Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578

HIPAA - Privacy & Security in Health Care IT
Ray Trygstad, ITM 478/578, Spring 2004
Master of Information Technology & Management Program, Center for Professional Development

Learning Objectives
Upon completion of this lesson the student should be able to:
– Discuss the information security implications of the Health Insurance Portability and Accountability Act (HIPAA)
– Discuss the information security impact of the HIPAA Privacy Rule
– Describe the key components and implementation of the HIPAA Security Rule

What is HIPAA?
- Health Insurance Portability and Accountability Act (HIPAA)
  – Signed into law August 1996
- Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry
- Requires the Department of Health and Human Services (HHS) to adopt national uniform standards for electronic transmission of certain health information

Who is Affected? ("covered entities")
- All healthcare organizations
- All health care providers (even 1-physician offices)
- Health plans
- Employers
- Public health authorities
- Life insurers
- Clearinghouses
- Billing agencies
- Information systems vendors
- Service organizations
- Universities with health care curricula, or even just student health services
Anyone that transmits any health information in electronic form in connection with health care transactions.
(Strictly, the statute defines covered entities as health plans, health care clearinghouses, and health care providers that transmit health information electronically; the other organizations on this list are affected indirectly, for example as business associates, as sponsors of group health plans, or as recipients of PHI that need patient authorization.)

Standards for Electronic Transactions
- Standards for electronic health information transactions
- Within 18 months the HHS Secretary was required to adopt standards, from among those already approved by standards organizations, for certain electronic health transactions including:
  – Claims
  – Enrollment
  – Eligibility
  – Payment
  – Coordination of benefits
- Standards also must address the security of electronic health information systems

(18 Months?)
It's now been six years and standards are still not fully in place!
- Will not go into full effect until 2005! (Isn't government wonderful?)

More on the HIPAA Bill
- Providers and health plans are required to use the standards for specified electronic transactions 24 months after adoption
- Plans and providers may comply directly or use a health care clearinghouse
- HIPAA supersedes state laws, except state laws that impose more stringent requirements
- HIPAA imposes civil money penalties and prison for certain violations

Penalties for Violations
- Fines up to $25,000 for multiple violations of the same standard in a calendar year
- Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information with intent to sell it, or for commercial advantage, personal gain, or malicious harm
(These are the figures in the 1996 statute; later amendments raised the civil penalty amounts.)

HIPAA Privacy
- The HIPAA Privacy Rule went into effect in April 2003 (compliance date April 14, 2003)
- Restricts how covered entities may use and disclose individually identifiable health information
- Requires security for such data
- Grants individuals certain rights to access and correct their personal health information

HIPAA Privacy Requirements
- HIPAA requires covered entities to:
  – Have written privacy procedures, including
    • A description of the staff granted access to protected information
    • How it will be used
    • When it may be disclosed
    • Business associates (including IT vendors!) with access to protected information must agree to the same limitations on use and disclosure of that information
  – Train employees in the privacy procedures
  – Designate someone responsible for ensuring the procedures are followed (the "HIPAA czar")

HIPAA Privacy Requirements
- The rule permits covered entities to disclose health information for specific public responsibilities:
  – emergency circumstances
  – identification of the body of a deceased person, or the cause of death
  – public health needs
  – research using a limited data set, or research independently approved by an Institutional Review Board or privacy board
  – oversight of the health care system
  – judicial and administrative proceedings
  – limited law enforcement activities
  – activities related to national defense and security
- Equivalent requirements exist for government entities

HIPAA Security Rule
- First government-mandated framework for an information security policy covering non-governmental entities
- Published in February 2003
- Covered entities (CEs) must be in compliance by April 21, 2005
- Portions of the Security Rule that implement the Privacy Rule were effective in April 2003

HIPAA Security Rule
Covered entities are required to observe Privacy Rule requirements with respect to all Protected Health Information (PHI) in any form, electronic or not, but the Security Rule applies only to PHI in electronic form (ePHI).

Requirements of HIPAA Security Rule
- Maintain reasonable & appropriate administrative, technical and physical safeguards to
  – Ensure the integrity and confidentiality of the information (the Security Rule itself adds availability)
  – Protect against
    • any reasonably anticipated threats or hazards to the security or integrity of the information
    • unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by the Privacy Rule
  – Otherwise ensure compliance with this part by officers & employees

Three Categories of Safeguards
The rule outlines 3 categories of safeguards to establish a minimum level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards

Three Categories of Safeguards
- Administrative safeguards: Ensure that formal policies for overseeing implementation and management of security measures are established and implemented
- Physical safeguards: Ensure that facilities where electronic information systems are housed are protected from intrusions and other hazards
- Technical safeguards: Ensure only authorized access to electronic protected health information is permitted, through implementation of firewalls, passwords, and other measures

Principles of the Security Rule
- Scalability
  – Any size healthcare entity must be able to comply with the rule
- Comprehensiveness
  – Meant to result in a unified system of protection for PHI
  – CEs must use a defense-in-depth security approach
- Technology neutral
  – No specific technology recommendations (e.g., specific type of firewall, IDS, access control system)
  – Each CE must choose appropriate technology to protect PHI

Principles of the Security Rule
- Internal and external security threats
  – Must protect PHI against both internal and external threats
- Minimum standard
  – Defines the least that CEs must do to protect PHI (they may choose to do more)
- Risk analysis
  – Requires CEs to conduct a thorough & accurate risk analysis that considers "all relevant losses" that would be expected if specific security measures are not in place
  – "Relevant losses" include losses caused by unauthorized use and disclosure of data and by unauthorized modification of data

Security Rule Key Concepts
- Principle based
  – Presents a series of security best practices and principles with which CEs must comply
  – Step-by-step checklists are not provided
- Reasonableness
  – CEs must do everything appropriate to avert all reasonably anticipated risks to PHI
  – CEs must balance resources and business requirements against risks to PHI
- Full compliance
  – All CE staff, including management and those working at home, must comply

Security Rule Key Concepts
- Developed from multiple security guidelines and standards
  – Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI
  – Therefore the rule is based on many different security guidelines, standards, and best practices
- Documentation
  – CEs must document a variety of security processes, policies, and procedures
  – CEs must document Security Rule implementation decisions
- Ongoing compliance
  – CEs must regularly train employees
  – CEs must revise security policies and procedures as needed

Standards & Specifications
- The rule breaks down into 18 standards and 36 implementation specifications (as tallied by the SANS HIPAA Consensus Research Project cited on the next slide)
- A standard explains what a CE must do
- An implementation specification explains how to do it
- 12 standards have associated implementation specifications; 6 do not
- 14 implementation specifications are required; 22 are addressable

Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)
  – Standards with Implementation Specifications (12)
  – Standards without Implementation Specifications (6)
Implementation Specifications
  – Required (14)
  – Addressable (22)
Source: Weil, Steven, HIPAA Consensus Research Project, SANS Institute, 2003; http://www.sans.org/projects/hipaa.php

Required and Addressable
- Required specifications are, well, required and must be implemented
- Addressable implementation specifications leave CEs with three possible choices
  – Implement the specification if reasonable and appropriate
  – Implement an alternative security measure that accomplishes the purposes of the standard
  – Implement nothing, if the specification is not reasonable & appropriate and the standard can still be met

Addressable Specification Choices
- If an implementation specification is reasonable & appropriate, the CE must implement it
- If an implementation specification is not reasonable & appropriate, but the standard cannot be met without an appropriate security measure, the CE must
  – Document why it would not be reasonable & appropriate to implement
  – Implement & document alternative security measure(s) that accomplish the same purpose

Addressable Specification Choices
- If an implementation specification is not reasonable & appropriate, but the standard can be met without an appropriate security measure, the CE must
  – Document the decision not to implement
  – Document why it would not be reasonable & appropriate to implement
  – Document how the standard is being met

Addressable Specification Choices
- Factors to take into account when deciding how to respond to addressable specifications:
  – Size, complexity, & capabilities of the organization
  – Existing technical infrastructure, hardware, and software security capabilities
  – Costs of security measures
  – Likelihood & seriousness of potential risks to PHI

Implementing HIPAA
Specifications can be implemented in any order, as long as the standards are met by the deadline.
The CE may use any security measures that allow it to reasonably and appropriately implement the rule.
Breakdown of Specifications
Administrative Safeguards (55%)
– 12 Required, 11 Addressable
Physical Safeguards (24%)
– 4 Required, 6 Addressable
Technical Safeguards (21%)
– 4 Required, 5 Addressable
(These per-category counts sum to 20 required and 22 addressable specifications, 42 in all, whereas the SANS tally on the "Standards & Specifications" slide gives 36 with 14 required; the totals differ in how standards that carry no separate implementation specification are counted. Either way, every addressable specification still has to be assessed and the decision documented.)

Administrative Safeguards
Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
Assigned security responsibility
– One individual (not an organization) with responsibility (R)

Risk Assessment / Analysis
Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate security to address business requirements
  • Does not imply that organizations are given complete discretion to make their own rules
– Document security decisions

Assigned Security Responsibility
- Chief Information Security Officer (CISO) or Information Security Officer (ISO)
- Large organizations may have site-security coordinators working with the CISO/ISO
- Security standards extend to CE employees even if they work at home, as many transcriptionists do

Administrative Safeguards
Workforce Security
– Authorization and/or supervision (A)
– Workforce clearance procedure (A)
– Termination procedures (A)
Information access management
– Minimum necessary rule

Workforce Security
Authorization and supervision controls determine which workforce members are permitted to access PHI, and under whose supervision; verifying that a person is who they claim to be is a separate (technical) authentication control.
The clearance procedure describes the types of background checks that will be conducted for employees.
Termination procedures include collecting access control devices, revoking system accounts, or changing door locks, etc.

Administrative Safeguards
Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures
– Response and Reporting (R)

Administrative Safeguards
Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)

Awareness & Training
- "Security awareness training is a critical activity, regardless of an organization's size."
- Training, Education and Awareness (TEA)
  – Awareness training for all personnel (including management)
  – Periodic security reminders
  – User education concerning virus protection
  – User education in the importance of monitoring login success or failure, and how to report discrepancies
  – User education in password management

Security Incident Procedures
Provides methods for users to report unusual security occurrences or breaches of patient confidentiality.
Goals:
– Identify
– Contain
– Correct
– Prevent

Administrative Safeguards
Evaluation
– Periodic review of technical controls and procedural review of the security program
Business Associate contracts
– Written Contract or Other Arrangement (R)
  • Identify business associates who receive or have access to PHI
  • Tie these efforts in with the Privacy initiative
  • Establish rules for vendor remote access

Physical Safeguards
Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)
Workstation Use
– Includes portable devices

Facility Access Control
The goal is to protect buildings, systems, and data media from natural and environmental hazards and from unauthorized access or intrusions.
Ensure records are kept of all maintenance, especially locksmith work.

Physical Safeguards
Workstation Security
Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)

Workstation Use & Security
Both standards could be covered in one policy.
Ensure workstation locations will not allow casual viewing by unauthorized personnel.
Audit systems to ensure all PCs/laptops have the latest version of virus definitions installed.

Device & Media Controls
"Device" was included to address storage devices such as PDAs.
Media re-use requires that ePHI be removed from media before it is made available for re-use; this lecture recommends sanitization to DoD-style standards (repeatedly overwriting the entire disk with ones and zeros). Overwriting only sanitizes media that the host can actually address in full; media that cannot be reliably overwritten should be physically destroyed rather than re-used, and each sanitization should be recorded under the Accountability specification.

Technical Safeguards
Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls (a standard with no separate implementation specifications)

Technical Safeguards
Integrity
– Mechanism to Authenticate Electronic PHI (A)
Person or entity authentication (a standard with no separate implementation specifications)
Transmission security
– Integrity controls (A)
– Encryption (A)
Access Control
- Unique user identification for accountability is critical for clinical applications
  – Disallows use of Windows 98/ME (weak user identification & controls)
- Automatic logoff permits an equivalent measure to restrict access (password-protected screen saver? XP user switching?)
- Encryption serves as an access control method for data at rest
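The access-control items above (unique user identification, the emergency access procedure, automatic logoff) and the minimum-necessary rule from the Information Access Management standard are easiest to see working together in code. The following Python is an added example written for this page, not code from the lecture or from any product; the roles, field lists, user names, the 15-minute idle timeout and the patient record are all constructed assumptions.

```python
"""Added example for this page (not the lecture's own code): a minimal
access-control layer for a hypothetical clinical application that shows
unique user identification, minimum-necessary (role-based) access, a logged
break-glass emergency-access procedure and automatic logoff together.
Roles, field lists, user names, the idle timeout and the record are all
constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum-necessary policy: the record fields each role may read.
# Constructed for this example; a real CE derives this from its risk analysis.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
}
IDLE_TIMEOUT = timedelta(minutes=15)   # assumed automatic-logoff threshold


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user_id: str            # one ID per individual, never a shared "nurse1"
    role: str
    last_activity: datetime
    break_glass: bool = False


@dataclass
class AccessLog:
    """Stand-in for the audit trail; every decision lands here."""
    events: list = field(default_factory=list)

    def record(self, **event):
        self.events.append(event)


def invoke_break_glass(session, reason, log):
    """Emergency access procedure: access is granted, but never silently."""
    session.break_glass = True
    log.record(user=session.user_id, action="break_glass_enabled", reason=reason)


def read_record(session, record, fields, now, log):
    """Return only the requested fields the session may see; raise otherwise.
    Allow, deny, break-glass and auto-logoff are all written to the log so the
    Information System Activity Review has something to review."""
    # Automatic logoff: an idle session is treated as already logged out.
    if now - session.last_activity > IDLE_TIMEOUT:
        log.record(user=session.user_id, action="auto_logoff", record=record["id"])
        raise AccessDenied("session expired; re-authenticate")
    session.last_activity = now

    if session.break_glass:
        allowed = set(record) - {"id"}       # full record, but flagged as emergency
        action = "break_glass_read"
    else:
        allowed = ROLE_FIELDS.get(session.role, set())
        action = "read"

    denied = set(fields) - allowed
    if denied:
        log.record(user=session.user_id, action="deny", record=record["id"],
                   fields=sorted(denied))
        raise AccessDenied(f"{session.role} may not read {sorted(denied)}")
    log.record(user=session.user_id, action=action, record=record["id"],
               fields=sorted(fields))
    return {f: record[f] for f in fields}


def demo():
    """Walk the four controls over a constructed record; returns the outcomes
    and the resulting log so they can be inspected or asserted on."""
    log = AccessLog()
    t0 = datetime(2004, 3, 1, 9, 0)
    record = {"id": "pt-1001", "name": "A. Patient", "dob": "1960-01-01",
              "diagnosis": "constructed-dx", "medications": "constructed-rx",
              "insurance_id": "INS-42", "notes": "constructed-notes"}
    out = {}

    physician = Session("jdoe", "physician", t0)
    out["physician_reads"] = read_record(physician, record, ["name", "diagnosis"],
                                         t0 + timedelta(minutes=1), log)

    biller = Session("bclerk", "billing", t0)
    try:                        # minimum necessary: billing has no clinical need
        read_record(biller, record, ["name", "diagnosis"], t0 + timedelta(minutes=1), log)
        out["billing_denied"] = False
    except AccessDenied:
        out["billing_denied"] = True

    nurse = Session("rnurse", "nurse", t0)
    try:                        # 20 idle minutes exceeds the 15-minute timeout
        read_record(nurse, record, ["name"], t0 + timedelta(minutes=20), log)
        out["idle_logged_off"] = False
    except AccessDenied:
        out["idle_logged_off"] = True

    invoke_break_glass(biller, "ER: attending unavailable, patient unresponsive", log)
    out["break_glass_read"] = read_record(biller, record, ["diagnosis"],
                                          t0 + timedelta(minutes=2), log)
    out["log"] = log.events
    return out


if __name__ == "__main__":
    for event in demo()["log"]:
        print(event)
```

A real application would still need authentication in front of this (the Person or Entity Authentication standard) and would feed the log into something tamper-evident; the point here is that break-glass is a first-class, logged path rather than a shared superuser account, and that an idle session is denied and logged rather than silently allowed through.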
Audit Controls
- Risk assessment and analysis can be used to determine the necessary intensity of audit trails
- Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers
- Store audit logs on a separate server
- Do not allow system administrator access to audit logs
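The last two bullets are about keeping the audit trail trustworthy when the people who run the systems are the ones under review. The Python below is an added example, not from the lecture or any product: each entry carries the hash of the previous one and an HMAC under a key the system administrator does not hold (assumed to be provisioned out of band to the Security Officer or the separate log server); the events, user names and key are constructed. The same mechanism also serves the Integrity standard's "mechanism to authenticate ePHI" from the previous slide, applied here to the log itself.

```python
"""Added example for this page (not the lecture's own code): an append-only
audit trail whose entries are hash-chained and sealed with an HMAC under a
key the system administrator does not hold. The key is assumed to be
provisioned out of band to the Security Officer or the separate log server;
the events, user names and key below are constructed."""
import hashlib
import hmac
import json

CHAIN_ANCHOR = "0" * 64   # the chain starts from this fixed value


def _canonical(entry):
    """Stable byte encoding so every verifier hashes the same bytes."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _entry_hash(entry):
    return hashlib.sha256(_canonical(entry)).hexdigest()


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key            # never on the same box as the admins' root
        self.entries = []          # what is shipped to the separate log server
        self.head = CHAIN_ANCHOR   # hash of the latest entry

    def append(self, **event):
        body = {"seq": len(self.entries), "prev": self.head, **event}
        mac = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        entry = {**body, "mac": mac}
        self.head = _entry_hash(entry)
        self.entries.append(entry)
        return entry


def chain_head(entries):
    """Hash of the last entry, or the anchor for an empty trail."""
    return _entry_hash(entries[-1]) if entries else CHAIN_ANCHOR


def verify(entries, key):
    """Recheck sequence numbers, the hash chain and every MAC.
    Returns (True, None) or (False, index of the first bad entry)."""
    prev = CHAIN_ANCHOR
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i          # entry edited, removed or reordered
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i          # content changed, or forged without the key
        prev = _entry_hash(entry)
    return True, None


def demo():
    """Build a trail, then try the three edits a hostile admin might make."""
    key = b"security-officer-only-key"       # assumption: held off the app server
    trail = AuditTrail(key)
    trail.append(user="jdoe", action="read", record="pt-1001")
    trail.append(user="jdoe", action="read", record="pt-1002")
    trail.append(user="bclerk", action="break_glass_read", record="pt-1001")

    edited = [dict(e) for e in trail.entries]
    edited[1]["user"] = "someone_else"       # rewrite who did it

    removed = trail.entries[:1] + trail.entries[2:]   # drop an embarrassing line

    truncated = trail.entries[:2]            # cut off the tail

    return {
        "intact": verify(trail.entries, key),
        "edited": verify(edited, key),
        "removed": verify(removed, key),
        # A pure tail cut still verifies: the chain only proves what is present...
        "truncated": verify(truncated, key),
        # ...which is why the current head is also stored with the log server.
        "truncation_detected": chain_head(truncated) != trail.head,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Nothing here stops an administrator from deleting the whole file; that is what the separate log server is for. What the chain and MAC buy is that any surviving log either verifies as genuine or points at the first entry that was touched, and that tail truncation shows up as a head mismatch against the copy the log server keeps.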
Transmission Security
"…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk."
There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions.

Organizational Requirements
Business Associate (BA) Agreements
– Contractual agreements are required before BAs can access PHI
– BAs must follow the HIPAA Business Associate rules (next slide)
– Applies to subcontractors of BAs as well
A CE may require a business associate to meet even higher security standards.

Rules for Business Associates
Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the PHI they access on behalf of the CE.
Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards.
Report any security incident to the CE.

Rules for Business Associates
Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the Security Rule.
Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract.

Policy & Procedure Documentation
Implement reasonable and appropriate policies and procedures.
Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation periodically

Resources
Works used in the preparation of this lecture:
– Beaver, Kevin (2003). HIPAA Security Rule FAQ. Principle Logic. http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
– Birnbach, Deborah S. and Gametchu, Mayeti (2003). "How HIPAA's security rule could affect IT." Computerworld, April 30, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
– Higher Education Information Technology (HEIT) Alliance (undated). Privacy. http://www.heitalliance.org/issues/privacy.asp
– Hollander, Jay (2003). Medical Privacy: Understanding HIPAA's Security Rule. http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
– New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated). HIPAA Overview. http://www.nhdds.org/nhddsit/HIPAA/overview.html
– Walsh, Tom (2001). Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc. http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
– Walsh, Tom (2003). HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications: Are You Correctly Addressing Them? (PowerPoint presentation). Tom Walsh Consulting LLC.
– Weil, Steven (2003). HIPAA Consensus Research Project. The SANS Institute. http://www.sans.org/projects/hipaa.php

The End…
Questions?