Bugtraq mailing list archives

RE: Microsoft technologies. By default, non-HIPAA compliant?


From: "Tina Bird" <tbird () precision-guesswork com>
Date: Tue, 6 Jul 2004 13:55:37 -0700


Lastly: "But the cost of having that feature custom coded is beyond
what most small offices would even consider when MS's 'X' is built right
in..." What part of HIPAA states "But if it is too difficult or costs
too much, just forget the whole thing"?

Actually, that would be embedded in the definition of "addressable"
specifications:

http://www.medical.philips.com/main/company/connectivity/hipaa/hipaa_security_rule.html

"To meet these requirements a Covered Entity must implement administrative,
physical and technical security standards. Implementation specifications for
the standards are categorized as being "required" or "addressable".

Required - The implementation of these specifications is mandatory.
Addressable - Covered Entities will need to do one of the following:
Implement one or more of the addressable implementation specifications,
Implement one or more alternate security measure,
Implement a combination of both; or
Decide not to implement either an addressable implementation specification
or an alternate security measure (If it is not reasonable and appropriate,
the entity must either implement another equivalent measure or, if the
standard can be met another way, choose not to implement the specification
or any equivalent specification. The Covered Entity must document the
reasons for its choice.)"

...or in plainer English, if the covered entity is willing to put down on
paper that the proposed security mechanism is unreasonably expensive or
difficult, they don't have to do it.  I'm pretty sure that a LOT of
healthcare organizations are going to claim that switching to a browser that
is >not< embedded in their desktop-operating-system-of-choice is
prohibitively expensive, and they'll get away with it for at least a while.

i.e., the final version of the Security Rule, released in April 2003, is more
of a guideline than a rule.  In the best pirate spirit.

cheers, tbird
