HIPAA 101 Basic Session

Transcription

HIPAA 101 Basic Session
HCCA Compliance Institute April 2005
1
GROUND RULES
THIS IS A BASIC SESSION
If you expected something beyond the basics, this is not the session to attend
  - You are welcome to stay
  - However, if you stay you cannot write on your evaluation that this was too basic
Please turn your cell phones and pagers to vibrate or off.
2
Agenda
1. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
2. Transaction Code Sets
3. National Provider Identifier (NPI)
4. Privacy Regulations
5. Security Regulations
3
Health Insurance Portability and
Accountability Act of 1996 (HIPAA)
Health insurance access, portability,
and renewal
Attempts to prevent healthcare fraud
and abuse
Allows health insurance tax deduction
for self-employment
Promotes administrative simplification
4
Transaction Code Sets
Compliance Date:
Original October 16, 2002
(except small health plans – 2003)
Extension October 16, 2003
5
Transaction Code Sets
(1) Original:
  Proposed: May 7, 1998
  Published: August 17, 2000
  - Federal Register Volume 65, Number 160, pp 50312-50372
  Effective Date: October 16, 2000
(2) Modifications:
  Proposed: May 31, 2002
  Published: February 20, 2003
  - Federal Register Volume 68, Number 34, pp 8381-8399
  Effective Date: March 24, 2003
Documents can be located at:
1. http://www.cms.hhs.gov/hipaa/hipaa2/regulations/transactions/finalrule/txfinal.pdf
2. http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf
6
Administrative Simplification
Defines standards for electronic transaction submission
Establishes standard code sets
Establishes unique identifiers
7
Administrative Simplification
Standard Electronic Transactions
- 837I (institutional claim)
- 837P (professional claim)
- 835 (payment and remittance advice)
- 270/271 (eligibility inquiry and response)
- 276/277 (claim status inquiry and response)
- 278 (referral certification and authorization)
- 834 (health plan enrollment / disenrollment)
- 820 (health plan premium payment)
- 275 (claims attachment; proposed)
8
Administrative Simplification
Standard Code Sets
- ICD-9-CM (diagnoses and procedures)
- NDC (national drug codes)
- CPT-4 (physician procedures)
- HCPCS (ancillary services/procedures)
- CDT (dental terminology)
No more local codes
9
Administrative Simplification
Standard Identifiers
- Employer Identification Number (EIN)
- National Provider Identifier (NPI)
- Health Plan (Payer) Identifier (forthcoming)
Claims Attachment Standards (forthcoming)
10
837 (Institutional & Professional)
Requires:
- Billing provider employer identification number (EIN) or Social Security number (SSN).
- Pay-to provider EIN or SSN.
- Rendering provider EIN or SSN.
Many physicians are refusing to give out this information where they are not the billing or pay-to providers, i.e., they are performing a service for a hospital.
Hospitals have been substituting their own EIN where they can't get the physicians'.
Medicare is allowing a "dummy" EIN for the second reference when the physician EIN/SSN is unknown: 999999999 can be substituted for the valid value.
11
Enforcement Approach
Centers for Medicare & Medicaid Services (CMS) is
responsible for enforcing the electronic transactions
and code sets provisions of the law.
CMS will focus on obtaining voluntary compliance
and use a complaint-driven approach for enforcement
of HIPAA’s electronic transactions and code sets
provisions.
When CMS receives a complaint about a covered
entity, it will notify the entity in writing that a complaint
has been filed.
12
Enforcement Approach
Following notification from CMS, the entity will have the opportunity to:
- demonstrate compliance
- document its good faith efforts to comply with the standards, and/or
- submit a corrective action plan.
13
Demonstrating Compliance
Covered entities will be given an
opportunity to demonstrate to CMS that
they submitted compliant transactions.
14
Good Faith Policy
CMS recognizes that transactions often require the
participation of two covered entities and that
noncompliance by one covered entity may put the
second covered entity in a difficult position.
CMS intends to look at both covered entities’ good
faith efforts to come into compliance with the
standards in determining, on a case-by-case basis,
whether reasonable cause for the noncompliance
exists and, if so, the extent to which the time for
curing the noncompliance should be extended.
15
Good Faith Policy
CMS will not impose penalties on covered entities that
deploy contingencies (in order to ensure the smooth
flow of payments) if they have made reasonable and
diligent efforts to become compliant and, in the case of
health plans, to facilitate the compliance of their
trading partners.
Specifically, as long as a health plan can demonstrate
to CMS its active outreach/testing efforts, it can
continue processing payments to providers. In
determining whether a good faith effort has been
made, CMS will place a strong emphasis on sustained
actions and demonstrable progress.
16
Examples of Good Faith
• Increased external testing with trading partners.
• Lack of availability of, or refusal by, the trading
partner(s) prior to October 16, 2003 to test the
transaction(s) with the covered entity whose
compliance is at issue.
• In the case of a health plan, concerted efforts in
advance of the October 16, 2003 and continued
efforts afterwards to conduct outreach and make
testing opportunities available to its provider
community.
17
CMS Complaint Form
Complaint Type
- Non-Compliant Data Received
- Compliant Data Sent and Rejected
- Invalid Companion Guide
- Privacy Violation
- Other, HIPAA Administrative Simplification Act Violation
- Other
18
National Provider Identifier (NPI)
Health plans assign identification numbers to health care providers -- individuals, groups, or organizations that provide medical or other health services or supplies. The result is that providers who do business with multiple health plans have multiple identification numbers. The NPI is a unique identification number for health care providers that will be used by all health plans.
- Final rule – January 23, 2004
- Effective date – May 23, 2005
- Compliance date – May 23, 2007
- Small health plans – May 23, 2008
19
National Provider Identifier
(NPI)
The NPI is a 10-position numeric identifier
with a check digit in the last position to help
detect keying errors.
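The slide says only that the tenth position is a check digit. As an added worked example (not from the slides and not CMS code), the functions below compute and validate that digit the way the CMS NPI specification defines it: the Luhn formula (ISO/IEC 7812) applied to the 9-digit base prefixed with the constant issuer identifier "80840". The prefix and the use of Luhn are from the CMS specification, not from the slide; the candidate numbers in the usage are constructed, except that 1234567893 is the example CMS itself uses in its check-digit guidance.

```python
"""NPI check-digit validation (added example, not CMS code).

The NPI is 10 digits; the tenth is a check digit.  Per the CMS NPI
specification it is the Luhn formula applied to the 9-digit base
prefixed with the constant issuer identifier "80840".  The prefix is
fixed, so it always contributes 24 to the Luhn sum.
"""
NPI_PREFIX = "80840"


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum: walking from the rightmost digit leftwards,
    double every second digit starting with the rightmost one, and
    subtract 9 from any doubled value above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(base9: str) -> str:
    """Digit that makes the full '80840' + base + check number a
    multiple of 10 under the Luhn weighting."""
    if len(base9) != 9 or not base9.isdigit():
        raise ValueError("NPI base must be exactly 9 digits")
    return str((10 - luhn_sum(NPI_PREFIX + base9) % 10) % 10)


def npi_is_valid(npi: str) -> bool:
    """True only for a 10-digit string whose last digit is the correct
    check digit.  Luhn catches every single mistyped digit and every
    adjacent transposition except 09/90; it is a keying check, not
    proof that the NPI was ever issued."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == npi[9]


if __name__ == "__main__":
    # 1234567893 is the worked example in CMS's check-digit guidance;
    # the others are constructed keying errors (wrong digit, swapped
    # digits, missing digit).
    for candidate in ("1234567893", "1234567890", "1324567893", "123456789"):
        print(candidate, npi_is_valid(candidate))
```

Because the prefix is constant, an implementation can skip it and add 24 to the Luhn sum of the 9-digit base; the code keeps the prefix so the computation matches the specification's description line for line.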
20
Uses of the NPI
The NPI must be used in connection with the electronic transactions identified in HIPAA.
The NPI may be used in several other ways:
- (1) by health care providers to identify themselves in health care transactions identified in HIPAA or on related correspondence;
- (2) by health care providers to identify other health care providers in health care transactions or on related correspondence;
- (3) by health care providers on prescriptions (however, the NPI could not replace requirements for the Drug Enforcement Administration number or State license number);
- (4) by health plans in their internal provider files to process transactions and communicate with health care providers;
21
Uses of the NPI (cont.)
- (5) by health plans to coordinate benefits with other health plans;
- (6) by health care clearinghouses in their internal files to create and process standard transactions and to communicate with health care providers and health plans;
- (7) by electronic patient record systems to identify treating health care providers in patient medical records;
- (8) by the Department of Health and Human Services to cross reference health care providers in fraud and abuse files and other program integrity files;
- (9) for any other lawful activity requiring individual identification of health care providers, including activities related to the Debt Collection Improvement Act of 1996 and the Balanced Budget Act of 1997.
22
Questions & Answers
23
What health care transactions are required to use the standards under this regulation?
1. Health claims and equivalent encounter information.
2. Enrollment and disenrollment in a health plan.
3. Eligibility for a health plan.
4. Health care payment and remittance advice.
5. Health plan premium payments.
6. Health claim status.
7. Referral certification and authorization.
8. Coordination of benefits.
24
Who is required to use the standards?
All private sector health plans (including managed care organizations and ERISA plans), government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs), all health care clearinghouses, and all health care providers that choose to submit or receive these transactions electronically are required to use these standards.
25
Do I have to use standard transactions
when conducting business inside my
corporate boundaries?
The decision on when a standard must
be used does not depend on whether
the transaction is being sent inside or
outside corporate boundaries. Instead,
a simple two part test, in question form,
can be used to determine whether the
standards are required.
26
Two Part Test
Question 1: Is the transaction initiated by a covered entity or its business associate? If no, the standard need not be used.
Question 2: Is the transaction one for which the Secretary has adopted a standard? If yes, the standard must be used. If no, the standard need not be used.
27
What is the effect on State law?
Section 1178 of the Social Security Act provides that standards for the transactions will supersede any State law that is contrary to them, but allows for an exception process.
28
Does the law require physicians to
buy computers?
No, there is no such requirement. However,
more physicians may want to use computers
for submitting and receiving transactions such
as health care claims and
remittances/payments electronically.
Remember that submission of paper claims
to Medicare may result in slower payment.
29
How will the standards affect data
stored in my system?
The transaction standards will apply only to
electronic data interchange (EDI) -- when
data are transmitted electronically between
health care providers and health plans as part
of a standard transaction. Data may be stored
in any format as long as it can be translated
into the standard transaction when required.
Security standards, on the other hand, will
apply to electronic protected health
information.
30
Privacy Standards
I said to shred the document, not the person reading it!
31
What’s protected?
All medical records and other
individually identifiable health
information held or disclosed by a
covered entity in any form, whether
communicated electronically, on paper,
or orally.
32
HIPAA Identifiers
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
33
Covered Entities
Health Plans
Health Care Clearinghouses
Health Care Providers
34
Uses & Disclosures of PHI (overview diagram)
- Uses & Disclosures for TPO
- Uses & Disclosures with an opportunity to object
- Uses & Disclosures in the public interest
- Authorization
35
How can a covered entity use and disclose PHI?
- For Treatment, Payment & Healthcare Operations (TPO)
- Without an authorization if statutorily excepted
- After the patient has been given an opportunity to object
- Only with the patient's explicit permission
36
U & Ds without the patient’s
explicit permission.
Treatment, Payment & Health Care
Operations. 164.506
As required by law. 164.512
Marketing & fundraising (pursuant to
strict limitations)
37
U & Ds for TPO
Examples:
- A healthcare provider can discuss the patient's case with her colleagues to determine the best course of treatment
- A health plan can share information with the nursing home regarding payment for services
- A compliance office can obtain charts for compliance audits
38
U & Ds that do not require an authorization
Mandatory disclosures:
HIPAA only mandates disclosures in two instances. 164.502(a)
- To the patient, with some exceptions
- To the Secretary of DHHS to investigate an alleged privacy violation
39
U & Ds for Other Purposes
Permissive disclosures 164.512
Public Health Activities
Health Oversight Activities
Law Enforcement
Organ & Tissue Donation
Avert Serious Threat
Workers' Compensation
Report Abuse & Neglect
Legal Proceedings
Information about Decedents
Research
Specialized Gov. Functions
40
Public Health Activities
Prevent or control disease, injury or disability
Vital statistics, birth & deaths
Public health surveillance
Public health investigations
Report child abuse or neglect
FDA reporting
Alert individual of possible exposure to
communicable disease
Employers under limited circumstances
41
Report Abuse or Neglect
Report to authorities authorized by law to receive information about victims of abuse, neglect or domestic violence
- Based on reasonable belief
CE must inform the individual of the disclosure unless
- There is a reasonable belief this would place the individual at risk of serious harm, or
- It would mean informing a personal representative who is believed to be responsible for the abuse or neglect
42
Health Oversight Activities
Disclosures may be made to entities authorized by law to oversee:
- The health care system
- Government benefit programs for which health information is relevant to beneficiary eligibility
- Entities subject to government regulatory programs
- Entities subject to civil rights laws
43
Health Oversight Activities (cont.)
This does not include investigations where the individual is the subject of the investigation if it is not directly related to:
- The receipt of health care
- A claim for public benefits related to health, or
- Qualification for or receipt of a public benefit or service if health is integral to the claim
44
Legal Proceedings
Court orders
- Limited to the PHI expressly authorized
Subpoenas, discovery requests or other lawful process, if satisfactory assurances are received that either:
- The subject of the information has been notified & given a chance to object, or
- A qualified protective order has been requested, or
- The CE notifies the individual or seeks a protective order
45
Law Enforcement
If pursuant to process or otherwise
required by law
Identification and location
Victims of a crime
Decedents – if suspicion that death was
result of criminal conduct
Crime on the premises
Report crime in an emergency
46
Information about Decedents
Coroners & Medical examiners
- Determine cause of death
- Identification
- Other duties authorized by law
Funeral Directors
- Information necessary to carry out their duties
47
Organ and Tissue Donation
May disclose information necessary to
facilitate organ, eye, or tissue donation
48
Research
Waiver or alteration of authorization
approved by privacy board or IRB
Reviews preparatory to research
Research on decedents information
De-identified data
Limited data set used
49
De-identified data?
Data is de-identified once all of the following are removed (the same list as the HIPAA Identifiers slide):
(A) Names;
(B) Street address, city, county, precinct, zip code, and equivalent geo-codes;
(C) All elements of dates (except year) for dates directly related to an individual, and all ages over 89;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan ID numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers/serial numbers;
(N) Web addresses (URLs);
(O) Internet IP addresses;
(P) Biometric identifiers, incl. finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code.
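As an added example, not part of the slides, the script below applies these identifier classes to a constructed patient record: fields holding direct identifiers are dropped, dates are reduced to the year, ages over 89 are collapsed into a single category, and free-text notes are scanned for identifiers that leak in through prose (phone numbers, e-mail addresses, IP addresses, URLs, SSNs, dates). The field names are an assumed record layout. Two points from the rule text (45 CFR 164.514(b)(2)) that the slide abbreviates: for the over-89 group the rule also removes date elements, including the year, that would reveal the age, and it does permit keeping the first three digits of a ZIP code when the area they cover has more than 20,000 people. The example takes the stricter course and drops ZIP entirely.

```python
"""Safe Harbor style de-identification of one patient record.

Added example; field names ("name", "dob", "age", "zip", "notes", ...)
are an assumed layout, and the sample records are constructed.
"""
import re
from datetime import date

# Fields holding classes (A), (B) and (D) through (R): dropped outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct", "zip", "geocode",
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id", "account",
    "license", "vehicle", "plate", "device_serial", "url", "ip",
    "biometric", "photo",
}

# Identifiers that leak into free-text fields such as clinical notes.
# The patterns are deliberately broad: a false positive costs a word of
# text, a false negative discloses PHI.
TEXT_PATTERNS = {
    "date":  re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url":   re.compile(r"\bhttps?://\S+", re.IGNORECASE),
}


def generalize_age(age):
    """(C): every age over 89 is reported as the single category '90+'."""
    return "90+" if age > 89 else age


def scrub_text(text):
    """Reduce dates to the year and replace other identifier patterns
    with a typed placeholder, so a reviewer can see what was removed."""
    text = TEXT_PATTERNS["date"].sub(lambda m: "[" + m.group(1) + "]", text)
    for kind, pattern in TEXT_PATTERNS.items():
        if kind != "date":
            text = pattern.sub("[" + kind.upper() + "]", text)
    return text


def deidentify(record):
    """Return a new dict holding only the non-identifying fields."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                      # (A), (B), (D)-(R): drop the field
        if key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, date):
            # (C): year only.  For the over-89 group the rule text also
            # removes date elements, year included, that indicate the
            # age, so the birth date goes entirely.
            out[key] = None if (key == "dob" and over_89) else str(value.year)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample records; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "dob": date(1931, 5, 17),
    "age": 93,
    "zip": "40292",
    "admit_date": date(2004, 11, 3),
    "diagnosis": "E11.9",
    "notes": "Call 502-555-0134 or jane.doe@example.org; seen 11/03/2004 from 10.1.2.3",
}
SAMPLE_RECORD_UNDER_90 = {"age": 45, "dob": date(1960, 2, 29), "diagnosis": "J45.20"}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD_UNDER_90))
```

Pattern matching over free text is the weak link of any Safe Harbor implementation: names, addresses and account numbers written in prose have no reliable shape, which is why the rule's other route, expert determination, exists for datasets with narrative content.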
50
Avert a Serious Threat
May disclose PHI consistent with applicable law & standards of ethical conduct if the CE in good faith believes the disclosure is necessary to avert a serious & imminent threat to
- The public
- An individual
May not make the disclosure if the information is learned under certain conditions
51
Specialized Governmental
Functions
Military & veteran activities
National security
Protection of the President & others
Medical suitability determinations
Correctional institutions
CE that are governmental entities
providing public benefits
52
Workers’ Compensation
May disclose to the extent necessary to
comply with workers’ compensation
laws or other similar programs
53
U & Ds that require an opportunity to object. 164.510
Facility Directories
Family, Friends and others
- Involved in the patient's care
- Involved in payment for the patient's care
Notification
54
U & Ds Requiring an Authorization
All uses and disclosures of PHI that are not explicitly required or allowed under the regulations may only be done with an authorization.
- Marketing
- Fundraising
55
Patient's Rights Under HIPAA
Access and copy information 164.524
Request restriction of use for TPO or under 164.510(b)
Request confidential communication
An accounting of disclosures
Receive a copy of the notice of privacy practices
Request amendments
56
Request Restrictions
45 CFR 164.522(a)
Only applies to PHI used or disclosed
for TPO or pursuant to 164.510(b)
A covered entity is not required to agree
If the CE agrees, it is bound by the
restriction
57
Request Confidential Communications
45 CFR 164.522(b)
Providers
- Must accommodate reasonable requests
Health Plan
- Must accommodate if the individual clearly states that the disclosure of all or part of the information could endanger the individual
58
Access and Copy Information
45 CFR 164.524
Individuals have a right to access the PHI about them in a DRS (designated record set) except
- Psychotherapy notes
- Information prepared in reasonable anticipation of litigation
- Information subject to CLIA, if CLIA prohibits access
59
Access and Copy Information
Denial of access is non-reviewable if
- PHI is excepted from the right to access
- Individual is an inmate and access would jeopardize the facility
- Research information, if explained in the research authorization
- Information is subject to the Privacy Act
- Information obtained with a promise of confidentiality from someone other than a health care provider
60
Access and Copy Information
Reviewable grounds for denial
- A licensed health care professional believes access would endanger the individual or another person
- Information was received from another person and access could cause substantial harm to that individual
- Request is made by a personal representative and access could cause substantial harm to the individual
61
Access and Copy Information
Must have a process for review
Requests for access must be acted upon within 30 or 60 days
Can get one 30-day extension
Can charge for copies
62
Request an Amendment
Individual may have information in the DRS amended
CE may deny the request if
- It determines the information is correct
- The CE did not create the information
- The information is not part of the DRS
- The individual would not have the right to access under 164.524
CE must respond to the request within 60 days
63
Accounting of Disclosures
45 CFR 164.528
CE must account for all disclosures of PHI unless the disclosure was made
- For TPO
- With an authorization
- In a LDS (limited data set)
- As an incidental disclosure
- To the subject of the information
- For national security purposes
- Pursuant to 164.510
- Prior to 4/14/03
- To a correctional institution
64
Receipt of Notice of Privacy
Practices
45 CFR 164.520
Individual has a right to receive the
notice of privacy practices at their first
encounter after 4/14/03 or upon request
65
Other HIPAA Issues
Minimum Necessary
Organizational Arrangements
- Organized Health Care Arrangements
- Affiliated Covered Entities
- Hybrid Covered Entities
Business Associates
Group Health Plans
Miscellaneous issues
- Psychotherapy notes
- Verification processes
- Preemption of state law
66
Minimum Necessary
Role based access
- Assure that individuals only have access to the information needed to do their job
Disclosures
- Disclose only the minimum necessary for the purpose of the disclosure
Does not apply to disclosures made
- With an authorization
- To a provider for treatment
- To the subject of the information
- To the Secretary of DHHS
- As required by law
- As required to comply with the regulations
67
Organizational Arrangements
Organized Health Care Arrangements (OHCA)
- Clinically integrated
- More than one CE participates
Affiliated Covered Entities (ACE)
- Legally separate CEs that are affiliated by common ownership or control
Hybrid Covered Entity (HCE)
- Single covered entity with non-health care components
68
Business Associates
Business associates are entities that
perform services for or on behalf of a
CE involving PHI.
Must have a business associate
agreement
A CE can be the business associate of
another CE
69
Group Health Plans
Group health plans are covered entities
under HIPAA
The employer is not the covered entity
A GHP’s notice of privacy practices
requires a statement regarding the use
and disclosure for plan administrative
functions
70
Miscellaneous Issues
Psychotherapy notes
- Part of the DRS
- Require an authorization for uses and disclosures, even for TPO
Verification process
- Must verify that individuals to whom you are disclosing information are really who they say they are
71
Administrative Requirements
Designate a privacy official
Train members of the workforce on
privacy requirements
Safeguard PHI
Develop sanctions for violations of the
privacy policies and procedures
Establish a means for individuals to
complain about privacy violations
72
Individual Protection
North Carolina resident
Positive review & raise
3 weeks later diagnosed with genetic
disorder
Self-insured employer
Fired to avoid projected expenses
The Washington Post - December 2, 2000 p. A1
73
HIPAA Security and Privacy Incidents
California – UC Davis BA & survey
Washington – Criminal conviction of clinic employee
California – UC San Diego
Kentucky – Nursing home records found in street
Washington DC – Washington Hospital Center patient records and payroll information found behind National Arboretum (Washington Post, 6/25/04)
74
Kaiser Permanente – prospective
member saw information from another
prospective member’s application
Pennsylvania – women suing Pinnacle
Health over use of med record in
commercial for breast cancer
awareness
75
Security of Information
Drug company inadvertently revealed
600 patient e-mail addresses used to
remind patients to take their Prozac.
At the end of the reminder service the
list was sent to all participants.
The Washington Post - July 4, 2001 p. E1
76
Marketing
Medical marketing service advertised a
database available to pharmaceutical
marketers.
4.3 million people with allergies
923,000 people with bladder control
problems
See www.mmslists.com
77
Researchers
Office for Protection from Research Risks suspends more than 1,000 studies
Failure to gain consent of research subjects
Failure to safeguard data
The Washington Post - January 12, 2000 p. B7
78
Health Privacy Project
Institute For Health Care
Research and Policy
Georgetown University
www.healthprivacy.org
79
Questions & Answers
80
Security Standards
Compliance Date:
April 20, 2005
(Page 8376)
(except small health plans – 2006)
81
Security Standards
Proposed: August 12, 1998
Published: February 20, 2003
- Federal Register Volume 68, No. 34, pp 8334-8381
Effective Date: April 21, 2003
Document can be located at:
www.cms.hhs.gov/hipaa/hipaa2
82
Scope
All electronic PHI (ePHI)
In motion AND at rest (created, received,
maintained or transmitted)
To ensure confidentiality, integrity, and
availability
To protect against reasonably anticipated
threats or hazards, and improper use or
disclosure
(Page 8376)
83
Definitions
Confidentiality
- Only the right people see it
Integrity
- Only the right people change it (the rule's own definition at 164.304 is broader: data have not been altered or destroyed in an unauthorized manner, whether by a person or by a fault)
Availability
- Accessible and usable upon demand
Reasonably
- Your guess is as good as mine!
84
Who must comply?
A Covered Entity
(Same definition as T&Cs & Privacy)
A health plan
A health care clearinghouse
A health care provider*
*who transmits ePHI in a format covered by the EDI component of
HIPAA
(Page 8374)
85
Security vs. Privacy
Closely linked
Security enables Privacy
Security scope – addresses
electronic PHI
Privacy scope – addresses
electronic, paper and oral PHI
86
Security Threats
Active, evolving, never static
Goal: Controlling threats, by reasonable measures
- people oriented
- hackers, viruses, insiders, disgruntled persons
- must be actively managed by IT professionals
87
Standards
Standards are general requirements
Permits standards to be interpreted and implemented appropriately from the smallest provider to the largest plan
Administrative, physical and technical standards (APT)
Technology Neutral
Two overarching standards (APT)
- Policies and procedures, documentation
88
Policies and Procedures (sample policy hierarchy; see handout)
1.0.0 Corporate Information Security Policy
2.0.0 Record Processing
3.0.0 User Security
4.0.0 Incident Handling
5.0.0 Physical Safeguards for Information Assets
6.0.0 Contingency Planning
7.0.0 Information Security Administration
8.0.0 Technical Security Management
9.0.0 Bio-Med Info Asset Control
89
Implementation Specifications
Are more specific measures that pertain to a standard (Page 8380)
Required (R) – Covered entity MUST implement the specification in order to successfully implement the standard
Addressable (A) – Covered entity must:
- Consider the specification, and implement if appropriate
- If not appropriate, document the reason why not, and what WAS done in its place to implement the standard
90
Safeguards
Administrative
Physical
Technical
91
Administrative Safeguards
45 CFR 164.308
Security Management Process - 164.308(a)(1)
- Risk Analysis (R)
- Risk Management (R)
- Sanction Policy (R)
- Information System Activity Review (R)
Assigned Security Responsibility - 164.308(a)(2) (R)
Workforce Security – 164.308(a)(3)
- Authorization and/or Supervision (A)
- Workforce Clearance Procedure (A)
- Termination Procedures (A)
(Page 8377-8378)
92
Administrative Safeguards, cont.
Information Access Management - 164.308(a)(4)
- Isolating Health Care Clearinghouse Function (R)
- Access Authorization (A)
- Access Establishment and Modification (A)
Security Awareness and Training - 164.308(a)(5)
- Security Reminders (A)
- Protection from Malicious Software (A)
- Log-In Monitoring (A)
- Password Management (A)
93
Security Standards Training
Awareness training for all employees & staff
Vulnerabilities of the health information in the entity's possession
Policies/procedures that must be followed to ensure the protection of that information
Periodic security reminders
Education concerning computer viruses
Education in login procedures and password management
94
Administrative Safeguards, cont.
Security Incident Procedures – 164.308(a)(6)
- Response and Reporting (R)
Contingency Plan - 164.308(a)(7)
- Data Backup Plan (R)
- Disaster Recovery Plan (R)
- Emergency Mode Operation Plan (R)
- Testing and Revision Procedure (A)
- Application and Data Criticality Analysis (A)
Evaluation - 164.308(a)(8) (R)
Business Associate Contracts and Other Arrangements - 164.308(b)(1)
- Written Contract or Other Arrangement (R)
95
Physical Safeguards
45 CFR 164.310
Facility Access Controls - 164.310(a)(1)
- Contingency Operations (A)
- Facility Security Plan (A)
- Access Control and Validation Procedures (A)
- Maintenance Records (A)
(Page 8378)
96
Physical Safeguards, cont.
Workstation Use - 164.310(b) (R)
Workstation Security – 164.310(c) (R)
97
Physical Safeguards, cont.
Device and Media Controls - 164.310(d)(1)
- Disposal (R)
- Media Re-Use (R)
- Accountability (A)
- Data Backup and Storage (A)
98
Technical Safeguards
45 CFR 164.312
Access Controls - 164.312(a)(1)
- Unique User Identification (R)
- Emergency Access Procedure (R)
- Automatic Logoff (A)
- Encryption and Decryption (A)
Audit Controls - 164.312(b) (R)
Integrity - 164.312(c)(1)
- Mechanism to Authenticate Electronic Protected Health Information (A)
99
Technical Safeguards, cont.
Person or Entity Authentication - 164.312(d) (R)
Transmission Security - 164.312(e)(1)
- Integrity Controls (A)
- Encryption (A)
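The "Mechanism to Authenticate ePHI" and "Integrity Controls" specifications say what must be achieved, not how. As an added example, not from the slides, here is one common way to meet them for stored records: a keyed hash (HMAC-SHA256) computed over a canonical serialization of each record and checked on every read, so that a record altered in the database or in transit is rejected rather than trusted. The record layout, the record identifier format, and the key constant are assumptions; in practice the key lives in a key store separate from the record store, and record ids are assumed not to contain a NUL byte.

```python
"""Integrity mechanism for stored ePHI: HMAC-SHA256 over each record.

Added example.  KEY is a constructed constant standing in for a key
fetched from a key store; the record layout is assumed.
"""
import hashlib
import hmac
import json

# Constructed 32-byte key for the example; never store the key with the
# records it protects.
KEY = bytes(range(32))


def canonical(record: dict) -> bytes:
    """Canonical JSON (sorted keys, no whitespace) so that re-serialising
    the same data, e.g. after a round trip through a different ORM,
    never produces a false tamper alarm."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def seal(record_id: str, record: dict, key: bytes = KEY) -> str:
    """HMAC-SHA256 tag binding the record id to the record contents.
    Including the id stops an attacker from pairing a valid tag with a
    different patient's record.  Ids are assumed NUL-free so the
    separator is unambiguous."""
    msg = record_id.encode("utf-8") + b"\x00" + canonical(record)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(record_id: str, record: dict, tag: str, key: bytes = KEY) -> bool:
    """Recompute the tag and compare in constant time.  False on any
    change to the contents, the id, or the stored tag."""
    return hmac.compare_digest(seal(record_id, record, key), tag)


# Constructed sample record; no real patient data.
RECORD = {"mrn": "000123", "diagnosis": "E11.9", "dose_mg": 500}

if __name__ == "__main__":
    tag = seal("pt-42", RECORD)
    print("stored:", verify("pt-42", RECORD, tag))
    print("dose changed:", verify("pt-42", dict(RECORD, dose_mg=5000), tag))
    print("tag moved to another patient:", verify("pt-43", RECORD, tag))
```

An HMAC gives integrity and origin authentication but not confidentiality; where the Encryption (A) specification is also being addressed, an authenticated-encryption mode (AES-GCM or ChaCha20-Poly1305) provides both in one primitive, and the record id should then be bound as associated data in the same way it is bound into the HMAC here.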
100
Bottom Line…
Consideration MUST be given to implementing
all standards
Using a combination of required and
addressable implementation specifications
and other security measures
Need to document choices
This arrangement allows the covered entity to
make its own judgments regarding risks and
the most effective mechanisms to reduce risks
101
Other Laws (State/Federal)
State privacy laws have security implications:
- CA SB1386 – requires notification of individuals if information held in an electronic format MAY have been breached, UNLESS the data is encrypted.
Sarbanes/Oxley (SOX)
102
Real Life Issues
Ongoing training and monitoring
- Business Associates
- Physicians and Physician Staff
Keeping up with both privacy and security rules and laws
Keeping in compliance without shutting down operations
103
Recent Breaches (news headlines shown on the slide)
- "UC hacking may have gotten data on 600,000 / Security breach not reported for weeks" – Mercury News, posted Thu, Oct. 21, 2004
- "Hacker breaches T-Mobile systems, reads US Secret Service email" – Kelly Martin, SecurityFocus, published Wednesday 12th January 2005 09:47 GMT
- "Company Warns Customers About Possible Identity Theft: Identity Thieves Reportedly Steal Computers Filled With Customer Information" – posted 8:16 am CDT April 8, 2004
- "Credit agency reports security breach" – news story by Carly Suppa, March 17, 2004
- "Oops! Firm accidentally eBays customer database" – John Leyden, published Monday 7th June 2004 20:51 GMT
- "8 Million Credit Accounts Exposed: FBI to Investigate Hacking of Database" – Jonathan Krim, Washington Post Staff Writer, Wednesday, February 19, 2003; Page E01
104
Questions & Answers
105
Contact Information
Marti Arvin, JD, CHC
Privacy Officer
University of Louisville
Phone (502) 852-3803
e-mail [email protected]
Connie Emery, CPA, CIA, CISA, CISSP, CIPP
Information Privacy/Security Officer
Tenet HealthSystem
Phone (469) 893-6709
e-mail [email protected]
John C. Falcetano, MA, CHC, CIA
Chief Audit & Compliance Officer
University Health Systems of Eastern Carolina
Phone (252) 847-0125
e-mail [email protected]
106