The HIPAA Program Reference Handbook
This book contains information obtained from authentic and highly regarded sources. Reprinted material is quoted with permission, and sources are indicated. A wide variety of references are listed. Reasonable efforts have been made to publish reliable data and information, but the author and the publisher cannot assume responsibility for the validity of all materials or for the consequences of their use.
Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher.
All rights reserved. Authorization to photocopy items for internal or personal use, or the personal or internal use of specific clients, may be granted by CRC Press, provided that $1.50 per page photocopied is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 USA. The fee code for users of the Transactional Reporting Service is ISBN 0-8493-2211-1/04/$0.00+$1.50. The fee is subject to change without notice. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying.
Direct all inquiries to CRC Press, 2000 N.W. Corporate Blvd., Boca Raton, Florida 33431.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation, without intent to infringe.
Visit the Auerbach Web site at www.auerbach-publications.com
© 2005 by CRC Press
Auerbach is an imprint of CRC Press
No claim to original U.S. Government works
International Standard Book Number 0-8493-2211-1
Library of Congress Card Number 2004046397
Printed in the United States of America 1 2 3 4 5 6 7 8 9 0
Library of Congress Cataloging-in-Publication Data
The HIPAA program reference handbook / Ross Leo, editor.
p. cm.
Includes bibliographical references and index.
ISBN 0-8493-2211-1 (alk. paper)
1. Medical records--Law and legislation--United States. 2. United States. Health Insurance Portability and Accountability Act of 1996. I. Leo, Ross.
KF3827.R4 H5652
344.7304'1--dc22
2004046397
AUERBACH PUBLICATIONS
www.auerbach-publications.com
To Order Call: 1-800-272-7737 • Fax: 1-800-374-3401
OTHER AUERBACH PUBLICATIONS
Agent-Based Manufacturing and Control Systems: New Agile Manufacturing Solutions for Achieving Peak Performance
Massimo Paolucci and Roberto Sacile
Disassembly Modeling for Assembly, Maintenance, Reuse and Recycling
A. J. D. Lambert and Surendra M. Gupta
ISBN: 1574443348
The Ethical Hack: A Framework for Business Value Penetration Testing
James S. Tiller
ISBN: 084931609X
Fundamentals of DSL Technology
Philip Golden, Herve Dedieu, and Krista Jacobsen
ISBN: 0849319137
The HIPAA Program Reference Handbook
Ross Leo
ISBN: 0849322111
Implementing the IT Balanced Scorecard: Aligning IT with Corporate Strategy
Jessica Keyes
ISBN: 0849326214
Information Security Fundamentals
Thomas R. Peltier, Justin Peltier, and John A. Blackley
ISBN: 0849319579
Information Security Management Handbook, Fifth Edition, Volume 2
Harold F. Tipton and Micki Krause
ISBN: 0849332109
Introduction to Management of Reverse Logistics and Closed Loop Supply Chain Processes
Mobile Computing Handbook
Imad Mahgoub and Mohammad Ilyas
ISBN: 0849319714
MPLS for Metropolitan Area Networks
Nam-Kee Tan
ISBN: 084932212X
Multimedia Security Handbook
Borko Furht and Darko Kirovski
ISBN: 0849327733
Network Design: Management and Technical Perspectives, Second Edition
Teresa C. Piliouras
ISBN: 0849316081
Network Security Technologies, Second Edition
Kwok T. Fung
ISBN: 0849330270
Outsourcing Software Development Offshore: Making It Work
Tandy Gold
ISBN: 0849319439
Quality Management Systems: A Handbook for Product Development Organizations
Vivek Nanda
ISBN: 1574443526
A Practical Guide to Security Assessments
Sudhanshu Kairab
ISBN: 0849317061
The Real-Time Enterprise
Dimitris N. Chorafas
ISBN: 0849327776
Software Testing and Continuous Quality Improvement, Second Edition
William E. Lewis
ISBN: 0849325242
Supply Chain Architecture: A Blueprint for Networking the Flow of Material, Information, and Cash
William T. Walker
ISBN: 1574443577
The Windows Serial Port Programming Handbook
Ying Bai
ISBN: 0849322138
Oscar Boultinghouse, M.D.
Dr. Oscar Boultinghouse currently serves as the Director of Correctional Telemedicine for the University of Texas Medical Branch, Correctional Managed Care Division, which is recognized as the largest telemedicine program in the world. He is the former Director of Operations and Medical Director for the UTMB Center for Telehealth and Distance Education. He is a recognized authority in the use of telemedicine in extremely remote environments and in disaster support. Formerly the Director of UTMB's Life Flight Operation, he currently serves as the Medical Director of Texas-3 DMAT. Dr. Boultinghouse is a board certified Emergency Medicine Specialist and is currently pursuing a master's degree in Health Informatics.
Mary Brown, CISSP, CISA
Mary Brown had 13 years of experience in the accounting and audit field when she developed an interest in IT and in information security in particular. For the past seven years, Mary has focused largely on network and application security. She has extensive experience in risk analysis and information security policy development. She is one of the founding members of the Healthcare Security Professional Interest Group, which meets to develop community standards for information security in healthcare settings. Mary is also a member of the Computer Security Institute (CSI), the Information Systems Audit and Control Association (ISACA), and the Information Systems Security Association (ISSA). She has a B.S. in Management Information Systems from Metropolitan State University and a master's degree in Information Technology with a specialization in information security from Capella University. She has earned her CISSP and CISA, which are internationally recognized certifications for expertise in information security and IT auditing respectively. Mary works as a Senior Information Security Specialist for a large urban teaching hospital in Minnesota and has been working for Capella University teaching system assurance and networking and on developing and refreshing information security and assurance course curriculum since 2002.
Johnathan Coleman, CISSP, CISM
Johnathan Coleman joined the ATI team in May of 2001 as a Program Manager in the Information Protection Technology Division. He brings ten years of leadership and technical project management experience in information security, distributed communications networks, information systems consulting, and technical risk management. Mr. Coleman is leading the effort in training the approximately 170 Department of Defense Medical Information Security Readiness Teams in a SEI/CERT developed approach to conducting threat and vulnerability assessments that meet HIPAA data security requirements, and has authored subject-specific training materials (instructor and train-the-trainer manuals) for use by the DOD. He is also responsible for the design and development (using proven software engineering processes) of multimedia demonstration software used to assist in the training and execution of organizational vulnerability and risk assessments.
Todd Fitzgerald, CISSP, CISA
Todd Fitzgerald is the Director of Information Systems Security and serves as the Systems Security Officer for United Government Services, LLC (part of the WellPoint Health Networks family of companies), which is the largest processor of Medicare Part A claims. Todd is a member of the Board of Directors and co-chair of the Security Taskforce for the HIPAA Collaborative of Wisconsin (www.hipaacow.org), a nonprofit corporation formed to promote sharing between Wisconsin health plans, clearinghouses, and providers. He is a participant of the Centers for Medicare and Medicaid Services/Gartner Security Best Practices Workgroup, the Blue Cross Blue Shield Association Information Security Advisory Group, a board member of the International Systems Security Association (ISSA) Milwaukee Chapter, and previously a board member for the ISSA—Delaware Valley Chapter serving Pennsylvania, Maryland, Delaware, and New Jersey. Todd has held various broad-based senior management Information Technology positions with Fortune 500 and Fortune Global 250 companies such as IMS Health, Zeneca, Syngenta, and American Airlines and prior positions with Blue Cross Blue Shield United of Wisconsin. Todd has authored articles on HIPAA security and frequently presents at conferences and association meetings to promote security awareness. Todd has earned a B.S. in Business Administration from the University of Wisconsin-LaCrosse and a M.B.A. with highest honors from Oklahoma State University.
Brian Geffert, CISSP, CISA
Brian Geffert is a senior manager for Deloitte & Touche's Security Services Practice and specializes in information systems controls and solutions. Brian has worked on the development of HIPAA assessment tools and security services for healthcare industry clients to determine the level of security readiness with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations. In addition, he has implemented solutions to assist organizations addressing their HIPAA security readiness issues. Finally, Brian is a Certified Information Systems Security Professional (CISSP) and a Certified Information Systems Auditor (CISA).
Caroline Ramsey Hamilton
Caroline is the founder and president of RiskWatch, Inc., and she spends most of her time working directly with large private companies, U.S. federal agencies, and state governments to create better ways of managing their risk. Caroline is internationally recognized as an expert in security risk management. She participated as a charter member of the Risk Manager's Model Builders Workshop sponsored by the National Institute of Standards and Technology from 1989 to 1997; she was appointed as a working group member to build a working model for risk management, the Defensive Information Warfare Risk Management Model, under the auspices of the Office of the Secretary of Defense. She is currently working with the Maritime Security Council and the U.S. Coast Guard in the development of risk and vulnerability assessment guidelines for Port Security.
Ross A. Leo, CISSP, CHS-III
Ross Leo has been an information security professional for over 23 years. Most of this time was spent at NASA Mission Control, during which time Ross wrote many volumes and papers on information security policy, risk analysis, secure design standards and practices, disaster recovery, and contingency planning. A recent paper, "Single Sign-on," appeared in the fourth edition of the Handbook of Information Security Management. As co-chairman of the international Generally Accepted System Security Principles Committee (GASSPC), he co-authored and saw the publication of the GASSP Version 2. Ross's experience covers a broad range of enterprises. He has worked internationally as a Systems Analyst, Systems Engineer, IT Auditor, and Security Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, Coopers & Lybrand, Rockwell International, and Dynegy. From 1999 to 2002, he was Director of Security Engineering and Chief Security Architect for the Mission Control Center at the Johnson Space Center. Presently, Ross is the Director of Information Systems and Chief Information Security Officer for the Correctional Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Mark Lott
Mark Lott is an information technology professional whose primary focus is within the software quality assurance environment. He has managed successful implementations for many Fortune 100 companies while introducing and enhancing clients' software testing methodologies. He has spent the last 15 years as a software tester, project manager, quality assurance manager, and consultant. Mark is currently serving as Chairman of HCCO (HIPAA Conformance Certification Organization), serving the healthcare community with practical guidelines for complying with HIPAA regulation through the use of accreditation and certification standards and services. He has effectively led the industry in the creation of a national interoperability testing process for HIPAA transactions, ensuring compliance software is accurately and thoroughly tested. A featured speaker at conferences and local industry groups, Mark has shared his insights and real-world experience educating people as to the value and critical nature of incorporating proven software testing methodologies and change management within the software delivery life cycle.
Uday O. Ali Pabrai, CHSS, SCNA
Creator of the first program on HIPAA skills certification and author of the number one book on HIPAA, Getting Started with HIPAA, Uday O. Ali Pabrai is a highly sought-after HIPAA consultant, security expert, and an exceptional speaker. Uday is an AIP Fellow and Board member, SITI member, and past chair of the Subject Matter Expert Committee for CompTIA's Internet and security certifications. Previously, as founder and CEO of Net Guru Technologies, he created the world-leading Certified Internet Webmaster (CIW) program. Uday is the co-creator of the highly successful, enterprise-centric, Security Certified Program (SCP).
Keith Pasley, CISSP
Keith Pasley is an information security professional with over 19 years of experience in the information technology field. Keith has designed and implemented security architectures for businesses in a variety of industries including healthcare and financial services. Keith is a Senior Systems Engineer. He can be reached at securityminded@comcast.net.
Ken M. Shaurette, CISSP, CISA, CISM, NSA-IAM
Ken M. Shaurette is an Information Security Solutions Manager for MPC Security Solutions located in Pewaukee, Wisconsin. Ken began gaining IT experience in 1978 and has provided managed information security professionals and programs, and provided information security and audit advice and vision, for companies building information security programs since 1985. As a frequent speaker at regional and national seminars and conferences, Ken has also contributed white papers and other writing on security back to the industry. Ken is the Chairman of the Information Security Specialist Advisory Board for Milwaukee Area Technical College, President of the Western Wisconsin Chapter of InfraGard, President of ISSA-Milwaukee Chapter (International Systems Security Association), a member of the Wisconsin Association of Computer Crime Investigators (WACCI), a participant in the Cyber Security Alliance (www.staysafeonline.info), co-chair of the HIPAA-COW (Collaborative of Wisconsin) Security Workgroup, and co-chair of the annual Wisconsin InfraGard KIS (Kids Improving Security) Poster Contest.
To my family, the best cheering section to be found anywhere, and especially my wife who leads it.
PART I: PROGRAMS AND PROCESSES
1 The Roles and Responsibilities
Ross A. Leo, CISSP, CHS-III
Introduction
Setting the Record Straight
Defining the Asset in Question
The Beginning of All Things HIPAA
The Privacy Roles: Chief Privacy Official
Training Requirements
Training Follow-Through
Safeguards
The Privacy Roles: Patient Complaint Ombudsman
The Security Role: The Chief Security Official
Tasks and Actions: What the CSO Must Do
Policy, Process, and Procedure
Security Management Program
Step One: Risk Analysis
Step Two: Risk Management
Conclusion
Bibliography
2 The Final HIPAA Security Rule Is Here! Now What?
Todd Fitzgerald, CISSP, CISA
Introduction
HIPAA Arrives on the Scene
The Rule-Making Process
The Security Objectives of the Final Rule Did Not Change Substantially
Privacy Rule Requirements for Security
The Final HIPAA Security Rule
Let's Just Be Reasonable
The Security Standards
Changes to the Proposed Standards in the Final Rule
Administrative Safeguards
Security Management Process
Assigned Security Responsibility
Workforce Security
Information Access Management
Security Awareness and Training
Security Incident Procedures
Contingency Plan
Evaluation
Business Associate Contracts and Other Arrangements
Physical Safeguards
Facility Access Controls
Workstation Use
Workstation Security
Device and Media Controls
Technical Safeguards
Access Control
Audit Controls
Integrity (Formerly Data Authentication)
Person or Entity Authentication (Combined Authentication Requirements)
Transmission Security
Documentation and Other Related Standards
Pragmatic Approach
Risk, Risk, Risk!
Enterprise Security and HIPAA
The Role of Industry Standards
A Flexible Approach: Good News and Bad News
Risk-Based Solutions
Building a Security Decision Framework
Step 1: Business Requirements Definition
Step 2: Business Impact Analysis
Step 3: Solution Implementation
Step 4: Compliance Monitoring
Deploying the People, Processes, and Technologies
Merging HIPAA into Your Enterprise Security Program
HIPAA and a New Level of Information Protection
Acknowledgment
Note
4 Steps to an Effective Data Classification Program
Mary Brown, CISSP, CISA
Step Four: Find and Classify Data
Step Five: Creation of Access Profiles Using Role-Based Access
Step Six: Development of a Maintenance Plan
Summary
PART II: STANDARDS AND COMPLIANCE
5 HIPAA Security and the ISO/IEC 17799
Uday O. Ali Pabrai, S+, CHSS, SCNA
Introduction
ISO 17799 and HIPAA
ISO/IEC 17799 Standard
ISO/IEC 17799 Web Site
Approach and Philosophy
Security Principles
Security Policy
HIPAA Security Policy
HIPAA Policies and Procedures Standard
HIPAA Documentation Standard
Time Limit (Required)
Availability (Required)
Updates (Required)
Security Organization
HIPAA Organizational Requirements
Business Associate Contracts
Other Arrangements
Group Health Plan
Asset Classification and Control
HIPAA System Management Process
Business Continuity Planning
HIPAA Contingency Plan Requirements
6 Execution of a Self-Directed Risk Assessment Methodology to Address HIPAA Data Security as a Decentralized Information Assurance Decision-Making Tool
DOD's Health Information Assurance Risk Assessment Methodology
Key Characteristics of OCTAVE
Results
Transitioning the OCTAVE Method to the DOD Healthcare Community
Attendees' Evaluation of the OCTAVE Training Seminars
Conclusion
Acknowledgments
References
7 Ten Steps to Effective Web-Based Security Policy Development and Distribution
Todd Fitzgerald, CISSP, CISA
Introduction
Enter the Electronic Age
Functionality Provided by Web-Based Deployment
A Pragmatic Approach to Successful E-Policy Deployment
Step 1: Issue Request for Proposal
Step 2: Establish Security Organization Structure for Policy Review
Step 3: Define What Makes a Good Security Policy
Step 4: Establish Security Policy Review Process
A. Policy Need Determined
B. Create, Modify Existing Policy
C. Internal Review by Security Department
D. Security Council Reviews and Recommends Policy
E. Information Technology Steering Committee Approves Policy
F. Publish Policy
Step 5: Installation and Configuration of Web-Based Policy Distribution Application
A. How Are the Individual Users Set Up with the Product?
B. Is E-Mail Supported?
C. How Easy Is It to Produce Accurate Compliance Reports?
D. How Do Users Authenticate to the Tool?
Step 6: Pilot Test Policy Deployment Tool with Users
Step 7: Provide Training on the Tool
Step 8: Rollout Policies in Phases
Step 9: Monitor Compliance
Step 10: Manage Ongoing Process for Policy Violations
Whew … Ten Steps and We Are Done, Right?
Final Thoughts
PART III: ECONOMICS, LEGALITY, AND LIABILITY
8 HIPAA Privacy Rules Require Security Compliance
Steven B. Markin
Introduction
What Is "Reasonable" Under the Privacy Rules?
Risk Analysis, Risk Management, and a Sanction Policy Are the Foundation of Security Management
Vulnerability Testing Is Required
How Frequently Do I Need to Perform Vulnerability Testing?
In Conclusion
References
9 Legalities and Planning: The Stake Is in the Ground
Ken M. Shaurette, CISSP, CISA, CISM, IAM
Introduction
Take My Advice at Your Own Risk
HIPAA Rules
HIPAA and Due Diligence
Penalties and Liability
What Is Compliance?
Planning Security Compliance?
What Can Be Done?
Certification of Compliance
Other Legislation's Potential Impact
Sarbanes–Oxley Act (SOX)
Corporate Information Security Accountability Act
California's SB1386
Future
Conclusion
PART IV: TRANSACTION AND INTERACTIONS
10 HIPAA from the Patient’s Point of View
Oscar Boultinghouse, M.D.
Introduction
Overview of HIPAA Insurability Protections
Understand the Various Types of Health Coverage
Types of Coverage
Eligibility for HIPAA Protections
When the Employee Is Hired for a New Job
When an Employee Leaves a Job or Otherwise Loses Group Health Plan Coverage
Determine the Impact of Any Preexisting Condition
Eligibility to Minimize the Length of the Preexisting Condition Exclusion
Know the State's Law on Coverage
Understand Other Coverage Protections
Special Enrollment Rights to Other Group Coverage
Overview of HIPAA Privacy and Security Rules
The Privacy Rule
The Security Rule
Electronic Transactions
Informatics Technologies in Healthcare
12 The Role of DHHS, CMS, OCR, and OHS
Todd Fitzgerald, CISSP, CISA
CMS Transaction and Code Set Enforcement Approach
CMS Office of HIPAA Standards (OHS)
CMS Security Standard Approach
National Health Information Infrastructure
Conclusion: DHHS and the Rest of Us
References
PART V: SECURITY, PRIVACY, AND CONTINUITY
13 The HIPAA Security Risk Analysis
Caroline Ramsey Hamilton
Introduction
What Is Risk Analysis?
The “Classic” Method of Risk Analysis
Risk Assessment Methodology
Steps in a Risk Assessment
The Vulnerability Assessment
Survey Questions
The Technical Vulnerability Assessment
Vulnerability Assessment Results
Enrolling the Organization in Risk Management
The Cost Benefit — Establishing Return-on-Investment (ROI)
Automating the Process
Selecting an Automated Risk Assessment Package to Meet the Risk Analysis Requirement of the HIPAA Final Security Rule
Risk Assessment Is Good Management
The Future of Risk Assessment
14 HIPAA Security Compliance: What It Means for Developers, Vendors, and Purchasers
Keith Pasley, CISSP
Introduction
HIPAA Security Rule: What Software Developers Should Know
PHI-Related Software Development
Reasonably Anticipated Threat Protection
HIPAA Security Rule: How Vendors Can Help
Impact on System Vendors
Scalable Solutions
HIPAA Security Rule: Making Product Selections
Note
Bibliography
15 Issues and Considerations for Business Continuity Planning under HIPAA
Kevin C. Miller
Introduction
BCP Best Practices
Step One: Initiation
Step Two: Business Impact Analysis
Step Three: Business Continuity Strategies
Step Four: Plan Construction
Step Five: Plan Exercise and Maintenance
Conclusion
PART VI: APPENDICES
A Part I: A HIPAA Glossary
Part II: Consolidated HIPAA Administrative Simplification Final Rule Definitions
Part III: Purpose and Maintenance
Purpose
Maintenance
B HIPAA Security Rule Standards, Implementation Specifications, and NIST Resource Guide for Implementing HIPAA
Definitions
References/Related Policies
Policy Development
Policy Approval
Reviews
Appendix C.2
Information Stewardship Policy
Purpose
Policy
Definitions
References/Related Policies
Policy Development
Policy Approval
Reviews
Appendix C.3
Information Systems Access Policy
Purpose
Policy
Password Policy
Purpose
Policy
Appendix C.4
eHealth Code of Ethics
Vision Statement
Introduction
Definitions
Responsible Partnering
Accountability
Appendix C.5
Chain of Trust Agreement
D Guide to HIPAA Security Assessment
Prepared by WorkSmart MD, A Meyer Technologies, Inc. Company
The Security Requirements of HIPAA
Requirements for Security Administration
Requirements for Physical Safeguards
Requirements for Technical Security Services and Mechanisms
There are many books that deal with the various aspects of the HIPAA regulations yet very few include the pertinent facts of all three: transactions, privacy, and security. It is pleasing to read a collection of works that encompasses all three aspects of complying with HIPAA in an easy-to-understand manual of the regulations and how organizations can readily and informatively move their organizations towards HIPAA compliance. The solutions presented here for developing strategies for HIPAA transactions, privacy, and security areas are straightforward and provide detailed strategies for implementation across healthcare organizations and their business partners.
The HIPAA Program Reference Handbook has been written for several audiences. First, it is intended for high-level managers to help them more fully understand the various aspects involved in complying with the law and its implementing regulations. Second, this volume provides guidance on creating and coordinating a cohesive and enforceable policy framework, and related procedures within an organization. Third, this book provides much-needed information, based on real experience, to help individual project teams come to know the necessary requirements in other program implementation areas, thus ensuring that the teams' responses to the regulation are designed and implemented correctly to ensure compliance across the spectrum of this broad legislation.
In order for successful implementation of cohesive HIPAA policies and procedures, healthcare organizations must understand regulation requirements and responsibilities and how to effectively manage compliance and change. This compendium contains practical explanations for creating and combining the necessary work efforts and strategies for implementing successful and cost-effective solutions for organizations affected by HIPAA regulations.
Taking on HIPAA can be an extremely complex and daunting task for even the most well-prepared and organized healthcare entity. Complicating things further, with many functions being performed through business associates and third-party vendors, it is a challenge to adequately coordinate all the various policies, procedures, and technology enhancements required for such a large undertaking.
Although everyone agrees that such a program is a very large undertaking, there is a significant part of the healthcare community, in a variety of disciplines, who have dedicated themselves to ensure adequate knowledge transfer to assist all those in the industry elsewhere who need help.
Management places faith that all aspects will come together in a timely manner, but usually does so without any clear idea of what exactly the completed project will produce, whether it will meet expectations, or how all the major pieces and subprojects will ultimately fit together. This volume provides these managers and teams with the information and insight that validates their faith, confirms direction and progress, and permits them to make midcourse corrections confidently when and where necessary.
This book's approach combines the best features of techniques used individually by experts in the field, yet when combined can be instrumental in the overall success of an organization in regard to their aspects of succeeding within HIPAA regulations and compliance.
Mark Lott
Chairman, HCCO
THE HIPAA CONFORMANCE CERTIFICATION ORGANIZATION
HCCO is a nonprofit organization serving the healthcare community with practical guidelines for complying with HIPAA regulation through a certification and accreditation process using national standards. HCCO is the industry leader in bringing interoperability of HIPAA transactions to healthcare through its CCAP testing programs. HCCO believes that all cost-effective and successful compliance strategies will require a common approach to implementation among communities of covered entities, their software vendors, and business associates. HCCO offers effective and affordable solutions for all organizations involved in HIPAA compliance initiatives.
THE VISION
To provide national leadership in the development and establishment of conformance, certification and accreditation criteria and standards, for products, services, processes and methodologies used by covered entities and their business associates to confirm their compliance with the regulations promulgated pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the associated Standards and Implementation Guides. HCCO shall develop and maintain criteria and standards, and implement a program to certify the application of HCCO criteria and standards towards conforming products, services, processes, and methodologies.
THE HCCO MISSION
The core mission of HCCO is to establish criteria and standards for independent evaluation of the conformance of products, services, processes, and methodologies to all aspects of HIPAA Title II rules for transactions, privacy, and security. It is expected that HCCO criteria and standards will result in functional equivalency between equally certified products, services, processes, and methodologies.
COMMITTEE ORGANIZATION
HCCO has a committee for each specific area of HIPAA: transactions, security and privacy, legal issues, administrative simplification, and harmonization (of standards and or application). It is inherent in the committee's proper functioning to be inclusive, rather than exclusive. It is also inherent in the committee's composition that a balance should exist between technical and nontechnical and managerial and nonmanagerial.
COMMITTEE FOCUS
Each committee works on the adaptation (of existing and applicable) or establishment of standards and conformance criteria in the aspect of HIPAA that is its focus. The standards and criteria will include technology, policy, procedure, and professional practice. The intent is not to “reinvent the wheel,” but rather to draw from the best of the work already done in the area of standards and adapt it for application to the requirements of HIPAA. For example, the HCCO Security, Privacy, and Continuity Committee is evaluating existing standards against the requirements of the HIPAA Privacy and Security Rules to determine their applicability as potential models for industrywide standards. Examples include ISO 15408 (the Common Criteria), ISO 17799 (BS 7799), the Generally Accepted Systems Security Principles (GASSP), guidance issued by the National Institute of Standards and Technology (NIST), and similar organizations.
Continuing the example, the committee will take from these and other sources the best of their content, and develop a set of standards, compliance criteria, policy and procedure templates, and process frameworks that can then be generally applied in a given healthcare setting. Vendors seeking HIPAA certification against these standards will be encouraged to submit designs, specifications, templates, and product samples for evaluation and potential certification. The committee will apply its evaluation process to the vendor item, and, for those attaining certification, will issue a formal statement to the vendor to so indicate.
Given this focus, the committee must maintain independence so that it may issue credible and uncompromised opinions as to the certification status of any given vendor product or service submitted to this process. In keeping with this practice, members will not be limited in any way with respect to the committee’s activities or evaluation processes except in those cases where a potential conflict of interest may exist.
Some examples of HCCO product and service offerings follow.
HCCO CCAP Interoperability Testing for HIPAA Compliance
HCCO is the industry leader in fostering interoperability in all HIPAA transactions. CCAP is a community testing effort with the nation’s largest EDI translators and EDI validators to align HIPAA compliance edits with each other to promote interoperable transactions. CCAP is the only process available to vendors to test interoperability across healthcare-covered entities.
HIPAA Test File Programs
HCCO’s HIPAA test file program uses various test conditions for all HIPAA transactions for organizations to test for common compliance understanding, to ensure compliant transactions and interoperability with all other participants.
HCCO Free EDI Testing
HCCO invites all covered entities, business associates, and software vendors to use our free HIPAA EDI testing engine. Our testing community is guaranteed to be up to date with the latest compliance edits and is interoperable with over 90 percent of all healthcare organizations that use EDI technology certified under the CCAP Platinum Program.
HCCO HIPAA Transaction Certification
HCCO offers HIPAA transaction certification for all covered entities, business associates, and software vendors. HCCO certification is definitive proof of your compliance capabilities, and because HCCO testing is free, we have removed any obstacles from the healthcare community so they can continually test their software for HIPAA compliance.
HCCO Privacy Certification for Business Associates
The HCCO board of directors approved the HCCO Privacy Certification Program for Business Associates. The HCCO Business Associate Certification Program conforms to the HIPAA Privacy and Security Rules.
HCCO Security Certification for Vendor Products and Entity Sites
HCCO will soon offer a review and certification program for vendors of systems, software, and other technologies to covered entities and provider organizations. In addition, HCCO will soon be offering a certification program for covered entity sites which will affirm that their processes, systems, and operations conform to the requirements of the HIPAA Security standards and requirements.
HCCO HIPAA Medical Banking Certification Program
HCCO offers healthcare covered entities, financial institutions, and their business partners an industry-specific HIPAA Medical Banking Certification. This industry-leading certification is focused solely on the capability of institutions to properly handle the 835 and 820 HIPAA transaction sets.
HCCO Accreditation of Third-Party HIPAA Certifiers
HCCO is pleased to announce the establishment of our accreditation program for organizations that want to become third-party certifiers for HCCO HIPAA Transactions and Business Associate Certification Programs.
HCCO ebXML EDI Interoperability Certification
HCCO, the leader in bringing interoperability to healthcare, is proud to partner with the UCC and Drummond Group to bring ebXML interoperability testing to healthcare.
I want to thank those authors who participated in the construction of this first edition of the HIPAA Standard Reference Handbook. It is no small task to put together a work covering something as vast as a law can be, and making the parts of it clear and accessible to those who must implement it. It is neither easy nor quick in the doing. Nor can it be done by one person. It is a team effort, and I have been very fortunate to have had the team I have had in this project. Should it be successful, it will be because of their contributions and belief in its importance and necessity.
It is hoped that this is the first in a series for this work; a work whose purpose is to bring usable information and guidance to professionals who are responsible for implementing the regulations that underlie and are the substance of the law itself. The Health Insurance Portability and Accountability Act is rather simple in its text, but deep and wide in its effect on the healthcare industry. It is not the Act itself, but the text of the regulations found in Title 45 of the Code of Federal Regulations that are complex to understand. Much confusion and even fear of the potential impact of this legal body pervades healthcare institutions and the professionals working in them. Speaking for myself and the contributors to this volume, it is our hope that the information contained herein will dispel some of that, and add value to the efforts of those who will read it.
I also want to thank my publisher, Rich O’Hanley at CRC Press, for his belief in this project, and his support during its construction. His sharp rational mind and ready, well-tried advice to me throughout this project was sometimes funny, sometimes painful, but always important and always useful.
And finally I want to thank one individual in particular. My good friend and mentor, Hal Tipton, gave me my first “official” position in the early 1980s as ISO for the Johnson Space Centre. My career, more than twenty years hence, has found me participating in many “firsts,” and working on many of the projects that produced the foundational principles and best practices of the Information Security Profession. I have had the privilege of working with Hal on several of those projects and on other occasions, including co-teaching the (ISC)2 CISSP Review Seminar to candidates preparing for the professional certification examination. He has been a consistent and ready source of encouragement and sound counsel in all my efforts. Over the years, I have come to know him as a man of deep dedication to our profession, of great personal integrity, and a most worthy friend.
Only I know all the steps that make up the last twenty years of my professional practice, and it would take a long time to recount them. Suffice it to say that without his starting me on this path, and being a positive influence, guide, counselor, and example from then on, my professional life would have turned out very differently, and this book would ultimately not have been possible. Thanks, Hal.
Now that HIPAA is here, a new day has dawned in healthcare. Or has it? HIPAA is one of the most important and pervasive pieces of legislation and regulation to take flight in recent years, yet many in healthcare still don’t understand what it is, and specifically, what they are expected to do about it. It is not surprising that they don’t: although the law itself is fairly simple in its wording, the Code of Federal Regulations that specifies how to implement, sets standards, and so on is very thick indeed. This is to say nothing of its portent. It is this portent that concerns the authors who contributed to this body of work.
People seem to agree that electronic payment processing is an idea whose time has come. So the rules regarding transaction code sets (and all that entails) seem to be okay. No one seems to have a problem with the privacy rules; at least not in theory. Everyone has trouble with the security rules, however you look at it. According to my research, there are three reasons for these ambivalent (and stronger) feelings.
The first is that many believe that HIPAA is too big and too expensive to work; therefore it is doomed to failure. The second is that there are just as many who believe that the change required by it is too great; this is to say, the amount and type of change are more than they can manage properly over the long implementation period HIPAA will require. The third is fear: fear that the foregoing are correct, fear that they will be forced to “do HIPAA” anyway, and fear that they will suffer the legal penalties no matter what they do. Is there truth to any of this? There may well be, even if you took away the fear factor.
The greatest is fear of the unknown. They have heard so many stories: nightmare tales of the costs to implement the regulations, nightmare tales about how unwieldy the implementation is because the rules are somewhat vague, standards do not provide enough information to implement, and on and on. The most pernicious fear among these is that those responsible know a lot of what needs doing, but they have not the foggiest notion about whether, after all the dust settles, their programs and systems do in fact comply with the Act and how that will be tested and measured. No one seems to be able to tell them clearly either. This brings me to the purpose for this book.
The concept embodied here is clarity. The contributors to this volume are seasoned veterans who have spent time in the trenches working out the issues and problems associated with implementing programs to become compliant with the HIPAA requirements, as specified in Title 45 of the Federal Code of Regulations, Sections 160 to 164. Some of them are consultants, some are full-time employees of covered entities, and some work for the standards bodies. All of them have worked first-hand with the standards and requirements, and are sharing from that experience in these pages.
The book is organized into five parts. The first part covers “Programs and Processes.” This section discusses topics such as due diligence; program design and implementation; workforce education; human dynamics; issues analysis; a review of the legislation, policy, and procedure development; internal control structures and requirements; the chief privacy officer role; chief security officer role; and other foundational matters. The second part, “Standards and Compliance,” covers topics related to product, policy, technology, and process standards, all of which are focused on helping an organization achieve compliance with the legislation’s mandates and requirements. The compliance portion addresses what standards of performance, execution, and due care must be met to actually establish organizational compliance. An additional chapter, “HIPAA Programs: Design and Implementation” by Chris Brown, CISSP, CISA, will appear in the March/April 2005 issue of Information Systems Security, and concurrent with the publication of this book on the journal’s Web site, www.infosectoday.com.
The third section, “Finance, Economics, Legality, and Liability,” deals with the aspects and analysis of the law in particular, its impacts, and the issues of liability associated with senior management, specific roles (CPO, CSO, CISO, et al.), and staff within the organization.
Section Four, “Transactions and Interactions,” discusses the nature and intricacies of the transaction types, standards, methods, and implementations required by the Act. The authors cover the flow of payments and patient information within the organization, and between it, payers, government agencies, and other entities.
Section Five, “Security and Privacy,” discusses the security and privacy requirements, standards, methods, and implementations required by the Act. Chapters in this section describe human and machine requirements, interface issues, functions, and other aspects of the technology required to successfully implement the required security and privacy measures in a compliant manner.
In this first edition, I have attempted to capture current useful information from practitioners on the leading edge, and I believe I have succeeded. The materials in these pages present different viewpoints in different venues and application areas from professionals in them. There will always be the theoretical methodology describing the ideal approach. The writers here have captured the pragmatics, and present information and experience that is valuable and applicable now.
Ross A. Leo, Editor
Throughout the text of the Act, various requirements are referred to as “required,” or “addressable.” These roles fall into the former category. These can be assigned within the workforce of the covered entity, or, alternatively, hired in the absence of sufficiently qualified employees. Those so emplaced are charged to ensure that the organization moves purposefully toward a state of compliance, and so to remain once there. The secretary of the Department of Health and Human Services (DHHS) is charged with the responsibility and authority to implement and enforce the Act itself. The official effective date for compliance with this portion of the Act has come and gone; that much is certain. That the work described here is vital and required to continue is also certain. What is not yet clear is how precisely this will be accomplished or measured: by whom, by when, and with what yardstick.
AU2211_book.fm Page 3 Tuesday, October 26, 2004 10:42 AM
The HIPAA Program Reference Handbook
SETTING THE RECORD STRAIGHT
The Health Insurance Portability and Accountability Act, Public Law 104-191, was signed into law on August 21, 1996 by then President Bill Clinton. Subsequently, various other activities have occurred relative to this law that amplify, clarify, and elaborate on the five titles within the law itself, including the privacy rules and the final security rules. Under Subtitle F: “Administrative Simplification,” Section 261 “Purpose” of the Act reads:
It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.
It is clear from this example that seldom, if ever, can a federal law like HIPAA be enacted and enforced directly from its basic text. To do this requires a body of implementing regulations that describe the detailed mechanics and processes that make the law work. Given that Congress did not act to produce these within the timeframe specified in the law, the secretary of the Department of Health and Human Services was empowered to do so.
That regulatory framework comes under the Federal Code of Regulations (CFR), Title 45 “Public Welfare, Volume 1, Subtitle A: Department of Health and Human Services General Administration, Subchapter C: Administrative Data Standards and Related Requirements, Parts 160 through 164.” The several hundred pages of text found here is what actually implements HIPAA. The discussion on security and privacy that follows derives from Title II of the law itself, called “Administrative Simplification.” This is not intended to be a thick legalistic piece, and so to simplify reading, when a reference is made to “the Act,” the reference applies to this entire body of material.
DEFINING THE ASSET IN QUESTION
Our concern here is the asset governed by HIPAA known as “health information,” as defined in Part II 45 CFR 160.103, as it relates to a specifically identifiable individual or individuals. This health information pertains to the physical or psychological status of an individual, whether past, present, or future, that is created, collected, or otherwise in the care of a functional entity such as a health plan, provider, school, university, or other entity, and relates in any way to provision of care or payment for that care, regardless of timeframe. This information can be in any form: written, oral, or electronically stored.
The Roles and Responsibilities
The essence of the “protected health information” concept is permitting those persons and business entities with a clear and reasonable “need to know” to create, collect, and maintain that information in accordance with business requirements, and preventing disclosure of it to those parties that have a murky need, or none at all. This, it is believed, will provide reasonable protection to individuals from adverse consequences, and possibly predatory or otherwise inappropriate marketing practices caused by disclosures of this information.
It is believed by most that there is a very close, intertwined relationship between privacy and security within the context of HIPAA. The basic mission of any information security program is to ensure the preservation of Confidentiality, Integrity, and Availability (C-I-A) of that information, and privacy, for all intents, equates to Confidentiality. This relationship is best described as privacy being the goal, and security, in all its forms, being the tool to achieve it. More precisely stated, security is that set of mechanisms, controls, and practices that is employed to ensure that privacy (confidentiality) of health information is gained and maintained in accordance with the statutes.
In the following sections, we discuss privacy and the roles of those directly involved with it at the program or institutional level. Following that, we discuss security, at which point I elaborate on the ideas mentioned above.
THE BEGINNING OF ALL THINGS HIPAA
It is a common and valuable practice to begin with a “gap analysis.” This is a formal investigatory method to determine where strengths and weaknesses lie so that they can be correctly addressed and mitigated. These take various forms, but in the case of privacy, the gap analysis is best performed through interview and questionnaire, using a standard question set that relates directly to the specific requirements of the Act.
The questionnaires are quite often long and detailed, but some example questions would be:
1. Has someone been designated as having responsibility for addressing privacy issues, and overseeing corrective action to achieve compliance with the Act?
2. Have you established a policy or set of documents that outlines your entity’s policies, procedures, controls, and training related to your patient privacy program?
3. Has your organization defined processes and controls for the handling of PHI in accordance with the Act, including uses, de-identification, releases, archival and storage, authorizations, amendments, and so on?
4. Have you designated a person to handle HIPAA privacy complaints and inquiries?
5. Have you established procedures to handle individuals’ requests to amend, update, or correct their health information?
The main points of this exercise are in fact risk identification, mitigation, and establishment of a basis for compliance. It has long been assumed in medical and insurance practice that patient privacy is sacred and to be kept inviolate. Although there are laws in place governing this, adherence to this practice has been largely based on the “honor system.” That said, this system, for all its apparent informality, has worked well; but not so well that a law such as HIPAA could be done without forever.
As is ever the case, reducing risk means reducing the probability that bad things will happen, or that the consequences from those that do will amount to “acceptable losses.” In the case of HIPAA and privacy, this means litigation and losses stemming from unfavorable judgments pursuant to compromises of PHI and damages to the patients themselves. Not to be overlooked, however, is the value gained or maintained by being in a position to assure to your patient population that their privacy is indeed sacred, and that all possible is being done to protect it. Regardless of the respective position or message, an entity choosing not to begin with a gap-risk analysis of this general type can say neither with any degree of confidence, and that approach will place at risk patient trust, which may well be the highest probability and most costly risk of all.
As a final comment on the gap analysis, it is not a “do it once” task. Gap-risk analyses should be periodically reperformed to ensure that the gaps previously identified stay closed, and that opportunities to identify new ones are used to best advantage for timely closure of them as well.
THE PRIVACY ROLES: CHIEF PRIVACY OFFICIAL
The Act calls for the designation of two specific individuals under Subsection 164.530, “Administrative Requirements” of the privacy rule. The first of these is the privacy official. The Act itself reads as follows:
(a)(1) Standard: personnel designations.
(i) A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.
This position has come to be known popularly as the “Chief Privacy Officer,” or CPO. Although it can be anyone within the given entity, the person often designated to fulfill this required position usually works in the covered entity’s legal office, possibly the chief counsel, assuming the entity is large enough to have one. Should that not be the case, small firms will frequently designate a senior officer as the nominal CPO, with a subordinate actually charged with performing the daily duties, all under the watchful eye of the covered entity’s legal advisors. Either way is acceptable provided the designation is made, and the designee has the authority to act on behalf of the covered entity in such matters.
The official in charge of the privacy protection program must first understand the provisions and requirements of the Act itself, beginning with formal documentation of the designation of the individual or entity chosen for it:
(2) Implementation specification: personnel designations. A covered entity must document the personnel designations in paragraph (a)(1) of this section as required by paragraph (j) of this section.
The section referenced above makes no statement about specific formats or forms. It simply requires that the designation be made in accordance with the standard processes for formalizing such declarations within a given organization, that the declaration may be maintained in either written or electronic form, and that the declaration must be maintained “... for six years from the date of its creation or the date when it last was in effect, whichever is later.”
One of the more difficult aspects of this role requires the CPO to interact with the systems management function. This is difficult, not because systems people are in and of themselves difficult, but because of the systems themselves and how information is stored in and moved through them, and how it is accessed by authorized users.
The CPO, then, is the individual who must ultimately assure the program’s success in all aspects and respects. In reading the details of the Act regarding what must follow the designation, and the tasks that the newly appointed CPO must oversee, interpolating those not directly stated that support providing that assurance, the role of the CPO is best characterized as being “a foot wide and a mile deep.” This is to say that the focus is entirely dedicated to the assurance of privacy, but must do so at every level within the organization.
Once the designations are made, the easy part is over.
the writers of the Act realized that people cannot, as a practical matter, be held accountable for violations of such a complex regulation if (a) they are not informed of the contents of the Act itself; (b) they are not trained in the three “P’s,” policies, processes, and procedures; (c) they are not provided the criteria and process of achieving and maintaining compliance; and (d) they are not given a clear grasp of the penalties for violations.
With that in mind, the writers of the Act included training requirements for all persons that work for a given covered entity. It could be reasonably assumed that not all members of the entity’s workforce are expected to come in contact with PHI, and thus further assumed that not everyone requires such training. The CEO is an obvious example, as would the chief operations and financial officers, and potentially others. Nevertheless, consideration must be given to the “chance” encounter with PHI. If the encounter involved these officers, they must know precisely what to do and whom to see about it. As the leaders, having a grasp of the Act and the risks and penalties associated with violations would seem mandatory given their fiduciary obligations to the entity and to any shareholders of it. Given the wording of the standard, the CPO should seek to have all members appropriately trained. The standard itself reads:
(b)(1) Standard: training. A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart, as necessary and appropriate for the members of the workforce to carry out their function within the covered entity.
Following that, the Act calls for three types of training to effectively implement the requirements of the standard:
(2)(i)(A) To each member of the covered entity’s workforce by no later than the compliance date for the covered entity;
(2)(i)(B) Thereafter, to each new member of the workforce within a reasonable period of time after the person joins the covered entity’s workforce; and
(2)(i)(C) To each member of the covered entity’s workforce whose functions are affected by a material change in the policies or procedures required by this subpart, within a reasonable period of time after the material change becomes effective in accordance with paragraph (i) of this section.