I haven't heard of HIPAA, but I can hip hop. - PowerPoint PPT Presentation


Title: PowerPoint Presentation Last modified by: Mark Higley Created Date: 1/1/1601 12:00:00 AM Document presentation format: On-screen Show Other titles – PowerPoint PPT presentation

Slides: 82
Provided by: vgmCompres
Learn more at: http://www.vgm.com

"I haven't heard of HIPAA, but I can hip hop."
HIPAA Security Standards Final Rule: Some Tips &
Updates for HME/Rehab Providers
Mark J. Higley, Vice President - Development, The
VGM Group
In this Presentation
  • Privacy Rule Status
  • Quick Update on TCS
  • Introduction to the Security Standards
  • Let's Get Started!

By Now, You All Know What HIPAA Is...right?
  • Healthcare
  • In
  • Pain
  • And
  • Agony (again)

The Big Picture
  • HIPAA implementation of the standards does not
    have to be any type of major burden on the
    average HME/Rehab provider, especially not an
    economic burden.

Privacy Rule In Effect
  • The Privacy compliance date is now effective
    (April 14, 2003). Many providers are not yet
  • As of February 2004, OCR, the HHS division
    responsible for HIPAA Privacy, had received 4,266
    complaints of HIPAA privacy violations since the
    law took effect.

Primary reasons for the violations
  • Incidental disclosure of individually
    identifiable health information
  • Lack of adequate safeguards
  • Not providing a copy of records to patients
  • Disclosure of more than necessary information
  • Failure to give notice of privacy practice

  • OCR has closed 42 of these cases.
  • Most situations were resolved, a course of action
    was taken, or an investigation took place but no
    violation was found.
  • Bottom Line: No fines have been levied as a
    result of a HIPAA privacy violation!

Confused by some of the details of the Privacy
  • The HIPAA Privacy Rule remains as a source of
    great confusion among providers and others within
    the health care community.
  • VGM can help! Just call or email. Consultation
    is free to all!

Training is Required!
  • All employees and members of your work force who
    have access to protected health information need
    HIPAA training! This PowerPoint will assist you
    in satisfying the training requirement!

For governmental information on HIPAA
  • e-mail your questions to askhipaa@cms.hhs.gov
  • Call the CMS HIPAA HOTLINE 1-866-627-7748
  • Log onto the CMS HIPAA web site
  • For Privacy inquiries only:
      • Check out http://www.hhs.gov/ocr/hipaa
      • Call 1-866-627-7748

For information on HIPAA that you can understand
  • e-mail your questions to mark.higley@vgm.com
  • Call 1-800-642-6065

Before we discuss the Security Standards...
  • Let's Get a Quick Update on TCS (that's
    Electronic Transactions and Code Sets).

October 16, 2003 Electronic Transactions...Many
Months Later
  • As many expected, there is trouble in the
    government's paradise of standardization.
  • Slower payments, poor customer service and
    confusion over what is or is not allowed in terms
    of paper claims are just a smidgen of reported

It will take more time to sort out exactly what
is going on and where the problems lie.
  • Published companion documents that never came
  • Lack of published contingency plans
  • One large payer has stopped accepting electronic
    claims due to discrepancies in formats.

This has a negative impact on HME providers who
have been used to submitting electronically
  • Some are dropping back to paper claims...and cash
    flows suffer as the paper claims are processed.

But As You Know
  • Medicare & most state Medicaid agencies still
    accept electronic claims in a proprietary format
    (operating under a contingency plan). For
    the latest information on your particular state's
    contingency plan, please review its HIPAA
    Implementation Status Update and Contingency Plan
    Information at the appropriate Medicaid website.

Let's Discuss Medicaid
  • State contingency plans include the capability to
    continue to accept and process existing formats,
    including data values and codes within these

Old Formats OK
  • States will continue to accept existing formats
    and codes for a period of time until their
    individual trading partners have successfully
    completed testing the HIPAA compliant electronic
  • State contingency plans also include accepting
    existing formats that have been generated by
    converting HIPAA compliant formats.

Testing Update
  • To date, testing of these transactions has been
    limited. Consequently, the conversion of data in
    these formats will depend on the ability of the
    clearinghouse or software vendor to correctly
    translate the data required for adjudication in a
    timely fashion.

Formats & Codes
  • Medicaid strongly encourages providers to
    instruct their billing services and software
    vendors to continue using current formats and
    codes, until these entities have demonstrated to
    the providers successful HIPAA testing results
    with all parties involved in transmitting
    electronic claims to payers.

Let's get back to the Security Standards!
  • To a great extent, the Security Rule puts the
    HIPAA spotlight on your information
    technology/systems staff. Whether you have just
    one information system manager or a full CIO with
    I/T staff, these technical executives must
    develop and implement cost-effective
    organization-wide security programs.

  • Of course, your entire management team should
    play an important strategic planning role before
    practical measures are implemented. As
    healthcare organizations look toward developing
    annual budgets, the executive team should be
    asking such questions as

  • What are the security risks to my organization -
    and which are the highest priority?
  • What measures should be considered for our plan
    to reduce risk and become HIPAA Security
  • How much should we budget (money, resources) for

Why Comply with the Security Rule?
  • HIPAA and good business practices dictate that we
    safeguard patient information entrusted to us.
  • But...perhaps just as importantly, the standards
    address security risks that could severely affect
    your business operations!

Potential Risks
  • Loss of financial cash flow
  • Permanent loss or corruption of electronic
    protected health information (ePHI)
  • Temporary loss or unavailability of medical
  • Loss of physical assets (computers, etc.)
  • Damage to reputation and public confidence
  • Threats to patient safety
  • Threats to employee safety

The Standards
  • Will be effective April 21, 2005 for
    healthcare providers
  • Applies only to Electronic Protected Health
    Information (EPHI) that a healthcare provider -
    and all covered entities - creates, receives,
    maintains, or transmits

The Standards
  • Are separated into three groups:
      • Administrative Safeguards
      • Physical Safeguards
      • Technical Safeguards

Less Specific Than the Privacy Rule!
  • The final Security standards are essentially a
    model for information security, with less
    specific guidance on how to implement it.

General Requirements of the Standards
  • Ensure:
      • Confidentiality (only the right people see it)
      • Integrity (the information is what it is
        supposed to be; it hasn't been changed)
      • Availability (the right people can see it when

General Requirements
  • Protect against reasonably anticipated threats
    or hazards to the security or integrity of
  • Protect against reasonably anticipated uses and
    disclosures not permitted by privacy rules
  • Ensure compliance by workforce

Regulation Themes
  • Scalability/Flexibility (*)
  • Healthcare providers can take into account:
      • Size
      • Complexity
      • Capabilities
      • Technical Infrastructure
      • Cost of procedures to comply
      • Potential security risks
  • (*) Remember these terms from the Privacy

Regulation Themes
  • Technologically Neutral
      • What needs to be done, not how
  • Comprehensive
      • Not just technical aspects, but behavioral as

How HHS Is Attempting To Accomplish This
  • Develop Standards That Are Required and
  • Implementation specifications which provide
    additional detail and can be either required or

What did you just say???
  • (OK, we thought that might confuse some of you.
    Let's try it again!)

Try again
  • The new Security rules, just like the Privacy
    rules, have "standards" - what must be done by
    healthcare providers to comply.
  • And "implementation specifications" which
    include how to do it.

Before we get too detailed...
  • Q. What about some model forms, policies and
    procedures - like we had for the Privacy Rules???
  • A. Good question! HHS has promised more
    specifics in the future and to provide model
    guidance documents.

  • VGM will compile these documents, adapt them to
    HME/Rehab, and will make them available to
    providers...probably on the Web site.
  • As the compliance date is not until 2005, we have
    a little time!

OK...Back to the specifics...what's Addressable?
  • If an implementation specification is
    addressable, a healthcare provider can:
      • Implement it...if it is reasonable and appropriate
      • Implement an equivalent measure, if that is
        reasonable and appropriate
      • Not implement it at all

Again...the standards are separated into three
groups (*)
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • (*) We've developed a chart that lists all of the
    standards and includes whether implementation
    is required or addressable. See your handouts!

Administrative Safeguards
  • Make up 50% of the Security Rule's standards. In
    general, they require documented policies and
    procedures for day-to-day operations managing
    the conduct of employees with PHI and managing
    the selection, development, and use of security

Give me an example of an Administrative Safeguard
  • OK. All healthcare providers must designate a
    "security official," to be "responsible for the
    development and implementation of the policies
    and procedures" required by the Security Rule

Physical Safeguards
  • Are a series of security measures meant to
    protect a healthcare provider's electronic
    information systems, as well as related buildings
    and equipment, from natural hazards,
    environmental hazards, and unauthorized
    intrusion. The measures include both
    administrative policies and physical controls.

Give me an example of a Physical Safeguard
  • OK. Workstation security. This standard
    "implementation of physical safeguards for all
    workstations that access electronic protected
    health information to restrict access to
    authorized users."

Technical Safeguards
  • Are made up of several security measures that
    specify how to use technology to protect EPHI.

Give me an example of a Technical Safeguard
  • OK. Access controls, which are your technical
    policies and procedures for electronic
    information systems access that maintain EPHI to
    allow access only to those persons or software
    programs that have been granted access rights.

Implementation Specifications
  • As noted before, these three safeguard categories
    are further divided into "implementation
    specifications" that define how each of the
    standards is to be implemented. In some cases,
    the standard itself contains enough information
    to describe implementation requirements, so there
    is no separate specification.

I Heard We Must Purchase Encryption Software!!
  • First of all...encryption is addressed in the
    Technical Safeguards under the transmission
    security standards. These include technical
    security mechanisms to guard against unauthorized
    access to EPHI that is being transmitted over an
    electronic communications network.

  • The standard has two implementation
    specifications, both of which are addressable:
    integrity controls, and encryption.
  • The first includes "security measures to ensure
    that electronically transmitted electronic
    protected health information is not improperly
    modified without detection until disposed of."
    The second embraces "mechanisms to encrypt
    electronic PHI deemed appropriate."

Encryption not required!!
  • The standard does not mandate any particular set
    of integrity controls, such as encryption, for
    all transmissions. Now the healthcare provider
    must decide, following its own risk analyses (*),
    what degree of protection is appropriate in each
  • (*) We'll discuss risk analysis next
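To make the difference between the two addressable specifications concrete, here is an added example (not from the presentation or from VGM) of an integrity control that is not encryption: an HMAC tag computed over a transmitted record lets the receiver detect that the record was modified in transit, while the record itself stays readable on the wire. The shared key, the record fields and the values are constructed placeholders.

```python
"""Transmission integrity control for ePHI: an HMAC tag that detects
modification in transit. Added example; the shared key and the sample
claim record are constructed, not taken from the presentation."""
import hashlib
import hmac
import json
from typing import Dict


def canonical_bytes(record: Dict) -> bytes:
    # Sort keys and strip whitespace so sender and receiver hash identical bytes
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(key: bytes, record: Dict) -> str:
    """Integrity tag: HMAC-SHA256 over the canonical record, hex encoded."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_record(key: bytes, record: Dict, tag: str) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag_record(key, record), tag)


# Constructed sample record (placeholder identifiers, not real patient data)
SAMPLE_RECORD = {
    "patient_id": "PT-000123",
    "hcpcs": "EXXXX",  # placeholder procedure code
    "units": 1,
    "billed_amount": 850.00,
}

# Constructed shared key; a real deployment gets it from key management, not source code
DEMO_KEY = b"constructed-demo-key-replace-via-key-management"


def demo(key: bytes = DEMO_KEY) -> Dict[str, bool]:
    """Run the checks a receiver cares about and report each outcome as True when it behaves correctly."""
    tag = tag_record(key, SAMPLE_RECORD)
    return {
        # unchanged record with its original tag: accepted
        "unmodified_accepted": verify_record(key, SAMPLE_RECORD, tag),
        # units altered in transit: tag no longer matches, so the record is rejected
        "altered_record_rejected": not verify_record(key, dict(SAMPLE_RECORD, units=10), tag),
        # tag altered in transit: rejected as well
        "altered_tag_rejected": not verify_record(key, SAMPLE_RECORD, "0" * 64),
        # this control is integrity only: the record is still plaintext on the wire
        "record_still_plaintext": b"PT-000123" in canonical_bytes(SAMPLE_RECORD),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last check is the point of the slide: the tag satisfies the integrity-controls specification on its own, and whether the record also needs encrypting is the separate, risk-analysis-driven decision.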

Risk Analysis
  • The HIPAA Security Rule requires healthcare
    providers to have a risk management program in
    place to evaluate the value of the assets, the
    potential for a loss or disclosure, and the cost
    of additional countermeasures.

Risk Analysis
  • It is a Required specification!
  • Possible Resource: NIST Risk Management Guide
    (800-30) http://www.nist.gov

Risk Analysis Steps (we'll go through each one of
these in a minute)
  • Review data systems
  • Identify threats/vulnerabilities
  • Evaluate security controls
  • Assess likelihood
  • Consider impact
  • Determine risk

Review Data Systems
  • Hardware
  • Software
  • Data storage locations
  • Modes of data transit
  • Data sensitivity
  • Primary Users

Identify Threats
  • Natural/Environmental disasters, such as
    electrical storms, flood, tornado, chemical
  • Human threats, such as accidental data erasure
    or entry, hackers, computer viruses, theft
  • Vulnerabilities, such as internal weaknesses or

Evaluate Security Controls
  • Preventive
      • Access restrictions
      • Password authentication
      • Effective staff training
      • Environmental controls
  • Detective
      • Audit trails
      • Alarms

Assess Likelihood
  • Of each identified threat
  • With consideration to controls
  • Accidental data erasure...
      • ...but files are backed up every night??
      • High, Moderate, Low?

Consider Impact
  • Of data
      • release
      • manipulation
      • temporary or permanent inaccessibility
  • Temporary data erasure...
      • ...but files are backed up every night??
      • High, Moderate, Low?

Determine Risk
  • Likelihood Determination
  • Impact Assessment
  • Moderate likelihood, low impact
      • Sufficient controls in place?
  • High likelihood, high impact
      • Additional protections needed.
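The six risk analysis steps above, worked through end to end as an added example (not part of the presentation; the 3x3 likelihood/impact matrix and the three dispositions are assumptions modeled on NIST SP 800-30, and the register entries are constructed for a small HME provider). The slide gives only the two end points of the matrix; the code generalizes to all nine combinations.

```python
"""Risk determination for a small HME provider, following the six steps
(review systems, identify threats, evaluate controls, assess likelihood,
consider impact, determine risk). Added example, not from the presentation;
the matrix, the dispositions and the register entries are assumptions."""
from dataclasses import dataclass
from typing import Dict, List

LEVEL = {"Low": 1, "Moderate": 2, "High": 3}


@dataclass
class RiskItem:
    system: str           # step 1: data system reviewed
    threat: str           # step 2: threat or vulnerability identified
    controls: List[str]   # step 3: controls already in place
    likelihood: str       # step 4: rated with the controls taken into account
    impact: str           # step 5: consequence of release, manipulation or loss


def risk_level(likelihood: str, impact: str) -> str:
    """Step 6: combine the two ratings (assumed matrix: product of the 1..3 scores)."""
    score = LEVEL[likelihood] * LEVEL[impact]
    if score >= 6:
        return "High"
    if score >= 3:
        return "Moderate"
    return "Low"


# Assumed dispositions; the slide states only the High and the Moderate/Low cases
DISPOSITION = {
    "High": "Additional protections needed",
    "Moderate": "Decide whether further controls are reasonable and appropriate",
    "Low": "Existing controls likely sufficient; document and re-evaluate periodically",
}


def determine_risk(register: List[RiskItem]) -> List[Dict[str, str]]:
    """Rate every item in the register and return the rows highest risk first."""
    rated = []
    for item in register:
        level = risk_level(item.likelihood, item.impact)
        rated.append({
            "system": item.system,
            "threat": item.threat,
            "controls": ", ".join(item.controls) or "none",
            "likelihood": item.likelihood,
            "impact": item.impact,
            "risk": level,
            "disposition": DISPOSITION[level],
        })
    return sorted(rated, key=lambda row: LEVEL[row["risk"]], reverse=True)


# Constructed register; the first entry is the slide's own "backed up every night" case
REGISTER = [
    RiskItem("Billing server", "Accidental data erasure",
             ["Nightly backups", "Staff training"], "Moderate", "Low"),
    RiskItem("Delivery technician laptop", "Theft of laptop holding ePHI",
             [], "High", "High"),
    RiskItem("Front-office workstation", "Computer virus via e-mail",
             ["Antivirus", "Security reminders"], "Moderate", "Moderate"),
]


if __name__ == "__main__":
    for row in determine_risk(REGISTER):
        print(f"{row['risk']:8} {row['threat']:32} -> {row['disposition']}")
```

The likelihood rating is entered after the controls are considered, which is how the slide's nightly-backup example ends up at moderate likelihood and low impact; the output order is the priority order for the budget questions raised earlier in the presentation.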

Quick review of standards (R = Required, A = Addressable)
Administrative Standards
  • Security Management
      • Risk analysis (R)
      • Risk management (R)
      • Sanction Policy (R)
      • Information System Activity Review (R)
  • Assigned Responsibility

Administrative Standards
  • Workforce Security
      • Authorization and/or Supervision (A)
      • Clearance Procedures (A)
      • Termination procedures (A)
  • Information Access Management
      • Isolate Clearinghouse Function (R)
      • Access Authorization (A)
      • Access Establishment/Modification (A)

Administrative Standards
  • Security Awareness and Training
      • Security Reminders (A)
      • Protection from Malicious Software (A)
      • Log-in Monitoring (A)
      • Password Management (A)
  • Security Incident Procedures
      • Response and Reporting (R)

Administrative Standards
  • Contingency Plan
      • Data Backup Plan (R)
      • Disaster Recovery Plan (R)
      • Emergency Operations Plan (R)
      • Testing and Revision Procedure (A)
      • Applications and Data Criticality (A)

Administrative Standards
  • Evaluation
  • Business Associate Contracts
      • Written Contract (or other arrangement) (R)

Physical Standards
  • Facility Access Controls
      • Contingency Operations (A)
      • Facility Security Plan (A)
      • Access Control Validation Procedures (A)
      • Maintenance Records (A)
  • Workstation Use

Physical Standards
  • Workstation Security
  • Device and Media Controls
      • Disposal (R)
      • Media Re-use (R)
      • Accountability (A)
      • Data Backup Storage (A)

Technical Standards
  • Access Control
      • Unique User Id (R)
      • Emergency Access (R)
      • Automatic Logoff (A)
      • Encryption and Decryption (A)
  • Audit Controls

Technical Standards
  • Integrity
      • Mechanism to Authenticate ePHI (A)
  • Person or Entity Authentication
  • Transmission Security
      • Integrity Controls (A)
      • Encryption (A)

Regulation Dates
  • Published February 20, 2003
  • http://aspe.hhs.gov/admnsimp/
  • Compliance Date April 21, 2005 for all covered
    entities except small health plans
  • April 21, 2006 for small health plans

Implementation Approach
  • Do Risk Analysis & Document
  • Based on Analysis, determine how to implement
    each standard and implementation specification
  • Develop Security Policies and Procedures
  • Train Workforce
  • Implement Policies and Procedures
  • Periodic Evaluation

Security Summary
  • Scalable, flexible approach
  • Standards that make good business sense
  • One year, one month to implementation!

You will want to begin to
  • Establish and document policies and procedures
    relating to information security
  • Establish physical safeguards of computer
    systems, equipment and buildings
  • Review technical security to protect the
    confidentiality and integrity of information and
    control and monitor access
  • Safeguard systems against external threats

  • You should not panic and think Security is going
    to cost you a fortune. Don't let vendors talk you
    into purchasing encryption and other
    safeguards. Think before you buy and let
    common sense and reason be your other guide!


  • And finally, remember:
  • Be Flexible
  • Be Scalable
  • (Don't forget reasonable!)

  • It is 2004. Remember the Privacy Rule Is Now

