HIPAA Security Overview
Frank P. Bresz, [email protected]
Posted on 27-May-2020

Page 1: HIPAA Security Overview...Auditing and Testing Metrics Definition and Collection Reporting (management, regulatory, 3rd party) Program Quality ... required under the final HIPAA privacy


Page 2

HIPAA at a Glance

Title I: Portability. Title II: Administrative Simplification. Titles III, IV, and V.

Requirements under Title II (Administrative Simplification):

Unique Health Identifiers

- Employer: Taxpayer ID Number assigned by the IRS; alphanumeric field in standard transactions
- Health Plan (no NPRM issued; unlikely to be finalized): 10+3 position numeric, one digit checksum; sub-ID may appear on health card & direct EDI
- Individual: unlikely to be established
- Provider: single NPI, 10 position numeric, one digit checksum (no location code)

Privacy

- Covers protected health information (PHI) stored or transmitted in any form or medium: electronic, paper and oral
- Limitations: minimum uses and disclosures; consents optional for non-routine and authorizations required for routine uses and disclosures
- Key elements: individual rights (access, amendment, restriction and accounting); notice of privacy practices mandated; business associate contracts required; designated Privacy Official

Transaction Standards

- Transaction sets: ASC X12N version 4010 mandated
  - Eligibility: 270/271
  - Referral Certification and Authorization: 278
  - Claims: 837
  - Claim Status: 276/277
  - Claim Payment and Remittance Advice: 835
  - Benefit Enrollment and Maintenance: 834
  - Premium Payments: 820
  - Additional Information to Support Claims/Encounters (not yet final): 275
  - First Report of Injury (not yet final): 148
- NCPDP 5.1 mandated for pharmacy transactions (claims, eligibility and payment/remittance)
- Data element: required vs. optional, format, codes, values

Standard Code Sets

- Medical codes: ICD-9-CM, CPT-4, HCPCS, CDT, NDC (retail pharmacy); no local codes

Security

- Administrative safeguards: Security Management, Designated Security Official, Workforce Security, Access Management, Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts
- Technical safeguards: Access and Audit Controls, Integrity, Person/Entity Authentication, Transmission Security
- Physical safeguards: Facility Access Controls, Workstation Use and Security, Device and Media Controls
- Organizational requirements
- Policies, procedures & documentation
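The provider identifier's one-digit checksum, worked through in code. This is an added example and not part of the original slides: the NPI standard computes the check digit with the Luhn formula over the constant prefix 80840 followed by the first nine digits, and the sample identifiers below are constructed for the example.

```python
"""Validate the check digit of a 10-position National Provider Identifier (NPI).

An NPI is 10 numeric positions; position 10 is a Luhn check digit (ISO/IEC 7812)
computed over the constant prefix "80840" plus the first nine digits. The prefix
is used only in the computation and is never part of the stored identifier.
"""

NPI_PREFIX = "80840"  # health-industry issuer prefix fixed by the NPI standard


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit and double every second digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for an NPI whose first nine positions are `first_nine`."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI base must be exactly nine decimal digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if `npi` is 10 decimal digits and its check digit matches.

    Wrong length or non-digit input is rejected outright, so a transaction
    carrying a malformed provider identifier can be quarantined before it
    is processed further.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return int(npi[9]) == npi_check_digit(npi[:9])


if __name__ == "__main__":
    # Constructed samples: the first passes the check, the rest are malformed.
    for sample in ("1234567893", "1234567890", "123456789", "12345678A3"):
        print(sample, "valid" if is_valid_npi(sample) else "INVALID")
```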

Page 3

HIPAA Privacy and Security Architecture

Dimensions spanning every layer: People, Process, Technology; Integrity, Availability.

Business Drivers
• Business Strategies
• Industry Regulations
• Acceptable Risk

Governance, Policies and Standards
• Governance Structure
• Policies
• Technology-Independent Standards

People and Organizational Management
• Organizational Structure
• Functional Definition
• Roles and Responsibilities
• Skills/Resource Plan

Processes and Operational Practices
• BCP/DR/Crisis Mgmt
• Incident Response
• Identity & Access Mgmt
• Asset Management
• Certification & Accreditation
• Security Awareness/Education
• SLA Definition / Mgmt
• Security Development / Deployment
• Security Monitoring
• Physical Security
• Vulnerability Mgmt
• Risk Management
• 3rd party Security

Technology Specifications
• Minimum Security Baselines: Operating Systems, Databases, Applications, Networks

Asset Profile
• Technology, Physical, Information
• Inventory, Ownership, Risk Profile, Classification

Security Program Compliance and Reporting
• Auditing and Testing
• Metrics Definition and Collection
• Reporting (management, regulatory, 3rd party)
• Program Quality

Technical Security Architecture

Page 4

HIPAA Privacy and Security Architecture: Annotations

• HIPAA, NAIC, HEDIS, CMS and JCAHO Compliance
• Risk Management, Efficiency Enhancement, Business Process Enablement
• Identification of IIHI and Where It Resides
• Rules for Using and Protecting IIHI
• Network and System Architecture and other Tools to Protect IIHI
• Security Configuration and Management of Systems Hosting IIHI
• Practices for Supporting Operations (Tape Backup, Application Execution, Etc.) on Systems Hosting IIHI
• Roles, Responsibilities, and Practices for Handling and Using IIHI
• Practices for Monitoring the Security and Use of IIHI
• Rule for Protection and Use of Enterprise Information
• Identification of Sensitive Business Information such as Legal, Financial, Strategic, HR, Etc. and Where it Resides
• Security Impact of Enterprise Network and System Architecture: vulnerabilities on non-PHI systems may expose PHI


• People Element of Information and Systems Management
• Process Element of Information and Systems Management
• Technology Element of Information and Systems Management
• Method to Monitor and Maintain Architecture Integrity


Page 5

HIPAA Security Overview

• Security regulations published in the Federal Register on February 20, 2003
  – The HIPAA privacy rule focuses on confidentiality of protected health information (PHI)
  – The HIPAA security rule focuses on confidentiality, integrity, and availability of electronic PHI (ePHI)
  – Standard terminology between security and privacy in the two rules
  – Implementation date of April 21, 2005
• Contains 18 standards under three major categories
  – 14 “required” implementation specifications
  – 22 “addressable” implementation specifications
• Two additional categories
  – Organizational requirements
  – Policies, procedures, and documentation
• Starts with completing a risk analysis

Page 6

HIPAA Security Overview

Administrative Safeguards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements

Technical Safeguards
• Access Controls
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

Physical Safeguards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls

Organizational Requirements
• Business Associate Contract and Other Arrangements
• Requirements for Group Health Plans

Policies, Procedures and Documentation
• Policies and Procedures
• Documentation

Page 7

HIPAA Security General Requirements

• Section 164.306(a) of the Final Security Rule requires that all covered entities must:
  – Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  – Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  – Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the final HIPAA privacy rule.
  – Ensure compliance with the HIPAA security rule by its workforce.

Page 8

Flexibility of Approach

• Section 164.306(b) provides additional guidance:
  – Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
  – In deciding which security measures to use, a covered entity must take into account the following factors:
    • The size, complexity, and capabilities of the covered entity
    • The covered entity’s technical infrastructure, hardware, and software security capabilities
    • The costs of security measures
    • The probability and criticality of potential risks to electronic protected health information

Page 9

“Required” vs. “Addressable”

• HIPAA creates two categories of implementation specifications: “required” and “addressable”
• “Addressable” does NOT mean optional; it only gives you flexibility in implementing a security measure based on the following criteria
• In deciding which security measures to use, a covered entity must take into account the following factors:
  – The size, complexity, and capabilities of the covered entity
  – The covered entity’s technical infrastructure, hardware, and software security capabilities
  – The costs of security measures
  – The probability and criticality of potential risks to electronic protected health information

Page 10

Risk Analysis

• Intended to be the foundational step for security compliance
• Limited guidance on a preferred methodology:
  – Asset-based: some organizations cannot locate and/or classify their assets
  – Regulatory-based: may not address the real risks within the organization
  – Threat-based: predicated on defining realistic risks, which may not be readily apparent
• Risk analysis is a one-time effort; an ongoing risk management function should be established

Page 11

Detailed Standard Review

Page 12

Administrative Safeguards

• Security Management Process

• Assigned Security Responsibility

• Workforce Security

• Information Access Management

• Security Awareness and Training

Page 13

Administrative Safeguards (continued)

• Security Incident Procedures

• Contingency Plan

• Evaluation

• Business Associate Contracts and Other Arrangements

Page 14

Technical Safeguards

• Access Controls

• Audit Controls

• Integrity

• Person or Entity Authentication

• Transmission Security

Page 15

Physical Safeguards

• Facility Access Controls

• Workstation Use

• Workstation Security

• Device and Media Controls

Page 16

Policies, Procedures and Documentation

• Policies and Procedures

• Documentation

Page 17

Organizational Requirements

• Business Associate Contract and Other Arrangements

• Requirements for Group Health Plans

Page 18

Questions

• What questions do you have?