Security Basics mailing list archives
RE: HIPAA certs
From: "mhunt" <mhunt () hotpop com>
Date: Mon, 3 Mar 2003 20:30:53 -0600
I have been gearing up to do HIPAA COMPSEC audits for about four months now, and have been studying it in depth for about a year. They do not have to be compliant with the security regs until April 2005 (or 2006 if they are a health plan with less than 50 members)... HOWEVER: if there is a disclosure of PHI then I believe they are still responsible and can be fined under the privacy regulations that go into action very soon. They don't have to tighten network security yet, but if they don't and get hacked then they could still be in violation. Originally the security regs and privacy regs were together as one part, but since it took the gov several years to publish the "final" ruling, they decided to extend it a few years.

The idea behind HIPAA network security is electronic enforcement of written policies and risk management. You have to do a risk assessment based on the client's potential disclosure level, i.e. disclosure of an HIV infected person is much worse than disclosure of someone with a cold. You have to do a gap analysis. You have to patch the systems, and make sure that PHI cannot be disclosed in any way. Depending on the medical software used, this would most likely force practices to use NT4/2K/OSX/Unix for desktops that access a PHI database, because other OSes don't have adequate auditing capabilities.

They need to write EVERYTHING THEY DO down. From what I can tell, the first action the gov will make is a request to see documentation and policies. Everyone must have some computer training, and have them sign a form saying they were trained. The SSO must keep track of all this paperwork, and is the contact person for CMS. They need written policies on disaster recovery, security incident procedures, workstation use and security, and several other things.

As other people have noted, it is all available on CMS's website. Or, you could go to my website at http://www.med-is.com and look in the Files area. I've got the original security ruling, the final security ruling, the important parts of the FSR, and several other documents that would help quite a bit in making a practice HIPAA compliant. The site is really slow and looks like crap, so don't complain. I'm in the process of a re-do. Plus, my Definitions has a set of definitions set out by CMS which define things as PHI, security incidents, and so on, so you can talk their jargon better. If you have any additional questions, email me. I am planning to do my first actual HIPAA audit some time next week...

-----Original Message-----
From: JohnNicholson () aol com [mailto:JohnNicholson () aol com]
Sent: Friday, February 28, 2003 4:47 PM
To: Drew () Valleymed org; sflist-secbasic () reliance net; compjma () hotmail com; security-basics () securityfocus com
Subject: Re: HIPAA certs

One important thing to note is that the preamble to the Privacy Rule says that companies must take adequate security precautions as part of the implementation of the Privacy Rule. Some people have suggested that this means that you basically have to comply with the final version of the Security Rule starting on April 14.

John

In a message dated 2/27/2003 2:40:14 PM Eastern Standard Time, Drew () Valleymed org writes:
Just to clarify several of the comments already posted. The HIPAA Privacy Rule goes into effect this April. The HIPAA Security Rule goes into effect in April 2005. Having said that, you can't prove privacy without security! If you are just starting I would agree with Sonja: you have some work to do.

I would also like to call attention to Brian's comment from several days ago.

Brian said: ... Try here:
http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf
from about page 264, especially the grid on the last 3 pages...

I have converted the matrix out of a .pdf and made it look nice in a Word table; if you'd like a copy, email me direct.

Drew
"HIPAA geek"
Current thread:
- Re: HIPAA certs JohnNicholson (Mar 03)
- RE: HIPAA certs mhunt (Mar 04)
- <Possible follow-ups>
- RE: HIPAA certs Robinson, Sonja (Mar 17)