Technical Monograph
C.T. Hellmuth & Associates, Inc.

Technical Monographs usually are limited to only one subject, which is treated in considerably more depth than is possible in our Executive Newsletter. Generally, these Monographs explore historical developments and review the current status of subjects concerned with Corporate and Personal Financial Planning, Employee Benefit Plans, including Group Life and Medical Expense, Retirement and Profit Sharing, Long Term Disability Income, Executive Deferred Compensation, Tax-Deferred Investment Plans and Individual Life and Health Insurance Plans.

Suite 1200, 8401 Connecticut Avenue, Chevy Chase, Maryland 20815 (301) 986-6500

No. 59 July 2003

HIPAA SECURITY RULE

On February 20, 2003, the U.S. Department of Health & Human Services (HHS) published the Final Security Rule under the Health Insurance Portability & Accountability Act of 1996 (HIPAA).

BACKGROUND

Title II of HIPAA contains the Administrative Simplification Provisions, a title that in light of its detailed requirements is considered an oxymoron. The three primary mandates of the Administrative Simplification Provisions are: the Electronic Transaction Standards, the Privacy Rule, and the Security Rule. Compliance dates differ for the different types of Administrative Simplification Provisions based on the date that final regulations were published in the Federal Register.

The Electronic Transactions Standards had an implementation date of October 16, 2002 (October 16, 2003 for small Group Health Plans and for large Group Health Plans that filed a compliance plan with HHS by October 15, 2002). The Electronic Transaction Standards created a standard format for certain electronic data interchange (EDI) among covered entities.

Large Group Health Plans were subject to the Privacy Rule on April 14, 2003, while small Group Health Plans have until April 14, 2004 to comply.
The Privacy Rule mandates that covered entities safeguard Protected Health Information (PHI) in all forms, i.e., oral, written or other non-electronic form, as well as PHI in electronic form.

The Security Rule became effective on April 21, 2003; however, covered entities have until April 21, 2005 to comply (April 21, 2006 for small Group Health Plans). The Security Rule requires covered entities to safeguard PHI in electronic form only, referred to as ephi. This Technical Monograph will focus specifically on the Security Rule.
WHAT IS THE SECURITY RULE AND WHO ARE THE COVERED ENTITIES

Electronic Protected Health Information (ephi) is defined as health information that is individually identifiable, maintained or transmitted by electronic media, and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for the provision of health care to an individual.

Covered entities under HIPAA's Security Rule are the same as under the Privacy Rule and include:
- Health care providers who engage in electronic transactions;
- Health care clearinghouses; and
- Health Plans (including employer-sponsored Group Health Plans).

The Security Rule requires that covered entities adopt administrative, physical, and technical safeguards to:
- Ensure the integrity, confidentiality and availability of ephi;
- Protect against reasonably anticipated threats or hazards to the security or integrity of ephi; and
- Protect against unauthorized use or disclosure of ephi.

The Security Rule applies to ephi in storage and during transmission. Electronic transmissions include Internet, extranet, leased lines, dial-up lines, private networks, and physical movement of removable/transportable media including magnetic tape, disk, or other machine-readable media. Transmissions via paper, basic facsimile, voice communications and telephone communications are excluded from the Security Rule, but are subject to the security provisions of the Privacy Rule. No distinction is made between internal corporate communications and communications external to the corporate entity.

The language in the Security Rule is careful to point out that it is technology neutral, flexible and scalable in order to allow covered entities the opportunity to implement any technological changes as appropriate for their organization.
Covered entities must consider their size, technical infrastructure, costs of security measures and the probability of potential risks to ephi when conducting their security analysis. In addition, the Security Rule lists several implementation specifications, each labeled as either required or addressable. Covered entities must implement any required specifications, but are free to determine whether the addressable specifications are reasonable and appropriate. For any implementation specification that is not appropriate, covered entities must document why it is not, and implement an equivalent measure if possible.

C.T. HELLMUTH & ASSOCIATES, INC. 2
Covered entities that violate the Security Rule may face up to $250,000 in fines and ten years in jail (for willful violations), as well as lawsuits from individuals. Consequences of security violations will depend on whether the violation was inadvertent or willful.

GROUP HEALTH PLAN ACTION ITEMS

The Security Rule is viewed as a logical outgrowth of the Privacy Rule since the administrative requirements are largely the same, and the Privacy Rule already calls for Group Health Plans to implement technical safeguards for PHI, both in paper and electronic form. Therefore, it is difficult to satisfy the Privacy Rule's requirement for technical security without implementing the specifications contained in the Security Rule.

Employers sponsoring a Group Health Plan must determine if they maintain PHI electronically and, if so, they are subject to the Security Rule. For example, employers sponsoring fully insured Group Health Plans that do not create, receive, or maintain ephi beyond enrollment data or summary health information are exempt from the administrative, physical and technical requirements of the Security Rule. In contrast, employers sponsoring a fully insured Group Health Plan with access to ephi, or employers sponsoring a self-funded Group Health Plan, must comply with all of the administrative, physical and technical requirements. Group Health Plans that use or disclose PHI, but do not do so electronically, are subject to the Privacy Rule but not the Security Rule.

It is important to remember that ephi does NOT include employment records. Individually identifiable health information in electronic form received from a source other than the Group Health Plan (such as workers' comp records, FMLA health data, ADA health data, drug tests, or pre-employment physical records) is considered to be in the hands of the employer and not the Group Health Plan. Therefore, this health information is not ephi and is not covered by the Security Rule.
Once a Group Health Plan determines that it must comply with the Security Rule, it must:
- Appoint a Security Official. This person may be the same as the Privacy Official, but is not required to be the same individual;
- Develop or amend Business Associate Agreements, or contracts, with service providers who create, receive or maintain ephi on its behalf;
- Implement written security policies and procedures after conducting an analysis of the required and addressable implementation specifications. Policies and procedures must be documented for six years; and
- Amend Plan Documents so that the Plan Sponsor is eligible to receive ephi from the Group Health Plan.

The Security Rule also applies to employees who perform plan administrative functions at home. HHS has stated that a covered entity must include at-home functions in its security processes. Significantly, plan sponsors must make sure that employees who have access to ephi from their home computers comply with the security requirements, e.g., encryption and/or a secured line if deemed necessary.

REQUIRED SPECIFICATIONS

The following table outlines the required administrative, physical and technical specifications that covered entities must implement by April 21, 2005 (or April 21, 2006 for small Health Plans):

ADMINISTRATIVE SAFEGUARDS
- Security Management: Conduct a risk analysis to assess potential risks to ephi, implement security measures, apply sanctions to employees who violate security policies and procedures, and conduct periodic audits.
- Security Official: Appoint an individual to be the Security Official. This person may be the same person as the Privacy Official under the Privacy Rule, but it is not required to be the same person.
- Information Access Management: Implement policies and procedures for authorizing access to ephi. For example, develop procedures for role-based access to terminals or programs.
- Security Incidents: Implement policies and procedures for identifying and responding to security incidents (i.e., security breaches).
- Contingency Plan: Implement a data back-up, disaster recovery, and emergency mode operation plan. For example, develop procedures for offsite storage or for assessing damage as a result of a fire.
- Evaluation: Perform periodic technical evaluations based upon the standards implemented under the Security Rule.

PHYSICAL SAFEGUARDS
- Workstation Use: A workstation is defined as an electronic computing device such as a desktop or laptop. For example, develop procedures for logging off a computer when left unattended or password-protecting screensavers.
- Workstation Security: Implement physical safeguards for all workstations with access to ephi. For example, a computer room may be locked so as to limit access to authorized individuals, removable media (e.g., diskettes) must be locked up, and writing down passwords where others can find them (such as on post-it notes) must be prohibited.

TECHNICAL SAFEGUARDS
- Access Controls: Implement policies and procedures to allow ephi access only to individuals granted access rights. For example, develop procedures to remove ephi from shared networks or desktops.
- Audit Controls: Maintain hardware, software, and procedural mechanisms that record activity in the information system. For example, add system activity logging software on systems, networks or applications that process or store ephi.
- Entity Authentication: Implement policies and procedures which verify that a person or entity seeking access to ephi is the one claimed. For example, utilize a unique user identifier or password that is removed upon termination of the individual's employment.

ADDRESSABLE SPECIFICATIONS

In addition to the required implementation specifications, the Security Rule requires that covered entities review the addressable specifications and implement any that are reasonable and appropriate. For any specifications deemed inappropriate, covered entities should document their decision and implement a similar measure if possible.

The following table outlines the addressable administrative, physical and technical specifications that covered entities must review by April 21, 2005 (or April 21, 2006 for small Health Plans):

ADMINISTRATIVE SAFEGUARDS
- Workforce Security: Determine whether authorization and supervision policies and procedures are appropriate, and determine whether a procedure for terminating access to ephi when an employee leaves employment is appropriate. For example, develop procedures to remove employees from an access list within a reasonable amount of time after employment terminates.
- Security Awareness: Conduct training through periodic reminders, in-class or on-line training. For example, provide user education in password management covering rules for creating and changing passwords and keeping them confidential.

PHYSICAL SAFEGUARDS
- Facility Access Controls: Implement policies and procedures which limit access to electronic information systems. For example, develop visitor sign-in and escort procedures.
- Device & Media Controls: Implement policies and procedures to control the receipt and removal of hardware and electronic media containing ephi. For example, develop procedures for designating employees who have responsibility for the removal or disposal of hardware/software.

TECHNICAL SAFEGUARDS
- Integrity: Implement policies and procedures to protect ephi from improper alteration or destruction. For example, address whether mechanisms to authenticate ephi, such as electronic mechanisms to corroborate that ephi has not been altered in an unauthorized manner, are appropriate.
- Transmission Security: Take measures to guard against unauthorized access to ephi that is transmitted over an electronic communications network. For example, determine whether encryption is appropriate for e-mail communications.
CONCLUSION

Compliance with the Security Rule will likely involve cooperation from many parts of a covered entity's organization, particularly internal Information Technology professionals. The Workgroup for Electronic Data Interchange (WEDI), an organization named in the HIPAA statute to consult with the Secretary of the U.S. Department of Health & Human Services on HIPAA issues, has developed a variety of resources designed to assist covered entities in compliance with the Rule. This organization can be accessed through its web site at http://www.wedi.org/snip/. HRCertification.com also has a HIPAA Privacy Rule Training & Certification Program with useful information on both the Privacy and Security Rules. Lastly, the U.S. Department of Health & Human Services has excellent information, including the text of the Security Rule, on its web site at http://www.hhs.gov/ocr/hipaa/.

As always, we stand ready to be helpful in any way that we may.

C.T. HELLMUTH & ASSOCIATES, INC.

This Publication is designed to provide accurate and authoritative information in regard to the subject matter covered with the understanding that C.T. Hellmuth & Associates, Inc. is not engaged in rendering legal or accounting services.