Guide to HIPAA security and the law

Authors:Stephen S. Wu, American Bar Association

Edition:View all formats and editions

Physical Description:xviii, 324 pages ; 23 cm

ISBN:

9781590317488, 1590317483

OCLC Number / Unique Identifier:145431819

Subjects:

Computer Security legislation & jurisprudence

Confidential communications

Confidentiality

Data protection Law and legislation

Data protection Law and legislation United States

Dossiers médicaux Accès Contrôle États-Unis

Dossiers médicaux États-Unis Sécurité Mesures

Health Insurance Portability and Accountability Act of 1996 (United States)

Insurance, Health legislation & jurisprudence

Medical Records legislation & jurisprudence

Medical records Access control

Medical records Access control United States

Medical records Law and legislation

Medical records Law and legislation United States

Medical records Security measures United States

Secret professionnel

Security Measures

United States

Contents:

Preface

About the Editor

About the Contributors

xvii

Introduction

(4)

Kathryn Coburn

Background and History of HIPAA

(4)

Steven Fleisher

HIPAA Privacy and Security

(4)

Francoise Gilbert

Relationship Among HIPAA, the Privacy Rule, and the Security Rule

(1)

HIPAA Statutory Requirement for Security

(2)

Security Requirements in the Privacy Rule

(1)

Scope and Applicability of the Security Rule

(12)

John Christiansen

Scope of Information Protected Under the Security Rule

(3)

Entities Regulated by the Security Rule

(9)

Business Associates and Business Associate Contracts; Governmental Interagency Arrangements

(2)

Health Plan Sponsors

(1)

Hybrid Entities and Health Care Components

(1)

Affiliated Covered Entities

(1)

Organized Health Care Arrangements

(2)

The Security Rule

(70)

Mike Jerbic

Stephen Wu

General Rules

(2)

Administrative Safeguards---Section 164.308

(35)

Security Management Process (Standard)---Section 164.308(a)(1)(i)

(1)

Risk Analysis (Required)---Section 164.308(a)(1)(ii)(A)

(5)

Risk Management (Required)---Section 164.308(a)(1)(ii)(B)

(2)

Sanction Policy (Required)---Section 164.308(a)(1)(ii)(C)

(1)

Information System Activity Review (Required)---Section 164.308(a)(1)(ii)(D)

(1)

Assigned Security Responsibility (Standard)---Section 164.308(a)(2)

(1)

Workforce Security (Standard)---Section 164.308(a)(3)(i)

(1)

Authorization and/or Supervision (Addressable)---Section 164.308(a)(3)(ii)(A)

(1)

Workforce Clearance Procedure (Addressable)---Section 164.308(a)(3)(ii)(B)

(1)

Termination Procedures (Addressable)---Section 164.308(a)(3)(ii)(C)

(1)

Information Access Management (Standard)---Section 164.308(a)(4)(i)

(1)

Isolating Health Care Clearinghouse Functions (Required)---Section 164.308(a)(4)(ii)(A)

(1)

Access Authorization (Addressable)---Section 164.308(a)(4)(ii)(B)

(1)

Access Establishment and Modification (Addressable)---Section 164.308(a)(4)(ii)(C)

(1)

Security Awareness and Training (Standard)---Section 164.308(a)(5)(i)

(1)

Security Reminders (Addressable)---Section 164.308(a)(5)(ii)(A)

(1)

Protection from Malicious Software (Addressable)---Section 164.308(a)(5)(ii)(B)

(1)

Log-in Monitoring (Addressable)---Section 164.308(a)(5)(ii)(C)

(1)

Password Management (Addressable)---Section 164.308(a)(5)(ii)(D)

(1)

Security Incident Procedures and Responses---Section 164.308(a)(6)

(1)

Security Incident Procedures (Standard)---Section 164.308(a)(6)(i)

(2)

Response and Reporting (Required)---Section 164.308(a)(6)(ii)

(1)

Contingency Plan (Standard)---Section 164.308(a)(7)(i)

(1)

Data Backup Plan (Required)---Section 164.308(a)(7)(ii)(A)

(1)

Disaster Recovery Plan (Required)---Section 164.308(a)(7)(ii)(B)

(1)

Emergency Mode Operation Plan (Required)---Section 164.308(a)(7)(ii)(C)

(2)

Testing and Revision Procedures (Addressable)---Section 164.308(a)(7)(ii)(D)

(1)

Applications and Data Criticality Analysis (Addressable)---Section 164.308(a)(7)(ii)(E)

(1)

Evaluation (Standard)---Section 164.308(a)(8)

(3)

Imposing Security Requirements on Business Associates---Section 164.308(b)

(1)

Business Associate Contracts and Other Arrangements (Standard)---Section 164.308(b)(1)

(1)

Exceptions to the Business Associate Standard---Section 164.308(b)(2)

(1)

Violations of the Standard---Section 164.308(b)(3)

(1)

Implementation Specifications: Written Contract or Other Arrangement (Required)---Section 164.308(b)(4)

(1)

Conclusion Regarding Administrative Safeguards

(1)

Physical Safeguards---Section 164.310

(14)

Facility Access---Section 164.310(a)

(1)

Facility Access Controls (Standard)---Section 164.310(a)(1)

(3)

Facility Access Controls Implementation Specifications---Section 164.310(a)(2)

(1)

Contingency Operations (Addressable)---Section 164.310(a)(2)(i)

(1)

Facility Security Planning (Addressable)---Section 164.310(a)(2)(ii)

(1)

Access Control and Validation (Addressable)---Section 164.310(a)(2)(iii)

(1)

Maintenance Records (Addressable)---Section 164.310(a)(2)(iv)

(1)

Workstation Use (Standard)---Section 164.310(b)

(1)

Workstation Security (Standard)---Section 164.310(c)

(1)

Device and Media Controls---Section 164.310(d)

(1)

Device and Media Controls (Standard)---Section 164.310(d)(1)

(1)

Device and Media Controls Implementation Specifications---Section 164.310(d)(2)

(1)

Disposal (Required)---Section 164.310(d)(2)(i)

(1)

Media Re-Use (Required)---Section 164.310(d)(2)(ii)

(1)

Accountability (Addressable)---Section 164.310(d)(2)(iii)

(1)

Data backup and storage (Addressable)---Section 164.310(d)(2)(iv)

(1)

Conclusion Regarding Physical Safeguards

(1)

Technical Safeguards---Section 164.312

(13)

Access Control Safeguards---Section 164.312(a)

(1)

Access Control (Standard)---Section 164.312(a)(1)

(2)

Access Control Implementation Specifications---Section 164.312(a)(2)

(1)

Unique User Identification (Required)---Section 164.312(a)(2)(i)

(1)

Emergency Access Procedure (Required)---Section 164.312(a)(2)(ii)

(1)

Automatic log-off (Addressable)---Section 164.312(a)(2)(iii)

(1)

Encryption and Decryption (Addressable)---Section 164.312(a)(2)(iv)

(1)

Audit Controls (Standard)---Section 164.312(b)

(1)

Integrity

(1)

Integrity (Standard)---Section 164.312(c)(1)

(2)

Implementation Specification: Mechanism to Authenticate Electronic Protected Health Information (Addressable)---Section 164.312(c)(2)

(1)

Person or Entity Authentication (Standard)---Section 164.312(d)

(3)

Transmission Security---Section 164.312(e)

(1)

Transmission Security (Standard)---Section 164.312(e)(1)

(1)

Transmission Security Implementation Specifications---Section 164.312(e)(2)

(1)

Integrity Controls (Addressable)---Section 164.312(e)(2)(i)

(1)

Encryption (Addressable)---Section 164.312(e)(2)(ii)

(1)

Conclusion Regarding Technical Safeguards

(1)

Policies, procedures, and documentation---Section 164.316

(6)

Policies and Procedures (Standard)---Section 164.316(a)

(2)

Documentation---Section 164.316(b)

(1)

Documentation (Standard)---Section 164.316(b)(1)

(1)

Documentation Implementation Specifications---Section 164.316(b)(2)

(3)

Implementation

(6)

Steven Fleisher

Stephen Wu

The Process of Implementing the Security Rule

(1)

The State of Compliance

(5)

Enforcement

101

(26)

Francoise Gilbert

No Cumulative Civil and Criminal Penalties

102

(1)

Civil Violations

102

(2)

Criminal Violations

104

(3)

Private Right of Action

107

(1)

Final Rule for the Imposition of Civil Money Penalties

108

(19)

Regulatory Background

109

(1)

Development of the Final Enforcement Rule

109

(2)

Comparing the Final Enforcement Rule with Prior Drafts

111

(1)

Detailed Review of the Final Enforcement Rule

111

(1)

Applicability

111

(1)

HHS Oversight

111

(1)

Investigations and Compliance Review under the Enforcement Rule

112

(1)

Investigational Subpoenas

113

(1)

Request for Documents

113

(1)

Affirmative Defenses

114

(1)

Secretarial Action Regarding Complaints and Compliance Reviews

115

(1)

Notice of Proposed Determination

116

(1)

Failure to Request a Hearing

116

(1)

Hearing before Administrative Law Judge

117

(1)

Response to Notice

117

(1)

Discovery

117

(1)

Hearing and Decision

118

(2)

Appeal of the Administrative Law Judge's Decision

120

(2)

Civil Money Penalties

122

(1)

Basis for Civil Money Penalties

122

(1)

Amount of Civil Money Penalties

123

(1)

Violation of an Identical Requirement or Prohibition

124

(1)

Factors Considered in Determining the Amount of Civil Money Penalties

124

(1)

Collection of the Penalty

125

(1)

Waiver and Settlement

126

(1)

Third-Party Notification

126

(1)

Liability and Litigation

127

(10)

Kathryn Coburn

Liability and Litigation Overview

127

(6)

Risk Management

133

(4)

Conclusion

137

(2)

Stephen Wu

Appendix 1 HIPAA Administrative Simplification Provisions

139

(24)

Appendix 2 HIPAA Security and Privacy Regulations

163

(146)

Appendix 3 HIPAA Security Resources on the Internet

309

(4)

Index

313

More Information:

Table of contents