2nd Edition
The Practical Guide to HIPAA Privacy and Security Compliance
Following in the footsteps of its bestselling predecessor, The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition is a one-stop, up-to-date resource on Health Insurance Portability and Accountability Act (HIPAA) privacy and security, including details on the HITECH Act, the 2013 Omnibus Rule, and the pending rules. Updated and revised with several new sections, this edition defines what HIPAA is, what it requires, and what you need to do to achieve compliance.
The book provides an easy-to-understand overview of HIPAA privacy and security rules and compliance tasks. Supplying authoritative insights into real-world HIPAA privacy and security issues, it summarizes the analysis, training, and technology needed to properly plan and implement privacy and security policies, training, and an overall program to manage information risks. Instead of focusing on technical jargon, the book spells out what your organization must do to achieve and maintain compliance requirements on an ongoing basis.
HIPAA ESSENTIALS
Introduction to HIPAA
How HIPAA Came to Be
What HIPAA Covers
Current State of HIPAA Compliance
Overview of the Omnibus Rule Updates
What the HITECH Act Covers
Pending Proposed Rules
Organizations That Must Comply with HIPAA
Organizations That Must Comply with the HITECH Act
HIPAA Penalties and Enforcement
Insight into the Electronic Transactions and Code Sets Rule
Conclusion
Practical Checklist
Related Regulations, Laws, Standards, and Guidance
Introduction
ARRA and the HITECH Act
Practical Checklist
Preparing for HIPAA, HITECH, and Other Compliance Changes
Background
Managing Change
Creating the Mind-Set
It Is Up to You
Practical Checklist
HIPAA Cost Considerations
Background
Privacy Implementation Costs
Privacy Ongoing Maintenance Costs
Costs Related to Providing Access to PHI
Privacy Officer Costs
Security Implementation Costs
Security Ongoing Maintenance Costs
Security Officer Costs
Practical Checklist
Relationship between Security and Privacy
Background
Privacy Rule and Security Rule Overlaps
Conclusion
Practical Checklist
HIPAA PRIVACY RULE
HIPAA Privacy Rule Requirements Overview
Background
Uses and Disclosures
Incidental Uses and Disclosures
Minimum Necessary Requirement
De-Identification
Business Associates
Marketing
Notice of Privacy Practices for PHI
Individual Rights to Request Privacy Protection for PHI
Individual Access to PHI
Amendment of PHI
Accounting Disclosures of PHI
PHI Restrictions Requests
Administrative Requirements
Personal Representatives
Minors
Transition Provisions
Compliance Dates and Penalties
Practical Checklist
Performing a Privacy Rule Gap Analysis and Risk Analysis
Introduction
Gap Analysis and Risk Analysis
Practical Checklist
Writing Effective Privacy Policies
Introduction
Notice of Privacy Practices
Example NPP
Organizational Privacy Policies
Practical Checklist
State Preemption
Introduction
What Is Contrary?
Exceptions to Preemption
Preemption Analysis
Conclusion
Practical Checklist
Crafting a Privacy Implementation Plan
Introduction
Some Points to Keep in Mind
Conclusion
Practical Checklist
Privacy Rule Compliance Checklist
Introduction
HIPAA SECURITY RULE
Security Rule Requirements Overview
Introduction to the Security Rule
General Rules for Security Rule Compliance
Insight into the Security Rule
Other Organizational Requirements
Reasons to Get Started on Security Rule Initiatives
Practical Checklist
Performing a Security Rule Risk Analysis
Background
Risk Analysis Requirements According to HIPAA
Risk Analysis Essentials
Stepping through the Process
Calculating Risk
Managing Risks Going Forward
Practical Checklist
Writing Effective Information Security Policies
Introduction to Security Policies
Critical Elements of Security Policies
Sample Security Policy Framework
Security Policies You May Need for HIPAA Security Rule Compliance
Managing Your Security Policies
Practical Checklist
Crafting a Security Implementation Plan
Background
Some Points to Keep in Mind
Conclusion
Practical Checklist
Security Rule Compliance Checklist
Introduction
COVERED ENTITY ISSUES
Health-Care Provider Issues
Background
Privacy Notices
Fees for Record Review
Mitigation Measures
Fax Use
Sign-In Sheets
Patient Charts
Business Associates
Authorizations
Practical Checklist
Health-Care Clearinghouse Issues
Background
Requirements
Transactions
Financial Institutions
Conclusion
Practical Checklist
Health Plan Issues
What Is a Health Plan?
What Is a Small Health Plan?
Health Plan Requirements
Marketing Issues
Notice of Privacy Practices
Types of Insurance Plans Excluded from HIPAA
Communications
Government and Law Enforcement
Practical Checklist
Employer Issues
Background
"Small" and "Large" Employers
Health Benefits
Enforcement and Penalties
Organizational Requirements
Health Information
Medical Surveillance
Workers’ Compensation
Training
Resources
Conclusion
Practical Checklist
Business Associate Issues
Is Your Organization a Business Associate?
Business Associate Requirements
What You Can Expect to See or Hear from Covered Entities
Common Business Associate Weaknesses
Issues to Consider
Moving Forward
Practical Checklist
HIPAA TECHNOLOGY CONSIDERATIONS
Building a HIPAA-Compliant Technology Infrastructure
Overview
Caution
Areas of Technology to Focus On
Looking Deeper into Specific Technologies
Mobile Computing
Additional Technology Considerations
Conclusion
Practical Checklist
Crafting Security Incident Procedures and Contingency Plans
Background
Handling Security Incidents
Security Incident Procedure Essentials
Basics of Contingency Planning
Moving Forward
Practical Checklist
Outsourcing Information Technology Services
Background
Reasons to Consider Outsourcing
What Functions to Outsource
What to Look For in Outsourcing Firms
Common Outsourcing Mistakes
Practical Checklist
MANAGING ONGOING HIPAA COMPLIANCE
HIPAA Training, Education, and Awareness
Creating an Effective Awareness Program
Identify Awareness and Training Groups
Training
Training Design and Development
Awareness Options
Document Training and Awareness Activities
Get Support
Measure Effectiveness
Conclusion
Practical Checklist
Performing Ongoing HIPAA Compliance Reviews and Audits
Background
Ongoing Cost of Compliance
Privacy Issues
Security Issues
Making Audits Work
Practical Checklist
APPENDICES
Appendix A: Enforcement and Sanctions
Appendix B: HIPAA Glossary
Appendix C: Model Incident and Privacy Response Procedures
Appendix D: HIPAA Resources
References
Further Reading
Index
Biography
Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia based Principle Logic, LLC. He has worked in IT since 1989 and specializes in performing information security assessments for corporations, security product vendors, independent software developers, universities, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several health care, e-commerce, financial, and educational institutions.
Kevin has appeared on CNN as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Men's Health, Women's Health, Woman's Day, and Inc. Magazine. His work has also been referenced by the PCI Security Standards Council in their PCI DSS Wireless Guidelines. He has given and participated in hundreds of highly rated presentations, panel discussions, seminars, and webcasts on information security and compliance.
Kevin has authored or coauthored 11 information security books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance (Realtimepublishers.com). He has written dozens of whitepapers and hundreds of articles and guest blog posts, and he is a regular contributor to SearchSecurity.com, SearchEnterpriseDesktop.com, SearchWindowsServer.com, and Security Technology Executive magazine.
Kevin is the creator and producer of the Security On Wheels audiobooks, which provide security learning for IT professionals on the go (http://www.securityonwheels.com) and its associated blog (http://www.securityonwheels.com/blog). He also covers information security and rela
Praise for the New Edition:
The HIPAA regulations are transforming how providers and insurers think about the individually identifiable health information they create and receive every minute of every day. ... There is a potential for serious harm to service levels and even to patient health if misunderstandings as to the dictates of these regulations choke off the exchange of patient-health information. This guide is a good step toward erasing many of those misunderstandings. I commend the authors for their fine efforts at translating a difficult subject into practical terms.
—Mark Lutes, Chairman, Epstein Becker Green, Washington, DC
Praise for the Bestselling First Edition:
The book's main strength is its abundant and varied content. It thoroughly describes the main provisions of HIPAA's security and privacy requirements using actual language from the legislation interspersed with the authors' commentary. This format…helpfully guides readers through the labyrinthine HIPAA requirements.
—Scott Forbes, Microsoft
Rebecca and Kevin have compiled a wealth of knowledge in an easy-to-read, conversational style. This book is packed with useful facts and practical tips that grab and keep your attention as though you are listening to the authors in your own living room. The astute reader will keep a pad of paper and a pile of 'sticky notes' handy. You will no doubt come back to this valuable resource over and over again!
Michael J. Corby, CCP, CISSP, President and CEO, M. Corby & Associates, Inc.
This is a very comprehensive view of HIPAA privacy and security compliance which provides a pragmatic, step-by-step methodology for understanding and complying with the regulation. The practical checklists, the quizzes which can be used in HIPAA awareness programs, and the pointers to valuable resources are all added benefits.
Micki Krause, CISSP, Chief Information Security Officer, Pacific Life Insurance