Introduction to the HIPAA Act (HPIAA法案介绍.pptx)

Uploader (seller): 无敌的果实 | Document ID: 2535914 | Uploaded: 2022-05-01 | Format: PPTX | Pages: 70 | Size: 6.22 MB

Introduction to the HIPAA Act

Homeland
Former Vice President Dick Cheney came clean in an interview to CBS 60 Minutes, revealing that when he had a device implanted to regulate his heartbeat in 2007, he had his doctors disable its wireless capabilities to prevent against a possible assassination attempt. The agency said in a statement that there was no cause for alarm for the nearly 3 million Americans with pacemakers.

Cyber Attacks and Security
- FBI Warns Health Care Sector Is More Vulnerable to Cyber Attacks
- Anthem Cyber Attack: 80 Million Personal Records Burglarized, 2015.2.4
- Cyberattack exposes data of 11 million Premera Blue Cross members, 2015.3.18
- Breaches Affecting 500 or More Individuals (10/21/2009, 1562): https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
- Policy research on healthcare data security in an environment of deep and widespread application of information technology
- Research on a clinical data security control framework for medical institutions

Rise of Data Analytics Heightens Need for PHI Security
2013 significantly changed the context of the healthcare security and privacy conversation. From the Snowden NSA revelations, to the HIPAA Omnibus Rule, changes in breach characteristics, connected devices, mHealth, IoT and the increasing use of cloud and corporate BYOD policies, one thing is clear: security by obscurity equals no security at all. The burden of protecting PHI is now spread across all data holders, patients, providers and payers alike. Outlined below are some of the unique security issues that will need addressing as healthcare technology moves into a data analytics mindset.
Breach Characteristics: More than 7 million patient records were exposed in 2013 alone, marking a perceived 138% increase from reported 2012 healthcare data breaches.

Federal Laws, Regulations and Policies in USA
- The Computer Security Act of 1987 (PL 100-235)
- The Privacy Act of 1974 (PL 93-579)
- The Freedom of Information Act (PL 90-23)
- The Computer Fraud and Abuse Act of 1986 (PL 99-474)
- The Copyright Act of 1976 (PL 94-553)
- OMB Circular A-130, Appendix III, Revised
- Health Insurance Portability and Accountability Act of 1996 (PL 104-191)
- Presidential Decision Directive 63, Critical Infrastructure Protection

The Three

HIPAA - HISTORY
HIPAA of 1996
In August 1996, President Clinton signed into law Public Law 104-191, the Health Insurance Portability and Accountability Act (HIPAA). The Act included provisions for health insurance portability, fraud and abuse control, tax-related provisions, group health plan requirements, revenue offset provisions, and administrative simplification requirements.
Purpose: To improve the portability of health insurance coverage; combat waste, fraud and abuse; and simplify health care administration.
The HIPAA Privacy Rule institutes business processes to protect the use and disclosure of protected health information (PHI). The compliance date for the HIPAA Privacy Rule was April 14, 2003.

HIPAA Titles Overview

ARRA HITECH - MU

From HIPAA to HIPAA Omnibus Rule
The way we share and access information has changed drastically since HIPAA was established in 1996. The recent changes are meant to STRENGTHEN the privacy and security protections mandated by HIPAA. The rule went into effect March 26, 2013 and has a MANDATORY compliance date of Sept. 23, 2013.
Major Changes
- Increased Business Associate liability
- Updates data security guidelines
- Increases penalties for violators
- Enhanced breach notification requirements (security breaches must be reported to the Office for Civil Rights)
- Extension of GINA to all plans subject to HIPAA (GI is HI)

Enforcement
- Regulated by Health and Human Services (HHS), Office for Civil Rights (OCR)
- Audits start September 23, 2013
- ASET (Administrative Simplification Enforcement Tool)

Key Terms and Definitions
Definition - Privacy
The desire of a person to control the disclosure of personal health information.
Definition - Confidentiality
The property that data or information is not made available or disclosed to unauthorized persons or processes. Must protect against unauthorized:
- Access
- Uses
- Disclosures

Key Terms and Definitions
Definition - Availability
The property that data or information is accessible and usable upon demand by an authorized person.
- Must provide for ready availability to authorized personnel
- Must guard against threats and hazards that may deny access to data or render the data unavailable when needed
- Must provide appropriate backup in the event of a threat, hazard, or natural disaster
- Must provide appropriate disaster recovery and business continuity plans for departmental operations involving ePHI

Key Terms and Definitions
Definition - Security
Protection of privacy and confidentiality through policies, procedures and safeguards.
Definition - Safety (Patient Safety)
Patient safety is a new healthcare discipline that emphasizes the reporting, analysis, and prevention of medical error that often leads to adverse healthcare events.

Key Terms and Definitions
Definition - Vulnerability
Vulnerability is defined in NIST Special Publication (SP) 800-30 as "a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of e-PHI. Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

Key Terms and Definitions
Definition - Threat
An adapted definition of threat, from NIST SP 800-30, is "the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability."
There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:
- Natural threats such as floods, earthquakes, tornadoes, and landslides.
- Human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to e-PHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
- Environmental threats such as power failures, pollution, chemicals, and liquid leakage.

Key Terms and Definitions
Definition - Risk
An adapted definition of risk, from NIST SP 800-30, is: "The net mission impact considering (1) the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and (2) the resulting impact if this should occur . . . . Risks arise from legal liability or mission loss due to
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system."
Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Covered Entities

What is protected? PHI
What Information Must Be Protected?
You must protect an individual's PHI (Protected Health Information) which is collected or created as a consequence of a health care provision. Any health information with identifiers (the 18 identifiers defined by HIPAA, listed below) is PHI.
The 18 identifiers:
- Name
- Postal address
- All elements of dates except year
- Telephone number
- Fax number
- Email address
- URL address
- IP address
- Social security number
- Account numbers
- License numbers
- Medical record number
- Health plan beneficiary #
- Device identifiers and their serial numbers
- Vehicle identifiers and serial number
- Biometric identifiers (finger and voice prints)
- Full face photos and other comparable images
- Any other unique identifying number, code, or characteristic
PHI includes:
- Verbal information
- Information on paper
- Recorded information
- Electronic information (faxes, e-mails, etc.)

What is protected? e-PHI

De-Identified Information
PHI is de-identified by removing, coding, encrypting, or otherwise eliminating or concealing individually identifiable information. Regulations do not apply to de-identified information: it may be used or disclosed freely as long as the code to re-identify the information is not accessible.

Patient Rights under HIPAA
Patients have these basic rights under HIPAA:
- Right to Request Amendment to Medical Record
- Right to Access PHI
- Patients can Request a Summary of Disclosures of their PHI during the past six years
- Right to Confidential and Alternative Communications
- Right to Further Restrict Disclosure of PHI
- Right to Complain about Privacy and Security Practices

HIPAA Patient Consent Form

Notice of Privacy Practices

HIPAA (Omnibus Rule) & MU
Why Does Privacy & Security Matter?
- HIPAA Privacy and Security Rules build patients' trust. Patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality.
- Core requirement for the CMS Meaningful Use / Medicare and Medicaid EHR incentive programs.
- Ensuring privacy and security of health information, including information in EHRs, is the key component to building the trust required to realize the potential benefits of electronic health information exchange.
- Your practice, not your EHR vendor, is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR.
- The preservation of confidentiality assists research, which in turn assists patients.

HIPAA (Omnibus Rule) & GINA
Worried About HIPAA? Don't Forget GINA
In addition to HIPAA, the Genetic Information Nondiscrimination Act (GINA) may become a factor in how we handle EMR data security. President Bush signed the Genetic Information Nondiscrimination Act of 2008. Regulations have already been promulgated which restrict access to occupational health information. GINA is primarily aimed at the workplace, as its purpose is to bar an employer from requesting or obtaining an individual's genetic information at any stage of employment. Since GINA construes this to mean not only the results of genetic tests, but anything related to family medical history, even providers who don't do occupational medicine may have some serious data security issues to consider.

Administrative Simplification
Privacy Rule
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
Key Points:
- Establishes standards on the use and disclosure of PHI (requires "minimum necessary" use and disclosure);
- Provides patients with access to their own medical records;
- Requires providers to obtain a signed consent form in order to use and disclose PHI for activities related to treatment, payment and health care operations (TPO). A separate authorization is needed to use or disclose PHI for any other purpose (e.g., marketing).

Privacy Rule
Direct access to patient information shall only be permitted to those employees who have a "need to know" to perform their job functions.
PHI can be used or disclosed for:
- Treatment, payment, and healthcare operations
- With authorization/agreement from the patient
- For disclosure to the patient

Privacy Rule
The "need to know" is defined as Minimum Necessary Information. "Need to Know" is when you need information to:
1. Document the patient's treatment
2. Facilitate communication between physicians and other professionals contributing to the patient's care
3. Provide continuity of patient care
4. Provide a basis for review, study, and evaluation of patient care processes
5. Provide clinical data for approved research, study, and education; and for legitimate business purposes.

Privacy Rule
What are legitimate business purposes? Legitimate business purposes include provision of:
1. Statistical data for decision making and planning
2. Data to third parties as specified by law (e.g. communicable diseases, coroner's cases (autopsies), burns, cancer registry reporting, etc.)
3. Documentation for billing and insurance claims processing
4. Appropriate access to medical records and data as required for licensing and accreditation purposes.

Security Rule
Security refers to a covered entity's specific efforts to protect the integrity of the health information (especially e-PHI) it holds and prevent unauthorized breaches of privacy such as might occur if data are lost or destroyed by accident, stolen by intent or sent to the wrong person in error.
The HIPAA Security Rule requires three kinds of safeguards: administrative, physical, and technical:
- Administrative (e.g., policies and procedures covering access to information, user IDs and passwords, or punishments for violations of these)
- Physical (e.g., locking rooms and storage facilities)
- Technical (e.g., encryption of electronic data and use of digital signatures to authenticate users logging into a computer system)

Administrative Safeguards
These safeguards establish standards and specifications for your health information security program that include the following:
- Security management processes to identify and analyze risks to e-PHI and implement security measures to reduce risks
- Staff training to ensure knowledge of and compliance with your policies and procedures
- Information access management to limit access to electronic health records to protect health information, including the information in EHRs
- Contingency plan to respond to emergencies or restore lost data

Physical Safeguards
These safeguards control physical access to your office and computer systems. Examples of required physical safeguards include:
- Facility access controls, such as locks and alarms, to ensure only authorized personnel have access into facilities that house systems and data (Data Center)
- Workstation security measures, such as cable locks and computer monitor privacy filters (anti-peeping privacy screens), to guard against theft and restrict access to authorized users
- Workstation use policies to ensure proper acc
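The slides describe de-identification as removing or coding the 18 HIPAA identifier categories (keeping only the year of any date) so that the data falls outside the regulations, provided the code needed to re-identify it is not accessible to the recipient. The Python below is an added example written for this page, not code from the slide deck or from HHS; it implements that procedure for a structured record and generalizes it in two ways the slides only imply: free-text notes are scrubbed with regular expressions for identifier-shaped strings, and the medical record number is replaced by a keyed (HMAC) pseudonym whose key plays the role of the slides' "code to re-identify". The field names, patterns, sample record and key are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import re

# The 18 HIPAA identifier categories from the slides, mapped onto structured
# field names. The field names are an assumption of this example.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "postal_address", "telephone", "fax", "email", "url", "ip_address",
    "ssn", "account_number", "license_number", "medical_record_number",
    "health_plan_beneficiary_number", "device_serial", "vehicle_identifier",
    "biometric", "full_face_photo", "other_unique_code",
}
# "All elements of dates except year": these fields are reduced to the year.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}
# Free-text fields (clinical notes) are scrubbed with regular expressions.
FREE_TEXT_FIELDS = {"notes"}

# Identifier shapes that commonly leak into free text (assumed patterns);
# each match is replaced by a category tag. Order matters: phone numbers are
# taken before the IP pattern so "555.123.4567" is not mistaken for an address.
TEXT_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
    ("URL", re.compile(r"\bhttps?://\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]
ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")


def year_only(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; any other shape is dropped."""
    m = ISO_DATE.fullmatch(value.strip())
    return m.group(1) if m else "[DATE]"


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with category tags,
    keeping only the year of any ISO date."""
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    for tag, pattern in TEXT_PATTERNS:
        text = pattern.sub(f"[{tag}]", text)
    return text


def pseudonymize(mrn: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated) for the medical record number.
    The key is the re-identification code: it stays with the covered entity
    and is never shipped with the de-identified data set."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a new record with the identifier categories removed, dates reduced
    to the year, free text scrubbed, and a keyed pseudonym in place of the MRN."""
    out = {}
    for field, value in record.items():
        if field == "medical_record_number":
            out["pseudonym"] = pseudonymize(str(value), key)
        elif field in DIRECT_IDENTIFIER_FIELDS:
            continue  # removed outright
        elif field in DATE_FIELDS:
            out[field] = year_only(str(value))
        elif field in FREE_TEXT_FIELDS:
            out[field] = scrub_text(str(value))
        else:
            out[field] = value  # clinical content is kept as-is
    return out


def leaked_identifiers(record: dict) -> list:
    """Sanity check: list fields where an identifier field or an
    identifier-shaped value (full date, SSN, phone, URL, email, IP) survives."""
    found = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            found.append(field)
            continue
        text = str(value)
        if ISO_DATE.search(text):
            found.append(field)
            continue
        for tag, pattern in TEXT_PATTERNS:
            if pattern.search(text):
                found.append(f"{field}:{tag}")
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "medical_record_number": "MRN-0001234",
    "name": "Jane Example",
    "date_of_birth": "1958-07-21",
    "admission_date": "2021-03-14",
    "ssn": "123-45-6789",
    "email": "jane@example.org",
    "diagnosis_code": "I10",
    "notes": "Pt called from 555-123-4567 re: 2021-03-20 follow-up; "
             "portal login from 10.0.0.25, contact jane@example.org.",
}
# Constructed demo key; in practice generated randomly and stored separately.
REIDENT_KEY = b"constructed-demo-key-keep-separate"

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD, REIDENT_KEY)
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("remaining identifier-shaped values:", leaked_identifiers(cleaned))
```

The regex pass over free text is a heuristic: it catches numbers, addresses and dates with a recognizable shape but not a patient's name written inside a note, so `leaked_identifiers` is a sanity check on the output, not a proof of de-identification. Whoever holds `REIDENT_KEY` can recompute the pseudonym for a known MRN and link records back, which is exactly why the slides require that the re-identification code not be accessible to recipients of the data set.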
