Understanding HIPAA
#aboutme
• Information Security Consultant
• Interested in Compliance and Penetration Testing
• Have a flair for writing about Information Security
• Like to learn and demonstrate the latest security attack vectors and technologies
Agenda
• What is HIPAA?
• Why was HIPAA needed?
• Who are the Covered Entities (CE) and Business Associates (BA)?
• Three Pillars of HIPAA Compliance
• Critical success factors for achieving HIPAA compliance
• Actions to Reduce Liability & Risks
• Q&A
Structure of HIPAA
HIPAA Components in Focus
HIPAA is the Federal Health Insurance Portability and Accountability Act of 1996.
Administered by the U.S. Department of Health and Human Services (HHS).
Implementation and civil enforcement are overseen by the HHS Office for Civil Rights (OCR).
• HIPAA Privacy Rule: protects the privacy of individually identifiable health information.
• HIPAA Security Rule: sets national standards for the security of electronic protected health information.
• HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
Why was HIPAA needed?
1. Insurance companies denied coverage to employees who had a pre-existing condition, even if the employees were previously covered by another employer.
2. No standardization of billing formats and codes used to file claims
   Basic information, such as patient name and treatment date, was formatted differently by each payer
3. Insurance coding was very complex, and there were many errors
   Companies often rejected many claims and delayed payments to providers
   High cost of administration
HL7, ICD-10
HIPAA Protects... individuals' personally identifiable health information.
• Health conditions – diagnosis, test results
• Demographic information – name, address, gender
• Clinical data – vital signs, lab results, etc.
• Treatments & procedures
• Billing and payment information
Protected health information (PHI) which is:
• Transmitted by electronic media;
• Maintained in electronic media; or
• Transmitted or maintained in any other form or medium.
Pillars of HIPAA
Privacy Rule
• Notice of privacy practices
• Rights over PHI
• Access to PHI
• Uses and disclosures
• Accounting of disclosures
Security Rule
• Administrative
• Physical
• Technical
Breach Notification Rule
• Breach notification requirements for Covered Entities (CE) and Business Associates (BA)
Extent of HIPAA Applicability
Covered Entities
Any healthcare organization that stores, processes, or transmits personal health information.
Covered Entities can be:
• Health Plan
• Health Care Provider
• Health Care Clearinghouse
Business Associates
An entity that is involved in the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
Business associate services can be in:
legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.
Breach Notification
What to do?
• Risk Assessment of Breach
• Notification to Individuals impacted by breach
  • within 60 days of discovery of a breach
  • It also depends on State law
Focus on:
• Content of Notification
• Notification to the media
• Notification to the Secretary
• Notification by a business associate
• Law enforcement delay
• Burden of Proof
HHS – “Wall of Shame” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
THANK YOU !!
- Manasdeep
http://reflect-infosec.blogspot.in/
https://twitter.com/manasdeep
https://in.linkedin.com/in/manasdeep