Security Basics mailing list archives

RE: HIPAA certs


From: "mhunt" <mhunt () hotpop com>
Date: Mon, 3 Mar 2003 20:30:53 -0600

I have been gearing up to do HIPAA COMPSEC audits for about four months
now, and have been studying it in depth for about a year.  

They do not have to be compliant with the security regs until April 2005
(or 2006 if they are a health plan with less than 50 members)...HOWEVER:
if there is a disclosure of PHI then I believe they are still
responsible and can be fined under the privacy regulations that go into
action very soon.  They don't have to tighten network security yet, but
if they don't and get hacked then they could still be in violation.

Originally the security regs and privacy regs were together as one
part, but since it took the gov several years to publish the "final"
ruling, they decided to extend it a few years.

The idea behind HIPAA network security is electronic enforcement of
written policies and risk management.  You have to do a risk assessment
based on the client's potential disclosure level, i.e. disclosure of an
HIV-infected person is much worse than disclosure of someone with a
cold.  You have to do a gap analysis.  You have to patch the systems,
and make sure that PHI cannot be disclosed in any way.  Depending on the
medical software used, this would most likely force practices to use
NT4/2K/OSX/Unix for desktops that access a PHI database, because other
OSes don't have adequate auditing capabilities.

They need to write EVERYTHING THEY DO down.  From what I can tell, the
first action the gov will make is a request to see documentation and
policies.  Everyone must have some computer training, and have them sign
a form saying they were trained.  The SSO must keep track of all this
paperwork, and is the contact person for CMS.  They need written policies
on disaster recovery, security incident procedures, workstation use and
security, and several other things.  As other people have noted, it is
all available on CMS's website.  Or, you could go to my website at
http://www.med-is.com and look in the Files area.  I've got the original
security ruling, the final security ruling, the important parts of the
FSR, and several other documents that would help quite a bit in making a
practice HIPAA compliant.  The site is really slow and looks like crap,
so don't complain.  I'm in the process of a re-do.  Plus, my Definitions
page has a set of definitions set out by CMS which define things as PHI,
security incidents, and so on so you can talk their jargon better.

If you have any additional questions, email me.  I am planning to do my
first actual HIPAA audit some time next week...

-----Original Message-----
From: JohnNicholson () aol com [mailto:JohnNicholson () aol com] 
Sent: Friday, February 28, 2003 4:47 PM
To: Drew () Valleymed org; sflist-secbasic () reliance net;
compjma () hotmail com; security-basics () securityfocus com
Subject: Re: HIPAA certs

One important thing to note is that the preamble to the Privacy Rule
says that companies must take adequate security precautions as part of
the implementation of the Privacy Rule.

Some people have suggested that this means that you basically have to
comply with the final version of the Security Rule starting on April 14.

John


In a message dated 2/27/2003 2:40:14 PM Eastern Standard Time,
Drew () Valleymed org writes:
Just to clarify several of the comments already posted.
The HIPAA Privacy Rule goes into effect this April.
The HIPAA Security Rule goes into effect in April 2005.
Having said that, you can't prove privacy without security!
If you are just starting I would agree with Sonja: you have some work
to do.
I would also like to call attention to Brian's comment from several
days ago.
Brian said:...
Try here:

http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf

from about page 264, especially the grid on the last 3 pages...

I have converted the matrix out of a .pdf and made it look
nice in a Word table; if you'd like a copy email me direct.

Drew
"HIPAA geek"