The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules

1st Edition

By John J. Trinckes, Jr.

Auerbach Publications

472 pages | 18 B/W Illus.

Hardback ISBN: 9781466507678
Published: 2012-12-03

The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules is a comprehensive manual for ensuring compliance with the implementation standards of the HIPAA Privacy and Security Rules, and it provides recommendations based on other related regulations and industry best practices.

The book is designed to assist you in reviewing the accessibility of electronic protected health information (EPHI) to make certain that it is not altered or destroyed in an unauthorized manner, and that it is available as needed only by authorized individuals for authorized use. It can also help those entities that may not be covered by HIPAA regulations but want to assure their customers they are doing their due diligence to protect their personal and private information. Since HIPAA/HITECH rules generally apply to covered entities, business associates, and their subcontractors, these rules may soon become de facto standards for all companies to follow. Even if you aren’t required to comply at this time, you may soon fall within the HIPAA/HITECH purview. So, it is best to move your procedures in the right direction now.

The book covers administrative, physical, and technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. It provides sample documents and directions on using the policies and procedures to establish proof of compliance. This is critical to help prepare entities for a HIPAA assessment or in the event of an HHS audit. Chief information officers and security officers who master the principles in this book can be confident they have taken the proper steps to protect their clients’ information and strengthen their security posture. This can provide a strategic advantage to their organization, demonstrating to clients that they not only care about their health and well-being, but are also vigilant about protecting their clients’ privacy.

Table of Contents
Required by Law

Covered Entities Defined

Covered Transactions Defined

Are You a Covered Entity?

Business Associates

The Electronic Transactions and Code Sets Rule Overview

National Provider Identifier Requirements Overview

Security Rule Overview

"Meaningful Use" Overview

Breach Notification Rule Overview

Enforcement Rule Overview

Anti-Kickback Statute

Patient Safety and Quality Improvement Act of 2005 (PSQIA)

Consumer Privacy Bill of Rights

Federal Rules of Civil Procedures

The Relevance of HIPAA/HITECH to Healthcare Organizations

Why Is Security Important?

Are Healthcare Organizations Immune to Security Concerns?

Suffering from Data Breaches

Rise of Medical Identity Theft

Internet Crimes Go Unpunished

Social Engineering and HIPAA

Social Engineering: What Is It?

Threats in the Workplace

Enforcement Activities

Impediments to HIPAA/HITECH Compliance

The God Complex
Critical Infrastructure Implications

What the Future Holds

Compliance Overview

Interrelationship between Regulations, Policies, Standards, Procedures, and Guidelines

Reasonable Safeguards

Centers for Medicare and Medicaid Services Compliance Review

HIPAA/HITECH Privacy and Security Audit Program

The SAS 70/SSAE 16 Debate

Corporate Governance

Privacy Rule Detailed

Minimum Necessary

Individual Consent

Permitted Uses and Disclosures Detailed

Authorized Use and Disclosure

Privacy Practices Notice

Administrative Requirements

Organizational Options

Other Provisions: Personal Representatives and Minors

State Laws
Compliance Dates

The Electronic Transactions and Code Set Rule Detailed
Standard Transactions

Medical Code Sets

Local Codes

Nonmedical Code Sets

Requirements for Covered Entities

Additional Requirements for Health Plans

Additional Rules for Healthcare Clearinghouses

Exceptions from Standards to Permit Testing of Proposed Modifications

The National Provider Identifier Requirements Detailed
Compliance Dates

Healthcare Provider’s Unique Health Identifier

National Provider System

Implementation Specifications for Healthcare Providers

Implementation Specifications for Health Plans

Implementation Specifications for Healthcare Clearinghouses

National Provider Identifier (NPI) Application

"Meaningful Use" Detailed

Meaningful Use Defined

Meaningful Use Criteria

Meaningful Use Requirements

Meaningful Use Stage 1 (2011 and 2012)

Clinical Quality Measures

Meaningful Use Specification Sheets

Proposed Changes to Stage 1 and Proposals for Stage 2

Breach Notification Detailed
Individual Notification

Media Notification

Secretary Notification

Business Associate Notification

Notification Delay Request of Law Enforcement

Burden of Proof

Sample of Breach Notification Policy

Sample of Breach Notification to Individuals

Enforcement Rule Detailed

General Penalty

Affirmative Defenses
Notice of Proposed Determination

Security Rule Detailed

Implementation Specifications

Implementation Process

Standards Are Flexible and Scalable

Security Standards Defined

Policy and Procedure Drafting

Documentation Requirements

Components of Policies

Security Rule: Administrative Safeguards

Security Management Process

Workforce Security

Information Access Management

Security Awareness Training

Security Incident Procedures

Contingency Plan

Evaluation—Required—45 CFR § 164.308(a)(8)

Business Associate Contracts and Other Arrangements

Security Rule: Risk Assessments

Risk Assessment Overview

System Characterization

Threat Identification

Vulnerability Identification

Control Analysis

Likelihood Rating

Impact Rating

Risk Determination

Risk Mitigation

Risk Management

Risk Assessment Report

Security Rule: Security Awareness Training

Security Rule: Incident Response

Standard Format
Incident Details

Incident Handler

Actions Taken or Recommended Actions

Other Recommendations

Security Rule: Business Continuity Planning and Disaster Recovery

Contingency Plan—45 CFR § 164.308(a)(7)(i)

Data Backup Plan—45 CFR § 164.308(a)(7)(ii)(A)

Disaster Recovery Plan—45 CFR § 164.308(a)(7)(ii)(B)

Emergency Mode Operation Plan—45 CFR § 164.308(a)(7)(ii)(C)

Testing and Revision Procedures—Addressable—45 CFR § 164.308(a)(7)(ii)(D)(b)

Applications and Data Criticality Analysis—Addressable—45 CFR § 164.308(a)(7)(ii)(E)(b)

A Plan Addressing Both Operational and Regulatory
Security Rule: Compliance Assessment

Gap Analysis

Develop or Modify Policies and Procedures

Approve Policies and Procedures

Policy and Procedure Implementation

Test Plans
Security Rule: Physical Safeguards

Facility Access Controls

Workstations Use—Required—45 CFR § 164.310(b)

Workstation Security—Required—45 CFR § 164.310(c)

Device and Media Controls

Remote Use and Mobile Device Controls

Security Rule: Technical Safeguards

Access Control

Audit Controls—Required—45 CFR § 164.312(b)
Person or Entity Authentication—Required—45 CFR § 164.312(d)

Transmission Security

Security Rule: Organizational Requirements

Business Associate Contracts—Required—45 CFR § 164.314(a)(2)(i)

Other Arrangements—Required—45 CFR § 164.314(a)(2)(ii)

Requirements for Group Health Plans—Implementation Specifications—Required—45 CFR § 164.314(b)(2)

Frequently Asked Questions
Policies and Procedures

Document Request List

Incident Handling Checklist

Crisis Handling Steps

Works Cited

Additional Resources
About the Author

John ("Jay") Trinckes, Jr., CISSP, CISM, CRISC, CEH, NSA-IAM/IEM, MCSE-NT, A+, is the chief information security officer (CISO) for Path Forward IT, a managed service provider of IT and security services for the healthcare industry. Jay has previously worked as a senior information security consultant and authored The Executive MBA in Information Security, published by CRC Press in 2009. Trinckes has developed enterprise-level information security management programs for multiple clients and conducted countless successful internal/external vulnerability/penetration assessments and other technical compliance audits. He has been instrumental in developing policies, procedures, audit plans, compliance assessments, business impact analyses, and business continuity and disaster recovery plans for many clients. He also conducts security awareness training and other presentations related to information security. He provides a unique perspective on compliance as a result of his previous work experience as an information security risk analyst, IT manager, system administrator, and law enforcement officer.

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General