Ross A. Leo; ISBN 0849322111, 9780849322112
Table of contents :
The HIPAA Program Reference Handbook……Page 2
Back Cover……Page 3
Copyright Info……Page 5
CONTRIBUTORS……Page 7
DEDICATION……Page 12
TOC……Page 13
FOREWORD……Page 22
THE VISION……Page 24
COMMITTEE FOCUS……Page 25
HCCO HIAA Transaction Certification……Page 26
HCCO Security Certification for Vendor Products and Entity Sites……Page 27
HCCO ebXML EDI Interoperability Certification……Page 28
ACKNOWLEDGMENTS……Page 29
INTRODUCTION……Page 31
Part I PROGRAMS AND PROCESSES……Page 34
INTRODUCTION……Page 35
DEFINING THE ASSET IN QUESTION……Page 36
THE BEGINNING OF ALL THINGS HIPAA……Page 37
THE PRIVACY ROLES: CHIEF PRIVACY OFFICIAL……Page 38
TRAINING REQUIREMENTS……Page 39
SAFEGUARDS……Page 42
THE PRIVACY ROLES: PATIENT COMPLAINT OMBUDSMAN……Page 44
THE SECURITY ROLE: THE CHIEF SECURITY OFFICIAL……Page 45
TASKS AND ACTIONS: WHAT THE CSO MUST DO……Page 46
Policy, Process, and Procedure……Page 47
SECURITY MANAGEMENT PROGRAM……Page 48
Step One: Risk Analysis……Page 57
Step Two: Risk Management……Page 58
CONCLUSION……Page 64
GLOSSARY OF DEFINITIONS APPLICABLE TO THE SECURITY FUNCTION IN 45 CFR 164.304:……Page 65
INTRODUCTION……Page 67
HIPAA ARRIVES ON THE SCENE……Page 68
THE RULE-MAKING PROCESS……Page 69
THE SECURITY OBJECTIVES OF THE FINAL RULE DID NOT CHANGE SUBSTANTIALLY……Page 70
PRIVACY RULE REQUIREMENTS FOR SECURITY……Page 72
LET’S JUST BE REASONABLE……Page 74
THE SECURITY STANDARDS……Page 76
CHANGES TO THE PROPOSED STANDARDS IN THE FINAL RULE……Page 77
Security Management Process……Page 80
Information Access Management……Page 81
Security Incident Procedures……Page 82
Evaluation……Page 83
Physical Safeguards……Page 84
Workstation Security……Page 85
Access Control……Page 86
Person or Entity Authentication (Combined Authentication Requirements)……Page 87
Documentation and Other Related Standards……Page 88
PRAGMATIC APPROACH……Page 89
RISK, RISK, RISK!……Page 90
CONCLUSION……Page 91
BIBLIOGRAPHY……Page 92
INTRODUCTION……Page 93
RISKS OF NONCOMPLIANCE……Page 94
THE ROLE OF INDUSTRY STANDARDS……Page 95
A FLEXIBLE APPROACH: GOOD NEWS AND BAD NEWS……Page 96
Step 1: Business Requirements Definition……Page 97
Step 2: Business Impact Analysis……Page 100
DEPLOYING THE PEOPLE, PROCESSES, AND TECHNOLOGIES……Page 101
MERGING HIPAA INTO YOUR ENTERPRISE SECURITY PROGRAM……Page 102
NOTE……Page 104
WHAT IS NEEDED PRIOR TO BEGINNING A DATA CLASSIFICATION PROGRAM?……Page 105
STEP ONE: ASSIGNMENT OF ROLES……Page 107
STEP TWO: ASSIGNMENT OF RESPONSIBILITIES FOR EACH ROLE……Page 108
Authorized Requestors……Page 109
STEP FOUR: FIND AND CLASSIFY DATA……Page 110
STEP SIX: DEVELOPMENT OF A MAINTENANCE PLAN……Page 111
SUMMARY……Page 112
Part II STANDARDS AND COMPLIANCE……Page 114
ISO/IEC 17799 Standard……Page 115
ISO/IEC 17799 Web Site……Page 116
Approach and Philosophy……Page 118
Security Principles……Page 119
HIPAA Policies and Procedures Standard……Page 120
SECURITY ORGANIZATION……Page 121
HIPAA Organizational Requirements……Page 122
Other Arrangements……Page 123
ASSET CLASSIFICATION AND CONTROL……Page 124
PERSONNEL SECURITY……Page 125
HIPAA Workforce Security……Page 126
HIPAA Physical Safeguards……Page 127
HIPAA Integrity Controls and Transmission Security……Page 128
SYSTEM DEVELOPMENT AND MAINTENANCE……Page 129
HIPAA CONTINGENCY PLAN REQUIREMENTS……Page 130
HIPAA Security Core Requirements……Page 131
SUMMARY……Page 132
INTRODUCTION……Page 134
Background on HIPAA Privacy and Security……Page 135
DEVELOPMENT OF A RISK ASSESSMENT METHODOLOGY TO BE USED AS A DECENTRALIZED INFORMATION ASSURANCE DECISION-MAKING TOOL……Page 136
Key Characteristics of OCTAVE……Page 137
Transitioning the OCTAVE Method to the DOD Healthcare Community……Page 140
CONCLUSION……Page 142
REFERENCES……Page 143
INTRODUCTION……Page 145
FUNCTIONALITY PROVIDED BY WEB-BASED DEPLOYMENT……Page 146
Step 1: Issue Request for Proposal……Page 147
Step 2: Establish Security Organization Structure for Policy Review……Page 150
Step 3: Define What Makes a Good Security Policy……Page 152
B. Create, Modify Existing Policy……Page 155
D. Security Council Reviews and Recommends Policy……Page 156
F. Publish Policy……Page 157
Step 5: Installation and Configuration of Web-Based Policy Distribution Application……Page 158
A. How Are the Individual Users Set Up with the Product?……Page 159
C. How Easy Is It to Produce Accurate Compliance Reports?……Page 160
Step 7: Provide Training on the Tool……Page 161
Step 8: Rollout Policies in Phases……Page 163
Step 9: Monitor Compliance……Page 164
WHEW… TEN STEPS AND WE ARE DONE, RIGHT?……Page 166
FINAL THOUGHTS……Page 167
Part III ECONOMICS, LEGALITY, AND LIABILITY……Page 168
INTRODUCTION……Page 169
RISK ANALYSIS, RISK MANAGEMENT, AND A SANCTION POLICY ARE THE FOUNDATION OF SECURITY MANAGEMENT……Page 170
VULNERABILITY TESTING IS REQUIRED……Page 171
IN CONCLUSION……Page 172
REFERENCES……Page 173
TAKE MY ADVICE AT YOUR OWN RISK……Page 175
HIPAA RULES……Page 176
HIPAA AND DUE DILIGENCE……Page 177
PENALTIES AND LIABILITY……Page 178
WHAT IS COMPLIANCE?……Page 179
PLANNING SECURITY COMPLIANCE?……Page 181
What Can Be Done?……Page 183
CERTIFICATION OF COMPLIANCE……Page 185
Corporate Information Security Accountability Act……Page 186
Future……Page 187
CONCLUSION……Page 188
Part IV TRANSACTION AND INTERACTIONS……Page 189
INTRODUCTION……Page 190
OVERVIEW OF HIPAA INSURABILITY PROTECTIONS……Page 191
Eligibility for HIPAA Protections……Page 192
When an Employee Leaves a Job or Otherwise Loses Group Health Plan Coverage……Page 193
Know the State’s Law on Coverage……Page 194
Special Enrollment Rights to Other Group Coverage……Page 195
OVERVIEW OF HIPAA PRIVACY AND SECURITY RULES……Page 196
1. Patient is registered by the admitting clerk into the hospital's information database…….Page 198
4. The physician, after examining the patient, orders laboratory testing from the emergency department terminal…….Page 199
7. After the patient has been treated and released, the hospital patient accounting office submits a bill to the patient's insurance company…….Page 200
INFORMATICS TECHNOLOGIES IN HEALTHCARE……Page 201
CONCLUSION……Page 202
REFERENCES……Page 203
INTRODUCTION……Page 204
STRATEGY……Page 206
COMPLIANCE EDIT TESTING……Page 208
CASE STUDIES……Page 211
CONCLUSION……Page 212
INTRODUCTION……Page 215
DEPARTMENT OF HEALTH AND HUMAN SERVICES HAS A LARGE JOB……Page 216
DHHS HIPAA RESPONSIBILITIES……Page 218
Administrative Simplification Rule-Making Process……Page 220
Office of Civil Rights……Page 221
The Privacy Rule Complaint Process……Page 222
Centers for Medicare and Medicaid Services (CMS) Organization……Page 223
CMS and HIPAA……Page 224
CMS Transaction and Code Set Enforcement Approach……Page 226
CMS Office of HIPAA Standards (OHS)……Page 229
CMS Security Standard Approach……Page 230
National Health Information Infrastructure……Page 233
CONCLUSION: DHHS AND THE REST OF US……Page 234
REFERENCES……Page 236
Part V SECURITY, PRIVACY, AND CONTINUITY……Page 237
INTRODUCTION……Page 238
WHAT IS RISK ANALYSIS?……Page 239
THE “CLASSIC” METHOD OF RISK ANALYSIS……Page 241
STEPS IN A RISK ASSESSMENT……Page 242
SURVEY QUESTIONS……Page 243
THE TECHNICAL VULNERABILITY ASSESSMENT……Page 244
ENROLLING THE ORGANIZATION IN RISK MANAGEMENT……Page 245
AUTOMATING THE PROCESS……Page 246
SELECTING AN AUTOMATED RISK ASSESSMENT PACKAGE TO MEET THE RISK ANALYSIS REQUIREMENT OF THE HIPAA FINAL SECURITY RULE……Page 247
THE FUTURE OF RISK ASSESSMENT……Page 249
INTRODUCTION……Page 251
PHI-Related Software Development……Page 252
Reasonably Anticipated Threat Protection……Page 253
Impact on System Vendors……Page 254
Scalable Solutions……Page 255
HIPAA SECURITY RULE: MAKING PRODUCT SELECTIONS……Page 257
BIBLIOGRAPHY……Page 258
INTRODUCTION……Page 259
BCP BEST PRACTICES……Page 260
STEP ONE: INITIATION……Page 261
STEP TWO: BUSINESS IMPACT ANALYSIS……Page 262
STEP THREE: BUSINESS CONTINUITY STRATEGIES……Page 264
STEP FIVE: PLAN EXERCISE AND MAINTENANCE……Page 265
CONCLUSION……Page 267
Part VI APPENDICES……Page 268
AHIMA……Page 269
American National Standards Institute (ANSI)……Page 270
Business Relationships……Page 271
CHIME……Page 272
Compliance Date……Page 273
Data Content……Page 274
Data-Related Concepts……Page 275
Disclosure……Page 277
EMR……Page 278
HCFA Common Procedural Coding System (HCPCS)……Page 279
Health Industry Business Communications Council (HIBCC)……Page 280
HIMSS……Page 281
International Classification of Diseases (ICD)……Page 282
LTC……Page 283
Memorandum of Understanding (MOU)……Page 284
National Committee on Vital and Health Statistics (NCVHS)……Page 285
National Uniform Claim Committee (NUCC)……Page 286
NUCC……Page 287
Protected Health Information (PHI)……Page 288
Standard Transaction Format Compliance System (STFCS)……Page 289
Translator……Page 290
WEDI……Page 291
XML……Page 292
Business associate:……Page 293
45 CFR 160.202 Definitions [from the Final Privacy Rule]……Page 298
45 CFR 162.103 Definitions [from the Final Transactions & Code Sets Rule]……Page 300
45 CFR 164.501 Definitions [from the Final Privacy Rule]……Page 301
45 CFR 164.504 Uses and Disclosures: Organizational Requirements……Page 308
Purpose……Page 309
Maintenance……Page 310
Appendix B……Page 311
HIPAA Security Rule Standards, Implementation Specification, and NIST Resource Guide for Implementing……Page 312
POLICY……Page 325
Prohibited Uses……Page 326
Ownership and User Privacy of E-Mail……Page 327
Retention of Electronic Mail……Page 328
Provider/Patient Use of E-mail……Page 329
DEFINITIONS……Page 330
PURPOSE……Page 331
POLICY……Page 332
POLICY APPROVAL……Page 334
POLICY……Page 335
POLICY……Page 338
Introduction……Page 339
Definitions……Page 340
Accountability……Page 346
2. TERM……Page 347
6. REPORT OF IMPROPER DISCLOSURE or SYSTEMS COMPROMISE……Page 348
10. TERMINATION……Page 349
13. INJUNCTIVE RELIEF……Page 350
18. GOVERNMENT HEALTHCARE PROGRAM REPRESENTATIONS……Page 351
21. GOVERNING LAW……Page 352
Appendix D GUIDE TO HIPAA SECURITY ASSESSMENT……Page 353
Actions required to address these……Page 359
Comments……Page 360
Key Issues……Page 361
Roadblocks……Page 362
HIPAA Requirement……Page 363
Actions required to address these……Page 364
HIPAA Requirement……Page 365
Roadblocks……Page 366
Key Issues……Page 367
Roadblocks……Page 368
Actions required to address these……Page 369
Comments……Page 370
Explanation of HIPAA Regulation……Page 371
Actions highly recommended to address these……Page 372
HIPAA Requirement……Page 373
Actions required to address these……Page 374
Explanation of HIPAA Regulation……Page 375
Roadblocks……Page 376
HIPAA Requirement……Page 377
Actions required to address these……Page 378
HIPAA Requirement……Page 379
Key Issues……Page 380
Actions highly recommended to address these……Page 381
HIPAA Requirement……Page 382
Actions required to address these……Page 383
Explanation of HIPAA Regulation……Page 384
Roadblocks……Page 385
Key Issues……Page 386
Actions highly recommended to address these……Page 387
HIPAA Requirement……Page 388
Actions required to address these……Page 389
Actions highly recommended to address these……Page 390
Key Issues……Page 391
Comments……Page 392
Actions highly recommended to address these……Page 393
Actions required to address these……Page 394
HIPAA Requirement……Page 395
Actions highly recommended to address these……Page 396
Key Issues……Page 397
Roadblocks……Page 398
Explanation of HIPAA Regulation……Page 399
Comments……Page 400
Actions highly recommended to address these……Page 401
Explanation of HIPAA Regulation……Page 402
Comments……Page 403
HIPAA Requirement……Page 404
Actions required to address these……Page 405
Comments……Page 406
Index……Page 407