
The HIPAA program reference handbook

AU2211_title 10/27/04 8:33 AM Page 1

The HIPAA Program Reference Handbook

Ross Leo

Editor

AUERBACH PUBLICATIONS

A CRC Press Company

Boca Raton London New York Washington, D.C.

This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.

Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.

All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-2211-1/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying.

Direct all inquiries to CRC Press, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.

Visit the Auerbach Web site at www.auerbach-publications.com

© 2005 by CRC Press

Auerbach is an imprint of CRC Press

No claim to original U.S. Government works

International Standard Book Number 0-8493-2211-1

Library of Congress Card Number 2004046397

Printed in the United States of America 1 2 3 4 5 6 7 8 9 0

Library of Congress Cataloging-in-Publication Data

The HIPAA program reference handbook / Ross Leo, editor.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2211-1 (alk. paper)
1. Medical records--Law and legislation--United States. 2. United States. Health Insurance Portability and Accountability Act of 1996. I. Leo, Ross.
KF3827.R4 H5652
344.7304'1--dc22
2004046397

AU2211_C000.fm Page iv Thursday, October 28, 2004 9:30 AM

AUERBACH PUBLICATIONS

www.auerbach-publications.com

To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401

E-mail: [email protected]

OTHER AUERBACH PUBLICATIONS

Agent-Based Manufacturing and Control Systems: New Agile Manufacturing Solutions for Achieving Peak Performance
Massimo Paolucci and Roberto Sacile. ISBN: 1574443364

Curing the Patch Management Headache
Felicia M. Nicastro. ISBN: 0849328543

Cyber Crime Investigator's Field Guide, Second Edition
Bruce Middleton. ISBN: 0849327687

Disassembly Modeling for Assembly, Maintenance, Reuse and Recycling
A. J. D. Lambert and Surendra M. Gupta. ISBN: 1574443348

The Ethical Hack: A Framework for Business Value Penetration Testing
James S. Tiller. ISBN: 084931609X

Fundamentals of DSL Technology
Philip Golden, Herve Dedieu, and Krista Jacobsen. ISBN: 0849319137

The HIPAA Program Reference Handbook
Ross Leo. ISBN: 0849322111

Implementing the IT Balanced Scorecard: Aligning IT with Corporate Strategy
Jessica Keyes. ISBN: 0849326214

Information Security Fundamentals
Thomas R. Peltier, Justin Peltier, and John A. Blackley. ISBN: 0849319579

Information Security Management Handbook, Fifth Edition, Volume 2
Harold F. Tipton and Micki Krause. ISBN: 0849332109

Introduction to Management of Reverse Logistics and Closed Loop Supply Chain Processes
Donald F. Blumberg. ISBN: 1574443607

Maximizing ROI on Software Development
Vijay Sikka. ISBN: 0849323126

Mobile Computing Handbook
Imad Mahgoub and Mohammad Ilyas. ISBN: 0849319714

MPLS for Metropolitan Area Networks
Nam-Kee Tan. ISBN: 084932212X

Multimedia Security Handbook
Borko Furht and Darko Kirovski. ISBN: 0849327733

Network Design: Management and Technical Perspectives, Second Edition
Teresa C. Piliouras. ISBN: 0849316081

Network Security Technologies, Second Edition
Kwok T. Fung. ISBN: 0849330270

Outsourcing Software Development Offshore: Making It Work
Tandy Gold. ISBN: 0849319439

Quality Management Systems: A Handbook for Product Development Organizations
Vivek Nanda. ISBN: 1574443526

A Practical Guide to Security Assessments
Sudhanshu Kairab. ISBN: 0849317061

The Real-Time Enterprise
Dimitris N. Chorafas. ISBN: 0849327776

Software Testing and Continuous Quality Improvement, Second Edition
William E. Lewis. ISBN: 0849325242

Supply Chain Architecture: A Blueprint for Networking the Flow of Material, Information, and Cash
William T. Walker. ISBN: 1574443577

The Windows Serial Port Programming Handbook
Ying Bai. ISBN: 0849322138

CONTRIBUTORS

Oscar Boultinghouse, M.D.

Dr. Oscar Boultinghouse currently serves as the Director of Correctional Telemedicine for the University of Texas Medical Branch, Correctional Managed Care Division, which is recognized as the largest telemedicine program in the world. He is the former Director of Operations and Medical Director for the UTMB Center for Telehealth and Distance Education. He is a recognized authority in the use of telemedicine in extremely remote environments and in disaster support. Formerly the Director of UTMB's Life Flight Operation, he currently serves as the Medical Director of Texas-3 DMAT. Dr. Boultinghouse is a board-certified Emergency Medicine Specialist and is currently pursuing a master's degree in Health Informatics.

Mary Brown, CISSP, CISA

Mary Brown had 13 years of experience in the accounting and audit field when she developed an interest in IT and in information security in particular. For the past seven years, Mary has focused largely on network and application security. She has extensive experience in risk analysis and information security policy development. She is one of the founding members of the Healthcare Security Professional Interest Group, which meets to develop community standards for information security in healthcare settings. Mary is also a member of the Computer Security Institute (CSI), the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA). She has a B.S. in Management Information Systems from Metropolitan State University and a master's degree in Information Technology with a specialization in information security from Capella University. She has earned her CISSP and CISA, which are internationally recognized certifications for expertise in information security and IT auditing respectively. Mary works as a Senior Information Security Specialist for a large urban teaching hospital in Minnesota and has been working for Capella University teaching system assurance and networking and on developing and refreshing information security and assurance course curriculum since 2002.

Johnathan Coleman, CISSP, CISM

Johnathan Coleman joined the ATI team in May of 2001 as a Program Manager in the Information Protection Technology Division. He brings ten years of leadership and technical project management experience in information security, distributed communications networks, information systems consulting, and technical risk management. Mr. Coleman is leading the effort in training the approximately 170 Department of Defense Medical Information Security Readiness Teams in a SEI/CERT-developed approach to conducting threat and vulnerability assessments that meet HIPAA data security requirements, and has authored subject-specific training materials (instructor and train-the-trainer manuals) for use by the DOD. He is also responsible for the design and development (using proven software engineering processes) of multimedia demonstration software used to assist in the training and execution of organizational vulnerability and risk assessments.

Todd Fitzgerald, CISSP, CISA

Todd Fitzgerald is the Director of Information Systems Security and serves as the Systems Security Officer for United Government Services, LLC (part of the WellPoint Health Networks family of companies), which is the largest processor of Medicare Part A claims. Todd is a member of the Board of Directors and co-chair of the Security Taskforce for the HIPAA Collaborative of Wisconsin (www.hipaacow.org), a nonprofit corporation formed to promote sharing between Wisconsin health plans, clearinghouses, and providers. He is a participant in the Centers for Medicare and Medicaid Services/Gartner Security Best Practices Workgroup and the Blue Cross Blue Shield Association Information Security Advisory Group, a board member of the International Systems Security Association (ISSA) Milwaukee Chapter, and previously a board member for the ISSA Delaware Valley Chapter serving Pennsylvania, Maryland, Delaware, and New Jersey. Todd has held various broad-based senior management Information Technology positions with Fortune 500 and Fortune Global 250 companies such as IMS Health, Zeneca, Syngenta, and American Airlines, and prior positions with Blue Cross Blue Shield United of Wisconsin. Todd has authored articles on HIPAA security and frequently presents at conferences and association meetings to promote security awareness. Todd has earned a B.S. in Business Administration from the University of Wisconsin-LaCrosse and an M.B.A. with highest honors from Oklahoma State University.

Brian Geffert, CISSP, CISA

Brian Geffert is a senior manager for Deloitte & Touche's Security Services Practice and specializes in information systems controls and solutions. Brian has worked on the development of HIPAA assessment tools and security services for healthcare industry clients to determine the level of security readiness with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, he has implemented solutions to assist organizations addressing their HIPAA security readiness issues. Finally, Brian is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).

Caroline Ramsey Hamilton

Caroline is the founder and president of RiskWatch, Inc., and she spends most of her time working directly with large private companies, U.S. federal agencies, and state governments to create better ways of managing their risk. Caroline is internationally recognized as an expert in security risk management. She participated as a charter member of the Risk Manager's Model Builders Workshop sponsored by the National Institute of Standards and Technology from 1989 to 1997; she was appointed as a working group member to build a working model for risk management, the Defensive Information Warfare Risk Management Model, under the auspices of the Office of the Secretary of Defense. She is currently working with the Maritime Security Council and the U.S. Coast Guard in the development of risk and vulnerability assessment guidelines for Port Security.

Ross A. Leo, CISSP, CHS-III

Ross Leo has been an information security professional for over 23 years. Most of this time was spent at NASA Mission Control, during which time Ross wrote many volumes and papers on information security policy, risk analysis, secure design standards and practices, disaster recovery, and contingency planning. A recent paper, "Single Sign-on," appeared in the fourth edition of the Handbook of Information Security Management. As co-chairman of the international Generally Accepted System Security Principles Committee (GASSPC), he co-authored and saw the publication of the GASSP Version 2. Ross's experience covers a broad range of enterprises. He has worked internationally as a Systems Analyst, Systems Engineer, IT Auditor, and Security Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, Coopers & Lybrand, Rockwell International, and Dynegy. From 1999 to 2002, he was Director of Security Engineering and Chief Security Architect for the Mission Control Center at the Johnson Space Center. Presently, Ross is the Director of Information Systems and Chief Information Security Officer for the Correctional Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.

Mark Lott

Mark Lott is an information technology professional whose primary focus is within the software quality assurance environment. He has managed successful implementations for many Fortune 100 companies while introducing and enhancing clients' software testing methodologies. He has spent the last 15 years as a software tester, project manager, quality assurance manager, and consultant. Mark is currently serving as Chairman of HCCO (HIPAA Conformance Certification Organization), serving the healthcare community with practical guidelines for complying with HIPAA regulation through the use of accreditation and certification standards and services. He has effectively led the industry in the creation of a national interoperability testing process for HIPAA transactions, ensuring compliance software is accurately and thoroughly tested. A featured speaker at conferences and local industry groups, Mark has shared his insights and real-world experience educating people as to the value and critical nature of incorporating proven software testing methodologies and change management within the software delivery life cycle.

Steven B. Markin

Steven B. Markin is a New York attorney and president of ComplyGuard Networks, Inc., a venture to aid covered entities in meeting the challenge of HIPAA compliance.

Kevin C. Miller

Kevin C. Miller has been a communications and journalism professional for over ten years, including five years as a spokesman and journalist for the U.S. Coast Guard. He has been published in magazines and newspapers internationally and is currently the public relations coordinator for Strohl Systems, a global leader in the business continuity planning software and services market. He can be reached at [email protected].

Uday O. Ali Pabrai, CHSS, SCNA

Creator of the first program on HIPAA skills certification and author of the number one book on HIPAA, Getting Started with HIPAA, Uday O. Ali Pabrai is a highly sought-after HIPAA consultant, security expert, and an exceptional speaker. Uday is an AIP Fellow and Board member, SITI member, and past chair of the Subject Matter Expert Committee for CompTIA's Internet and security certifications. Previously, as founder and CEO of Net Guru Technologies, he created the world-leading Certified Internet Webmaster (CIW) program. Uday is the co-creator of the highly successful, enterprise-centric, Security Certified Program (SCP).

Keith Pasley, CISSP

Keith Pasley is an information security professional with over 19 years of experience in the information technology field. Keith has designed and implemented security architectures for businesses in a variety of industries including healthcare and financial services. Keith is a Senior Systems Engineer. He can be reached at [email protected].


Ken M. Shaurette, CISSP, CISA, CISM, NSA-IAM

Ken M. Shaurette is an Information Security Solutions Manager for MPC Security Solutions located in Pewaukee, Wisconsin. Ken began gaining IT experience in 1978 and has managed information security professionals and programs, and provided information security and audit advice and vision, for companies building information security programs since 1985. As a frequent speaker at regional and national seminars and conferences, Ken has also contributed white papers and other writing on security back to the industry. Ken is the Chairman of the Information Security Specialist Advisory Board for Milwaukee Area Technical College, President of the Western Wisconsin Chapter of InfraGard, President of ISSA-Milwaukee Chapter (International Systems Security Association), a member of the Wisconsin Association of Computer Crime Investigators (WACCI), a participant in the Cyber Security Alliance (www.staysafeonline.info), co-chair of the HIPAA-COW (Collaborative of Wisconsin) Security Workgroup, and co-chair of the annual Wisconsin InfraGard KIS (Kids Improving Security) Poster Contest.


DEDICATION

To my family, the best cheering section to be found anywhere, and especially my wife who leads it.

CONTENTS

Foreword
Preface
Acknowledgments
Introduction

PART I: PROGRAMS AND PROCESSES

1 The Roles and Responsibilities
  Ross A. Leo, CISSP, CHS-III
  Introduction
  Setting the Record Straight
  Defining the Asset in Question
  The Beginning of All Things HIPAA
  The Privacy Roles: Chief Privacy Official
    Training Requirements
    Training Follow-Through
    Safeguards
  The Privacy Roles: Patient Complaint Ombudsman
  The Security Role: The Chief Security Official
    Tasks and Actions: What the CSO Must Do
    Policy, Process, and Procedure
    Security Management Program
    Step One: Risk Analysis
    Step Two: Risk Management
  Conclusion
  Bibliography

2 The Final HIPAA Security Rule Is Here! Now What?
  Todd Fitzgerald, CISSP, CISA
  Introduction
  HIPAA Arrives on the Scene
  The Rule-Making Process
  The Security Objectives of the Final Rule Did Not Change Substantially
  Privacy Rule Requirements for Security
  The Final HIPAA Security Rule
  Let's Just Be Reasonable
  The Security Standards
  Changes to the Proposed Standards in the Final Rule
  Administrative Safeguards
    Security Management Process
    Assigned Security Responsibility
    Workforce Security
    Information Access Management
    Security Awareness and Training
    Security Incident Procedures
    Contingency Plan
    Evaluation
    Business Associate Contracts and Other Arrangements
  Physical Safeguards
    Facility Access Controls
    Workstation Use
    Workstation Security
    Device and Media Controls
  Technical Safeguards
    Access Control
    Audit Controls
    Integrity (Formerly Data Authentication)
    Person or Entity Authentication (Combined Authentication Requirements)
    Transmission Security
  Documentation and Other Related Standards
  Pragmatic Approach
  Risk, Risk, Risk!
  Conclusion
  Bibliography

3 Incorporating HIPAA Security Requirements into an Enterprise Security Program
  Brian T. Geffert, CISSP, CISA
  Introduction
  Meeting HIPAA Security Requirements
  Risks of Noncompliance
  Enterprise Security and HIPAA
  The Role of Industry Standards
  A Flexible Approach: Good News and Bad News
  Risk-Based Solutions
  Building a Security Decision Framework
    Step 1: Business Requirements Definition
    Step 2: Business Impact Analysis
    Step 3: Solution Implementation
    Step 4: Compliance Monitoring
  Deploying the People, Processes, and Technologies
  Merging HIPAA into Your Enterprise Security Program
  HIPAA and a New Level of Information Protection
  Acknowledgment
  Note

4 Steps to an Effective Data Classification Program
  Mary Brown, CISSP, CISA
  Introduction
  What Is Needed Prior to Beginning a Data Classification Program?
  Step One: Assignment of Roles
  Step Two: Assignment of Responsibilities for Each Role
    Department Heads
    Data Custodians
    Authorized Requestors
    Account Managers
  Step Three: Define the Data
  Step Four: Find and Classify Data
  Step Five: Creation of Access Profiles Using Role-Based Access
  Step Six: Development of a Maintenance Plan
  Summary

PART II: STANDARDS AND COMPLIANCE

5 HIPAA Security and the ISO/IEC 17799
  Uday O. Ali Pabrai, S+, CHSS, SCNA
  Introduction
  ISO 17799 and HIPAA
    ISO/IEC 17799 Standard
    ISO/IEC 17799 Web Site
    Approach and Philosophy
    Security Principles
  Security Policy
    HIPAA Security Policy
    HIPAA Policies and Procedures Standard
    HIPAA Documentation Standard
      Time Limit (Required)
      Availability (Required)
      Updates (Required)
  Security Organization
    HIPAA Organizational Requirements
      Business Associate Contracts
      Other Arrangements
      Group Health Plan
  Asset Classification and Control
    HIPAA System Management Process
