Maksim Avrukin asked:
HIPAA law or HITECH law

Hi
I'm trying to get myself familiar with HIPAA laws as they apply to the IT side of the organization. I'm going through multiple websites, or using some tools, that refer to some pieces of legal code such as 45 CFR 164.308(a)(1)(i) or 164.312(e)(1), etc., with explanations of what the Government wants. Where do I find a full list of what is required for HIPAA, with the actual legal words that explain what they want? The reason I would like to do that is that many websites or tools reference some random portions of the code, and I would like to go through the code myself and make sure I understand it and I'm not missing anything that others left out. I spent hours on HHS.gov but can't find a simple list to work with.

Thank you
gheist:

I am far from where HIPAA is relevant, but:
https://www.google.com/search?q=hipaa+checklist
ASKER CERTIFIED SOLUTION
btan:
madunix:

FYI, consider these five truths to help grasp how critical the security risk assessment is for achieving and demonstrating HIPAA compliance:
http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=447&cid=sm_1104859&appeal=sm
The simple idea is that PT (patient) identifiable information must be closely maintained and protected.
This is done on the application side, where each user is uniquely identified and access to records is recorded.

Since the environment can be diverse, each component has to be secured, auditable, ..
Application level: security/auditing.
Storage, if any (files/attachments/documents): file system level.
DB: database access, who has it and is it audited.....

The difficulty you will find yourself in, if you start by looking at the compliance side without identifying the environment you are dealing with, is that you will never find your way out of the HIPAA document, as it deals with everything from a single doctor's office and ........

If you are using a third-party provided application, it has to be HIPAA compliant, which in the minimalistic approach likely leaves the DB/file storage and access to the application to you.
Though I do not really advocate a checklist as a single one-off measure, it is a necessity as a baseline and as a self-assessment too. Primarily, the safeguards are to ensure the confidentiality and integrity of individual electronic protected health information (e-PHI). It covers such information at rest, in transit and in use, with controls mainly in the domains of access control, audit controls, integrity controls and transmission security.

Another important point, which some may miss, is that the Omnibus Rule extends HIPAA to business associates of covered entities and raised the stakes on regulatory compliance. Do see the 2014 update, which gives a useful summary of what needs to be complied with by covered entities and business associates as well.

For reference:
2014 update - http://www.lexology.com/library/document.ashx?g=18895da3-1837-42fe-b552-8276bee30c70
Privacy checklist - http://www.hollandhart.com/pdf/HIPAA-Privacy-Checklist-HH.pdf
Security checklist - http://www.hollandhart.com/pdf/HIPAA-Security-Checklist-HH.pdf