E-book, English, 210 pages, format (W × H): 191 mm x 235 mm
Virtue / Rainey HCISSP Study Guide
1st edition 2014
ISBN: 978-0-12-802089-0
Publisher: William Andrew Publishing
Format: EPUB
Copy protection: 6 - ePub watermark
The HCISSP certification is a globally recognized, vendor-neutral exam for healthcare information security and privacy professionals, created and administered by ISC². The new HCISSP certification, focused on healthcare information security and privacy, is similar to the CISSP, but has only six domains and is narrowly targeted to the special demands of healthcare information security.
Tim Virtue and Justin Rainey have created the HCISSP Study Guide to walk you through all the material covered in the exam's Common Body of Knowledge. The six domains are covered completely and as concisely as possible with an eye to acing the exam. Each of the six domains has its own chapter that includes material to aid the test-taker in passing the exam, as well as a chapter devoted entirely to test-taking skills, sample exam questions, and everything you need to schedule a test and get certified. Put yourself on the forefront of health care information privacy and security with the HCISSP Study Guide and this valuable certification.
- Provides the most complete and effective study guide to prepare you for passing the HCISSP exam - contains only what you need to pass the test, and no fluff!
- Completely aligned with the six Common Body of Knowledge domains on the exam, walking you step by step through understanding each domain and successfully answering the exam questions.
- Optimize your study guide with this straightforward approach - understand the key objectives and the way test questions are structured.
Authors/Editors
Subject areas
- Economics, Business Administration, Business Informatics, SAP, IT Management
- Mathematics | Computer Science, Computing | Computer Science, Computing & Computer Science General, Computing: Certification
- Mathematics | Computer Science, Computing | Computer Science, Applied Computer Science, Business Informatics
- Medicine | Veterinary Medicine, Medicine | Public Health | Pharmacy | Dentistry, Medicine, Healthcare, Medical Mathematics & Informatics
- Mathematics | Computer Science, Computing | Computer Science, Technical Computer Science, Computer Security, Data Security, Data Protection
Further information & material
- Healthcare Security and Privacy
- Domain 1: Healthcare Industry
- Domain 2: Regulatory Environment
- Domain 3: Privacy and Security in Healthcare
- Domain 4: Information Governance and Risk Management
- Domain 5: Information Risk Assessment
- Domain 6: Third Party Risk Assessment
- References
- The Test
Chapter 3 Regulatory Environment
Abstract
This chapter discusses the fundamental legal and regulatory requirements that govern healthcare information. It will also review the importance of the policies and procedures an organization uses to protect healthcare information during data exchange.

Keywords

Data breach regulations; HIPAA; HITECH Act; Information flow; Policies; Procedures; Standards; Compensating controls; Residual risk; Code of Ethics

This chapter will help candidates
- Understand the legal and regulatory environment for health information
- Understand healthcare-related security and privacy frameworks
- Understand regulatory requirements and controls
- Understand code of conduct and ethics in a healthcare information environment

Legal issues that pertain to information security and privacy for healthcare organizations

Under the wide array of legal issues, healthcare organizations face several challenges around information security and privacy. In addition to the high-level governance frameworks, many of the specific security and privacy requirements directly affect the operations of healthcare organizations. Although all healthcare organization employees have the responsibility for properly safeguarding healthcare information, security and privacy professionals are at the forefront of compliance with the legal and regulatory requirements associated with healthcare delivery.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

In the United States, one of the most important healthcare laws is HIPAA. According to the Office for Civil Rights, “The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.” Although HIPAA contains several legislative mandates, the section most relevant to information security is the Administrative Simplification section. This section includes the standards for privacy, security, and enforcement. Figure 3.1 shows the relationship between the various elements of HIPAA.

Figure 3.1 Elements of HIPAA.

Select elements and definitions

As stated earlier, HIPAA has several elements and covers a number of issues that healthcare organizations must comply with. However, for exam preparation purposes we would like to highlight some select elements and definitions from HIPAA. According to HIPAA, Public Law 104-191 (August 21, 1996), Subtitle F Administrative Simplification, Part C, Section 1171, the term “health information” means any information, whether oral or recorded in any form or medium, that:
1. Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.

Individually identifiable health information is a subset of health information, including demographic information collected from an individual, that:
1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2. Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and:
   a. That identifies the individual; or
   b. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Additionally, protected health information is defined by 45 CFR 160.103, and that definition is referenced in Section 13400 of Subtitle D (“Privacy”) of the Health Information Technology for Economic and Clinical Health Act (HITECH Act):

“Protected health information means individually identifiable health information [defined above]: (1) Except as provided in paragraph (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium. (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer.”

The American Recovery and Reinvestment Act (ARRA) of 2009

The ARRA of 2009 was enacted to provide stimulus and recovery mechanisms in response to the Great Recession. Although there are many elements to ARRA, most of which are outside the scope of this book, we focus our discussion on select healthcare domains, specifically the HITECH Act and its amendments to HIPAA. The most significant changes to HIPAA include:
- The final Breach Notification Rule
- Updates to business associate responsibilities
- Expansion of the penalty consequences
- Investigative authority for potential violations granted to the Attorney General of each state

With these changes to HIPAA, healthcare organizations were required to expand and enforce their own privacy and security structures, and to extend those controls to the business relationships and partners with whom they share healthcare information. According to the Office for Civil Rights, “The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.” Figure 3.2 demonstrates the relationship between the HITECH Act and the HIPAA privacy and security rules. Specifically, they work together to ensure privacy and security concerns are properly addressed as healthcare organizations adopt and extend the meaningful use of health information technology (IT).

Figure 3.2 Relationship between HITECH and HIPAA.

International standards

When looking outside U.S. boundaries, many international healthcare organizations face similar legal and regulatory challenges. Several countries are developing or adhering to regulations that require the protection of personally identifiable information used by healthcare organizations. Some of the more common laws and regulations include:
- Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – Sets out ground rules for how private sector organizations may collect, use, or disclose personal information in the course of commercial activities.
- European Commission Data Protection Legislation – Various legislation, documents, and guidance on the protection of personal data within the European Union.
- UK Data Protection Act 1998 – Controls how organizations, businesses, or the government use your personal information.

A culture of privacy and security

It is important to remember that employees take their cues from the organization’s senior leadership. When senior leaders place importance on proactive security and privacy programs, healthcare organizations can properly safeguard the protected health information (PHI) entrusted to them by the patients they serve. This “tone at the top” not only enables the right attitude when delivering patient care services but also ensures that privacy and security professionals have the resources they need. Although every employee at a healthcare organization is responsible for safeguarding PHI, privacy and security professionals are charged with the protection of PHI on a daily basis. Although there can be subtle differences between the specific...