HIPAA Regulations for Security and Privacy: How do they affect us PowerPoint PPT Presentation


1
HIPAA Regulations for Security and Privacy: How do they affect us?
  • July, 2001
  • Jack Buchanan, MSEE, MD
  • University of Tennessee Health Science Center
    Memphis, TN
  • Internet2 Medical Middleware

2
HIPAA Security and Privacy Regulations
  • Mandated by Congress via the Health Insurance
    Portability and Accountability Act of 1996.
  • Requirements for
    • Data Interchange Standards
    • Data Security
    • Patient Privacy

3
HIPAA Security and Privacy Regulations
  • Regulations were to have been established by a
    separate Congressional act
  • Escape clause mandated HHS to write regulations
    if Congress didn't act by a deadline
  • Regulations issued during final days of Clinton
    administration
  • Delayed, then affirmed, by Bush administration
  • We now have final Privacy Regulations,
    preliminary Security Regulations

4
HIPAA Security and Privacy Regulations-Purpose
  • To prevent inappropriate use of health
    information associated with an individual patient
  • To require organizations which use health
    information to protect the information and the
    systems which store, transmit, and process it
  • Explicitly includes systems and procedures
    belonging to associates and subcontractors
    • Requires Chain of Trust agreements

5
HIPAA Security and Privacy Regulations-Who?
  • Definitely apply if you are (or have a unit which
    is) a
    • Health provider
    • Health plan
    • Healthcare clearinghouse

6
HIPAA Security and Privacy Regulations-Who?
  • Maybe (probably) apply, if you are affiliated
    with the above as
    • Business Associate
    • Contractor
    • Consultant
    • Researcher, if data is identifiable as to person

7
HIPAA Security and Privacy Regulations-When?
  • Politics has made this a little difficult to
    determine
  • The argument that they will NEVER go into effect
    has become MUCH less credible
  • Working Deadline Mid 2003

8
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Many requirements are specifically spelled out
    • Assign responsibility for security to a person or
      an organization
    • Assess risks and determine the major threats to
      the security and privacy of protected health
      information

9
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Establish a security management program that
    addresses
    • physical security
    • personnel security
    • technical security controls
    • security incident response
    • disaster recovery

10
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Certify the effectiveness of new or existing
    security controls
  • Appoint a privacy officer and a point of contact
    for receiving privacy complaints
  • Adopt a privacy policy and publicize the policy
    by giving notice to patients/partners

11
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Privacy policies must have specific provisions,
    as regards protected health information, for
    • Gaining consent and authorization
    • Restricting use and disclosure
    • Receiving and resolving complaints

12
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Change contracts and business partner agreements
    to include a contractual requirement that
    partners handle protected health information
    properly
  • Train the covered entity's workforce and business
    associates who work on the covered entity's
    premises to follow proper security and privacy
    policies and procedures

13
HIPAA Security and Privacy Regulations
  • What's a covered entity to do?
  • Document security and privacy policies and
    procedures, as well as actions taken to ensure
    that policies and procedures are enforced
  • Minimum necessary information to be provided to
    fulfill the purpose of a request
    • Provision of patient care is exempted
    • Clinical research information is NOT exempt

14
HIPAA Security and Privacy Regulations
  • Penalties for non-compliance
    • Civil monetary penalties on a per-person,
      per-violation basis
    • Very strong penalties for misuse with knowledge
      • Significant fines
      • Prison
  • Penalties potentially apply to
    • Individual violator
    • Organization
    • Officers of organization

15
HIPAA Security and Privacy Regulations: Implications
  • Security and privacy regulations do not mention
    technology, BUT
  • Implementation will almost certainly involve
    technology
  • Requirement that an entity is responsible for
    security and privacy of affiliates and trading
    partners at least requires a coordinated approach

16
HIPAA Security and Privacy Regulations: Implications
  • HIPAA imposes an industry-wide common set of
    business practices, at least as applied to
    security and privacy
  • HIPAA provides an opportunity for standards-based
    mechanisms for secure and private use and
    transfer of data, both clinical and administrative
    (billing)

17
HIPAA Security and Privacy Regulations: Implications
  • Almost all transactions in this arena involve
    data transfers across multiple administrative
    boundaries
  • Facilities for secure and private data transfer
    across administrative boundaries should be
    designed in from the start, particularly given
    the new legal requirements in this arena

18
HIPAA Security and Privacy Regulations: Implications
  • To be useful, standards should involve all
    medical transactions: a very broad scope
  • The Internet2 consortium is seeking to address this
    problem, initially as an extension of emerging
    standards for academic data interchange
  • We have been slow to make progress; still feeling
    our way

19
HIPAA Security and Privacy Regulations: Implications
  • The academic environment so far has not been
    conducive to rigorous development of the needed
    standards and practices
  • The OMG process may provide the necessary discipline,
    particularly since
    • OMG, particularly the Healthcare DTF, has already
      addressed many of these issues: RAD, PIDS, etc.
    • Model Driven Architecture may provide an opportunity
      for new approaches

20
HIPAA Security and Privacy Regulations: Implications
  • We think we are identifying and defining very
    important problems in this arena. We need help
    with the solutions, and enlightenment if we have
    strayed
  • Could result in vendor-neutral, standards-based,
    approaches to data interchange in this very
    fragmented industry
  • Could provide a common base for vendors to add
    true value
  • Could ultimately provide a framework for
    open-source electronic patient record
