HIPAA HiTech Security Assessment


The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards and 12 technical safeguards, along with specific organizational and policies-and-procedures requirements. EHR 2.0's HIPAA security assessment services help covered entities discover their gap areas against the required and addressable implementation specifications.

HIPAA has two main rules: the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.

How often should security be reviewed?

The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.


Confidentiality: Limiting information access and disclosure to authorized users (the right people)

Integrity: Trustworthiness of information resources (no inappropriate changes)

Availability: Availability of information resources (at the right time)



  1. HIPAA/HITECH Security Assessment
  2. Webinar Objectives
     • Understand HIPAA/HITECH security principles
     • Learn HIPAA security safeguards
     • Learn tools and methodologies for HIPAA/HITECH Assessment
  3. Who we are … EHR 2.0
     Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
     Education, Consulting, Toolkit (Tools, Best Practices & Checklist)
     Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
  4. Glossary
     • PHI: Protected Health Information
     • HHS: Health and Human Services
     • OCR: Office for Civil Rights
     • HIPAA: Health Insurance Portability and Accountability Act
     • HITECH: Health Information Technology for Economic and Clinical Health Act
  5. The American Recovery and Reinvestment Act of 2009 and HITECH
  6. HITECH modifications to HIPAA
     • Creating incentives for developing a meaningful use of electronic health records
     • Changing the liability and responsibilities of Business Associates
     • Redefining what a breach is
     • Creating stricter notification standards
     • Tightening enforcement
     • Raising the penalties for a violation
     • Creating new code and transaction sets (HIPAA 5010, ICD10)
  7. Business Associate Cycle (diagram: Covered Entity, Business Associate (BA), HHS/OCR; labelled elements: BA Contract, HIPAA Privacy and Security Rule, Breach Notification, Minimum Necessary, Sub-contractors)
  8. HIPAA Titles - Overview
  9. HIPAA
     The two main rules of HIPAA are:
     • Privacy Rule: Organizations must identify the uses and disclosures of protected health information (PHI) and put into effect appropriate safeguards to protect against an unauthorized use or disclosure of that PHI. When material breaches or violations of privacy are identified, the organizations must take reasonable steps to solve those problems in order to limit exposure of PHI.
     • Security Rule: Defines the administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information. (45 CFR Part 160 and Subparts A and C of Part 164)
  10. HIPAA Security Rule
  11. Information Security Model
     • Confidentiality: Limiting information access and disclosure to authorized users (the right people)
     • Integrity: Trustworthiness of information resources (no inappropriate changes)
     • Availability: Availability of information resources (at the right time)
  12. Protected Health Information (PHI) (nested diagram: Health Information > Individually Identifiable Health Information > PHI)
  13. ePHI – 18 Elements (element: example)
     1. Name: Max Bialystock
     2. Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code): 1355 Seasonal Lane
     3. Dates related to an individual: birth, death, admission, discharge
     4. Telephone numbers (home, office, mobile etc.): 212 555 1234
     5. Fax number: 212 555 1234
     6. Email address (personal, official): LeonT@Hotmail.com
     7. Social Security number: 239-68-9807
     8. Medical record number: 189-88876
     9. Health plan beneficiary number: 123-ir-2222-98
     10. Account number: 333389
     11. Certificate/license number: 3908763 NY
     12. Any vehicle or other device serial number: SZV4016
     13. Device identifiers or serial numbers: unique medical devices
     14. Web URL: www.rickymartin.com
     15. Internet Protocol (IP) address numbers
     16. Biometric identifiers, including finger or voice prints: finger.jpg
     17. Photographic images: mypicture.jpg
     18. Any other characteristic that could uniquely identify the individual
  14. Examples of ePHI (and not ePHI)
     Examples of ePHI: magnetic tape; disk or optical disk; computerized information; internet transmission; network information; telephone response and "fax back" (a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax)
     Examples of NOT ePHI: paper files; "paper to paper" faxes; person-to-person telephone calls; video teleconferencing; voicemail messages
  15. Security Standards: General Rules § 164.306
     What are "Required" standards? If the standard is stated as "Required", a covered entity and business associate must comply with that standard.
     What are "Addressable" standards? If the standard is stated as "Addressable", the covered entity or business associate must assess whether the implementation specification is a reasonable and appropriate safeguard in its environment with reference to e-PHI. If applicable, then take measures to implement it.
  16. Security Standards: General Rules § 164.306
     What if "Addressable" standards are not applicable to the covered entity's environment? Document why it is not applicable and implement an equivalent alternative measure if reasonable and appropriate.
     How often should security be reviewed? The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
  17. HIPAA Security Rule
  18. HIPAA Security Rule – Administrative Safeguards § 164.308
  19. HIPAA Security Rule – Administrative Safeguards § 164.308 (Contd.)
  20. HIPAA Act
  21. HIPAA Security Rule – Physical Safeguards § 164.310
  22. HIPAA Security Rule
  23. HIPAA Security Rule – Technical Safeguards § 164.312
  24. Healthcare Infrastructure (any device that electronically stores or transmits information using a software program)
     • Computers
     • Storage Devices
     • Networking devices (Routers, Switches & Wireless)
     • Medical Devices
     • Scanners, fax and photocopiers
     • VoIP
     • Smart-phones, Tablets (iPad, PDAs)
     • Cloud-based services
  25. Trends in Healthcare IT (diagram): Informatics, Collaboration, Mobile Computing, EHR, HIE
  26. Handheld Usage in Healthcare
     • 25% usage with providers
     • Another 21% expected to use
     • 38% physicians use medical apps
     • 70% think it is a high priority
     • 1/3 use hand-held for accessing EMR/EHR
     Source: CompTIA 2011 Survey
  27. EMR and EHR systems
  28. Health Information Exchange (HIE)
  29. Social Media
     • How does your practice use it?
     • How do your employees use it?
     • Do you have policies?
  30. Cloud-based services
     Deployment models: Public Cloud, Private Cloud, Hybrid
     Services: EHR Applications, Private-label e-mail, Archiving of Images, File Sharing, On-line Backups
     HIPAA regulations remain barriers to full cloud adoption.
     Cloud computing is taking all batch processing and farming it out to huge central or virtualized computers.
  31. Informatics
  32. Sample Risk Analysis Template (3x3 matrix: likelihood across, impact down)
     • High impact / High likelihood: Unencrypted laptop ePHI
     • High impact / Medium likelihood: Lack of auditing on EHR systems
     • High impact / Low likelihood: Missing security patches on web server hosting patient information
     • Medium impact / High likelihood: Unsecured wireless network in doctor's office
     • Medium impact / Medium likelihood: Outdated anti-virus software
     • Medium impact / Low likelihood: External hard drives not being backed up
     • Low impact / High likelihood: Sales presentation on USB thumb drive
     • Low impact / Medium likelihood: Web server backup tape not stored in a secured location
     • Low impact / Low likelihood: Weak password on internal document server
  33. HIPAA Security Rule – Administrative Safeguards checklist
     Columns: HIPAA Section, Standard / Implementation Specification, Implementation Requirement, Description, Solution, Yes/No/Comments (left blank for the assessor)
     • 164.308(a)(1)(i) Security Management Process [Required]: Policies and procedures to manage security violations.
     • 164.308(a)(1)(ii)(A) Risk Analysis [Required]: Conduct vulnerability assessment. Solution: penetration test, vulnerability assessment.
     • 164.308(a)(1)(ii)(B) Risk Management [Required]: Implement security measures to reduce risk of security breaches. Solution: SIM/SEM, patch management, vulnerability management, asset management, helpdesk.
     • 164.308(a)(1)(ii)(C) Sanction Policy [Required]: Worker sanction for policies and procedures violations. Solution: security policy document management.
     • 164.308(a)(1)(ii)(D) Information System Activity Review [Required]: Procedures to review system activity. Solution: log aggregation, log analysis, security event management, host IDS.
     • 164.308(a)(2) Assigned Security Responsibility [Required]: Identify security official responsible for policies and procedures.
     • 164.308(a)(3)(i) Workforce Security [Required]: Implement policies and procedures to ensure appropriate PHI access.
     • 164.308(a)(3)(ii)(A) Authorization and/or Supervision [Addressable]: Authorization/supervision for PHI access. Solution: mandatory, discretionary and role-based access control; ACL, native OS policy enforcement.
     • 164.308(a)(3)(ii)(B) Workforce Clearance Procedure [Addressable]: Procedures to ensure appropriate PHI access. Solution: background checks.
     • 164.308(a)(3)(ii)(C) Termination Procedures [Addressable]: Procedures to terminate PHI access. Solution: single sign-on, identity management, security policy document management, access controls.
     • 164.308(a)(4)(i) Information Access Management [Required]: Policies and procedures to authorize access to PHI.
     • 164.308(a)(4)(ii)(A) Isolation Health Clearinghouse Functions [Required]: Policies and procedures to separate PHI from other operations. Solution: application proxy, firewall, mandatory UPN, SOCKS.
     • 164.308(a)(4)(ii)(B) Access Authorization [Addressable]: Policies and procedures to authorize access to PHI. Solution: mandatory, discretionary and role-based access control.
     • 164.308(a)(4)(ii)(C) Access Establishment and Modification [Addressable]: Policies and procedures to grant access to PHI. Solution: security policy document management.
     • 164.308(a)(5)(i) Security Awareness Training [Required]: Training program for workers and managers.
     • 164.308(a)(5)(ii)(A) Security Reminders [Addressable]: Distribute periodic security updates. Solution: sign-on screen, screen savers, monthly memos, e-mail, banners.
  34. Key Takeaways
     • ePHI is the focus of HIPAA/HITECH security and compliance
     • A HIPAA program secures technology environments focusing on CIA
     • A HIPAA security assessment includes administrative, technical and physical safeguards
     • The key HIPAA security requirement is to conduct technical security analysis
  35. Additional Resources
     • Resources Section: ehr20.com/resources
     • NIST toolkit
     • HHS Website: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
  36. Next Steps
     Follow us on social media: facebook.com/ehr20 (Like), linkedin.com/company/ehr-2-0 (Follow us), https://twitter.com/#!/EHR_20 (Follow)
     Next Live Webinars:
     • OCR/HHS HIPAA/HITECH Audit Preparation (4/4/2012)
     • Social Media Compliance for Healthcare Professionals (4/11/2012)
     Sign-up at ehr20.com/webinars
     http://ehr20.com/services/
  37. Questions? E-mail: info@ehr20.com
  38. Thank you!!
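Several of the 18 ePHI elements on slide 13 (telephone and fax numbers, e-mail addresses, Social Security numbers, dates, IP addresses, URLs, and a medical record number when it carries its label) have shapes a scanner can recognise, which is how DLP and log-scrubbing tools catch ePHI before it leaks into application logs, tickets or analytics. The following Python is an added example written for this page, not code from the EHR 2.0 deck or toolkit. The sample record is constructed from the slide's own example values plus a made-up date of birth and client IP; names, addresses and the catch-all eighteenth element are deliberately out of scope because they need context rather than a pattern.

```python
"""Flag the structured subset of the 18 HIPAA identifiers in free text.

Added example, not from the EHR 2.0 deck: a regex detector of the kind used
in DLP and log-scrubbing pipelines to catch ePHI before it lands in logs,
tickets or analytics.  Only identifiers with a recognisable shape are covered
(phone/fax, e-mail, SSN, labelled medical record numbers, dates, IP addresses,
URLs); names, addresses and "any other unique characteristic" need context or
NLP and are out of scope.  The sample record below is constructed.
"""
import re

# Category -> compiled pattern. The order is also the redaction order, so the
# more specific shapes (e-mail, URL, IP) are consumed before the numeric ones.
PHI_PATTERNS = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url", re.compile(r"\b(?:https?://|www\.)[^\s,;]+")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_or_fax", re.compile(r"\b\d{3}[ .-]\d{3}[ .-]\d{4}\b")),
    ("date", re.compile(r"\b(?:\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{2,4})\b")),
    # Medical record numbers have no universal format, so rely on the label
    # and capture only the value that follows it.
    ("medical_record_number", re.compile(r"\bMRN[:#]?\s*([\w-]+)", re.IGNORECASE)),
]

# Constructed sample: values from slide 13 plus a made-up DOB and client IP.
SAMPLE_RECORD = (
    "Patient callback for MRN 189-88876: reached at 212 555 1234, "
    "emailed LeonT@Hotmail.com; SSN on file 239-68-9807; DOB 1960-04-12; "
    "portal login from 10.20.30.40, referred via www.rickymartin.com"
)


def _value(match):
    """The identifier itself: the capture group when the pattern has one."""
    return match.group(1) if match.lastindex else match.group(0)


def scan(text):
    """Return {category: [values]} for every identifier category present."""
    found = {}
    for category, pattern in PHI_PATTERNS:
        hits = [_value(m) for m in pattern.finditer(text)]
        if hits:
            found[category] = hits
    return found


def redact(text):
    """Replace each detected value with a [CATEGORY] token; labels like MRN stay."""
    for category, pattern in PHI_PATTERNS:
        token = f"[{category.upper()}]"
        text = pattern.sub(lambda m, t=token: m.group(0).replace(_value(m), t), text)
    return text


if __name__ == "__main__":
    for category, values in scan(SAMPLE_RECORD).items():
        print(f"{category:22s} {values}")
    print(redact(SAMPLE_RECORD))
```

Run as a script it lists the categories found in the sample record and prints the redacted line; wired into a logging handler, `redact` is the piece that keeps the identifiers out of the log store. Pattern-based detection trades recall for precision: a scanner like this will miss a name in a free-text note and may flag a seven-digit invoice number as an MRN, so its results belong in a review queue, not in an automatic block decision.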
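Slides 15 and 16 give the decision rule an assessor applies to every row of a checklist like the one on slide 33: a Required specification must be implemented; an Addressable one must be implemented if it is reasonable and appropriate, and otherwise the reason it is not applicable and the equivalent alternative measure (or why none is reasonable) must be documented. Slide 32 then supplies the likelihood/impact matrix for ordering whatever gaps remain. The Python below is an added example that joins those three pieces, not code from the EHR 2.0 deck or toolkit; the five checklist rows are taken from slide 33, and the assessment answers (the Yes/No/Comments column) are constructed sample data.

```python
"""HIPAA Security Rule gap analysis with risk-ranked findings.

Added example, not from the EHR 2.0 deck or its toolkit.  It encodes the
§164.306 decision rule from slides 15-16 (Required: must be implemented;
Addressable: implement if reasonable and appropriate, otherwise document why
not and record the equivalent alternative measure) over a subset of the
§164.308 checklist rows on slide 33, then orders the open gaps with the 3x3
likelihood/impact matrix from slide 32.  The assessment answers (the
Yes/No/Comments column) are constructed sample data.
"""
from dataclasses import dataclass

# (section, standard or implementation specification, requirement), from slide 33.
SPECIFICATIONS = [
    ("164.308(a)(1)(ii)(A)", "Risk Analysis", "Required"),
    ("164.308(a)(1)(ii)(D)", "Information System Activity Review", "Required"),
    ("164.308(a)(3)(ii)(B)", "Workforce Clearance Procedure", "Addressable"),
    ("164.308(a)(3)(ii)(C)", "Termination Procedures", "Addressable"),
    ("164.308(a)(5)(ii)(A)", "Security Reminders", "Addressable"),
]

# Slide 32 uses three levels on each axis; the product gives a 1..9 cell rank.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Assessment:
    """The assessor's answer for one specification (constructed data below)."""
    section: str
    implemented: bool
    applicable: bool = True       # Addressable only: reasonable and appropriate here?
    justification: str = ""       # why it is not applicable
    alternative: str = ""         # equivalent measure, or why none is reasonable
    likelihood: str = "Medium"    # of the threat if this gap stays open
    impact: str = "Medium"


def evaluate(spec, a):
    """None when the specification is satisfied, otherwise a finding string."""
    section, name, requirement = spec
    if a.implemented:
        return None
    if requirement == "Required":
        return f"{section} {name}: required specification not implemented"
    # Addressable: skipping it is acceptable only when it was assessed as not
    # reasonable/appropriate AND that decision and its alternative are documented.
    if a.applicable:
        return f"{section} {name}: assessed as applicable but not implemented"
    missing = [label for label, text in (("justification", a.justification),
                                         ("equivalent alternative", a.alternative))
               if not text.strip()]
    if missing:
        return f"{section} {name}: not applicable but missing " + " and ".join(missing)
    return None


def risk_score(a):
    """Cell rank in the likelihood x impact matrix (High/High = 9)."""
    return LEVELS[a.likelihood] * LEVELS[a.impact]


def gap_report(specs, assessments):
    """Open findings as (score, likelihood, impact, finding), highest risk first.

    A specification with no answer is treated as not implemented and applicable,
    so it surfaces as a gap rather than silently passing.
    """
    by_section = {a.section: a for a in assessments}
    findings = []
    for spec in specs:
        a = by_section.get(spec[0]) or Assessment(spec[0], implemented=False)
        finding = evaluate(spec, a)
        if finding:
            findings.append((risk_score(a), a.likelihood, a.impact, finding))
    return sorted(findings, key=lambda f: -f[0])


# Constructed answers for a small practice.
SAMPLE_ASSESSMENTS = [
    Assessment("164.308(a)(1)(ii)(A)", implemented=False, likelihood="High", impact="High"),
    Assessment("164.308(a)(1)(ii)(D)", implemented=True),
    Assessment("164.308(a)(3)(ii)(B)", implemented=False, applicable=False,
               justification="two-person practice, owners are the only workforce",
               likelihood="Low", impact="Medium"),
    Assessment("164.308(a)(3)(ii)(C)", implemented=False, likelihood="Medium", impact="High"),
    Assessment("164.308(a)(5)(ii)(A)", implemented=False, applicable=False,
               justification="no e-mail or sign-on banners in use",
               alternative="quarterly in-person security briefing, minuted"),
]

if __name__ == "__main__":
    for score, likelihood, impact, finding in gap_report(SPECIFICATIONS, SAMPLE_ASSESSMENTS):
        print(f"[{score}] L={likelihood:6s} I={impact:6s} {finding}")
```

The point of treating an unanswered row as a gap, and of refusing to accept "not applicable" without both the justification and the alternative (or the reason none is reasonable), is that these are exactly the omissions an OCR reviewer looks for: the Addressable label is a documentation duty, not an exemption. The score is only an ordering aid; the matrix on slide 32 shows that a Low-likelihood, High-impact item such as an unpatched patient-facing web server can still deserve attention before a High-likelihood, Low-impact one.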