Topic: HIPAA risk analysis of security incident procedures
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), passed by the United States Congress and signed by then President Bill Clinton in 1996, has two titles that deal with issues in the health insurance sector. The first title aims to protect health insurance coverage for employees and their families when they change from one job to another or lose their jobs altogether.
The second title, also referred to as the Administrative Simplification provisions, prescribes the formation of national standards for electronic health care transactions and of identifiers for health insurance plans and employers. This act also maintains a right to privacy for people between the ages of twelve and eighteen: the health insurance provider must obtain consent from the affected person before disclosing any information about the healthcare they sought, even to the parents.
Security incident procedures (SIP)
HIPAA's administrative safeguards state that covered entities are to implement policies and measures to address security-related issues. The rule further describes a security incident as an attempted or successful unauthorized access, use, disclosure, modification or destruction of information, or interference with system operations in an information system.
The regulations go on to define an information system as an interconnected set of information resources under the same direct management control and sharing common functionality. Such a system will normally comprise hardware, software, information and raw data to be processed, the applications that process this data, communications, and the people that use these systems.
The standard is defined by a single implementation specification, "response and reporting", which includes three steps. First, identify and respond to suspected or known security incidents; second, mitigate, to the extent practicable, the harmful effects of security incidents that are known or suspected; and lastly, document the incidents and their outcomes.
Intent of the SIP
The overall purpose of the SIP is to provide formal, documented procedures for responding to security violations so that they can be reported and dealt with as fast as possible. The documentation and the response to be taken will depend on the nature of the security violation and will be specific to the particular situation, based on the entity's environment and the information involved. DHHS (Final Rule, p.101,102). The standard only addresses internal reporting and response and does not address external reporting, which is governed by business or legal rules such as state law requirements, although the security incident documentation must remain available for that purpose.
Regulation and the implementation of SIP
The Final Rule on the Security Standard was issued on February 20, 2003 and took effect on the 21st of April the same year, with a prescribed compliance date of the 21st of April 2005 for most covered entities and a year later for those with smaller plans. This rule was developed to work with the Privacy Rule: the Privacy Rule deals with all protected health information, whether recorded on paper or electronically, while the Security Rule deals specifically with electronic protected health information.
It lays out three types of security safeguards needed for compliance: administrative, physical and technical. For each category the rule identifies certain standards and clearly defines which implementation specifications are required and which are addressable. Required specifications must be adopted and administered in the manner the rule states, while addressable specifications are more flexible.
Individual covered entities are given the latitude to assess their particular position and decide on their preferred way of implementing the addressable specifications, though some have raised concern that this flexibility may give covered entities too much latitude.
Administrative procedures
The standards and specifications call for administrative procedures that establish policies and procedures clearly defining how the entity will satisfy the act. Covered entities are required to comply with the HIPAA regulations by adopting a written set of privacy procedures and designating a privacy officer responsible for developing the needed policies and resources and subsequently applying them.
The policies and procedures must clearly identify the employees or classes of employees that will be granted access to electronic protected health information, and this access must be regulated and restricted to those employees who need it to do their work. These procedures must address the authorization, establishment, modification and termination of that access, and the entities must demonstrate that a thorough training program on how PHI is handled is given to the employees responsible for performing health plan administrative functions.
Covered entities that out-source some business processes to a third party are required to confirm that the party they deal with has structures in place to act within the HIPAA regulations. The contract that binds the two companies should contain clauses stating that the vendor will comply with the data protection regulations practiced by the covered entity. The covered entity should be vigilant in finding out whether the vendor also out-sources any data handling functions to other vendors, so that it can be established whether those vendors follow the same HIPAA-required regulations that the covered entity follows.
An emergency plan should always be in place so that it can be used to respond to any emergencies that arise. It is the responsibility of the covered entity to make sure that its data is backed up and that disaster recovery procedures exist. This emergency plan should define the priority of data, analyze any failures that may occur, and state the testing activities to be undertaken and the change control procedures.
Internal audits are also vital to HIPAA compliance, as they are used to review operations with the aim of identifying possible sources of security violations. The policies and procedures should specifically define the scope, frequency and process of these audits, which should take place regularly and also when circumstances dictate. The procedures should clearly state the guidelines for addressing and responding to any security breach identified during an audit or during normal day-to-day operations.
Physical safeguards
These are put in place to regulate physical access and avoid unwarranted access to protected data. These controls should govern any addition or removal of hardware from the network, and when any equipment on the network needs to be replaced for whatever reason, the disposal method used should guarantee that PHI will not be compromised.
Any access to equipment that contains health information must be carefully regulated and supervised, and the right to use hardware and software connected to the network should be reserved for authorized people so as to avoid breaches by unauthorized ones. The required access controls should incorporate the facility's security plans, the records kept when maintenance takes place, and the records of visitors that entered and of the people that accompanied them, if any.
The policy should also address the correct use of workstations: they should be kept in places that do not experience high foot traffic, while making sure that screens cannot be seen directly by people who are not supposed to have access to them. Any contractors or agents that the covered entity decides to employ must be trained so that they learn the physical access responsibilities that are part of the policy.
Technical safeguards
These are put in place to regulate the right to use computer systems and to allow covered entities to safeguard PHI transmitted electronically over open networks from being captured and received by any party other than the intended recipient. Systems holding PHI should be safeguarded from interference by ensuring that information sent over open networks is encrypted; on a closed network, the access controls in place can be relied upon to prevent intrusion, provided they work adequately.
All covered entities have the responsibility of guaranteeing that the data in their systems is not modified or deleted in an unauthorized way; data integrity must be taken seriously, using means such as checksums and digital signatures to achieve this.
It is the obligation of the covered entity to make sure that the entities it communicates with are the genuine and intended entities. This authentication entails confirming the identity of the other entity through password, telephone or token systems that are available to the genuine entities only. Covered entities are also required to make certification of their HIPAA practices available to the government so that it can verify that they are complying.
The information technology documentation should cover the policies and procedures and the access records, and should include a written record of all configuration settings of the network components, since these components are dynamic and intricate. Risk analysis and risk management should be documented and made available by the covered entity, which should carefully consider the risks its systems face as it builds systems that conform with the act, taking all necessary precautions (U.S. Department of Health & Human Services, n.d.).
Conclusion
This rule will not favor small providers, since they will be forced to employ HIT consultants so that they can conform to the regulations that HIPAA prescribes, as all the standards have a specific way in which they must be addressed. This makes it unfair for these small providers, as they will have to incur the extra cost in order to comply.
References
U.S. Department of Health & Human Services. (n.d.). Summary of the HIPAA Privacy Rule. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html