Security Basics mailing list archives

Re: hipaa guidance


From: "Impulse" <filkins () impulse net>
Date: Fri, 14 Oct 2005 05:39:08 -0700

Go look at the SANS SBS book if you can get your hands on one, as well as
some of the practicals.
HIPAA security is largely dependent on your documentation.  First, determine
how privacy applies to you.  Second, understand your electronic protected
healthcare information flows.  Third -- do your risk analysis -- check out
Octave -- with a 10 person non-profit the process should be really simple.
Fourth, document your results.  And finally, develop your plan.  Then you will
know what you need to do administratively, physically, and technically.
There is no real 'formula' -- just some common sense on what is reasonable
for your organization.
----- Original Message ----- 
From: "Dana" <absolutezero273c () myrealbox com>
To: <security-basics () securityfocus com>
Sent: Thursday, October 13, 2005 5:22 AM
Subject: Re: hipaa guidance



John,

I appreciate you taking the time to respond.  I also appreciate the input
from everyone else that has responded.

I did spend time googling hipaa security.  I also specifically looked at the
information SecurityFocus has made available, particularly the article by
Steven Weil, as well as past applicable posts to the SecurityFocus
'security-basics' list.

Unfortunately what I have found does not provide me with enough detail to
assist me in making a 'comfortable' recommendation to my client.

Not that I was looking for a checklist, but something that was not so vague,
as the current legislation is.  I realize that hipaa must be vague as to
encompass every possible organization from 5 employees to 5 million.

I have read many 'opinions' on how hipaa should be applied.  That includes
legal opinions instructing organizations to be vague in their documentation
so as to prevent infractions but provide enough detail that it is accepted
as a legal hipaa policy.  And unfortunately, for the sake of examples, I
have not found any court cases, outside of the use of Lexis/Nexus, that
would set a precedent.

So I am finding it difficult to apply these policies to a small non-profit
that has less than 10 employees that access the single server housed in the
administrators office.

I believe I have the ability/knowledge/skills to interpret security 'best
practices' and apply them to this size organization but would they stand up
in a court of law?  Don't know. Haven't seen anything telling me otherwise.
It all depends upon the interpretation by the individuals overseeing this
legislation at the particular time of review.

Maybe this should simply be left to the CEO and legal counsel to decide what
kind of liability we (the consulting organization) would like to assume?

Dana

First of all, I recommend that you spend a few more minutes googling
'HIPAA security' - securityfocus itself has an excellent piece on the
subject.

There are, to my knowledge, no free "check all these boxes and you'll be
compliant" HIPAA guides although using existing security standards will
get you close enough.

If you're still in doubt as to how to proceed I would, indeed, recommend
that your client engage someone experienced in HIPAA assessments.

John
