
Running Header: Assignment: Summary of Laws, Regulations, and Standards 1

Micah Geertson
CSOL 540
09/20/2019

Assignment:
Summary of Laws, Regulations, and Standards

Table of Contents
HIC, Inc. LRS Summary
    Scope
    Rules
        Privacy
        Security
        Breach
    Special Topics
    Safeguards
        Administrative Safeguards
        Physical Safeguards
        Technical Safeguards
    PCI DSS
    Local State Regulatory Laws
        General Privacy Protections
        Patient’s Right to Access
        Breach Notifications
References

HIC, Inc. LRS Summary


Scope
The purpose of this document is to outline the rules, special topics, safeguards, Payment
Card Industry Data Security Standard (PCI DSS) requirements, and local state regulatory laws that
apply to HIC, Inc. and that the company must enforce to remain compliant and conduct business.
Each of these topics relates directly to the Health Insurance Portability and Accountability Act of
1996 (HIPAA), with the exception of PCI DSS, which is a separate industry security standard
covering payment card transactions. A summary of each topic follows this introduction.

Rules
The U.S. Department of Health & Human Services (HHS) has defined three major rules
under HIPAA: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Privacy: Meant to protect the privacy of individuals’ health information and to govern how
Protected Health Information (PHI) may be used and disclosed by covered entities such as
health plans, health care clearinghouses, and health care providers (HHS, 2003).
Security: This rule sets the “national standards for protecting the confidentiality, integrity,
and availability of electronic PHI” (HHS, 2013). Additionally, it describes who and what
is protected and the safeguards that are required.
Breach Notifications: This rule requires that covered “entities and their business associates
provide notifications following a breach of unsecured PHI” (HHS, 2013). Unsecured PHI
is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized
persons (for example, through encryption). A breach of unsecured PHI must be reported to
the affected individuals without unreasonable delay, and in no case later than 60 calendar
days after the breach is discovered.

Special Topics
The Health Information Technology for Economic and Clinical Health (HITECH) Act,
enacted in 2009, is one of several special topics that HHS addresses alongside the HIPAA rules.
The purpose of the HITECH Act is to “promote the adoption and meaningful use of health
information technology” and to “strengthen the civil and criminal enforcement of the HIPAA
rules” (HHS, 2013). Subtitle D of the HITECH Act addresses the privacy and security concerns
associated with the electronic transmission of health information.

Safeguards
The HIPAA Security Rule defines three categories of safeguards, Administrative, Physical,
and Technical, to ensure appropriate protection of electronic protected health information (HHS,
2013). The HHS Security Series documents define each category as follows:
Administrative Safeguards:
Defined as “administrative actions, and policies and procedures, to manage the
selection, development, implementation, and maintenance of security measures to protect
electronic protected health information and to manage the conduct of the covered entity’s
workforce in relation to the protection of that information” (HHS Security Series #2,
2007).
Physical Safeguards:
Defined as “physical measures, policies, and procedures to protect a covered
entity’s electronic information systems and related buildings and equipment, from natural
and environmental hazards, and unauthorized intrusion” (HHS Security Series #3, 2007).
Technical Safeguards:
Defined as “the technology and the policy and procedures for its use that protect
electronic protected health information and control access to it” (HHS Security Series #4,
2007).

PCI DSS
In addition to protecting PHI, HIC, Inc. must comply with PCI DSS because it handles
payment card transactions. The PCI Security Standards Council describes the standard’s goal as
being able to “secure cardholder data that is stored, processed and/or transmitted by entities
completing payment card transactions” (PCI Security Standards Council, 2016).

Local State Regulatory Laws
Because HIC, Inc. operates in the state of California, state laws also apply to the
company. These include:
General Privacy Protections:
Additional penalties for companies and individuals who “knowingly and willfully
obtain, disclose, or use medical information in violation of the Confidentiality of Medical
Information Act (CMIA)” (CHHS, 2019).
Patient’s Right to Access:
California affords individuals additional rights to access both health records and
laboratory results via the Internet or other electronic means, with patient consent that is
consistent with CMIA (CHHS, 2019).
Breach Notifications:
Should a breach occur, California law requires that each individual affected by the
breach be notified if the compromised records contain personal information (CHHS, 2019).

References
PCI Security Standards Council. (2016, May). The Prioritized Approach to Pursue PCI DSS
Compliance. Retrieved from PCI Security Standards:
https://www.pcisecuritystandards.org/documents/Prioritized-Approach-for-PCI_DSS-v3_2.pdf
State of California Office of Health Information Integrity (CHHS). (2019). Federal and State
Health Laws. Retrieved from https://www.chhs.ca.gov/ohii/health-laws/
U.S. Department of Health & Human Services. (2003, May). Summary of the HIPAA Privacy
Rule. Retrieved from https://www.hhs.gov/sites/default/files/privacysummary.pdf
U.S. Department of Health & Human Services. (2007, March). Security Standards: Administrative
Safeguards. Retrieved from HIPAA Security Series:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/adminsafeguards.pdf
U.S. Department of Health & Human Services. (2007, March). Security Standards: Physical
Safeguards. Retrieved from HIPAA Security Series:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/physsafeguards.pdf
U.S. Department of Health & Human Services. (2007, March). Security Standards: Technical
Safeguards. Retrieved from HIPAA Security Series:
https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
U.S. Department of Health & Human Services. (2013, July 26). Breach Notification Rule.
Retrieved from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
U.S. Department of Health & Human Services. (2013, July 26). HITECH Act Enforcement Interim
Final Rule. Retrieved from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
U.S. Department of Health & Human Services. (2013, July 26). Summary of the HIPAA Security
Rule. Retrieved from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html
