The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that calls for regulations to protect the privacy, security and integrity of medical records. These regulations, drafted by the Health and Human Services Administration (HHS) in collaboration with the healthcare industry, cover all aspects of the handling, storage and transmission of patient healthcare information.
Who must comply?
HIPAA does not apply solely to healthcare providers. Any organization handling or storing personally-identifiable data relating to an individual's health and treatment is subject to the HIPAA regulations. These organizations include insurance companies, hospitals, healthcare providers, and employers among others.
When does it take effect?
The Transaction and Code Set regulations compliance deadline was delayed to October 16, 2003; a detailed Transaction Regulation Compliance Plan must be submitted to HHS by October 16, 2002.
The Privacy regulations compliance deadline is April 14, 2003 (or 2004 for "small health plans").
Regulations for Security and Identifiers have been proposed but not finalized, and there are no deadlines for them as yet.
Why should you be concerned?
Failure to comply with the HIPAA regulations carries both financial and criminal penalties. Identifying the most efficient and cost-effective way to achieve compliance requires an early and comprehensive approach.
How can we assist you?
Our HIPAA Compliance Practice Group works with you to meet the challenges posed by the sweeping HIPAA regulations, protect your patients' and employees' privacy, improve security and meet the demands of your customers for improved protection of personal data. We leverage our extensive knowledge of and experience with security, systems integration, application development, access control, database administration and records management to offer a range of solutions:
Education and Compliance Awareness
Gap and Risk Assessments
Strategy and Remediation Planning
Complete End-to-end Remediation Solutions
Ongoing Compliance Management
24x7 Managed Compliance Services
Because we combine technological know-how with our partner firms' legal expertise, we can identify and solve your problems relating to the use, management, transmission and storage of medical data under the new HIPAA regulations. We are a full-service technology consulting company and can provide strategies and technologies to improve reliability, performance and efficiency as we work together to deliver HIPAA compliance.
Tiburon Technical HIPAA Service Offerings
Education and Compliance Awareness
To help you understand the impact of HIPAA on your organization, we offer both executive/management and employee training seminars to educate members of your organization about HIPAA and to work with those in charge of compliance to understand the choices and strategies available to them.
Gap and Risk Assessments
Our Gap Assessment delivers a clear understanding of the gaps that exist in your major technical systems (e.g. records management, billing, accounts receivable, etc.) under the HIPAA regulations.
We perform information, physical systems and investigative audits on technology systems to produce an assessment of the existing gaps. Our clients receive an executive summary as well as a comprehensive report that includes audit results, cost/benefit analysis and an assessment of major risk areas.
Our Risk Assessment helps clients prioritize scarce dollars by analyzing risk versus cost.
Strategy and Remediation Planning
In helping to create a road map for HIPAA compliance, we emphasize selecting the 'right solution' in light of both technical needs and cost considerations. With our technologically agnostic approach, we use our expertise to help you make the choice that best meets the needs and constraints of your organization.
Tiburon Technical project managers have the training and experience to work alongside you to develop your plans in an efficient and structured way so that implementation is easy to direct and control.
We deliver a phased implementation plan, including scope, alternatives, costs, and timeframes. This deliverable, along with the Gap Assessment, provides a full picture of both the scope of the compliance problem and recommended solutions.
Remediation Implementation
Our Remediation program leverages the knowledge gained in the Gap Assessment and the Strategy and Remediation Planning phases and our years of technology expertise to implement the appropriate technology solution for your HIPAA compliance needs.
Tiburon Technical's experienced project managers can provide the direction and control necessary to make sure your remediation achieves its goals quickly and economically.
Upon completion of the engagement, we transfer the knowledge we have gained about your systems to your IT team. This ensures a cost-effective on-going compliance management process and provides tremendous value to your ongoing IT strategy.
Compliance Management
Most organizations add new systems or modify current ones on an ongoing basis. All of this activity has an impact on HIPAA compliance.
In order to help ensure HIPAA compliance on an ongoing basis, we offer compliance management and maintenance services. We proactively review systems and infrastructure for HIPAA compliance, update security patches, manage firewalls, perform regular security audits, and otherwise reduce the risk of failing to comply with the HIPAA regulations, not to mention preventing unwanted systems intrusions or security breaches.
The end result is reduced compliance costs as well as potentially significant cost savings from reduced liability.
Access Control, Logging, Audit, and Single Sign-On
The Requirements…
One of the areas most often in need of immediate remediation for both HIPAA compliance and for overall system security is specified within the HIPAA Privacy Regulations. Specifically, we have found that healthcare organizations fail, and are therefore vulnerable, in the requirements to control access to Protected Health Information, and to record (log) which person accesses which records so that accesses can be audited.
Architecting a Solution...
The Problem…
In order to satisfy these requirements, systems will need to require unique identification of the person making an inquiry. In current scenarios at many healthcare institutions, such identification is not recorded, usually because of the onerous nature of traditional logon procedures. The problem is compounded by the fact that many individuals often need to access multiple systems, each requiring its own logon and password regime. Furthermore, in order to be compliant with the regulations, systems are required to record all Protected Healthcare Information access (logging) and to audit the information as appropriate.
The Questions…
How can compliance be achieved without requiring everyone to know several passwords or change how they perform their work? How can compliant systems provide easy sign-on and sign-off functionality so that only authorized individuals access information, and so that all information accesses are correctly tracked? How can all those systems be economically upgraded to support the required logging and auditing capabilities?
The Solution...
Access control, logging, and auditing problems can all be solved through the adoption of an integrated, universal access control system using authorization-based rules tied to authentication devices, including a combination of biometric and proximity card-reader devices. These systems provide an easy, uniform means for staff to gain the proper access while denying improper access, and provide the necessary level of access logging to enable the required audit functions under the regulations. Furthermore, a universal access control system works on top of the systems already in place, minimizing the number of systems that must be modified to attain compliance.
Implementing the Solution...
Authentication: To obtain universal compliance with proper logon procedures, authentication for login has to be easy, fast, and unobtrusive, and logging off has to be automatic to prevent use of a logged-in terminal by an unauthorized person. Modern biometric scanners (fingerprint, hand scan, iris scan, face scan) are increasingly inexpensive and easy to deploy, and provide a high level of certainty for user identification. Using a proximity card to regulate access provides a second layer of security in the logon process, and provides a means for automatic log-off when a user leaves the area of the terminal. This combination provides a high level of security.
Authorization – Single Sign-On: To implement the automatic logon and log-off, there needs to be a facility to provide access to whatever systems and information the user is authorized to access. This requirement defines a need for the use of Single Sign-On (SSO) technology, whereby an authorization process, through a single login, provides access to various systems depending on each user's identification, role, or context.
Logging and Auditing: In addition to access control, many authorization management products can also perform the required logging and audit capabilities, solving that problem simultaneously without having to deal with the problem on a system-by-system basis.
Flexibility: Since not all patients' information will be subject to the same access limitations, and since the limitations may change from time to time as patients are permitted to grant or rescind access at will, the authorization management tool must be able to recognize differences both in users and in data within systems.
Following the Standard: Any solution implemented should conform to the Object Management Group (OMG) Resource Access Decision (RAD) standard, designed by security specialists specifically for healthcare industry requirements.
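The central access-decision point described above (one rule set shared by every system, patient-granted and patient-rescinded exceptions, and an audit record for every PHI access), as an added illustration that is not Tiburon Technical's or any vendor's product code. The role policy, user ids and patient ids are constructed sample values; the class and method names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessRequest:
    user_id: str     # unique identity supplied by the SSO/authentication layer
    role: str        # e.g. "physician", "nurse", "billing"
    patient_id: str  # the PHI record being requested
    action: str      # "read" or "write"


@dataclass
class PhiPolicyPoint:
    """Single decision point: one rule set for all systems, one audit trail."""
    # Constructed sample role policy; a real deployment loads this from config.
    role_rules: dict = field(default_factory=lambda: {
        "physician": {"read", "write"}, "nurse": {"read"}, "billing": set()})
    grants: dict = field(default_factory=dict)     # patient -> {user: {actions}}
    rescinded: dict = field(default_factory=dict)  # patient -> {user, ...}
    audit_log: list = field(default_factory=list)

    def grant(self, patient_id, user_id, actions):
        """Patient grants a specific person access beyond the role rules."""
        self.grants.setdefault(patient_id, {})[user_id] = set(actions)
        self.rescinded.get(patient_id, set()).discard(user_id)

    def rescind(self, patient_id, user_id):
        """Patient withdraws access; this overrides the person's role."""
        self.rescinded.setdefault(patient_id, set()).add(user_id)
        self.grants.get(patient_id, {}).pop(user_id, None)

    def decide(self, req: AccessRequest) -> bool:
        if not req.user_id:  # unidentified caller: never allowed, always logged
            allowed, reason = False, "no-identity"
        elif req.user_id in self.rescinded.get(req.patient_id, set()):
            allowed, reason = False, "patient-rescinded"
        elif req.action in self.grants.get(req.patient_id, {}).get(req.user_id, set()):
            allowed, reason = True, "patient-grant"
        elif req.action in self.role_rules.get(req.role, set()):
            allowed, reason = True, "role-rule"
        else:
            allowed, reason = False, "no-matching-rule"
        # Every decision, permitted or denied, is recorded against the unique user id.
        self.audit_log.append({"time": datetime.now(timezone.utc).isoformat(),
                               "user": req.user_id, "role": req.role,
                               "patient": req.patient_id, "action": req.action,
                               "allowed": allowed, "reason": reason})
        return allowed

    def audit_trail(self, patient_id):
        """The audit question the regulation asks: who touched this record?"""
        return [e for e in self.audit_log if e["patient"] == patient_id]
```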
Tiburon Technical Can Help...
Tiburon Technical can help you design, specify, and implement HIPAA-compliant technologies to create the required levels of authentication, authorization control, logging and auditing capabilities. We can assist with the selection of the right products and tools from a range of vendors to create the best OMG-RAD compliant access control and SSO solutions for our Healthcare clients.
HIPAA Training
Security Management Practice
Security Principles
Risk Assessment and Analysis
Certification
Gap Analysis
Data Classification
Hiring Practices
Policies, Procedures, Standards and Guidelines
Security Management
Sanction Policy
Training
Security Models and Architecture
Security Perimeter
Layered Security Design
Security Policy
Disaster Recovery and Business Continuity
Contingency Planning Requirements
Determining Goals
Analyzing Critical Business Functions
Identifying Resources and Systems to Support Critical Functions