
Why did HIPAA come into existence?

• In 2000, many patients who had been newly diagnosed with depression received free samples of anti-depressant medications in their mail.
• This left patients wondering how the pharmaceutical companies had been notified of their diagnosis.
• After a long and thorough investigation, the physician, the pharmaceutical company and a well-known pharmacy chain were all indicted on breach of confidentiality charges.
• This is one of the many reasons the Federal Government needed to step in and create guidelines to protect patient privacy.
What is HIPAA? Mention the goals of HIPAA.
The Health Insurance Portability and Accountability Act consists of standardized electronic data interchange, transactions, code sets, security of data systems, privacy protection for individual health information and standard identifiers. HIPAA is divided into 2 sections:
Portability: It allows individuals to carry their health insurance from one job to another so that they do not have a lapse in coverage, and it also restricts health plans from imposing pre-existing condition requirements on individuals who switch from one health plan to another.
Administrative Simplification: It covers receiving, transmitting and maintaining healthcare information and ensuring the privacy and security of individually identifiable information.
The primary goals of HIPAA are:
• To make it easier under the law for people to keep health insurance
• To protect the confidentiality and security of health care information
• To help the healthcare industry control administrative costs
Mention the 11 rules of HIPAA.
1. The Claims Attachment Standards Rule establishes national standards for
the format and content of electronic attachment transactions.
2. The Clinical Data Rules/Electronic Signature Standard establishes
national standard for clinical data and data transmission.
3. The Data Security Rule establishes physical, technical, and administrative
protocol for the security and integrity of electronic health data.
4. The Enforcement Rule establishes rules for how the government intends
to enforce HIPAA.
5. The Standard Transaction for First Report of Injury Rule establishes
national standards for the format and content of electronic first-report-of-
injury transaction used in Worker’s compensation cases.
6. The Standard Unique Identifier for Employers Rule establishes the
federal tax identification number as an employer’s national unique
identifier.
7. The Unique Identifier for Individuals Rule mandates a single patient
identifier for all of an individual’s patient health information.
8. The Standard Unique National Health Plan/Payer Identifier Rule
establishes a national identifier for each health insurer.
9. The Standard Unique Healthcare Provider Identifier Rule establishes a
national identifier for each provider.
10. The Privacy Rule establishes guidelines for the use and disclosure of
patient health information.
11. The Transactions and Code Sets Rule establishes standard formats and
coding of electronic claims and related transactions.
Explain briefly the Security Rule in HIPAA.
The Security Rule lays out three types of security safeguards required for compliance: administrative, physical and technical.
1. Administrative Safeguards: Policies and procedures designed to clearly show how the entity will comply with the act.
• Covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
• The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
• Procedures should clearly identify employees or classes of employees who will have access to protected health information.
• The procedures must address access authorization, establishment, modification and termination.
• A contingency plan should be in place for responding to emergencies.
• Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during an audit or in the normal course of operations.
2. Technical Safeguards:
• Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks.
• Information systems housing PHI must be protected from intrusion. When information flows over open networks, some form of encryption must be utilized.
• Each covered entity is responsible for ensuring that the data within its systems has not been changed in an unauthorized manner.
• Data corroboration, including the use of checksums, double-keying, message authentication and digital signatures, may be used to ensure data integrity.
• Covered entities must also authenticate the entities they communicate with; authentication may consist of password systems, two- or three-way handshakes, telephone call-back and token systems.
3. Physical Safeguards:
• Controlling physical access to protect against inappropriate access to protected data.
• Controls must govern the introduction and removal of hardware and software from the network.
• Access to equipment containing health information should be carefully controlled and monitored.
• Access to hardware and software must be limited to properly authorized individuals.
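The data corroboration bullet under Technical Safeguards lists checksums and message authentication side by side; the difference matters in practice, because an unkeyed checksum only catches accidental corruption, while a keyed message authentication code also catches deliberate modification by anyone who lacks the key. The following Python example is added here and is not part of the original notes; the PHI record, the key and the "wrong-key" stand-in for a party without the key are all constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed sample PHI record and a modified copy (not real data).
RECORD = {"patient_id": "P-0001", "diagnosis": "depression", "rx": "none"}
ALTERED = {"patient_id": "P-0001", "diagnosis": "depression", "rx": "sample pack"}

# Shared secret between sender and receiver; constructed for this example.
# In a real deployment it would come from key management, never from source code.
KEY = b"constructed-demo-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed integrity check: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes = KEY) -> str:
    """Keyed message authentication code: detects deliberate modification."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, tag: str) -> bool:
    return hmac.compare_digest(checksum(record), tag)


def verify_mac(record: dict, tag: str, key: bytes = KEY) -> bool:
    return hmac.compare_digest(mac(record, key), tag)


def modified_in_transit(new_record: dict):
    """Model a record altered by an intermediary that does not hold KEY.
    It can recompute the unkeyed checksum, but its MAC is computed under
    a different key, so the receiver's verification with KEY will fail."""
    return new_record, checksum(new_record), mac(new_record, key=b"wrong-key")


def demo() -> dict:
    sent_checksum, sent_mac = checksum(RECORD), mac(RECORD)
    received, recv_checksum, recv_mac = modified_in_transit(ALTERED)
    return {
        "checksum_accepts_altered": verify_checksum(received, recv_checksum),  # True
        "mac_accepts_altered": verify_mac(received, recv_mac),                 # False
        "original_verifies": verify_checksum(RECORD, sent_checksum) and verify_mac(RECORD, sent_mac),
    }
```

Digital signatures (also listed in the notes) give the same tamper detection with a private key that the receiver does not hold, so the receiver can verify but cannot forge.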
Explain the administrative requirements.
Every agency must:
• Appoint a privacy officer
• Develop policies and procedures that guide HIPAA implementation, evaluation and revision
• Provide education on HIPAA and on organizational policies and procedures
• Develop a process for handling privacy-related complaints
• Ensure no retaliation occurs against someone who reports potential violations in good faith
• Take appropriate action to minimize any harm that may result from a breach of privacy
• Ensure processes are in place to demonstrate compliance through documentation and record keeping
Explain the Privacy Rule.
The Privacy Rule is designed to protect individuals' health information and allows individuals to:
• Get a copy of their medical records
• Ask for changes to their medical records
• Find out and limit how their PHI may be used
• Know who has received their PHI
• Have communications sent to an alternate location
• File complaints and participate in investigations
What are the guidelines for using and disclosing PHI?
• If required by law or court order
• To public health officials or the FDA
• For abuse or domestic violence cases
• To help law enforcement officials
• To notify of a suspicious death
• To provide information for workers' compensation
• To assist government action
• To help in disaster relief efforts
• To avert a serious threat to health
• For health oversight activities
What are the responsibilities of patients under the HIPAA Act?
• Disclose PHI – Limit the information you share with a person to what he or she needs to know
• Use PHI according to HIPAA-approved guidelines for access, accounting, amendment and restriction of PHI
• Only access the PHI necessary to complete your job duties
• Maintain confidentiality and security of member information at all times
Mention HIPAA patient rights.
• Right to privacy
• Right to confidential use of their health information for their treatment, billing process and other health care operations
• Right to access and amend their health information upon request
• Right to provide specific authorization for use of their health information other than for treatment, billing process and other health care operations
What is CMM? Why is it used?
A capability maturity model is a formal archetype of the levels through which an organization evolves as it defines, implements, measures, controls and improves its processes in a particular area of operation. This model is used for:
• Judging the maturity of the software processes of an organization
• Identifying the key practices that are required to increase the maturity of these processes
• Describing the principles and practices underlying software process maturity, with the intent of helping software organizations
Describe the process of CMM.
1. Initial Maturity Level: The software process is characterized as inconsistent and occasionally even chaotic. Whatever defined processes and standard practices exist are abandoned during a crisis. The success of the organization depends mainly on individual effort, talent and heroics.
2. Repeatable Maturity Level: At this level the software development organization has basic and consistent project management processes to track cost, schedule and functionality. A process is in place to repeat earlier successes on projects with similar applications. Program management is a key characteristic of a level two organization maintaining the application.
3. Managed Maturity Level: Management can effectively control the software development effort using precise measurements. At this level, organizations set quantitative quality goals for both the software process and software maintenance. At this maturity level, the performance of processes is controlled using statistical and other quantitative techniques and is quantitatively predictable.
4. Optimizing Maturity Level: The key characteristic of this level is a focus on continually improving process performance through both incremental and innovative technological improvements. At this level, changes to the process are made to improve process performance while at the same time maintaining the statistical probability of achieving the established quantitative process improvement objectives.
What are the advantages of COBIT?
• COBIT is aligned with other standards and best practices and should be used together with them.
• Its framework and supporting best practices provide a well-managed and flexible IT environment in an organization.
• COBIT provides a control environment that is responsive to business needs and serves management and audit functions in terms of their control responsibilities.
• It provides tools to help manage IT activities.
Mention the five IT governance areas of concentration in COBIT.
• Strategic alignment focuses on ensuring the linkage of business and IT plans, defining, maintaining and validating the IT value proposition, and aligning IT operations with enterprise operations.
• Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.
• Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people.
• Risk management requires a clear understanding of the enterprise's appetite for risk, an understanding of compliance requirements and transparency into the organization.
• Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, for example using balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.
Explain the elements of IS audit?
Mention the categories of IS audit.
• Systems and Applications: To ensure valid, reliable, timely and secure input, processing and output at all levels of a system's activity.
• Information Processing Facilities: To ensure timely, accurate and efficient processing.
• System Development: To ensure that the systems under development meet the objectives of the organization and that they are developed in accordance with generally accepted standards.
• Management of IT and Enterprise Architecture: To verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
• Telecommunications, Intranets and Extranets: To verify that controls are in place on the client, on the server and on the network connecting client and server.
Describe the security organization structure of ISMS?
Describe the scope of ISMS?
