In 2000, many patients who were newly diagnosed with depression received free samples of antidepressant medications in the mail. This left patients wondering how the pharmaceutical companies had been notified of their diagnoses. After a long and thorough investigation, the physician, the pharmaceutical company and a well-known pharmacy chain were all indicted on breach of confidentiality charges. This is one of the many reasons the Federal Government needed to step in and create guidelines to protect patient privacy.

What is HIPAA? Mention the goals of HIPAA.

The Health Insurance Portability and Accountability Act consists of standardized electronic data interchange, transactions, codes, security of data systems, privacy protection for individual health information and standard identifiers. HIPAA is divided into 2 sections:

Portability: It allows individuals to carry their health insurance from one job to another, so that they do not have a lapse in coverage, and it also restricts health plans from imposing pre-existing condition requirements on individuals who switch from one health plan to another.

Administrative Simplification: It covers receiving, transmitting and maintaining healthcare information and ensuring the privacy and security of individually identifiable information.

The primary goals of HIPAA are:
- To make it easier for people to keep health insurance
- To protect the confidentiality and security of health care information
- To help the healthcare industry control administrative costs

Mention the 11 rules of HIPAA?

1. The Claims Attachment Standards Rule establishes national standards for the format and content of electronic attachment transactions.
2. The Clinical Data Rules/Electronic Signature Standard establishes national standards for clinical data and data transmission.
3. The Data Security Rule establishes physical, technical and administrative protocols for the security and integrity of electronic health data.
4. The Enforcement Rule establishes rules for how the government intends to enforce HIPAA.
5. The Standard Transaction for First Report of Injury Rule establishes national standards for the format and content of the electronic first-report-of-injury transaction used in Worker's compensation cases.
6. The Standard Unique Identifier for Employers Rule establishes the federal tax identification number as an employer's national unique identifier.
7. The Unique Identifier for Individuals Rule mandates a single patient identifier for all of an individual's patient health information.
8. The Standard Unique National Health Plan/Payer Identifier Rule establishes a national identifier for each health insurer.
9. The Standard Unique Healthcare Provider Identifier Rule establishes a national identifier for each provider.
10. The Privacy Rule establishes guidelines for the use and disclosure of patient health information.
11. The Transactions and Code Sets Rule establishes standard formats and coding of electronic claims and related transactions.

Explain briefly about the security rule in HIPAA?

The Security Rule lays out three types of security safeguards required for compliance: administrative, physical and technical.

1. Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act. Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures. The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls. Procedures should clearly identify employees or classes of employees who will have access to protected health information. The procedures must address access authorization, establishment, modification and termination. A contingency plan should be in place for responding to emergencies. Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Procedures should document instructions for addressing and responding to security breaches that are identified either during an audit or in the normal course of operations.

2. Technical Safeguards: Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks. Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be used. Each covered entity is responsible for ensuring that the data within its systems has not been changed in an unauthorized manner. Data corroboration, including the use of checksums, double-keying, message authentication and digital signatures, may be used to ensure data integrity. Covered entities must also authenticate the entities they communicate with; authentication methods include password systems, two- or three-way handshakes, telephone call-back and token systems.

3. Physical Safeguards: Controlling physical access to protect against inappropriate access to protected data. Controls must govern the introduction and removal of hardware and software from the network. Access to equipment containing health information should be carefully controlled and monitored. Access to hardware and software must be limited to properly authorized individuals.

Explain about administrative requirements?

Every agency must:
- Appoint a privacy officer
- Develop policies and procedures that guide HIPAA implementation, evaluation and revision
- Provide education on HIPAA and organizational policies and procedures
- Develop a process for handling privacy related complaints
- Ensure no retaliation occurs against someone who reports potential violations in good faith
- Take appropriate action to minimize any harm that may result from a breach of privacy
- Ensure processes are in place to demonstrate compliance with documentation and record keeping

Explain about the privacy rule?

The Privacy Rule is designed to protect individuals' health information and allows individuals to:
- Get a copy of their medical records
- Ask for changes to their medical records
- Find out and limit how their PHI may be used
- Know who has received their PHI
- Have communications sent to an alternate location
- File complaints and participate in investigations

What are the guidelines for using and disclosing PHI?

- If required by law or court order
- To public health officials, the FDA
- For abuse or domestic violence
- To help law enforcement officials
- To notify of a suspicious death
- To provide information for worker's compensation
- To assist government action
- To help in disaster relief efforts
- To avert a serious threat to health
- For health oversight activities

What are the responsibilities of patients in the HIPAA Act?

- Disclose PHI: limit the information you share with a person to what he or she needs to know
- Use PHI according to HIPAA approved guidelines for access, accounting, amendment and restriction of PHI
- Only access the PHI necessary to complete your job duties
- Maintain confidentiality and security of member information at all times

Mention HIPAA patient rights?

- Right to privacy
- Right to confidential use of their health information for their treatment, billing process and other health care operations
- Right to access and amend their health information upon request
- Right to provide specific authorization for use of their health information other than for treatment, billing process and other health care operations

What is CMM? Why is it used?

A capability maturity model is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. This model is used for:
- Judging the maturity of the software processes of an organization
- Identifying the key practices that are required to increase the maturity of these processes
- Describing the principles and practices underlying software process maturity; it is intended to help software organizations

Describe the process of CMM?

1. Initial Maturity Level: The software process is characterized as inconsistent and occasionally even chaotic. Defined processes and standard practices that exist are abandoned during a crisis. Success of the organization depends largely on individual effort, talent and heroics.
2. Repeatable Maturity Level: A software development organization at this level has basic and consistent project management processes to track cost, schedule and functionality. The process is in place to repeat earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization.
3. Managed Maturity Level: Management can effectively control the software development effort using precise measurements. At this level, the organization sets quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
4. Optimizing Maturity Level: The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process improvement objectives.

What are the advantages of COBIT?

COBIT is aligned with other standards and best practices and should be used together with them. Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization. COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities. It provides tools to help manage IT activities.

Mention the five IT governance areas of concentration in COBIT?

- Strategic alignment focuses on ensuring the linkage of business and IT plans, defining, maintaining and validating the IT value proposition, and aligning IT operations with enterprise operations.
- Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
- Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.
- Risk management requires a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements and transparency into the organization.
- Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example with balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

Explain the elements of IS audit? Mention the categories of IS audit?

- Systems and Applications: To ensure valid, reliable, timely and secure input, processing and output at all levels of a system's activity.
- Information Processing Facilities: To ensure timely, accurate and efficient processing.
- System Development: To ensure that the systems under development meet the objectives of the organization and are developed in accordance with generally accepted standards.
- Management of IT and Enterprise Architecture: To verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
- Telecommunications, Intranets and Extranets: To verify that controls are in place on the client, the server and the network connecting client and server.

Describe the security organization structure of ISMS?

Describe the scope of ISMS?
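As an added example (not part of the original notes) of the data corroboration that the Technical Safeguards answer above calls for, this Python snippet contrasts an unkeyed checksum with a keyed message authentication code over a constructed PHI record: the checksum catches accidental corruption, but anyone who can rewrite the stored record can also recompute it, whereas an HMAC tag cannot be regenerated without the integrity key. The record contents, the key and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample record (synthetic values, not real PHI) and a
# constructed integrity key; both are assumptions made for this example.
RECORD = {"patient_id": "P-0001", "diagnosis_code": "F32.9", "dose_mg": 20}
INTEGRITY_KEY = b"example-integrity-key-rotate-in-production"

def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record: dict) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()

def mac(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: a valid tag cannot be produced without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify_checksum(record: dict, tag: str) -> bool:
    return hmac.compare_digest(checksum(record), tag)

def verify_mac(record: dict, tag: str, key: bytes) -> bool:
    # compare_digest avoids leaking the match position through timing.
    return hmac.compare_digest(mac(record, key), tag)

def integrity_demo(key: bytes) -> dict:
    """Compare how both controls respond to an unauthorized edit of the
    stored record by a party who can rewrite the record and its checksum
    but does not hold the integrity key."""
    stored_checksum = checksum(RECORD)
    stored_mac = mac(RECORD, key)
    altered = dict(RECORD, dose_mg=200)          # the unauthorized change
    rewritten_checksum = checksum(altered)       # checksum updated to match
    return {
        "checksum_accepts_original": verify_checksum(RECORD, stored_checksum),
        "checksum_accepts_altered": verify_checksum(altered, rewritten_checksum),
        "mac_accepts_original": verify_mac(RECORD, stored_mac, key),
        "mac_accepts_altered": verify_mac(altered, stored_mac, key),
        "mac_accepts_wrong_key": verify_mac(RECORD, stored_mac, b"other-key"),
    }

if __name__ == "__main__":
    for check, accepted in integrity_demo(INTEGRITY_KEY).items():
        print(f"{check}: {accepted}")
```

The same pattern extends to a digital signature when the verifying party must not hold the secret, which is the case the notes list alongside message authentication.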