1 #!@
HIPAA Security Overview
Frank P. [email protected]
2 #!@
HIPAA at a Glance
HIPAA
- Title I: Portability
- Title II: Administrative Simplification
  - Unique Health Identifiers
    - Employer
      - Taxpayer ID Number assigned by the IRS
      - Alphanumeric field in standard transactions
    - Health Plan (no NPRM issued)
      - 10+3 position numeric, one digit checksum
      - Sub-ID may appear on health card & direct EDI
      - Unlikely to be finalized
    - Individual
      - Unlikely to be established
    - Provider
      - Single NPI: 10 position numeric, one digit checksum (no location code)
  - Standard Code Sets (medical codes)
    - ICD-9-CM, CPT-4, HCPCS, CDT, NDC (retail pharmacy)
    - No local codes
  - Transaction Standards
    - Transaction sets: ASC X12N version 4010 mandated
      - Eligibility: 270/271
      - Referral Certification and Authorization: 278
      - Claims: 837
      - Claim Status: 276/277
      - Claim Payment and Remittance Advice: 835
      - Benefit Enrollment and Maintenance: 834
      - Premium Payments: 820
      - Additional Information to Support Claims/Encounters (not yet final): 275
      - First Report of Injury (not yet final): 148
    - NCPDP 5.1 mandated for pharmacy transactions (claims, eligibility and payment/remittance)
    - Data element: Required vs. Optional, Format, Codes, Values
  - Privacy
    - Covers protected health information (PHI) stored or transmitted in any form or medium: electronic, paper and oral
    - Minimum uses and disclosures
    - Consents optional for non-routine and authorizations required for routine uses and disclosures
    - Individual rights: access, amendment, restriction and accounting
    - Notice of privacy practices mandated
    - Business associate contracts required
    - Designated Privacy Official
  - Security
    - Administrative Safeguards: Security Management, Designated Security Official, Workforce Security, Access Management, Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, Business Associate Contracts
    - Technical Safeguards: Access and Audit Controls, Integrity, Person/Entity Authentication, Transmission Security
    - Physical Safeguards: Facility Access Controls, Workstation Use and Security, Device and Media Controls
    - Organizational Requirements
    - Policies, Procs & Documentation
- Titles III, IV, and V
3 #!@
HIPAA Privacy and Security Architecture
Axes of the diagram: People, Process, Technology; Integrity, Availability
- Business Drivers: Business Strategies; Industry Regulations; Acceptable Risk
- Governance, Policies and Standards: Governance Structure; Policies; Technology-Independent Standards
- Processes and Operational Practices: BCP/DR/Crisis Mgmt; Incident Response; Identity & Access Mgmt; Asset Management; Certification & Accreditation; Security Awareness/Education; SLA Definition/Mgmt; Security Development/Deployment; Security Monitoring; Physical Security; Vulnerability Mgmt; Risk Management; 3rd party Security
- People and Organizational Management: Organizational Structure; Functional Definition; Roles and Responsibilities; Skills/Resource Plan
- Security Program Compliance and Reporting: Auditing and Testing; Metrics Definition and Collection; Reporting (management, regulatory, 3rd party); Program Quality
- Asset Profile: Technology, Physical, Information; Inventory, Ownership, Risk Profile, Classification
- Technology Specifications: Minimum Security Baselines; Operating Systems; Databases; Applications; Networks
- Technical Security Architecture
4 #!@
HIPAA Privacy and Security Architecture (the same diagram as the previous slide, annotated with what each layer must cover)
- HIPAA, NAIC, HEDIS, CMS and JCAHO Compliance
- Risk Management, Efficiency Enhancement, Business Process Enablement
- Identification of IIHI and Where It Resides
- Rules for Using and Protecting IIHI
- Network and System Architecture and other Tools to Protect IIHI
- Security Configuration and Management of Systems Hosting IIHI
- Practices for Supporting Operations (Tape Backup, Application Execution, Etc.) on Systems Hosting IIHI
- Roles, Responsibilities, and Practices for Handling and Using IIHI
- Practices for Monitoring the Security and Use of IIHI
- Rule for Protection and Use of Enterprise Information
- Identification of Sensitive Business Information such as Legal, Financial, Strategic, HR, Etc. and Where it Resides
- Security Impact of Enterprise Network and System Architecture: Vulnerabilities on non-PHI systems may Expose PHI
- People Element of Information and Systems Management
- Process Element of Information and Systems Management
- Technology Element of Information and Systems Management
- Method to Monitor and Maintain Architecture Integrity
5 #!@
HIPAA Security Overview
• Security regulations published in the Federal Register February 20, 2003
– HIPAA privacy rule focuses on confidentiality of protected health information (PHI)
– HIPAA security rule focuses on confidentiality, integrity, and availability of electronic PHI (ePHI)
– Standard terminology between security and privacy in the two rules
– Implementation date of April 21, 2005
• Contains 18 standards under three major categories
– 14 “required” implementation specifications
– 22 “addressable” implementation specifications
• Two additional categories
– Organizational requirements
– Policies, procedures, and documentation
• Starts with Completing a Risk Analysis
6 #!@
ü Access Controlsü Audit Controlsü Integrityü Person or Entity
Authenticationü Transmission Security
HIPAA Security Overview
ü Facility Access Controlsü Workstation Useü Workstation Securityü Device and Media
Controls
ü Business Associate Contract and Other Arrangementsü Requirements for Group Health
Plans
ü Policies and Proceduresü Documentation
ü Security Management Processü Assigned Security Responsibilityü Workforce Securityü Information Access Managementü Security Awareness and Trainingü Security Incident Proceduresü Contingency Planü Evaluationü Business Associate Contracts and Other
Arrangements
7 #!@
HIPAA Security General Requirements
• Section 164.306(a) of the Final Security Rule requires that all covered entities must:
– Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
– Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
– Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the final HIPAA privacy rule.
– Ensure compliance with the HIPAA security rule by its workforce.
8 #!@
Flexibility of Approach
• Section 164.306(b) provides additional guidance:
– Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
– In deciding which security measures to use, a covered entity must take into account the following factors:
• The size, complexity, and capabilities of the covered entity
• The covered entity’s technical infrastructure, hardware, and software security capabilities
• The costs of security measures
• The probability and criticality of potential risks to electronic protected health information
9 #!@
“Required” vs. “Addressable”
• HIPAA creates two categories of implementation specifications: “required” and “addressable”
• “Addressable” does NOT mean optional – it only gives you flexibility in implementing a security measure based on the following criteria
• In deciding which security measures to use, a covered entity must take into account the following factors:
– The size, complexity, and capabilities of the covered entity
– The covered entity’s technical infrastructure, hardware, and software security capabilities
– The costs of security measures
– The probability and criticality of potential risks to electronic protected health information
10 #!@
Risk Analysis
• Intended to be the foundational step for security compliance
• Limited guidance on preferred methodology
– Asset-based >> some cannot locate and/or classify their assets
– Regulatory-based >> may not address real risks within the organization
– Threat-based >> predicated on defining realistic risks which may not be readily apparent
• Risk Analysis is a one-time effort; an on-going risk management function should be established
11 #!@
Detailed Standard Review
12 #!@
Administrative Safeguards
• Security Management Process
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
13 #!@
Administrative Safeguards (continued)
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements
14 #!@
Technical Safeguards
• Access Controls
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security
15 #!@
Physical Safeguards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls
16 #!@
Policies, Procedures and Documentation
• Policies and Procedures
• Documentation
17 #!@
Organizational Requirements
• Business Associate Contract and Other Arrangements
• Requirements for Group Health Plans
18 #!@
Questions
• What Questions do you have?