The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules
1st Edition


ISBN 9781466507678
Published December 3, 2012 by Auerbach Publications
472 Pages 18 B/W Illustrations

Book Description

The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules is a comprehensive manual to ensuring compliance with the implementation standards of the Privacy and Security Rules of HIPAA and provides recommendations based on other related regulations and industry best practices.

The book is designed to assist you in reviewing the accessibility of electronic protected health information (EPHI) to make certain that it is not altered or destroyed in an unauthorized manner, and that it is available as needed only by authorized individuals for authorized use. It can also help those entities that may not be covered by HIPAA regulations but want to assure their customers they are doing their due diligence to protect their personal and private information. Since HIPAA/HITECH rules generally apply to covered entities, business associates, and their subcontractors, these rules may soon become de facto standards for all companies to follow. Even if you aren’t required to comply at this time, you may soon fall within the HIPAA/HITECH purview. So, it is best to move your procedures in the right direction now.

The book covers administrative, physical, and technical safeguards; organizational requirements; and policies, procedures, and documentation requirements. It provides sample documents and directions on using the policies and procedures to establish proof of compliance. This is critical to help prepare entities for a HIPAA assessment or in the event of an HHS audit. Chief information officers and security officers who master the principles in this book can be confident they have taken the proper steps to protect their clients’ information and strengthen their security posture. This can provide a strategic advantage to their organization, demonstrating to clients that they not only care about their health and well-being, but are also vigilant about protecting their clients’ privacy.

Table of Contents

Required by Law
Covered Entities Defined
Covered Transactions Defined
Are You a Covered Entity?
Business Associates
The Electronic Transactions and Code Sets Rule Overview
National Provider Identifier Requirements Overview
Security Rule Overview
"Meaningful Use" Overview
Breach Notification Rule Overview
Enforcement Rule Overview
Anti-Kickback Statute
Patient Safety and Quality Improvement Act of 2005 (PSQIA)
Consumer Privacy Bill of Rights
Federal Rules of Civil Procedures
The Relevance of HIPAA/HITECH to Healthcare Organizations
Why Is Security Important?
Are Healthcare Organizations Immune to Security Concerns?
Suffering from Data Breaches
Rise of Medical Identity Theft
Internet Crimes Go Unpunished
Social Engineering and HIPAA
Social Engineering: What Is It?
Threats in the Workplace
Enforcement Activities
Impediments to HIPAA/HITECH Compliance
The God Complex
Critical Infrastructure Implications
What the Future Holds
Compliance Overview
Interrelationship between Regulations, Policies, Standards, Procedures, and Guidelines
Reasonable Safeguards
Centers for Medicare and Medicaid Services Compliance Review
HIPAA/HITECH Privacy and Security Audit Program
The SAS 70/SSAE 16 Debate
Corporate Governance
Privacy Rule Detailed
Minimum Necessary
Individual Consent
Permitted Uses and Disclosures Detailed
Authorized Use and Disclosure
Privacy Practices Notice
Administrative Requirements
Organizational Options
Other Provisions: Personal Representatives and Minors
State Laws
Compliance Dates
The Electronic Transactions and Code Set Rule Detailed
Standard Transactions
Medical Code Sets
Local Codes
Nonmedical Code Sets
Requirements for Covered Entities
Additional Requirements for Health Plans
Additional Rules for Healthcare Clearinghouses
Exceptions from Standards to Permit Testing of Proposed Modifications
The National Provider Identifier Requirements Detailed
Compliance Dates
Healthcare Provider’s Unique Health Identifier
National Provider System
Implementation Specifications for Healthcare Providers
Implementation Specifications for Health Plans
Implementation Specifications for Healthcare Clearinghouses
National Provider Identifier (NPI) Application
"Meaningful Use" Detailed
Meaningful Use Defined
Meaningful Use Criteria
Meaningful Use Requirements
Meaningful Use Stage 1 (2011 and 2012)
Clinical Quality Measures
Meaningful Use Specification Sheets
Proposed Changes to Stage 1 and Proposals for Stage 2
Breach Notification Detailed
Individual Notification
Media Notification
Secretary Notification
Business Associate Notification
Notification Delay Request of Law Enforcement
Burden of Proof
Sample of Breach Notification Policy
Sample of Breach Notification to Individuals
Enforcement Rule Detailed
General Penalty
Affirmative Defenses
Notice of Proposed Determination
Security Rule Detailed
Implementation Specifications
Implementation Process
Standards Are Flexible and Scalable
Security Standards Defined
Policy and Procedure Drafting
Documentation Requirements
Components of Policies
Security Rule: Administrative Safeguards
Security Management Process
Workforce Security
Information Access Management
Security Awareness Training
Security Incident Procedures
Contingency Plan
Evaluation—Required—45 CFR § 164.308(a)(8)
Business Associate Contracts and Other Arrangements
Security Rule: Risk Assessments
Risk Assessment Overview
System Characterization
Threat Identification
Vulnerability Identification
Control Analysis
Likelihood Rating
Impact Rating
Risk Determination
Risk Mitigation
Risk Management
Risk Assessment Report
Security Rule: Security Awareness Training
Security Rule: Incident Response
Standard Format
Incident Details
Incident Handler
Actions Taken or Recommended Actions
Other Recommendations
Security Rule: Business Continuity Planning and Disaster Recovery
Contingency Plan—45 CFR § 164.308(a)(7)(i)
Data Backup Plan—45 CFR § 164.308(a)(7)(ii)(A)
Disaster Recovery Plan—45 CFR § 164.308(a)(7)(ii)(B)
Emergency Mode Operation Plan—45 CFR § 164.308(a)(7)(ii)(C)
Testing and Revision Procedures—Addressable—45 CFR § 164.308(a)(7)(ii)(D)(b)
Applications and Data Criticality Analysis—Addressable—45 CFR § 164.308(a)(7)(ii)(E)(b)
A Plan Addressing Both Operational and Regulatory
Security Rule: Compliance Assessment
Gap Analysis
Develop or Modify Policies and Procedures
Approve Policies and Procedures
Policy and Procedure Implementation
Test Plans
Security Rule: Physical Safeguards
Facility Access Controls
Workstation Use—Required—45 CFR § 164.310(b)
Workstation Security—Required—45 CFR § 164.310(c)
Device and Media Controls
Remote Use and Mobile Device Controls
Security Rule: Technical Safeguards
Access Control
Audit Controls—Required—45 CFR § 164.312(b)
Person or Entity Authentication—Required—45 CFR § 164.312(d)
Transmission Security
Security Rule: Organizational Requirements
Business Associate Contracts—Required—45 CFR § 164.314(a)(2)(i)
Other Arrangements—Required—45 CFR § 164.314(a)(2)(ii)
Requirements for Group Health Plans—Implementation Specifications—Required—45 CFR § 164.314(b)(2)
Frequently Asked Questions
Policies and Procedures
Document Request List
Incident Handling Checklist
Crisis Handling Steps
Works Cited
Additional Resources

John ("Jay") Trinckes, Jr., CISSP, CISM, CRISC, CEH, NSA-IAM/IEM, MCSE-NT, A+, is the chief information security officer (CISO) for Path Forward IT, a managed service provider of IT and security services for the healthcare industry. Jay has previously worked as a senior information security consultant and authored The Executive MBA in Information Security, published by CRC Press in 2009. Trinckes has developed enterprise-level information security management programs for multiple clients and conducted countless successful internal/external vulnerability/penetration assessments and other technical compliance audits. He has been instrumental in developing policies, procedures, audit plans, compliance assessments, business impact analyses, and business continuity and disaster recovery plans for many clients. He also conducts security awareness training and other presentations related to information security. He provides a unique perspective on compliance as a result of his previous work experience as an information security risk analyst, IT manager, system administrator, and law enforcement officer.