The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules

 Content: HIPAA/HITECH Overview Definitions Required by Law Covered Entities Defined Covered Transactions Defined Are You a Covered Entity? Business Associates The Electronic Transactions and Code Sets Rule Overview National Provider Identifier Requirements Overview Security Rule Overview "Meaningful Use" Overview Breach Notification Rule Overview Enforcement Rule Overview Anti-Kickback Statute Patient Safety and Quality Improvement Act of 2005 (PSQIA) Consumer Privacy Bill of Rights Federal Rules of Civil Procedures The Relevance of HIPAA/HITECH to Healthcare Organizations Why Is Security Important?  Are Healthcare Organizations Immune to Security Concerns?  Suffering from Data Breaches Rise of Medical Identity Theft Internet Crimes Go Unpunished  Social Engineering and HIPAA Social Engineering: What Is It? Threats in the Workplace Enforcement Activities Impediments to HIPAA/HITECH Compliance The God Complex Recommendations Critical Infrastructure Implications What the Future Holds Compliance Overview Interrelationship between Regulations, Policies, Standards, Procedures, and Guidelines Reasonable Safeguards Centers for Medicare and Medicaid Services Compliance Review HIPAA/HITECH Privacy and Security Audit Program The SAS 70/SSAE 16 Debate Corporate Governance Privacy Rule Detailed Minimum Necessary  Individual Consent Permitted Uses and Disclosures Detailed Authorized Use and Disclosure Privacy Practices Notice Administrative Requirements Organizational Options Other Provisions: Personal Representatives and Minors State Laws Enforcement Compliance Dates The Electronic Transactions and Code Set Rule Detailed Definitions  Standard Transactions  Medical Code Sets  Local Codes  Nonmedical Code Sets Requirements for Covered Entities Additional Requirements for Health Plans Additional Rules for Healthcare Clearinghouses Exceptions from Standards to Permit Testing of Proposed Modifications The National Provider Identifier Requirements Detailed Definitions Compliance Dates Healthcare Provider's Unique Health Identifier National Provider System Implementation Specifications for Healthcare Providers Implementation Specifications for Health Plans Implementation Specifications for Healthcare Clearinghouses National Provider Identifier (NPI) Application "Meaningful Use" Detailed Meaningful Use Defined Meaningful Use Criteria Meaningful Use Requirements Meaningful Use Stage 1 (2011 and 2012) Clinical Quality Measures Meaningful Use Specification Sheets Proposed Changes to Stage 1 and Proposals for Stage 2 Breach Notification Detailed Definitions  Individual Notification Media Notification  Secretary Notification  Business Associate Notification Notification Delay Request of Law Enforcement Burden of Proof Sample of Breach Notification Policy Sample of Breach Notification to Individuals Enforcement Rule Detailed General Penalty Affirmative Defenses Waiver Notice of Proposed Determination Security Rule Detailed Implementation Specifications Implementation Process Standards Are Flexible and Scalable Security Standards Defined Policy and Procedure Drafting Documentation Requirements Components of Policies Security Rule: Administrative Safeguards Security Management Process Workforce Security Information Access Management Security Awareness Training Security Incident Procedures Contingency Plan Evaluation-Required-45 CFR x 164.308(a)(8) Business Associate Contracts and Other Arrangements Security Rule: Risk Assessments Risk Assessment Overview System Characterization Threat Identification Vulnerability Identification Control Analysis Likelihood Rating Impact Rating Risk Determination Risk Mitigation Risk Management Risk Assessment Report  Security Rule: Security Awareness Training Security Rule: Incident Response Standard Format Steps Notification Incident Details  Incident Handler Actions Taken or Recommended Actions Other Recommendations Security Rule: Business Continuity Planning and Disaster Recovery Contingency Plan-45 CFR x 164.308(a)(7)(i) Data Backup Plan-45 CFR x 164.308(a)(7)(ii)(A) Disaster Recovery Plan-45 CFR x 164.308(a)(7)(ii)(B) Emergency Mode Operation Plan-45 CFR x 164.308(a)(7)(ii)(C) Testing and Revision Procedures-Addressable-45 CFR x 164.308(a)(7)(ii)(D)(b) Applications and Data Criticality Analysis-Addressable-45 CFR x 164.308(a)(7)(ii)(E)(b) A Plan Addressing Both Operational and Regulatory Requirements Security Rule: Compliance Assessment Gap Analysis Develop or Modify Policies and Procedures  Approve Policies and Procedures  Policy and Procedure Implementation Test Plans Assessment Reassess  Security Rule: Physical Safeguards Facility Access Controls  Workstations Use-Required-45 CFR x 164.310(b) Workstation Security-Required-45 CFR x 164.310(c) Device and Media Controls Remote Use and Mobile Device Controls Security Rule: Technical Safeguards Access Control Audit Controls-Required-45 CFR x 164.312(b) Integrity Person or Entity Authentication-Required-45 CFR x 164.312(d) Transmission Security Security Rule: Organizational Requirements Business Associate Contracts-Required-45 CFR x 164.314(a)(2)(i) Other Arrangements-Required-45 CFR x 164.314(a)(2)(ii) Requirements for Group Health Plans-Implementation Specifications-Required-45 CFR x 164.314(b)(2) Frequently Asked Questions Checklists Policies and Procedures Document Request List Incident Handling Checklist Crisis Handling Steps Works Cited Additional Resources Acronyms Glossary Index
 Abstract:             "The security standards in HIPAA were developed to implement appropriate security safeguards for the protection of certain Electronic Protected Health Information (EPHI) that may be at risk while permitting authorized individuals to use this information. This book assists the health care provider in reviewing the accessibility of EPHI to verify that it is not altered or destroyed in an unauthorized manner and that it is available as needed by authorized individuals. The text covers implementation standards and provides recommendations on how to comply with these standards. "--
"Preface The Department of Health and Human Services (HHS) has published four major rules implementing a number of provisions and regulations set out by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 1999 as part of the American Recovery and Reinvestment Act (ARRA). These rules are the Privacy Rule; the Electronic Transactions and Code Sets Rule; the National Identifier requirements for employers, providers, and health plans; and the Security Rule. It also include more regulatory control over enforcement actions and stiffer penalties for noncompliance. There are many healthcare providers, healthcare clearinghouses, and health plans that are required to implement and comply with these rules, especially the Security Rule. Failure to implement or comply with these rules can leave the covered entity or others that need to comply open for large monetary fines, civil lawsuits, and other penalties. With the rise of security breaches and other high-profile incidences regarding successful hacking events, it is very apparent that information has become a valuable commodity. The United States has moved from a nation built on manufacturing and industry to an information/knowledge powerhouse. With the advancement in technology comes the opportunity for criminals to find another source of income by exploiting vulnerabilities within this technology. Retail, financial, and governmental entities have been the target and have fallen victim to these types of crimes; however, these industries are not the only industries susceptible. Technology has made companies more efficient and even now healthcare providers are required to submit Medicaid and"