HITECH Act and HIPAA: Guidelines for data security compliance

Regulatory compliance can be daunting for independent health care providers. These SMBs often lack the resources to dedicate a staff member to IT, never mind monitor their HIPAA guidelines and compliance efforts. Security consultants and value-added resellers (VARs) can help new medical offices implement the risk analysis and risk management processes and the technical controls that keep protected health information (PHI) secure and the practice HIPAA-compliant.

We've designed this HITECH Act, HIPAA data security compliance and training guide to help VARs and consultants take advantage of these business opportunities. You'll find resources that will help you become acquainted with HIPAA data security requirements as well as the tools necessary for compliance.

Table of Contents
  • HITECH Act 2009
  • HIPAA security controls
  • HITRUST
  • Other resources

    HITECH ACT 2009

    HIPAA changes 2009: HITECH Act for health care
    Thanks to the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, HIPAA went through a series of revisions. HIPAA-covered entities must now implement or verify technical, security and privacy controls, including firewalls, access control systems and encryption, and they face stiffer penalties and breach notification duties. David Mortman reviews the HITECH Act and other HIPAA changes of 2009.

    HITECH Act business associate agreement
    If you create, receive, maintain or transmit protected health information on behalf of a HIPAA-covered entity, you are a business associate, and under HITECH your HIPAA policies and procedures take on a whole new meaning: the Security Rule's requirements now apply to you directly, not just through your contract with the covered entity.

    We spoke with Kevin McDonald, executive vice president and director of compliance practices at Alvaka Networks, who has first-hand experience with the HITECH Act business associate agreement, the technical and non-technical controls being implemented in health care facilities, and the level of HIPAA know-how among his channel peers.

    HITECH Act incentives translate to opportunities for VARs
    The $19.2 billion earmarked by the HITECH Act is only a fraction of what the nation's hospitals and doctors will spend on the conversion, including the security needed to protect patient records. As health care organizations move to electronic health record (EHR) systems, solution providers have the opportunity to supply the security products and services that the federal HITECH Act mandate calls for. Learn about the requirements of the HITECH Act, including breach disclosure.

    HIPAA SECURITY CONTROLS

    A HIPAA security risk analysis
    The HIPAA Security Rule's security management process standard, 45 CFR 164.308(a)(1), requires a risk analysis, and HITECH's enforcement provisions now apply that requirement to business associates as well as covered entities. Learn the basics of a HIPAA data security risk analysis, including a documented risk management framework that records the controls in place to mitigate identified vulnerabilities and reduce the risk of exposure of patient information.

    HIPAA data encryption
    Every plan for HIPAA protected health information (PHI) should involve some form of encryption. Health care IS managers will need to work with security resellers to understand which patient data needs to be encrypted and at what point in the process it needs to be encrypted, such as in transit or at rest. Allen Zuk reviews how to overcome HIPAA data encryption security challenges.
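    To make the at-rest case concrete, the following is an added example, not code from the original article or from any vendor it mentions, that seals a single patient record with AES-256-GCM and binds the record identifier as additional authenticated data, so a ciphertext copied into another patient's row fails to decrypt rather than silently returning the wrong patient's data. The record layout, the identifier `MRN-0001` and the sample diagnosis text are constructed for the example; key management (where the data key lives and how it is rotated) is assumed to be handled elsewhere, which in practice is the harder part of the HIPAA conversation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newDataKey returns a fresh 256-bit AES key from the OS CSPRNG.
// Assumption for this example: in a real deployment the key is wrapped by a
// KMS or HSM master key and stored apart from the database holding the blobs.
func newDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("data key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptPHI seals one record at rest. recordID (e.g. a medical record
// number) is passed as additional authenticated data: it is not encrypted,
// but the GCM tag covers it, so the blob only opens under the same ID.
// Output layout: nonce || ciphertext || 16-byte tag.
func encryptPHI(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random 96-bit nonce per record; a nonce must never repeat under one key.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// decryptPHI opens a blob produced by encryptPHI. Any change to the nonce,
// ciphertext, tag or recordID makes Open return an error instead of data.
func decryptPHI(key []byte, recordID string, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := newDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"MRN-0001","dx":"E11.9","note":"follow-up in 3 months"}`)
	blob, err := encryptPHI(key, "MRN-0001", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d plaintext bytes as %d ciphertext bytes\n", len(record), len(blob))

	pt, err := decryptPHI(key, "MRN-0001", blob)
	fmt.Println("same record id:", err == nil && bytes.Equal(pt, record))

	_, err = decryptPHI(key, "MRN-0002", blob) // blob moved to another patient's row
	fmt.Println("swapped record id rejected:", err != nil)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the tag
	_, err = decryptPHI(key, "MRN-0001", tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

    This covers only the at-rest side of the question the article raises; data in transit is normally protected by TLS between the EHR client, the application server and any business associate, and the data key used here still has to be generated, stored and rotated under a documented procedure for the encryption to count in a risk analysis.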

    HITRUST

    HITRUST Common Security Framework
    Health care organizations have struggled to meet audit requirements from business partners who each use a different standard framework. At the same time, these organizations often run separate, redundant compliance programs for different regulations. Security solution providers can use the Health Information Trust Alliance's (HITRUST) Common Security Framework (CSF) to map one set of controls onto the HIPAA rules and the other frameworks their customers are audited against. But will it catch on?

    HITRUST alliance certification
    A certification program from the Health Information Trust (HITRUST) Alliance is in development. The CSF Ready seal will show that a product has obtained a basic level of certification, helping organizations that need an independent evaluation of the products they deploy. The certification is meant to cover not only standard IT equipment such as computers, switches, routers and firewalls, but also specialized equipment, including Internet-connected MRI machines and health monitors. Learn more about the HITRUST Alliance HIPAA compliance certification.

    OTHER RESOURCES

    HIPAA-covered entities
    Chapter 13 of Healthcare Information Systems provides an overview of the HIPAA Security Rule, including a definition of HIPAA covered entities, the organizations required to comply. These include health care providers, health plans and health care clearinghouses, and since HITECH the rule reaches their business associates as well. Consultants and resellers who are new to HIPAA data security will find this PDF a helpful primer.

    Conducting a HIPAA security audit
    This article provides a brief summary of the HIPAA security rules, with some pointers on how they apply specifically to Domino and Notes. You'll also find a link to a HIPAA security audit tool built as a Notes database. Each implementation specification in the Security Rule is either "required" or "addressable." Addressable does not mean optional: the entity must implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure. Make sure you know how to handle, and document, the addressable ones.

    Maintaining HIPAA compliance policies and procedures
    It has been several years since HIPAA-covered entities were first required to comply with HIPAA, and auditor expectations have evolved in that time. In this "Ask the Expert" Q&A, learn how you can ensure that your customers keep their HIPAA compliance policies and procedures up to date.

    Risk management guide
    There's a difference between risk management and vulnerability management. This series of articles by Shon Harris, author of the CISSP All-in-One Exam Guide, walks through the risk management process, from defining an acceptable level of risk to conducting a risk analysis.

    This was first published in May 2010