)(ii)(B) |
     | | Access Establishment and Modification | 164.308(a)(4)(ii)(C) |
     | Security Awareness and Training | Security Reminders | 164.308(a)(5)(ii)(A) |
     | | Log-in Monitoring | 164.308(a)(5)(ii)(B) |
     | | Protection from Malicious Software | 164.308(a)(5)(ii)(C) |
     | | Password Management | 164.308(a)(5)(ii)(D) |
     | Security Incident Procedures | Response and Reporting | 164.308(a)(6) |
     | Contingency Plan | Data Backup Plan | 164.308(a)(7)(ii)(A) |
     | | Disaster Recovery Plan | 164.308(a)(7)(ii)(B) |
     | | Emergency Mode Operation Plan | 164.308(a)(7)(ii)(C) |
     | | Testing and Revision Procedure | 164.308(a)(7)(ii)(D) |
     | | Applications and Data Criticality Analysis | 164.308(a)(7)(ii)(E) |
     | Evaluation | Evaluation | 164.308(a)(8) |
     | Business Associate Contracts and Other Arrangements | Written Contract or Other Arrangement | 164.308(b)(3) |
  21. Required/Addressable Specifications of Security Standards (continued)

     | Standard | Specification | Section |
     |---|---|---|
     | Facility Access Control | Contingency Operations | 164.310(a)(2)(i) |
     | | Facility Security Plan | 164.310(a)(2)(ii) |
     | | Access Control and Validation Procedures | 164.310(a)(2)(iii) |
     | | Maintenance Records | 164.310(a)(2)(iv) |
     | Workstation Use | Workstation Use | 164.310(b) |
     | Workstation Security | Workstation Security | 164.310(c) |
     | Device and Media Control | Disposal | 164.310(d)(2)(i) |
     | | Media Re-use | 164.310(d)(1)(2)(ii) |
     | | Accountability | 164.310(d)(2)(iii) |
     | | Data Backup and Storage | 164.310(d)(2)(iv) |
     | Access Control | Unique User Identification | 164.312(a)(2)(i) |
     | | Emergency Access Procedure | 164.312(a)(2)(ii) |
     | | Automatic Logoff | 164.312(a)(2)(iii) |
     | | Encryption and Decryption | 164.312(a)(2)(iv) |
     | Audit Controls | Audit Controls | 164.312(b) |
     | Integrity | Mechanism to Authenticate Electronic Protected Health Information | 164.312(c)(1) |
     | Person or Entity Authentication | Person or Entity Authentication | 164.312(d) |
     | Transmission Security | Integrity Controls | 164.312(e)(2)(i) |
     | | Encryption | 164.312(e)(2)(ii) |
     | Documentation | Time Limit | 164.316(b)(2)(i) |
     | | Availability | 164.316(b)(2)(ii) |
     | | Update | 164.316(b)(2)(iii) |
  22. Minimum Necessary Rule (§164.502(b))
     • Generally, the amount of PHI used, shared, accessed or requested must be limited to only what is needed.
     • Workers should access or use only the PHI necessary to carry out their job responsibilities.
  23. Authorization (§164.508)
     • A covered entity may not use or disclose protected health information for reasons generally not related to treatment, payment or health care operations without an authorization.
     • The Authorization must include:
       – A detailed description of the PHI to be disclosed, who will make the disclosure, to whom the disclosure will be made, expiration date, the purpose of the disclosure, and signature.
       – The individual's right to revoke, the ability or inability to condition usage, and the potential for information disclosed.
  24. Types of Disclosures
     • No Authorization Required (§ 164.512)
     • Authorization Required, but Must Give Opportunity to Object (§ 164.510)
     • Authorization Required (§ 164.508)
  25. Uses and Disclosures for Which an Authorization or Opportunity to Agree or Object Is Not Required
     • To disclose PHI to the patient (§ 164.502)
     • To use or disclose PHI for treatment, payment or health care operations (§ 164.502)
     • Certain disclosures required by law (for example, public health reporting of diseases, child abuse/neglect cases, etc.) (§ 164.512(a)-(l))
  26. Uses and Disclosures for Which an Authorization Is Required
     • A covered entity may not use or disclose protected health information without an authorization. (§ 164.508(a)(1))
     • To access, use or disclose PHI for research (§ 164.512(i)(1)(i))
     • For marketing activities and sale of PHI (§ 164.508(a)(3))
  27. Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object
     • The patient must be offered an opportunity to object before PHI is discussed with the patient's family or friends. (§ 164.510(b)(1)(i))
     • Limited PHI (e.g., the patient's hospital room/location number) is included in the "Hospital Directory", but patients are offered an "Opt Out" opportunity; certain disclosures may also be made to clergy members. (§ 164.510(b)(3))
     • Exception: emergency circumstances (§ 164.510(a)(3))
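As an added illustration that is not part of the original slides, the disclosure categories of slides 24 through 27 can be expressed as one decision function that also appends an audit record for every request, in the spirit of the audit-controls safeguard of §164.312. The Request fields, the Purpose names and the user/patient identifiers are constructed assumptions for this example, not terms from the deck or the regulation.

```python
from dataclasses import dataclass
from enum import Enum

class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    TO_PATIENT = "disclosure to the patient"
    REQUIRED_BY_LAW = "required by law"
    FAMILY_OR_FRIEND = "family or friend"
    RESEARCH = "research"
    MARKETING_OR_SALE = "marketing or sale of PHI"

@dataclass
class Request:                        # field names are constructed for this example
    user: str                         # workforce member requesting access
    patient_id: str                   # record involved
    purpose: Purpose
    has_authorization: bool = False   # signed §164.508 authorization on file
    irb_waiver: bool = False          # IRB-approved waiver of authorization (research)
    opportunity_given: bool = False   # patient was offered the chance to object
    patient_objected: bool = False
    emergency: bool = False           # emergency exception to the opportunity to object

AUDIT_LOG: list = []   # one record per decision, as an audit-control trail (§164.312)

def evaluate(req: Request) -> tuple:
    """Return (permitted, basis) for the request and append an audit record."""
    p = req.purpose
    if p in (Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS, Purpose.TO_PATIENT):
        permitted, basis = True, "§164.502: TPO or disclosure to the patient"
    elif p is Purpose.REQUIRED_BY_LAW:
        permitted, basis = True, "§164.512: disclosure required by law"
    elif p is Purpose.FAMILY_OR_FRIEND:
        if req.patient_objected:
            permitted, basis = False, "§164.510(b): patient objected"
        elif req.opportunity_given or req.emergency:
            permitted, basis = True, "§164.510(b): opportunity to object given, or emergency"
        else:
            permitted, basis = False, "§164.510(b): opportunity to object not yet offered"
    elif p is Purpose.RESEARCH:
        permitted = req.has_authorization or req.irb_waiver
        basis = "§164.512(i): research needs an authorization or an IRB waiver"
    else:  # Purpose.MARKETING_OR_SALE
        permitted = req.has_authorization
        basis = "§164.508(a)(3): marketing or sale of PHI needs a signed authorization"
    AUDIT_LOG.append({"user": req.user, "patient": req.patient_id,
                      "purpose": p.value, "permitted": permitted, "basis": basis})
    return permitted, basis
```

Every call, permitted or denied, leaves an entry in AUDIT_LOG, which is the trail an information-system activity review (§164.308(a)(1)(ii)(D)) would examine.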
  28. Breach (§164.402(b))
     • Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the privacy rules.
     • Amount of a civil money penalty:
       – Not less than $100 or more than $50,000 for each violation
       – In excess of $1,500,000 for identical violations during a calendar year
     • Criminal liability:
       – Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000 and imprisonment for up to ten years.
  29. Companies & Fines

     | Entity Fined | Fine | Violation |
     |---|---|---|
     | CIGNET (Feb 2011) | $4,300,000 | Online database application error. |
     | Alaska Department of Health and Human Services (June 2012) | $1,700,000 | Unencrypted USB hard drive stolen; poor policies and risk analysis. |
     | WellPoint (Sep 2012) | $1,700,000 | Did not have technical safeguards in place to verify the person/entity seeking access to PHI in the database. Failed to conduct a technical evaluation in response to a software upgrade. |
     | Blue Cross Blue Shield of Tennessee (Mar 2012) | $1,500,000 | 57 unencrypted hard drives stolen. |
     | Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates (Sep 2012) | $1,500,000 | Unencrypted laptop stolen; poor risk analysis and policies. |
     | Affinity Health Plan (Aug 2013) | $1,215,780 | Returned photocopiers without erasing the hard drives. |
     | South Shore Hospital (May 2012) | $750,000 | Backup tapes went missing on the way to a contractor. |
     | Idaho State University (May 2013) | $400,000 | Breach of unsecured ePHI. |
  30. THANKS FOR LISTENING