2nd Edition

The Practical Guide to HIPAA Privacy and Security Compliance

By Rebecca Herold, Kevin Beaver Copyright 2015
    544 Pages 7 B/W Illustrations
    by Auerbach Publications

    544 Pages 7 B/W Illustrations
    by Auerbach Publications

    Following in the footsteps of its bestselling predecessor, The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition is a one-stop, up-to-date resource on Health Insurance Portability and Accountability Act (HIPAA) privacy and security, including details on the HITECH Act, the 2013 Omnibus Rule, and the pending rules. Updated and revised with several new sections, this edition defines what HIPAA is, what it requires, and what you need to do to achieve compliance.

    The book provides an easy-to-understand overview of HIPAA privacy and security rules and compliance tasks. Supplying authoritative insights into real-world HIPAA privacy and security issues, it summarizes the analysis, training, and technology needed to properly plan and implement privacy and security policies, training, and an overall program to manage information risks. Instead of focusing on technical jargon, the book spells out what your organization must do to achieve and maintain compliance requirements on an ongoing basis.

    HIPAA ESSENTIALS

    Introduction to HIPAA
    How HIPAA Came to Be
    What HIPAA Covers
    Current State of HIPAA Compliance
    Overview of the Omnibus Rule Updates
    What the HITECH Act Covers
    Pending Proposed Rules
    Organizations That Must Comply with HIPAA
    Organizations That Must Comply with the HITECH Act
    HIPAA Penalties and Enforcement
    Insight into the Electronic Transactions and Code
    Sets Rule
    Conclusion
    Practical Checklist

    Related Regulations, Laws, Standards, and Guidance
    Introduction
    ARRA and the HITECH Act
    Practical Checklist

    Preparing for HIPAA, HITECH , and Other Compliance Changes
    Background
    Managing Change
    Creating the Mind-Set
    It Is Up to You
    Practical Checklist

    HIPAA Cost Considerations
    Background
    Privacy Implementation Costs
    Privacy Ongoing Maintenance Costs
    Costs Related to Providing Access to PHI
    Privacy Officer Costs
    Security Implementation Costs
    Security Ongoing Maintenance Costs
    Security Officer Costs
    Practical Checklist
    Relationship between Security and Privacy
    Background
    Privacy Rule and Security Rule Overlaps
    Conclusion
    Practical Checklist

    HIPAA PRIVACY RULE

    HIPAA Privacy Rule Requirements Overview

    Background
    Uses and Disclosures
    Incidental Uses and Disclosures
    Minimum Necessary Requirement
    De-Identification
    Business Associates
    Marketing
    Notice of Privacy Practices for PHI
    Individual Rights to Request Privacy Protection for PHI
    Individual Access to PHI
    Amendment of PHI
    Accounting Disclosures of PHI
    PHI Restrictions Requests
    Administrative Requirements
    Personal Representatives
    Minors
    Transition Provisions
    Compliance Dates and Penalties
    Practical Checklist

    Performing a Privacy Rule Gap Analysis and Risk Analysis
    Introduction
    Gap Analysis and Risk Analysis
    Practical Checklist

    Writing Effective Privacy Policies
    Introduction
    Notice of Privacy Practices
    Example NPP
    Organizational Privacy Policies
    Practical Checklist

    State Preemption
    Introduction
    What Is Contrary?
    Exceptions to Preemption
    Preemption Analysis
    Conclusion
    Practical Checklist

    Crafting a Privacy Implementation Plan
    Introduction
    Some Points to Keep in Mind
    Conclusion
    Practical Checklist

    Privacy Rule Compliance Checklist
    Introduction

    HIPAA SECURITY RULE

    Security Rule Requirements Overview
    Introduction to the Security Rule
    General Rules for Security Rule Compliance
    Insight into the Security Rule
    Other Organizational Requirements
    Reasons to Get Started on Security Rule Initiatives
    Practical Checklist

    Performing a Security Rule Risk Analysis
    Background
    Risk Analysis Requirements According to HIPAA
    Risk Analysis Essentials
    Stepping through the Process
    Calculating Risk
    Managing Risks Going Forward
    Practical Checklist

    Writing Effective Information Security Policies
    Introduction to Security Policies
    Critical Elements of Security Policies
    Sample Security Policy Framework
    Security Policies You May Need for HIPAA Security Rule Compliance
    Managing Your Security Policies
    Practical Checklist

    Crafting a Security Implementation Plan
    Background
    Some Points to Keep in Mind
    Conclusion
    Practical Checklist

    Security Rule Compliance Checklist
    Introduction

    COVERED ENTITY ISSUES

    Health-Care Provider Issues
    Background
    Privacy Notices
    Fees for Record Review
    Mitigation Measures
    Fax Use
    Sign-In Sheets
    Patient Charts
    Business Associates
    Authorizations
    Practical Checklist

    Health-Care Clearinghouse Issues
    Background
    Requirements
    Transactions
    Financial Institutions
    Conclusion
    Practical Checklist

    Health Plan Issues
    What Is a Health Plan?
    What Is a Small Health Plan?
    Health Plan Requirements
    Marketing Issues
    Notice of Privacy Practices
    Types of Insurance Plans Excluded from HIPAA
    Communications
    Government and Law Enforcement
    Practical Checklist

    Employer Issues
    Background
    "Small" and "Large" Employers
    Health Benefits
    Enforcement and Penalties
    Organizational Requirements
    Health Information
    Medical Surveillance
    Workers’ Compensation
    Training
    Resources
    Conclusion
    Practical Checklist

    Business Associate Issues
    Is Your Organization a Business Associate?
    Business Associate Requirements
    What You Can Expect to See or Hear from Covered Entities
    Common Business Associate Weaknesses
    Issues to Consider
    Moving Forward
    Practical Checklist

    HIPAA TECHNOLOGY CONSIDERATIONS

    Building a HIPAA-Compliant Technology Infrastructure
    Overview
    Caution
    Areas of Technology to Focus On
    Looking Deeper into Specific Technologies
    Mobile Computing
    Additional Technology Considerations
    Conclusion
    Practical Checklist

    Crafting Security Incident Procedures and Contingency Plans
    Background
    Handling Security Incidents
    Security Incident Procedure Essentials
    Basics of Contingency Planning
    Moving Forward
    Practical Checklist

    Outsourcing Information Technology Services
    Background
    Reasons to Consider Outsourcing
    What Functions to Outsource
    What to Look For in Outsourcing Firms
    Common Outsourcing Mistakes
    Practical Checklist

    MANAGING ONGOING HIPAA COMPLIANCE

    HIPAA Training, Education, and Awareness
    Creating an Effective Awareness Program
    Identify Awareness and Training Groups
    Training
    Training Design and Development
    Awareness Options
    Document Training and Awareness Activities
    Get Support
    Measure Effectiveness
    Conclusion
    Practical Checklist

    Performing Ongoing HIPAA Compliance Reviews and Audits
    Background
    Ongoing Cost of Compliance
    Privacy Issues
    Security Issues
    Making Audits Work
    Practical Checklist

    APPENDICES

    Appendix A: Enforcement and Sanctions
    Appendix B: HIPAA Glossary
    Appendix C: Model Incident and Privacy Response Procedures
    Appendix D: HIPAA Resources

    References
    Further Reading
    Index

    Biography

    Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia based Principle Logic, LLC. He has worked in IT since 1989 and specializes in performing information security assessments for corporations, security product vendors, independent software developers, universities, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several health care, e-commerce, financial, and educational institutions.

    Kevin has appeared on CNN as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Men's Health, Women's Health, Woman's Day, and Inc. Magazine. His work has also been referenced by the PCI Security Standards Council in their PCI DSS Wireless Guidelines. He has given and participated in hundreds of highly rated presentations, panel discussions, seminars, and webcasts on information security and compliance.

    Kevin has authored or coauthored 11 information security books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance (Realtimepublishers.com). He has written dozens of whitepapers and hundreds of articles and guest blog posts, and he is a regular contributor to SearchSecurity.com, SearchEnterpriseDesktop.com, SearchWindowsServer.com, and Security Technology Executive magazine.

    Kevin is the creator and producer of the Security On Wheels audiobooks, which provide security learning for IT professionals on the go (http://www.securityonwheels.com) and its associated blog (http:// www.securityonwheels.com/blog). He also covers information security and rela

    Praise for the New Edition:

    The HIPAA regulations are transforming how providers and insurers think about the individually identifiable health information they create and receive every minute of every day. ... There is a potential for serious harm to service levels and even to patient health if misunderstandings as to the dictates of these regulations choke off the exchange of patient-health information. This guide is a good step toward erasing many of those misunderstandings. I commend the authors for their fine efforts at translating a difficult subject into practical terms.
    —Mark Lutes, Chairman, Epstein Becker Green, Washington, DC

    Praise for the Bestselling First Edition:

    The book's main strength is its abundant and varied content. It thoroughly describes the main provisions of HIPAA's security and privacy requirements using actual language from the legislation interspersed with the authors' commentary. This format…helpfully guides readers through the labyrinthine HIPAA requirements.
    —Scott Forbes, Microsoft

    Rebecca and Kevin have compiled a wealth of knowledge in an easy-to-read, conversational style. This book is packed with useful facts and practical tips that grabs and keeps your attention as though you are listening to the authors in your own living room. The astute reader will keep a pad of paper and a pile of 'sticky notes' handy. You will no doubt come back to this valuable resource over and over again!
    Michael J. Corby, CCP, CISSP, President and CEO, M. Corby & Associates, Inc.

    This is a very comprehensive view of HIPAA privacy and security compliance which provides a pragmatic, step by step methodology for understanding and complying with the regulation. The practical checklists, the quizzes which
    can be used in HIPAA awareness programs, and the pointers to valuable resources are all added benefits.
    Micki Krause, CISSP, Chief Information Security Officer, Pacific Life Insurance