HIPAA law or HITECH law

Hi
I'm trying to get myself familiar with HIPAA laws as they apply to the IT side of the organization. I'm going through multiple websites or using some tools that refer to some pieces of the legal code, such as 45 CFR 164.308 (A)1(i) or 164.312 (e)(1) and so on, with explanations of what the Government wants. Where do I find a full list of what is required for HIPAA, with the actual legal words that explain what they want? The reason I would like to do that is that many websites or tools reference some random portions of the code, and I would like to go through the code myself and make sure I understand and am not missing anything that others left out. I spent hours on HHS.gov but can't find a simple list to work with.

Thank you
mavrukin asked:
gheist commented:
I am far from where HIPAA is relevant, but:
https://www.google.com/search?q=hipaa+checklist
btan (Exec Consultant) commented:
I suggest you check out the HHS site below, which has their unofficial simplified combined rule in exact text, and likewise the actual ones they provide on the site.
The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162, and 164, and includes:

Transactions and Code Set Standards
Identifier Standards
Privacy Rule
Security Rule
Enforcement Rule
Breach Notification Rule
http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html

For info -
HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.  Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).

HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
http://www.hhs.gov/ocr/privacy/hipaa/administrative/

Another useful resource, as above:
CFR 45 PART 160 — GENERAL ADMINISTRATIVE REQUIREMENTS
CFR 45 PART 162 — ADMINISTRATIVE REQUIREMENTS
CFR 45 PART 164 — SECURITY AND PRIVACY
http://www.hipaasurvivalguide.com/hipaa-regulations/hipaa-regulations.php
madunix (Fadi SODAH) commented:
FYI, consider five truths to help grasp how critical the security risk assessment is for achieving and demonstrating HIPAA compliance:
http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=447&cid=sm_1104859&appeal=sm
arnold commented:
The simple idea is that patient-identifiable information must be closely maintained and protected.
This is done on the application side, where each user is uniquely identified and access to records is recorded.

Since the environment can be diverse, each component has to be secured, auditable, and so on:
Application-level security/auditing.
Storage, if any (files/attachments/documents), at the file system level.
DB: database access, who has it and whether it is audited.

The difficulty you will find yourself in, if you start by looking at the compliance side without identifying the environment you are dealing with, is that you will never find your way out of the HIPAA document, as it deals with everything from a single doctor's office and ........

If you are using a third-party-provided application, it has to be HIPAA compliant, which in the minimalistic approach likely leaves the DB/file storage and access to the application to you.
btan (Exec Consultant) commented:
Though I do not really advocate a checklist as the single measure, it is a necessity as a baseline and as a self-assessment too. Primarily, the safeguards are about ensuring the confidentiality and integrity of individual electronic protected health information (e-PHI). This covers such information at rest, in transit and in use, with controls mainly in the domains of access control, audit controls, integrity controls and transmission security.

Another important point which some may miss is that the Omnibus Rule extends HIPAA to business associates of covered entities and raised the stakes on regulatory compliance. Do see the 2014 update below, which covers in a useful summary what needs to be complied with by covered entities and business associates as well.

For reference:
2014 update- http://www.lexology.com/library/document.ashx?g=18895da3-1837-42fe-b552-8276bee30c70
privacy checklist - http://www.hollandhart.com/pdf/HIPAA-Privacy-Checklist-HH.pdf
security checklist - http://www.hollandhart.com/pdf/HIPAA-Security-Checklist-HH.pdf