
HITECH / HIPAA Newsletter August 2013 Archive

HITECH Act Compliance is a Team Sport:  Is your team Omnibus Rule ready?

August 2013, Issue No. 44
In this Issue
Products now available in the HSG Store
HIPAA Security: What's the essence of the Rule?
Products now available in the HSG Store

HIPAA Breach Notification Framework 

Our HIPAA Breach Notification Framework walks you through the process of analyzing security incidents to determine what actions you must take to ensure your response complies with the HITECH Breach Notification requirements. The Framework discusses HITECH breach compliance in simple terms and uses twelve flowchart diagrams to help you navigate the process. It also includes tools and templates that help "jump start" your breach notification compliance initiative.





Business Associate Agreement: a HITECH Ready Model Contract

Our model Business Associate Agreement includes provisions that meet the requirements of HIPAA/HITECH and is fully annotated with links to the relevant statutory/regulatory authority that underpins each Contract clause. The Contract package also includes a complete "User's Guide," with a clause-by-clause explanation of the issues addressed in the Contract. 


The Security Rule Under HITECH:
a Business Associate Perspective
First Edition

The most important step for building a "good SR compliance story" is for the business associate to get started. The approach in The Security Rule Under HITECH is to build the story iteratively over time. Most business associates (large or small) will likely need help in creating the story. The framework discussed throughout this document provides a good road map to follow.


HIPAA Core Training Combo

This package includes the Breach Notification Simplified Training Module, the HIPAA Privacy Rule under HITECH Training Module, the HIPAA Security Rule Under HITECH Training Module and the HITECH and HIPAA Compliant Training Module, all in one Combo Package. Buy all 4 for a little more than the price of 3.

Quick Links

Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the "join our list" link above and receive your own copy of the newsletter each month.

Other Resources
HIPAA Survival Guide Store Overview
Cloud, Social Media, and Mobile Checklist Product Overview
Business Associate Agreement Product Overview
HIPAA / HITECH Core Training Product Overview
Privacy Rule Checklist Product Overview
Breach Notification Framework Product Overview

Dear Carlos,

Welcome to our August 2013 HITECH / HIPAA Compliance Newsletter.


Our article this month is entitled: HIPAA Security: What's the essence of the Rule?


The Security Rule ("SR") is a set of regulations which requires that your Organization identify Risks, mitigate Risks, and monitor Risks over time in order to ensure the Confidentiality, Integrity, and Availability of your Organization's ePHI. That's it. This article is intended to provide you the basic concepts that help you understand, engage, and ultimately master the details. 


We are pleased to announce Release 1.0 of our Subscription Service, which is available for purchase in our new HIPAA Survival Guide Store along with our suite of Omnibus Rule Ready™ products. Our product suite has been updated to reflect Omnibus Rule modifications.


Our Subscription Service and products provide policies, processes, and tracking mechanisms to help covered entities and business associates deliver visible, demonstrable evidence of HIPAA compliance. The HIPAA Rules tell you what is required in order to comply; our Products provide best practice step-by-step guidance to help you meet your compliance objectives.

HSG Announcements
In addition to our commercial-off-the-shelf training products, we now offer training customized for your organization through our partnership with the Digital Business Law Group. We recognize that some organizations, including business associates, have a need for HIPAA / HITECH training tailored to their specific needs (click here or on the image below to get more information).


Join the Conversation
The HIPAA Survival Group on LinkedIn continues to be the go to place for meaningful discussion of HITECH / HIPAA issues. You will find many industry thought leaders and insiders sharing their views on the evolving compliance landscape. 

Stay Connected
Want to stay updated throughout the month? Follow Carlos on Twitter by clicking on the badge below. If you would like to read more regarding the authors' views on HIT and compliance, click here and here and subscribe to their blogs.

Become a Fan
Follow us on FaceBook by becoming a fan of the HIPAA Survival Guide. Also, be sure to check out our HITECH Videos.

HIPAA Security: What's the essence of the Rule?

The Security Rule ("SR") is a set of regulations which requires that your Organization identify Risks, mitigate Risks, and monitor Risks over time in order to ensure the Confidentiality, Integrity, and Availability of your Organization's ePHI. That's it. This article is intended to provide you the basic concepts that help you understand, engage, and ultimately master the details.

However, in order to understand the SR you must become familiar with some of its technical jargon. Many of these definitions are derived from NIST Special Publication 800-30, a document that should prove quite useful to those engaged in implementing the Security Rule.


Definitions

The SR is replete with technical terms. In addition, any description of how to comply with the SR will also necessitate the use of additional technical terms. Below we break down the technical jargon in a manner that is readily understood by the lay person. It is not written for the technical expert, although we believe even the latter may derive significant value from it. The SR contains its own Definitions in 164.304. We do not duplicate those here. However, we do provide a link to an SR definition the first time it is referenced.




Adequate Security

Security commensurate with the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of ePHI.



Adversary

Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.



Asset

An Asset is a thing (tangible or intangible) that accesses, stores, maintains, or transmits ePHI. Examples include networks, PCs, servers, mobile devices, Information Systems, buildings, etc.


Attack

Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy Information System resources or the ePHI itself.



Authentication

Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an Information System.


Availability

Ensuring timely and reliable access to and use of ePHI.



Confidentiality

Preserving authorized restrictions on ePHI access and disclosure, including means for protecting personal privacy and proprietary ePHI.



Impact

The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of ePHI, unauthorized modification of ePHI, unauthorized destruction of ePHI, or loss of ePHI or ePHI system availability.



Individual

Individual is synonymous with a workforce member.

Information Owner

Official with statutory or operational authority for specified ePHI and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.



Integrity

Guarding against improper ePHI modification or destruction; includes ensuring ePHI non-repudiation and authenticity.



Likelihood

A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given Vulnerability or a set of Vulnerabilities.



Operations

Business processes and workflows that interact with ePHI on a day-to-day basis and which would be negatively impacted should ePHI be corrupted, breached, or otherwise compromised.

Operational Controls

The security controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by people (as opposed to systems).


Operational Environment

The physical, technical, and organizational setting in which an Information System operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.



Risk

The net mission impact considering (1) the probability that a particular Threat will exercise (accidentally trigger or intentionally exploit) a particular Vulnerability and (2) the resulting impact if this should occur.

Risks arise from legal liability or mission loss due to:

(1) Unauthorized (malicious or accidental) disclosure, modification, or destruction of ePHI;

(2) Unintentional errors and omissions;

(3) IT disruptions due to natural or man-made disasters;

(4) Failure to exercise due care and diligence in the implementation and operation of the IT system.

A Risk is not a single factor or event, but rather it is a combination of factors or events (Threats and Vulnerabilities) that, if actualized, may have an adverse impact on the Organization.


Risk Analysis/Assessment

Risk Analysis is a process by which an Organization identifies the following:

(1) Threats to the Organization (i.e., Operations, Assets, or Individuals);

(2) Vulnerabilities internal and external to the Organization;

(3) The harm (i.e., adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and

(4) The likelihood that harm will occur.

The end result of a Risk Analysis is an overall determination of Risk for the Organization (i.e., typically a function of the degree of harm and the likelihood of harm occurring).

In order to be useful for an SR implementation, Risks must be aligned with more granular subcategories, using Operations, Assets, or Individuals as high-level categories that are subsequently further subdivided.



Risk Assessment Methodology

A risk assessment process, together with a risk model, assessment approach, and analysis approach.


Risk Management

Risk Management is a comprehensive global Organizational process that contains the following sub-processes:

(1) framing Risk: the purpose of the Risk framing component is to produce a Risk Management strategy that addresses how your Organization intends to assess Risk, respond to Risk, and monitor Risk;

(2) assessing Risk: see the definition of Risk Analysis;

(3) responding to Risk: this component determines how your Organization responds to Risk in accordance with your Risk Management strategy by developing, evaluating, selecting, and implementing Risk responses; and

(4) monitoring Risk: this component determines how your Organization tracks Risks over time by verifying that "reasonable and appropriate" Risk responses have been implemented and determining the ongoing effectiveness of these responses vis-à-vis a changing operational environment.

The NIST definition of Risk Management incorporates the "analysis/assessment" process, whereas the SR has separated Risk Analysis from Risk Management as two separate Implementation Specifications for the first Standard of the Administrative Safeguards.

It should be noted that as part of Risk Management, further Risk Assessments can and will be required over time (e.g., when your Organization's operational environment changes). Also, the NIST Special Publications are not HITECH / HIPAA specific; their scope is much broader and therefore does not always align with the SR.
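The Risk Analysis and Risk Management definitions above describe a register of Threat/Vulnerability pairs, each scored by Likelihood and Impact and grouped under Operations, Assets, or Individuals. The following added example (not HSG's product code and not NIST's methodology) shows that register in working form; it assumes a 1..5 ordinal scale for both factors and uses their product as the Risk function, and the sample entries are constructed.

```python
from dataclasses import dataclass, replace

# High-level categories named in the Risk Analysis definition.
CATEGORIES = ("Operations", "Assets", "Individuals")
# Risk Response options named in the Risk Response definition.
RESPONSES = ("accept", "avoid", "mitigate", "share", "transfer")

@dataclass(frozen=True)
class RiskItem:
    category: str       # one of CATEGORIES
    subject: str        # the granular subcategory (a workflow, asset or role)
    threat: str
    vulnerability: str
    likelihood: int     # assumed 1 (rare) .. 5 (near certain) ordinal scale
    impact: int         # assumed 1 (negligible) .. 5 (severe) ordinal scale
    response: str = "accept"

    def __post_init__(self):
        if self.category not in CATEGORIES or self.response not in RESPONSES:
            raise ValueError("unknown category or response")
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be 1..5")

    def score(self) -> int:
        # Risk as a function of Likelihood and Impact; here the product (assumed).
        return self.likelihood * self.impact

def assess(register):
    """Risk Analysis: rank each Threat/Vulnerability pair, highest Risk first."""
    return sorted(register, key=lambda r: (-r.score(), r.category, r.subject))

def rollup(register):
    """Overall Risk per high-level category: the highest score in that category."""
    totals = dict.fromkeys(CATEGORIES, 0)
    for r in register:
        totals[r.category] = max(totals[r.category], r.score())
    return totals

def respond(item, response, likelihood=None, impact=None):
    """Risk Response: record the chosen response and the re-assessed factors."""
    return replace(item, response=response,
                   likelihood=item.likelihood if likelihood is None else likelihood,
                   impact=item.impact if impact is None else impact)

# Constructed sample register (illustrative values, not from the article).
REGISTER = [
    RiskItem("Assets", "laptop fleet", "theft", "unencrypted disk", 4, 5),
    RiskItem("Operations", "claims intake", "data-entry error", "no validation", 5, 2),
    RiskItem("Individuals", "billing staff", "phishing", "no security training", 3, 4),
    RiskItem("Assets", "file server", "power failure", "no UPS", 2, 3),
]
```

Re-running `assess` and `rollup` after a `respond` call is the Risk Monitoring step: the register shows whether the response actually lowered the category's Risk.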


Risk Mitigation

Prioritizing, evaluating, and implementing the appropriate risk-reducing controls / countermeasures recommended from the Risk Analysis process. A subset of Risk Response.


Risk Monitoring

Maintaining ongoing awareness of an Organization's Risk environment, Risk Management program, and associated activities to support Risk decisions.


Risk Response

Accepting, avoiding, mitigating, sharing, or transferring Risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations.


Security Controls

The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an Information System to protect the confidentiality, integrity, and availability of the system and its ePHI.


Technical Controls

Security Controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by the Information System through mechanisms contained in the hardware, software, or firmware components of the system.



Threat

The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific Vulnerability.

There are several types of Threats that may occur within an Information System or operating environment. Threats may be grouped into general categories such as natural, human, and environmental.

Examples of common threats in each of these general categories:

(1) natural threats may include floods, earthquakes, tornadoes, and landslides;

(2) human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry deletion and inaccurate data entry) actions; and

(3) environmental threats may include power failures, pollution, chemicals, and liquid leakage.



Vulnerability

A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security Breach or a violation of the system's security policy.

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a Security Incident, such as an inappropriate use or disclosure of ePHI.

Vulnerabilities may be grouped into two general categories, technical and non-technical. Non-technical Vulnerabilities may include ineffective or non-existent policies, procedures, standards, or guidelines. Technical Vulnerabilities may include holes, flaws, or weaknesses in the development of Information Systems, or incorrectly implemented and/or configured Information Systems.



The Essence of the Rule?


The intent here is not to oversimplify or trivialize what is in fact a very complex set of regulations, but rather to ensure that the "end game" remains clearly visible as your Organization grapples with the complexity.



About Us
3Lions Publishing, Inc. is now the owner/operator of the HIPAA Survival Guide website and the official sponsor of this newsletter. Our mission is to bring you HITECH / HIPAA statutes and regulations in an easy to read and digestible format, products that help reduce the burden of compliance, and "news you can use" via our newsletter.

We take a partnering and collaborative approach to the marketplace. If you would like to see specific topics covered in this newsletter, or additional products, then please let us know.

Carlos Leyva, CEO
3Lions Publishing, Inc.
(800) 516-7903


Contact us today