HIPAA Legislation
March 16, 2010
- Title I: Guarantees health insurance access, portability and renewability
- Title II: Cost reduction provisions
- Fraud and abuse controls
- Administrative simplification
- Medical liability reform
- Title III: Tax provisions principally for medical savings accounts
- Title IV: Enforcement of group health plan provisions
- Title V: Revenue offset provisions
Administrative Simplification
- Purpose of administrative simplification
- Improve the efficiency and effectiveness of health information systems
- Establish a common set of standards and requirements for electronic information exchange of healthcare data
- Protect the security and privacy of transmitted information
- Creates federal regulation of
- Electronic healthcare transactions (EDI)
- Healthcare identifiers — payer, provider, patient and employer
- Confidentiality and security practices
Financial “Metrics” of Administrative Simplification
- Administration costs represent approximately 26% of total hospital costs (estimated $175 billion)
- Workgroup for Electronic Data Interchange (WEDI) estimates the electronic data interchange (EDI) will lower administrative costs while improving the efficiency and enhancing the quality of healthcare services
- $9 billion per year for providers
- $26 billion per year for the healthcare system
- Financial inaccuracies represent $0.11 of every healthcare dollar
- Fraud and abuse represent $0.03–$0.05 of every healthcare dollar
Final Security Rule
- Defines standards and implementation specifications (IS)
- Implementation Specifications can be:
- Required — must be implemented as stated
- Addressable — organization must assess and document:
- Is the IS reasonable and appropriate for the environment?
- If yes, implement it
- If no, document why and consider an alternative
- Is there an equivalent alternative measure that is reasonable and appropriate?
- If yes, document and implement it
- If no, document the decision
- Does the level of risk require mitigation?
- Sufficient risk — implement the IS or an equivalent alternative (one of the two points above)
- Insufficient risk — document the rationale; the standard itself must still be met
Workforce Administration
- Workforce security
- Provide access to authorized users
- Prevent access for unauthorized users
- Ensure that access to electronic protected health information (ePHI) by a workforce member is appropriate
- Implement procedures for terminating access when employment has ended
- Information access management
- Access authorization
- Access establishment and modification
- Define user roles within the organization
- Define authorization levels for each user role
- Centralize role-based administration of user privileges across all platforms
- Automate account creation through the human resources (HR) system
- Integrate workflow into administrative policies for account set up and termination
- Modify or suspend user privileges through a web interface
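The account lifecycle steps above (define roles and their authorization levels, drive account creation from HR, terminate access when employment ends) can be checked mechanically by reconciling the HR roster against each platform's account export. The following Python is an added example, not code from the original page; the HR fields, the role-to-privilege mapping and the sample people and accounts are all constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical policy: the single authorization level each role may hold on
# systems containing ePHI. Defined once, applied to every platform.
ROLE_AUTHORIZATION = {
    "physician": "clinical_read_write",
    "nurse": "clinical_read_write",
    "billing_clerk": "billing_read",
    "dba": "platform_admin",
}


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    role: str
    status: str                 # "active" or "terminated"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    user_id: str
    platform: str
    privilege: str
    enabled: bool


def reconcile(hr_records, accounts, today):
    """Compare every enabled platform account against the HR roster and the role policy.

    Returns (platform, user_id, reason) tuples for accounts that must be disabled or
    modified. Only account-side drift is reported: an active workforce member with no
    account is a provisioning gap, not an exposure.
    """
    hr_by_id = {r.user_id: r for r in hr_records}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                       # already suspended, nothing to do
        hr = hr_by_id.get(acct.user_id)
        if hr is None:
            # No person behind the account: orphan, shared or vendor account.
            findings.append((acct.platform, acct.user_id, "disable: no HR record"))
            continue
        if hr.status == "terminated":
            days = (today - hr.end_date).days if hr.end_date else "unknown"
            findings.append((acct.platform, acct.user_id,
                             f"disable: employment ended {days} days ago"))
            continue
        expected = ROLE_AUTHORIZATION.get(hr.role)
        if acct.privilege != expected:
            findings.append((acct.platform, acct.user_id,
                             f"modify: privilege {acct.privilege!r} does not match "
                             f"role {hr.role!r} (expected {expected!r})"))
    return findings


def demo():
    """Constructed sample data; returns the findings."""
    today = date(2010, 3, 16)
    hr = [
        HrRecord("jdoe", "physician", "active"),
        HrRecord("mlee", "billing_clerk", "active"),
        HrRecord("rgarcia", "nurse", "terminated", date(2010, 2, 1)),
    ]
    accounts = [
        Account("jdoe", "ehr", "clinical_read_write", True),
        Account("mlee", "ehr", "clinical_read_write", True),     # role drift
        Account("mlee", "billing", "billing_read", True),
        Account("rgarcia", "ehr", "clinical_read_write", True),  # should be gone
        Account("rgarcia", "billing", "billing_read", False),
        Account("svc_backup", "ehr", "platform_admin", True),    # no person behind it
    ]
    return reconcile(hr, accounts, today)


if __name__ == "__main__":
    for platform, user, reason in demo():
        print(f"{platform:8} {user:12} {reason}")
```

Run daily against fresh exports; each finding maps to one of the two workflows the slide names (termination, or modification of privileges), and the "no HR record" case is the one a purely HR-driven provisioning feed never catches.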
Access Control
- Unique user identification — required
- Emergency access procedure — required
- Automatic log off — addressable
- Related administrative safeguards (addressable)
- Log-in monitoring
- Password management
- Current barriers to meeting these requirements
- Balance security with convenience at the clinical workstations
- Limited security capabilities within current applications
Single Sign-On
- Support policies
- Provide access to all authorized applications through a single authentication
- Utilize role-based authorization methods
- Automate password management with strong passwords
- Record application log-in attempts
- Focus on the unique needs of workstations
- Direct authentication for quick change of users
- Secure station lock capability
- Create efficient single sign-off
Security Incident Tracking
- Information system activity review — required
- Review records of information system activity
- Audit logs, access reports and security incident tracking reports
- Security incident response and reporting — required
- Identify and respond to suspected or known security incidents
- Mitigate harmful effects of security incidents that are known to the covered entity
- Document security incidents and their outcomes
- Audit controls — required
- Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain ePHI
Auditing
- Security logs exist for systems that contain ePHI
- Database log files
- Operating system log files
- Application log files (sometimes)
- Other enterprise components maintain security logs
- Raw log files are too extensive and complex to review manually
- Parse individual log files to extract key information and forward to a centralized secure remote repository
- Run reports from this centralized system
- Correlate log information from multiple systems
- Prevent security incidents through proactive notification
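The pipeline sketched above (parse each system's log, keep the key fields, correlate across systems, alert) and the log-in monitoring requirement from the Access Control section are shown below in Python as an added example; it is not code from the original page. The three log formats, every log line, the thresholds and the business-hours window are constructed for the illustration and stand in for whatever the real OS, database and application emit.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample logs from three systems that hold or access ePHI.
OS_AUTH_LOG = """\
2010-03-16T22:41:02 ws-icu-03 sshd: Failed password for jdoe from 10.2.4.9
2010-03-16T22:41:15 ws-icu-03 sshd: Failed password for jdoe from 10.2.4.9
2010-03-16T22:41:29 ws-icu-03 sshd: Failed password for jdoe from 10.2.4.9
2010-03-16T09:05:11 ws-er-12 sshd: Accepted password for mlee from 10.2.7.21
"""
DB_AUDIT_LOG = """\
2010-03-16 22:43:10,ehrdb01,jdoe,SELECT,patients,rows=1200
2010-03-16 09:06:40,ehrdb01,mlee,SELECT,patients,rows=3
"""
APP_LOG = """\
2010-03-16T22:42:30Z app=ehr user=jdoe event=login_success workstation=ws-icu-03
2010-03-16T09:06:02Z app=ehr user=mlee event=login_success workstation=ws-er-12
"""

OS_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
DB_RE = re.compile(r"^([^,]+),([^,]+),([^,]+),([^,]+),([^,]+),rows=(\d+)$")
APP_RE = re.compile(r"^(\S+) app=(\S+) user=(\S+) event=(\S+) workstation=(\S+)$")

# One common shape for every source, so rules need not know the original format.
Event = namedtuple("Event", "ts system user action extra")


def parse_events(os_log, db_log, app_log):
    """Extract the key fields from each format into a single time-ordered stream."""
    events = []
    for line in os_log.splitlines():
        m = OS_RE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            action = "login_failure" if outcome == "Failed" else "login_success"
            events.append(Event(datetime.fromisoformat(ts), host, user, action, {"src": src}))
    for line in db_log.splitlines():
        m = DB_RE.match(line)
        if m:
            ts, host, user, stmt, table, rows = m.groups()
            events.append(Event(datetime.fromisoformat(ts), host, user,
                                "db_" + stmt.lower(), {"table": table, "rows": int(rows)}))
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if m:
            ts, app, user, event, ws = m.groups()
            events.append(Event(datetime.fromisoformat(ts.rstrip("Z")), app, user,
                                event, {"workstation": ws}))
    events.sort(key=lambda e: e.ts)
    return events


# Constructed thresholds; tune to the environment.
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)
BULK_ROWS = 500
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time


def detect(events):
    """Correlate the normalised stream and return alert strings."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> failure timestamps inside the window
    for ev in events:
        if ev.action == "login_failure":
            kept = [t for t in recent_failures[ev.user] if ev.ts - t <= FAILURE_WINDOW]
            recent_failures[ev.user] = kept + [ev.ts]
        elif ev.action == "login_success":
            # Failures on one system (OS) followed by success on another (application):
            # the correlation a single log file cannot show.
            n = len([t for t in recent_failures[ev.user] if ev.ts - t <= FAILURE_WINDOW])
            if n >= FAILURE_THRESHOLD:
                alerts.append(f"{ev.ts:%H:%M:%S} {ev.system}: {ev.user} login succeeded after "
                              f"{n} failures across systems within {FAILURE_WINDOW}")
            recent_failures[ev.user] = []
        elif (ev.action == "db_select" and ev.extra["rows"] >= BULK_ROWS
              and ev.ts.hour not in BUSINESS_HOURS):
            alerts.append(f"{ev.ts:%H:%M:%S} {ev.system}: {ev.user} read {ev.extra['rows']} "
                          f"rows from {ev.extra['table']} outside business hours")
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(OS_AUTH_LOG, DB_AUDIT_LOG, APP_LOG)):
        print(alert)
```

The parsers run where the logs originate and only the normalised events travel to the central repository, which keeps the repository small and lets the same rules apply whichever product produced the line. Forwarding should be over an authenticated channel to a host the monitored systems' administrators cannot write to, otherwise the audit trail is only as trustworthy as the systems it audits.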
System Access Controls
- Risk management
- Reduce security risks and vulnerabilities to a reasonable and appropriate level
- Isolating healthcare clearinghouse functions
- Where a clearinghouse is part of a larger organization, protect its ePHI from unauthorized access by the rest of the organization
- Access control and validation procedures
- Control and validate access to software programs for testing and revision
- Authenticating ePHI
- Help ensure ePHI has not been altered or destroyed in an unauthorized manner
- Current barriers to proper access controls
- Systems administrators are allowed to access all components
- Superusers are given global access to ePHI on distributed platforms
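The "authenticating ePHI" requirement above (detect unauthorized alteration or destruction) is commonly met with a keyed hash stored alongside each record and checked during activity review. The Python below is an added example, not code from the original page; the record layout, the demo key and the patient records are constructed, and a real deployment would fetch the key from a KMS or HSM rather than embed it.

```python
import hashlib
import hmac
import json


def canonical(record):
    """Serialise a record deterministically so equal content always gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Keyed integrity tag. A plain hash would not do: whoever can edit the row can
    recompute it; recomputing an HMAC needs the key, which is held elsewhere."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record, tag, key):
    return hmac.compare_digest(seal(record, key), tag)   # constant-time comparison


def build_store(key):
    """Constructed sample: three records sealed at write time, plus a sealed manifest
    of record ids so that destruction of a whole record is detectable as well."""
    records = {
        "MRN-0001": {"name": "A. Patient", "dob": "1961-04-02", "allergies": ["penicillin"]},
        "MRN-0002": {"name": "B. Patient", "dob": "1975-11-19", "allergies": []},
        "MRN-0003": {"name": "C. Patient", "dob": "1988-07-30", "allergies": ["latex"]},
    }
    store = {rid: (rec, seal(rec, key)) for rid, rec in records.items()}
    manifest_tag = seal({"ids": sorted(store)}, key)
    return store, manifest_tag


def audit_store(store, manifest_tag, key):
    """Integrity pass for information system activity review: which records no longer
    match their tag, and is the set of records still the one that was sealed?"""
    altered = [rid for rid, (rec, tag) in sorted(store.items()) if not verify(rec, tag, key)]
    set_intact = verify({"ids": sorted(store)}, manifest_tag, key)
    return {"altered": altered, "set_intact": set_intact}


def demo():
    # Demo key only (constructed). In production the key comes from a KMS/HSM and is
    # never stored beside the data it protects.
    key = b"constructed-demo-key-not-for-production"
    store, manifest_tag = build_store(key)
    before = audit_store(store, manifest_tag, key)
    # Unauthorised direct edit that bypasses the application and its audit log.
    store["MRN-0002"][0]["allergies"].append("none recorded")
    # Unauthorised destruction of a record.
    del store["MRN-0003"]
    after = audit_store(store, manifest_tag, key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at seal time:   ", before)
    print("after tampering:", after)
```

The same check answers the data backup plan's "retrievable exact copies" question: verifying restored records against their stored tags shows whether the copy is exact, and the manifest shows whether it is complete. The barrier the slide names applies here too: a superuser with global access to the database still cannot forge tags unless the key is reachable from that same host.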
Security Management Process
- Risk analysis — required
- Conduct an assessment of potential risks
- Risk management — required
- Implement security measures to reduce risks
- Information system activity review — required
- Regularly review records of information system activity
- Additional requirements
- Protect against malicious software
- Implement policies and procedures that define proper functions and manner of workstation use
- Combine network protection, session monitoring and internet content blocking
- Monitor and review network activity to determine potential risks
- Protect against network attacks, including Denial of Service attacks
- Detect traffic that violates policy and automatically close the offending session
- Block access to external websites in line with company policy
Contingency Plan and Operations
- Data backup plan — required
- Create and maintain retrievable exact copies of ePHI
- Disaster recovery plan — required
- Establish procedures to restore any loss of data
- Must contain documented policies and procedures
- Emergency mode operation plan — required
- Must provide for the protection of the security of ePHI while operating in an emergency mode
- Time limit — required
- Retain documentation for six years from the date of its creation or the date it was last in effect, whichever is later
www.bestitdocuments.com