HIPAA law or HITECH law

mavrukin asked:
I'm trying to get myself familiar with HIPAA laws as they apply to the IT side of the organization. I'm going via multiple websites or using some tools that refer to some pieces of legal code such as 45 CFR 164.308(a)(1)(i) or 164.312(e)(1) and extra with explanations on what the Government wants. Where do I find a full list of what is required for HIPAA with the actual legal words that explain what they want? The reason I would like to do that is because many websites or tools reference some random portions of the code, and I would like to go through the code myself and make sure I understand and I'm not missing anything that others left out. I spent hours over HHS.gov but can't find some simple list to work with.

Thank you


I am far from where HIPAA is relevant but:
Exec Consultant, Distinguished Expert 2018

I suggest you check out the HHS site below, which has their unofficial simplified combined rule text, and likewise the actual ones they provide on the site.
The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162, and 164, and includes:

Transactions and Code Set Standards
Identifier Standards
Privacy Rule
Security Rule
Enforcement Rule
Breach Notification Rule

For info -
HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically.  Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).

HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).

Another alternate useful resource as per above

FYI, consider five truths to help grasp how critical the security risk assessment is for achieving and demonstrating HIPAA compliance:
Distinguished Expert 2017

The simple idea is that PT identifiable information must be closely maintained and protected.
This is done on an application side where each user is uniquely identified and access to records is recorded.

Since the environment can be diverse, each component has to be secured, auditable, ...
Application level security/auditing.
Storage, if any (files/attachments/documents): file system level.
DB: database access, who has it and is it audited...

The difficulty you will find yourself in, if you start by looking at the compliance side without identifying the environment you are dealing with, is that you will never find your way out of the HIPAA document, as it deals with everything from a single doctor's office and ........

If you are using a third-party provided application, it has to be HIPAA compliant, likely leaving the DB/file storage and access to use the application to you in the minimalistic approach.
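The answer above describes the application-side mechanism in two sentences: every user is uniquely identified, and every access to a record is recorded. The following is an added example (not code from this thread or from any HIPAA guidance) showing what that looks like in practice: a small patient-record store with per-role field restrictions, and an append-only audit log in which every read attempt, allowed or denied, is written with an HMAC chained to the previous entry so that later edits or deletions of log entries are detectable. The patient records, user IDs, roles and the audit key are all constructed sample values for the demo.

```python
"""Application-level access control plus a tamper-evident audit trail for PHI reads.

Added illustration; all data and the audit key are constructed for the demo.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample records, keyed by patient id.
PATIENT_RECORDS = {
    "P-1001": {"name": "Alice Example", "diagnosis": "Hypertension"},
    "P-1002": {"name": "Bob Example", "diagnosis": "Type 2 diabetes"},
}

# Constructed users: each actor has its own unique id (no shared accounts).
USER_ROLES = {
    "dr.smith": "clinician",
    "billing01": "billing",
    "intern7": "guest",  # no permissions assigned on purpose
}

# Least privilege: which fields each role may see. Roles absent here see nothing.
ROLE_PERMISSIONS = {
    "clinician": {"name", "diagnosis"},
    "billing": {"name"},
}

# Demo key only; a real deployment would pull this from a KMS/HSM, never a source file.
AUDIT_KEY = b"constructed-demo-audit-key"
GENESIS_TAG = "0" * 64


class AuditLog:
    """Append-only log. Each entry's HMAC covers the entry and the previous tag,
    forming a chain, so removing or altering an earlier entry breaks verification."""

    def __init__(self):
        self.entries = []
        self._prev_tag = GENESIS_TAG

    def record(self, user, record_id, action, outcome, fields=()):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "record": record_id,
            "action": action,
            "outcome": outcome,
            "fields": sorted(fields),
            "prev": self._prev_tag,
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["tag"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
        self._prev_tag = entry["tag"]
        self.entries.append(entry)

    def verify(self):
        """Return True only if every entry's tag and chain link check out."""
        prev = GENESIS_TAG
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if body["prev"] != prev:
                return False  # an entry was removed or reordered
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry["tag"]):
                return False  # entry contents were altered
            prev = entry["tag"]
        return True


def read_record(audit, user, record_id):
    """Return only the fields the caller's role permits, or None when denied.
    Every attempt is logged, including denials and lookups of unknown ids."""
    role = USER_ROLES.get(user)
    allowed = ROLE_PERMISSIONS.get(role, set())
    record = PATIENT_RECORDS.get(record_id)
    if record is None or not allowed:
        audit.record(user, record_id, "read", "denied")
        return None
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user, record_id, "read", "allowed", view.keys())
    return view


if __name__ == "__main__":
    log = AuditLog()
    print(read_record(log, "dr.smith", "P-1001"))   # full record
    print(read_record(log, "billing01", "P-1001"))  # name only
    print(read_record(log, "intern7", "P-1001"))    # None, logged as denied
    print("audit chain intact:", log.verify())
```

The point of logging the denied attempts as well as the allowed ones is that a review of the trail can answer "who tried to look at this patient" rather than only "who succeeded"; the hash chain is what lets a reviewer trust that the trail has not been trimmed after the fact.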
btan (Exec Consultant, Distinguished Expert 2018)

Though I do not really advocate a checklist as the single measure, it is a necessity as a baseline and as a self-assessment too. Primarily the safeguards are to ensure the confidentiality and integrity of individual electronic protected health information (e-PHI). It covers such information at rest, in transit and in use, with controls mainly in the domains of access control, audit controls, integrity controls and transmission security.

Another important point which some may miss is that the Omnibus Rule extends HIPAA to business associates of covered entities and raised the stakes on regulatory compliance. Do see the 2014 update below, which covers in a useful summary what needs to be complied with by covered entities and business associates as well.

For ref:
2014 update- http://www.lexology.com/library/document.ashx?g=18895da3-1837-42fe-b552-8276bee30c70
privacy checklist - http://www.hollandhart.com/pdf/HIPAA-Privacy-Checklist-HH.pdf
security checklist - http://www.hollandhart.com/pdf/HIPAA-Security-Checklist-HH.pdf
