Security Basics mailing list archives

RE: HIPAA certs


From: "Garbrecht, Frederick" <FGarbrecht () ecogchair org>
Date: Fri, 21 Feb 2003 08:44:22 -0500

The absence of very specific requirements in the HIPAA regs is a source of a
lot of consternation, but I believe the policies were specifically written
to be vague; the actual 'fit' of security and privacy recommendations will
vary depending on a number of factors that may be unique to each covered
entity.  For example, the security regs will have different implications for
a large health plan with a complex network than for a solo practitioner's
office with a single computer and a cable modem.  There seems to be a
surprising lack of guidance available, as you have found out; most of the
information on the web (aside from the relevant government sites) is not
very helpful because it is put there by consulting groups with a proprietary
interest in selling their expertise.  I've found that the 'HIPAA@IT' books
(available at Amazon) are pretty good at distilling the essential points and
providing the closest thing to a checklist that you can follow to perform
gap analysis and subsequently work toward compliance.  There are also some
software tools available that will perform the analysis for you as well, but
they tend not to be cheap.  The web sources that I find useful are the
HIPAAdvisory site http://www.hipaadvisory.com/, and the government sites:
the HHS Office of Civil Rights, for the privacy regs ->
http://www.hipaadvisory.com/, and the Centers for Medicare and Medicaid
(CMS) -> http://www.cms.hhs.gov/hipaa/.

I don't think that anyone has any experience at this point with HIPAA
inspections (at least insofar as privacy and security rule compliance is
concerned).  The HIPAA privacy rules have not taken effect yet (compliance
due date is April 14th of this year); the final security reg was only
published in the Federal Register yesterday, and the compliance date will be
at least a year away. 

Frederick Garbrecht, M.D., GSEC
Garbrecht Consulting




-----Original Message-----
From: Jason Hastain [mailto:hastain () sbcglobal net]
Sent: Thursday, February 20, 2003 1:29 PM
To: security-basics () securityfocus com
Subject: HIPAA certs


hey all,

I have a few clients who are doctors running small practices.  They have
small LANs and DSL connections behind a simple NAT router/firewall in one
case and personal FWs in the other (unfortunately not my decision in either
case).

Each has approached me about the HIPAA certs in the last week.  I have read
through what seems like reams of pages on it but have been unable to deduce
anything other than general good security practices.  Strong passwords,
offsite encrypted backups, real firewalls, etc. and so on.

Can anyone shed some light onto this subject or point me to a document with
only the IT requirements, preferably boiled down to something simple?

And also, has anyone had any experience yet with the HIPAA investigators or
quality control people checking on a site?  Any ideas what they are looking
for?

I understand it is a 20k dollar fine for each infraction so I would hate for
it to be on my watch.

tia

Jason Hastain
Hastain Consulting
