Below are HIPAA HiTech Risk Resources to help you learn more about Information Security, HIPAA Security Compliance Laws and Regulations, The HITECH Act, Data Breach Notification Interim Final Rule, and The Electronic Health Record Incentive Program and Meaningful Use:

HIPAA Security Risk Analysis & resources

The HIPAA Risk Analysis or more specifically the HIPAA Security Risk Analysis required at 45 CFR §164.308(a)(1)(ii)(A) should be performed by all Covered Entities, Business Associates and their Agents and Subcontractors.  Below are resources to help you learn more about and complete a bona fide HIPAA Security Risk Analysis.

• NIST SP800_53_r4_Security and Privacy Controls for Federal Information Systems and Organizations
• Federal Cloud Computing Strategy: Cloud-First
• HHS / OCR Guidance on Risk Analysis Requirements under the HIPAA Security Rule
• NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments
• NIST SP800-34 Contingency Planning Guide for Federal Information Systems
• NIST SP800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach
• NIST SP800-39-final_Managing Information Security Risk 
• NIST SP800-53A, Rev 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans
• NIST SP 800-61 Revision 2, Computer Security Incident Handling Guide
• NIST SP800-111-Guide to Storage Encryption Technologies for End User Devices
• NIST SP800-115 Technical Guide to Information Security Testing and Assessment
• NIST SP800-124-rev1 Guidelines for Managing and Securing Mobile Devices in the Enterprise-DRAFT
• Open Security Architecture (OSA) Coparison of Existing Threat Catalogues
• Basics of Security Risk Analysis and Risk Management
• Reassessing Your Security Practices in a Health IT Environment -A Guide for Small Health Care Practices
• HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals

HIPAA Security Risk Management

• FBI Private Industry Notification (PIN) on Health Systems Cyber Intrusions 
• Promoting Patient Safety Through Effective Health Information Technology Risk Management 
• Federal CIO Council BYOD Resource Toolkit

Business Associates

• Business Associate Omnibus ReadinessCheck™  
• A White Paper for HIPAA Business Associates (And Agents & Subcontractors!) – Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act!
• What Business Associates Need to Know about HIPAA

HIPAA and HITECH OCR Enforcement and Legal Actions

• September 2,2015 – CancerCareGroup Resolution Agreement & Corrective Action Plan
• June 23, 2014- $800,000 HIPAA Settlement in Medical Records Dumping Case – Parkview Health Systems
• May 7, 2014 – Data Breach Results in $4.8 Million HIPAA Settlements – New York Presbyterian & Columbia University Medical Center
• April 16, 2014 Concentra Health Services Resolution Agreement & Corrective Action Plan
• April 11, 2014 QCA Health Plan, Inc. Resolution Agreement & Corrective Action Plan
• March 5, 2014 SKAGIT County Resolution Agreement & Corrective Action Plan
• December 20, 2013 Adult & Pediatric Dermatology, P.C. of Massachusetts Resolution Agreement & Corrective Action Plan 
• August 14, 2013 Affinity Health Plan Resolution Agreement & Corrective Action Plan
• July 8, 2013 WellPoint Resolution Agreement  
• April 5, 2013 Idaho State University Resolution Agreement & Corrective Action Plan
• December 17, 2012 Hospice of North Idaho  Resolution Agreement & Corrective Action Plan 
• September 17, 2102 Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates Inc. Resolution Agreement & Corrective Action Plan
• July 25, 2102 Accretive Health – State of MN Settlement Agreement embedded in SEC 8-K Filing
• June 2012 Alaska Department of Health & Human Services Resolution Agreement / Corrective Action Plan
• March 2012 Blue Cross Blue Shield TN Resolution Agreement / Corrective Action Plan 
• April 2012 Phoenix Cardiac Surgery P.C. Resolution Agreement Corrective Action Plan
• July 2011 University of California Los Angeles Health System Resolution Agreement
• February 2011 Massachusetts General Hospital Resolution Agreement / Corrective Action Plan 
• June 2010 RITE-AID HHS Resolution Agreement & Corrective Action Plan
• July 2010 RITE-AID FTC Agreement Containing Consent Order
• January 2009 CVS Resolution Agreement & Corrective Action Plan
• June 2009 CVS FTC Agreement Containing Consent Order

Healthcare Cybercrime, Fraud and Costs

• FBI Liaison Alert System_A-000039-TT
• FBI Private Industry Notification (PIN) – Health Care Systems and Medical Devices at Risk for Increased Cyber Intrusions for Financial Gain 
• Ponemon 2012 Cost of Cyber Crime Study
• Verizon 2012 Data Breach Investigations Report
• Medical Record Theft, HIPAA Security and HITECH | by David Auge | July 15, 2012
• The Financial Impact of Breached Protected Health Information: A Business Case for Enhanced PHI Security
• Second Annual Benchmark Study on Patient Privacy and Data Security conducted by the Ponemon Institute
• Kroll’s 2011-2012 Annual Global Fraud Report
• RSA Report on Cybercrime and the Healthcare Industry 
• Healthcare Information at Risk: Practical Strategies to Avoid Breaches

HIPAA Security Compliance Laws, Regulations and Guidance

• Practical Guidance for Health Care Governing Boardson Compliance Oversight 5/2015
• Omnibus Final Rule, as published in Federal Register 1/25/2013
• NIST-OCR 2012 HIPAA Security Conference Webcasts and Presentations
• ONC Guide to Privacy and Security of Health Information
• Are You a Covered Entity?
• 2011 HIMSS Security Survey Final Report November 2, 2011 
• Stress, Compliance, and Ethics Survey by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association January 2012
• Squire-Sanders: Update on Privacy and Security Issues for Retail Pharmacies 
• Health Research Institute: Managing patient privacy and security on a new data-sharing playground 
• NIST-OCR 2011 HIPAA Security Conference Webcasts and Presentations
• CERT Common Sense Guide to Prevention and Detection of Insider Threats
• HIPAA Primer by Iron Mountain
• 2010 HIMSS Security Survey
• The Truth About HIPAA, The HITECH Act and Data Backup
• HIPAA Security Data Backup Requirement
• A White Paper for Health Care Professionals – Preparing for the HIPAA Security Rule
• HIPAA Security Final Rule (The Law)
• Journal of AHMA: A Wake Up Call of HIPAA Security Rule
• 2009 HIPAA Compliance Review Analysis And Summary of Results
• HIPAA Survival Guide
• How LiveVault Helps CEs and BAs Become HIPAA and HITECH-Compliant
• NIST Special Publication 800-66: A Resource Guide for Implementing The HIPAA Security Rule

Encryption and Destruction

• Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• SP 800-111-Guide to Storage Encryption Technologies for End User Devices
• FIPS PUB 140-2 SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
• NIST SP 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
• NIST SP 800-113, Guide to SSL VPNs
• NIST SP 800-77, Guide to IPsec VPNs
• Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals
• NIST-SP800-88-Guidelines for Media Sanitization_with-errata

Health Information Exchanges

• AHIMA & HIMSS White Paper: The Privacy  and Security Gaps in Health Information Exchanges

The Electronic Health Record Incentive Program and Meaningful Use

• Meaningful Use Stage 2 Clinical Quality Measures Tipsheet 
• Meaningful Use Stage1 Changes Tipsheet
• Meaningful Use Stage1 vs Stage2 Comparison Tables for Eligible Providers
• Meaningful Use Stage1 vs Stage2 Comparison Tables for Hospitals
• Meaningful Use Stage 2 Overview Tipsheet
• Medicare and Medicaid Programs; Electronic Health Record Incentive Program-Meaningful Use Stage 2 Requirements
• EHR Incentive Program for Medicare Hospitals
• EHR Incentive Program Tip Sheet for Critical Access Hospitals
• Medicare Incentive Payments Tip Sheet for Eligible Professional
• Eligible Professional Stage I Meaningful Use Table of Contents Core and Menu Set Objectives
• Eligible Professional Meaningful Use Stage I Core Measures Measure 15 of 15
• Eligible Hospital and Critical Access Hospital Meaningful Use Core Measure Measure 14 of 14
• 42 CFR Parts 412, 413, 422 et al. Medicare and Medicaid Programs; Electronic Health Record Incentive Program; Final Rule
• Meaningful Use, Privacy and Security “45 CFR Part 170 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology; Final Rule”
• Medicare and Medicaid EHR Incentive Programs
• The “Meaningful Use” Regulation for Electronic Health Records – by David Blumenthal, M.D., M.P.P., and Marilyn Tavenner, R.N., M.H.A. (The New England Journal of Medicine)

The HITECH Act

• Booz | Allen | Hamilton White Paper – Realizing the Promise of Health Information Exchange
• HITECH Act and the HHS Rules – An Assessment of the New Healthcare Privacy Regulations
• OCR’s new Enforcement Officer Valerie Morgan-Alston’s HIPAA Enforcement Presentation
• Health Information Technology for Economic and Clinical Health Act
• Full ARRA Law including The HITECH Act (The Law)
• Notice of Public Rule Making-Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH
• NIST SP800-52 Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations
• NIST SP800-77 Guide to IPsec VPNs
• NIST SP800-88 Guidelines for Media Sanitization
• NIST SP800-111 Guide to Storage Encryption Technologies for End User Devices
• NIST SP800-113 Guide to SSL VPNs

Data Breach Notification Interim Final Rule and Other Data Breach Information

• Anatomy of a Data Breach Disaster 
• Navigant March2011 Data Breach Study 
• White Paper – SaaS Isn’t Just For Productivity Anymore – Innovative PC encryption managed through the Cloud
• Breach Notification for Unsecured Protected Health Information: Interim Final Rule

NIST-OCR 2012 HIPAA Security Conference Presentations

• View or download the presentations from each day of the NIST-OCR 2012 HIPAA Security Conference

State Privacy, Security and Breach Regulations

• Massachusetts’ 201 CMR 1700 STANDARDS FOR THE PROTECTION OF PERSONAL INFORMATION OF RESIDENTS OF THE COMMONWEALTH

Information Security and Privacy Items of Interest

• FTC’s Guide for Assisting Identity Theft Victims 
• Windows ITPro – The Importance of Managing Privileged Accounts
• CDW Elevated Heart Rates: EHR and IT Security 
• 2010 Annual Study-U.S. Cost of a Data Breach by Symantec and Ponemon 
• CBS News Reports: The Risks of Data Breaches on Digital Copiers 
• Information Security and Privacy in Healthcare_Current State of Research
• Top 10 Health Technology Hazards For 2011
• Ponemon Institute Benchmark Study on Patient Privacy and Data Security – November 2010
• ONC Guide to Privacy and Securityof Electronic Health Information

Centers for Medicare & Medicaid Services (CMS) Educational Papers

• Security 101 For Covered Entities
• Security Standards – Administrative Safeguards
• Security Standards – Physical Safeguards
• Security Standards – Technical Safeguards
• Security Standards – Organizational, Policies and Procedures and Documentation Requirements

PCI DSS Security Risk Analysis

• PCI Security Standards Council Information Supplement: PCI DSS Risk Assessment Guidelines- November 2012
• Payment Card Industry Data Security Standard PCI DSS Version 2.0 October 2010

HIPAA Security Compliance Laws, Regulations and Guidance

• Stress, Compliance, and Ethics Survey by the Society of Corporate Compliance and Ethics and the Health Care Compliance Association January 2012

Some of these HIPAA HiTech Risk Resources tips will get you more knowledge in regulatory guidelines.