The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. HIPAA Security Rule list 28 adminstrative safeguards, 12 Physical safeguards, 12 technical safeguards along with specific organization and policies and procedures requirements. EHR 2.0 HIPAA security assessment services help covered entities to discover the gap areas based on the required and addressable requirements. There are two main rules for HIPAA. One is a rule on privacy and the other on Security. The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. How often the security should be reviewed? Security standard mentioned under HIPAA should be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information. Confidentiality Limiting information access and disclosure to authorized users (the right people) Integrity Trustworthiness of information resources (no inappropriate changes) Availability Availability of information resources (at the right time) http://ehr20.com/services/hipaa-security-assessment/

1. HIPAA/HITECH Security
Assessment

2. Webinar Objectives
• Understand HIPAA/HITECH security principles
• Learn HIPAA security safeguards
• Learn tools and methodologies for
HIPAA/HITECH Assessment
2

3. Who we are …
EHR 2.0 Mission: To assist healthcare
organizations develop and implement
practices to secure IT systems and comply
with HIPAA/HITECH regulations.
 Education
 Consulting
 Toolkit(Tools, Best Practices & Checklist)
Goal: To make compliance an enjoyable and
painless experience, while building capability
and confidence.

4. Glossary
1. PHI: Protected Health Information
2. HHS: Health and Human Services
3. OCR: Office for Civil Rights
4. HIPAA: Health Insurance Portability and Accountability
Act
5. HITECH: Health Information Technology for Economic
and Clinical Health Act
4

5. The American Recovery and
Reinvestment Act of 2009 and HITECH
5

6. HITECH modifications to HIPAA
 Creating incentives for developing a meaningful use of
electronic health records
 Changing the liability and responsibilities of Business
Associates
 Redefining what a breach is
 Creating stricter notification standards
 Tightening enforcement
 Raising the penalties for a violation
 Creating new code and transaction sets (HIPAA 5010,
ICD10)
6

7. Business Associate Cycle
Covered
BA HHS/OCR
Entity
• BA Contract • HIPAA Privacy and
• Breach Notification Security Rule
• Minimum Necessary
• Breach Notification
Sub-
contractors
7

8. HIPAA Titles - Overview
8

9. HIPAA
The two main rules of HIPAA are:
 Privacy Rule: Organizations must identify the uses and
disclosures of protected health information (PHI) and put
into effect appropriate safeguards to protect against an
unauthorized use or disclosure of that PHI. When
material breaches or violations of privacy are identified,
the organizations must take reasonable steps to solve
those problems in order to limit exposure of PHI.
 Security Rule: Defines the administrative, physical and
technical safeguards to protect the confidentiality,
integrity and availability of electronic protected health
information.
(45 CFR Part 160 and Subparts A and C of Part 164) 9

10. HIPAA Security Rule
10

11. Information Security Model
Confidentiality
Limiting information access and
disclosure to authorized users (the right
people)
Integrity
Trustworthiness of information
resources (no inappropriate changes)
Availability
Availability of information resources (at
the right time)
11

12. Protected Health Information(PHI)
Health
Information
Individually
Identifiable
Health
Information
PHI
12

13. ePHI – 18 Elements
Elements Examples
Name Max Bialystock
1355 Seasonal Lane
Address (all geographic subdivisions smaller than state,
including street address, city, county, or ZIP code)
Dates related to an individual Birth, death, admission, discharge
212 555 1234, home, office, mobile etc.,
Telephone numbers
212 555 1234
Fax number
Email address LeonT@Hotmail.com, personal, official
Social Security number 239-68-9807
Medical record number 189-88876
Health plan beneficiary number 123-ir-2222-98
Account number 333389
Certificate/license number 3908763 NY
Any vehicle or other device serial number SZV4016
Device identifiers or serial numbers Unique Medical Devices
Web URL www.rickymartin.com
Internet Protocol (IP) address numbers 19.180.240.15
Finger or voice prints finger.jpg
Photographic images mypicture.jpg
Any other characteristic that could uniquely 13
identify the individual

14. Examples of ePHI (and not ePHI)
Examples of ePHI: Examples of NOT ePHI:
 magnetic tape  paper files
 disk or optical disk  “paper to paper” faxes
 computerized information  person-to-person
 internet transmission telephone calls
 network information  video teleconferencing
 telephone response and  voicemail messages
“fax back” (a request for
information from a
computer made via voice
or telephone keypad input
with the requested
information returned as a 14
fax)

15. Security Standards: General Rules
§ 164.306
What are “Required” Standards?
If the standard is stated as “Required” , A covered entity and
business associate must comply with that standard.
What are “Addressable” standards?
If the standard is stated as “Addressable”, the covered entity or
business associate must assess if the implementation specification
is a reasonable and appropriate safeguard in its environment with
reference to e-PHI. If application then take measures to implement
it.
15

16. Security Standards: General Rules
§ 164.306
What if “Addressable” standards are not applicable to the
covered entities environment?
Document why it is not applicable and implement an equivalent
alternative measure if reasonable and appropriate.
How often the security should be reviewed?
Security standard mentioned under HIPAA should be reviewed and
modified as needed to continue provision of reasonable and
appropriate protection of electronic protected health information.
16

17. HIPAA Security Rule
17

18. HIPAA Security Rule – Administrative
Safeguards § 164.308
18

19. HIPAA Security Rule – Administrative
Safeguards § 164.308 ( Contd.)
19

20. HIPAA Act
20

21. HIPAA Security Rule – Physical
Safeguards § 164.310
21

22. HIPAA Security Rule
22

23. HIPAA Security Rule – Technical
Safeguards § 164.312
23

24. Healthcare Infrastructure
 Computers
 Storage Devices
 Networking devices (Routers,
Switches & Wireless)
 Medical Devices
 Scanners, fax and
Any device that photocopiers
electronically stores or  VoIP
transmits information  Smart-phones, Tablets (ipad,
using a software
PDAs)
program 24
 Cloud-based services

25. Trends in Healthcare IT
Informatics Collaboration
Mobile EHR
Computing HIE
25

26. Handheld Usage in Healthcare
• 25% usage with providers
• Another 21% expected to use
• 38% physicians use medical
apps
• 70% think it is a high priority
• 1/3 use hand-held for accessing EMR/EHR
26
compTIA 2011 Survey

27. EMR and EHR systems
27

28. Health Information Exchange (HIE)
28

29. Social Media
 How does your practice use it?
 How do your employees use it?
 Do you have policies?
29

30. Cloud-based services
 Public Cloud
 EHR Applications
HIPAA regulations  Private-label e-mail
remain barriers to full
cloud adoption
 Private Cloud
 Archiving of Images
 File Sharing
Cloud Computing is taking
all batch processing, and  On-line Backups
farming it out to a huge
central or virtualized
 Hybrid 30
computers.

31. Informatics
31

32. Sample Risk Analysis Template
Likelihood
High Medium Low
High Unencrypted Lack of auditing on Missing security
laptop ePHI EHR systems patches on web server
hosting patient
information
Impact
Medium Unsecured Outdated anti-virus External hard drives
wireless network software not being backed up
in doctor’s office
Sales presentation Web server backup Weak password on
Low on USB thumb tape not stored in a internal document
drive secured location server
32

33. HIPAA Security Rule Standard Implementati Yes/No/Comm
HIPAA Sections Implementation Specification on Requirement Description Solution ents
Policies and procedures to manage
164.308(a)(1)(i) Security Management Process Required security violations
164.308(a)(1)(ii)( Penetration test, vulnerability
A) Risk Analysis Required Conduct vulnerability assessment assessment
SIM/SEM, patch management,
164.308(a)(1)(ii)( Implement security measures to reduce vulnerability management, asset
B) Risk Management Required risk of security breaches management, helpdesk
164.308(a)(1)(ii)( Worker sanction for policies and Security policy document
C) Sanction Policy Required procedures violations management
164.308(a)(1)(ii)( Log aggregation, log analysis, security
D) Information System Activity Review Required Procedures to review system activity event management, host IDS
Identify security official responsible for
164.308(a)(2) Assigned Security Responsibility Required policies and procedures
Implement policies and procedures to
164.308(a)(3)(i) Workforce Security Required ensure appropriate PHI access
Mandatory, discretionary and role-
164.308(a)(3)(ii)( based access control: ACL, native OS
A) Authorization and/or Supervision Addressable Authorization/supervision for PHI access policy enforcement
164.308(a)(3)(ii)( Procedures to ensure appropriate PHI
B) Workforce Clearance Procedure Addressable access Background checks
164.308(a)(3)(ii)( Procedures to terminate PHI access Single sign-on, identity management,
C) Termination Procedures Addressable security policy document management access controls
Policies and procedures to authorize
164.308(a)(4)(i) Information Access Management Required access to PHI
164.308(a)(4)(ii)( Isolation Health Clearinghouse Policies and procedures to separate PHI Application proxy, firewall, mandatory
A) Functions Required from other operations UPN, SOCKS
164.308(a)(4)(ii)( Policies and procedures to authorize Mandatory, discretionary and role-
B) Access Authorization Addressable access to PHI based access control
164.308(a)(4)(ii)( Access Establishment and Policies and procedures to grant access Security policy document
C) Modification Addressable to PHI management
Training program for workers and
164.308(a)(5)(i) Security Awareness Training Required managers
164.308(a)(5)(ii)( Sign-on screen, screen savers,
A) Security Reminders Addressable Distribute periodic security updates monthly memos, e-mail, banners

34. Key Takeaways
 ePHI - Focus of HIPAA/HITECH Security &
Compliance
 HIPAA program secures technology
environments focusing on CIA
 HIPAA security assessment includes
administrative, technical and physical
safeguards
 The key HIPAA security requirement is to
conduct technical security analysis
34

35. Additional Resources
 Resources Section: ehr20.com/resources
 NIST toolkit
 HHS Website:
http://www.hhs.gov/ocr/privacy/hipaa/administrat
ive/securityrule/index.html
35

36. Next Steps
 Follow-us on social media
facebook.com/ehr20 (Like)
linkedin.com/company/ehr-2-0 (Follow us)
https://twitter.com/#!/EHR_20 (Follow)
 Next Live Webinars:
 OCR/HHS HIPAA/HITECH Audit Preparation ( 4/4/2012)
 Social Media Compliance for Healthcare Professionals(4/11/2012)
Sign-up at ehr20.com/webinars
 http://ehr20.com/services/
36

37. Questions?
E-mail: info@ehr20.com
37

38. Thank you!!
38