This document discusses the importance of HIPAA compliance for information security. It begins with an introduction of the author and the agenda. It then explains what HIPAA is, why it was implemented, and what covered entities and business associates are. The three pillars of HIPAA compliance are described as the Privacy Rule, the Security Rule, and the Breach Notification Rule. Covered entities are defined as healthcare organizations that store, process or transmit personal health information. Business associates provide services to covered entities and must also comply with HIPAA. The document outlines key aspects of each HIPAA component and the requirements for breach notification. It emphasizes the critical need for organizations to understand and follow HIPAA regulations to protect private health information and reduce liability.
2. #aboutme
• Information Security Consultant
• Interested in Compliance and Penetration Testing
• Have a flair for writing on Information Security
• Like to learn and demonstrate the latest security attack vectors and technologies
3. Agenda
• What is HIPAA?
• Why was HIPAA needed?
• Who are the covered entities (CE) and Business Associates (BA)?
• Three Pillars of HIPAA Compliance
• Critical success factor for achieving HIPAA compliance
• Actions to Reduce Liability & Risks
• Q&A
5. HIPAA Components in Focus
HIPAA is the Federal Health Insurance Portability and Accountability Act of 1996. It is administered by the U.S. Department of Health and Human Services (HHS); implementation and civil enforcement are overseen by the HHS Office for Civil Rights (OCR).
• HIPAA Privacy Rule: protects the privacy of individually identifiable health information.
• HIPAA Security Rule: sets national standards for the security of electronic protected health information.
• HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
6. Why was HIPAA needed?
1. Insurance companies denied coverage to employees that had a pre-existing condition, even if the employees were previously covered by another employer.
2. No standardization for billing formats and codes used to file claims: basic information, such as patient name and treatment date, was formatted differently by each payer.
3. Insurance coding was very complex and there were many errors; companies often rejected many claims and delayed payments to providers.
High cost for administration.
HL7, ICD-10
7. HIPAA Protects…
Individuals' personally identifiable health information:
Health conditions – diagnosis, test results
Demographic information – name, address, gender
Clinical data – vital signs, lab results, etc.
Treatments & procedures
Billing and payment information
Protected health information (PHI), which is:
Transmitted by electronic media;
Maintained in electronic media; or
Transmitted or maintained in any other form or medium.
8. Pillars of HIPAA
Privacy Rule
• Notice of privacy practices
• Rights over PHI
• Access to PHI
• Uses and disclosures
• Accounting of disclosures
Security Rule
• Administrative
• Physical
• Technical
Breach Notification Rule
• Breach notification requirements for Covered Entities (CE) and Business Associates (BA)
9. Extent of HIPAA Applicability
Covered Entities: any healthcare organization that stores, processes, or transmits personal health information.
Covered Entities can be:
• Health Plan
• Health Care Provider
• Health Care Clearinghouse
Business Associates: any entity that uses or discloses protected health information on behalf of, or provides services to, a covered entity.
Business associate services can be in:
• legal;
• actuarial;
• accounting;
• consulting;
• data aggregation;
• management;
• administrative;
• accreditation; and
• financial.
10. Breach Notification
What to do?
• Risk assessment of the breach
• Notification to individuals impacted by the breach
  • within 60 days of discovery of the breach
  • timing also depends on State law
Focus on:
• Content of notification
• Notification to the media
• Notification to the Secretary
• Notification by a business associate
• Law enforcement delay
• Burden of proof
HHS – “Wall of Shame”
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
11. THANK YOU!!
- Manasdeep
http://reflect-infosec.blogspot.in/
https://twitter.com/manasdeep
https://in.linkedin.com/in/manasdeep