hipaa security rule overview
play

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP - PowerPoint PPT Presentation

Jun 11, 2023 •107 likes •256 views

HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP Chief Information Security Officer NewYork-Presbyterian Hospital The Use of Electronic Technology in Healthcare Over the past decade the health care industry began to rely

  1. HIPAA Security Rule Overview Jennings Aske, JD, CISSP, CIPP/US VP – Chief Information Security Officer NewYork-Presbyterian Hospital

  2. The Use of Electronic Technology in Healthcare Over the past decade the health care industry began to rely more heavily on the use of electronic information systems.  Providers use clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems.  Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient, the rise in the adoption rate of these technologies increases the potential security risks.

  3. 3 3

  4. The health care system cannot deliver effective and safe care without deeper digital connectivity. If the health care system is connected, but insecure, this connectivity could betray patient safety . . . . Our nation must find a way to prevent our patients from being forced to choose between connectivity and security. - Health Care Industry Cybersecurity Task Force, June 2017 Report On Improving Cybersecurity In The Health Care Industry 4 4

  5. HIPAA Security Rule Purpose Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry.  The Security Rule established a national set of security standards for protecting certain health information that is held or transferred in electronic form.  The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations covered entities must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules through voluntary compliance activities, audits, and civil money penalties.

  6. HIPAA Security Rule Overview A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule is designed to be reasonable and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI. The Security Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in a standardized electronic form, and to their business associates.

  7. HIPAA Security Rule General Requirements The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI. Specifically, covered entities must:  Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;  Identify and protect against reasonably anticipated threats to the security or integrity of the information;  Protect against reasonably anticipated, impermissible uses or disclosures; and  Ensure compliance by their workforce.

  8. Reasonable and Scalable Requirements Under the Security Rule, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:  Its size, complexity, and capabilities,  Its technical, hardware, and software infrastructure,  The costs of security measures, and  The likelihood and possible impact of potential risks to e-PHI. Covered entities must continually review and modify their security measures to continue protecting e-PHI in a changing environment.

  9. Risk Analysis: The Key to the Security Rule The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.  A risk analysis helps a covered entity determine which security measures are reasonable and appropriate for a particular covered entity.  A risk analysis helps affects the implementation of all of the safeguards contained in the Security Rule.

  10. Risk Analysis: The Key to the Security Rule A risk analysis process includes, but is not limited to, the following activities:  Evaluate the likelihood and impact of potential risks to e-PHI;  Implement appropriate security measures to address the risks identified in the risk analysis;  Document the chosen security measures and, where required, the rationale for adopting those measures; and  Maintain continuous, reasonable, and appropriate security protections. Risk analysis should be an ongoing process, in which a covered entity periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

  11. Administrative Safeguards  Security Management Process – overall covered entity security program backed by policies and procedures  Security Personnel – a designated person at the covered entity with responsibility for compliance  Information Access Management – processes for ensuring that only authorized individuals can access e-PHI  Workforce Training and Management – education and awareness for all individuals as to their responsibility for security  Evaluation – mechanisms for evaluating compliance with the Security Rule, and the effectiveness of the covered entity’s security posture

  12. Physical Safeguards  Facility Access and Control – policies and procedures to limit physical access to e-PHI and computing systems  Contingency Operations – safeguards to secure e-PHI during a disaster or emergency  Facility Security Plan – overall plan for securing a covered entity’s facilities  Workstation and Device Security – policies procedures for securing access to computing devices

  13. Technical Safeguards  Access Control – the ability to technically restrict access to e-PHI and computers  Audit Controls – the ability to review and detect access to e-PHI, including potential unauthorized access  Integrity Controls – the ability to ensure that e-PHI hasn’t been altered  Transmission Security – the ability to protect e-PHI as it travels over an ”untrusted” network such as the internet

  14. Security Rule Summary  Protects e-PHI by establishing a general information security framework;  Provides flexibility of approach; and  Requires risk analysis and risk management, along with specific administrative, physical, technical safeguards

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to

Outline to HIPAA presentation I) Overview of the HIPAA Privacy Rule regulations that relate to obtaining a persons medical records for court proceedings and law enforcement purposes. A) Entities covered by HIPAA The medical records of a patient

405 views • 6 slides
Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of

Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of

How the City of Lewisville Has Complied in a Paperless World Sources s of Law HIPAA AA (Health Insurance Portability and Accountability Act of 1996) o Privacy Rule o Security Rule o Enforcement Rule o Genetic Information

416 views • 27 slides
Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule April 2019

Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule April 2019

Health Insurance Portability and Accountability Act (HIPAA): Breach Notification Rule April 2019 Alissa Smith 1 Outline of Presentation HIPAA Breach Notification Rule Overview Updates on OCR Enforcement Complaints

485 views • 36 slides
HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it

HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it

HIPAA SECURITY POLICIES AND PROCEDURES (P&P) AND COMPUTER NETWORK DOCUMENTATION (CND) Get it from DUMATEK ! Get you HIPAA Security P&P and CND here! ONLY $5040.00 This solution becomes ongoing and proprietary to your company. HIPAA

107 views • 10 slides
Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement

Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement

Research & HIPAA October, 2016 Overview HIPAA & Research Increased Enforcement HIPAA Security 2 HIPAA & Research HIPAA & Research 4 HIPAA & Research PHI Disclosure for PHI Use for Research Research

752 views • 59 slides
DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three types of entities, which are known as

111 views • 7 slides
Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy,

Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy,

Beyond HIPAA: Registries as an exemplar of health data Beyond HIPAA Privacy, Confidentiality & Security Subcommittee May 15, 2018 Beyond HIPAA Initiative Builds on NCVHSs past work and the work of other government and private

240 views • 10 slides
HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The

HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The

HIPAA In The Workplace What Every Employer Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

575 views • 33 slides
EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau

EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau

EVV Security and Privacy Approach Marguerite Marsh, HIPAA Privacy Officer Matt Williams, Bureau Chief, Information Security and Technology 1 What is HIPAA? 2 HIPAA What: Health Insurance Portability and How: Congress mandated the establishment

444 views • 9 slides
HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and

HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and

Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern | 12pm Central | 11am

793 views • 53 slides
Lyn E. Beggs, Esq. Nutile Pitz & Associates HIPAA Final Omnibus Rule Patient

Lyn E. Beggs, Esq. Nutile Pitz & Associates HIPAA Final Omnibus Rule Patient

Lyn E. Beggs, Esq. Nutile Pitz & Associates HIPAA Final Omnibus Rule Patient Protection and Affordable Care Act (ACA) Trends in medicine: concierge practices/direct primary care; medical directorships, etc. Are you in

432 views • 25 slides
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule Provisions Sets boundaries on the use/release of health records Holds violators accountable with penalties Strikes a balance when public health

357 views • 12 slides
HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c.

HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c.

HIPAA COW Webinar: HIPAA, HITECH and Business Associates Heather Fields, J.D. Reinhart Boerner Van Deuren s.c. HIPAA COW Webinar November 11, 2010 Presentation Overview TOP 3 HIPAA Compliance Risks Unauthorized Use and Disclosure of

522 views • 28 slides
HIPAA/HITECH Omnibus Final Rule Secretarys Advisory Committee on Human Research Protections

HIPAA/HITECH Omnibus Final Rule Secretarys Advisory Committee on Human Research Protections

Office of the Secretary Office for Civil Rights (OCR) HIPAA/HITECH Omnibus Final Rule Secretarys Advisory Committee on Human Research Protections March 2013 Christina Heide, JD Senior Health Information Privacy Policy Specialist HHS

342 views • 15 slides
HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data

HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data

Presenting a live 90 minute webinar with interactive Q&A HIPAA Privacy and Security: y y Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches THURS DAY, MAY 5, 2011 1pm Eastern

836 views • 56 slides
Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA

Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA

Training Course HIPAA Health Insurance Portability and Accountability Act HIPAA initially went into effect April 14, 2003 HIPAA is a set of rules that is to be followed by doctors, hospitals and other health care providers.

284 views • 25 slides
DEPARTMENT OF SAFETY & SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March

DEPARTMENT OF SAFETY & SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March

DEPARTMENT OF SAFETY & SECURITY OVERVIEW Embracing A New Direction JANUARY 2013 March 25, 2010 DEPARTMENT OF SAFETY & SECURITY WORKFLOW Public Safety Technical Security Cooperative Partnerships Emergency Management 2

335 views • 15 slides
Defence Industry Security Program May 2019 2 Security Environment Corporate Espionage

Defence Industry Security Program May 2019 2 Security Environment Corporate Espionage

Defence Industry Security Program May 2019 2 Security Environment Corporate Espionage Foreign Espionage and Interference Foreign Ownership, Control and Influence Cyber threats Insider threats Variable security

432 views • 16 slides
Corporate Security Culture View from the T op What do we mean by Corporate Culture? Refers

Corporate Security Culture View from the T op What do we mean by Corporate Culture? Refers

Corporate Security Culture View from the T op What do we mean by Corporate Culture? Refers to the shared values, attitudes, standards, and beliefs that characterize members of an organization and define its nature Rooted in an

329 views • 14 slides
Safety and Security Arkansas School Safety Commission Preliminary Report Issued July 10, 2018

Safety and Security Arkansas School Safety Commission Preliminary Report Issued July 10, 2018

Safety and Security Arkansas School Safety Commission Preliminary Report Issued July 10, 2018 Final to be issued on November 30, 2018 1. The Commission recommends that no campus should be without armed presence when staff and children are

249 views • 9 slides
RSCCD Update on Implementation Plan of Public Safety Task Force Security Recommendations Public

RSCCD Update on Implementation Plan of Public Safety Task Force Security Recommendations Public

RSCCD Update on Implementation Plan of Public Safety Task Force Security Recommendations Public Safety Task Force I n Se pte mb e r 2013 the Cha nc e llo r c re a te d a Pub lic Sa fe ty T a sk F o rc e (PST F ) T he purpo se

754 views • 25 slides
Investor Presentation January 8, 2020 NYSE: CVIA Forward Looking Statements Forward-Looking

Investor Presentation January 8, 2020 NYSE: CVIA Forward Looking Statements Forward-Looking

Investor Presentation January 8, 2020 NYSE: CVIA Forward Looking Statements Forward-Looking Statements This presentation contains forward-looking statements intended to qualify for the protection of the safe harbor provided by the Private

342 views • 17 slides
Fourth Quarter 2018 Conference Call Investor Presentation St. Paul, MN Jan. 17, 2019 2 Safe

Fourth Quarter 2018 Conference Call Investor Presentation St. Paul, MN Jan. 17, 2019 2 Safe

Fourth Quarter 2018 Conference Call Investor Presentation St. Paul, MN Jan. 17, 2019 2 Safe Harbor & Regulation G Safe Harbor Statement Certain matters discussed today may include 'forward looking statements' as that term is defined

584 views • 23 slides
Codan Shareholder Presentation Codan Shareholder Presentation Codan Shareholder Presentation

Codan Shareholder Presentation Codan Shareholder Presentation Codan Shareholder Presentation

Codan Shareholder Presentation Codan Shareholder Presentation Codan Shareholder Presentation Codan Shareholder Presentation Minelab Overview Minelab Overview October 2008 P t Peter Charlesworth Ch l th General Manager - Minelab Minelab

380 views • 14 slides

More recommend