Written by highly respected author Kate Borten, CISSP, CISM, this updated edition explains how the Omnibus Rule affects organizations that are subject to HIPAA. It will help facilities and business associates understand how they and their information security programs can remain in compliance with new and continuing regulatory requirements. This second edition emphasizes that security is not a one-time project and reminds readers that they should already be performing risk assessments to comply with the HIPAA Security Rule.

A new Introduction explains the significance of the HITECH Act and the Omnibus Rule to covered entities and their business associates (BAs). HITECH made BAs directly liable for Security Rule compliance, and the Omnibus Rule went further, revising the definition to include all downstream subcontractors with access to PHI. This closed a major loophole in privacy protection, significantly expanding the number of organizations deemed BAs and directly subject to HIPAA compliance and enforcement.

This book explains how HIPAA and the Omnibus Rule do the following:

* Clarify the definition of BA, which now includes all downstream subcontractors with access to PHI
* Clarify that covered entities and BAs must have ongoing programs to protect electronic PHI, including regular updates to security documentation
* Revise and modernize the definition of electronic media to align it with the terminology used by the National Institute of Standards and Technology
* Ensure that access termination procedures apply to all workforce members, not only to employees
* Encourage encryption but not require it across the board
Kate Borten, CISSP, CISM, president of The Marblehead Group, founded in 1999, offers a unique blend of technical and management expertise, information security and privacy knowledge, and an insider's understanding of the healthcare industry. Her company serves the full spectrum of healthcare covered entities and their business associates with respect to understanding privacy and security regulations, establishing and enhancing their formal privacy and security programs, and assessing risk and regulatory compliance. She has more than 20 years of experience designing, implementing, and integrating healthcare information systems at world-renowned medical facilities, including Massachusetts General Hospital.