AMC/HIPAA Workgroup
Executive Summary
The HIPAA security and privacy regulations exist for good reasons
Storing and transmitting health information in electronic form exposes it to risks that do not
exist, or exist to a lesser degree, when it is maintained in paper. Health information is a vital
business asset for a healthcare organization, and protecting it preserves the value of this asset. In
addition, securing patients' information protects their privacy and enhances the organization's
reputation for professionalism and trustworthiness. Healthcare organizations have long
recognized the value of health information, and are already taking many of the measures required
by the HIPAA security and privacy regulations. Nevertheless, complying with HIPAA will
require most covered entities (entities subject to the Security and Privacy regulations) to adopt
new policies and procedures for handling protected health information (individually identifiable
health information held by a covered entity) and to make some hard choices about how these
policies will be implemented. This report offers guidance in making those choices, and discusses
good healthcare security and privacy practices.
Covered entities should plan to comply within the next two years
The final HIPAA security and privacy regulations will become effective two years after the date
of their publication in the Federal Register.
The final HIPAA security rule has not been published at this time, so its compliance date has not
been set. Publication of the final security rule in the Federal Register is anticipated in the third
or fourth quarter of 2001; however, covered entities should plan to be in compliance by the
middle of 2003.
The final HIPAA privacy rule was published in the Federal Register on December 28, 2000, but
its official effective date was moved forward due to administrative issues. The compliance date
for large covered entities (such as AMCs) is April 14, 2003.
Many of the regulations' requirements are clear and specific
Although the HIPAA security and privacy regulations are long and complex, many of their
requirements are clear and specific. The major actions the regulations require a covered entity to
take are:
Assign responsibility for security to a person or an organization.
Assess risks and determine the major threats to the security and privacy of protected
health information.
Set up a security management program that addresses physical security, personnel
security, technical security controls, security incident response, and disaster recovery.
Certify the effectiveness of new or existing security controls.
Appoint a privacy officer and a point of contact for receiving privacy complaints.
Adopt a privacy policy and publicize the policy by giving notice. Privacy policies must
have specific provisions for gaining consent and authorization to use protected health
information, restricting use and disclosure of protected health information, and receiving
and resolving complaints.
Change contracts and business partner agreements to include a contractual requirement
that partners handle protected health information properly.
Train the covered entity's workforce (and business associates who work on the covered
entity's premises) to follow proper security and privacy policies and procedures.
Document security and privacy policies and procedures, as well as actions taken to ensure
that policies and procedures are enforced.
This document explains these requirements in more detail and gives specific recommendations
on how Academic Medical Centers can implement them.
Some of the regulations' provisions require covered entities to exercise judgment
While many of the provisions of the HIPAA security and privacy regulations require little
interpretation, some deliberately provide room for interpretation to allow covered entities the
flexibility they need to comply without making unnecessarily disruptive changes. This
document points out which of the regulations' requirements a covered entity will have to
interpret, and provides guidance on some of the options Academic Medical Centers should
consider. Topics addressed include:
Assignment of responsibilities. The regulations require covered entities to assign
specific responsibilities. These requirements could be handled by creating new executive
positions or departments, or they could be handled by allocating new responsibilities to
existing positions and departments. This document discusses how to assign
responsibilities in the context of your existing organizational structure, and includes
sample job descriptions for some of the required positions.
Defining and introducing policies. A broad range of security and privacy policies and
procedures could be used to safeguard protected health information. This document
discusses processes for defining and introducing policies and procedures that will be
effective in your organization. Sample security and privacy policies are included.
Risk analysis. The regulations require covered entities to analyze risks to security and
privacy of health information, and to determine whether the risks are "acceptable." This
document discusses how to choose a risk analysis methodology and how to decide what
constitutes "acceptable risk," and gives references to several risk analysis methodologies.
Certification. The regulation requires covered entities to certify security controls. An
internal organization or a third party can perform the required certification, and the
regulation does not mandate a specific certification process or regime. This report
discusses some of the certification options.
Scalability. The regulations allow a covered entity to consider "scalability" (in other
words, the cost burden of implementation) when deciding how to implement certain
provisions. This document addresses "scalability" issues.
Minimum necessary information. The privacy regulation requires covered entities to
restrict use and disclosures of private information to "the minimum use or disclosure
necessary to accomplish the purpose of the request." This document discusses how to
determine what information is necessary in a given situation.
Managing consumer requests. The privacy regulation requires covered entities to
implement a process for receiving and responding to complaints, as well as to requests to
restrict access to information. This document discusses some of the options for managing
these complaints and requests.
Contracts. The regulations require that security and privacy provisions be incorporated
into contracts with other organizations. This document discusses options for doing so
and includes some model contract terms.
Disclosure. The privacy regulation offers several options relating to the disclosure and
use of de-identified information. This document addresses how to choose an option.
Key activities for HIPAA security and privacy compliance
In addition to providing information about how to handle specific aspects of HIPAA security and
privacy compliance, this document outlines a framework for addressing the regulations. The
framework includes the following sequence of activities:
1) Recognize that HIPAA security and privacy compliance is a policy and compliance
effort, not a technology effort.
2) Assign responsibility for HIPAA compliance.
3) Consult widely with stakeholders.
4) Formulate job descriptions for the officials required by the HIPAA regulations (security
and privacy officials, complaint receivers).
5) Hire or appoint the required officials.
6) Perform an initial risk analysis, including an asset inventory.
7) Review the results of the risk analysis with senior management.
8) Create a HIPAA security and privacy compliance program. A compliance program must
include written policies and procedures, a compliance office reporting to senior executive
management, compliance training, a complaint process, an internal compliance audit
program, sanctions, and incident response and corrective action procedures.
9) Formulate or update security and privacy policies.
10) Update the risk analysis based on the new policies.
11) Create a detailed HIPAA security and privacy compliance plan, including security and
privacy procedures, security and privacy training, security and privacy evaluation and
certification, and disaster recovery procedures. This report suggests establishing a formal
security management program as part of the HIPAA security and privacy compliance
plan.
12) Review the compliance plan with senior management.
13) Execute the compliance plan (in phases if appropriate).
14) Document the compliance plan and its execution.
15) Operate the compliance plan and the security management program on a continuing
basis. Include regular reports to senior management. Update the risk analysis regularly.
Detailed advice on topics that organizations should consider as they perform these activities is
provided throughout the report.
Many will face serious organizational issues on the way to compliance
Compliance with the HIPAA security and privacy regulations will raise a variety of issues. This
report describes some of the issues Academic Medical Centers are most likely to encounter, and
provides some options for dealing with these issues. Specifically, this report addresses:
Organizational structure. Academic Medical Centers typically have a complex
organizational structure, with many sub-entities and affiliates in a complicated
governance arrangement. This report discusses which entities are covered by the HIPAA
security and privacy regulations and how a covered entity's structure influences the
activities required to bring it into compliance.
Changing practices. Some HIPAA security and privacy compliance activities require
changing established patterns of thought and behavior. Healthcare workers use protected
health information in their day-to-day job activities. Some information use practices will
have to change in order to comply with the HIPAA security and privacy regulations'
requirements. This report discusses how a covered entity can introduce changes in long-
established information and system use practices by building awareness and encouraging
buy-in.
Financial. Compliance activities cost money. This report discusses approaches to
funding compliance activities.
Locating resources. Many healthcare organizations lack security and privacy expertise.
This report discusses where to find information about security and privacy.
Interpretation. As already discussed, the HIPAA security and privacy regulations leave
room for interpretation in many areas. This report addresses how to interpret the
regulations' gray areas.
Research and education. The HIPAA security and privacy regulations have special
provisions for research and educational uses of protected health information. This report
addresses how an Academic Medical Center's research and education activities will be
affected by the regulations.
Fundraising and marketing. The HIPAA security and privacy regulations have
provisions relating to fundraising and marketing activities. This report addresses how an
Academic Medical Center's fundraising and marketing will be affected by the
regulations.
Compliance will carry significant costs, but it will also bring benefits
Complying with the HIPAA security and privacy regulations will require new policies,
procedures, and processes. It will increase the paperwork associated with disclosing protected
health information. It will also require new training and certification activities. None of this
comes for free.
The money and effort spent to comply with the HIPAA security and privacy regulations will,
however, buy significant benefits for the organization even above and beyond avoiding penalties
for non-compliance. Compliance with HIPAA security and privacy standards will play an
important role in preserving patients' trust in the healthcare system, the organization, and
individual healthcare providers. HIPAA security and privacy compliance can help healthcare
organizations avoid the adverse publicity and public image problems which disclosures of
personal information have inflicted on web retailers recently. Covered entities should view
security and privacy as yet another benefit they can offer to patients who choose their services.
Compliance with the HIPAA security regulation can also reduce a covered entity's business risks
significantly. A strong security management program reduces the probability of interruption of
business, destruction of the organization's information assets, and damage to brand and
reputation due to vandalism of information systems. Compliance may also shield covered
entities from significant fines, loss of accreditation, and loss of consumer trust. Finally, it can
reduce exposure to liabilities associated with improper handling of protected health information.