Preparing for the HIPAA Security Rule

Similar documents
Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

HIPAA Security Rule Compliance

Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

HIPAA Security Alert

HIPAA Compliance and the Protection of Patient Health Information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

HIPAA COMPLIANCE AND

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

C.T. Hellmuth & Associates, Inc.

HIPAA Compliance Guide

Nine Network Considerations in the New HIPAA Landscape

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Guide: Meeting HIPAA Security Rules

HIPAA Security Series

Overview of the HIPAA Security Rule

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

HIPAA Compliance Guide

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA Security COMPLIANCE Checklist For Employers

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

How To Write A Health Care Security Rule For A University

YOUR HIPAA RISK ANALYSIS IN FIVE STEPS

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA Compliance: Are you prepared for the new regulatory changes?

FINAL May Guideline on Security Systems for Safeguarding Customer Information

CHIS, Inc. Privacy General Guidelines

Why Lawyers? Why Now?

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Double-Take in a HIPAA Regulated Health Care Industry

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

VMware vcloud Air HIPAA Matrix

Montclair State University. HIPAA Security Policy

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Datto Compliance 101 1

Can Your Diocese Afford to Fail a HIPAA Audit?

Top Ten Technology Risks Facing Colleges and Universities

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA: In Plain English

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Compliance & Privacy. What You Need to Know Now

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

2016 OCR AUDIT E-BOOK

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

Healthcare Insurance Portability & Accountability Act (HIPAA)

Cybersecurity for Meaningful Use FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

The Basics of HIPAA Privacy and Security and HITECH

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

OCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information

My Docs Online HIPAA Compliance

HIPAA Information Security Overview

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

New privacy and security requirements increase potential legal liability and jeopardize brand reputation.

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

REFERENCE 5. White Paper Health Insurance Portability and Accountability Act: Security Standards; Implications for the Healthcare Industry

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

What s New with HIPAA? Policy and Enforcement Update

Preemptive security solutions for healthcare

Business Associate Management Methodology

HIPAA Security Training Manual

Health Insurance Portability and Accountability Act (HIPAA) Compliance Audit Final Report

State HIPAA Security Policy State of Connecticut

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA in an Omnibus World. Presented by

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Audit Risk Assessment - Risk Factors

WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP

Plan Sponsor s Guide to the HIPAA Security Rule

1. Secure 128-Bit SSL Communication 2. Backups Are Securely Encrypted 3. We Don t Keep Your Encryption Key VERY IMPORTANT:

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

REMOTE ACCESS TO A HEALTHCARE FACILITY AND THE IT PROFESSIONAL S OBLIGATIONS UNDER HIPAA AND THE HITECH ACT

HIPAA Privacy & Security Health Insurance Portability and Accountability Act

Transcription:

A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions and code sets, privacy, and security. The goals of these standards are to: Simplify the administration of health insurance claims and lower costs. Give individuals more control over and access to their medical information. Protect individually identifiable medical information from threats of loss or disclosure. The HIPAA Security Final Rule, the last of the three HIPAA Rules, was published in the February 20, 2003 Federal Register with an effective date of April 21, 2003. Most Covered Entities (CEs) will have had two full years -- until April 21, 2005 -- to comply with these standards. In general, the Security Rule protects electronic patient health information (EPHI) whether it is stored in a computer or printed from a computer. The Security Rule is comprehensive including 18 standards defining what safeguards those covered by the Rule must implement and 35 specifications that describe how the standards must be implemented. The documentation requirements for the Security Rule are daunting. In fact, there are two standards in the Rule covering policies and procedures and documentation. In some cases, no guidance is provided for how the standards must be implemented. Most experts agree that the HIPAA Security Rule requirements are much more extensive than the HIPAA Privacy Rule! To make matters worse, most healthcare companies or medical practices covered by the Rule have limited staff resources to implement an initiative to comply with the Security Rule. And available information security consulting expertise in many communities may be limited and expensive. This white paper, presented in the form of Frequently Asked Questions, will help you prepare for the sweeping changes in the way you must do business under the terms of the HIPAA Security Rule. 2002-2009 Data Mountain LLC All Rights Reserved 1

Frequently Asked Questions about the HIPPA Security Rule Q1. Why do I need to be HIPAA Security compliant? The HIPAA law requires all health care Covered Entities (CEs) and their business associates to safeguard the privacy of patient health information. The HIPAA law also requires CEs and associates to implement required security measures to protect patient health information. Q2. What is a Covered Entity? Covered Entities (CEs) include all health care providers (doctors, dentists, therapists, psychologists, pharmacists, etc.), health care clearinghouses, and health plans that electronically store or transmit electronic patient health information (EPHI). In addition, any business associate of these CEs who by agreement has access to this EPHI will be required to comply with the Security Rule as well. This comprehensive requirement will help to ensure that the same level of security is consistent throughout whenever health information is accessed or exchanged between organizations. Q3. What are the objectives of the HIPPA Privacy and Security Rules? The objectives of these rules are to: Ensure confidentiality, integrity, and availability of all EPHI that a CE or CE business associate creates, receives, maintains, or transmits. Protect against any reasonably anticipated threats or hazards to the security or integrity of such EPHI. Protect against any reasonably anticipated losses or disclosures of EPHI. 2002-2009 Data Mountain LLC All Rights Reserved 2

Q4. What is the difference between the HIPAA Privacy Rule and the HIPAA Security Rule? The Security and Privacy Rules are distinct rules but they are inextricably linked. The privacy of information depends in large part upon existence of security measures. The HIPAA Security Rule defines the standards that CEs must implement to provide basic safeguards to protect EPHI. The Privacy Rule sets the standards spelling out how CEs should control EPHI. In general, the Privacy Rule covers protected health information (PHI) in all forms while the Security Rule only covers PHI in electronic form. Q5. What does HIPAA mean by EPHI and electronic media? In general, patient health information that has been converted to, stored in, or transmitted by electronic media is deemed to be EPHI and as such is to be controlled and protected under the HIPAA Privacy and Security Rules. Electronic media is defined as: Any electronic storage media including memory in computers (hard drives) Any removable or transportable digital memory medium (magnetic tapes or disk, optical disk, or memory card) Transmission media used to exchange information electronically (Internet, leased lines, dial-up, intranets, and private networks) Q6. Is all patient health information covered by the Security Rule? There is an exception. PHI transmitted by FAX or telephone is not covered by the HIPAA Security Rule, although this information is covered by the HIPAA Privacy Rule. Q7. What is the definition of common control? Common control exists if a CE has the power, directly or indirectly, to influence or direct the actions or policies of another entity (e.g., a business associate) in a significant way. This means that CEs as custodians of PHI must secure this information and take appropriate actions to ensure that outside vendors, they contracted with, also take the necessary safeguards to control and protect this PHI. 2002-2009 Data Mountain LLC All Rights Reserved 3

Q8. What is a standard as defined by the Security Rule? A standard is a provision of the Security Rule that all CEs must comply with, specifically with respect to EPHI. There are no exceptions. There are 19 standards defined in the Security Rule. Q9. What are implementation specifications? Generally, a standard defines what a CE must do while an implementation specification describes how it must be done. There are two types of specifications, those that are required and those that are addressable. Required implementation specifications are critical and CEs must implement them. Addressable implementation specifications may or may not be implemented depending on the outcome of a security risk analysis. For an addressable specification, a CE must: ASSESS whether the specification is a reasonable and appropriate safeguard, AND implement the specification if it is reasonable and appropriate, OR document why it is not reasonable and appropriate, AND implement an equivalent alternative measure if one can be identified as reasonable and appropriate. 2002-2009 Data Mountain LLC All Rights Reserved 4

Q10. What is a risk analysis? Risk is defined as the degree or likelihood that a certain threat or vulnerability will occur, resulting in a breach of safeguards designed to provide control or protection of patient health information. Risk is quantified by taking into account two factors involving (1) the likelihood and (2) the impact (criticality) of loss. A risk analysis is a systematic and comprehensive assessment of all aspects of information including electronic conversion, storage, or transmission that could potentially compromise the integrity of patient health information. Thus, the scope of a risk analysis should address all facets of the CE computer hardware, software, and networks and associated electronic equipment and systems. The initial risk analysis should also assess security policies and procedures and technical safeguards, to determine the extent to which they meet the standards contained in the Security Rule. Then CEs must perform ongoing risk analyses in response to environmental or operational changes. Risk analysis findings should identify levels of risk and make recommendations to reduce these risks to a reasonable and appropriate level. These findings and their remedies should be documented and retained as a permanent component of the HIPAA Security Rule compliance program. This documentation should take the form of: Security Gap Analysis (depicting the difference between the current and the optimal levels of risk) Risk Remediation Plan (outlining the process for achieving the optimal levels of risk) A CE can choose to have a third party perform the risk analysis and thus provide an independent assessment of the organization s security with respect to the HIPAA Security Standards. 2002-2009 Data Mountain LLC All Rights Reserved 5

Q11. What kinds of threats to security do CE s face today? The Security Rule was designed to protect the confidentiality, integrity, and availability of EPHI. Health information that is stored on a computer or transmitted across computer networks, including the Internet, is vulnerable to and must be protected from: Hacker and disgruntled employee abuse Untrained personnel mishandling Exploitation by people not having a need to know Unplanned system outages Burglary and theft Fire, flood, and other disasters The Security Rule requires CEs to assess their exposure to these and other threats. Q12. What safeguards does the Security Rule mandate for the protection of EPHI? The Security Rule mandates certain technology-neutral, flexible, and scalable administrative, physical, and technical safeguards that outline which technologies, policies, and procedures should be put in place to ensure adequate ongoing protection of EPHI. These are all based on information security best practices, many of which have been around for decades. 2002-2009 Data Mountain LLC All Rights Reserved 6

Q13. What are some of the electronic security techniques that CEs may have to consider to be compliant? The HIPAA Security Standards are technology-neutral. The rule lays out the requirements and it is up to each individual organization to determine how to best meet the requirements, including which specific security technologies to implement. In recent years, advances in information technology have resulted in the introduction of a number of security measures and devices that CEs may determine to be reasonable and appropriate means to control and protect their EPHI including: Firewalls Encryption Password authentication Digital signatures Secure, remote data backup Biometric access methods Anti-Spyware and Anti-virus software Security Auditing and Logging Smart cards Computer physician order entry (CPOE) systems Q14. When will CE s have to comply with the provisions of the Security Rule? Most covered entities will have to be in compliance with the Security Rule by April 21, 2005. However, a large portion of the Privacy Rule requires certain Security Rule components to be in place as of April 14, 2003. 2002-2009 Data Mountain LLC All Rights Reserved 7

Q15. What are the consequences for non-compliance? The proposed Security Rule listed penalties ranging from $100 for violations and up to $250,000 and a 10-year jail term in the case of malicious harm. However, the final Security Rule does not specify penalties but states that a separate regulation addressing enforcement will be issued at a later date. HIPAA sets a high standard of care that CEs should strive to uphold. As stated in the final rule, Congress intended for HIPAA to set an exceptionally high goal for the security of electronic protected health information. But there are other perhaps more serious consequences for CEs than potential penalties. These include the loss of the CE s reputation and expensive lawsuits. Should a security breach occur in which EPHI is accessed by an unauthorized user, a CE could lose the trust of its patients, members, physicians and partners, and so on. HIPAA s high standard could be cited in civil litigation thereby creating the potential for huge settlements. Q16. Where can I find the documented final Security Rule? The following link will take you directly to the final Security Rule in the Federal Register: http://www.datamountain.com/files/1202/file/hipaa_security_final_rule.pdf 2002-2009 Data Mountain LLC All Rights Reserved 8

Q17. In practical terms, what should I do first? Here is the short list of critically important actions you should take as soon as possible: Read the Rule to make sure you understand how it applies to you. Charter a formal HIPAA Security team of dedicated internal staff members and/or outside experts Conduct a comprehensive HIPAA Security Assessment to ascertain your current security state of affairs. Prepare a Preliminary Risk Remediation Plan outlining those actions requiring your immediate attention. Perform a thorough Risk Analysis as a basis for preparing a Security Gap Analysis and a Final Risk Remediation Plan Document all decisions made and risks that are deemed accepted Ensure that all employees (including doctors and upper management) are trained on their roles and responsibilities with respect to the Security Rule Develop your Confidential HIPAA Security Compliance Manual Maintain an ongoing program for monitoring your environment and operational processes for HIPAA Security Rule compliance. Q18. How can Data Mountain help? Data Mountain assists health care companies and medical practices throughout Middle Tennessee with all matters related to data protection, data backup and recovery, disaster recovery, and data security -- and in bringing our clients into compliance with HIPAA Security Rule standards. In anticipation of the burdensome impact of the HIPAA Security Rule on our clients, we have developed a complete set of tools and techniques to streamline the Security Rule compliance process. If you feel that retaining outside expertise in this area is the right approach for you, we offer a quick and cost-effective solution beginning with our HIPAA Security Assessment (HSA). For more information or to schedule an informative HSA presentation at your offices, please contact us on (800) 704-3394. Thank you. 2002-2009 Data Mountain LLC All Rights Reserved 9

In fact, 77% of the respondents to a recent Storage Magazine survey found their tapes failed while testing their backup. Don't bet your practice's future on those odds. Get a Jump On HIPAA Security Rule Compliance. Many sections of the Final Rule cite data protection. Section 106.308(a)(7), Contingency Plan, specifically calls for data protection. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. Two key REQUIRED standards call for a Data Backup Plan and a Disaster Recovery Plan. LiveVault, the premier provider of remote backup solutions, can provide secure, online backup solutions that provide exact, readily retrievable copies of EPHI that will help you meet these required standards. Eliminate Tapes. Eliminate Risk. With the LiveVault Online Backup Service you can eliminate business risk and the daily hassle of tape backup. The LiveVault Service will continuously backup your critical server data, archive it securely at an off-site data center, and make it immediately available for recovery 24 hours a day. Best of all, it's completely automated and online, so you never touch tape again! Explore Tape-Less Backup. Learn more about our tape-less backup service by calling us today at (800) 704-3394. Or visit, www.datamountain.com 2002-2009 Data Mountain LLC All Rights Reserved 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information