Privacy & security in heath care it

TransformingLives. InventingtheFuture. www.iit.edu
I ELLINOIS T UINS TI T
OF TECHNOLOGY
ITM 578 1
HIPAA - Privacy & Security in Heath Care IT
Ray Trygstad
ITM 478/578
Spring 2004
Master of Information Technology & Management Program
CenterforProfessional Development

ITM 578 2
ILLINOIS INSTITUTE OF TECHNOLOGY
Learning Objectives:
Upon completion of this lesson the
student should be able to:
– Discuss information security implications of
the Health Insurance Portability and
Accountability Act (HIPPA)
– Discuss information security impact of the
HIPAA Privacy Rule
– Describe key components and
implemetation of the HIPAA Security Rule

ITM 578 3
What is HIPAA?
 Health Insurance Portability and
Accountability Act (HIPAA)
– Signed into law August 1996
 Part of this Act, Administrative
Simplification, intends to reduce
administrative costs and burdens
in the health care industry
 Requires Department of Health and Human
Services to adopt national uniform standards
for electronic transmission of certain health
information

ITM 578 4
Who is Affected? (“covered entities”)
 All healthcare
organizations
 All health care
providers (even
1-physician offices)
 Health plans
 Employers
 Public health
authorities
 Life insurers
 Clearinghouses
 Billing agencies
 Information
systems vendors
 Service organizations
 Universities with
health care curricula
or even just student
health services
Anyone that transmits any health information in electronic
formin connection with healthcare transactions

ITM 578 5
Standards for Electronic Transactions
 Standards for electronic health information
transactions
 Within 18 months HHS Secretary required to adopt
standards from among those already approved by
standards organizations for certain electronic health
transactions including:
– Claims
– Enrollment
– Eligibility
– Payment
– Coordination of benefits
 Standards also must address security of electronic
health information systems.

ITM 578 6
(18 Months?)
It’s now been six years and standards
are still not fully in place!
 Will not go into full effect until 2005!
Isn’t government wonderful?)

ITM 578 7
More on the HIPAA Bill
 Providers and health plans required to use
standards for specified electronic transactions
24 months after adoption
 Plans and providers may comply directly or
use a health care clearinghouse
 HIPAA supersedes state laws except state
laws that impose more stringent
requirements
 HIPPA imposes civil money penalties and
prison for certain violations

ITM 578 8
Penalties for Violations
Fines up to $25,000 for multiple
violations of the same standard in a
calendar year
Fines up to $250K and/or imprisonment
up to 10 years for knowing misuse of
individually identifiable health
information
!!!

ITM 578 9
HIPAA Privacy
HIPAA Privacy Rule went into effect
in April 2003
Restricts how covered entities may use
and disclose individually identifiable
health information
Requires security for such data
Grants individuals certain rights to
access and correct their personal
health information

ITM 578 10
HIPAA Privacy Requirements
 HIPAA requires covered entities to:
– Have written privacy procedures, including
• Description of staff granted access to protected
information
• How it will be used
• When it may be disclosed
• Business associates (including IT vendors!) with access
to protected information must agree to same limitations
on use and disclosure of that information
– Train employees in privacy procedures
– Designate someone responsible for ensuring
procedures are followed (the “HIPAA czar”)

ITM 578 11
HIPAA Privacy Requirements
 Rule permits covered entities to disclose health
information for specific public responsibilities:
– emergency circumstances
– identification of the body of a deceased person, or the cause
of death
– public health needs
– research that with limited data or independently approved
by a Review Board or privacy board
– oversight of the health care system
– judicial and administrative proceedings
– limited law enforcement activities
– activities related to national defense and security
 Equivalent Requirements exist for Government

ITM 578 12
HIPAA Security Rule
 First government-mandated framework
for an information security policy covering
non-governmental entities
 Published in February 2003
 Covered entities (CEs) must be in compliance
April 21, 2005
 Portions of Security Rule that implement the
Privacy Rule were effective last April

ITM 578 13
HIPAA Security Rule
Covered entities required to observe
Privacy Rule requirements with
respect to all Patient Health
Information (PHI) in any form,
electronic or not, but the Security
Rule only applies to PHI in
electronic form

ITM 578 14
Requirements of HIPAA Security Rule
 Maintain reasonable & appropriate
administrative, technical and physical
safeguards to
– Ensure the integrity and confidentiality of
information
– Protect against
• any reasonably anticipated threats or hazards to the
security or integrity of the information
• unauthorized uses or disclosures of the information,
i.e. any reasonably anticipated uses or disclosures not
permitted by Privacy Rule
– Otherwise to ensure compliance with this part by
officers & employees

ITM 578 15
Three Categories of Safeguards
The rule outlines 3 categories of
safeguards to establish a minimum
level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards

ITM 578 16
Three Categories of Safeguards
 Administrative safeguards: Ensures that
formal policies for overseeing
implementation and management of security
measures are established and implemented
 Physical safeguards: Ensures facilities where
electronic information systems are stored are
protected from intrusions and other hazards
 Technical safeguards: Ensures only
authorized access to electronic personal
health information is permitted, through
implementation of firewalls, passwords, and
other measures

ITM 578 17
Principles of the Security Rule
 Scalability
– Any size healthcare entity must be able to comply
with the rule
 Comprehensiveness
– Meant to result in a unified system of protection
for PHI
– CEs must use a defense in depth security
approach
 Technology neutral
– No specific technology recommendations (e.g.,
specific type of firewall, IDS, access control
system).
– Each CE must choose appropriate technology to
protect PHI.

ITM 578 18
Principles of the Security Rule
 Internal and external security threats
– Must protect PHI against both internal and
external threats
 Minimum standard
– Defines the least that CEs must do to protect
PHI (they may choose to do more)
 Risk analysis
– Requires CEs to conduct thorough & accurate
risk analysis that considers “all relevant losses”
that would be expected if specific security
measures are not in place
– “Relevant losses” include losses caused by
unauthorized use and disclosure of data and
unauthorized modification of data

ITM 578 19
Security Rule Key Concepts
 Principle based
– Presents a series of security best practices and
principles with which CEs must comply
– Step by step checklists not provided
 Reasonableness
– CEs must do everything appropriate to avert
all reasonably anticipated risks to PHI
– CEs must balance resources and business
requirements against risks to PHI
 Full compliance
– All CE staff, including management and those
working at home, must comply

ITM 578 20
Security Rule Key Concepts
 Developed from multiple security guidelines and
standards
– Those creating the rule found no existing single security
standard or best practice that described how to
comprehensively protect PHI
– Therefore the rule is based on many different security
guidelines, standards, and best practices
 Documentation
– CEs must document a variety of security processes, policies,
and procedures
– CEs must document Security Rule implementation decisions
 Ongoing compliance
– CEs must regularly train employees
– CEs must revise security policies and procedures as needed

ITM 578 21
Standards & Specifications
 Rule breaks down into 18 standards and
36 implementation specifications
 A standard explains what a CE must do
 An implementation specification explains
how to do it
 12 standards have associated
implementation specifications; 6 do not
 14 implementation specifications are
required; 22 are addressable

ITM 578 22
Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)Requirements (Physical, Administrative, Technical Safeguards)
StandardsStandardswithwith ImplementationImplementation
Specifications (12)Specifications (12)
witho utwitho ut ImplementationImplementation
Specifications (6)Specifications (6)
Implementation SpecificationsImplementation Specifications
Required (14)Required (14)
Addressable (22)Addressable (22)
Source: Weil, Steven HIPAAConsensus ResearchProject SANS Institute, 2003; http://www.sans.org/projects/hipaa.php

ITM 578 23
Required and Addressable
 Required specifications are, well, required
and must be implemented
 Addressable implementation specifications
leave CEs with three possible choices
– Implement specification if reasonable and
appropriate
– Implement an alternative security measure to
accomplish purposes of the standard
– Implement nothing if specification is not
reasonable & appropriate and the standard
can still be met

ITM 578 24
Addressable Specification Choices
 If implementation specification is reasonable
& appropriate, CE must implement it
 If implementation specification not
reasonable & appropriate, but standards
cannot be met without an appropriate
security measure, CE must
– Document why it would not be reasonable &
appropriate to implement
– Implement & document alternative security
measure(s) that accomplishes the same purpose

ITM 578 25
 If implementation specifications not
reasonable & appropriate, but standards
can be met without an appropriate
security measure, CE must
– Document decision not to implement
– Document why it would not be reasonable &
appropriate to implement
– Document how the standard is being met

ITM 578 26
 Factors to take into account when deciding
how to respond to addressable
specifications:
– Size, complexity, & capabilities of the
organization
– Existing technical infrastructure, hardware,
and software security capabilities
– Costs of security measures
– Likelihood & seriousness of potential risks to
PHI

ITM 578 27
Implementing HIPAA
Specifications can be implemented in
any order, as long as standards are met
by the deadline
May use any security measures
allowing the CE to reasonably and
appropriately implement the rule

ITM 578 28
Breakdown of Specifications
Administrative Safeguards (55%)
– 12 Required, 11 Addressable
Physical Safeguards (24%)
– 4 Required, 6 Addressable
Technical Safeguards (21%)
– 4 Requirements, 5 Addressable

ITM 578 29
Administrative Safeguards
Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
Assigned security responsibility
– One individual (not an organization)
with responsibility (R)

ITM 578 30
Risk Assessment / Analysis
Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate
security to address business requirements
• Does not imply that organizations are given complete
discretion to make their own rules
– Document security decisions

ITM 578 31
Assigned Security Responsibility
 Chief Information Security Officer (CISO) or
Information Security Officer (ISO)
 Large organizations may have site-security
coordinators working with CISO/ISO
 Security standards extend to CE employees
even if they work at home as do many
transcriptionists

ITM 578 32
Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedure (A)
– Termination procedures (A)
Information access management
– Minimum necessary rule

ITM 578 33
Workforce Security
Authorization controls verify identity
of employees permitted to access PHI
Clearance procedure describes types
of background checks that will be
conducted for employees
Termination procedures include
collecting access control devices or
changing door locks, etc.

ITM 578 34
Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures
– Response and Reporting (R)

ITM 578 35
Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality
Analysis (A)

ITM 578 36
Awareness & Training
 “Security awareness training is a critical
activity, regardless of an organization’s size.”
 Training, Education and Awareness (TEA)
– Awareness training for all personnel (including
management)
– Periodic security reminders
– User education concerning virus protection
– User education in importance of monitoring login
success or failure, and how to report discrepancies
– User education in password management

ITM 578 37
Security Incident Procedures
Provides methods for users to report
unusual security occurrences or
breaches to patient confidentiality
Goals:
– Identify
– Contain
– Correct
– Prevent

ITM 578 38
Evaluation
– Periodic review of technical controls and
procedural review of the security program
Business Associate contracts
– Written Contract or Other Arrangement (R)
•Identify business associates who receive or
have access to PHI
•Tie efforts with Privacy initiative
•Establish rules for vendor remote access

ITM 578 39
Physical Safeguards
Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation
Procedures (A)
– Maintenance Records (A)
Workstation Use
– Includes portable devices

ITM 578 40
Facility Access Control
Goal is to protect buildings, systems,
and data media from natural and
environmental hazards and
unauthorized access or intrusions
Ensure records are kept of all
maintenance, especially locksmith
work

ITM 578 41
Physical Safeguards
Workstation Security
Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)

ITM 578 42
Workstation Use & Security
Both standards could be covered in
one policy
Ensure workstation locations will not
allow casual viewing by unauthorized
personnel
Audit systems to ensure all PCs/laptops
have latest version of virus definitions
installed

ITM 578 43
Device & Media Controls
“Device” was included to address
storage devices such as PDAs
Media re-use requires sanitization of
media using DOD-style standards
(overwriting an entire disk with ones
and zeros repeatedly)

ITM 578 44
Technical Safeguards
Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls

ITM 578 45
Technical Safeguards
Integrity
– Mechanism to Authenticate Electronic
PHI (A)
Person or entity authentication
Transmission security
– Integrity controls (A)
– Encryption (A)

ITM 578 46
Access Control
 Unique user identification for accountability
is critical for clinical applications
– Disallows use of Windows 98/ME
(weak user identification & controls)
 Automatic logoff permits an equivalent
measure to restrict access (Password
protected screen saver? XP user switching?)
 Encryption serves as an access control
method for data at rest

ITM 578 47
Audit Controls
 Risk assessment and analysis can be used
to determine necessary intensity of audit
trails
 Audit trail trigger events must be jointly
determined by the data owners and the
Privacy and Security Officers
 Store audit logs on a separate server
 Do not allow system administrator access
to audit logs

ITM 578 48
Transmission Security
“…When electronic protected health
information is transmitted from one
point to another, it must be protected
in a manner commensurate with the
associated risk.”
There is no simple, interoperable
solution to encrypting e-mail
containing PHI; hopefully HIPAA
compliance will drive better solutions

ITM 578 49
Organizational Requirements
Business Associate (BA) Agreements
– Contractual agreements required before
BAs can access PHI
– BAs must follow HIPAA Business
Associate rules (next slide)
– Applies to subcontractors of BAs as well
A CE may require a business associate
to meet even higher security standards

ITM 578 50
Rules for Business Associates
Implement safeguards that
reasonably and appropriately protect
the confidentiality, integrity and
availability of PHI they access on
behalf of the CE
Ensure that anyone else to whom
they provide PHI agrees to
implement reasonable and
appropriate safeguards
Report any security incident to the
CE

ITM 578 51
Rules for Business Associates
Make policies, procedures and
required documentation relating to
the safeguards available to HHS to
determine CE compliance with the
security rule
Authorize termination of the BA
contract by the CE if the CE
determines that the BA has violated
a material term of the contract

ITM 578 52
Policy & Procedure Documentation
Implement reasonable and
appropriate policies and procedures
Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation
periodically

ITM 578 53
Resources
 Works used in the preparation of this lecture:
– Beaver, Kevin (2003) HIPAA Security Rule FAQ. Principle Logic, accessed at
http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
– Birnbach, Deborah S. and Gametchu, Mayeti (2003) “How HIPAA's security rule
could affect IT” Computerworld April 30, 2003, accessed at
http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
– Higher Education Information Technology (HEIT) Alliance (undated) Privacy.
Accessed at http://www.heitalliance.org/issues/privacy.asp
– Hollander, Jay (2003) Medical Privacy: Understanding HIPAA's Security Rule.
Accessed at http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
– New Hampshire Developmental Disabilities Services System, Information
Technology Initiatives (undated) HIPAA Overview. Accessed at
http://www.nhdds.org/nhddsit/HIPAA/overview.html
– Walsh, Tom (2001) Developing an Effective Information Security Training and
Awareness Program. Healthcare Computing Strategies, Inc. , accessed at
http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
– Walsh, Tom (2003) HIPAA Security: Complying with the HIPAA Security Rule
Implementation Specifications – Are you Correctly Addressing Them? (Powerpoint
presentation) Tom Walsh Consulting LLC
– Weil, Steven (2003) HIPAA Consensus Research Project. The SANS Institute,
accessed at http://www.sans.org/projects/hipaa.php

ITM 578 54
The End…
Questions?

Privacy & security in heath care it

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Destacado

Destacado (20)

Similar a Privacy & security in heath care it

Similar a Privacy & security in heath care it (20)

Más de Dhani Ahmad

Más de Dhani Ahmad (12)

Último

Último (20)

Privacy & security in heath care it

Notas del editor