Health Information Security: HIPAA provides valuable information to implement security within health care organizations (or other organizations for that matter). In particular, the details of the HIPAA Final Security Rule are explained and illustrated. Learning objectives include:
- Apply every requirement of the HIPAA Security Rule to a health care entity.
- Describe a model of security in terms of administration, technical, and physical safeguards.
- Construct a life cycle of compliance in terms of awareness, gap analysis, risk analysis, implementation, training, and audit.
- Design access control and encryption systems.
- Assess costs of security compliance.
The book follows the February 2003 Security Rule closely and is a comprehensive guide to the problems that Rule anticipates and the solutions it calls for.
This book will also help you to:
- Understand the HIPAA Final Security Rule inside out,
- Know what health industry peers are doing,
- Obtain in-depth explanations and examples for complex topics such as risk analysis, role-based access control, and encryption,
- Have policies, procedures, forms, checklists, and spreadsheets to support your compliance program, and
- Know where to invest your limited dollars most cost-effectively so as to maximize the compliance impact.
Health Information Security: HIPAA is an authoritative, comprehensive, and incisive guide to the 2003 Security Rule. Every specification for administrative, technical, and physical security is explained in detail.
Table of Contents
1 SECURITY
1.1 WORKFLOW
1.2 LEVELS
1.3 COMPUTER SECURITY POLICIES
1.4 THE PROBLEM
1.5 CULTURE
1.5.1 Corporation
1.5.2 Culture Challenge
2 HIPAA’S SECURITY RULE
2.1 ADMINISTRATIVE SIMPLIFICATION
2.2 COVERED INFORMATION
2.2.1 Covered Entities
2.2.2 Information Protected
2.3 SCHEDULE AND PENALTIES
2.4 ADDRESSABLE
2.5 PREEMPTION
3 LIFE CYCLE
3.1 AWARENESS
3.2 GAP ANALYSIS
3.2.1 Baseline
3.2.2 Implementation
3.2.3 GAO Manual
3.2.4 EarlyView Tool
3.3 RISK ANALYSIS
3.3.1 Principles
3.3.2 Example
3.3.3 What the Rule Says
3.4 INFORMATION SECURITY OFFICER
3.5 TRAINING
3.5.1 The Rule
3.5.2 Content
3.5.3 Methods
3.6 QUALITY CONTROL
3.6.1 ISO 9000
3.6.2 The Rule
3.7 CARILION AND CHILDREN’S
4 ADMINISTRATIVE SAFEGUARDS
4.1 MANAGEMENT AND AWARENESS
4.2 WORKFORCE SECURITY
4.2.1 Supervision and Clearance
4.2.2 Termination
4.3 INFORMATION ACCESS
4.3.1 Regulation
4.3.2 Access Examples
4.4 INCIDENT PROCEDURES
4.5 CONTINGENCY PLAN
4.6 EVALUATION
4.7 CASE STUDIES
4.7.1 Kaiser Example
4.7.2 Mayo Example
4.7.3 Small Provider
4.8 MATRIX
5 TECHNICAL SAFEGUARDS
5.1 ACCESS CONTROL
5.2 AUDIT
5.2.1 Extreme Case
5.2.2 Not Needed
5.3 INTEGRITY
5.4 USER AUTHENTICATION
5.5 TRANSMISSION
5.6 ACCESS MODELS
5.6.1 Labels
5.6.2 Users and Roles
5.6.3 Role Hierarchies
5.7 CASE STUDIES
5.7.1 Authentication
5.7.2 Role-Based Software
5.7.3 Small Provider
5.7.4 Example Record Security
5.8 WORKFLOW SYSTEMS
6 ENCRYPTION
6.1 TRUSTED COMPUTING BASE
6.2 CRYPTOGRAPHY
6.3 PUBLIC-KEY INFRASTRUCTURE
6.3.1 Certificates
6.3.2 Management
6.3.3 Healthcare Enterprise Needs
6.4 VIRTUAL PRIVATE NETWORKS
6.5 ELECTRONIC SIGNATURES
6.5.1 Purpose
6.5.2 Laws
6.5.3 Authentication
6.6 EXAMPLE PKI
6.6.1 History of CHIME-Trust
6.6.2 Architecture
6.6.3 Services
6.6.4 Organizational Issues
6.7 EXAMPLE INTERNET TRANSACTIONS
7 ENTITY-TO-ENTITY
7.1 BUSINESS ASSOCIATE
7.1.1 Definition
7.1.2 Business Associate Contracts
7.1.3 Sample Contract
7.1.4 Scalability
7.2 HYBRID ENTITY
7.2.1 Affiliated Entities
8 PHYSICAL SAFEGUARDS
8.1 FACILITY ACCESS
8.1.1 Disaster Recovery and Repairs
8.1.2 Facility Security and Access
8.2 WORKSTATION
8.3 DEVICE AND MEDIA CONTROLS
8.4 EXAMPLES
8.4.1 Small Provider
8.4.2 Home Workers
8.4.3 Kaiser Local Area Network
8.4.4 Yale
8.4.5 University of North Carolina
9 FINANCIAL IMPACT
9.1 DHHS ESTIMATES
9.2 SCALING COSTS
9.3 IMPLEMENTATION MODEL
9.3.1 Construction
9.3.2 Insights
9.4 MAINTENANCE MODEL
9.4.1 Administrative
9.4.2 Technical and Physical
9.5 OVERALL
9.6 RISK ANALYSIS
9.7 MINIMUM AND MAXIMUM COST
9.7.1 Administrative
9.7.2 Technical
9.7.3 Physical
9.8 CONCLUSION
10 CONCLUSION
10.1 OVERVIEW
10.1.1 Life Cycle
10.1.2 Administration
10.1.3 Technology
10.2 FUTURE
10.2.1 Electronic Medical Records
10.2.2 HIPAA-Compliant Technology?
10.2.3 Vision
10.2.4 Direction
11 APPENDIX
11.1 THE LAW
11.2 SECURITY RULE
11.2.1 Administrative Safeguards
11.2.2 Physical Safeguards
11.2.3 Technical Safeguards
11.2.4 Organizational Requirements
11.3 SECURITY MATRIX
11.4 INFORMATION STEWARD POLICY
11.5 COMPETENCY TEST
12 REFERENCES
13 INDEX OF TERMS