Security Basics mailing list archives

RE: hipaa guidance


From: "Chinnery, Paul" <PaulC () mmcwm com>
Date: Fri, 14 Oct 2005 07:41:52 -0400

If I may just jump in here, check out http://www.hipaadvisory.com/ for more info.  Also, there is a HIPAA email list 
where you should post some of your HIPAA questions.  This list is read and answered by people whose sole job function 
is HIPAA.  Very knowledgeable.  http://www.hipaalert.com for info on how to subscribe.
-----Original Message-----
From: Dana [mailto:absolutezero273c () myrealbox com]
Sent: Thursday, October 13, 2005 8:22 AM
To: security-basics () securityfocus com
Subject: Re: hipaa guidance
John,

I appreciate you taking the time to respond.  I also appreciate the input from everyone else who has responded.

I did spend time googling HIPAA security.  I also specifically looked at the information SecurityFocus has made 
available, particularly the article by Steven Weil, as well as past applicable posts to the SecurityFocus 
'security-basics' list.

Unfortunately what I have found does not provide me with enough detail to assist me in making a 'comfortable' 
recommendation to my client.

Not that I was looking for a checklist, but something that was not so vague as the current legislation is.  I realize 
that HIPAA must be vague so as to encompass every possible organization, from 5 employees to 5 million.

I have read many 'opinions' on how HIPAA should be applied.  That includes legal opinions instructing organizations to 
be vague in their documentation so as to prevent infractions but provide enough detail that it is accepted as a legal 
HIPAA policy.  And unfortunately, for the sake of examples, I have not found any court cases, outside of the use of 
LexisNexis, that would set a precedent.

So I am finding it difficult to apply these policies to a small non-profit with fewer than 10 employees who access 
the single server housed in the administrator's office.

I believe I have the ability/knowledge/skills to interpret security 'best practices' and apply them to this size 
organization but would they stand up in a court of law?  Don't know. Haven't seen anything telling me otherwise. It all 
depends upon the interpretation by the individuals overseeing this legislation at the particular time of review.    

Maybe this should simply be left to the CEO and legal counsel to decide what kind of liability we (the consulting 
organization) would like to assume?

Dana 

> First of all, I recommend that you spend a few more minutes googling
> 'HIPAA security' - securityfocus itself has an excellent piece on the
> subject.
>
> There are, to my knowledge, no free "check all these boxes and you'll be
> compliant" HIPAA guides although using existing security standards will
> get you close enough.
>
> If you're still in doubt as to how to proceed I would, indeed, recommend
> that your client engage someone experienced in HIPAA assessments.
>
> John
