Third-Party Risk Management - HCISPP Study Guide (2015)

HCISPP Study Guide (2015)

Chapter 7. Third-Party Risk Management

Abstract

This chapter discusses the importance and purpose of managing risk associated with third parties. This includes understanding the definition of third parties, risk assessment and management activities, and requirements for maintaining a third-party inventory, applying security standards and practices, determining assessment requirements, and addressing incident response and connectivity requirements.

Keywords

Third-party risk management

Security

Privacy

Risk assessment

Incident notification

Incident response

Third-party connectivity

This chapter will help candidates

Understand definition of third parties

Understand importance of third-party inventory

Identify and implement third-party standards and practices

Determine need for third-party assessments

Coordinate incident response with third parties

Establish third-party connectivity

Identify and correct third-party risks

Introduction

As few healthcare organizations successfully operate without enlisting support from third-party service providers who will access, process, or store patient information, healthcare organizations must understand their responsibilities and proactively manage risks associated with these relationships. To do so, healthcare organizations must understand the definition and maintain an inventory of third parties, apply management standards and practices, identify need for and conduct third-party assessments, implement incident response plans and procedures, establish secure connectivity, and oversee risk management and completion of corrective action plans.

Knowledge Areas

After reviewing this chapter and supporting reference materials, HCISPP candidates should comprehend the importance and purpose of conducting third-party risk assessments. This includes the definition of third parties, identifying assessment requirements, application of management standards and practices, incident response involving third parties, and third-party risk management activities.

Definition of third parties

By law, the HIPAA Privacy Rule applies only to covered (primary) entities including health plans, healthcare clearinghouses, and certain healthcare providers. However, most healthcare providers and health plans do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses (third parties). The Privacy Rule allows covered entities to disclose protected health information to these third parties (referred to as “business associates”) if the covered entities obtain satisfactory assurances that the third party will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.

For the purpose of this chapter, remember the following definitions:

Covered entity: The primary entity, such as a health plan, healthcare clearinghouse, or certain healthcare providers, that maintains a direct relationship with patients.

Third parties: Also referred to as business associates, a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Third parties can also be subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate.

Inventory

Covered entities are responsible for creating and maintaining an inventory over time of third parties involved in the processing, storage, and/or transmission of their health information. The third-party inventory should also include additional details of importance such as:

Name of the individual or department who will be responsible for coordinating the execution of business associate or other agreements;

List of systems and information processed, stored, and/or transmitted by the third party including data classification;

Details regarding connectivity and/or data exchanges with the third party; and

Description of services to be provided by the third party such as:

• Claims processing or billing;

• Data analysis;

• Utilization review;

• Quality assurance;

• Benefit management;

• Practice management;

• Repricing;

• Hardware maintenance; or

• All other HIPAA-regulated functions.

It is important to clearly define roles and responsibilities for the covered entity relationship manager and the third party who will process, store, and/or transmit health information. These roles and responsibilities can be defined within the covered entity’s organizational policies and standards and included in contractual agreements (e.g., business associate) where applicable to the third party.

Management standards and practices

When establishing third-party relationships, contractual agreements are required to clearly communicate roles, responsibilities, and requirements pertaining to protecting the confidentiality, integrity, and availability of health information. Under HIPAA, written contracts must be implemented to address:

Permitted use: Establish the permitted and required uses and disclosures of protected health information by the third party

Unauthorized disclosure: Provide that the third party will not use or further disclose the information other than as permitted or required by the contract or as required by law

Safeguards: Require the third party to implement appropriate administrative, physical, and technical safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information

Event notification: Require the third party to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information

Disclosure authorization: Require the third party to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings

Compliance: To the extent the third party is to carry out a covered entity’s obligation under the Privacy Rule, require the third party to comply with the requirements applicable to the obligation

Audit: Require the third party to make available to the covered entity and regulatory bodies its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the third party on behalf of, the covered entity for purposes of determining the covered entity’s compliance with the HIPAA Privacy Rule

Termination: At termination of the contract, if feasible, require the third party to return or destroy all protected health information received from, or created or received by the third party on behalf of, the covered entity

Subcontractors: Require the third party to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the third party with respect to such information

Right to terminate: Authorize termination of the contract by the covered entity if the third party violates a material term of the contract

It is also important to understand the specific locations/countries where information will be processed, stored, or transmitted. In situations where third-party services involve processing, storage, or transmission of health information outside the covered entity’s home country, agreements will need to address jurisdictional matters and additional agreements may be required to ensure compliance with regulatory obligations such as the European Data Protection Directive.

Risk assessment

While legal requirements will vary based on local and regional regulations, generally risk assessments are triggered when a third party will process, store, and/or transmit personal health information or by contractual requirements. However, in order to conduct these assessments, a covered entity will need an agreement in place with a third party that addresses:

Assessment scope (what information is required to complete the assessment, will an on-site inspection of controls be required, etc.);

Notification requirements (will the third party receive 30/60/90 days’ advance notice of an assessment);

Roles and responsibilities for conducting an assessment (will the assessment be performed by the covered entity or an independent third party);

Frequency at which assessments will be performed (annually, semiannually, on request, etc.); and

Remediation of findings (how will remediation be handled, will findings trigger a right to terminate agreement for cause if not remediated, etc.).
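The inventory fields listed above and the assessment terms agreed in the third-party agreement are only useful if someone actually checks them. The following is an added example, not code from the study guide: it holds one inventory record per third party, applies an assumed assessment cadence by data classification, and flags the gaps a relationship manager should act on (no business associate agreement although PHI is handled, no owner, undocumented connectivity, overdue assessment, corrective actions past due). Field names, the cadence table and the three vendor records are assumptions and constructed sample data.

```python
"""Third-party inventory review for a covered entity.

Added example (not from the study guide). It combines the inventory fields
from the Inventory section with the assessment frequency and remediation
terms agreed under Risk assessment, and flags records a relationship
manager should act on. Field names, the cadence table and the vendor
records are assumptions / constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed assessment cadence (days) by classification of the data the third
# party handles; a real program takes this from the signed agreement.
ASSESSMENT_INTERVAL_DAYS = {"high": 365, "medium": 730, "low": 1095}


@dataclass
class ThirdParty:
    name: str
    owner: str                            # person/department coordinating agreements
    services: List[str]                   # claims processing, data analysis, ...
    phi_systems: List[str]                # systems that store/process/transmit PHI
    classification: str                   # high / medium / low
    baa_signed: Optional[date]            # business associate agreement date
    connectivity: Optional[str]           # sftp, site-to-site VPN, API, ...
    last_assessment: Optional[date]
    open_findings_due: List[date] = field(default_factory=list)


def review(tp: ThirdParty, today: date) -> List[str]:
    """Return the gaps found in one inventory record (empty list = in order)."""
    issues: List[str] = []
    handles_phi = bool(tp.phi_systems)
    if not tp.owner:
        issues.append("no relationship owner assigned")
    if handles_phi and tp.baa_signed is None:
        issues.append("handles PHI but no business associate agreement on file")
    if handles_phi and not tp.connectivity:
        issues.append("connectivity / data exchange method not documented")
    interval = ASSESSMENT_INTERVAL_DAYS.get(tp.classification)
    if interval is None:
        issues.append(f"unknown classification {tp.classification!r}")
    elif tp.last_assessment is None:
        issues.append("never assessed")
    elif (today - tp.last_assessment).days > interval:
        issues.append(f"assessment overdue (last {tp.last_assessment.isoformat()})")
    overdue = [d for d in tp.open_findings_due if d < today]
    if overdue:
        issues.append(f"{len(overdue)} corrective action(s) past due")
    return issues


def review_inventory(inventory: List[ThirdParty], today: date) -> Dict[str, List[str]]:
    """Review every record; the result maps third-party name to its issues."""
    return {tp.name: review(tp, today) for tp in inventory}


# Constructed sample inventory and review date.
REVIEW_DATE = date(2015, 6, 1)
SAMPLE_INVENTORY = [
    ThirdParty("Claims clearinghouse", "Revenue Cycle", ["Claims processing"],
               ["claims-gateway"], "high", date(2014, 1, 15), "sftp",
               date(2015, 3, 1)),
    ThirdParty("Analytics vendor", "", ["Data analysis"], ["warehouse-extract"],
               "high", None, None, date(2013, 12, 1), [date(2015, 4, 30)]),
    ThirdParty("Hardware maintenance", "Facilities", ["Hardware maintenance"],
               [], "low", None, None, None),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed sample inventory."""
    return review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for name, issues in run_sample().items():
        print(f"{name}: {'OK' if not issues else '; '.join(issues)}")
```

The analytics vendor is the record the chapter warns about: it receives PHI extracts yet has no agreement, no owner, no documented exchange path, a stale assessment and an open finding past its due date. The hardware maintenance vendor handles no PHI, so the agreement checks do not fire, but it has still never been assessed.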

Assessment and audit support

While requirements for third-party information asset protection controls will vary by covered entity, scope of services and information, and regulatory requirements, they will generally align with the objectives of the covered entity’s information governance and risk management program. Figure 7.1 provides a sample from NIST Special Publication 800-66 Revision 1 of the key administrative, physical, and technical controls and activities required under the HIPAA Security Rule. While all controls may not be required for third parties, it can serve as a guide to assist covered entities with identifying applicable controls, communicating requirements, and monitoring ongoing compliance.

Security Management Process (key activities, with description)

Identify relevant information systems
• Identify all information systems that house EPHI
• Include all hardware and software that are used to collect, store, process, or transmit EPHI
• Analyze business functions and verify ownership and control of information system elements as necessary

Conduct risk assessment
• Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the third party (refer to Chapter 6 for risk assessment methodology)

Implement a risk management program
• Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

Acquire IT systems and services
• Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Considerations for their selection should include: applicability of the IT solution to the intended environment; the sensitivity of the data; the organization’s security policies, procedures, and standards; and other requirements such as resources available for operation, maintenance, and training

Create and deploy policies and procedures
• Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks
• Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices
• Create procedures to be followed to accomplish particular security-related tasks

Develop and implement a sanction policy
• Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the third party
• Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization’s security policies
• Implement sanction policy as cases arise

Develop and deploy the information system activity review process
• Implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports
• Develop appropriate standard operating procedures
• Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports

Implement the information system activity review and audit process
• Activate the necessary review process
• Begin auditing and logging activity

Assigned Security Responsibilities (key activities, with description)

Select a security official to be assigned responsibility for HIPAA security
• Identify the individual who has final responsibility for security
• Select an individual who is able to assess effective security and to serve as the point of contact for security policy, implementation, and monitoring

Assign and document the individual’s responsibility
• Document the assignment to one individual’s responsibilities in a job description
• Communicate this assigned role to the entire organization

Workforce Security (key activities, with description)

Implement procedures for authorization and/or supervision
• Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed
• Establish clear job descriptions and responsibilities
• Define roles and responsibilities for all job functions
• Assign appropriate levels of security oversight, training, and access
• Identify in writing who has the business need – and who has been granted permission – to view, alter, retrieve, and store EPHI, and at what times, under what circumstances, and for what purposes

Establish criteria and procedures for hiring and assigning tasks
• Ensure that staff members have the necessary knowledge, skills, and abilities to fulfill particular roles
• Ensure that these requirements are included as part of the personnel hiring process

Establish a workforce clearance procedure
• Implement procedures to determine that the access of a workforce member to EPHI is appropriate
• Implement appropriate screening of persons who will have access to EPHI
• Implement a procedure for obtaining clearance from appropriate offices or individuals where access is provided or terminated

Establish termination procedures
• Implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required
• Develop a standard set of procedures that should be followed to recover access control devices (e.g., identification badges, access cards)
• Deactivate computer access accounts

Information Access Management (key activities, with description)

Isolate healthcare clearinghouse functions
• If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization
• Determine if a component of the third party constitutes a healthcare clearinghouse under the HIPAA Security Rule
• If no clearinghouse functions exist, document this finding. If they do, ensure implementation of procedures for access consistent with the HIPAA Privacy Rule

Implement policies and procedures for authorizing access
• Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism
• Decide how access will be granted to workforce members within the organization
• Select the basis for restricting access
• Select an access control method (e.g., identity-based, role-based)
• Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., third parties, subcontractors)

Implement policies and procedures for access establishment and modification
• Implement policies and procedures that, based on the organization’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
• Establish standards for granting access
• Provide formal authorization from the appropriate authority before granting access to sensitive information

Evaluate existing security measures related to access controls
• Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate
• Determine if these security features involve alignment with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authorization of users, and physical access controls


FIGURE 7.1 Sample of NIST key activities for HIPAA Security Rule.

Communication of Findings

Findings resulting from completed third-party assessments should be clearly communicated to management at both the covered entity and third party. Treatment decisions and action plans should be agreed between the parties, documented in writing, and formally tracked until remediation has been completed.

Incident notification and response

Attacks frequently compromise personal and business data, and it is critical to respond quickly and effectively when security incidents occur. The concept of incident response has become widely accepted and implemented. One of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that appropriate actions are taken. Incident response helps organizations to minimize loss or theft of information and disruption of services, and reduce overall risk associated with incidents. Another benefit is the ability to use information gained during incident handling to help the organization better prepare for handling future incidents and provide stronger protection for systems and data. Sound incident response capabilities also help in dealing with legal issues that may arise during or after incidents.

Internal Processes for Incident Response

Organizations should define and implement policies, processes, and procedures to appropriately address security incidents in a timely manner as they arise. As described in NIST’s Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide, the incident response process includes several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis, for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. Figure 7.2 illustrates the relationship between the various phases during the incident response life cycle.


FIGURE 7.2 NIST incident response life cycle.

Incident Response Relationship Between Covered Entity and Third Party

Strong relationships, contractually defined roles and responsibilities, and close coordination are critical between covered entities and third parties when incidents occur. Roles and responsibilities should be clearly defined and requirements included within contractual agreements where appropriate such as:

Notification point(s) of contact;

Expectations regarding timely notification of incidents; and

Agreements to cooperate and mitigate potential covered entity risk.

Third parties must provide a reasonable assurance of being able to report suspected incidents to a covered entity in a timely manner so a covered entity can initiate its own incident response process and procedures.

Breach Identification, Notification, and Initial Response

Depending on where a covered entity conducts business, it may have to comply with various local, state, and/or federal regulations that require notification of suspected incidents within a specific time frame. Because a regulatory notification clock starts from the discovery of a breach (the first day it is known, or by exercising reasonable diligence would have been known), it is increasingly important that third parties notify a covered entity of an incident as soon as reasonably possible. For example, the HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured protected health information. Under the rule, a covered entity must notify the affected individuals without unreasonable delay and no later than 60 calendar days after discovery of the breach. Breaches affecting 500 or more individuals must also be reported to the Secretary of Health and Human Services within the same 60-day window (smaller breaches are logged and reported to the Secretary within 60 days after the end of the calendar year in which they were discovered), and breaches affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets serving that area. A business associate must notify the covered entity without unreasonable delay and no later than 60 days after the business associate discovers the breach; since the covered entity’s own clock may already be running, the contractual notification period should be far shorter than that regulatory maximum.

As a result, third-party agreements should clearly communicate breach notification and incident response expectations including point(s) of contact at the primary entity and what information must be reasonably provided to assist with risk assessment and appropriate response activities such as type of information and number of records involved in the breach. Agreements should also address whether the primary entity or third party will be responsible for issuing notifications and that both organizations agree to fully cooperate with and participate in an investigation should either be required.
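The thresholds and windows in the Breach Notification Rule are easy to misremember under pressure, so the following added example (not code from the study guide) encodes them as a deadline calculator. It implements the rule as it stood in 2015 (45 CFR 164.404 through 164.410): individuals within 60 calendar days of discovery; the Secretary within the same window when 500 or more individuals are affected, otherwise via the annual log due 60 days after year end; media when more than 500 residents of one state or jurisdiction are affected; and a business associate to the covered entity within 60 days of its own discovery. The sample breach is constructed, and the computed dates are outer limits; the "without unreasonable delay" obligation still applies.

```python
"""HIPAA Breach Notification Rule: outside deadlines for a breach of
unsecured PHI.

Added example (not from the study guide). Encodes the 2015 rule
(45 CFR 164.404-164.410): individuals within 60 calendar days of discovery;
the Secretary within the same 60 days when 500 or more individuals are
affected, otherwise logged and submitted within 60 days after the end of the
calendar year of discovery; prominent media when more than 500 residents of
one state or jurisdiction are affected; a business associate must notify the
covered entity within 60 days of its own discovery. Sample breach is constructed.
"""
from datetime import date, timedelta
from typing import Dict

# Outer limit for every notice; "without unreasonable delay" still applies.
NOTICE_WINDOW = timedelta(days=60)


def notification_deadlines(discovered: date, affected: int,
                           max_per_state: int) -> Dict[str, date]:
    """Return who must be notified and the last permissible day for each.

    discovered     date the covered entity discovered (or should have
                   discovered) the breach
    affected       total individuals whose unsecured PHI was breached
    max_per_state  largest number of affected residents in any one state
                   or jurisdiction (this drives the media notice)
    """
    if affected < 1 or max_per_state < 0 or max_per_state > affected:
        raise ValueError("inconsistent breach counts")
    deadlines = {"individuals": discovered + NOTICE_WINDOW}
    if affected >= 500:
        deadlines["secretary"] = discovered + NOTICE_WINDOW
    else:
        # Fewer than 500: annual log, due 60 days after the end of the year.
        deadlines["secretary"] = date(discovered.year, 12, 31) + NOTICE_WINDOW
    if max_per_state > 500:
        deadlines["media"] = discovered + NOTICE_WINDOW
    return deadlines


def business_associate_deadline(ba_discovered: date) -> date:
    """Last day a business associate may notify the covered entity (164.410).
    Contracts should set a much shorter period: the covered entity's own
    60-day clock may already be running."""
    return ba_discovered + NOTICE_WINDOW


SAMPLE_DISCOVERED = date(2015, 4, 10)   # constructed discovery date

if __name__ == "__main__":
    for affected, per_state in ((1200, 900), (120, 120)):
        due = notification_deadlines(SAMPLE_DISCOVERED, affected, per_state)
        for party, day in due.items():
            print(f"{affected:5d} affected -> notify {party:11s} by {day.isoformat()}")
```

Note the two different thresholds: the Secretary notice switches at 500 or more individuals in total, while the media notice requires more than 500 residents of a single state or jurisdiction, so a 1,200-person breach spread thinly across many states may need no media notice at all.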

For situations where an incident has occurred as a result of suspected illegal or malicious activities, law enforcement should be engaged and maintaining evidence chain of custody becomes increasingly important. To maintain chain of custody, you must document the preservation of evidence from the time it is collected to the time it is presented in court. To prove the chain of custody, and ultimately show that the evidence has remained intact, prosecutors will generally need individuals who can testify:

That the evidence offered in court is the same evidence they collected or received;

To the time and date the evidence was received or transferred to another provider; and

That there was no tampering with the item while it was in custody.
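The three points a witness must testify to map directly onto what a custody record has to capture: the identity of the item, every hand-off with its time, and proof the item was not altered in between. The following is an added example, not from the study guide: a minimal custody log in which every collection or transfer records the SHA-256 of the item as received, and entries are hash-chained so that editing or deleting an earlier entry is itself detectable. It supports, but does not replace, signed custody forms and witness statements. The people, timestamps and evidence bytes are constructed sample data.

```python
"""Evidence chain-of-custody record with integrity hashes.

Added example (not from the study guide). Each custody event records who
handed the item to whom and when, with the SHA-256 of the item at that
moment; events are hash-chained so altering an earlier entry is detectable.
People, timestamps and the evidence bytes are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

GENESIS = "0" * 64   # previous-entry hash used for the first event


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(prev: str, when: str, action: str, src: Optional[str],
                dst: str, digest: str) -> str:
    """Hash of one log entry, bound to the entry before it."""
    return sha256_hex(f"{prev}|{when}|{action}|{src}|{dst}|{digest}".encode())


@dataclass
class CustodyEvent:
    timestamp: str             # ISO 8601, UTC
    action: str                # "collected" or "transferred"
    from_person: Optional[str]
    to_person: str
    sha256: str                # digest of the item as received
    entry_hash: str            # chains this event to the previous one


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    original_sha256: str       # reference digest taken at collection
    events: List[CustodyEvent] = field(default_factory=list)

    def _record(self, action: str, src: Optional[str], dst: str,
                digest: str, when: str) -> None:
        prev = self.events[-1].entry_hash if self.events else GENESIS
        self.events.append(CustodyEvent(
            when, action, src, dst, digest,
            _entry_hash(prev, when, action, src, dst, digest)))


def collect(item_id: str, description: str, data: bytes,
            collector: str, when: str) -> EvidenceItem:
    """Open the custody record; the digest taken now is the reference."""
    digest = sha256_hex(data)
    item = EvidenceItem(item_id, description, digest)
    item._record("collected", None, collector, digest, when)
    return item


def transfer(item: EvidenceItem, data: bytes, src: str, dst: str, when: str) -> bool:
    """Record a hand-off. The receiver re-hashes what was actually received,
    so the log shows whether the item was intact at the moment of transfer."""
    digest = sha256_hex(data)
    item._record("transferred", src, dst, digest, when)
    return digest == item.original_sha256


def verify_chain(item: EvidenceItem) -> bool:
    """True if every recorded digest equals the original and no log entry
    has been altered or removed since it was written."""
    prev = GENESIS
    for ev in item.events:
        expected = _entry_hash(prev, ev.timestamp, ev.action, ev.from_person,
                               ev.to_person, ev.sha256)
        if ev.entry_hash != expected or ev.sha256 != item.original_sha256:
            return False
        prev = ev.entry_hash
    return True


# Constructed sample: forensic image of a vendor-managed laptop drive.
SAMPLE_IMAGE = b"constructed disk image contents for EV-2015-017"

if __name__ == "__main__":
    item = collect("EV-2015-017", "laptop drive image", SAMPLE_IMAGE,
                   "Analyst A", "2015-03-02T09:15:00Z")
    transfer(item, SAMPLE_IMAGE, "Analyst A", "Evidence custodian",
             "2015-03-02T11:00:00Z")
    print("chain intact:", verify_chain(item))
```

A transfer that returns False should stop the hand-off and be escalated rather than quietly logged: once the digest diverges, the item can no longer be shown to be the one collected.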

Establishing connectivity

Covered entities should ensure completion of risk assessments, treatment of risk, and execution of contractual agreements prior to establishing third-party connectivity. They should also assess their level of trust for the third party and understand requirements for connectivity, system access, and data exchanges to ensure the implementation of appropriate safeguards (or standards) to guard against unauthorized data access.

Trust

A covered entity’s level of trust can be assessed based on the results of the covered entity’s risk assessment, identified deficiencies, and status of remediation plans. Organizations can also take into consideration information such as a third party’s historical track record of protecting information and any assurances provided by an independent and mutually trusted third party. Next, the covered entity needs to understand what (if any) information will be exchanged and the classification (or sensitivity) of the information, always taking care to minimize what is shared to only that which is required. Finally, the organization needs to understand if the third party will require direct access to its systems. If access is required, the third party should be required to comply with the covered entity’s policies and access should be granted on a role-based, need-to-know, and least privileged basis.

Safeguards

When establishing third-party connectivity, requirements for administrative, physical, and technical safeguards should be identified. Once identified, controls should be appropriately implemented to protect the confidentiality, integrity, and availability of the covered entity’s information and information systems. Refer to Figure 7.1 or NIST Special Publication 800-66 for examples of activities and controls required under the HIPAA Security Rule.

Connection Agreements

Connection agreements can be used to define and mutually agree on the type of connectivity that will be established between the parties. The agreements can also address administrative, physical, and technical safeguards that either party must implement and maintain as a condition of establishing connectivity. These can be either included within a business associate agreement or handled separately.

Promoting awareness of requirements

Information Flow Mapping and Scope

Healthcare organizations need to understand how information flows between systems and within the organization as part of the information life cycle and to support their mission. They also need to understand the role of third parties and how the information they access, process, and store fits into the equation. This will help improve an organization’s ability to manage risk and ensure sensitive information is appropriately protected throughout its life cycle, regardless of where it is accessed, processed, or stored.

Data Sensitivity and Classification

To determine the value and risk associated with data, an organization must first assess the confidentiality, integrity, and availability requirements that pertain to the data. These requirements can come from the business, be driven by local, state, and federal regulatory requirements that apply to certain types of data (e.g., electronic personal health information, personally identifiable information), or a combination of both. Not all data types will share the same sensitivity or classification. For example, a patient’s name in combination with home address does not have the same value or present the same risk as a patient’s name in combination with Social Security number (SSN). As a result, name in combination with home address might be assigned a medium risk classification and require fewer security controls than name in combination with SSN, which might be assigned a high risk classification. The volume of information also affects classification. For example, one patient’s name in combination with SSN has a different value and risk than the names and SSNs of 500 patients.

Once an organization has identified the confidentiality, integrity, and availability requirements of the information shared with a third party and classified it accordingly, it will be better positioned to implement the safeguards required for that classification.

Privacy Requirements

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. Organizations must assess privacy requirements that apply prior to sharing data with a third party to ensure compliance with business and regulatory requirements.

Security Requirements

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. Security requirements are closely associated with privacy requirements and can typically be derived from the classification of the data. Once data have been assigned an appropriate classification based on their confidentiality, integrity, and availability requirements, the administrative, physical, and technical safeguards needed to protect them can be identified.

Risks Associated With Third Parties

The primary healthcare organization is ultimately responsible for the protection of data entrusted to them, whether accessed, processed, or stored internally or shared with their third parties. As such, they must conduct periodic due diligence on their third parties to ensure appropriate administrative, physical, and technical safeguards are implemented to maintain compliance with the primary healthcare organization’s requirements.

Risk remediation

Management, treatment, and corrective action plans associated with third-party risks should be handled and tracked in a manner consistent with the primary healthcare organization’s security and privacy governance practices discussed in Chapters 5 and 6. Likelihood and impact of third-party findings should be assessed, corrective action plans developed and communicated, and remediation tracked as part of ongoing compliance activities by the covered entity. Third-party contractual agreements should also clearly address remediation requirements including who will be responsible for any costs associated with remediation. Once a third party provides an attestation of remediation being completed, the primary healthcare organization should review evidence to validate and ensure risks have been remediated to an acceptable level.

Key terms

Term

Definition

Chain of custody

Documenting the preservation of evidence from the time it is collected to the time it is presented in court

Covered entity

The primary entity, such as a health plan, healthcare clearinghouse, or certain healthcare providers, that maintains a direct relationship with patients

Third party

Also referred to as business associates, a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Third parties can also be subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate

Incident response

Process to help organizations minimize loss or theft of information, disruption of services, and reduce overall risk associated with incidents

Level of trust

Assessed based on the results of the covered entity’s risk assessment, identified deficiencies, and status of remediation plans

Connection agreement

Used to define and mutually agree on the type of connectivity that will be established between the parties

HIPAA Privacy Rule

Requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization

HIPAA Security Rule

Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

Practice Exam

1. The HIPAA Privacy Rule applies only to covered (primary) entities including:

a. Health plans

b. Healthcare clearinghouses

c. Certain healthcare providers

d. All of the above

2. Under HIPAA, written contracts must be implemented to address:

a. Termination

b. Breach reimbursement

c. Event notification

d. a and c

3. Risk assessments are generally triggered when a third party will:

a. Store, process, and/or transmit personal health information

b. Store and/or process personal health information

c. Transmit and/or process personal health information

d. Transmit and/or store personal health information

4. Which NIST Special Publication describes the key administrative, physical, and technical controls and activities required under the HIPAA Security Rule?

a. 800-61 Revision 2

b. 800-39

c. 800-66 Revision 1

d. 800-30 Revision 1

5. Findings resulting from completed third-party assessments should be clearly communicated to:

a. Management at the covered entity

b. Management at the third party

c. a and b

d. None of the above

6. Incident response helps organizations to:

a. Reduce overall risk associated with incidents

b. Minimize disruption of services

c. Minimize loss or theft of information

d. All of the above

7. Which NIST Special Publication focuses on computer security incident response handling?

a. 800-61 Revision 2

b. 800-39

c. 800-66 Revision 1

d. 800-30 Revision 1

8. Under the HIPAA Breach Notification Rule, notification is generally required to the affected individuals, the Secretary, and in certain circumstances, the media within:

a. 30 days

b. 45 days

c. 60 days

d. 90 days

9. A covered entity’s level of trust for a third party can be assessed based on the results of:

a. Identified deficiencies

b. The covered entity’s risk assessment

c. Status of remediation plans

d. All of the above

10. Connection agreements with third parties can be used to:

a. Address administrative, physical, and technical safeguard requirements

b. Define and mutually agree on the type of connectivity established between parties

c. a and b

d. None of the above

11. To determine the value and risk associated with data, an organization must assess data:

a. Confidentiality requirements

b. Integrity requirements

c. Availability requirements

d. All of the above

12. The HIPAA Privacy Rule establishes:

a. National standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically

b. National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

c. International standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically

d. International standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

13. The HIPAA Security Rule establishes:

a. National standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically

b. National standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

c. International standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically

d. International standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity

14. Who is ultimately responsible for the protection of data entrusted to a healthcare organization?

a. Patient

b. Third party accessing, processing, or storing healthcare data

c. Primary healthcare organization

d. Department of Health and Human Services (HHS)

Practice Exam Answers

1. d

2. d

3. a

4. c

5. c

6. d

7. a

8. c

9. d

10. c

11. d

12. a

13. b

14. c

References

Breach Notification Rule, n.d. Breach Notification Rule. N.p., web. September 1, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/>.

Business Associates. Health Information Privacy. Department of Health & Human Services, December 3, 2002. Web. August 15, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/businessassociates.pdf>.

Business Associate Contracts, n.d. Business Associate Contracts. N.p., web. September 1, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html>.

National Institute of Standards and Technology, n.d. An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. NIST Special Publication 800-66 Revision 1. Web. September 1, 2014. <http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf>.

National Institute of Standards and Technology, n.d. Computer Security Incident Handling Guide. NIST Special Publication 800-61 Revision 2. Web. September 1, 2014. <http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf>.

National Institute of Standards and Technology, n.d. Managing Information Security Risk. NIST Special Publication 800-39. Web. July 1, 2014. <http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf>.

SART Toolkit – Develop a SART, n.d. SART Toolkit – Develop a SART. N.p., web. September 1, 2014. <http://ovc.ncjrs.gov/sartkit/develop/issues-coc.html>.

The Security Rule, n.d. The Security Rule. N.p., web. September 1, 2014. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html>.