HIPAA Security Rules
A CE or BA should conduct
a financial analysis to determine the cost of compliance since implementing the Security rule may be a challenge for them.
in the later half of 2009
authority for oversight and enforcement of the Privacy and Security rule was consolidated under the OCR.
Confidentiality
data or information that is not made available or disclosed to unauthorized person or processes
To achieve these goals, HITECH
identified requirement to strengthen the privacy and security protection under HIPAA to ensure patient and healthcare providers that their electronic health information is kept private and secure.
The security rules applies to
individuals identified as CEs and, business associate BAs and the subcontractors of BAs.
Electronic Media 273
is defined as electronic storage media including memory devices in computer hard drives and any removable transported digital memory medium, such as magnetic-type storage or disk, optical storage media such as the intranet, extranet, leased lined, dial up lines, private networks, and physical, removable, transportable electronic storage media.
The flexibility and scalability of the standards
make it possible for any CE regardless of size, to comply with the Rule.
The role of the security officer 284
may be 100% of an individuals job responsibilities or only a fraction, depending on the size of the organization and the scope of its use of healthcare information technology and information system and networks for proper technological control and processes.
Health plans
ANy individual or group plan that provides or pays the cost of healthcare (health insurance issuer or Medicare and Medicaid programs)
Covered healthcare providers or covered entities CEs
Any provider of medical or other healthcare services or supplies that transmits any health information in electronic form in connection with a transition for which HHS has adopted a standard.
The Privace rules contains provision
that require CEs to adopt administrative, physical, and technical, safeguards for PHI.
Security Officer or Chief Security Officer
Is an individual in the organization responsible for overseeing privacy policies and procedures.
PHI Electronic Protected Health Info
Is transmuted by or maintained in some form of electronic media (that is the PHI)
HIPAA consists of 5 titles
Privacy Security Transaction code sets Unique National Provider identifiers Enforcement
Healthcare clearinghouses
Public or Private entities that process another entity's healthcare transaction form a standard format to another standard format, vice-versa
The Chief Security officer may report to
the chief information officer CIO or another administrator in the healthcare organization.
The HIPAA
Signed into Law April 21, 1996 requires the use of standards for electronic transactions containing healthcare data and information as way to improve the efficiency and effectiveness of the healthcare system.
Ultimately the security rules seeks
to ensure that CEs implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion, and transmission, while at the same time ensuring data or information is accessible and usable on demand by authorized individuals
The scope of Security Rule is
to protect individually identifiable health information that is transmuted by or maintained in any form of electronic media.
Tittle II
was designed to protect privacy of healthcare data, information, and security.
HITECH Act
was promote widespread adoption of electronic health records and electronic health information exchange as a means of improving patient care and reducing healthcare cost.
Until 2009, Medicare and Medicaid
was responsible for oversight and enforcement of the Security Rule, while the Office of Civil Rights OCR within HHS oversaw and enforced the Privacy Rule.
The private and security rules
work in tandem to protect health information
The Security rules applies the following
...
Technical Safeguards 5 pg.282
1.Access Control 2.Audit Controls 3.Integrity 4.Person or Entity Authentication 5.Transmission Security
To assist CEs and BAs implementing security rule
1.Asses current security, risks, and gaps 2.Develop an implementation plan 3.Implement solutions 4.Document decisions 5.Reasses periodically
Organizational requirements 2 standards pg.282
1.Business associate contracts or other arrangements 2.Group Health Plans
Physical Safeguards there are 4 pg.281
1.Facility Access Controls 2.Workstation Use 3.Workstation Security 4.Device and Media Controls
Policies, Procedure, and Documentation 2 standards pg 283
1.Policies and procedure 2.Documentation
Administrative Safeguard pg.279
1.Security Management process 2.Assigned security responsibility 3.Workforce security 4.Information access management 5.Security Awareness training 6.Security Incident Reporting 7.Contigency plan 8.Evaluation 9.Business Associate Contracts & other arrangements
Purpose of the HIPAA Security Rules
1.To implement appropriate security safeguards to protect electronic health information that may be at risk. 2.To protect an individual's health information while permuting appropriate access and use of that information.
HIPAA Security Rules 3rd general rules is ÷ into 5 categories pay
3 standard are identified as safeguard (administrative, physical, and technical) and 2 deal with organizational requirement, policies, procedures, and documentation.
Integrity
Data of information that has not been altered or destroyed in an unauthorized manner
Electronic vs.paper vs. oral
The privacy rules applies to all forms of PHI, whether electronic, written, or oral. In contrast, the narrower security rules covers only that is in electronic form.
The security Rule comprises 5 general rules and nº of standard
a. general requirements b.flexibility of approach c.standards related to administrative, physical, and technical safeguard d.implementation specification e.maintenance of security measures
The HIPAA Security rules requires
covered entities (CEs) to ensure the integrity and confidentiality of information, to protect against any reasonable anticipated threats or risks to the security and integrity of info, and to protect against unauthorized uses or disclosure of info.
Security is
not one-time project but an outgoing process that requires constant analysis as the business practice of the CE and BA change, technologies advanced, and new system are implemented
In July 2010, HHS published a notice
of proposed rule-making (NPRM) to implement some of the HITECH provisions and modify other HIPAA requirements.
Key components of an information checklist
pg 276 Figure 10.2
The final rules includes
standards defined in general terms, focusing on what should be done rather than how it should be done.