Information Security Management Handbook, Volume 6

Harold F. Tipton, Micki Krause Nozaki
504 pages, English

About This Book

Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 6 is the most comprehensive and up-to-date reference available on information security and assurance. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay


Information

Year
2016
ISBN
9781466559103
Edition
6
Subtopic
Management

Chapter 1


What Business Associates Need to Know about Protected Health Information under HIPAA and HITECH

Rebecca Herold

Introduction

Before launching into a discussion of protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), it is first important to have a basic understanding of HIPAA, and also why HIPAA even exists. This chapter first provides a high-level description of HIPAA and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH Act) to provide readers with the necessary background information to help better understand the term PHI. The chapter then describes certain specific types of information considered to be PHI, other situations where other information may be considered to be PHI, and then situations when these same information items do not fall under the definition of PHI. The chapter concludes with a set of recommendations for defining and protecting PHI within covered entities (CEs) and business associates (BAs), as they are defined within HIPAA and the HITECH Act.

HIPAA Overview

In today’s high-tech, always-online, network-connected world, relying on locked file cabinets, passwords, and encryption alone to protect health information is not realistic. In addition to the technology challenges, the laws that protect patient information form a diverse patchwork spread across a growing number of state, federal, and international laws and regulations. Before the dawn of the twenty-first century, patients’ health information could be distributed without notice for almost any reason, including reasons unrelated to healthcare or medical treatment. For example, such health information could be passed from an insurer to a lender, who could then deny the individual’s application for a mortgage or a loan. The health information could even be sent to an individual’s employer, who could then use it in personnel decisions.
By enacting HIPAA, Congress mandated that organizations must take specific actions to protect individually identifiable health information. HIPAA contains an important section called Administrative Simplification. The provisions of this section are intended to reduce the costs and administrative burdens of healthcare by standardizing many administrative and financial forms and transactions. Administrative Simplification includes the Privacy Rule and Security Rule subsections that mandate standards for safeguarding, physical storage and maintenance, transmission, and access of PHI. The privacy requirements are collectively referred to as the Privacy Rule, and the security, or safeguard, requirements are collectively referred to as the Security Rule.
The Privacy Rule was passed on 14 April 2001, and updated on 14 August 2002, with compliance required by most health plans, healthcare providers, and healthcare clearing houses, collectively referenced as CEs, by 14 April 2003. Those entities that do not comply with these regulations are subject to severe civil and criminal penalties.
The Privacy Rule has requirements to safeguard PHI by
Giving patients more control over their health information
Setting limitations on the use and release of health records
Establishing safeguards that CEs must implement to protect the privacy of health information
Holding those in noncompliance responsible through civil and criminal penalties for privacy violations
Attempting to create a balance between public responsibility for disclosure of some forms of information and the personal information of individual patients
Giving patients the opportunity to make informed choices when seeking care and reimbursement for care based on considering how personal health information can be used
Enabling patients to learn how their information can be used along with the disclosures of their information
Limiting release to only the minimal amount of information needed for required disclosures
Giving patients the right to examine and correct any mistakes in their personal health records
The Security Rule came into effect in 2005 and can be characterized as being many things, including:
A set of information security “best practices” that make good business sense
A minimum security baseline that is intended to help prevent unauthorized use and disclosure of PHI
An outline of what to do to establish a security program
Something that encourages healthcare organizations to embrace e-business and leverage the benefits that an improved technology infrastructure can provide
Standards to reduce the threats, vulnerabilities, and overall risks to PHI along with their associated costs and negative impact on the organization
It is important for CEs and BAs to understand that the Security Rule is not
A set of specific how-to instructions covering exactly how to secure PHI
A set of rules that must be implemented the same way for every organization
New, magical, or all that complicated
The overall goals of the Security Rule revolve around the confidentiality, integrity, and availability of electronic PHI. These terms are defined as
Confidentiality: The requirement that data stored or transmitted is revealed only to those authorized to see it
Integrity: The requirement that data remains free from unauthorized creation, modification, or deletion
Availability: The requirement that data is available when needed
When the proper policies, procedures, and technologies are in place, PHI can be reasonably protected against known threats and vulnerabilities. This will allow entities to protect against unauthorized uses and disclosures of PHI, a primary consideration of the HIPAA.

HITECH Overview

The HITECH Act is part of President Obama’s $787 billion stimulus package, known as the American Recovery and Reinvestment Act (ARRA) of 2009, which was signed into law on 17 February 2009. The HITECH Act was designed to help fulfill a promise that President Obama made in a speech on 8 January 2009, at George Mason University:*
To improve the quality of our health care while lowering its costs, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests…. But it just won’t save billions of dollars and thousands of jobs; it will save lives by reducing the deadly but preventable medical errors that pervade our health-care system.
The HITECH Act adds significant requirements to HIPAA. The bulk of the original HIPAA Security Rule and Privacy Rule requirements remain valid and should still be followed. It would be dangerous not to do so, not only from a compliance perspective, but also from an information security, privacy, and risk management point of view. The HITECH Act did not replace the HIPAA requirements; generally, it augmented HIPAA and expanded its requirements primarily by
Adding breach response requirements and additional BA contract requirements for the CEs
Greatly expanding the BA responsibilities for safeguarding PHI by requiring the BAs to follow the Security Rule requirements
Including a specific direction for rendering PHI unusable
Including the non-CE and non-BA r...
