Featured Speaker: Subrata Guha, UL DQS Inc. IT Services Director Subrata Guha, UL DQS Inc IT Services Director, hosts this on-demand webinar that will focus on Information Security Management Systems (ISMS) and HIPAA. The presentation includes: Changes in the HIPAA privacy rules introduced in January 2013 Role of information security in the HITECH Act applicable to the Health Care sector HIPAA risk assessment How to achieve HIPAA compliance

1. DQS–ULGroup
Security Requirements for HIPAA
and HITECH Act
Subrata Guha
Program Manager – IT Certification

2. DQS–ULGroup
Questions
What are the HIPAA Security Rules?
What is HITECH Act?
How to achieve compliance?
Any other questions?

3. DQS–ULGroup
What are the HIPAA
Security Rules?

4. DQS–ULGroup
Background
 HIPAA - Health Insurance Portability and Accountability Act
introduced in 1996
 Rules updated in 2013
 Objectives:
 Security - Protection of Electronic Protected Health Information
(EPHI)
 Privacy – Protection of Protected Health Information (PHI)
 Scope :Covered Entities and Business Associates
 Healthcare Providers
 Health Insurance Providers
 Healthcare Clearinghouses
 Medicare Prescription Drug Card Sponsors
 Suppliers / partners of covered entities

5. DQS–ULGroup
Players involved in HIPAA
Department of Health and Human Services (HHS)
Covered Entities
Business
Associates
Patients

6. DQS–ULGroup
Components of HIPAA
HIPAA
Health Insurance Portability and Accountability Act of 1996
Title I Title II Title III Title IV Title V
Health Care
Access,
Portability
and
Renewability
Preventing
Health Care
Fraud and
Abuse
Medical
Library
Reform
Administrative
Simplification
Tax
Related
Health
Provision
Group
Health
Plan
Revenue
Offsets
General
Administrative
Requirements
Administrative
Requirements
Security and
Privacy
Source: NIST SP-800-66

7. DQS–ULGroup
Components of HIPAA
HIPAA
Health Insurance Portability and Accountability Act of 1996
Title I Title II Title III Title IV Title V
Health Care
Access,
Portability
and
Renewability
Preventing
Health Care
Fraud and
Abuse
Medical
Library
Reform
Administrative
Simplification
(Updated
March 2013)
Tax
Related
Health
Provision
Group
Health
Plan
Revenue
Offsets
General
Administrative
Requirements
Administrative
Requirements
Security and
Privacy
Source: NIST SP-800-66

8. DQS–ULGroup
What is HITEC Act.?

9. DQS–ULGroup
HITECH Act.
 Health Information Technology for Economic and Clinical
Health (HITECH) Act introduced in 2009.
 Objective is to strengthen the privacy and security protections
for HIPAA
 Extended HIPAA privacy and security requirements to the
business associates.
 Increased penalties for violation
 Other objective of HITECH Act is to promote use of Electronic
Health Records (HER)

10. DQS–ULGroup
Components of HIPAA
HIPAA
Health Insurance Portability and Accountability Act of 1996
Title I Title II Title III Title IV Title V
Health Care
Access,
Portability
and
Renewability
Preventing
Health Care
Fraud and
Abuse
Medical
Library
Reform
Administrative
Simplification
(Updated
March 2013)
Tax
Related
Health
Provision
Group
Health
Plan
Revenue
Offsets
General
Administrative
Requirements
Administrative
Requirements
Security and
Privacy
Source: NIST SP-800-66

11. DQS–ULGroup
General Provisions
Preemption of State Laws
Compliance and Investigations
Imposition of Civil Money
Penalties
Procedures for Hearing
Code of Federal
Regulation (CFR) Title
45 Part 160.101-514
General Administrative Requirements

12. DQS–ULGroup
General Provisions
Standard Unique Health Identifier for Health Care Providers
Standard Unique Health Identifier for Health Plans
Standard Unique Employer Identifier
General Provisions for Transactions
Code of Federal
Regulation (CFR)
Title 45 Part
162.100-1902
Administrative Requirements
Code Sets
Health Care Claims or Equivalent Encounter Information
Eligibility for Health Plan
Referral Certification and Authorization
Health Care Claim Status
Enrolment and Disenrollment In A Health Plan
( More..)

13. DQS–ULGroup
HIPAA Security Rules
Security Standards:
General Rules
Administrative Safeguards
Technical Safeguards
Physical Safeguards
Organizational Requirements
Documentation Requirements
Code of Federal
Regulation (CFR) Title
45 Part 164.306-316
define security rules

14. DQS–ULGroup
Structure of HIPAA Security Rules
Standard
Describes the rule. Example: A covered entity or business
associate must comply with the applicable standards as
provided ……….
Implementation
specifications
Key activities to be performed to meet the
intent of the standard
Required Mandatory activity
Addressable
Can be excluded with justification or
implement an alternative practice.

15. DQS–ULGroup
Security Standard: General Rules
 Ensure Confidentiality, Integrity and Availability of EPHIs
 Protect EPHIs against anticipated threats and hazards
 Ensure compliance by the work force
Scope: EPHI the covered entity or business associate creates,
receives, maintains, or transmits.
Implementation: Security measures depending on the
 Size, complexity and type of business functions
 Size of IT infrastructure
 Anticipated risk and impact

16. DQS–ULGroup
Administrative Safeguards (1/2)
Standard Implementation specification
Security management process • Risk analysis (R)
• Risk management (R)
• Sanction policy (R)
• Information System activity review (R)
Assigned security responsibilities None
Workforce security • Authorization and/or supervision (A)
• Workforce clearance procedure (A)
• Termination procedure (A)
Information access management • Isolating healthcare clearance house
functions (R)
• Access authorization (A)
• Access establishment and modification (A)
Security awareness and training • Security reminders (A)
• Protection from malicious software (A)
• Login monitoring (A)
• Password management (A)

17. DQS–ULGroup
Administrative Safeguards (2/2)
Standard Implementation specification
Security incident procedure • Response and reporting (R)
Contingency plan • Data backup plan (R)
• Disaster recovery plan (R)
• Emergency mode operation plan (R)
• Testing and revision procedure (A)
• Application and data criticality analysis (A)
Evaluation – Business associates
contract or other arrangements
• Perform periodic technical and non-
technical evaluation of Written contracts
or other arrangements (R)

18. DQS–ULGroup
Physical Safeguards
Standard Implementation specification
Facility access control • Contingency operation (A)
• Facility security plan (A)
• Access control and validation procedure (A)
• Maintenance records (A)
Workstation use • None
Workstation security • None
Device and media control • Disposal (R)
• Media re-use (R)
• Accountability (A)
• Data backup and storage (A)

19. DQS–ULGroup
Technical Safeguards
Standard Implementation specification
Access control • Unique user identification (R)
• Emergency access procedure (R)
• Automatic logoff (A)
• Encryption and decryption (A)
Audit control • None
Integrity • Mechanism to authenticate EPHI (A)
Person or entity authentication • None
Transmission security • Integrity control (A)
• Encryption (A)

20. DQS–ULGroup
Organizational Requirements
Standard Implementation specification
Business associates contract or
other arrangements
• Business associate contract (R)
• Reporting of incidents (R)
• Other arrangements (A)
• Contract with sub-contractors (R)
Requirements for group health
plans
• Implement administrative, physical and
technical safeguards (R)
• Ensure adequate separation (R)
• Ensure adequate security measures by
agents (R)
• Report incidents to group health plan (R)

21. DQS–ULGroup
Policies, Procedures and Documentation Requirements
Standard Implementation specification
Policies and procedures • None
Documentation • Retention period (R)
• Availability (R)
• Updates (R)

22. DQS–ULGroup
Notification to Individuals
Notification to Media
Notification to the Secretary
Notification by a Business
Associate
Law Enforcement Delay
Code of Federal
Regulation (CFR) Title
45 Part 164.404-414
Breach Notifications
Administrative Requirements
and Burden of Proof

23. DQS–ULGroup
Use and Disclosure of PHI: General Rules
Use and Disclosure : Organizational Requirements
Use and Disclosure to Cary Out Treatment, Payment etc.
Use and Disclosure : Individual to Agree or Object
Use and Disclosure : Authorization not Required
Code of Federal
Regulation (CFR)
Title 45 Part
164.504-530
HIPAA Privacy Rules
Use and Disclosure of PHI: Other Requirements
Notice of Privacy Practice
Right to request Privacy Protection
Access of Individual to PHI
Amendment of PHI
Accounting of Disclosure of PHI

24. DQS–ULGroup
Enforcement Process
Intake and
Review
Office of Civil Rights (OCR)
Complain
Criminal
violation
Department
of Justice
HIPAA
violation
Resolution Yes
No
No
Investigation
OCR issues
corrective actions
CAR
closed
Yes
No
Yes
OCR imposes
penalty

25. DQS–ULGroup
How to Achieve
Compliance?

26. DQS–ULGroup
HIPAA Compliance Process
 Identify EPHIs and/or PHIs your organization creates,
receives, maintains or transmits
 Conduct Risk Assessment
 Establish policies and procedures following HIPAA security
standards to address risks
 Monitor compliance
 Report breaches

27. DQS–ULGroup
Pitfalls
 Compliance is self declaration – no third-party certification
available
 Set of rules does not provide a governance structure to
maintain the system
 Investigations are triggered by complaints – burden of proof
on the covered entity or business associates
 Penalty can be as high as $1.5 million

28. DQS–ULGroup
Other options
Adoption of Management System Framework e.g.
ISO IEC 27001 standard

29. DQS–ULGroup
ISO IEC 27001:2013
Context of the
Organization
Leadership
Planning
OperationImprovement
Performance
Evaluation
Support
Annex A
Recommended
Controls

30. DQS–ULGroup
Why ISO 27001:2013?
 Establish governance structure to establish, monitor and
improve security
 Annex A controls covers ~90% of HIPAA security rules
 Additional controls from 45 CFR 164 can be added to the
Statement of Applicability
 ISO 27002 provides implementation guideline for the controls
 Third party certification increases credibility
 Annual surveillance ensures continued compliance

31. DQS–ULGroup
Questions ?