
Information Systems Department

IS 536 Information Security Governance


First Semester 2015

HIPAA
Outline
• Introduction
• Background
• HIPAA Basics
• EPHI Enforcement
• Breach Notifications
• Additional rules to HIPAA
• HIPAA and Governance Implementation
• HIPAA Challenges
• Conclusion
Introduction
• The privacy of health information has become an important
concern for all institutions delivering healthcare.

• The shift toward interoperable electronic health records
leads patients to worry about the privacy of their information
and about losing control over their data.

• Healthcare providers need to ensure an effective level of
privacy and security policy that safeguards patients' rights.
Introduction (Cont.)
• Health records need to be under strict control.

• There is a need for a common standard for handling patient
data, including standards for the electronic transfer of
medical information, and for guidelines that control patient
records in both written and oral form.

• The first and most significant Federal legislation on health
privacy and security is the Health Insurance Portability and
Accountability Act, known as HIPAA.
Background
• HIPAA was enacted in 1996 with two objectives.

• The first part, the "Health Insurance Portability" part of the
Act, ensures that individuals are able to maintain their health
insurance between jobs.

• The second part of the Act is the "Accountability" portion. It
ensures the security and confidentiality of patient information
and mandates uniform standards for the electronic transmission
of administrative and financial data relating to patient health
information.
Source: http://www.winxnet.com/blog/blog-home/hipaa-key-dates/
HIPAA Basics
• Covered Entities
• The organizations to which HIPAA applies. A covered entity
must safeguard patient data in any form; with some exclusions,
protected health information comprises personal health data
sent or maintained in any form.
✓ Health plans
✓ Healthcare clearinghouses
✓ Health care providers (doctors, nurses, therapists, etc.)
that transmit health information electronically
HIPAA Basics
• Protected Health Information (PHI)
• HIPAA protects all patient information, whether it is
verbal, written or electronic.
• PHI includes all individually identifiable health information
that is transmitted or maintained in any form or medium.
• It includes demographic information that ties the identity
of the individual to his or her health record.
• E.g. names, addresses, geographic subdivisions smaller
than a state, all elements of dates (except year) directly
related to the individual, telephone numbers, fax numbers,
license numbers, social security numbers, etc.
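The identifier list above is the basis of the Privacy Rule's Safe Harbor de-identification method (45 CFR 164.514(b)(2)): strip the direct identifiers, keep only the year of any date, cut ZIP codes to three digits (or "000" where the three-digit area has 20,000 or fewer people), and report ages over 89 as "90 or older". The following Python is an added example written for this page, not code from the slides or from HHS. The field names, the pass-through allow-list, the reference date and the small-population ZIP3 set are assumptions for the demonstration; the real ZIP3 set is derived from Census data.

```python
"""Safe Harbor de-identification of a flat patient record (added example)."""
from __future__ import annotations

import re
from datetime import date

# Reference date for age calculations (assumed; a real job uses the export date).
REFERENCE_DATE = date(2015, 11, 21)

# Fields with no identifying content that may pass through unchanged.
# Assumed for this example; derive it from a data inventory in practice.
PASS_THROUGH = {"state", "sex", "diagnosis_code"}

ZIP_FIELD = "zip"
DOB_FIELD = "dob"
DATE_SUFFIX = "_date"          # admission_date, discharge_date, ...

# ZIP3 prefixes whose combined population is 20,000 or fewer become "000".
# Constructed sample; the real set is computed from Census population data.
SMALL_POPULATION_ZIP3 = {"036", "059", "102", "203"}

_ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def _year_of(value) -> int:
    """Year of an ISO date string or date object; anything else is rejected
    rather than silently passed through as a potential identifier."""
    if isinstance(value, date):
        return value.year
    m = _ISO_DATE.match(str(value))
    if not m:
        raise ValueError(f"unsupported date format: {value!r}")
    return int(m.group(1))


def _age_on(dob, as_of: date) -> int:
    d = dob if isinstance(dob, date) else date.fromisoformat(str(dob))
    return as_of.year - d.year - ((as_of.month, as_of.day) < (d.month, d.day))


def deidentify_zip(zip_code: str) -> str:
    """Keep the first three digits unless the ZIP3 area is sparsely populated."""
    digits = re.sub(r"\D", "", str(zip_code))
    prefix = digits[:3]
    if len(prefix) < 3 or prefix in SMALL_POPULATION_ZIP3:
        return "000"
    return prefix


def deidentify(record: dict, as_of: date = REFERENCE_DATE) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    Uses an allow-list: every field not explicitly transformed or listed in
    PASS_THROUGH (name, SSN, phone, MRN, free-text notes, ...) is dropped.
    """
    age = int(record["age"]) if "age" in record else None
    if DOB_FIELD in record:
        age = _age_on(record[DOB_FIELD], as_of)
    over_89 = age is not None and age > 89

    out = {}
    for key, value in record.items():
        if key == ZIP_FIELD:
            out[key] = deidentify_zip(value)
        elif key == DOB_FIELD:
            # A birth year for someone over 89 would itself reveal the age.
            if not over_89:
                out["birth_year"] = str(_year_of(value))
        elif key.endswith(DATE_SUFFIX):
            out[key] = str(_year_of(value))       # year only
        elif key == "age":
            out[key] = "90+" if over_89 else str(age)
        elif key in PASS_THROUGH:
            out[key] = value
        # everything else is an identifier or unclassified: dropped
    return out


# Constructed sample record (not real patient data).
SAMPLE = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "phone": "555-0100",
    "street_address": "1 Example Way",
    "zip": "02139-4307",
    "state": "MA",
    "dob": "1950-06-15",
    "admission_date": "2015-08-03",
    "diagnosis_code": "E11.9",
    "notes": "free text that may contain identifiers",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE))
```

The allow-list design is deliberate: Safe Harbor's final category is "any other unique identifying number, characteristic, or code", so a blocklist of known identifier fields leaves free-text and unclassified columns leaking. Safe Harbor is also only one of the two Privacy Rule methods; the alternative, Expert Determination, requires a documented statistical analysis rather than a fixed transformation.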
HIPAA Basics
HIPAA has two main rules:

Privacy Rule
✓ Applies to Protected Health Information in all forms: oral,
written, and electronic.
✓ Sets standards for when PHI may be used and disclosed.
✓ Penalties for improper disclosure and misuse.

Security Rule
✓ Controls access to PHI held in electronic form (ePHI).
✓ Lays out specific requirements for contracts between covered
entities (CEs) and their business associates.
✓ Requires policies and procedures that ensure the health
organization's compliance with HIPAA.
HIPAA Privacy Rule
• The objective
• Make sure that policies are applied in a manner that ensures
proper protection of PHI and leaves no room for mistakes.
• HIPAA sets the rules for how covered entities govern and use
PHI when handling patient matters.
• Health care institutions are charged with informing patients
about how their data is used and with obtaining their written
authorization before disclosing personal data for purposes
beyond treatment, payment and health care operations. The Rule
also gives patients the right to access their own medical records.
Figure: To Understand HIPAA Privacy
HIPAA Security Rule
• The Objective
• Defines general standards and implementation specifications
to protect electronic protected health information (ePHI)
that a covered entity creates, receives, maintains or transmits.
• Requires appropriate administrative, physical and technical
safeguards, together with policies, procedures and documentation
requirements, in order to ensure the confidentiality, integrity,
and availability of ePHI.
Security Rule

Administrative safeguards
“ are actions, and policies and procedures, to manage the
selection, development, implementation, and maintenance
of security measures to protect ePHI and to manage the
conduct of the covered entity’s workforce in relation to the
protection of that information” (HHS 2015).
HIPAA Security Rule (Cont.)
Physical safeguards
”are physical measures, policies, and procedures to protect a
covered entity’s electronic information systems and related
buildings and equipment, from natural and environmental
hazards, and unauthorized intrusion” (HHS 2015).
HIPAA Security Rule Cont.

Technical Safeguards
“The technology and related policies and procedures that
protect ePHI and control access to it. The Technical
Safeguards standards apply to all ePHI. The Rule requires
a covered entity to comply with the Technical Safeguards
standards and provides the flexibility to covered entities
to determine which technical security measures will be
implemented” (HHS 2015).
HIPAA Security Rule Cont.
Policies, Procedures and Documentation Requirements
● Policies and Procedures Standard:
Requires covered entities to implement reasonable and appropriate
policies and procedures to comply with the standards and implementation
specifications of the Security Rule.
● Documentation Standard has three required (R) implementation specifications:
•Time Limit (R): Retain the documentation for six years from the date of
its creation or the date it was last in effect, whichever is later.
•Availability (R): Make the documentation available to the persons
responsible for implementing the procedures it describes.
•Update (R): Review the documentation periodically and update it as
needed in response to environmental or operational changes affecting
the security of ePHI.
HIPAA Security Rule Cont.
CIA of ePHI
The Security Rule requires covered entities to ensure the three
core security objectives for all ePHI:

✓ Confidentiality
✓ Integrity
✓ Availability
ePHI Enforcement
• There are civil penalties for non-compliance with HIPAA
• The enforcement provisions were updated by the Omnibus Final
Rule in 2013
• Factors used in setting a penalty:
• The nature and extent of the violation
• The nature and extent of the harm
• The history of prior compliance
• The financial condition of the covered entity
ePHI Enforcement
Over $36 million has been collected in resolution agreements
and fines for a variety of issues.
Breach Notifications
Breach
Impermissible acquisition, access, use, or disclosure of PHI
which compromises the security or privacy of the PHI.

More generally, a breach is an act of breaking or failing to
observe a law, agreement, or code of conduct.
Breach Notifications
Figure: breach statistics, Aug 2014 (Source: HIPAA Conference)

Breach Notifications
Figures: breach statistics, Aug 2015 (Source: HHS.gov)

Breach Notification
Breaches are the greatest risk to PHI and other regulated data.
Why Breach Notification?
Both the number of breaches and the number of people impacted are up:
Total breaches: 278
Records lost: 12,503,190
Community Health Systems breach alone: 4.5 million records
Additional rules to HIPAA
• HITECH
• President Obama signed the Health Information Technology for
Economic and Clinical Health (HITECH) Act in 2009, addressing
the lack of specificity in the HIPAA regulations.
Additional rules to HIPAA
• ACA
• The Affordable Care Act, signed by President Barack Obama on
March 23, 2010.
• Takes an approach to regulation that can properly be described
as "new governance".
• The ACA updated HIPAA with new, expanded requirements.
Additional rules to HIPAA
• FDA
• The Food and Drug Administration has the authority to regulate
medical devices both before and after they reach the marketplace.
HIPAA and Governance Implementation
HIPAA Challenges
• Compliance must be managed across a complex and dynamic
information environment.
HIPAA Challenges
• Regulated personal information, and other information at high
risk of identity theft or cyber attack, is spread across the
whole organization.
Conclusion
• HIPAA is the federal Health Insurance Portability and Accountability Act

• It consists of a set of standards that provide prescriptive guidance for securing and protecting PHI.

• HIPAA provides standards for:

General Rules
Administrative, Physical, and Technical Safeguards
Policies and Procedures
Documentation Requirements
Thank You
References
[1] Massey, Aaron K., and Paul N. Otto. "Aligning Requirements with HIPAA in the iTrust System."
16th IEEE International Requirements Engineering Conference. IEEE, 2008.
[2] Otto, Paul N., and Annie Antón. "Addressing legal requirements in requirements engineering."
Requirements Engineering Conference, 2007. RE'07. 15th IEEE International. IEEE, 2007.
[3] Breaux, Travis D., and Annie Antón. "Analyzing goal semantics for rights, permissions, and
obligations." Requirements Engineering, 2005. Proceedings. 13th IEEE International Conference
on. IEEE, 2005.
[4] Chessman, John, and Alan R. Heminger. "A Study of US Battlefield Medical
Treatment/Evacuation Compliance with HIPAA Requirements." System Sciences, 2009. HICSS'09.
42nd Hawaii International Conference on. IEEE, 2009.
[5] Antognini, Richard L. "Law of Unintended Consequences: HIPAA and Liability Insurers." Def.
Counsel J. 69 (2002): 296.
[6] Mitra, Soumyadeb. "Trustworthy and Cost Effective Management of Compliance Records." 2008.
[7] Choi, Young B., et al. "Challenges associated with privacy in health care industry:
implementation of HIPAA and the security rules." Journal of medical systems 30.1 (2006): 57-64.
[8] Kwon, Juhee, and M. Eric Johnson. "Healthcare Security Strategies for Regulatory Compliance
and Data Security." System Sciences (HICSS), 2013 46th Hawaii International Conference on.
IEEE, 2013.
[9] Chau, Minh, and Eric K. Clemons. "Individual Privacy and Online Services." System Sciences
(HICSS), 2011 44th Hawaii International Conference on. IEEE, 2011.
[10] Rezaeibagha, Fatemeh, Khin Than Win, and Willy Susilo. "A systematic literature review on
security and privacy of electronic health record systems: technical perspectives." The HIM journal
44.3 (2015): 23.
[11] Whitman, Michael E. "Enemy at the gate: threats to information security." Communications of the ACM 46.8 (2003): 91-95.
[12] Richardson, Robert. "CSI computer crime and security survey." Computer Security Institute 1 (2008): 1-30.
[13] He, Yuhong, and C. W. Johnson. "Generic security cases for information system security in healthcare systems." (2012): 21-21.
[14] J. Esq,"10 Trends in Healthcare Privacy You Need to Know Now", in TWENTY-THIRD NATIONAL HIPAA SUMMIT, 2015.
[15] Hhs.gov, 2015. [Online]. Available: http://www.hhs.gov/ocr/hipaa. [Accessed: 21- Nov- 2015].
[16] Alshugran, Tariq, and Julius Dichter. "Extracting and modeling the privacy requirements from HIPAA for healthcare applications."
Systems, Applications and Technology Conference (LISAT), 2014 IEEE Long Island. IEEE, 2014.
[17] Alshugran, Tariq, Julius Dichter, and Miad Faezipour. "Formally expressing HIPAA privacy policies for web services."
Electro/Information Technology (EIT), 2015 IEEE International Conference on. IEEE, 2015.
[18] Fda.gov, 'Medical Devices', 2015. [Online]. Available: http://www.fda.gov/MedicalDevices/default.htm. [Accessed: 21- Nov- 2015].
[19] Alshugran, Tariq, and Julius Dichter. "Toward a privacy preserving HIPAA-compliant access control model for web services."
Electro/Information Technology (EIT), 2014 IEEE International Conference on. IEEE, 2014.
[20] Cisco.com, 2015. [Online]. Available:
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Compliance/HIPAA/default.html. [Accessed: 21- Nov- 2015].
[21] Tulu, Bengisu, and Samir Chatterjee. "A new security framework for HIPAA-compliant health information systems." AMCIS 2003
Proceedings (2003): 116.
[22] Dey, Sukhen. "Impact of Affordable Care Act (ACA) on Health Informatics."Information and Computer Technology (GOCICT), 2014
Annual Global Online Conference on. IEEE, 2014.
[23] Tummala, R. Lal, and Manasa Chagantipati. "Technological challenges in health care." World Automation Congress (WAC), 2014.
IEEE, 2014.
[24] HIPAA.com, 'HIPAA.com - Compliance Made Easy', 2015. [Online]. Available: http://HIPAA.com. [Accessed: 21- Nov- 2015].
[25] Grossman, C. "Playing Russian roulette. The impact of HIPAA and HITECH on healthcare data governance." Health management
technology 35.9 (2014): 26.
[26] Stevens, Gina. "The Federal Trade Commission's Regulation of Data Security under Its Unfair or Deceptive Acts or Practices (UDAP)
Authority." Congressional Research Service 11 (2014).
[27] Chang, Joyce LT. "Dark Cloud of Convenience: How the HIPAA Omnibus Rules Fail to Protect Electronic Personal Health
Information, The." Loy. LA Ent. L. Rev. 34 (2013): 119.
[28] Breaux, Travis D., and Annie Antón. "Analyzing regulatory rules for privacy and security requirements." Software Engineering, IEEE
Transactions on 34.1 (2008): 5-20.
[29] Nahra, Kirk J. "HIPAA security enforcement is here." Security & Privacy, IEEE 6.6 (2008): 70-72.
[30] Fleming, Grace. "HIPAA-Cratic or HIPAA-Critical: US Privacy Protections Should Be Guaranteed by Covered Entities Working
Abroad." Minn. L. Rev. 98 (2013): 2375.