Appendix Q
HIPAA Security
As discussed earlier in this book, the Health Insurance Portability and Accountability
Act (HIPAA) requirements encompass a wide variety of areas including:
• Transactions and codes
• Privacy
• Security
This questionnaire will focus only on the security requirements of HIPAA. The
security requirements in HIPAA are very similar to the concepts covered in this
book regarding what an information security program should look like. At a high
level, the HIPAA security requirements require health care–related companies (those
that meet certain criteria) to have sound information security programs that protect
electronic patient-identifiable health information. As will become evident in the rest
of the questionnaire, the regulations basically require health care companies to have
all the elements of an information security program in place — i.e., everything from
an initial risk analysis to policies and procedures and certain technologies. The
regulation is technology neutral, and the requirements allow some flexibility in
implementation. The security requirements are divided into three sections:
• Administrative procedures to guard the confidentiality, integrity, and availability of data
• Physical security to guard the confidentiality, integrity, and availability of data
• Technical security services to guard the confidentiality, integrity, and availability of data
Each of these sections has its own set of requirements, which are discussed in detail
below.
USE OF THIS QUESTIONNAIRE
First, it is worth reiterating that this questionnaire is applicable only to the HIPAA
Security requirements and not to the Privacy or Technical Code Sets requirements.
The primary source for the questionnaire is the actual regulations, which should be
reviewed if you have further questions. That said, this questionnaire serves the same
AU1706_book.fm Page 423 Tuesday, August 17, 2004 11:02 AM
A Practical Guide to Security Assessments
purpose as the other questionnaires in this book. Although the questions are basically
from the regulations themselves, there is guidance with each of the sections to help
you understand why a given question is important. This questionnaire can facilitate
a conversation to do much of the initial fact-finding. You obviously must still test
and verify based on the client.
There are many software packages now on the market that automate much of what is being asked here. This questionnaire complements those software packages and each has its place. As you talk with senior or managerial-level individuals at health care organizations, you should be armed with knowledge about the importance of a given regulation, the difference between a “required” specification and an “addressable” specification (discussed in a subsequent section), and how the HIPAA security requirement maps to information security best practices. This questionnaire will help you to become knowledgeable about the HIPAA security regulations and help facilitate the information gathering process for the assessment.
Once you have the initial information, software packages might be appropriate
for collecting information in larger environments or to generate reports that are
customized for HIPAA security. Tools can save significant time and produce standard
reports that are useful for your client.
QUESTIONNAIRE STRUCTURE
The specific sections of the HIPAA security questionnaire are as follows:
• Is the entity subject to the HIPAA security regulations?
• What is the extent of the electronic protected health information?
• HIPAA security requirements
– Administrative security regulations
– Physical security regulations
– Technical security regulations
This HIPAA security questionnaire follows the regulations from the Federal Register. Unlike the other questionnaires, the questions contain some guidance information but no risks. One reason for this is that many of these questions have been covered in other questionnaires where the risks have already been identified. In addition, because HIPAA is something that is mandated, companies subject to the regulation must comply.
For the questions in the HIPAA requirements section, the structure contains the
following:
• Specification directly from the HIPAA security regulation (as stated in the Federal Register).
• For each requirement there is a set of questions to help determine whether a client is in compliance with the requirement. These questions are an initial list and, as with the other questionnaires, you should modify them to fit the requirements of your client. These questions are there to help you determine whether the company is in compliance with the specific HIPAA regulation, so you can use them at your discretion.
In general, this questionnaire is meant to be comprehensive as it covers the entire
set of HIPAA security requirements. Although the requirements are fixed, the supporting questions used to determine compliance may vary based on your client.
IS THE ENTITY A “COVERED ENTITY?”
The applicability of HIPAA comes into question when a company provides some form of health care services. By providing health care services, the entity is most likely dealing with some patient records, which may be in electronic format and contain patient-identifiable information. In the Federal Register, the HIPAA regulations state that the HIPAA security standards are applicable to “covered entities,” which are listed below. Note that further clarification of the regulation can be found on the U.S. Department of Health and Human Services Web site:
• A health plan
• A health care clearinghouse
• A health care provider who transmits health information in electronic form in connection with certain transactions (details provided in the questions below)
1. Is the entity a health plan?
Does the entity provide or pay the cost of medical care? (If so, the entity is a health plan.) Examples of such entities include (from 45 CFR 160.103 Definitions):
• A group health plan
• A health insurance issuer
• A health maintenance organization (HMO)
• Part A or Part B of the Medicare program
• The Medicaid program
• An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1))
• An issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy
• An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers
• The health care program for active military personnel under title 10 of the United States Code
• The veterans health care program under 38 U.S.C. chapter 17
• The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4))
• The Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.
• The Federal Employees Health Benefits Program under 5 U.S.C. 8902, et seq.
• An approved State child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397, et seq.
• The Medicare + Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28
• A high-risk pool that is a mechanism established under State law to provide health insurance coverage or comparable coverage to eligible individuals
• Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2))
Health plan excludes (from 45 CFR 160.103 Definitions):
• A group health plan
• Any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and
• A government-funded program (other than one listed in paragraphs (i)-(xvi) of this definition above):
– Whose principal purpose is other than providing, or paying the cost of, health care; or
– Whose principal activity is:
  – The direct provision of health care to persons; or
  – The making of grants to fund the direct provision of health care to persons
Guidance: The list above provides guidance to determine whether the entity is a health plan. This guidance is from the original HIPAA regulations.
Client Response:
2. Is the entity a health care clearinghouse?
Is the entity one of the following (from 45 CFR 160.103 Definitions):
• A billing service?
• A repricing company?
• A community health management information system or community health information system?
• A value-added network and switch?
If the entity is one of the items listed above, does it perform one of the following functions (if so, the entity is a health care clearinghouse):
• Does it process or facilitate the processing of health information received from another entity in a nonstandard format or containing
nonstandard data content into standard data elements or a standard transaction?
• Does it receive a standard transaction from another entity and process or facilitate the processing of health information into nonstandard format or nonstandard data content for the receiving entity?
Guidance: The guidance above is also directly from the regulation. To answer the questions to determine applicability as a health care clearinghouse, knowledge of the standard transactions is required. Interaction with those involved with implementation of the standard transaction code sets may be required.
Client Response:
3. Is the entity a health care provider transmitting health information in connection with certain transactions? (from 45 CFR 160.103 Definitions)
Does the entity transmit information with other parties to carry out financial or administrative activities related to health care where the following types of information are transmitted (If so, the entity is a health care provider):
• Health care claims or equivalent encounter information?
• Health care payment and remittance advice?
• Coordination of benefits?
• Health care claim status?
• Enrollment and disenrollment in a health plan?
• Eligibility for a health plan?
• Health plan premium payments?
• Referral certification and authorization?
• First report of injury?
• Health claims attachments?
• Other transactions that the Secretary may prescribe by regulation?
Client Response:
4. Is the entity a “business associate”?
Guidance: Business associate relationships arise when a person or entity provides services on behalf of a covered entity but is not a member of its workforce, and the work performed involves the handling of protected health information covered under HIPAA. The activities can vary and can include billing, claims processing, data analysis, and others.