xxxviii Educate Staff and Security Personnel
institutions, such as banks and savings and loans, are regulated by either the Office of the Comptroller of the Currency (OCC), the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC), or the Office of Thrift Supervision (OTS). These four agencies enacted joint regulations that became effective July 1, 2001 under 12 CFR part 30 et al. to guide audit and compliance certification processes.
There are also many other nondepository institutions that are regulated by the Federal Trade Commission (FTC), which specifically claims authority over financial institutions not otherwise subject to the enforcement authority of another regulator, as outlined in 16 CFR part 313.1 (b). The FTC information security requirements were published May 23, 2002 as 16 CFR part 314, and are available from the FTC. Finally, the Office for Regulatory Audits and Compliance (OFRAC) is an Atlanta-based organization set up to conduct compliance surveys and audits for regulations affecting businesses regulated by GLBA, Department of Transportation (DOT), HIPAA, HHS, CFR 42, 49, 67, the USA PATRIOT ACT and the Public Health Security and Bioterrorism Preparedness Response Act of 2002 (HR 3448). Their services are designed to meet the testing requirements of both GLBA and HIPAA. This is extremely important, as the penalties for not complying with the aforementioned laws are quite severe. Individuals failing to fully comply with the regulations are subject to a $250,000 fine, and any other person (facility or organization) failing to follow the regulations is subject to a fine of $500,000. Prison terms can be up to five years for each violation. As you can see, privacy security has become a very serious issue that mandates business attention at the risk of huge penalty.
HIPAA
The Health Insurance Portability and Accountability Act [21] (HIPAA) was enacted in order to accomplish several goals. These goals were intended to:
1. Improve portability and continuity of health insurance coverage
in group and individual markets;
2. Combat waste, fraud, and abuse in health insurance and health
care delivery;
3. Promote the use of medical savings accounts;
4. Improve access to long-term care services and coverage; and
5. Simplify the administration of health insurance.
Introduction
In order to comprehend the total impact of HIPAA, it is important to understand the protections it has created for millions of working Americans and their families. HIPAA includes provisions that may increase an individual's ability to get health coverage for himself and his dependents if he starts a new job. HIPAA can lower an individual's chance of losing existing health care coverage, regardless of whether the individual has that coverage through a job or through individual health insurance. HIPAA can help an individual maintain continuous health coverage for herself and her dependents when she changes jobs. HIPAA also can help an individual buy health insurance coverage on his or her own if he or she loses coverage under an employer's group health plan and has no other health coverage available. Among its specific protections, HIPAA limits the use of preexisting condition exclusions and prohibits group health plans from discriminating by denying someone coverage or charging extra for coverage based on a covered member's past or present poor health. HIPAA guarantees certain small employers, and certain individuals who lose job-related coverage, the right to purchase health insurance; and it guarantees (in most cases) that employers or individuals who purchase health insurance can renew the coverage regardless of any health conditions of individuals covered under the insurance policy. In short, HIPAA may lower an individual's chance of losing existing coverage, ease an individual's ability to switch health plans, and/or help him or her to buy coverage on his or her own if he or she were to lose coverage under an employer's plan and have no other coverage available.
In setting out to achieve each of the aforementioned six goals, the final
bill that was enacted can be summarized into five areas where action was
mandated. We will discuss each of these five areas next:
1. Standards for electronic health information transactions. Within 18 months of enactment, the Secretary of Health and Human Services was required to adopt standards from among those already approved by private standards-developing organizations (such as NAIC) for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards were required to address the security of electronic health information systems. This last sentence is of particular concern to security professionals, who must enable organizations to enforce such privacy rules.
2. Mandate on providers and health plans, and timetable. Providers and health plans were required to use the standards for the
specified electronic transactions 24 months after they were adopted.
Plans and providers were given the option to comply directly or
to make use of a health care clearinghouse. Certain health plans,
in particular workers’ compensation, were not covered.
3. Privacy. The Secretary of Health and Human Services (HHS) was required to recommend privacy standards for health information to Congress 12 months after HIPAA was enacted. There was a provision that stated that if Congress did not enact privacy legislation within three years of enacting HIPAA, the Secretary of HHS should promulgate privacy regulations for individually identifiable electronic health information.
4. Preemption of State Law. The HIPAA bill superseded state laws, except where the Secretary of HHS determined the state law was necessary to prevent fraud and abuse, to ensure the appropriate regulation of insurance or health plans, or to address concerns about the use of controlled substances. If the Secretary promulgates privacy regulations, those regulations could not preempt state laws that imposed more stringent requirements. These provisions did not limit a state's ability to require health plan reporting or audits.
5. Penalties. The bill imposed civil money penalties and prison for certain violations. Individuals failing to fully comply with the regulations are subject to a $250,000 fine, and any other person (facility or organization) failing to follow the regulations is subject to a fine of $500,000. Prison terms can be up to five years for each violation.
As you can see, items 1, 2, and 3 above have specific provisions for protection of electronic data. This is the area of HIPAA that is most concerned with cybersecurity. The preceding sections have been concentrated on standards, laws, and enforcement issues related to security and privacy. In the actual implementation of security measures needed to comply with such regulatory guidance, a security professional relies on adoption of good practices that have been evaluated and adopted as "best practices" across the industry.