Educause Security Discussion mailing list archives

Re: HIPAA Requires Encryption?
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 26 Aug 2010 17:34:49 -0500

Also, take into consideration whether any state laws may apply. The Texas Medical Privacy Act (2001), for example, requires "Any person (or organization) who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc."

State law in this case would supersede and the entity would be required to follow HIPAA mandates.


Paul

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Thursday, August 26, 2010 5:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

The first question: Who is the university's "covered entity" and where are the data records (ePHI) which require HIPAA regulatory safeguard? In other words, which part of the university conducts Medicare/Medicaid billable transactions? Is that group a Hybrid Entity? Is data being co-mingled on the SQL server with non-covered entities? (Often, organizations do not understand if HIPAA is required and assume it is simply because they have patient health records. This is the first thing to find out.)

Next, is there a Privacy or Compliance Officer overseeing the HIPAA program who can furnish details on where all electronic patient transactions take place?

Also, don't forget to look at physical safeguards and archive/data backup. Lost backup tapes or mobile devices (laptops or thumb drives) which are not encrypted have most often been where electronic HIPAA breaches occur.

Feel free to write me back directly if you have more questions. (Previously, I was the CISO for one of the nation's largest metropolitan health departments.)
Best,
Todd A. Plesco, CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979/Fax: (714) 744-7041

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?

Very recently, I inherited the job of focusing information security efforts. In the process of upgrading a SQL server, a question has arisen regarding the provision in HIPAA (Addressable) to encrypt ePHI at rest on both the server and the backup media. It does come at some additional cost, though it's manageable. Before proceeding, however, I thought I'd ask if anyone has suggestions.

Thanks,

--Matthew Link
Director, User Services
Information Services, UCM
660-543-8063
link () ucmo edu