understanding hipaa

Understanding HIPAA Impact and Importance in Information Security…. Manasdeep ([email protected])

Post on 18-Jan-2017

TRANSCRIPT

Page 1: Understanding HIPAA

Understanding HIPAA

Impact and Importance in Information Security….

Manasdeep([email protected])

Page 2: Understanding HIPAA

#aboutme

• Information Security Consultant

• Interested in Compliance and Penetration Testing

• Have a flair for writing about Information Security

• Like to learn and demonstrate the latest security attack vectors and technologies

Page 3: Understanding HIPAA

Agenda

• What is HIPAA?

• Why was HIPAA needed?

• Who are the Covered Entities (CE) and Business Associates (BA)?

• Three Pillars of HIPAA Compliance

• Critical success factor for achieving HIPAA compliance

• Actions to Reduce Liability & Risks

• Q&A

Page 4: Understanding HIPAA

Structure of HIPAA

Page 5: Understanding HIPAA

HIPAA Components in Focus

HIPAA is the Federal Health Insurance Portability and Accountability Act of 1996.

Administered by the U.S. Department of Health and Human Services (HHS).

Implementation and civil enforcement are overseen by the HHS Office for Civil Rights (OCR).

• HIPAA Privacy Rule: protects the privacy of individually identifiable health information.

• HIPAA Security Rule: sets national standards for the security of electronic protected health information.

• HIPAA Breach Notification Rule: requires covered entities and business associates to provide notification following a breach of unsecured protected health information.

Page 6: Understanding HIPAA

Why was HIPAA needed?

1. Insurance companies denied coverage to employees who had a pre-existing condition, even if those employees were previously covered by another employer.

2. No standardization for billing formats and codes used to file claims

   • Basic information, such as patient name and treatment date, was formatted differently by each payer

3. Insurance coding was very complex, and there were many errors

   • Companies often rejected many claims and delayed payments to providers

   • High cost of administration

HL7, ICD-10

Page 7: Understanding HIPAA

HIPAA Protects…

Individuals' personally identifiable health information:

• Health conditions – diagnosis, test results

• Demographic information – name, address, gender

• Clinical data – vital signs, lab results, etc.

• Treatments & procedures

• Billing and payment information

Protected health information (PHI) which is:

• Transmitted by electronic media;

• Maintained in electronic media; or

• Transmitted or maintained in any other form or medium.

Page 8: Understanding HIPAA

Pillars of HIPAA

Privacy Rule

• Notice of privacy practices

• Rights over PHI

• Access to PHI

• Uses and disclosures

• Accounting of disclosures

Security Rule

• Administrative safeguards

• Physical safeguards

• Technical safeguards

Breach Notification Rule

• Breach notification requirements for Covered Entities (CE) and Business Associates (BA)

Page 9: Understanding HIPAA

Extent of HIPAA Applicability

Covered Entities

Any healthcare organization that stores, processes, or transmits personal health information.

Covered Entities can be:

• Health Plan

• Health Care Provider

• Health Care Clearinghouse

Business Associates

Any entity that uses or discloses protected health information on behalf of, or provides services to, a covered entity.

Business associate services can be in: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Page 10: Understanding HIPAA

Breach Notification

What to do?

• Risk assessment of the breach

• Notification to individuals impacted by the breach

  • within 60 days of discovery of the breach

  • it also depends on State law

Focus on:

• Content of notification

• Notification to the media

• Notification to the Secretary

• Notification by a business associate

• Law enforcement delay

• Burden of proof

HHS – "Wall of Shame": https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 11: Understanding HIPAA

THANK YOU !!

- Manasdeep

http://reflect-infosec.blogspot.in/

https://twitter.com/manasdeep

https://in.linkedin.com/in/manasdeep