Featured Speaker: Subrata Guha, UL DQS Inc. IT Services Director
Subrata Guha, UL DQS Inc IT Services Director, hosts this on-demand webinar that will focus on Information Security Management Systems (ISMS) and HIPAA. The presentation includes:
Changes in the HIPAA privacy rules introduced in January 2013
Role of information security in the HITECH Act applicable to the Health Care sector
HIPAA risk assessment
How to achieve HIPAA compliance
4. DQS–ULGroup
Background
HIPAA: Health Insurance Portability and Accountability Act
• Introduced in 1996
• Rules updated in 2013
Objectives:
• Security: protection of electronic protected health information (ePHI)
• Privacy: protection of protected health information (PHI)
Scope: covered entities and business associates
• Healthcare providers
• Health insurance providers (health plans)
• Healthcare clearinghouses
• Medicare prescription drug card sponsors
• Suppliers / partners of covered entities that handle PHI on their behalf (business associates)
Players involved in HIPAA
• Department of Health and Human Services (HHS)
• Covered entities
• Business associates
• Patients
Components of HIPAA
HIPAA: Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability and Renewability
• Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification (updated March 2013); Medical Liability Reform
• Title III: Tax-Related Health Provisions
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
Administrative Simplification (Title II) in turn comprises:
• General Administrative Requirements
• Administrative Requirements
• Security and Privacy
Source: NIST SP 800-66
HITECH Act
Health Information Technology for Economic and Clinical Health (HITECH) Act, introduced in 2009.
• Objective: strengthen the privacy and security protections of HIPAA
• Extended the HIPAA privacy and security requirements directly to business associates
• Increased the penalties for violations
• A further objective of the HITECH Act is to promote the adoption of Electronic Health Records (EHR)
General Administrative Requirements (Code of Federal Regulations (CFR) Title 45 Part 160.101-514)
• General Provisions
• Preemption of State Laws
• Compliance and Investigations
• Imposition of Civil Money Penalties
• Procedures for Hearings
Administrative Requirements (CFR Title 45 Part 162.100-1902)
• General Provisions
• Standard Unique Health Identifier for Health Care Providers
• Standard Unique Health Identifier for Health Plans
• Standard Unique Employer Identifier
• General Provisions for Transactions
• Code Sets
• Health Care Claims or Equivalent Encounter Information
• Eligibility for a Health Plan
• Referral Certification and Authorization
• Health Care Claim Status
• Enrollment and Disenrollment in a Health Plan
• (more)
HIPAA Security Rule (CFR Title 45 Part 164.306-316 defines the security rule)
Security standards:
• General Rules
• Administrative Safeguards
• Technical Safeguards
• Physical Safeguards
• Organizational Requirements
• Policies, Procedures and Documentation Requirements
Structure of the HIPAA Security Rule
Standard: describes the rule. Example: "A covered entity or business associate must comply with the applicable standards as provided ..."
Implementation specifications: the key activities to be performed to meet the intent of the standard. Each is either:
• Required (R): mandatory; must be implemented as stated.
• Addressable (A): not optional. The entity must assess whether the specification is reasonable and appropriate in its environment; if it is, implement it; if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate (45 CFR 164.306(d)).
Security Standard: General Rules
• Ensure the confidentiality, integrity and availability of ePHI
• Protect ePHI against reasonably anticipated threats and hazards
• Ensure compliance by the workforce
Scope: ePHI that the covered entity or business associate creates, receives, maintains, or transmits.
Implementation: security measures are scaled to the
• size, complexity and type of business functions
• size of the IT infrastructure
• anticipated risk and impact
Administrative Safeguards (45 CFR 164.308)
Standard                                              Implementation specification
Security management process                           • Risk analysis (R)
                                                      • Risk management (R)
                                                      • Sanction policy (R)
                                                      • Information system activity review (R)
Assigned security responsibility                      None
Workforce security                                    • Authorization and/or supervision (A)
                                                      • Workforce clearance procedure (A)
                                                      • Termination procedures (A)
Information access management                         • Isolating health care clearinghouse functions (R)
                                                      • Access authorization (A)
                                                      • Access establishment and modification (A)
Security awareness and training                       • Security reminders (A)
                                                      • Protection from malicious software (A)
                                                      • Log-in monitoring (A)
                                                      • Password management (A)
Security incident procedures                          • Response and reporting (R)
Contingency plan                                      • Data backup plan (R)
                                                      • Disaster recovery plan (R)
                                                      • Emergency mode operation plan (R)
                                                      • Testing and revision procedures (A)
                                                      • Applications and data criticality analysis (A)
Evaluation                                            • Periodic technical and non-technical evaluation (R)
Business associate contracts and other arrangements   • Written contract or other arrangement (R)
Physical Safeguards (45 CFR 164.310)
Standard                                              Implementation specification
Facility access controls                              • Contingency operations (A)
                                                      • Facility security plan (A)
                                                      • Access control and validation procedures (A)
                                                      • Maintenance records (A)
Workstation use                                       None
Workstation security                                  None
Device and media controls                             • Disposal (R)
                                                      • Media re-use (R)
                                                      • Accountability (A)
                                                      • Data backup and storage (A)
Technical Safeguards (45 CFR 164.312)
Standard                                              Implementation specification
Access control                                        • Unique user identification (R)
                                                      • Emergency access procedure (R)
                                                      • Automatic logoff (A)
                                                      • Encryption and decryption (A)
Audit controls                                        None
Integrity                                             • Mechanism to authenticate ePHI (A)
Person or entity authentication                       None
Transmission security                                 • Integrity controls (A)
                                                      • Encryption (A)
Organizational Requirements (45 CFR 164.314)
Standard                                              Implementation specification
Business associate contracts or other arrangements    • Business associate contracts (R)
                                                      • Reporting of security incidents by the business associate (R)
                                                      • Other arrangements (R)
                                                      • Business associate contracts with subcontractors (R)
Requirements for group health plans                   • Implement administrative, physical and technical safeguards (R)
                                                      • Ensure adequate separation (R)
                                                      • Ensure adequate security measures by agents (R)
                                                      • Report security incidents to the group health plan (R)
Policies, Procedures and Documentation Requirements (45 CFR 164.316)
Standard                                              Implementation specification
Policies and procedures                               None
Documentation                                         • Retention period (R)
                                                      • Availability (R)
                                                      • Updates (R)
Breach Notifications (CFR Title 45 Part 164.404-414)
• Notification to Individuals
• Notification to the Media
• Notification to the Secretary
• Notification by a Business Associate
• Law Enforcement Delay
• Administrative Requirements and Burden of Proof
HIPAA Privacy Rules (CFR Title 45 Part 164.504-530)
• Use and Disclosure of PHI: General Rules
• Use and Disclosure: Organizational Requirements
• Use and Disclosure to Carry Out Treatment, Payment etc.
• Use and Disclosure: Opportunity for the Individual to Agree or Object
• Use and Disclosure: Authorization Not Required
• Use and Disclosure of PHI: Other Requirements
• Notice of Privacy Practices
• Right to Request Privacy Protection
• Access of Individuals to PHI
• Amendment of PHI
• Accounting of Disclosures of PHI
Enforcement Process
Flowchart (summarized): a complaint enters intake and review at the HHS Office for Civil Rights (OCR). If the complaint indicates a possible criminal violation, it is referred to the Department of Justice. If it indicates a possible HIPAA violation, OCR opens an investigation; otherwise the case is closed. Where the investigation confirms a violation, OCR first seeks resolution by issuing corrective actions: if the corrective action is completed, the case is closed; if it is not, OCR imposes a civil money penalty.
HIPAA Compliance Process
• Identify the ePHI and/or PHI your organization creates, receives, maintains or transmits
• Conduct a risk assessment
• Establish policies and procedures, following the HIPAA security standards, to address the identified risks
• Monitor compliance
• Report breaches
Pitfalls
• Compliance is self-declared: there is no official third-party HIPAA certification
• The set of rules does not provide a governance structure for maintaining the security program over time
• Investigations are triggered by complaints, and the burden of proof is on the covered entity or business associate
• Penalties can be as high as $1.5 million per year for identical violations
ISO/IEC 27001:2013
Main clauses of the management system:
• Context of the Organization
• Leadership
• Planning
• Support
• Operation
• Performance Evaluation
• Improvement
Annex A: reference controls
Why ISO 27001:2013?
• Establishes a governance structure to establish, monitor and improve security
• Annex A controls cover roughly 90% of the HIPAA security rules
• Additional controls from 45 CFR 164 can be added to the Statement of Applicability
• ISO 27002 provides implementation guidance for the controls
• Third-party certification increases credibility
• Annual surveillance audits provide ongoing evidence of continued compliance