HIPAA Security Standards Final Rule - PowerPoint PPT Presentation
1
HIPAA Security Standards Final Rule
  • Stanley Nachimson
  • Office of HIPAA Standards
  • CMS

2
Regulation Dates
  • Published February 20, 2003
  • Effective Date April 21, 2003
  • Compliance Date
  • April 21, 2005 for all covered entities except
    small health plans
  • April 21, 2006 for small health plans (as HIPAA
    requires)

3
General Requirements (§164.306(a))
  • Ensure
    • Confidentiality (only the right people see it)
    • Integrity (the information is what it is supposed
      to be; it hasn't been changed)
    • Availability (the right people can see it when
      needed)

4
General Requirements
  • Applies to Electronic Protected Health
    Information
  • That a Covered Entity Creates, Receives,
    Maintains, or Transmits

5
General Requirements
  • Protect against reasonably anticipated threats or
    hazards to the security or integrity of
    information
  • Protect against reasonably anticipated uses and
    disclosures not permitted by privacy rules
  • Ensure compliance by workforce

6
Regulation Themes
  • Scalability/Flexibility: covered entities can take
    into account
    • Size
    • Complexity
    • Capabilities
    • Technical Infrastructure
    • Cost of procedures to comply
    • Potential security risks

7
Regulation Themes
  • Technologically Neutral
    • What needs to be done, not how
  • Comprehensive
    • Not just technical aspects, but behavioral as well

8
How Did We Accomplish This?
  • Standards are required, but
  • Implementation specifications, which provide more
    detail, can be either required or addressable.

9
Addressability
  • If an implementation specification is
    addressable, a covered entity can
    • Implement it, if reasonable and appropriate
    • Implement an equivalent measure, if reasonable
      and appropriate
    • Not implement it
  • Based on sound, documented reasoning from a risk
    analysis

10
What are the Standards?
  • Three types
    • Administrative
    • Physical
    • Technical

11
Administrative Standards
  (R = required implementation specification,
   A = addressable implementation specification)
  • Security Management
    • Risk analysis (R)
    • Risk management (R)
  • Assigned Responsibility
  • Workforce Security
    • Termination procedures (A)
    • Clearance Procedures (A)

12
Administrative Standards
  • Information Access Management
    • Isolating Clearinghouse (R)
    • Access Authorization (A)
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Evaluation
  • Business Associate Contracts

13
Physical Standards
  • Facility Access Controls (all specifications
    addressable)
    • Contingency operations
    • Facility Security Plan
    • Access control
    • Maintenance Records
  • Workstation Use (no implementation specifications)
  • Workstation Security
  • Device and Media Controls

14
Technical Standards
  • Access Control
    • Unique User ID (R)
    • Emergency Access (R)
    • Automatic Logoff (A)
    • Encryption and Decryption (A)
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security

15
Chart in Regulation
  • At end of the regulation, this chart lists each
    standard, its associated implementation
    specifications, and if they are required or
    addressable

16
Basic Changes from NPRM
  • Aligned with Privacy (Definitions, requirements
    for business associates)
  • Encryption now addressable
  • No requirement for certification
  • Standards simplified and redundancy eliminated.

17
Implementation Approach
  • Do risk analysis; document the results
  • Based on the analysis, determine how to implement
    each standard and implementation specification;
    document the decisions
  • Develop security policies and procedures;
    document them
  • Train workforce
  • Implement policies and procedures
  • Periodic evaluation

18
Summary
  • Scalable, flexible approach
  • Standards that make good business sense
  • Two years for implementation
  • First step is risk analysis