Overview: HIPAA Guidelines for Security and Privacy
July, 2001
Jack Buchanan, MSEE MD
University of Tennessee Health Science Center
HIPAA Security and Privacy Regulations
Mandated by Congress via Health Insurance Portability and Accountability Act of 1996.
Requirements for:
- Data Interchange Standards
- Data Security
- Patient Privacy
HIPAA Security and Privacy Regulations
Regulations were to have been established by a separate Congressional act.
An escape clause mandated HHS to write the regulations if Congress didn’t act by a deadline.
Regulations were issued during the final days of the Clinton administration.
Delayed, then affirmed by the Bush administration.
We now have “final” Privacy Regulations and “preliminary” Security Regulations.
HIPAA Security and Privacy Regulations - Purpose
To prevent inappropriate use of health information associated with an individual patient.
To require organizations which use health information to protect the information and the systems which store, transmit, and process it.
Explicitly includes systems and procedures belonging to associates and subcontractors; requires “Chain of Trust” agreements.
HIPAA Security and Privacy Regulations - Who?
Definitely apply if you are (or have a unit which is) a:
- Health provider
- Health plan
- Healthcare clearinghouse
Maybe (probably) apply if you are affiliated with the above as a:
- Business Associate
- Contractor
- Consultant
- Researcher, if the data is personally identifiable
HIPAA Security and Privacy Regulations - When?
Politics has made this a little difficult to determine.
The argument that they will NEVER go into effect has become MUCH less credible
Working Deadline: Mid 2003
HIPAA Security and Privacy Regulations
What’s a covered entity to do? Many requirements are specifically spelled out:
- Assign responsibility for security to a person or an organization.
- Assess risks and determine the major threats to the security and privacy of protected health information.
HIPAA Security and Privacy Regulations
What’s a covered entity to do? Establish a security management program that addresses:
- physical security
- personnel security
- technical security controls
- security incident response
- disaster recovery
HIPAA Security and Privacy Regulations
What’s a covered entity to do?
- Certify the effectiveness of new or existing security controls.
- Appoint a privacy officer and a point of contact for receiving privacy complaints.
- Adopt a privacy policy and publicize the policy by giving notice to patients/partners.
HIPAA Security and Privacy Regulations
What’s a covered entity to do? Privacy policies must have specific provisions, as regards protected health information, for:
- Gaining consent and authorization
- Restricting use and disclosure
- Receiving and resolving complaints
HIPAA Security and Privacy Regulations
What’s a covered entity to do?
- Change contracts and business partner agreements to include a contractual requirement that partners handle protected health information properly.
- Train the covered entity’s workforce, and business associates who work on the covered entity’s premises, to follow proper security and privacy policies and procedures.
HIPAA Security and Privacy Regulations
What’s a covered entity to do?
- Document security and privacy policies and procedures, as well as actions taken to ensure that policies and procedures are enforced.
- Provide only the minimum necessary information to fulfill the purpose of a request.
  Provision of patient care is exempted; clinical research information is NOT exempt.
HIPAA Security and Privacy Regulations
Penalties for non-compliance
- Civil monetary penalties on a per-person, per-violation basis.
- Very strong penalties for misuse with knowledge: significant fines, prison.
- Penalties potentially apply to the individual violator, the organization, and officers of the organization.
What are the Guidelines?
A document meant to help people in AMCs (Academic Medical Centers) who must form and run HIPAA-compliant operations.
The guidelines contain a section for each point of compliance in the HIPAA Privacy and Security regulations. Each “point” section focuses on explaining the regulation point and guiding an analysis of its impact on AMCs, with guidance for compliance. Other sections focus on the overall impact of the regulations for AMCs.
Part of the intended value of the work is that it is a product of the key HIPAA leaders at several Academic Medical Centers and several related organizations (i.e. this comes from the people who will have to make their organizations compliant).
Key motivations for creating the Guidelines
- HIPAA Security/Privacy is a complex regulatory regime; having several interested parties analyze the regs helps ensure a thoughtful analysis.
- AMCs are complex organizations in which to implement HIPAA; having several parties who are knowledgeable of this environment do the analysis helps ensure a relevant analysis that is sensitive to the variety of circumstances in AMCs.
- AMCs need an AMC group norm for what is “reasonable”; this would help ensure high-quality, rational-cost implementations that are in the spirit of the “adoption” principle in the HIPAA law. (WEDI is being asked to recommend the Guidelines to HHS.)
- Walking the talk; the participating AMCs wanted the guidelines for themselves and for the wider industry. The document is available at the website (amc-hipaa.org).
Why are AMC environments worthy of special attention?
AMCs typically have operations that provide challenges to security and privacy management due to several factors. AMCs typically are:
- DECENTRALIZED MANAGEMENT: composed of facilities that are managed by a diverse group of people and interests
- DIVERSE MISSIONS: combined clinical, educational, and research efforts
- HIGH PROFILE PATIENTS: caring for VIPs, celebrities, and other people at times when their health status is of public interest
- LARGE: physically large, with a large staff
- SPECIALIZED: tending to have large numbers of people involved in a single patient’s care
- MULTI-PARTNERED: having partnerships and special programs with industry, government, and other AMCs that bear on activity in the clinical area
How were the Guidelines formed?
The idea: evolved from discussions among people working with AAMC, WEDI, NLM, and Internet2 to bring representatives from several academic medical centers together in a series of workshops to create guidelines for implementing HIPAA Privacy and Security regulations in AMCs.
Also, to use the workshops to explore what AMC needs were in this area and how relevant organizations might find common cause with the AMCs on this issue.
The result: A series of workshops with many nationally known AMCs and related organizations represented in which the guidelines have been developed.
Participating AMCs
- Duke University Health System
- Emory University
- Johns Hopkins Medical Institutions
- Kaiser Permanente
- Mayo Clinic
- Oregon Health Sciences University
- Osaka Medical College
- Texas A&M University System Health Science Center
- Texas A&M University
- University of Alabama at Birmingham
- University of Arizona Medical Center
- University of Michigan Health System
- University of Pennsylvania
- University of Tennessee Health Science Center
- University of Texas Southwestern Medical Center
- Veterans Health Administration
- Yale University School of Medicine
Sponsoring Organizations
- Association of American Medical Colleges (AAMC)
- Internet2
- National Library of Medicine (NLM)
- Object Management Group (OMG)
Supporting Organizations
- CPRI-HOST
- North Carolina Healthcare Information and Communications (NCHICA)
- Health Care Financing Administration (HCFA)
- Healthcare Computing Strategies, Inc. (HCS)
- Southeastern University Research Association (SURA)
- Workgroup on Electronic Data Interchange (WEDI)
The Goals of the Workshop Process
Develop: To develop guidelines for implementation of HIPAA Security and Privacy regulations which AMC HIPAA leaders could use to guide their institutional approach.
Share: To share the load and improve the result in an area that we’d otherwise have to take up independently.
Focus: To ensure focus on the special issues that AMCs have with security and privacy.
Self-regulate: To have the guidelines submitted to WEDI for recommendation as part of their regulatory role in HIPAA.
Norm: To foster a reasonable group norm on HIPAA compliance for AMCs by creating and sharing guidelines that AMCs may implement.
Collaborate: To further develop the points of collaboration with related national groups.
Guidance only: The process was designed to provide guidance only; no advocacy for “stronger” or “weaker” regs is included.
What’s Next for this work/group?
Evolution – There is a general expectation that changes in the regs and improvements in the content will emerge over the next couple of years as others read and use the material.
Use of materials: Anyone is free to use the material provided that they preserve the copyright and note to prospective users/customers of derivative material that the original document and any updates will be freely available at amc-hipaa.org.
Follow-on activities – We expect there to be value in having a group with continuing activities for AMCs in privacy and security at the national level and are pursuing opportunities related to this.