"I haven't heard of HIPAA, but I can hip hop."

HIPAA Security Standards Final Rule

Some Tips & Updates for HME/Rehab Providers

Mark J. Higley, Vice President - Development

The VGM Group

In this Presentation…

• Privacy Rule Status
• Quick Update on TCS
• Introduction to the Security Standards


Let’s Get Started!

By Now, You All Know what HIPAA is…right?

Healthcare In Pain And Agony (again)

The Big Picture

Implementing the HIPAA standards does not have to be a major burden on the average HME/Rehab provider, and especially not an economic burden.

Privacy Rule In Effect

The Privacy compliance date is now effective (April 14, 2003). Many providers are not yet compliant.

As of February 2004, OCR, the HHS division responsible for HIPAA Privacy, received 4,266 complaints of HIPAA privacy violations since the law took effect.

Primary reasons for the violations

• Incidental disclosure of individually identifiable health information
• Lack of adequate safeguards
• Not providing a copy of records to patients
• Disclosure of more than the necessary information
• Failure to give notice of privacy practices

But…

OCR has closed 42% of these cases. Most situations were resolved, a course of action was taken, or an investigation took place but no violation was found.

Bottom Line: No fines have been levied as a result of a HIPAA privacy violation!

Confused by some of the details of the Privacy Rule?

The HIPAA Privacy Rule remains as a source of great confusion among providers and others within the health care community.

VGM can help! Just call or email. Consultation is free to all!

Training is Required!

All employees and members of your workforce who have access to protected health information need HIPAA training! This PowerPoint will assist you in satisfying the training requirement!

For governmental information on HIPAA…

e-mail your questions to [email protected]

Call the CMS HIPAA HOTLINE 1-866-627-7748

Log onto the CMS HIPAA web site: http://www.cms.hhs.gov/hipaa

For Privacy inquiries only, check out: http://www.hhs.gov/ocr/hipaa

Call: 1-866-627-7748

For information on HIPAA that you can understand (!!)…

e-mail your questions to [email protected]

Call : 1-800-642-6065

Before we discuss the Security Standards…

Let’s Get A Quick Update on TCS (that’s electronic transactions and code sets).

October 16, 2003 Electronic Transactions…Many Months Later

As many expected, there is trouble in the government's “paradise of standardization”.

Slower payments, poor customer service and confusion over what is or is not allowed in terms of paper claims are just a smidgen of the reported problems.

It will take more time to sort out exactly what is going on and where the problems lie.

Examples:

• Published companion documents that never came
• Lack of published contingency plans
• One large payer has stopped accepting electronic claims due to discrepancies in formats.

This has a negative impact on HME providers who have been used to submitting electronically.

Some are dropping back to paper claims…and cash flows suffer as the paper claims are processed.

But… As You Know…

Medicare & most state Medicaid agencies still accept electronic claims in a proprietary format (operating under a “contingency plan”). For the latest information on your particular state’s contingency plan, please review its “HIPAA Implementation Status Update and Contingency Plan Information” at the appropriate Medicaid website.

Let’s Discuss Medicaid

State contingency plans include the capability to continue to accept and process existing formats, including data values and codes within these formats.

Old Formats OK

States will continue to accept existing formats and codes for a period of time, until their individual trading partners have successfully completed testing of the HIPAA compliant electronic transactions.

State contingency plans also include accepting existing formats that have been generated by converting HIPAA compliant formats.

Testing Update

To date, testing of these transactions has been limited. Consequently, the conversion of data in these formats will depend on the ability of the clearinghouse or software vendor to correctly translate the data required for adjudication in a timely fashion.

Formats & Codes

Medicaid strongly encourages providers to instruct their billing services and software vendors to continue using current formats and codes, until these entities have demonstrated to the providers successful HIPAA testing results with all parties involved in transmitting electronic claims to payers.

Let’s get back to the Security Standards!

Introduction

To a great extent, the Security Rule puts the HIPAA spotlight on your information technology/systems staff. Whether you have just one information system manager or a full CIO with I/T staff, these “technical executives” must develop and implement cost-effective, organization-wide security programs.


Of course, your entire management team should play an important strategic planning role before practical measures are implemented. As healthcare organizations look toward developing annual budgets, the executive team should be asking such questions as:


What are the security risks to my organization - and which are the highest priority?

What measures should be considered for our plan to reduce risk and become HIPAA Security compliant?

How much should we budget (money, resources) for security?

Why Comply with the Security Rule?

HIPAA and good business practices dictate that we safeguard patient information entrusted to us.

But…perhaps just as importantly, the standards address security risks that could severely affect your business operations!

Potential Risks:

• Loss of financial cash flow
• Permanent loss or corruption of electronic protected health information (ePHI)
• Temporary loss or unavailability of medical records
• Loss of physical assets (computers, etc.)
• Damage to reputation and public confidence
• Threats to patient safety
• Threats to employee safety

The Standards…

Will be effective April 21, 2005 for healthcare providers

Apply only to “Electronic Protected Health Information” (EPHI) that a healthcare provider - and all covered entities - “creates, receives, maintains, or transmits”

The Standards…

Are separated into three groups:

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Less Specific Than the Privacy Rule!

The final Security standards are essentially a model for information security, with less specific guidance on how to implement it.

General Requirements of the Standards…

Ensure:

• Confidentiality (only the right people see it)
• Integrity (the information is what it is supposed to be – it hasn’t been changed)
• Availability (the right people can see it when needed)

General Requirements

Protect against reasonably anticipated threats or hazards to the security or integrity of information;

Protect against reasonably anticipated uses and disclosures not permitted by privacy rules

Ensure compliance by workforce

Regulation “Themes”

Scalability/Flexibility (*)

Healthcare providers can take into account:

• Size

• Complexity

• Capabilities

• Technical Infrastructure

• Cost of procedures to comply

• Potential security risks

(*) Remember these terms from the Privacy Rule???

Regulation “Themes”

Technologically Neutral: what needs to be done, not how

Comprehensive: not just technical aspects, but behavioral as well

How HHS Is Attempting To Accomplish This

Develop Standards That Are Required and Include:

“Implementation specifications” which provide additional detail and can be either required or addressable.

What did you just say???

(OK, we thought that might confuse some of you. Let’s try it again!)

Try again:

The new Security rules, just like the Privacy rules, have "standards" - what must be done by healthcare providers to comply….

And "implementation specifications" – which include “how to do it”.

Before we get too detailed….

Q. What about some model forms, policies and procedures - like we had for the Privacy Rules???

A. Good question! HHS has promised more specifics in the future and to provide model guidance documents.

And…

VGM will compile these documents, adapt them to HME/Rehab, and will make them available to providers…probably on the Web site.

As the compliance date is not until 2005, we have a little time!

OK…Back to the specifics…what’s “Addressable”?

If an implementation specification is addressable, a healthcare provider can:

Implement it…if it is reasonable and appropriate

Implement an equivalent measure, if that is reasonable and appropriate

Not implement it at all

Again…the standards are separated into three groups: (*)

• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

(*) We’ve developed a chart that lists all of the standards and includes whether implementation is required or “addressable”. See your handouts!

Administrative Safeguards…

Make up 50% of the Security Rule's standards. In general, they require documented policies and procedures for day-to-day operations; managing the conduct of employees with PHI; and managing the selection, development, and use of security controls.

Give me an example of an Administrative Safeguard

OK. All healthcare providers must designate a "security official," to be "responsible for the development and implementation of the policies and procedures" required by the Security Rule.

Physical Safeguards…

Are a series of security measures meant to protect a healthcare provider’s electronic information systems, as well as related buildings and equipment, from natural hazards, environmental hazards, and unauthorized intrusion. The measures include both administrative policies and physical controls.

Give me an example of a Physical Safeguard

OK. Workstation security. This standard requires the "implementation of physical safeguards for all workstations that access electronic protected health information to restrict access to authorized users."

Technical Safeguards…

Are made up of several security measures that specify how to use technology to protect EPHI.

Give me an example of a Technical Safeguard

OK. “Access controls”: your technical policies and procedures for the electronic information systems that maintain EPHI, allowing access only to those persons or software programs that have been granted access rights.

“Implementation Specifications”

As noted before, these three safeguard categories are further divided into "implementation specifications" that define how each of the standards is to be implemented. In some cases, the standard itself contains enough information to describe implementation requirements, so there is no separate specification.

I Heard We Must Purchase Encryption Software!!

First of all…encryption is addressed in the Technical Safeguards under the “transmission security” standards. These include technical security mechanisms to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network.

…The standard has two implementation specifications, both of which are addressable: integrity controls and encryption.

The first includes "security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of." The second embraces "mechanisms to encrypt electronic [PHI] deemed appropriate."

Encryption not required!!

The standard does not mandate any particular set of integrity controls, such as encryption, for all transmissions. Now the healthcare provider must decide, following its own risk analysis (*), what degree of protection is appropriate in each circumstance.

(*) We’ll discuss “risk analysis” next…
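The “integrity controls” specification above asks only that modification of transmitted ePHI be detectable. The following is an added example, not code from the presentation or from VGM, of one way to meet it with nothing but the Python standard library: the sender tags each outgoing record with an HMAC-SHA256 over the record and a sequence number, and the receiver refuses anything whose tag or sequence number does not check out. The key, the envelope format and the sample claim record are constructed for the example; in practice the key would be agreed with the trading partner and kept out of the message itself.

```python
"""Added example: a transmission integrity control using HMAC-SHA256.

The sender wraps each ePHI record in an envelope {seq, payload, tag}; the
receiver recomputes the tag and also checks the sequence number, so a
replayed or reordered envelope fails even though its tag is valid.
The key, envelope format and sample record are constructed for this
example and are not taken from any HIPAA guidance document.
"""
import hashlib
import hmac
import json

def _canonical(seq: int, payload: dict) -> bytes:
    """Serialise the authenticated fields the same way on both sides."""
    return json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()

def tag_message(key: bytes, seq: int, payload: dict) -> dict:
    """Sender side: build the envelope that goes over the network."""
    tag = hmac.new(key, _canonical(seq, payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "tag": tag}

def verify_message(key: bytes, envelope: dict, expected_seq: int) -> bool:
    """Receiver side: accept only if the sequence number is the one expected
    and the tag matches; compare_digest avoids a timing side channel."""
    if envelope.get("seq") != expected_seq:
        return False
    expected = hmac.new(key, _canonical(envelope["seq"], envelope["payload"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(envelope.get("tag", "")))

# Constructed sample key and record (assumption: a shared key agreed out of band).
SAMPLE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SAMPLE_RECORD = {"patient_id": "TEST-0001", "item": "sample-device", "units": 1}

def demo() -> dict:
    """Three delivery outcomes: untouched, payload modified in transit, replayed."""
    env = tag_message(SAMPLE_KEY, 1, SAMPLE_RECORD)
    results = {"untouched": verify_message(SAMPLE_KEY, env, 1)}
    # Someone changes the quantity on the wire but cannot recompute the tag.
    tampered = dict(env, payload=dict(env["payload"], units=10))
    results["tampered"] = verify_message(SAMPLE_KEY, tampered, 1)
    # The original, validly tagged envelope is sent a second time.
    results["replayed"] = verify_message(SAMPLE_KEY, env, 2)
    return results

if __name__ == "__main__":
    print(demo())
```

This gives detection of modification, which is what the specification asks for; it does not hide the contents, which is the separate (and also addressable) encryption specification. Whether either is needed for a given link is exactly the risk-analysis decision the next slides describe.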

Risk Analysis

The HIPAA Security Rule requires healthcare providers to have a risk management program in place to evaluate the value of the assets, the potential for a loss or disclosure, and the cost of additional countermeasures.

Risk Analysis

It is a Required specification!

Possible Resource: NIST Risk Management Guide (#800-30) http://www.nist.gov

Risk Analysis Steps (we’ll go through each one of these in a minute…)

• Review data systems
• Identify threats/vulnerabilities
• Evaluate security controls
• Assess likelihood
• Consider impact
• Determine risk

Review Data Systems

• Hardware
• Software
• Data storage locations
• Modes of data transit
• Data sensitivity
• Primary Users

Identify Threats

Natural/Environmental disasters, such as electrical storms, flood, tornado, chemical spills

Human threats, such as accidental data erasure or entry, hackers, computer viruses, theft

Vulnerabilities, such as internal weaknesses or flaws

Evaluate Security Controls

Preventive:
• Access restrictions
• Password authentication
• Effective staff training
• Environmental controls

Detective:
• Audit trails
• Alarms

Assess likelihood

Of each identified threat, with consideration to controls.

Accidental data erasure, but files are backed up every night??

High, Moderate, Low?

Consider Impact

Of data release, manipulation, temporary or permanent inaccessibility.

Temporary data erasure, but files are backed up every night??

High, Moderate, Low?

Determine Risk

Likelihood Determination × Impact Assessment:

• Moderate likelihood, low impact: Sufficient controls in place?
• High likelihood, high impact: Additional protections needed.
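The six steps above, from reviewing data systems through determining risk, can be run as a repeatable procedure rather than a one-off discussion, which also produces the documentation the rule asks for. The following is an added example, not from the presentation or from NIST SP 800-30: a small inventory of one data system, its threats and the controls in place is scored on the slides' High/Moderate/Low scale, and the results are ranked so the “which are the highest priority?” question is answered directly. The three-level scale, the rule that each preventive control lowers likelihood by one level and each detective or recovery control lowers impact by one level, the score thresholds, and the sample inventory are all assumptions made for this example; the Security Rule leaves the scale and method to the organization.

```python
"""Added example: the six risk-analysis steps from the slides, carried out on a
constructed inventory. Scale, control-adjustment rule, thresholds and sample
data are assumptions for this example, not taken from the Security Rule or
from NIST SP 800-30.
"""
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

@dataclass
class Control:
    name: str
    kind: str   # "preventive" lowers likelihood; "detective"/"recovery" lower impact

@dataclass
class Threat:
    name: str
    likelihood: str                       # rating before controls are considered
    impact: str                           # rating before controls are considered
    controls: list = field(default_factory=list)

@dataclass
class DataSystem:                         # step 1: review data systems
    name: str
    sensitivity: str                      # e.g. "ePHI"; informs the impact ratings
    threats: list = field(default_factory=list)   # step 2: identify threats

def lower(level: str, steps: int) -> str:
    """Drop a rating by `steps` levels, never below 'low'."""
    return NAMES[max(1, LEVELS[level] - steps)]

def assess(system: DataSystem, threat: Threat) -> dict:
    """Steps 3-6: credit the controls, then rate likelihood, impact and risk."""
    preventive = [c for c in threat.controls if c.kind == "preventive"]
    mitigating = [c for c in threat.controls if c.kind in ("detective", "recovery")]
    likelihood = lower(threat.likelihood, len(preventive))   # step 4
    impact = lower(threat.impact, len(mitigating))           # step 5
    score = LEVELS[likelihood] * LEVELS[impact]              # step 6: 1..9
    if score >= 6:
        decision = "additional protections needed"
    elif score >= 3:
        decision = "review whether controls are sufficient"
    else:
        decision = "sufficient controls in place"
    return {"system": system.name, "threat": threat.name,
            "likelihood": likelihood, "impact": impact,
            "score": score, "decision": decision,
            "controls": [c.name for c in threat.controls]}

def analyze(systems: list) -> list:
    """Score every (system, threat) pair and rank by risk, highest first."""
    rows = [assess(s, t) for s in systems for t in s.threats]
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory for a small HME provider (assumption).
SAMPLE_INVENTORY = [
    DataSystem("billing server", "ePHI", threats=[
        Threat("accidental data erasure", "high", "high", controls=[
            Control("nightly backup", "recovery"),
            Control("staff training", "preventive")]),
        Threat("computer virus", "high", "high"),      # no controls recorded yet
        Threat("flood", "low", "high", controls=[
            Control("nightly backup (offsite copy)", "recovery")]),
    ]),
]

def analyze_sample() -> list:
    return analyze(SAMPLE_INVENTORY)

if __name__ == "__main__":
    for row in analyze_sample():
        print(f"{row['score']}  {row['threat']:<26} "
              f"{row['likelihood']}/{row['impact']}  -> {row['decision']}")
```

Note how the “backed up every night” question from the slides plays out: the backup does not make erasure less likely, so it is credited against impact, not likelihood, while training is credited against likelihood. The untreated virus threat ranks first, which is the budget conversation the executive-team questions earlier in the deck are asking for. Keep the inventory and the ranked output as part of the documented risk analysis.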

Quick review of standards

Administrative Standards

Security Management
• Risk analysis (R)
• Risk management (R)
• Sanction Policy (R)
• Information System Activity Review (R)

Assigned Responsibility

Administrative Standards

Workforce Security
• Authorization and/or Supervision (A)
• Clearance Procedures (A)
• Termination Procedures (A)

Information Access Management
• Isolate Clearinghouse Function (R)
• Access Authorization (A)
• Access Establishment/Modification (A)

Administrative Standards

Security Awareness and Training
• Security Reminders (A)
• Protection from Malicious Software (A)
• Log-in Monitoring (A)
• Password Management (A)

Security Incident Procedures
• Response and Reporting (R)

Administrative Standards

Contingency Plan
• Data Backup Plan (R)
• Disaster Recovery Plan (R)
• Emergency Operations Plan (R)
• Testing and Revision Procedure (A)
• Applications and Data Criticality (A)

Administrative Standards

Evaluation

Business Associate Contracts
• Written Contract (or other arrangement) (R)

Physical Standards

Facility Access Controls
• Contingency Operations (A)
• Facility Security Plan (A)
• Access Control & Validation Procedures (A)
• Maintenance Records (A)

Workstation Use

Physical Standards

Workstation Security

Device and Media Controls
• Disposal (R)
• Media Re-use (R)
• Accountability (A)
• Data Backup & Storage (A)

Technical Standards

Access Control
• Unique User Id (R)
• Emergency Access (R)
• Automatic Logoff (A)
• Encryption and Decryption (A)

Audit Controls

Technical Standards

Integrity
• Mechanism to Authenticate ePHI (A)

Person or Entity Authentication

Transmission Security
• Integrity Controls (A)
• Encryption (A)

Regulation Dates

Published February 20, 2003: http://aspe.hhs.gov/admnsimp/

Compliance Date: April 21, 2005 for all covered entities except small health plans; April 21, 2006 for small health plans

Implementation Approach

• Do Risk Analysis – Document!
• Based on the analysis, determine how to implement each standard and implementation specification – Document!
• Develop Security Policies and Procedures – Document!
• Train Workforce
• Implement Policies and Procedures
• Periodic Evaluation

Security Summary

• Scalable, flexible approach
• Standards that make good business sense
• One year, one month to implementation!

You will want to begin to…

Establish and document policies and procedures relating to information security

Establish physical safeguards of computer systems, equipment and buildings

Review technical security to protect the confidentiality and integrity of information and control and monitor access

Safeguard systems against external threats

Important!

You should not panic and think Security is going to cost you a fortune. Don’t let vendors talk you into purchasing encryption and other “safeguards”. Think before you buy and let common sense and reason be your other guide!

FINAL COMMENTS

And finally, remember:

Be Flexible

Be Scalable

(& Don’t forget reasonable!)

It is 2004. Remember the Privacy Rule Is Now Effective!


START NOW!
