The Practical Guide to HIPAA Privacy and Security Compliance, Second Edition




Updated and revised, with several new sections, this one-stop resource for HIPAA privacy and security provides immediately applicable advice for any organization's unique situation. It defines what HIPAA is, what it requires, and what can be done to achieve and maintain compliance. It describes the HIPAA Privacy and Security Rules and compliance tasks in easy-to-understand language and enables organizations to determine how HIPAA will impact them. Anyone preparing an organization for HIPAA laws will receive expert guidance on requirements and other commonly-discussed topics.


Editorial Reviews

From the Publisher

Praise for the New Edition:

The HIPAA regulations are transforming how providers and insurers think about the individually identifiable health information they create and receive every minute of every day. ... There is a potential for serious harm to service levels and even to patient health if misunderstandings as to the dictates of these regulations choke off the exchange of patient-health information. This guide is a good step toward erasing many of those misunderstandings. I commend the authors for their fine efforts at translating a difficult subject into practical terms.
—Mark Lutes, Chairman, Epstein Becker Green, Washington, DC

Praise for the Bestselling First Edition:

The book's main strength is its abundant and varied content. It thoroughly describes the main provisions of HIPAA's security and privacy requirements using actual language from the legislation interspersed with the authors' commentary. This format…helpfully guides readers through the labyrinthine HIPAA requirements.
—Scott Forbes, Microsoft

Rebecca and Kevin have compiled a wealth of knowledge in an easy-to-read, conversational style. This book is packed with useful facts and practical tips that grab and keep your attention as though you are listening to the authors in your own living room. The astute reader will keep a pad of paper and a pile of 'sticky notes' handy. You will no doubt come back to this valuable resource over and over again!
—Michael J. Corby, CCP, CISSP, President and CEO, M. Corby & Associates, Inc.

This is a very comprehensive view of HIPAA privacy and security compliance which provides a pragmatic, step-by-step methodology for understanding and complying with the regulation. The practical checklists, the quizzes which can be used in HIPAA awareness programs, and the pointers to valuable resources are all added benefits.
—Micki Krause, CISSP, Chief Information Security Officer, Pacific Life Insurance


Product Details

  • ISBN-13: 9781439855584
  • Publisher: Taylor & Francis
  • Publication date: 10/20/2014
  • Edition description: Revised
  • Edition number: 2
  • Pages: 544
  • Sales rank: 1,010,447

Meet the Author

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta, Georgia based Principle Logic, LLC. He has worked in IT since 1989 and specializes in performing information security assessments for corporations, security product vendors, independent software developers, universities, government agencies, and nonprofit organizations. Before starting his information security consulting practice in 2001, Kevin served in various information technology and security roles for several health care, e-commerce, financial, and educational institutions.

Kevin has appeared on CNN as an information security expert and has been quoted in The Wall Street Journal, Entrepreneur, Fortune Small Business, Men’s Health, Women’s Health, Woman’s Day, and Inc. Magazine. His work has also been referenced by the PCI Security Standards Council in their PCI DSS Wireless Guidelines. He has given and participated in hundreds of highly rated presentations, panel discussions, seminars, and webcasts on information security and compliance.

Kevin has authored or coauthored 11 information security books, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley) as well as Implementation Strategies for Fulfilling and Maintaining IT Compliance ( He has written dozens of whitepapers and hundreds of articles and guest blog posts, and he is a regular contributor to,,, and Security Technology Executive magazine.

Kevin is the creator and producer of the Security On Wheels audiobooks, which provide security learning for IT professionals on the go ( and its associated blog (http:// He also covers information security and related matters on Twitter (@kevinbeaver) and YouTube (PrincipleLogic). He earned his bachelor’s degree in computer engineering technology from Southern College of Technology and his master’s degree in management of technology from Georgia Tech. He obtained his CISSP certification in 2001 and also holds MCSE, Master CNE, and IT Project+ certifications.

Kevin can be reached through his website ( and invites you to connect to him via LinkedIn (

Rebecca Herold has over 25 years of information privacy, security, and compliance expertise. She is CEO of Privacy Professor® and is a partner for Compliance Helper®. She has led the NIST SGIP Smart Grid Privacy Subgroup since June 2009. She has been an adjunct professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program since 2005. She has written 17 books and hundreds of published articles. She has been invited to speak at a wide variety of events throughout the United States, and in other worldwide locations such as Melbourne, Australia; Bogotá, Colombia; and Naas, County Kildare, Ireland.

Rebecca is widely recognized and respected, and has been providing information privacy, security, and compliance services, tools, and products to organizations in an extensive range of industries for over two decades. Just a few of her awards and recognitions include the following:

  • Rebecca was ranked #2 in the "Top 25 Female Infosec Leaders to Follow on Twitter" in 2014 by Information Security Buzz.
  • Rebecca was named to the ISACA International Privacy Task Force in 2013.
  • Rebecca was named on Tripwire’s list of "InfoSec’s Rising Stars and Hidden Gems: The Top 15 Educators" in July 2013.
  • Rebecca was ranked #5 in the "Top 25 Female Infosec Leaders to Follow on Twitter" in 2013 by Information Security Buzz.
  • Rebecca has been named one of the "Best Privacy Advisers in the World" multiple times in recent years by Computerworld magazine, most recently ranking third in the world in the last rankings provided.
  • In 2012, Rebecca was named one of the most influential people and groups in online privacy by
  • In 2012, Rebecca was named a Privacy by Design Ambassador by the Ontario, Canada Data Privacy Commissioner.

Rebecca is a partner for the Compliance Helper services for health-care organizations and their business associates to meet their HIPAA, HITECH, and other legal requirements. She is a member of the IAPP Certification Advisory Board, and is an instructor for the IAPP’s CIPM, CIPP/IT, CIPP/US, and CIPP foundations classes.

Rebecca currently serves on multiple advisory boards for security, privacy, and high-tech technology organizations. She is frequently interviewed and quoted in diverse broadcasts and publications such as IAPP Privacy Advisor, BNA Privacy & Security Law Report, Wired, Popular Science, Computerworld, IEEE’s Security and Privacy Journal, NPR, and many others. She regularly appears on the Des Moines, Iowa-based Great Day morning television program on KCWI to discuss and provide advice for information security and privacy topics.

Rebecca was born and raised in Missouri and has degrees in math, computer science, and education. She has lived in Iowa on a farm with her family for the past couple of decades, where they raise corn, soybeans, and sunflowers, and make hay. They are currently renovating a house that is over 100 years old. See more about Rebecca, her work, services, and products at:

  • The Privacy Professor ( and
  • Co-Owner, CPO, and CISO, SIMBUS (
  • Partner, Compliance Helper (
  • Adjunct Professor for the Norwich University Master of Science in Information Security and Assurance (MSISA) program (
  • Twitter ID: PrivacyProf (

Table of Contents


Introduction to HIPAA
How HIPAA Came to Be
What HIPAA Covers
Current State of HIPAA Compliance
Overview of the Omnibus Rule Updates
What the HITECH Act Covers
Pending Proposed Rules
Organizations That Must Comply with HIPAA
Organizations That Must Comply with the HITECH Act
HIPAA Penalties and Enforcement
Insight into the Electronic Transactions and Code Sets Rule
Practical Checklist

Related Regulations, Laws, Standards, and Guidance
ARRA and the HITECH Act
Practical Checklist

Preparing for HIPAA, HITECH, and Other Compliance Changes
Managing Change
Creating the Mind-Set
It Is Up to You
Practical Checklist

HIPAA Cost Considerations
Privacy Implementation Costs
Privacy Ongoing Maintenance Costs
Costs Related to Providing Access to PHI
Privacy Officer Costs
Security Implementation Costs
Security Ongoing Maintenance Costs
Security Officer Costs
Practical Checklist
Relationship between Security and Privacy
Privacy Rule and Security Rule Overlaps
Practical Checklist


HIPAA Privacy Rule Requirements Overview

Uses and Disclosures
Incidental Uses and Disclosures
Minimum Necessary Requirement
Business Associates
Notice of Privacy Practices for PHI
Individual Rights to Request Privacy Protection for PHI
Individual Access to PHI
Amendment of PHI
Accounting Disclosures of PHI
PHI Restrictions Requests
Administrative Requirements
Personal Representatives
Transition Provisions
Compliance Dates and Penalties
Practical Checklist

Performing a Privacy Rule Gap Analysis and Risk Analysis
Gap Analysis and Risk Analysis
Practical Checklist

Writing Effective Privacy Policies
Notice of Privacy Practices
Example NPP
Organizational Privacy Policies
Practical Checklist

State Preemption
What Is Contrary?
Exceptions to Preemption
Preemption Analysis
Practical Checklist

Crafting a Privacy Implementation Plan
Some Points to Keep in Mind
Practical Checklist

Privacy Rule Compliance Checklist


Security Rule Requirements Overview
Introduction to the Security Rule
General Rules for Security Rule Compliance
Insight into the Security Rule
Other Organizational Requirements
Reasons to Get Started on Security Rule Initiatives
Practical Checklist

Performing a Security Rule Risk Analysis
Risk Analysis Requirements According to HIPAA
Risk Analysis Essentials
Stepping through the Process
Calculating Risk
Managing Risks Going Forward
Practical Checklist

Writing Effective Information Security Policies
Introduction to Security Policies
Critical Elements of Security Policies
Sample Security Policy Framework
Security Policies You May Need for HIPAA Security Rule Compliance
Managing Your Security Policies
Practical Checklist

Crafting a Security Implementation Plan
Some Points to Keep in Mind
Practical Checklist

Security Rule Compliance Checklist


Health-Care Provider Issues
Privacy Notices
Fees for Record Review
Mitigation Measures
Fax Use
Sheets
Patient Charts
Business Associates
Practical Checklist

Health-Care Clearinghouse Issues
Financial Institutions
Practical Checklist

Health Plan Issues
What Is a Health Plan?
What Is a Small Health Plan?
Health Plan Requirements
Marketing Issues
Notice of Privacy Practices
Types of Insurance Plans Excluded from HIPAA
Government and Law Enforcement
Practical Checklist

Employer Issues
"Small" and "Large" Employers
Health Benefits
Enforcement and Penalties
Organizational Requirements
Health Information
Medical Surveillance
Workers’ Compensation
Practical Checklist

Business Associate Issues
Is Your Organization a Business Associate?
Business Associate Requirements
What You Can Expect to See or Hear from Covered Entities
Common Business Associate Weaknesses
Issues to Consider
Moving Forward
Practical Checklist


Building a HIPAA-Compliant Technology Infrastructure
Areas of Technology to Focus On
Looking Deeper into Specific Technologies
Mobile Computing
Additional Technology Considerations
Practical Checklist

Crafting Security Incident Procedures and Contingency Plans
Handling Security Incidents
Security Incident Procedure Essentials
Basics of Contingency Planning
Moving Forward
Practical Checklist

Outsourcing Information Technology Services
Reasons to Consider Outsourcing
What Functions to Outsource
What to Look For in Outsourcing Firms
Common Outsourcing Mistakes
Practical Checklist


HIPAA Training, Education, and Awareness
Creating an Effective Awareness Program
Identify Awareness and Training Groups
Training Design and Development
Awareness Options
Document Training and Awareness Activities
Get Support
Measure Effectiveness
Practical Checklist

Performing Ongoing HIPAA Compliance Reviews and Audits
Ongoing Cost of Compliance
Privacy Issues
Security Issues
Making Audits Work
Practical Checklist


Appendix A: Enforcement and Sanctions
Appendix B: HIPAA Glossary
Appendix C: Model Incident and Privacy Response Procedures
Appendix D: HIPAA Resources

Further Reading
