This document provides an overview of the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It discusses who and what organizations are affected by HIPAA, the standards it sets for electronic health information transactions, and the penalties for non-compliance. It also summarizes the requirements of the HIPAA Privacy Rule regarding use and disclosure of protected health information and the HIPAA Security Rule regarding safeguarding electronic protected health information.
Privacy & Security in Health Care IT
1. Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578 1
HIPAA - Privacy & Security in Health Care IT
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
Center for Professional Development
2. Learning Objectives:
Upon completion of this lesson the student should be able to:
– Discuss information security implications of the Health Insurance Portability and Accountability Act (HIPAA)
– Discuss information security impact of the HIPAA Privacy Rule
– Describe key components and implementation of the HIPAA Security Rule
3. What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA)
– Signed into law August 1996
Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry
Requires Department of Health and Human Services to adopt national uniform standards for electronic transmission of certain health information
4. Who is Affected? (“covered entities”)
– All healthcare organizations
– All health care providers (even 1-physician offices)
– Health plans
– Employers
– Public health authorities
– Life insurers
– Clearinghouses
– Billing agencies
– Information systems vendors
– Service organizations
– Universities with health care curricula or even just student health services
Anyone that transmits any health information in electronic form in connection with healthcare transactions
5. Standards for Electronic Transactions
Standards for electronic health information transactions
Within 18 months HHS Secretary required to adopt standards from among those already approved by standards organizations for certain electronic health transactions including:
– Claims
– Enrollment
– Eligibility
– Payment
– Coordination of benefits
Standards also must address security of electronic health information systems.
6. (18 Months?)
It’s now been six years and standards are still not fully in place!
Will not go into full effect until 2005!
(Isn’t government wonderful?)
7. More on the HIPAA Bill
Providers and health plans required to use standards for specified electronic transactions 24 months after adoption
Plans and providers may comply directly or use a health care clearinghouse
HIPAA supersedes state laws except state laws that impose more stringent requirements
HIPAA imposes civil money penalties and prison for certain violations
8. Penalties for Violations
Fines up to $25,000 for multiple violations of the same standard in a calendar year
Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
!!!
9. HIPAA Privacy
HIPAA Privacy Rule went into effect in April 2003
Restricts how covered entities may use and disclose individually identifiable health information
Requires security for such data
Grants individuals certain rights to access and correct their personal health information
10. HIPAA Privacy Requirements
HIPAA requires covered entities to:
– Have written privacy procedures, including
• Description of staff granted access to protected information
• How it will be used
• When it may be disclosed
• Business associates (including IT vendors!) with access to protected information must agree to same limitations on use and disclosure of that information
– Train employees in privacy procedures
– Designate someone responsible for ensuring procedures are followed (the “HIPAA czar”)
11. HIPAA Privacy Requirements
Rule permits covered entities to disclose health information for specific public responsibilities:
– emergency circumstances
– identification of the body of a deceased person, or the cause of death
– public health needs
– research using limited data, or research independently approved by a Review Board or privacy board
– oversight of the health care system
– judicial and administrative proceedings
– limited law enforcement activities
– activities related to national defense and security
Equivalent requirements exist for Government
12. HIPAA Security Rule
First government-mandated framework for an information security policy covering non-governmental entities
Published in February 2003
Covered entities (CEs) must be in compliance April 21, 2005
Portions of Security Rule that implement the Privacy Rule were effective last April
13. HIPAA Security Rule
Covered entities required to observe Privacy Rule requirements with respect to all Patient Health Information (PHI) in any form, electronic or not, but the Security Rule only applies to PHI in electronic form
14. Requirements of HIPAA Security Rule
Maintain reasonable & appropriate administrative, technical and physical safeguards to
– Ensure the integrity and confidentiality of information
– Protect against
• any reasonably anticipated threats or hazards to the security or integrity of the information
• unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by Privacy Rule
– Otherwise ensure compliance with this part by officers & employees
15. Three Categories of Safeguards
The rule outlines 3 categories of safeguards to establish a minimum level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards
16. Three Categories of Safeguards
Administrative safeguards: Ensure that formal policies for overseeing implementation and management of security measures are established and implemented
Physical safeguards: Ensure facilities where electronic information systems are stored are protected from intrusions and other hazards
Technical safeguards: Ensure only authorized access to electronic personal health information is permitted, through implementation of firewalls, passwords, and other measures
17. Principles of the Security Rule
Scalability
– Any size healthcare entity must be able to comply with the rule
Comprehensiveness
– Meant to result in a unified system of protection for PHI
– CEs must use a defense in depth security approach
Technology neutral
– No specific technology recommendations (e.g., specific type of firewall, IDS, access control system).
– Each CE must choose appropriate technology to protect PHI.
18. Principles of the Security Rule
Internal and external security threats
– Must protect PHI against both internal and external threats
Minimum standard
– Defines the least that CEs must do to protect PHI (they may choose to do more)
Risk analysis
– Requires CEs to conduct thorough & accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place
– “Relevant losses” include losses caused by unauthorized use and disclosure of data and unauthorized modification of data
19. Security Rule Key Concepts
Principle based
– Presents a series of security best practices and principles with which CEs must comply
– Step by step checklists not provided
Reasonableness
– CEs must do everything appropriate to avert all reasonably anticipated risks to PHI
– CEs must balance resources and business requirements against risks to PHI
Full compliance
– All CE staff, including management and those working at home, must comply
20. Security Rule Key Concepts
Developed from multiple security guidelines and standards
– Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI
– Therefore the rule is based on many different security guidelines, standards, and best practices
Documentation
– CEs must document a variety of security processes, policies, and procedures
– CEs must document Security Rule implementation decisions
Ongoing compliance
– CEs must regularly train employees
– CEs must revise security policies and procedures as needed
21. Standards & Specifications
Rule breaks down into 18 standards and 36 implementation specifications
A standard explains what a CE must do
An implementation specification explains how to do it
12 standards have associated implementation specifications; 6 do not
14 implementation specifications are required; 22 are addressable
22. Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)
– Standards with Implementation Specifications (12)
– Standards without Implementation Specifications (6)
– Implementation Specifications
• Required (14)
• Addressable (22)
Source: Weil, Steven, HIPAA Consensus Research Project, SANS Institute, 2003; http://www.sans.org/projects/hipaa.php
23. Required and Addressable
Required specifications are, well, required and must be implemented
Addressable implementation specifications leave CEs with three possible choices
– Implement specification if reasonable and appropriate
– Implement an alternative security measure to accomplish purposes of the standard
– Implement nothing if specification is not reasonable & appropriate and the standard can still be met
24. Addressable Specification Choices
If implementation specification is reasonable & appropriate, CE must implement it
If implementation specification not reasonable & appropriate, but standards cannot be met without an appropriate security measure, CE must
– Document why it would not be reasonable & appropriate to implement
– Implement & document alternative security measure(s) that accomplishes the same purpose
25. Addressable Specification Choices
If implementation specifications not reasonable & appropriate, but standards can be met without an appropriate security measure, CE must
– Document decision not to implement
– Document why it would not be reasonable & appropriate to implement
– Document how the standard is being met
26. Addressable Specification Choices
Factors to take into account when deciding how to respond to addressable specifications:
– Size, complexity, & capabilities of the organization
– Existing technical infrastructure, hardware, and software security capabilities
– Costs of security measures
– Likelihood & seriousness of potential risks to PHI
27. Implementing HIPAA
Specifications can be implemented in any order, as long as standards are met by the deadline
May use any security measures allowing the CE to reasonably and appropriately implement the rule
29. Administrative Safeguards
Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
Assigned security responsibility
– One individual (not an organization) with responsibility (R)
30. Risk Assessment / Analysis
Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate security to address business requirements
• Does not imply that organizations are given complete discretion to make their own rules
– Document security decisions
31. Assigned Security Responsibility
Chief Information Security Officer (CISO) or Information Security Officer (ISO)
Large organizations may have site-security coordinators working with CISO/ISO
Security standards extend to CE employees even if they work at home, as do many transcriptionists
33. Workforce Security
Authorization controls verify identity of employees permitted to access PHI
Clearance procedure describes types of background checks that will be conducted for employees
Termination procedures include collecting access control devices or changing door locks, etc.
34. Administrative Safeguards
Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures
– Response and Reporting (R)
35. Administrative Safeguards
Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)
36. Awareness & Training
“Security awareness training is a critical activity, regardless of an organization’s size.”
Training, Education and Awareness (TEA)
– Awareness training for all personnel (including management)
– Periodic security reminders
– User education concerning virus protection
– User education in importance of monitoring login success or failure, and how to report discrepancies
– User education in password management
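The Log-in Monitoring specification above asks users to watch for login discrepancies; the same signal can be checked automatically on the application side. The following Python script is an added example, not part of the lecture or any HIPAA guidance text. The log format (`LOGIN_OK` / `LOGIN_FAIL` lines from a hypothetical `clinic-app` system), the sample lines, and the thresholds are all constructed for illustration. It flags a user who accumulates repeated failures inside a short window, and separately flags a success that follows such a burst, since that is the discrepancy a user should be educated to report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical "clinic-app" format); not real data.
SAMPLE_LOG = """\
2004-03-01 08:01:10 clinic-app LOGIN_FAIL user=jdoe src=10.0.5.21
2004-03-01 08:01:14 clinic-app LOGIN_FAIL user=jdoe src=10.0.5.21
2004-03-01 08:01:19 clinic-app LOGIN_FAIL user=jdoe src=10.0.5.21
2004-03-01 08:01:25 clinic-app LOGIN_FAIL user=jdoe src=10.0.5.21
2004-03-01 08:01:31 clinic-app LOGIN_FAIL user=jdoe src=10.0.5.21
2004-03-01 08:01:40 clinic-app LOGIN_OK user=jdoe src=10.0.5.21
2004-03-01 08:15:02 clinic-app LOGIN_OK user=asmith src=10.0.7.3
2004-03-01 08:30:00 clinic-app LOGIN_FAIL user=asmith src=10.0.7.3
2004-03-01 09:30:00 clinic-app LOGIN_FAIL user=asmith src=10.0.7.3
2004-03-01 10:30:00 clinic-app LOGIN_FAIL user=asmith src=10.0.7.3
2004-03-01 10:30:05 clinic-app LOGIN_OK user=asmith src=10.0.7.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<event>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log lines into dicts; lines that do not match are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "event": m["event"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_suspicious_logins(events, threshold=5, window_minutes=10):
    """Return alerts as (kind, user, src, iso_timestamp) tuples.

    kind == "failure_burst":        >= threshold failures for one user within the window
    kind == "success_after_burst":  a successful login while that user is still flagged
    """
    window = timedelta(minutes=window_minutes)
    alerts = []
    recent = defaultdict(list)   # user -> timestamps of failures inside the window
    flagged = set()              # users currently in a failure burst
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        # Drop failures that have aged out of the sliding window.
        recent[user] = [t for t in recent[user] if ev["ts"] - t <= window]
        if ev["event"] == "LOGIN_FAIL":
            recent[user].append(ev["ts"])
            if len(recent[user]) >= threshold and user not in flagged:
                flagged.add(user)
                alerts.append(("failure_burst", user, ev["src"], ev["ts"].isoformat()))
        else:  # LOGIN_OK
            if user in flagged:
                alerts.append(("success_after_burst", user, ev["src"], ev["ts"].isoformat()))
            # A success closes the episode either way.
            recent[user].clear()
            flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the default 5-failures-in-10-minutes rule only `jdoe` is reported (burst, then a success right after it); `asmith`'s three failures an hour apart fall outside the window and produce nothing, which is the intended behaviour for an ordinary forgotten password. Loosening the rule to 3 failures in 3 hours reports both users, so the thresholds are a policy decision for the Security Officer, not a constant to copy.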
37. Security Incident Procedures
Provides methods for users to report unusual security occurrences or breaches of patient confidentiality
Goals:
– Identify
– Contain
– Correct
– Prevent
38. Administrative Safeguards
Evaluation
– Periodic review of technical controls and procedural review of the security program
Business Associate contracts
– Written Contract or Other Arrangement (R)
• Identify business associates who receive or have access to PHI
• Tie efforts with Privacy initiative
• Establish rules for vendor remote access
39. Physical Safeguards
Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)
Workstation Use
– Includes portable devices
40. Facility Access Control
Goal is to protect buildings, systems, and data media from natural and environmental hazards and unauthorized access or intrusions
Ensure records are kept of all maintenance, especially locksmith work
41. Physical Safeguards
Workstation Security
Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)
42. Workstation Use & Security
Both standards could be covered in one policy
Ensure workstation locations will not allow casual viewing by unauthorized personnel
Audit systems to ensure all PCs/laptops have latest version of virus definitions installed
43. Device & Media Controls
“Device” was included to address storage devices such as PDAs
Media re-use requires sanitization of media using DOD-style standards (overwriting an entire disk with ones and zeros repeatedly)
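The overwrite-with-ones-and-zeros approach the slide describes can be shown at file level. The Python below is an added example written for this page, not code from the lecture or from any DoD or HIPAA publication; `overwrite_file`, `sanitize_and_delete` and `demo` are hypothetical helper names, and the PHI-like record it writes is constructed. It overwrites every byte of a file once per pass (all ones, all zeros, then random), syncing each pass to the device, and only then unlinks the file, since unlinking alone drops the directory entry and leaves the data blocks in place.

```python
import os
import tempfile

# One pattern per pass: all ones, all zeros, then random bytes (None = os.urandom).
DEFAULT_PASSES = (b"\xff", b"\x00", None)


def overwrite_file(path, passes=DEFAULT_PASSES, chunk=64 * 1024):
    """Overwrite every byte of `path` once per pass, syncing after each pass.
    Returns the file size in bytes (the amount overwritten per pass)."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device, not just the page cache
    return size


def sanitize_and_delete(path, passes=DEFAULT_PASSES):
    """Overwrite first, then unlink; returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo():
    """Write a constructed PHI-like file, check that one zero pass replaces its
    content byte for byte, then sanitize and delete it. Returns a result dict."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    record = b"MRN 0000-CONSTRUCTED | Jane Sample | DX: example diagnosis\n"
    with os.fdopen(fd, "wb") as f:
        f.write(record * 2000)
    original_size = os.path.getsize(path)

    overwrite_file(path, passes=(b"\x00",))
    with open(path, "rb") as f:
        after = f.read()
    zeroed = len(after) == original_size and after.count(0) == len(after)
    record_gone = record not in after

    sanitize_and_delete(path)
    return {
        "size": original_size,
        "zeroed": zeroed,
        "record_gone": record_gone,
        "deleted": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind when applying the slide's guidance: multiple-pass overwriting addresses magnetic media; flash storage with wear-levelling, and filesystems that journal or copy-on-write, can retain old copies of the blocks that a file-level overwrite never touches, so whole-device sanitization (the device's own secure-erase command, or physical destruction) or encrypting the media up front and destroying the key is the appropriate measure there. The example therefore demonstrates the principle at file level; the Media re-use specification is met at the device level.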
44. Technical Safeguards
Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls
45. Technical Safeguards
Integrity
– Mechanism to Authenticate Electronic PHI (A)
Person or entity authentication
Transmission security
– Integrity controls (A)
– Encryption (A)
46. Access Control
Unique user identification for accountability is critical for clinical applications
– Disallows use of Windows 98/ME (weak user identification & controls)
Automatic logoff permits an equivalent measure to restrict access (Password protected screen saver? XP user switching?)
Encryption serves as an access control method for data at rest
47. Audit Controls
Risk assessment and analysis can be used to determine necessary intensity of audit trails
Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers
Store audit logs on a separate server
Do not allow system administrator access to audit logs
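The two slides on Integrity (a mechanism to authenticate electronic PHI) and on Audit Controls (trigger events, logs kept away from the system administrator) can be served by one mechanism: an audit trail whose entries are chained with a keyed MAC, so that editing, deleting or reordering a past entry is detectable by anyone holding the key. The Python below is an added example, not code from the lecture or from any HIPAA guidance. The `AuditLog` class, `verify_chain`, the trigger-event set and the key are all hypothetical and constructed; a real deployment keeps the key on the separate audit server (or an HSM), which is what makes the "no sysadmin access" point enforceable rather than merely administrative.

```python
import copy
import hashlib
import hmac
import json

# Constructed key for the example. In practice this lives on the audit server,
# out of reach of the application administrators whose actions it records.
AUDIT_KEY = b"constructed-example-key-do-not-use"

# Trigger events agreed between data owners and the Privacy/Security Officers
# (hypothetical set for this example).
TRIGGER_EVENTS = {"view", "print", "export", "modify", "delete"}

GENESIS = "0" * 64  # chain anchor used before the first entry


def _canonical(body):
    """Deterministic byte encoding of an entry, so the MAC covers every field."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _chain_tag(key, prev_tag, body):
    """tag_n = HMAC-SHA256(key, tag_{n-1} || canonical(entry_n))."""
    return hmac.new(key, prev_tag.encode() + _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only PHI access log; each entry's tag depends on all earlier entries."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def record(self, ts, user, patient, action):
        """Append an entry if `action` is a trigger event. Returns the tag or None."""
        if action not in TRIGGER_EVENTS:
            return None
        body = {"seq": len(self.entries), "ts": ts, "user": user,
                "patient": patient, "action": action}
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        body["tag"] = _chain_tag(self._key, prev, body)
        self.entries.append(body)
        return body["tag"]


def verify_chain(entries, key):
    """Recompute every tag. Returns (True, None) if intact, else (False, index)
    of the first entry whose sequence number or tag does not check out."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "tag"}
        if body.get("seq") != i:
            return False, i  # gap or reordering
        expected = _chain_tag(key, prev, body)
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i  # field edited or tag forged
        prev = entry["tag"]
    return True, None


def demo():
    """Build a small log, then show that an edit and a deletion are both caught."""
    log = AuditLog(AUDIT_KEY)
    log.record("2004-03-01T08:02:00", "jdoe", "MRN-CONSTRUCTED-1", "view")
    log.record("2004-03-01T08:05:00", "jdoe", "MRN-CONSTRUCTED-2", "print")
    log.record("2004-03-01T08:09:00", "asmith", "MRN-CONSTRUCTED-1", "modify")
    log.record("2004-03-01T08:10:00", "asmith", "MRN-CONSTRUCTED-1", "scroll")  # not a trigger

    intact = verify_chain(log.entries, AUDIT_KEY)

    edited = copy.deepcopy(log.entries)
    edited[1]["user"] = "someone_else"          # an administrator "fixing" history
    edit_result = verify_chain(edited, AUDIT_KEY)

    trimmed = log.entries[:1] + log.entries[2:]  # entry 1 removed
    delete_result = verify_chain(trimmed, AUDIT_KEY)

    return {"entries": len(log.entries), "intact": intact,
            "edited": edit_result, "deleted": delete_result}


if __name__ == "__main__":
    print(demo())
```

Verification with the wrong key fails at index 0, which is the useful property here: an operator who can read the log file but not the key can neither rewrite an entry nor regenerate the chain after deleting one. Appending to the chain still requires the key, so entries should be written by the audit server itself, not by the application host that is being audited.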
48. Transmission Security
“…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.”
There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions
49. Organizational Requirements
Business Associate (BA) Agreements
– Contractual agreements required before BAs can access PHI
– BAs must follow HIPAA Business Associate rules (next slide)
– Applies to subcontractors of BAs as well
A CE may require a business associate to meet even higher security standards
50. Rules for Business Associates
Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI they access on behalf of the CE
Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards
Report any security incident to the CE
51. Rules for Business Associates
Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the security rule
Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract
52. Policy & Procedure Documentation
Implement reasonable and appropriate policies and procedures
Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation periodically
53. Resources
Works used in the preparation of this lecture:
– Beaver, Kevin (2003) HIPAA Security Rule FAQ. Principle Logic, accessed at http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
– Birnbach, Deborah S. and Gametchu, Mayeti (2003) “How HIPAA's security rule could affect IT.” Computerworld, April 30, 2003, accessed at http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
– Higher Education Information Technology (HEIT) Alliance (undated) Privacy. Accessed at http://www.heitalliance.org/issues/privacy.asp
– Hollander, Jay (2003) Medical Privacy: Understanding HIPAA's Security Rule. Accessed at http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
– New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated) HIPAA Overview. Accessed at http://www.nhdds.org/nhddsit/HIPAA/overview.html
– Walsh, Tom (2001) Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc., accessed at http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
– Walsh, Tom (2003) HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? (PowerPoint presentation) Tom Walsh Consulting LLC
– Weil, Steven (2003) HIPAA Consensus Research Project. The SANS Institute, accessed at http://www.sans.org/projects/hipaa.php