The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules is a comprehensive manual for ensuring compliance with the implementation standards of the HIPAA Privacy and Security Rules, and it provides recommendations based on other related regulations and industry best practices. The book is designed to assist you in reviewing the accessibility of electronic protected health information (EPHI) so that you can make certain it is not altered or destroyed in an unauthorized manner, and that it is available as needed only to authorized individuals for authorized use. It can also help entities that may not be covered by HIPAA regulations but want to assure their customers that they are doing their due diligence to protect personal and private information. Since the HIPAA/HITECH rules generally apply to covered entities, business associates, and their subcontractors, these rules may soon become de facto standards for all companies to follow. Even if you aren't required to comply at this time, you may soon fall within the HIPAA/HITECH purview, so it is best to move your procedures in the right direction now.
The book covers administrative, physical, and technical safeguards; organizational requirements; and policy, procedure, and documentation requirements. It provides sample documents and directions on using the policies and procedures to establish proof of compliance, which is critical in preparing entities for a HIPAA assessment or an HHS audit. Chief information officers and security officers who master the principles in this book can be confident they have taken the proper steps to protect their clients' information and strengthen their security posture. This can give their organization a strategic advantage, demonstrating to clients that they not only care about their health and well-being but are also vigilant about protecting their privacy.
Table of Contents

HIPAA/HITECH Overview
  Definitions
  Required by Law
  Covered Entities Defined
  Covered Transactions Defined
  Are You a Covered Entity?
  Business Associates
  The Electronic Transactions and Code Sets Rule Overview
  National Provider Identifier Requirements Overview
  Security Rule Overview
  "Meaningful Use" Overview
  Breach Notification Rule Overview
  Enforcement Rule Overview
  Anti-Kickback Statute
  Patient Safety and Quality Improvement Act of 2005 (PSQIA)
  Consumer Privacy Bill of Rights
  Federal Rules of Civil Procedures

The Relevance of HIPAA/HITECH to Healthcare Organizations
  Why Is Security Important?
  Are Healthcare Organizations Immune to Security Concerns?
  Suffering from Data Breaches
  Rise of Medical Identity Theft
  Internet Crimes Go Unpunished
  Social Engineering and HIPAA
  Social Engineering: What Is It?
  Threats in the Workplace
  Enforcement Activities
  Impediments to HIPAA/HITECH Compliance
  The God Complex
  Recommendations
  Critical Infrastructure Implications
  What the Future Holds

Compliance Overview
  Interrelationship between Regulations, Policies, Standards, Procedures, and Guidelines
  Reasonable Safeguards
  Centers for Medicare and Medicaid Services Compliance Review
  HIPAA/HITECH Privacy and Security Audit Program
  The SAS 70/SSAE 16 Debate
  Corporate Governance

Privacy Rule Detailed
  Minimum Necessary
  Individual Consent
  Permitted Uses and Disclosures Detailed
  Authorized Use and Disclosure
  Privacy Practices Notice
  Administrative Requirements
  Organizational Options
  Other Provisions: Personal Representatives and Minors
  State Laws
  Enforcement
  Compliance Dates

The Electronic Transactions and Code Set Rule Detailed
  Definitions
  Standard Transactions
  Medical Code Sets
  Local Codes
  Nonmedical Code Sets
  Requirements for Covered Entities
  Additional Requirements for Health Plans
  Additional Rules for Healthcare Clearinghouses
  Exceptions from Standards to Permit Testing of Proposed Modifications

The National Provider Identifier Requirements Detailed
  Definitions
  Compliance Dates
  Healthcare Provider's Unique Health Identifier
  National Provider System
  Implementation Specifications for Healthcare Providers
  Implementation Specifications for Health Plans
  Implementation Specifications for Healthcare Clearinghouses
  National Provider Identifier (NPI) Application

"Meaningful Use" Detailed
  Meaningful Use Defined
  Meaningful Use Criteria
  Meaningful Use Requirements
  Meaningful Use Stage 1 (2011 and 2012)
  Clinical Quality Measures
  Meaningful Use Specification Sheets
  Proposed Changes to Stage 1 and Proposals for Stage 2

Breach Notification Detailed
  Definitions
  Individual Notification
  Media Notification
  Secretary Notification
  Business Associate Notification
  Notification Delay Request of Law Enforcement
  Burden of Proof
  Sample of Breach Notification Policy
  Sample of Breach Notification to Individuals

Enforcement Rule Detailed
  General Penalty
  Affirmative Defenses
  Waiver
  Notice of Proposed Determination

Security Rule Detailed
  Implementation Specifications
  Implementation Process
  Standards Are Flexible and Scalable
  Security Standards Defined
  Policy and Procedure Drafting
  Documentation Requirements
  Components of Policies

Security Rule: Administrative Safeguards
  Security Management Process
  Workforce Security
  Information Access Management
  Security Awareness Training
  Security Incident Procedures
  Contingency Plan
  Evaluation (Required), 45 CFR § 164.308(a)(8)
  Business Associate Contracts and Other Arrangements

Security Rule: Risk Assessments
  Risk Assessment Overview
  System Characterization
  Threat Identification
  Vulnerability Identification
  Control Analysis
  Likelihood Rating
  Impact Rating
  Risk Determination
  Risk Mitigation
  Risk Management
  Risk Assessment Report

Security Rule: Security Awareness Training

Security Rule: Incident Response
  Standard Format
  Steps
  Notification
  Incident Details
  Incident Handler
  Actions Taken or Recommended Actions
  Other Recommendations

Security Rule: Business Continuity Planning and Disaster Recovery
  Contingency Plan, 45 CFR § 164.308(a)(7)(i)
  Data Backup Plan, 45 CFR § 164.308(a)(7)(ii)(A)
  Disaster Recovery Plan, 45 CFR § 164.308(a)(7)(ii)(B)
  Emergency Mode Operation Plan, 45 CFR § 164.308(a)(7)(ii)(C)
  Testing and Revision Procedures (Addressable), 45 CFR § 164.308(a)(7)(ii)(D)(b)
  Applications and Data Criticality Analysis (Addressable), 45 CFR § 164.308(a)(7)(ii)(E)(b)
  A Plan Addressing Both Operational and Regulatory Requirements

Security Rule: Compliance Assessment
  Gap Analysis
  Develop or Modify Policies and Procedures
  Approve Policies and Procedures
  Policy and Procedure Implementation
  Test Plans
  Assessment
  Reassess

Security Rule: Physical Safeguards
  Facility Access Controls
  Workstation Use (Required), 45 CFR § 164.310(b)
  Workstation Security (Required), 45 CFR § 164.310(c)
  Device and Media Controls
  Remote Use and Mobile Device Controls

Security Rule: Technical Safeguards
  Access Control
  Audit Controls (Required), 45 CFR § 164.312(b)
  Integrity
  Person or Entity Authentication (Required), 45 CFR § 164.312(d)
  Transmission Security

Security Rule: Organizational Requirements
  Business Associate Contracts (Required), 45 CFR § 164.314(a)(2)(i)
  Other Arrangements (Required), 45 CFR § 164.314(a)(2)(ii)
  Requirements for Group Health Plans: Implementation Specifications (Required), 45 CFR § 164.314(b)(2)

Frequently Asked Questions

Checklists
  Policies and Procedures Document Request List
  Incident Handling Checklist
  Crisis Handling Steps

Works Cited
Additional Resources
Acronyms
Glossary
Index