Chapter 13: Regulatory Compliance for the Healthcare Sector
Objectives
- Understand the security regulations required of the healthcare sector by the HIPAA Security Rule.
- Write HIPAA-compliant policies and procedures.
- Execute the HIPAA implementation specifications.
- Conduct a compliance audit.
- Relate the ISO 17799 security framework to HIPAA security compliance.
Introduction
Title II of HIPAA mandated the creation of rules to address how electronic healthcare transactions are transmitted and stored.
The resulting HIPAA Security Rule establishes a standard for the security of electronic protected health information, or ePHI.
Understanding the Security Rule
The HIPAA Security Rule focuses on safeguarding ePHI:
- Any individually identifiable health information that is stored, processed, or transmitted electronically or digitally
- Applies to both public and private sector entities that process, store, or transmit such information
HIPAA Goals and Objectives
The main goal of the HIPAA Security Rule is to protect the confidentiality, integrity, and availability of all electronic protected health information.
Covered Entities
The Security Rule applies to any entity that stores or transmits ePHI, including:
- Healthcare providers
- Health plans
- Healthcare clearinghouses
- Medicare prescription drug card sponsors
HIPAA Key Principles
The standards are intentionally nonspecific and scalable.
Covered entities choose the appropriate technology and controls for their own unique environment, taking into consideration:
- Their size and capabilities
- Their technical infrastructure
- The cost of the security measures
- The probability of risk
Penalties for Noncompliance
- April 21, 2006 is the final date for compliance
- Covered entities must achieve and maintain compliance
- There are various civil and criminal penalties
- Noncompliance may be used in liability cases; attorneys may sue on behalf of clients who believe their rights have been violated
Security Rule Organization
Administrative Safeguards: the documented policies and procedures for managing
- Operations
- Workforce conduct and access to ePHI
- Selection, development, and use of security controls
Security Rule Organization Cont.
Physical Safeguards: requirements for protecting ePHI from unauthorized physical access
Technical Safeguards: the use of technology to control access to ePHI
Security Rule Organization Cont.
Organizational Requirements: includes standards for business associate contracts and requirements for group health plans
Documentation Requirements: includes policies and procedures regarding documentation and records and their retention and availability
Administrative Safeguards
The Security Management Process includes:
- Conducting a risk assessment
- Implementing a risk management program; identifying all threats to ePHI
- Developing and implementing a sanction policy for security violations; applies to employees, contractors, and vendors
- Developing and deploying an information system activity review
Administrative Safeguards Cont.
Assigned Security Responsibility: appoint a responsible security official to oversee compliance
Workforce Security:
- Implement procedures for authorization and supervision of workforce members
- Establish a workforce clearance procedure for hiring and assigning tasks
- Establish termination procedures
Administrative Safeguards Cont.
Information Access Management:
- Isolate healthcare clearinghouse functions
- Implement policies and procedures to authorize access
- Implement policies and procedures to establish access
Administrative Safeguards Cont.
Security Awareness and Training:
- Establish a security awareness program to remind users of potential threats
- Provide training on recognizing malicious software (malware)
- Provide training on login monitoring procedures
- Provide training on password management
Administrative Safeguards Cont.
Security Incident Procedures: addresses reporting of and responding to security incidents
- Training users to recognize incidents
- Implementing a reporting system
- Following through with investigations and reporting back to the user
Administrative Safeguards Cont.
Contingency Plans:
- Conduct an application and data criticality analysis
- Establish and implement a data backup plan
- Establish and implement a disaster recovery plan
- Establish an emergency mode operation plan
- Test and revise procedures
Administrative Safeguards Cont.
Evaluation: all covered entities must develop criteria and metrics for evaluating their own compliance
Business Associate Contracts:
- Business associates and third parties must also comply
- Based on a written contract or other form of agreement
Physical Safeguards
Facility Access Controls include:
- Create a facility security plan; prevent unauthorized access, tampering, and theft
- Implement access control and validation procedures
- Keep maintenance records, including modifications to doors, locks, etc.
- Establish contingency operations
Physical Safeguards Cont.
Workstation Use: covers proper use of workstations, particularly laptops
Workstation Security: covers restricting workstation access to authorized users
Physical Safeguards Cont.
Device and Media Controls:
- Implement disposal policies and procedures
- Implement reuse policies and procedures
- Maintain accountability for hardware and electronic media
- Develop data backup and storage procedures
Technical Safeguards
Access Control:
- Require unique user identification
- Establish emergency access procedures
- Implement automatic logoff procedures that terminate a session after a period of inactivity
- Encrypt and decrypt information at rest
Technical Safeguards Cont.
Audit Controls: organizations must be able to monitor system activity
Integrity Controls: to protect ePHI from improper alteration or destruction; includes antivirus and antispyware, firewalls, and e-mail scanning
Technical Safeguards Cont.
Person or Entity Authentication: requires unique user identification, such as password, PIN, biometric ID, etc.
Transmission Security:
- Implement integrity controls
- Implement encryption
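The Technical Safeguards slides list what a system must do (unique user identification, automatic logoff after inactivity, audit controls, integrity controls) without showing how those requirements look in code. The following is an added illustration written for this chapter, not code from the slides or from any HIPAA reference implementation; the 15-minute inactivity timeout, the HMAC key, the user names and the record contents are constructed assumptions.

```python
"""Added illustration of several HIPAA Technical Safeguards from the slides:
unique user identification, automatic logoff after inactivity, audit
controls, and an integrity check on a stored record. Example code written
for this chapter; the timeout value, key and record contents are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Assumption: sessions are logged off after 15 minutes (900 s) of inactivity.
INACTIVITY_TIMEOUT_SECONDS = 900


@dataclass
class AuditEvent:
    timestamp: float
    user_id: str
    action: str
    detail: str


@dataclass
class EphiStore:
    """Holds ePHI records keyed by record id, with an integrity tag per record."""
    key: bytes                                    # integrity key (constructed)
    records: dict = field(default_factory=dict)   # record_id -> (payload, tag)
    audit_log: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)  # session_id -> (user_id, last_active)
    _next_session: int = 0

    def _tag(self, payload: dict) -> str:
        # HMAC over the canonical JSON form so key reordering does not change the tag.
        canonical = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def store(self, record_id: str, payload: dict) -> None:
        self.records[record_id] = (payload, self._tag(payload))

    def login(self, user_id: str, now: float) -> str:
        """Unique user identification: every session is bound to one named user."""
        self._next_session += 1
        session_id = f"s{self._next_session}"
        self.sessions[session_id] = (user_id, now)
        self.audit_log.append(AuditEvent(now, user_id, "login", session_id))
        return session_id

    def _session_user(self, session_id: str, now: float) -> str:
        """Automatic logoff: a session idle longer than the timeout is terminated."""
        if session_id not in self.sessions:
            raise PermissionError("no such session")
        user_id, last_active = self.sessions[session_id]
        if now - last_active > INACTIVITY_TIMEOUT_SECONDS:
            del self.sessions[session_id]
            self.audit_log.append(AuditEvent(now, user_id, "auto_logoff", session_id))
            raise PermissionError("session expired after inactivity")
        self.sessions[session_id] = (user_id, now)
        return user_id

    def read(self, session_id: str, record_id: str, now: float) -> dict:
        """Audit controls: every read is attributed to a user and recorded.
        Integrity controls: a record whose tag no longer matches is refused."""
        user_id = self._session_user(session_id, now)
        payload, tag = self.records[record_id]
        if not hmac.compare_digest(tag, self._tag(payload)):
            self.audit_log.append(AuditEvent(now, user_id, "integrity_failure", record_id))
            raise ValueError(f"record {record_id} failed integrity check")
        self.audit_log.append(AuditEvent(now, user_id, "read", record_id))
        return dict(payload)


def demo() -> dict:
    """Walk through the safeguards on a constructed record; returns what happened."""
    store = EphiStore(key=b"constructed-demo-key")
    store.store("rec-1", {"patient": "example patient", "dx": "example"})
    sid = store.login("nurse.alice", now=0.0)
    first = store.read(sid, "rec-1", now=60.0)            # active session: allowed
    try:
        store.read(sid, "rec-1", now=60.0 + 901.0)        # idle > timeout: logged off
        expired = False
    except PermissionError:
        expired = True
    # Simulate improper alteration of the stored record without re-tagging it.
    payload, _tag = store.records["rec-1"]
    payload["dx"] = "tampered"
    sid2 = store.login("nurse.alice", now=2000.0)
    try:
        store.read(sid2, "rec-1", now=2001.0)
        tampered_detected = False
    except ValueError:
        tampered_detected = True
    return {
        "first_read_ok": first["dx"] == "example",
        "auto_logoff": expired,
        "tamper_detected": tampered_detected,
        "audit_actions": [e.action for e in store.audit_log],
    }


if __name__ == "__main__":
    print(demo())
```

Every read passes through the session check first, so an idle session cannot be used to reach a record, and the audit log records who did what, including the automatic logoff and the integrity failure themselves. A real system would also store the audit log append-only and encrypt the records at rest, as the Access Control slide requires; those parts are omitted here.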
Organization Requirements
Business Associate Contracts: contracts must meet specific requirements to ensure the confidentiality, integrity, and availability of ePHI
Covered entities, business associates, and their agents must protect ePHI and report security incidents, or risk termination
Organization Requirements Cont.
Standard Requirements for Group Health Plans:
- Applies only to group health plan sponsors
- Requirements for ensuring the confidentiality, integrity, and availability of ePHI must be met by the plan sponsors and any of their agents
Policies and Procedures
Policies and procedures to ensure that:
- Standards and implementation specifications are met
- Actual activities of the covered entity are reflected
Policies and Procedures Cont.
Documentation:
- Retain documentation for six years
- Make documentation available to necessary personnel
- Update documentation as necessary to reflect changes that may affect the security of ePHI
Summary
- The HIPAA Security Rule was designed to ensure that ePHI is safe from breaches of confidentiality, integrity, and availability
- The regulations mirror what is now considered basic security best practices
- Both providers and patients benefit