The Practical Guide to HIPAA Privacy and Security Compliance: 2nd Edition (Hardback) book cover

The Practical Guide to HIPAA Privacy and Security Compliance

2nd Edition

By Rebecca Herold, Kevin Beaver

Auerbach Publications

544 pages | 7 B/W Illus.

Purchasing Options:$ = USD
Hardback: 9781439855584
pub: 2014-10-20
$90.95
x
eBook (VitalSource) : 9780429107825
pub: 2014-10-20
from $43.98


FREE Standard Shipping!

Description

Following in the footsteps of its bestselling predecessor, The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition is a one-stop, up-to-date resource on Health Insurance Portability and Accountability Act (HIPAA) privacy and security, including details on the HITECH Act, the 2013 Omnibus Rule, and the pending rules. Updated and revised with several new sections, this edition defines what HIPAA is, what it requires, and what you need to do to achieve compliance.

The book provides an easy-to-understand overview of HIPAA privacy and security rules and compliance tasks. Supplying authoritative insights into real-world HIPAA privacy and security issues, it summarizes the analysis, training, and technology needed to properly plan and implement privacy and security policies, training, and an overall program to manage information risks. Instead of focusing on technical jargon, the book spells out what your organization must do to achieve and maintain compliance requirements on an ongoing basis.

Reviews

Praise for the New Edition:

The HIPAA regulations are transforming how providers and insurers think about the individually identifiable health information they create and receive every minute of every day. … There is a potential for serious harm to service levels and even to patient health if misunderstandings as to the dictates of these regulations choke off the exchange of patient-health information. This guide is a good step toward erasing many of those misunderstandings. I commend the authors for their fine efforts at translating a difficult subject into practical terms.

—Mark Lutes, Chairman, Epstein Becker Green, Washington, DC

Praise for the Bestselling First Edition:

The book's main strength is its abundant and varied content. It thoroughly describes the main provisions of HIPAA's security and privacy requirements using actual language from the legislation interspersed with the authors' commentary. This format…helpfully guides readers through the labyrinthine HIPAA requirements.

—Scott Forbes, Microsoft

Rebecca and Kevin have compiled a wealth of knowledge in an easy-to-read, conversational style. This book is packed with useful facts and practical tips that grabs and keeps your attention as though you are listening to the authors in your own living room. The astute reader will keep a pad of paper and a pile of 'sticky notes' handy. You will no doubt come back to this valuable resource over and over again!

Michael J. Corby, CCP, CISSP, President and CEO, M. Corby & Associates, Inc.

This is a very comprehensive view of HIPAA privacy and security compliance which provides a pragmatic, step by step methodology for understanding and complying with the regulation. The practical checklists, the quizzes which

can be used in HIPAA awareness programs, and the pointers to valuable resources are all added benefits.

Micki Krause, CISSP, Chief Information Security Officer, Pacific Life Insurance

Table of Contents

HIPAA ESSENTIALS

Introduction to HIPAA

How HIPAA Came to Be

What HIPAA Covers

Current State of HIPAA Compliance

Overview of the Omnibus Rule Updates

What the HITECH Act Covers

Pending Proposed Rules

Organizations That Must Comply with HIPAA

Organizations That Must Comply with the HITECH Act

HIPAA Penalties and Enforcement

Insight into the Electronic Transactions and Code

Sets Rule

Conclusion

Practical Checklist

Related Regulations, Laws, Standards, and Guidance

Introduction

ARRA and the HITECH Act

Practical Checklist

Preparing for HIPAA, HITECH , and Other Compliance Changes

Background

Managing Change

Creating the Mind-Set

It Is Up to You

Practical Checklist

HIPAA Cost Considerations

Background

Privacy Implementation Costs

Privacy Ongoing Maintenance Costs

Costs Related to Providing Access to PHI

Privacy Officer Costs

Security Implementation Costs

Security Ongoing Maintenance Costs

Security Officer Costs

Practical Checklist

Relationship between Security and Privacy

Background

Privacy Rule and Security Rule Overlaps

Conclusion

Practical Checklist

HIPAA PRIVACY RULE

HIPAA Privacy Rule Requirements Overview

Background

Uses and Disclosures

Incidental Uses and Disclosures

Minimum Necessary Requirement

De-Identification

Business Associates

Marketing

Notice of Privacy Practices for PHI

Individual Rights to Request Privacy Protection for PHI

Individual Access to PHI

Amendment of PHI

Accounting Disclosures of PHI

PHI Restrictions Requests

Administrative Requirements

Personal Representatives

Minors

Transition Provisions

Compliance Dates and Penalties

Practical Checklist

Performing a Privacy Rule Gap Analysis and Risk Analysis

Introduction

Gap Analysis and Risk Analysis

Practical Checklist

Writing Effective Privacy Policies

Introduction

Notice of Privacy Practices

Example NPP

Organizational Privacy Policies

Practical Checklist

State Preemption

Introduction

What Is Contrary?

Exceptions to Preemption

Preemption Analysis

Conclusion

Practical Checklist

Crafting a Privacy Implementation Plan

Introduction

Some Points to Keep in Mind

Conclusion

Practical Checklist

Privacy Rule Compliance Checklist

Introduction

HIPAA SECURITY RULE

Security Rule Requirements Overview

Introduction to the Security Rule

General Rules for Security Rule Compliance

Insight into the Security Rule

Other Organizational Requirements

Reasons to Get Started on Security Rule Initiatives

Practical Checklist

Performing a Security Rule Risk Analysis

Background

Risk Analysis Requirements According to HIPAA

Risk Analysis Essentials

Stepping through the Process

Calculating Risk

Managing Risks Going Forward

Practical Checklist

Writing Effective Information Security Policies

Introduction to Security Policies

Critical Elements of Security Policies

Sample Security Policy Framework

Security Policies You May Need for HIPAA Security Rule Compliance

Managing Your Security Policies

Practical Checklist

Crafting a Security Implementation Plan

Background

Some Points to Keep in Mind

Conclusion

Practical Checklist

Security Rule Compliance Checklist

Introduction

COVERED ENTITY ISSUES

Health-Care Provider Issues

Background

Privacy Notices

Fees for Record Review

Mitigation Measures

Fax Use

Sign-In Sheets

Patient Charts

Business Associates

Authorizations

Practical Checklist

Health-Care Clearinghouse Issues

Background

Requirements

Transactions

Financial Institutions

Conclusion

Practical Checklist

Health Plan Issues

What Is a Health Plan?

What Is a Small Health Plan?

Health Plan Requirements

Marketing Issues

Notice of Privacy Practices

Types of Insurance Plans Excluded from HIPAA

Communications

Government and Law Enforcement

Practical Checklist

Employer Issues

Background

"Small" and "Large" Employers

Health Benefits

Enforcement and Penalties

Organizational Requirements

Health Information

Medical Surveillance

Workers’ Compensation

Training

Resources

Conclusion

Practical Checklist

Business Associate Issues

Is Your Organization a Business Associate?

Business Associate Requirements

What You Can Expect to See or Hear from Covered Entities

Common Business Associate Weaknesses

Issues to Consider

Moving Forward

Practical Checklist

HIPAA TECHNOLOGY CONSIDERATIONS

Building a HIPAA-Compliant Technology Infrastructure

Overview

Caution

Areas of Technology to Focus On

Looking Deeper into Specific Technologies

Mobile Computing

Additional Technology Considerations

Conclusion

Practical Checklist

Crafting Security Incident Procedures and Contingency Plans

Background

Handling Security Incidents

Security Incident Procedure Essentials

Basics of Contingency Planning

Moving Forward

Practical Checklist

Outsourcing Information Technology Services

Background

Reasons to Consider Outsourcing

What Functions to Outsource

What to Look For in Outsourcing Firms

Common Outsourcing Mistakes

Practical Checklist

MANAGING ONGOING HIPAA COMPLIANCE

HIPAA Training, Education, and Awareness

Creating an Effective Awareness Program

Identify Awareness and Training Groups

Training

Training Design and Development

Awareness Options

Document Training and Awareness Activities

Get Support

Measure Effectiveness

Conclusion

Practical Checklist

Performing Ongoing HIPAA Compliance Reviews and Audits

Background

Ongoing Cost of Compliance

Privacy Issues

Security Issues

Making Audits Work

Practical Checklist

APPENDICES

Appendix A: Enforcement and Sanctions

Appendix B: HIPAA Glossary

Appendix C: Model Incident and Privacy Response Procedures

Appendix D: HIPAA Resources

References

Further Reading

Index

About the Authors

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia based Principle Logic, LLC. He has worked in IT since 1989 and specializes in performing information security assessments for corporations, security product vendors, independent software developers, universities, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several health care, e-commerce, financial, and educational institutions.

Kevin has appeared on CNN as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Men’s Health, Women’s Health, Woman’s Day, and Inc. Magazine. His work has also been referenced by the PCI Security Standards Council in their PCI DSS Wireless Guidelines. He has given and participated in hundreds of highly rated presentations, panel discussions, seminars, and webcasts on information security and compliance.

Kevin has authored or coauthored 11 information security books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance(Realtimepublishers.com). He has written dozens of whitepapers and hundreds of articles and guest blog posts, and he is a regular contributor to SearchSecurity.com, SearchEnterpriseDesktop.com, SearchWindowsServer.com, and Security Technology Executivemagazine.

Kevin is the creator and producer of the Security On Wheelsaudiobooks, which provide security learning for IT professionals on the go (http://www.securityonwheels.com) and its associated blog (http:// www.securityonwheels.com/blog). He also covers information security and related matters on Twitter (@kevinbeaver) and YouTube (PrincipleLogic). He earned his bachelor’s degree in computer engineering technology from Southern College of Technology and his master’s degree in management of technology from Georgia Tech. He obtained his CISSP certification in 2001 and also holds MCSE, Master CNE, and IT Project+ certifications.

Kevin can be reached through his website (http://www.principlelogic.com) and invites you to connect to him via LinkedIn (http://www.linkedin.com/in/kevinbeaver).

Rebecca Heroldhas over 25 years of information privacy, security, and compliance expertise. She is CEO of Privacy Professor® and is a partner for Compliance Helper®. She has led the NIST SGIP Smart Grid Privacy Subgroup since June 2009. She has been an adjunct professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program since 2005. She has written 17 books and hundreds of published articles. She has been invited to speak at a wide variety of events throughout the United States, and in other worldwide locations such as Melbourne, Australia; Bogotá, Colombia; and Naas, County Kildare, Ireland.

Rebecca is widely recognized and respected, and has been providing information privacy, security, and compliance services, tools, and products to organizations in an extensive range of industries for over two decades. Just a few of her awards and recognitions include the following:

  • Rebecca was ranked #2 in the "Top 25 Female Infosec Leaders to Follow on Twitter" in 2014 by Information Security Buzz.
  • Rebecca was named to the ISACA International Privacy Task Force in 2013.
  • Rebecca was named on Tripwire’s list of "InfoSec’s Rising Stars and Hidden Gems: The Top 15 Educators" in July 2013.
  • Rebecca was ranked #5 in the "Top 25 Female Infosec Leaders to Follow on Twiter" in 2013 by Information Security Buzz.
  • Rebecca has been named one of the "Best Privacy Advisers in the World" multiple times in recent years by Computerworld magazine, most recently ranking third in the world in the last rankings provided.
  • In 2012, Rebecca was named one of the most influential people and groups in online privacy by Techopedia.com.
  • In 2012, Rebecca was named a Privacy by Design Ambassador by the Ontario, Canada Data Privacy Commissioner.

Rebecca is a partner for the Compliance Helper services for health-care organizations and their business associates to meet their HIPAA, HITECH, and other legal requirements. She is a member of the IAPP Certification Advisory Board, and is an instructor for the IAPP’s CIPM, CIPP/IT, CIPP/US, and CIPP foundations classes.

Rebecca currently serves on multiple advisory boards for security, privacy, and high-tech technology organizations. She is frequently interviewed and quoted in diverse broadcasts and publications such as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired, Popular Science, Computerworld, IEEE’s Security and Privacy Journal, NPR, and many others. She regularly appears on the Des Moines, Iowa-based Great Day morning television program on KCWI to discuss and provide advice for information security and privacy topics.

Rebecca was born and raised in Missouri and has degrees in math, computer science, and education. She has lived in Iowa on a farm with her family for the past couple of decades, where they raise corn, soy beans, and sunflowers, and make hay. They are currently renovating a house that is over 100 years. See more about Rebecca, her work, services, and products at:

  • The Privacy Professor (http://www.privacyguidance.com and http://www.privacyprofessor.org)
  • Co-Owner, CPO, and CISO, SIMBUS (http://www.hipaacompliance.org)
  • Partner, Compliance Helper (http://www.compliancehelper.com)
  • Adjunct Professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program (http://infoassurance.norwich.edu/)
  • Twitter ID: PrivacyProf (http://twitter.com/PrivacyProf)

Subject Categories

BISAC Subject Codes/Headings:
BUS041000
BUSINESS & ECONOMICS / Management
COM032000
COMPUTERS / Information Technology
COM053000
COMPUTERS / Security / General