Overview of the HIPAA Security Rule



Similar documents
OCR UPDATE Breach Notification Rule & Business Associates (BA)

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

New HIPAA regulations require action. Are you in compliance?

My Docs Online HIPAA Compliance

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

When HHS Calls, Will Your Plan Be HIPAA Compliant?

M E M O R A N D U M. Definitions

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Security Rule Compliance

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

What do you need to know?

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

University Healthcare Physicians Compliance and Privacy Policy

COMPLIANCE ALERT 10-12

Isaac Willett April 5, 2011

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

SECURITY RISK ASSESSMENT SUMMARY

VMware vcloud Air HIPAA Matrix

Use & Disclosure of Protected Health Information by Business Associates

HIPAA Compliance: Are you prepared for the new regulatory changes?

Healthcare Compliance Solutions

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

HIPAA and HITECH Compliance for Cloud Applications

CHIS, Inc. Privacy General Guidelines

STANDARD ADMINISTRATIVE PROCEDURE

Lessons Learned from HIPAA Audits

The HIPAA Audit Program

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

BUSINESS ASSOCIATE AGREEMENT

The Impact of HIPAA and HITECH

HIPAA Compliance Guide

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

District of Columbia Health Information Exchange Policy and Procedure Manual

The Basics of HIPAA Privacy and Security and HITECH

What s New with HIPAA? Policy and Enforcement Update

BUSINESS ASSOCIATE AGREEMENT. Recitals

2/9/ HIPAA Privacy and Security Audit Readiness. Table of contents

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

SAMPLE BUSINESS ASSOCIATE AGREEMENT

HIPAA and Mental Health Privacy:

2016 OCR AUDIT E-BOOK

The ReHabilitation Center Buffalo Street. Olean. NY

Business Associate Management Methodology

Five Rivers Medical Center, Inc Medical Center Drive Pocahontas, AR Notification of Security Breach Policy

HIPAA BUSINESS ASSOCIATE AGREEMENT

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

C.T. Hellmuth & Associates, Inc.

HIPAA/HITECH: A Guide for IT Service Providers

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Table of Contents INTRODUCTION AND PURPOSE 1

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Business Associate Liability Under HIPAA/HITECH

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

Joseph Suchocki HIPAA Compliance 2015

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

You Probably Don t Even Know

BUSINESS ASSOCIATE AGREEMENT

Regulatory Update with a Touch of HIPAA

HIPAA Security Education. Updated May 2016

Transcription:

Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS

Topics Upon completion of this session, you will be able to: Understand some of the basic requirements of the: HIPAA Security Rule HITECH Breach Notification Rule HIPAA Audit Program Key Areas for Compliance 2

A Culture of Compliance aggressively enforcing the HIPAA Privacy, Security, and Breach Notification Rules Covered entities and business associates should have robust HIPAA Privacy and Security compliance programs A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents 3

Who is Covered? HIPAA specifies that only Covered Entities are required to comply with the Privacy and Security Rules Covered Entities (CE) are defined as: Health care providers who transmit health information electronically in connection with a transaction for which there is a HIPAA standard Health plans Healthcare clearinghouses 4

Business Associates Agents, contractors, and others hired to do the work of, or to work for, the CE, and such work requires the use or disclosure of protected health information (PHI) The Privacy and Security Rules require a CE to receive satisfactory assurance Assurance usually takes the form of a contract Business associates (BA) only use or disclose PHI as permitted by agreement Safeguard PHI from unauthorized disclosure 5

HIPAA Security Rule Security Standards: General Rules Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements Policies and Procedures 6

The Guiding Principles of the Security Rule Ensure Electronic Protected Health Information (ephi) is used, stored, transmitted or received with: Confidentiality only the right people see it Integrity the information is what it is supposed to be no unauthorized alteration or destruction Availability the right people can see the ephi when needed 7

Security Standards: General Rules Applies to Electronic Protected Health Information (ephi) That a Covered Entity Creates Receives Maintains Transmits electronically 8

The Security Rule Requires CE s to Protect ephi Protect ephi against reasonably anticipated threats or hazards to the security or integrity of information Protect against reasonably anticipated uses and disclosures not permitted by the Privacy Rule or Security Rule Establish policies and procedures to ensure compliance by workforce 9

HHS Approach to HIPAA Security Standards to assure the confidentiality, integrity, and availability of ephi Thorough, reasonable, and appropriate safeguards Addressing vulnerabilities identified through analysis and management of risk Appropriate to the size and complexity of the organization and its information systems Technology neutral 10

General Implementation Approach Conduct (and document) risk analysis Determine how to implement each standard and implementation specification of the rule (document the analysis) based on risk analysis Develop security policies/procedures (document) Implement security policies/procedures Train workforce Periodic evaluation Have business associate agreement Have contingency plans in place 11

Key Administrative Safeguards Risk analysis Risk management Designated security official Workforce security Information access management Information security awareness and training Incident procedures and contingency plans Evaluation Business associate agreements 12

Key Physical Safeguards Facility access Workstation use Workstation security Device and media controls 13

Key Technical Safeguards Access control Audit controls Integrity Person or entity authentication Transmission security 14

Key Technical Safeguards Cont. Implement reasonable and appropriate safeguards to ensure the CIA (confidentiality, integrity, and availability) of data on systems that create, transmit or store ephi Encryption at rest Encryption during transmission Automatic logoff Strong authentication Properly configure wireless network access 15

What is a Breach? Impermissible use/disclosure which compromises privacy/security of PHI Poses a significant risk of harm Financial Reputational Other harm Determined through risk assessment 16

Breach Notification IFR Covered entities and business associates must provide notification of breaches of unsecured protected health information. HHS Breach Notification Guidance: PHI is unsecured if it is NOT Encrypted Destroyed 17

Breach Notification Requirements Covered entity must: Notify each affected individual of breach Notify Secretary via s website Notify media if more than 500 people affected in state/jurisdiction without unreasonable delay after discovery of breach can report small breaches annually 18

Appropriate Safeguards Prevent Breaches Evaluate the risk to ephi when at rest on removable media, mobile devices and computer hard drives Take reasonable and appropriate measures to safeguard ephi Store all ephi to a network Encrypt data stored on portable/movable devices & media Employ a remote device wipe to remove data when lost or stolen Train workforce members on how to effectively safeguard data and timely reporting of incidents 19

Breach Notification Highlights September 2009 through March 2012 409 reports involving a breach of over 500 individuals Theft and loss are 65% of large breaches (about 70% of these incidents involved ephi) Laptops and other portable storage devices account for 37% of large breaches Paper records are 24% of large breaches 50,000+ reports of breaches of under 500 individuals 20

Business Associates Under HITECH Act, business associates (BA) will be directly liable under HIPAA May not use or disclose PHI in violation of BA agreement or Privacy Rule Must fully comply with Security Rule, including risk analysis/mgmt, training of staff, limiting access to ephi, etc. Must report breaches of PHI to covered entities 21

Audits as Part of Compliance Oversight Enforcement - Investigation of complaints - Compliance reviews Audit - More systematic approach to compliance - Preventative (rather than reactive) to close vulnerabilities before they can be exploited - Risk-based considerations to selection - Increased potential for learning from others 22

Background Section 13411 of the HITECH Act requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards is piloting a program to perform up to 115 audits by 12/2012 of covered entities to assess HIPAA privacy and security performance 23

Program Objective Audits present a new opportunity to: Examine mechanisms for compliance Identify best practices Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews Encourage renewed attention to compliance activities 24

Elements of Audits Objective selection criteria for entities Standard protocols adapted to entity size/ type Advance notice Preliminary desk review and onsite components Reports drafting with findings, recommendations Reporting on corrective or other actions 25

Who Will be Audited? Every covered entity is eligible for an audit seeks to audit as wide a range of types and sizes of covered entities as possible which includes: Health plans of all sizes Health care clearinghouses Individual and organizational providers Business associates in later audit wave 26

Compliance Tools Risk Analysis Guidance website July 2010 http://www.hhs.gov/ocr/privacy/hipaa/ administrative/securityrule/ rafinalguidance.html NIST Security Rule Tool http://scap.nist.gov/hipaa/ Small Provider Guidance http://www.hhs.gov/ocr/privacy/hipaa/ administrative/securityrule/smallprovider.pdf 27

NIST HIPAA Security Rule Toolkit A toolkit to help covered entities and their business associates Better understand the requirements of the HIPAA Security Rule Implement those requirements Assess those implementations in their operational environments A self-contained, desktop based application that can support various operating environments (e.g. Microsoft Windows, Apple OS-X, Linux) http://scap.nist.gov/hipaa 28

Want More Information? The website, http://www.hhs.gov/ocr/privacy/ offers a wide range of helpful information about health information privacy including educational information, FAQ s, rule text and guidance for the Privacy, Security, and Breach Notification Rules. 29

Questions 30

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information