1st Edition

The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules

By John J. Trinckes, Jr. Copyright 2013
    472 Pages 18 B/W Illustrations
    by Auerbach Publications

    The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules is a comprehensive manual to ensuring compliance with the implementation standards of the Privacy and Security Rules of HIPAA and provides recommendations based on other related regulations and industry best practices.

    The book is designed to assist you in reviewing the accessibility of electronic protected health information (EPHI) to make certain that it is not altered or destroyed in an unauthorized manner, and that it is available as needed only by authorized individuals for authorized use. It can also help those entities that may not be covered by HIPAA regulations but want to assure their customers they are doing their due diligence to protect their personal and private information. Since HIPAA/HITECH rules generally apply to covered entities, business associates, and their subcontractors, these rules may soon become de facto standards for all companies to follow. Even if you aren’t required to comply at this time, you may soon fall within the HIPAA/HITECH purview. So, it is best to move your procedures in the right direction now.

    The book covers administrative, physical, and technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. It provides sample documents and directions on using the policies and procedures to establish proof of compliance. This is critical to help prepare entities for a HIPAA assessment or in the event of an HHS audit. Chief information officers and security officers who master the principles in this book can be confident they have taken the proper steps to protect their clients’ information and strengthen their security posture. This can provide a strategic advantage to their organization, demonstrating to clients that they not only care about their health and well-being, but are also vigilant about protecting their clients’ privacy.

    HIPAA/HITECH Overview
    Definitions
    Required by Law
    Covered Entities Defined
    Covered Transactions Defined
    Are You a Covered Entity?
    Business Associates
    The Electronic Transactions and Code Sets Rule Overview
    National Provider Identifier Requirements Overview
    Security Rule Overview
    "Meaningful Use" Overview
    Breach Notification Rule Overview
    Enforcement Rule Overview
    Anti-Kickback Statute
    Patient Safety and Quality Improvement Act of 2005 (PSQIA)
    Consumer Privacy Bill of Rights
    Federal Rules of Civil Procedures
    The Relevance of HIPAA/HITECH to Healthcare Organizations
    Why Is Security Important?
    Are Healthcare Organizations Immune to Security Concerns?
    Suffering from Data Breaches
    Rise of Medical Identity Theft
    Internet Crimes Go Unpunished
    Social Engineering and HIPAA
    Social Engineering: What Is It?
    Threats in the Workplace
    Enforcement Activities
    Impediments to HIPAA/HITECH Compliance
    The God Complex
    Recommendations
    Critical Infrastructure Implications
    What the Future Holds
    Compliance Overview
    Interrelationship between Regulations, Policies, Standards, Procedures, and Guidelines
    Reasonable Safeguards
    Centers for Medicare and Medicaid Services Compliance Review
    HIPAA/HITECH Privacy and Security Audit Program
    The SAS 70/SSAE 16 Debate
    Corporate Governance
    Privacy Rule Detailed
    Minimum Necessary
    Individual Consent
    Permitted Uses and Disclosures Detailed
    Authorized Use and Disclosure
    Privacy Practices Notice
    Administrative Requirements
    Organizational Options
    Other Provisions: Personal Representatives and Minors
    State Laws
    Enforcement
    Compliance Dates
    The Electronic Transactions and Code Set Rule Detailed
    Definitions
    Standard Transactions
    Medical Code Sets
    Local Codes
    Nonmedical Code Sets
    Requirements for Covered Entities
    Additional Requirements for Health Plans
    Additional Rules for Healthcare Clearinghouses
    Exceptions from Standards to Permit Testing of Proposed Modifications
    The National Provider Identifier Requirements Detailed
    Definitions
    Compliance Dates
    Healthcare Provider’s Unique Health Identifier
    National Provider System
    Implementation Specifications for Healthcare Providers
    Implementation Specifications for Health Plans
    Implementation Specifications for Healthcare Clearinghouses
    National Provider Identifier (NPI) Application
    "Meaningful Use" Detailed
    Meaningful Use Defined
    Meaningful Use Criteria
    Meaningful Use Requirements
    Meaningful Use Stage 1 (2011 and 2012)
    Clinical Quality Measures
    Meaningful Use Specification Sheets
    Proposed Changes to Stage 1 and Proposals for Stage 2
    Breach Notification Detailed
    Definitions
    Individual Notification
    Media Notification
    Secretary Notification
    Business Associate Notification
    Notification Delay Request of Law Enforcement
    Burden of Proof
    Sample of Breach Notification Policy
    Sample of Breach Notification to Individuals
    Enforcement Rule Detailed
    General Penalty
    Affirmative Defenses
    Waiver
    Notice of Proposed Determination
    Security Rule Detailed
    Implementation Specifications
    Implementation Process
    Standards Are Flexible and Scalable
    Security Standards Defined
    Policy and Procedure Drafting
    Documentation Requirements
    Components of Policies
    Security Rule: Administrative Safeguards
    Security Management Process
    Workforce Security
    Information Access Management
    Security Awareness Training
    Security Incident Procedures
    Contingency Plan
    Evaluation—Required—45 CFR § 164.308(a)(8)
    Business Associate Contracts and Other Arrangements
    Security Rule: Risk Assessments
    Risk Assessment Overview
    System Characterization
    Threat Identification
    Vulnerability Identification
    Control Analysis
    Likelihood Rating
    Impact Rating
    Risk Determination
    Risk Mitigation
    Risk Management
    Risk Assessment Report
    Security Rule: Security Awareness Training
    Security Rule: Incident Response
    Standard Format
    Steps
    Notification
    Incident Details
    Incident Handler
    Actions Taken or Recommended Actions
    Other Recommendations
    Security Rule: Business Continuity Planning and Disaster Recovery
    Contingency Plan—45 CFR § 164.308(a)(7)(i)
    Data Backup Plan—45 CFR § 164.308(a)(7)(ii)(A)
    Disaster Recovery Plan—45 CFR § 164.308(a)(7)(ii)(B)
    Emergency Mode Operation Plan—45 CFR § 164.308(a)(7)(ii)(C)
    Testing and Revision Procedures—Addressable—45 CFR § 164.308(a)(7)(ii)(D)(b)
    Applications and Data Criticality Analysis—Addressable—45 CFR § 164.308(a)(7)(ii)(E)(b)
    A Plan Addressing Both Operational and Regulatory Requirements
    Security Rule: Compliance Assessment
    Gap Analysis
    Develop or Modify Policies and Procedures
    Approve Policies and Procedures
    Policy and Procedure Implementation
    Test Plans
    Assessment
    Reassess
    Security Rule: Physical Safeguards
    Facility Access Controls
    Workstation Use—Required—45 CFR § 164.310(b)
    Workstation Security—Required—45 CFR § 164.310(c)
    Device and Media Controls
    Remote Use and Mobile Device Controls
    Security Rule: Technical Safeguards
    Access Control
    Audit Controls—Required—45 CFR § 164.312(b)
    Integrity
    Person or Entity Authentication—Required—45 CFR § 164.312(d)
    Transmission Security
    Security Rule: Organizational Requirements
    Business Associate Contracts—Required—45 CFR § 164.314(a)(2)(i)
    Other Arrangements—Required—45 CFR § 164.314(a)(2)(ii)
    Requirements for Group Health Plans—Implementation Specifications—Required—45 CFR § 164.314(b)(2)
    Frequently Asked Questions
    Checklists
    Policies and Procedures
    Document Request List
    Incident Handling Checklist
    Crisis Handling Steps
    Works Cited
    Additional Resources
    Acronyms
    Glossary
    Index

    Biography

    John ("Jay") Trinckes, Jr., CISSP, CISM, CRISC, CEH, NSA-IAM/IEM, MCSE-NT, A+, is the chief information security officer (CISO) for Path Forward IT, a managed service provider of IT and security services for the healthcare industry. Jay has previously worked as a senior information security consultant and authored The Executive MBA in Information Security, published by CRC Press in 2009. Trinckes has developed enterprise-level information security management programs for multiple clients and conducted countless successful internal/external vulnerability/penetration assessments and other technical compliance audits. He has been instrumental in developing policies, procedures, audit plans, compliance assessments, business impact analyses, and business continuity and disaster recovery plans for many clients. He also conducts security awareness training and other presentations related to information security. He provides a unique perspective on compliance as a result of his previous work experience as an information security risk analyst, IT manager, system administrator, and law enforcement officer.