HITECH Act and HIPAA: Guidelines for data security compliance

Value-added resellers and security consultants can help healthcare practitioners comply with HIPAA by educating these SMBs during product sales, and by implementing risk analysis and management processes. This HIPAA Compliance Guide will help you get up to speed on the regulation's requirements, the Security Rule and risk management.

Regulatory compliance can be daunting for independent health care providers. These SMBs often lack the resources to dedicate a staff member to IT, never mind monitor their HIPAA guidelines and compliance efforts. Security consultants and value-added resellers (VARs) can help new medical offices implement the risk analysis and risk management processes and technical controls that will lead to HIPAA-protected health information.

We've designed this HITECH Act, HIPAA data security compliance and training guide to help VARs and consultants take advantage of these business opportunities. You'll find resources that will help you become acquainted with HIPAA data security requirements as well as the tools necessary for compliance.

Table of Contents


HIPAA changes 2009: HITECH Act for health care
Thanks to the Health Information Technology for Economic and Clinical Health Act (HITECH), which was part of the American Recovery and Reinvestment Act, HIPAA went through a series of revisions. Now, HIPAA-covered entities must implement or verify technical, security and privacy controls, including firewalls, access control systems and encryption. David Mortman reviews the HITECH Act and other HIPAA changes of 2009.

HITECH Act business associate agreement
If you are working with a HIPAA-covered entity, you are a business associate, and your HIPAA policies and procedures take on a whole new meaning.

We spoke with Kevin McDonald, executive vice president and director of compliance practices at Alvaka Networks, who has first-hand experience with the HITECH Act business associate agreement, the technical and non-technical controls being implemented in health care facilities, and the level of HIPAA know-how among his channel peers.

HITECH Act incentives translate to opportunities for VARs
The $19.2 billion earmarked by the HITECH Act is only a fraction of what the nation's hospitals and doctors will spend for the conversion -- including security to protect patient records. To help health care organizations convert to electronic health care record (EHR) implementations, solution providers have the opportunity to provide security products and services to support the federal HITECH Act mandate. Learn about the requirements of the HITECH Act, including breach disclosure.


A HIPAA security risk analysis
The HITECH Act also introduced HIPAA Rule 45 CFR 164.308(a)(1). Of particular note is the rule's mandate for a risk assessment. Learn the basics of a HIPAA data security risk analysis, including a documented risk management framework that identifies the controls in place to prevent vulnerabilities and exposure of HIPAA patient information.

HIPAA data encryption
Every plan for HIPAA PHI, or protected health information, should involve some form of encryption. Health care IS managers will need to work together with security resellers to understand what patient data needs to be encrypted and at what point in the process it needs to be encrypted, such as in motion or at rest. Allen Zuk reviews how to overcome HIPAA data encryption security challenges.


HITRUST Common Security Framework
Healthcare organizations struggle with compliance audit requirements from business partners who use a number of standard frameworks. At the same time, these healthcare organizations often have separate, redundant compliance programs for different regulations. Security solution providers can leverage the Health Information Trust Alliance's (HITRUST) Common Security Framework (CSF) to navigate through the HIPAA rules. But will it catch on?

HITRUST alliance certification
A certification program from the Health Information Trust (HITRUST) Alliance is in development. The CSF Ready seal will demonstrate that products have obtained a basic level of certification, helping organizations that need an independent evaluation of products. Certified devices need to be able to secure standard IT devices such as computers, switches, routers and firewalls, but also specialized equipment, including Internet-connected MRI machines and health monitors. Learn more about the HITRUST Alliance HIPAA compliance certification.


HIPAA-covered entities
Chapter 13 from Healthcare Information Systems provides an overview of HIPAA's security rules, including a definition of HIPAA covered entities -- organizations that are required to comply. These entities include healthcare providers, health plans, healthcare clearinghouses and business associates. Consultants and resellers who are new to HIPAA data security will find this .pdf to be a helpful primer.

Conducting a HIPAA security audit
This article provides a brief summary of the HIPAA security rules, with some pointers on how they apply specifically to Domino and Notes. You'll also find a link to a HIPAA security audit tool developed as a Notes database. Many of the HIPAA security rules are considered either "required" or "addressable." Make sure you know how to handle requirements that are not mandatory.

Maintaining HIPAA compliance policies and procedures
It has been several years since HIPAA-covered entities were first required to comply with HIPAA. Auditor requirements have evolved. In this "Ask the Expert" Q&A, learn how you can ensure that your customers keep up with their HIPAA compliance policies and procedures.

Risk management guide
There's a difference between risk and vulnerability management. This series of articles by Shon Harris, author of CISSP All-in-One Exam Guide, delves into the risk management process, from defining an acceptable level of risk to conducting a risk analysis.
