Hipaa 151214100920 PDF
HIPAA
Outline
• Introduction
• Background
• HIPAA Basics
• EPHI Enforcement
• Breach Notifications
• Additional rules to HIPAA
• HIPAA and Governance Implementation
• HIPAA Challenges
• Conclusion
Introduction
• The privacy of health information has become an important concern for all institutions delivering healthcare.
Administrative safeguards
“are actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information” (HHS 2015).
HIPAA Security Rule (Cont.)
Physical safeguards
“are physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion” (HHS 2015).
HIPAA Security Rule (Cont.)
Technical Safeguards
“The technology and related policies and procedures that protect ePHI and control access to it. The Technical Safeguards standards apply to all ePHI. The Rule requires a covered entity to comply with the Technical Safeguards standards and provides the flexibility to covered entities to determine which technical security measures will be implemented” (HHS 2015).
HIPAA Security Rule (Cont.)
Policies, Procedures and Documentation Requirements
● Policies and Procedures Standard:
It requires covered entities to implement reasonable and appropriate policies and procedures to comply with the standards and implementation specifications.
● Documentation Standard has three implementation specifications, which are:
• Time Limit (R): Under the Security Rule, the minimum retention period for essential documentation is six years.
• Availability (R): Documentation must be available in printed manuals and/or on a portal within the covered entity.
• Update (R): Documentation must be maintained so that it reflects the current status of the covered entity’s security strategies.
HIPAA Security Rule (Cont.)
CIA of ePHI
HIPAA ensures the core security objectives for all ePHI:
✓ Confidentiality
✓ Integrity
✓ Availability
ePHI Enforcement
• There are penalties for non-compliance with HIPAA
• Final rule in 2013
• Factors:
• The nature and extent of the violation
• The nature and extent of the harm
• The history of prior compliance
• The financial condition
ePHI Enforcement
Over $36 Million in resolution agreements and fines for a variety of issues
Breach Notifications
Breach
Impermissible acquisition, access, use, or disclosure of PHI which compromises the security or privacy of the PHI.
Aug 2014
• It consists of a set of standards that provide prescriptive guidance for securing and protecting PHI.
General Rules
Administrative, Physical, and Technical Safeguards
Policies and Procedures
Documentation Requirements
Thank You
References
[1] Massey, Aaron K., and Paul N. Otto. "Aligning Requirements with HIPAA in the iTrust System." 16th IEEE International Requirements Engineering Conference. IEEE, 2008.
[2] Otto, Paul N., and Annie Antón. "Addressing legal requirements in requirements engineering." Requirements Engineering Conference, 2007. RE'07. 15th IEEE International. IEEE, 2007.
[3] Breaux, Travis D., and Annie Antón. "Analyzing goal semantics for rights, permissions, and obligations." Requirements Engineering, 2005. Proceedings. 13th IEEE International Conference on. IEEE, 2005.
[4] Chessman, John, and Alan R. Heminger. "A Study of US Battlefield Medical Treatment/Evacuation Compliance with HIPAA Requirements." System Sciences, 2009. HICSS'09. 42nd Hawaii International Conference on. IEEE, 2009.
[5] Antognini, Richard L. "Law of Unintended Consequences: HIPAA and Liability Insurers." Def. Counsel J. 69 (2002): 296.
[6] Mitra, Soumyadeb. Trustworthy and Cost Effective Management of Compliance Records. 2008.
[7] Choi, Young B., et al. "Challenges associated with privacy in health care industry: implementation of HIPAA and the security rules." Journal of Medical Systems 30.1 (2006): 57-64.
[8] Kwon, Juhee, and M. Eric Johnson. "Healthcare Security Strategies for Regulatory Compliance and Data Security." System Sciences (HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013.
[9] Chau, Minh, and Eric K. Clemons. "Individual Privacy and Online Services." System Sciences (HICSS), 2011 44th Hawaii International Conference on. IEEE, 2011.
[10] Rezaeibagha, Fatemeh, Khin Than Win, and Willy Susilo. "A systematic literature review on security and privacy of electronic health record systems: technical perspectives." The HIM Journal 44.3 (2015): 23.
[11] Whitman, Michael E. "Enemy at the gate: threats to information security." Communications of the ACM 46.8 (2003): 91-95.
[12] Richardson, Robert. "CSI computer crime and security survey." Computer Security Institute 1 (2008): 1-30.
[13] He, Yuhong, and C. W. Johnson. "Generic security cases for information system security in healthcare systems." (2012): 21-21.
[14] J. Esq, "10 Trends in Healthcare Privacy You Need to Know Now," in Twenty-Third National HIPAA Summit, 2015.
[15] Hhs.gov, 2015. [Online]. Available: http://www.hhs.gov/ocr/hipaa. [Accessed: 21-Nov-2015].
[16] Alshugran, Tariq, and Julius Dichter. "Extracting and modeling the privacy requirements from HIPAA for healthcare applications." Systems, Applications and Technology Conference (LISAT), 2014 IEEE Long Island. IEEE, 2014.
[17] Alshugran, Tariq, Julius Dichter, and Miad Faezipour. "Formally expressing HIPAA privacy policies for web services." Electro/Information Technology (EIT), 2015 IEEE International Conference on. IEEE, 2015.
[18] Fda.gov, "Medical Devices," 2015. [Online]. Available: http://www.fda.gov/MedicalDevices/default.htm. [Accessed: 21-Nov-2015].
[19] Alshugran, Tariq, and Julius Dichter. "Toward a privacy preserving HIPAA-compliant access control model for web services." Electro/Information Technology (EIT), 2014 IEEE International Conference on. IEEE, 2014.
[20] Cisco.com, 2015. [Online]. Available: http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Compliance/HIPAA/default.html. [Accessed: 21-Nov-2015].
[21] Tulu, Bengisu, and Samir Chatterjee. "A new security framework for HIPAA-compliant health information systems." AMCIS 2003 Proceedings (2003): 116.
[22] Dey, Sukhen. "Impact of Affordable Care Act (ACA) on Health Informatics." Information and Computer Technology (GOCICT), 2014 Annual Global Online Conference on. IEEE, 2014.
[23] Tummala, R. Lal, and Manasa Chagantipati. "Technological challenges in health care." World Automation Congress (WAC), 2014. IEEE, 2014.
[24] HIPAA.com, "HIPAA.com - Compliance Made Easy," 2015. [Online]. Available: http://HIPAA.com. [Accessed: 21-Nov-2015].
[25] Grossman, C. "Playing Russian roulette. The impact of HIPAA and HITECH on healthcare data governance." Health Management Technology 35.9 (2014): 26.
[26] Stevens, Gina. "The Federal Trade Commission’s Regulation of Data Security under Its Unfair or Deceptive Acts or Practices (UDAP) Authority." Congressional Research Service 11 (2014).
[27] Chang, Joyce LT. "Dark Cloud of Convenience: How the HIPAA Omnibus Rules Fail to Protect Electronic Personal Health Information, The." Loy. LA Ent. L. Rev. 34 (2013): 119.
[28] Breaux, Travis D., and Annie Antón. "Analyzing regulatory rules for privacy and security requirements." Software Engineering, IEEE Transactions on 34.1 (2008): 5-20.
[29] Nahra, Kirk J. "HIPAA security enforcement is here." Security & Privacy, IEEE 6.6 (2008): 70-72.
[30] Fleming, Grace. "HIPAA-Cratic or HIPAA-Critical: US Privacy Protections Should Be Guaranteed by Covered Entities Working Abroad." Minn. L. Rev. 98 (2013): 2375.