HIPAA Security PowerPoint PPT Presentation


Title: HIPAA Security


1
HIPAA Security
  • CMS - Office of HIPAA Standards (OHS)
  • January 12, 2005
  • Dianne Faup

2
Regulation Dates
  • Published February 20, 2003
  • Effective Date April 21, 2003
  • Compliance Date
      • No later than April 20, 2005 for all covered entities except small health plans
      • No later than April 20, 2006 for small health plans (as HIPAA requires)

3
General Requirements - 164.306(a)
  • Applies to Electronic Protected Health
    Information (PHI)
  • That a Covered Entity Creates, Receives,
    Maintains, or Transmits

4
General Requirements
  • Ensure
      • Confidentiality (only the right people see it)
      • Integrity (the information is what it is supposed to be: no unauthorized alteration or destruction)
      • Availability (the right people can see it when needed)

5
General Requirements
  • Protect against reasonably anticipated threats or hazards to the security or integrity of information
  • Protect against reasonably anticipated uses and disclosures not permitted by privacy rules
  • Ensure compliance by workforce

6
Regulation Themes
  • Scalability/Flexibility
      • Covered entities can take into account
          • Size
          • Complexity
          • Capabilities
          • Technical Infrastructure
          • Cost of security measures
          • Potential security risks

7
Regulation Themes
  • Technologically Neutral
      • What needs to be done, not how
  • Comprehensive
      • Not just technical aspects, but behavioral as well

8
How Is This Accomplished
  • Standards are required, but
      • Implementation specifications, which provide more detail, can be either required or addressable.

9
Addressability
  • If an implementation specification is addressable, a covered entity can
      • Implement, if reasonable and appropriate
      • Implement an equivalent measure, if reasonable and appropriate
      • Not implement it and document why
  • Decisions based on sound, documented reasoning from a risk analysis

10
Maintenance
  • Implemented security measures for compliance must be reviewed and modified as needed to continue reasonable and appropriate protections

11
What are the Standards?
  • Six main Sections
      • 164.306 Security Standards: General Rules
      • 164.308 Administrative Safeguards
      • 164.310 Physical Safeguards
      • 164.312 Technical Safeguards
      • 164.314 Organizational Requirements
      • 164.316 Policies and Procedures and Documentation Requirements

12
Appendix A in Regulation
  • At the end of the regulation, a chart lists each standard, its associated implementation specifications, and whether each is required or addressable

13
Example General Implementation Approach
  • Do Risk Analysis
      • Document
  • Based on Risk Analysis, determine how to implement each standard and implementation specification
      • Document
  • Develop Security Policies and Procedures
      • Document
  • Implement Policies and Procedures
  • Train Workforce
  • Periodic Evaluation

14
CMS/OHS HIPAA Resources
  • http://www.cms.hhs.gov/hipaa/hipaa2/ - CMS HIPAA Administrative Simplification Website for Electronic Transactions and Code Sets, Security, and Unique Identifiers
  • AskHIPAA
  • Roundtables

15
New HIPAA Security FAQs
  • Published 13 new HIPAA Security FAQs to the CMS HIPAA A.S. website (8/12/04)
  • Topics include
      • PHI Coverage
      • Compliance and Certification
      • Risk Analysis, Management and System Vulnerabilities
      • Physical Safeguards
      • Encryption and other technical safeguards
      • NIST publications

16
Summary
  • Scalable, flexible, technology neutral approach
  • First step is risk analysis
  • Standards that make good business sense
  • Provided two-year implementation