Best IT Blog

Healthcare HIPAA, HITRUST, HITECH Resources


IT Security / Technology Risk / Control Frameworks

HITRUST (Risk Framework)


Assessment Areas – HIPAA

  • Expert background in technical controls assessment, compliance, risk, and security control requirements.
  • HIPAA Security Rule (three safeguards: Administrative, Physical, Technical), including required vs. addressable implementation specifications. HIPAA gap assessments, HIPAA IT auditing, and HIPAA IT controls design, integration, and testing. Gap assessments and privacy gap assessments (pre-audits).
  • Understanding of risk and control frameworks such as HITRUST, COBIT, UCF, ITIL, and ISO.


Preparatory Research

  • Electronic Medical Records: Success Requires an Information Security Culture

  • Aligning Application Security and Compliance (good info)

  • SANS – MOACL – Mother of All Control Lists (dated info but good)


HIPAA Terminology

Covered Entity, Business Associate, Conduit, Meaningful Use/MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, CFR 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts.


IT Governance / Regulations – HIPAA

HIPAA / Omnibus HIPAA Privacy, Security, Governance, And Compliance.




HIPAA: Survival Guide

(Good info)


Covered Entity, Business Associate, BAA / Contracts, Conduit, Meaningful Use/MU Phase I/II/III, Breach Notification Rule, OCR, ePHI / PHI, BNR, PNR, CFR 45 CFR 164.x (9/2013 – 3/2014), Final HIPAA Omnibus Rule, BA Contracts.

HIPAA / HITRUST: HIPAA and HITRUST – What's the Difference?


Overview of HIPAA/HITECH Omnibus Final Rule

Omnibus / HealthIT



ePHI Identifiers / De-Identification

HHS: Guidance on Methods for De-Identification

HIPAA PHI: List of 18 Identifiers and Definition of PHI

ePHI Computer Systems Inventory


Yale: Break Glass Procedure: Granting Emergency Access to Critical ePHI Systems

Meaningful Use: What Is Meaningful Use?



Breach Notification Rule: HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414

Covered Entities & Business Associates: § 160.103 Definitions.

  • De-Identification of PHI: Methods in Accordance with the HIPAA Privacy Rule
  • Summary of the HIPAA Security Rule: HHS: Summary of the HIPAA Security Rule
  • HIPAA Security Risk Analysis Tips – 9 Essential Elements
  • Complete a Privacy Rule Compliance Assessment (45 CFR §164.530)
  • MU – HIPAA Security Risk Analysis: How to Conduct a Meaningful Use / HIPAA Security Risk Analysis
  • eCFR: Electronic Code of Federal Regulations
  • Cornell Law School – 45 CFR 164 – Summaries

Are You Ready For A HIPAA Audit? 5 Insights for Executives

HIPAA Audit Tips – Prepare For Audits Using Omnibus Final Rule

White Paper: The HIPAA Final Omnibus Rule: New Changes Impacting Business Associates

Deloitte Brief: Update: Privacy and Security Of Protected Health Information Omnibus Final Rule and Stakeholder Considerations


OCR HIPAA Audits: Findings/Recommendations: Notification of Findings And Recommendations Report From OCR HIPAA Audits

HHS/OCR: HIPAA Lessons – UCLA: Specific Lessons from HIPAA Privacy and Security Case At


OCR HIPAA Audits: What To Expect When OCR Audits Come

HIPAA Interview and Document Request: HIPAA Security Onsite Investigations and Compliance Reviews (great sample)

OCR HIPAA Audit Briefings: OCR Data on First 20 HIPAA Compliance Audits

HIPAA Enforcement: Case Examples Organized by Covered Entity




HIPAA Settlements / Resolution Agreements

HIPAA-Hitech Compliance: Proven HIPAA Audit Tips – Actions You Should Take Now To Prepare For OCR HIPAA Audits

  1. Put a privacy and security risk management and governance program in place (45 CFR §164.308(a)(1))
  2. Develop and implement comprehensive HIPAA privacy, security, and breach notification policies and procedures (45 CFR §164.530 and 45 CFR §164.316)
  3. Train all members of your workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
  4. Complete a HIPAA security risk analysis (45 CFR §164.308(a)(1)(ii)(A))
  5. Complete a HIPAA security evaluation (i.e., a compliance assessment) (45 CFR §164.308(a)(8))
  6. Complete technical testing of your environment (45 CFR §164.308(a)(8))
  7. Implement a strong, proactive business associate management program (45 CFR §164.502(e) and 45 CFR §164.308(b))
  8. Complete Privacy Rule and Breach Notification Rule compliance assessments (45 CFR §164.500 and 45 CFR §164.400)
  9. Document and act upon a remediation plan


HHS.GOV – HIPAA: Security Series

  1. Security 101 for Covered Entities
  2. Security Standards Administrative Safeguards
  3. Security Standards – Physical Safeguards
  4. Security Standards – Technical Safeguards
  5. Security Standards – Organizational, Policies & Procedures, and Documentation Requirements
  6. Basics of Risk Analysis & Risk Management