What is HIPAA?
Health Insurance Portability and Accountability Act (Kennedy-Kassebaum Bill)
Administrative Simplification
– Privacy
– Transactions & Code Sets
– Security

Administrative Simplification
Privacy – April 14, 2003 – implemented
Transaction Standards and Code Sets – October 16, 2003 – implemented
Security – April 20, 2005 – it’s right around the corner

Goals of Administrative Simplification
Protect the security and privacy of patient information
Improve efficiency and effectiveness by standardizing electronic transmissions of:
– Financial transactions
– Administrative transactions

Who is covered by HIPAA?
“Covered Entity”
– Health Care Providers
– Clearinghouses
– Health Plans
Business Associates
– Entity that does a task on our behalf and,
– Utilizes Protected Health Information (PHI)
– Examples: Temp agencies, Medical Director, Pharmacy consultant

What does HIPAA Protect?
Protected Health Information PHI
– Created or received by a health care provider AND
– Involves past, present, or future treatment OR
– Payment for such services, AND
– Identifies the individual (IIHI) AND
– Transmitted or maintained in ANY form

What is the Security Rule?

Important Security Facts
Only applies to e-PHI
Requires a Risk Assessment
Requires a more Technical Solution
Effective April 20, 2005

What does the Security Rule Protect?
Electronic Protected Health Information (e-PHI)
– Created or received by a health care provider AND
– Involves past, present, or future treatment OR
– Payment for such services, AND
– Identifies the individual AND
– Transmitted by or maintained in ELECTRONIC MEDIA

Security Rule Core Requirements
Covered Entities must ensure the confidentiality, integrity, and availability (CIA) of e-PHI they create, receive, maintain, or transmit.

Security Rule Core Requirements
Covered Entities must protect against any reasonably anticipated threat or hazard to the security or integrity of e-PHI.

Security Rule Core Requirements
Covered Entities must protect against any anticipated uses or disclosures of e-PHI that are not permitted under the law.

Security Rule Core Requirements
Covered Entities must ensure compliance with the Security Rule by all of their workforce members.

Security Rule Components
Three Categories:
Administrative Safeguards
Physical Safeguards
Technical Safeguards

Security Rule Components
Standards – General requirement that must be complied with. Example: Contingency Planning
Implementation Specifications – Detailed or specific method or approach to meet a Standard. Example: Data backup plan, disaster recovery plan
Implementation Specifications can be either Required or Addressable. (But none are optional)

Security Rule - Administrative
Focuses on Security Management Process designed to:
– Prevent
– Detect
– Contain
– and Correct Security Violations

Security Rule - Administrative
Standards Include:
– Security Management Process
– Assigning Security Responsibility
– Workforce Security
– Information Access Management
– Security Awareness/Training
– Security Incident Reporting
– Contingency Planning
– Evaluation of Security Measures

Security Rule - Physical
Focuses on protecting e-PHI from:
– Unauthorized Disclosure
– Modification
– Destruction

Security Rule - Physical
Standards include:
– Facility Access Controls
– Workstation Use
– Workstation Security
– Device and Media Controls

Security Rule - Technical
Focuses on Technological Measures to ensure:
– Confidentiality
– Integrity
– Availability

Security Rule - Technical
Standards Include:
– Access Control Measures
– Audit Controls
– Integrity Controls
– Person or Entity Authentication Controls
– Transmission Security Measures

Where do we begin?
Conduct a Risk Assessment

What is a Risk Assessment?
A Risk Assessment will provide the information needed to make risk management decisions regarding the degree of security remediation.

Components of the Risk Assessment
Identifies Risks, Threats and Vulnerabilities that may occur if appropriate security measures are not put in place
Identifies potential confidentiality, integrity and availability issues
Identifies the impact and probability of a risk
Identifies mitigation options

What is a Risk, Threat and Vulnerability?
Risk – What can happen if a threat exploits a vulnerability.
Threat – Who or what can cause an undesirable event.
Vulnerability – How a weakness in technology or organizational process can be exploited by a threat.

What is CIA?
Confidentiality – e-PHI disclosed to unauthorized persons
Integrity – e-PHI modified by unauthorized persons
Availability – e-PHI unavailable to authorized persons

What is Impact and Probability?
Impact – The effect a particular incident would have. Measured high, medium or low.
Probability – Likelihood of an incident occurring. Measured high, medium or low.

Risk Assessment
Let’s discuss an example of a risk, threat and vulnerability.

Scenario
You are in an unfamiliar city
Decide to take a night-time walk
Street is dark – no pedestrians; no traffic
You are all alone
Excessive Graffiti on the walls

Scenario
What is the Risk?
– (What might happen)
What is the Threat?
– (Who)
What is the Vulnerability?
– (How could it happen)

Scenario
What is the Risk? (What might happen)
– You might be attacked
– You might be robbed
What is the Threat? (Who)
– A mugger
What is the Vulnerability? (How could it happen)
– You are in a strange location
– You don’t know your way around

Where do we document the findings?
Risk Assessment Matrix

What is the Risk Assessment Matrix?
Documents the analysis performed for each Standard and Implementation Specification.
One Matrix for each e-PHI instance.
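As an added illustration (not from the deck), the following Python builds the matrix the slides describe for one e-PHI instance: each row ties a Standard and Implementation Specification to a risk, threat and vulnerability, the CIA property at stake, and high/medium/low impact and probability as defined on the preceding slides, and it flags a Required specification that is not implemented or an Addressable one that is neither implemented nor justified. The findings, the billing-system instance, and the specification names other than the deck's own "Data backup plan" example are constructed assumptions.

```python
from dataclasses import dataclass

LEVEL = {"low": 1, "medium": 2, "high": 3}  # impact and probability ratings used by the deck
@dataclass
class Finding:
    standard: str        # Security Rule standard, e.g. "Contingency Planning"
    spec: str            # implementation specification under that standard
    required: bool       # True = Required, False = Addressable (neither is optional)
    risk: str            # what might happen
    threat: str          # who or what could cause it
    vulnerability: str   # how it could happen
    cia: str             # "confidentiality", "integrity" or "availability"
    impact: str          # "high", "medium" or "low"
    probability: str     # "high", "medium" or "low"
    implemented: bool = False
    justification: str = ""  # documented reason or alternative for an Addressable spec

def risk_score(f):
    """Rank a finding by impact x probability (1..9)."""
    return LEVEL[f.impact] * LEVEL[f.probability]

def compliance_gap(f):
    """A Required spec must be implemented; an Addressable spec needs an implementation
    or a documented justification. Returns None when the spec is satisfied."""
    if f.implemented:
        return None
    if f.required:
        return "Required specification not implemented"
    if not f.justification.strip():
        return "Addressable specification neither implemented nor justified"
    return None

def build_matrix(ephi_instance, findings):
    """One matrix per e-PHI instance, highest-scoring rows first."""
    return [{"instance": ephi_instance, "standard": f.standard, "spec": f.spec,
             "cia": f.cia, "score": risk_score(f), "gap": compliance_gap(f)}
            for f in sorted(findings, key=risk_score, reverse=True)]

SAMPLE = [  # constructed findings for a hypothetical billing system; not from the deck
    Finding("Contingency Planning", "Data backup plan", True, "billing records lost",
            "disk failure", "backups kept only on the same server", "availability",
            "high", "medium"),
    Finding("Security Awareness/Training", "Log-in monitoring", False,
            "unnoticed unauthorized changes", "former employee",
            "stale accounts are not reviewed", "integrity", "medium", "medium"),
    Finding("Access Control Measures", "Encryption and decryption", False,
            "records read by unauthorized persons", "lost laptop", "laptops used off-site",
            "confidentiality", "high", "low", justification="terminal-server access; no local copies"),
]
```

Calling `build_matrix("billing system", SAMPLE)` returns the rows ranked 6, 4, 3, with the first two flagged as gaps and the third satisfied by its documented justification.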

Risk Assessment
Let’s look at the Risk Assessment Matrix

Risk Assessment

What is My Role in the Risk Assessment?
Identify Risks, Threats and Vulnerabilities
Identify potential Confidentiality, Integrity and Availability outcomes
Determine Potential and Impact of Risks
Identify Mitigation Alternatives
Help Implement Solutions

Now what?
Identify Teams for each e-PHI Application
Conduct Brainstorming Sessions
Complete the Risk Assessment Matrix
Select Mitigation Plans
Implement Corrective Actions
Monitor to Ensure Compliance

Anything Else?
Work together to ensure our organization is HIPAA
Compliant by April 20, 2005