Overview: HIPAA Guidelines for Security and Privacy

July, 2001

Jack Buchanan, MSEE MD

University of Tennessee Health Science Center

HIPAA Security and Privacy Regulations

Mandated by Congress via the Health Insurance Portability and Accountability Act of 1996.

Requirements for:
  Data Interchange Standards
  Data Security
  Patient Privacy

HIPAA Security and Privacy Regulations

Regulations were to have been established by a separate Congressional act.

An escape clause mandated HHS to write the regulations if Congress didn’t act by a deadline.

Regulations were issued during the final days of the Clinton administration.

Delayed, then affirmed by the Bush administration.

We now have “final” Privacy Regulations and “preliminary” Security Regulations.

HIPAA Security and Privacy Regulations - Purpose

To prevent inappropriate use of health information associated with an individual patient.

To require organizations which use health information to protect the information and the systems which store, transmit, and process it.

Explicitly includes systems and procedures belonging to associates and subcontractors; requires “Chain of Trust” agreements.

HIPAA Security and Privacy Regulations - Who?

Definitely apply if you are (or have a unit which is) a:
  Health provider
  Health plan
  Healthcare clearinghouse

HIPAA Security and Privacy Regulations - Who?

Maybe (probably) apply if you are affiliated with the above as a:
  Business Associate
  Contractor
  Consultant
  Researcher, if the data are personally identifiable

HIPAA Security and Privacy Regulations - When?

Politics has made this a little difficult to determine.

The argument that they will NEVER go into effect has become MUCH less credible.

Working deadline: mid 2003.

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Many requirements are specifically spelled out:

Assign responsibility for security to a person or an organization.

Assess risks and determine the major threats to the security and privacy of protected health information.

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Establish a security management program that addresses:
  physical security
  personnel security
  technical security controls
  security incident response
  disaster recovery

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Certify the effectiveness of new or existing security controls.

Appoint a privacy officer and a point of contact for receiving privacy complaints.

Adopt a privacy policy and publicize the policy by giving notice to patients/partners.

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Privacy policies must have specific provisions for:
  Gaining consent and authorization,
  Restricting use and disclosure,
  Receiving and resolving complaints,
as regards protected health information.

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Change contracts and business partner agreements to include a contractual requirement that partners handle protected health information properly.

Train the covered entity’s workforce, and business associates who work on the covered entity’s premises, to follow proper security and privacy policies and procedures.

HIPAA Security and Privacy Regulations

What’s a covered entity to do?

Document security and privacy policies and procedures, as well as the actions taken to ensure that policies and procedures are enforced.

Only the minimum necessary information is to be provided to fulfill the purpose of a request:
  Provision of patient care is exempted.
  Clinical research information is NOT exempt.

HIPAA Security and Privacy Regulations

Penalties for non-compliance

Civil monetary penalties on a per-person, per-violation basis.

Very strong penalties for misuse with knowledge:
  Significant fines
  Prison

Penalties potentially apply to:
  Individual violator
  Organization
  Officers of organization

What are the Guidelines?

A document meant to help people in AMCs who must form and run HIPAA-compliant operations.

The guidelines contain a section for each point of compliance in the HIPAA Privacy and Security regulations.

Each “point” section focuses on explaining the regulation point and guiding an analysis of its impact on AMCs, with guidance for compliance.

Other sections focus on the overall impact of the regulations for AMCs.

Part of the intended value of the work is that it is a product of the key HIPAA leaders at several Academic Medical Centers and several related organizations (i.e., this comes from the people who will have to make their organizations compliant).

Key motivations for creating the Guidelines

HIPAA Security/Privacy is a complex regulatory regime;
  Having several interested parties analyze the regs helps ensure a thoughtful analysis.

AMCs are complex organizations in which to implement HIPAA;
  Having several parties who are knowledgeable of this environment do the analysis helps ensure a relevant analysis that is sensitive to the variety of circumstances in AMCs.

Key motivations for creating the Guidelines

AMCs need an AMC group norm for what is “reasonable”;
  This would help ensure high-quality, rational-cost implementations that are in the spirit of the “adoption” principle in the HIPAA law. (WEDI is being asked to recommend the Guidelines to HHS.)

Walking the talk;
  The participating AMCs wanted the guidelines for themselves and for the wider industry.

The document is available at the website (amc-hipaa.org).

Why are AMC environments worthy of special attention?

AMCs typically have operations that present challenges to security and privacy management due to several factors. AMCs typically:

DECENTRALIZED MANAGEMENT: are composed of facilities that are managed by a diverse group of people and interests,
DIVERSE MISSIONS: are combined clinical, educational, and research efforts,
HIGH PROFILE PATIENTS: care for VIPs, celebrities, and other people at times when their health status is of public interest,
LARGE: are physically large and have a large staff,
SPECIALIZED: tend to have large numbers of people involved in a single patient’s care,
MULTI-PARTNERED: have partnerships and special programs with industry, government, and other AMCs that bear on activity in the clinical area.

Notes:
- do implementation points
- compliance officer scope change
- controversy vs. not
- 20 minutes each
- best practice
- make slides

How were the Guidelines formed?

The idea: evolved from discussions among people working with AAMC, WEDI, NLM, and Internet2 to bring representatives from several academic medical centers together in a series of workshops to create guidelines for implementing the HIPAA Privacy and Security regulations in AMCs.

Also, to use the workshops to explore what AMC needs were in this area and how relevant organizations might find common cause with the AMCs on this issue.

The result: a series of workshops, with many nationally known AMCs and related organizations represented, in which the guidelines have been developed.

Participating AMCs

Duke University Health System
Emory University
Johns Hopkins Medical Institutions
Kaiser Permanente
Mayo Clinic
Oregon Health Sciences University
Osaka Medical College
Texas A&M University System Health Science Center
Texas A&M University
University of Alabama at Birmingham
University of Arizona Medical Center
University of Michigan Health System
University of Pennsylvania
University of Tennessee Health Science Center
University of Texas Southwestern Medical Center
Veterans Health Administration
Yale University School of Medicine

Sponsoring Organizations

Association of American Medical Colleges (AAMC)
Internet2
National Library of Medicine (NLM)
Object Management Group (OMG)

Supporting Organizations

CPRI-HOST
North Carolina Healthcare Information and Communications (NCHICA)
Health Care Financing Administration (HCFA)
Healthcare Computing Strategies, Inc. (HCS)
Southeastern University Research Association (SURA)
Workgroup on Electronic Data Interchange (WEDI)

The Goals of the Workshop Process

Develop: To develop guidelines for implementation of the HIPAA Security and Privacy regulations which AMC HIPAA leaders could use to guide their institutional approach.

Share: To share the load and improve the result in an area that we’d otherwise have to take up independently.

Focus: To ensure focus on the special issues that AMCs have with security and privacy.

Self-regulate: To have the guidelines submitted to WEDI for recommendation as part of their regulatory role in HIPAA.

Norm: To foster a reasonable group norm on HIPAA compliance for AMCs by creating and sharing guidelines that AMCs may implement.

Collaborate: To further develop the points of collaboration with related national groups.

Guidance only: The process was designed to provide guidance only; no advocacy for “stronger” or “weaker” regs is included.

What’s Next for this work/group?

Evolution: There is a general expectation that changes in the regs and improvements in the content will emerge over the next couple of years as others read and use the material.

Use of materials: Anyone is free to use the material provided that they preserve the copyright and note to prospective users/customers of derivative material that the original document and any updates will be freely available at amc-hipaa.org.

Follow-on activities: We expect there to be value in having a group with continuing activities for AMCs in privacy and security at the national level, and are pursuing opportunities related to this.

What’s next here?

A tour of the document to give you a better feel for the content and its utility.

Thanks!