the security rule
THE SECURITY RULE
HIPAA, Week 3
SECURITY RULE
The Security Rule (SR) deals with ONLY electronic Protected Health Information (ePHI), which is essentially a subset of what the Privacy Rule encompasses (includes oral, hard copy and electronic PHI)
GOAL OF SECURITY RULE
To ensure reasonable and appropriate administrative, technical, and physical safeguards that ensure the integrity, availability and confidentiality of health care information, and protect against reasonably foreseeable threats to the security or integrity of the information.
FOCUS OF SECURITY RULE
• Both external and internal threats
• Prevention of denial of service
• Theft of private information
• Integrity of information
FOUNDATION
Security protections are “reasonable and appropriate”
THE STANDARDS…
Are separated into three groups:
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards
GENERAL REQUIREMENTS OF THE STANDARDS…
Ensure:
• Confidentiality (only the right people see it)
• Integrity (the information is what it is supposed to be – it hasn’t been changed)
• Availability (the right people can see it when needed)
RULE HAS 4 CATEGORIES
1. Administrative Procedures
2. Physical Safeguards
3. Technical data security services
4. Technical security mechanisms
ADMINISTRATIVE PROCEDURES: 12 REQUIREMENTS
1. Certification
2. Chain of Trust Agreements
3. Contingency Plan
4. Mechanism for processing records
5. Information Access Control
6. Internal Audit
7. Personnel Security
8. Security Configuration Management
9. Security Incident Procedures
10. Security Management
11. Termination Procedures
12. Training
PHYSICAL SAFEGUARDS: 6 REQUIREMENTS
1. Assigned Security Responsibility
2. Media Controls
3. Physical Access Controls
4. Policy on Workstation Use
5. Secure Workstation Location
6. Security Awareness Training
TECHNICAL DATA SECURITY SERVICES: 5 REQUIREMENTS
1. Access Control
2. Audit Controls
3. Authorization Control
4. Data Authentication
5. Entity Authentication
TECHNICAL SECURITY MECHANISM: 1 REQUIREMENT
1. Protections for health information transmitted over open networks via:
• Integrity controls, and
• Message authentication, and
• Access controls OR encryption
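The requirement above names three properties for ePHI crossing an open network: the receiver must be able to tell the message was not altered (integrity control), that it came from the party holding the shared key (message authentication), and, where access controls alone are not enough, that the content is unreadable in transit (encryption). The following is an added example, not part of the slide deck or any referenced source, showing how an authenticated-encryption mode (AES-256-GCM from Go's standard library) supplies all three at once. The routing header, the sample lab record and the function names are constructed for the example; the key is generated in-process only to keep it self-contained, whereas a real deployment would obtain it from a key-management system shared by sender and receiver.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrIntegrity is returned whenever the authentication tag fails to verify.
// A modified, truncated or mis-keyed message is rejected as a whole, so a
// tampered record never reaches the receiving application.
var ErrIntegrity = errors.New("ePHI message failed integrity/authentication check")

// NewKey generates a random 256-bit key for AES-256-GCM (assumption: in a
// deployment the key comes from a key-management system, not from here).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal protects an ePHI payload for transmission over an open network.
// header is authenticated but sent in the clear (associated data), e.g. a
// routing label intermediaries must read; payload is encrypted and
// authenticated. Wire layout: nonce || ciphertext || tag.
func Seal(key, header, payload []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, header), nil
}

// Open verifies the tag over header and ciphertext first and only then
// decrypts. The tag check is the integrity control and message
// authentication; the decryption is the confidentiality.
func Open(key, header, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrIntegrity
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	payload, err := aead.Open(nil, nonce, ct, header)
	if err != nil {
		return nil, ErrIntegrity
	}
	return payload, nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record, not real patient data.
	header := []byte("dest=lab-results-intake;v=1")
	record := []byte(`{"mrn":"000000","test":"HbA1c","result":"6.1%"}`)

	sealed, err := Seal(key, header, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("on the wire: %d bytes, payload unreadable without the key\n", len(sealed))

	got, err := Open(key, header, sealed)
	fmt.Printf("intact message: err=%v payload=%s\n", err, got)

	// Flip one bit of the ciphertext in transit: the receiver gets
	// ErrIntegrity rather than a silently corrupted result value.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, header, tampered)
	fmt.Printf("tampered message: err=%v\n", err)
}
```

The design point is that decryption never happens before the tag verifies, and every failure mode (altered ciphertext, altered cleartext header, truncation, wrong key) collapses into the same rejection, so the receiver cannot act on a partially trusted record. Because GCM nonces must never repeat under one key, a random 96-bit nonce per message is acceptable only at modest message volumes; a high-volume link would rotate keys or use a counter-based nonce.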
NEW RULES FOR BREACHES
The new Privacy requirements apply if all of the following are present in a Privacy Event:
• There is a “Breach.” The Rule defines “Breach” to mean (subject to certain exceptions) the unauthorized acquisition, access, use, or disclosure of protected health information (“PHI”).
• The PHI is “unsecured.” The Rule defines “unsecured protected health information” to mean PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by HHS guidance.
• The Breach “compromises the security of the PHI.” Under the Rule, this occurs when there is a significant risk of financial, reputational, or other harm to the individual whose PHI has been compromised.
NOTIFICATION OF BREACHES
• Prior to the HITECH Act, no mandated reporting to outside authorities
• Since HITECH: notifications are mandatory for breach of unsecured ePHI
BREACHES
OCR received 7,116 complaints in 2009, a sharp decline from the 8,526 received in 2008 and 8,174 received in 2007. In 2006, OCR received 7,334 complaints.
PRIMARY REASONS FOR THE VIOLATIONS
• Incidental disclosure of individually identifiable health information
• Lack of adequate safeguards
• Not providing a copy of records to patients
• Disclosure of more than necessary information
• Failure to give notice of privacy practice
NOTIFICATION GUIDELINES: Notification to Individuals.
A covered entity must send the required notification to each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the Breach, without unreasonable delay.
• Must be in plain, reasonable language
• If the patient is deceased, must notify next of kin.
NOTIFICATION GUIDELINES: Notification to Media.
If a covered entity discovers a Breach affecting 500 or more residents of a state or jurisdiction, it must provide notice to prominent media outlets serving that state or jurisdiction without unreasonable delay.
NOTIFICATION GUIDELINES: Notification to HHS.
If 500 or more individuals are involved in the Breach, then the covered entity must notify HHS concurrently with the individual notifications.
HHS (through its enforcement agency, the Office of Civil Rights or “OCR”) requires annual notification for Breaches involving fewer than 500 individuals per Event.
ENFORCEMENT
• Enforcement and Penalties begin February 2010
• Projected to be increased enforcement from OCR
• In the past CMS (Centers for Medicare and Medicaid Services) has enforced HIPAA Security Rules while OCR has handled Privacy Rule compliance.
ENFORCEMENT CON’T
Now: Privacy and Security enforcement will be combined under one agency (OCR). This will eliminate duplication of work and increase efficiency, according to the HHS Secretary.
Another significant enforcement change is that under HITECH, State Attorneys General can now bring actions for Privacy violations in federal court.
NEW RULE
The “Stimulus Act” requires that within the next three years regulations are passed that will allow individual victims of a HIPAA violation to receive a percentage of any monetary penalty collected from the offense.
This monetary incentive could significantly increase the number of HIPAA complaints brought by individuals.
IMPLEMENTATION
• Implement the necessary safeguards
• Perform a risk analysis
• Risk management
• Ensure policies are in place
• Stay attuned to deadlines and changes in the law!
KEY IMPACTS OF HIPAA INCLUDE
• Development and documentation of policies and procedures
• Designation of a privacy official
• Identifying and contracting with business associates
• Development of patient consent and authorization forms
• Distributing and updating notice of privacy practices and associated procedures
• Development and distribution of patient notice
• Capturing, tracking, and maintaining history of data disclosures
• Tracking and resolving individual complaints
• Training workforce members who have access to patient identifiable information
• Altering the oral communication culture of the organization