The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.
The HIPAA Security Rule lists 28 administrative safeguards, 12 physical safeguards and 12 technical safeguards, along with specific organizational and policies-and-procedures requirements. EHR 2.0 HIPAA security assessment services help covered entities discover their gap areas against the required and addressable requirements.
There are two main rules for HIPAA. One is a rule on privacy and the other on Security.
The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
How often should security be reviewed?
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
Confidentiality
Limiting information access and disclosure to authorized users (the right people)
Integrity
Trustworthiness of information resources (no inappropriate changes)
Availability
Availability of information resources (at the right time)
http://ehr20.com/services/hipaa-security-assessment/
3. Who we are …
EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations.
Education
Consulting
Toolkit (Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and painless experience, while building capability and confidence.
4. Glossary
1. PHI: Protected Health Information
2. HHS: Health and Human Services
3. OCR: Office for Civil Rights
4. HIPAA: Health Insurance Portability and Accountability Act
5. HITECH: Health Information Technology for Economic and Clinical Health Act
6. HITECH modifications to HIPAA
Creating incentives for developing a meaningful use of electronic health records
Changing the liability and responsibilities of Business Associates
Redefining what a breach is
Creating stricter notification standards
Tightening enforcement
Raising the penalties for a violation
Creating new code and transaction sets (HIPAA 5010, ICD10)
7. Business Associate Cycle
(Diagram showing the relationships between the Covered Entity, the Business Associate (BA), its Sub-contractors, and HHS/OCR.)
Covered Entity / BA labels: BA Contract; Breach Notification; Minimum Necessary
HHS/OCR labels: HIPAA Privacy and Security Rule; Breach Notification
9. HIPAA
The two main rules of HIPAA are:
Privacy Rule: Organizations must identify the uses and disclosures of protected health information (PHI) and put into effect appropriate safeguards to protect against an unauthorized use or disclosure of that PHI. When material breaches or violations of privacy are identified, the organizations must take reasonable steps to solve those problems in order to limit exposure of PHI.
Security Rule: Defines the administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information.
(45 CFR Part 160 and Subparts A and C of Part 164)
11. Information Security Model
Confidentiality: Limiting information access and disclosure to authorized users (the right people)
Integrity: Trustworthiness of information resources (no inappropriate changes)
Availability: Availability of information resources (at the right time)
13. ePHI – 18 Elements
Element | Examples
Name | Max Bialystock
Address (all geographic subdivisions smaller than state, including street address, city, county, or ZIP code) | 1355 Seasonal Lane
Dates related to an individual | Birth, death, admission, discharge
Telephone numbers | 212 555 1234 (home, office, mobile etc.)
Fax number | 212 555 1234
Email address | LeonT@Hotmail.com (personal, official)
Social Security number | 239-68-9807
Medical record number | 189-88876
Health plan beneficiary number | 123-ir-2222-98
Account number | 333389
Certificate/license number | 3908763 NY
Any vehicle or other device serial number | SZV4016
Device identifiers or serial numbers | Unique medical devices
Web URL | www.rickymartin.com
Internet Protocol (IP) address numbers | 19.180.240.15
Finger or voice prints | finger.jpg
Photographic images | mypicture.jpg
Any other characteristic that could uniquely identify the individual |
14. Examples of ePHI (and not ePHI)
Examples of ePHI:
magnetic tape
disk or optical disk
computerized information
internet transmission
network information
telephone response and “fax back” (a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax)
Examples of NOT ePHI:
paper files
“paper to paper” faxes
person-to-person telephone calls
video teleconferencing
voicemail messages
15. Security Standards: General Rules
§ 164.306
What are “Required” standards?
If the standard is stated as “Required”, a covered entity and business associate must comply with that standard.
What are “Addressable” standards?
If the standard is stated as “Addressable”, the covered entity or business associate must assess whether the implementation specification is a reasonable and appropriate safeguard in its environment with reference to e-PHI. If it is applicable, take measures to implement it.
16. Security Standards: General Rules
§ 164.306
What if “Addressable” standards are not applicable to the covered entity’s environment?
Document why it is not applicable and implement an equivalent alternative measure if reasonable and appropriate.
How often should security be reviewed?
The security standards under HIPAA should be reviewed and modified as needed to continue providing reasonable and appropriate protection of electronic protected health information.
24. Healthcare Infrastructure
Any device that electronically stores or transmits information using a software program:
Computers
Storage Devices
Networking devices (Routers, Switches & Wireless)
Medical Devices
Scanners, fax and photocopiers
VoIP
Smart-phones, Tablets (ipad, PDAs)
Cloud-based services
26. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
Source: compTIA 2011 Survey
29. Social Media
How does your practice use it?
How do your employees use it?
Do you have policies?
30. Cloud-based services
Deployment models: Public Cloud, Private Cloud, Hybrid
Typical healthcare uses: EHR Applications; Private-label e-mail; Archiving of Images; File Sharing; On-line Backups
HIPAA regulations remain barriers to full cloud adoption.
Cloud Computing is taking all batch processing and farming it out to huge central or virtualized computers.
32. Sample Risk Analysis Template
Rows are Impact, columns are Likelihood.
Impact \ Likelihood | High | Medium | Low
High | Unencrypted laptop ePHI | Lack of auditing on EHR systems | Missing security patches on web server hosting patient information
Medium | Unsecured wireless network in doctor’s office | Outdated anti-virus software | External hard drives not being backed up
Low | Sales presentation on USB thumb drive | Web server backup tape not stored in a secured location | Weak password on internal document server
33. HIPAA Security Rule Standard
HIPAA Section | Implementation Specification | Implementation Requirement | Description | Solution | Yes/No/Comments
164.308(a)(1)(i) | Security Management Process | Required | Policies and procedures to manage security violations | |
164.308(a)(1)(ii)(A) | Risk Analysis | Required | Conduct vulnerability assessment | Penetration test, vulnerability assessment |
164.308(a)(1)(ii)(B) | Risk Management | Required | Implement security measures to reduce risk of security breaches | SIM/SEM, patch management, vulnerability management, asset management, helpdesk |
164.308(a)(1)(ii)(C) | Sanction Policy | Required | Worker sanction for policies and procedures violations | Security policy document management |
164.308(a)(1)(ii)(D) | Information System Activity Review | Required | Procedures to review system activity | Log aggregation, log analysis, security event management, host IDS |
164.308(a)(2) | Assigned Security Responsibility | Required | Identify security official responsible for policies and procedures | |
164.308(a)(3)(i) | Workforce Security | Required | Implement policies and procedures to ensure appropriate PHI access | |
164.308(a)(3)(ii)(A) | Authorization and/or Supervision | Addressable | Authorization/supervision for PHI access | Mandatory, discretionary and role-based access control: ACL, native OS policy enforcement |
164.308(a)(3)(ii)(B) | Workforce Clearance Procedure | Addressable | Procedures to ensure appropriate PHI access | Background checks |
164.308(a)(3)(ii)(C) | Termination Procedures | Addressable | Procedures to terminate PHI access | Single sign-on, identity management, security policy document management, access controls |
164.308(a)(4)(i) | Information Access Management | Required | Policies and procedures to authorize access to PHI | |
164.308(a)(4)(ii)(A) | Isolation Health Clearinghouse Functions | Required | Policies and procedures to separate PHI from other operations | Application proxy, firewall, mandatory UPN, SOCKS |
164.308(a)(4)(ii)(B) | Access Authorization | Addressable | Policies and procedures to authorize access to PHI | Mandatory, discretionary and role-based access control |
164.308(a)(4)(ii)(C) | Access Establishment and Modification | Addressable | Policies and procedures to grant access to PHI | Security policy document management |
164.308(a)(5)(i) | Security Awareness Training | Required | Training program for workers and managers | |
164.308(a)(5)(ii)(A) | Security Reminders | Addressable | Distribute periodic security updates | Sign-on screen, screen savers, monthly memos, e-mail, banners |
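The “Required” versus “Addressable” decision rule from slides 15 and 16, applied to a few of the 164.308 specifications in the table above, as an added Python example (not EHR 2.0’s tool or any code from the deck). The Spec and Status types, the REVIEW verdict for a documented-but-no-alternative case, and the example implementation statuses are assumptions constructed for illustration.

```python
"""Required vs Addressable gap evaluation (45 CFR 164.306 general rules)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Spec:
    section: str    # e.g. "164.308(a)(1)(ii)(A)"
    name: str       # implementation specification
    required: bool  # True = "Required", False = "Addressable"


@dataclass
class Status:                                     # constructed, per entity
    implemented: bool
    not_applicable_reason: Optional[str] = None   # documented rationale
    alternative_measure: Optional[str] = None     # equivalent alternative


def evaluate(spec: Spec, status: Status) -> str:
    """Classify one specification as OK, REVIEW or GAP."""
    if status.implemented:
        return "OK"
    if spec.required:
        return "GAP"      # Required: must be implemented, no opt-out
    if not status.not_applicable_reason:
        return "GAP"      # Addressable: must at least document why not
    if not status.alternative_measure:
        return "REVIEW"   # documented; confirm no alternative is reasonable
    return "OK"           # documented and equivalent alternative in place


def gap_report(specs, statuses):
    """Return [(section, name, verdict)] with GAPs first, then REVIEW, then OK."""
    order = {"GAP": 0, "REVIEW": 1, "OK": 2}
    rows = [(s.section, s.name, evaluate(s, statuses[s.section])) for s in specs]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Specifications copied from the slide-33 table; statuses are constructed.
SPECS = [
    Spec("164.308(a)(1)(ii)(A)", "Risk Analysis", True),
    Spec("164.308(a)(1)(ii)(D)", "Information System Activity Review", True),
    Spec("164.308(a)(3)(ii)(B)", "Workforce Clearance Procedure", False),
    Spec("164.308(a)(5)(ii)(A)", "Security Reminders", False),
]
STATUSES = {
    "164.308(a)(1)(ii)(A)": Status(True),
    "164.308(a)(1)(ii)(D)": Status(False),
    "164.308(a)(3)(ii)(B)": Status(False, "Two-owner practice; no hiring",
                                   "Owners re-verify licences annually"),
    "164.308(a)(5)(ii)(A)": Status(False),
}

if __name__ == "__main__":
    for section, name, verdict in gap_report(SPECS, STATUSES):
        print(f"{verdict:6} {section} {name}")
```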
34. Key Takeaways
ePHI - Focus of HIPAA/HITECH Security & Compliance
HIPAA program secures technology environments focusing on CIA
HIPAA security assessment includes administrative, technical and physical safeguards
The key HIPAA security requirement is to conduct technical security analysis
36. Next Steps
Follow us on social media
facebook.com/ehr20 (Like)
linkedin.com/company/ehr-2-0 (Follow us)
https://twitter.com/#!/EHR_20 (Follow)
Next Live Webinars:
OCR/HHS HIPAA/HITECH Audit Preparation (4/4/2012)
Social Media Compliance for Healthcare Professionals (4/11/2012)
Sign-up at ehr20.com/webinars
http://ehr20.com/services/