The Practical Guide to HIPAA Privacy and Security Compliance: 2nd Edition (Hardback) book cover

The Practical Guide to HIPAA Privacy and Security Compliance

2nd Edition

By Rebecca Herold, Kevin Beaver

Auerbach Publications

544 pages | 7 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9781439855584
pub: 2014-10-20
eBook (VitalSource) : 9780429107825
pub: 2014-10-20
from $43.98

FREE Standard Shipping!


Following in the footsteps of its bestselling predecessor, The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition is a one-stop, up-to-date resource on Health Insurance Portability and Accountability Act (HIPAA) privacy and security, including details on the HITECH Act, the 2013 Omnibus Rule, and the pending rules. Updated and revised with several new sections, this edition defines what HIPAA is, what it requires, and what you need to do to achieve compliance.

The book provides an easy-to-understand overview of HIPAA privacy and security rules and compliance tasks. Supplying authoritative insights into real-world HIPAA privacy and security issues, it summarizes the analysis, training, and technology needed to properly plan and implement privacy and security policies, training, and an overall program to manage information risks. Instead of focusing on technical jargon, the book spells out what your organization must do to achieve and maintain compliance requirements on an ongoing basis.


Praise for the New Edition:

The HIPAA regulations are transforming how providers and insurers think about the individually identifiable health information they create and receive every minute of every day. … There is a potential for serious harm to service levels and even to patient health if misunderstandings as to the dictates of these regulations choke off the exchange of patient-health information. This guide is a good step toward erasing many of those misunderstandings. I commend the authors for their fine efforts at translating a difficult subject into practical terms.

—Mark Lutes, Chairman, Epstein Becker Green, Washington, DC

Praise for the Bestselling First Edition:

The book's main strength is its abundant and varied content. It thoroughly describes the main provisions of HIPAA's security and privacy requirements using actual language from the legislation interspersed with the authors' commentary. This format…helpfully guides readers through the labyrinthine HIPAA requirements.

—Scott Forbes, Microsoft

Rebecca and Kevin have compiled a wealth of knowledge in an easy-to-read, conversational style. This book is packed with useful facts and practical tips that grabs and keeps your attention as though you are listening to the authors in your own living room. The astute reader will keep a pad of paper and a pile of 'sticky notes' handy. You will no doubt come back to this valuable resource over and over again!

Michael J. Corby, CCP, CISSP, President and CEO, M. Corby & Associates, Inc.

This is a very comprehensive view of HIPAA privacy and security compliance which provides a pragmatic, step by step methodology for understanding and complying with the regulation. The practical checklists, the quizzes which

can be used in HIPAA awareness programs, and the pointers to valuable resources are all added benefits.

Micki Krause, CISSP, Chief Information Security Officer, Pacific Life Insurance

Table of Contents


Introduction to HIPAA

How HIPAA Came to Be

What HIPAA Covers

Current State of HIPAA Compliance

Overview of the Omnibus Rule Updates

What the HITECH Act Covers

Pending Proposed Rules

Organizations That Must Comply with HIPAA

Organizations That Must Comply with the HITECH Act

HIPAA Penalties and Enforcement

Insight into the Electronic Transactions and Code

Sets Rule


Practical Checklist

Related Regulations, Laws, Standards, and Guidance


ARRA and the HITECH Act

Practical Checklist

Preparing for HIPAA, HITECH , and Other Compliance Changes


Managing Change

Creating the Mind-Set

It Is Up to You

Practical Checklist

HIPAA Cost Considerations


Privacy Implementation Costs

Privacy Ongoing Maintenance Costs

Costs Related to Providing Access to PHI

Privacy Officer Costs

Security Implementation Costs

Security Ongoing Maintenance Costs

Security Officer Costs

Practical Checklist

Relationship between Security and Privacy


Privacy Rule and Security Rule Overlaps


Practical Checklist


HIPAA Privacy Rule Requirements Overview


Uses and Disclosures

Incidental Uses and Disclosures

Minimum Necessary Requirement


Business Associates


Notice of Privacy Practices for PHI

Individual Rights to Request Privacy Protection for PHI

Individual Access to PHI

Amendment of PHI

Accounting Disclosures of PHI

PHI Restrictions Requests

Administrative Requirements

Personal Representatives


Transition Provisions

Compliance Dates and Penalties

Practical Checklist

Performing a Privacy Rule Gap Analysis and Risk Analysis


Gap Analysis and Risk Analysis

Practical Checklist

Writing Effective Privacy Policies


Notice of Privacy Practices

Example NPP

Organizational Privacy Policies

Practical Checklist

State Preemption


What Is Contrary?

Exceptions to Preemption

Preemption Analysis


Practical Checklist

Crafting a Privacy Implementation Plan


Some Points to Keep in Mind


Practical Checklist

Privacy Rule Compliance Checklist



Security Rule Requirements Overview

Introduction to the Security Rule

General Rules for Security Rule Compliance

Insight into the Security Rule

Other Organizational Requirements

Reasons to Get Started on Security Rule Initiatives

Practical Checklist

Performing a Security Rule Risk Analysis


Risk Analysis Requirements According to HIPAA

Risk Analysis Essentials

Stepping through the Process

Calculating Risk

Managing Risks Going Forward

Practical Checklist

Writing Effective Information Security Policies

Introduction to Security Policies

Critical Elements of Security Policies

Sample Security Policy Framework

Security Policies You May Need for HIPAA Security Rule Compliance

Managing Your Security Policies

Practical Checklist

Crafting a Security Implementation Plan


Some Points to Keep in Mind


Practical Checklist

Security Rule Compliance Checklist



Health-Care Provider Issues


Privacy Notices

Fees for Record Review

Mitigation Measures

Fax Use

Sheets

Patient Charts

Business Associates


Practical Checklist

Health-Care Clearinghouse Issues




Financial Institutions


Practical Checklist

Health Plan Issues

What Is a Health Plan?

What Is a Small Health Plan?

Health Plan Requirements

Marketing Issues

Notice of Privacy Practices

Types of Insurance Plans Excluded from HIPAA


Government and Law Enforcement

Practical Checklist

Employer Issues


"Small" and "Large" Employers

Health Benefits

Enforcement and Penalties

Organizational Requirements

Health Information

Medical Surveillance

Workers’ Compensation




Practical Checklist

Business Associate Issues

Is Your Organization a Business Associate?

Business Associate Requirements

What You Can Expect to See or Hear from Covered Entities

Common Business Associate Weaknesses

Issues to Consider

Moving Forward

Practical Checklist


Building a HIPAA-Compliant Technology Infrastructure



Areas of Technology to Focus On

Looking Deeper into Specific Technologies

Mobile Computing

Additional Technology Considerations


Practical Checklist

Crafting Security Incident Procedures and Contingency Plans


Handling Security Incidents

Security Incident Procedure Essentials

Basics of Contingency Planning

Moving Forward

Practical Checklist

Outsourcing Information Technology Services


Reasons to Consider Outsourcing

What Functions to Outsource

What to Look For in Outsourcing Firms

Common Outsourcing Mistakes

Practical Checklist


HIPAA Training, Education, and Awareness

Creating an Effective Awareness Program

Identify Awareness and Training Groups


Training Design and Development

Awareness Options

Document Training and Awareness Activities

Get Support

Measure Effectiveness


Practical Checklist

Performing Ongoing HIPAA Compliance Reviews and Audits


Ongoing Cost of Compliance

Privacy Issues

Security Issues

Making Audits Work

Practical Checklist


Appendix A: Enforcement and Sanctions

Appendix B: HIPAA Glossary

Appendix C: Model Incident and Privacy Response Procedures

Appendix D: HIPAA Resources


Further Reading


About the Authors

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia based Principle Logic, LLC. He has worked in IT since 1989 and specializes in performing information security assessments for corporations, security product vendors, independent software developers, universities, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several health care, e-commerce, financial, and educational institutions.

Kevin has appeared on CNN as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Men’s Health, Women’s Health, Woman’s Day, and Inc. Magazine. His work has also been referenced by the PCI Security Standards Council in their PCI DSS Wireless Guidelines. He has given and participated in hundreds of highly rated presentations, panel discussions, seminars, and webcasts on information security and compliance.

Kevin has authored or coauthored 11 information security books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance( He has written dozens of whitepapers and hundreds of articles and guest blog posts, and he is a regular contributor to,,, and Security Technology Executivemagazine.

Kevin is the creator and producer of the Security On Wheelsaudiobooks, which provide security learning for IT professionals on the go ( and its associated blog (http:// He also covers information security and related matters on Twitter (@kevinbeaver) and YouTube (PrincipleLogic). He earned his bachelor’s degree in computer engineering technology from Southern College of Technology and his master’s degree in management of technology from Georgia Tech. He obtained his CISSP certification in 2001 and also holds MCSE, Master CNE, and IT Project+ certifications.

Kevin can be reached through his website ( and invites you to connect to him via LinkedIn (

Rebecca Heroldhas over 25 years of information privacy, security, and compliance expertise. She is CEO of Privacy Professor® and is a partner for Compliance Helper®. She has led the NIST SGIP Smart Grid Privacy Subgroup since June 2009. She has been an adjunct professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program since 2005. She has written 17 books and hundreds of published articles. She has been invited to speak at a wide variety of events throughout the United States, and in other worldwide locations such as Melbourne, Australia; Bogotá, Colombia; and Naas, County Kildare, Ireland.

Rebecca is widely recognized and respected, and has been providing information privacy, security, and compliance services, tools, and products to organizations in an extensive range of industries for over two decades. Just a few of her awards and recognitions include the following:

  • Rebecca was ranked #2 in the "Top 25 Female Infosec Leaders to Follow on Twitter" in 2014 by Information Security Buzz.
  • Rebecca was named to the ISACA International Privacy Task Force in 2013.
  • Rebecca was named on Tripwire’s list of "InfoSec’s Rising Stars and Hidden Gems: The Top 15 Educators" in July 2013.
  • Rebecca was ranked #5 in the "Top 25 Female Infosec Leaders to Follow on Twiter" in 2013 by Information Security Buzz.
  • Rebecca has been named one of the "Best Privacy Advisers in the World" multiple times in recent years by Computerworld magazine, most recently ranking third in the world in the last rankings provided.
  • In 2012, Rebecca was named one of the most influential people and groups in online privacy by
  • In 2012, Rebecca was named a Privacy by Design Ambassador by the Ontario, Canada Data Privacy Commissioner.

Rebecca is a partner for the Compliance Helper services for health-care organizations and their business associates to meet their HIPAA, HITECH, and other legal requirements. She is a member of the IAPP Certification Advisory Board, and is an instructor for the IAPP’s CIPM, CIPP/IT, CIPP/US, and CIPP foundations classes.

Rebecca currently serves on multiple advisory boards for security, privacy, and high-tech technology organizations. She is frequently interviewed and quoted in diverse broadcasts and publications such as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired, Popular Science, Computerworld, IEEE’s Security and Privacy Journal, NPR, and many others. She regularly appears on the Des Moines, Iowa-based Great Day morning television program on KCWI to discuss and provide advice for information security and privacy topics.

Rebecca was born and raised in Missouri and has degrees in math, computer science, and education. She has lived in Iowa on a farm with her family for the past couple of decades, where they raise corn, soy beans, and sunflowers, and make hay. They are currently renovating a house that is over 100 years. See more about Rebecca, her work, services, and products at:

  • The Privacy Professor ( and
  • Co-Owner, CPO, and CISO, SIMBUS (
  • Partner, Compliance Helper (
  • Adjunct Professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program (
  • Twitter ID: PrivacyProf (

Subject Categories

BISAC Subject Codes/Headings:
COMPUTERS / Information Technology
COMPUTERS / Security / General