Updated annually, the Information Security Management Handbook, Sixth Edition, Volume 6 is the most comprehensive and up-to-date reference available on information security and assurance. Bringing together the knowledge, skills, techniques, and tools required of IT security professionals, it facilitates the up-to-date understanding required to stay
Information Security Management Handbook, Volume 6, edited by Harold F. Tipton and Micki Krause Nozaki, is available in PDF and/or ePUB format, alongside other titles in Business & Management.
What Business Associates Need to Know about Protected Health Information under HIPAA and HITECH
Rebecca Herold
Introduction
Before launching into a discussion of protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA), it is first important to have a basic understanding of HIPAA, and also why HIPAA even exists. This chapter first provides a high-level description of HIPAA and the subsequent Health Information Technology for Economic and Clinical Health Act (HITECH Act) to provide readers with the necessary background information to help better understand the term PHI. The chapter then describes certain specific types of information considered to be PHI, other situations where other information may be considered to be PHI, and then situations when these same information items do not fall under the definition of PHI. The chapter concludes with a set of recommendations for defining and protecting PHI within covered entities (CEs) and business associates (BAs), as they are defined within HIPAA and the HITECH Act.
HIPAA Overview
In today’s high-tech, always-online, network-connected world, relying on locked file cabinets, passwords, and encryption alone to protect health information is not realistic. In addition to the technology challenges, the laws that exist to protect patient information form a diverse and fragmented patchwork spread across a growing number of state, federal, and international laws and regulations. Before the dawn of the twenty-first century, patients’ health information could be distributed without notice for almost any reason, including reasons unrelated to healthcare or medical treatment. For example, such health information could be passed from an insurer to a lender, who could subsequently deny the individual’s application for a mortgage or a loan. The health information could even be sent to an individual’s employer, who could then use it in making personnel decisions.
By enacting HIPAA, Congress mandated that organizations must take specific actions to protect individually identifiable health information. HIPAA contains an important section called Administrative Simplification. The provisions of this section are intended to reduce the costs and administrative burdens of healthcare by standardizing many administrative and financial forms and transactions. Administrative Simplification includes the Privacy Rule and Security Rule subsections that mandate standards for safeguarding, physical storage and maintenance, transmission, and access of PHI. The privacy requirements are collectively referred to as the Privacy Rule, and the security, or safeguard, requirements are collectively referred to as the Security Rule.
The Privacy Rule was passed on 14 April 2001, and updated on 14 August 2002, with compliance required by most health plans, healthcare providers, and healthcare clearinghouses, collectively referred to as CEs, by 14 April 2003. Entities that do not comply with these regulations are subject to severe civil and criminal penalties.
The Privacy Rule has requirements to safeguard PHI by
Giving patients more control over their health information
Setting limitations on the use and release of health records
Establishing safeguards that CEs must implement to protect the privacy of health information
Holding those in noncompliance responsible through civil and criminal penalties for privacy violations
Attempting to create a balance between public responsibility for disclosure of some forms of information and the personal information of individual patients
Giving patients the opportunity to make informed choices when seeking care and reimbursement for care based on considering how personal health information can be used
Enabling patients to learn how their information can be used along with the disclosures of their information
Limiting release to only the minimal amount of information needed for required disclosures
Giving patients the right to examine and correct any mistakes in their personal health records
The Security Rule came into effect in 2005 and can be characterized as being many things, including:
A set of information security “best practices” that make good business sense
A minimum security baseline that is intended to help prevent unauthorized use and disclosure of PHI
An outline of what to do to establish a security program
Something that encourages healthcare organizations to embrace e-business and leverage the benefits that an improved technology infrastructure can provide
Standards to reduce the threats, vulnerabilities, and overall risks to PHI along with their associated costs and negative impact on the organization
It is important for CEs and BAs to understand that the Security Rule is not
A set of specific how-to instructions covering exactly how to secure PHI
A set of rules that must be implemented the same way for every organization
New, magical, or all that complicated.
The overall goals of the Security Rule revolve around the confidentiality, integrity, and availability of electronic PHI. These terms are defined as
Confidentiality: The requirement that data stored or transmitted is revealed only to those authorized to see it
Integrity: The requirement that data remains free from unauthorized creation, modification, or deletion
Availability: The requirement that data is available when needed
When the proper policies, procedures, and technologies are in place, PHI can be reasonably protected against known threats and vulnerabilities. This allows entities to protect against unauthorized uses and disclosures of PHI, a primary concern of HIPAA.
HITECH Overview
The HITECH Act is part of President Obama’s $787 billion stimulus package, known as the American Recovery and Reinvestment Act (ARRA) of 2009, which was signed into law on 17 February 2009. The HITECH Act was designed to help fulfill a promise that President Obama made in a speech on 8 January 2009, at George Mason University:*
To improve the quality of our health care while lowering its costs, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized. This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests…. But it just won’t save billions of dollars and thousands of jobs; it will save lives by reducing the deadly but preventable medical errors that pervade our health-care system.
The HITECH Act adds significant requirements to HIPAA. The bulk of the original HIPAA Security Rule and Privacy Rule requirements remain valid and should still be followed; ignoring them would be dangerous, not only from a compliance perspective but also from an information security, privacy, and risk management point of view. The HITECH Act did not replace the HIPAA requirements. Generally, the HITECH Act augmented HIPAA and expanded its requirements primarily by
Adding breach response requirements and additional BA contract requirements for the CEs
Greatly expanding the BA responsibilities for safeguarding PHI by requiring the BAs to follow the Security Rule requirements
Including a specific direction for rendering PHI unusable
Including the non-CE and non-BA r...
Table of contents
Cover
Title Page
Copyright
Contents
Introduction
Editors
Contributors
DOMAIN 1: ACCESS CONTROL: Access Control Administration
DOMAIN 2: TELECOMMUNICATIONS AND NETWORK SECURITY: Internet, Intranet, Extranet Security
DOMAIN 3: INFORMATION SECURITY AND RISK MANAGEMENT: Security Management Concepts and Principles
Risk Management
Security Management Planning
Employment Policies and Practices
DOMAIN 4: APPLICATION DEVELOPMENT SECURITY: System Development Controls
Malicious Code
DOMAIN 5: CRYPTOGRAPHY: Cryptographic Concepts, Methodologies, and Practices
DOMAIN 6: SECURITY ARCHITECTURE AND DESIGN: Principles of Computer and Network Organizations, Architectures, and Designs