Educause Security Discussion mailing list archives
Re: HIPAA Requires Encryption?
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Thu, 26 Aug 2010 17:34:49 -0500
Also, take into consideration whether any state laws may apply. The Texas Medical Privacy Act (2001), for example, requires "Any person (or organization) who engages in the practice of assembling, collecting, analyzing, using, evaluating, storing, or transmitting PHI, etc." State law in this case would supersede and the entity would be required to follow HIPAA mandates.

Paul

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Plesco, Todd
Sent: Thursday, August 26, 2010 5:06 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Requires Encryption?

The first question: Who is the university's "covered entity" and where are the data records (ePHI) which require HIPAA regulatory safeguard? In other words, which part of the university conducts Medicare/Medicaid billable transactions? Is that group a Hybrid Entity? (Is data being co-mingled on the SQL server with non-covered entities?) (Often, organizations do not understand if HIPAA is required and assume it is simply because they have patient health records. This is the first thing to find out.)

Next, is there a Privacy or Compliance Officer overseeing the HIPAA program who can furnish details where all electronic patient transactions take place?

Also, don't forget to look at physical safeguards and archive/data backup. Lost backup tapes or mobile devices (laptops or thumb drives) which are not encrypted have most often been where electronic HIPAA breaches occur.

Feel free to write me back directly if you have more questions. (Previously, I was the CISO for one of the nation's largest metropolitan health departments.)

Best,
Todd A. Plesco CISM, CBCP
Chapman University, Director of Information Security
One University Drive, Orange, CA 92866
Phone: (714) 744-7979 / Fax: (714) 744-7041

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Link
Sent: Thursday, August 26, 2010 1:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] HIPAA Requires Encryption?

Very recently, I inherited the job of focusing information security efforts. In the process of upgrading a SQL server, a question has arisen regarding the provision in HIPAA (Addressable) to encrypt EPHI at rest on both the server and the backup media. It does come at some additional cost, though it's manageable. Before proceeding, however, I thought I'd ask if anyone has suggestions.

Thanks,
--Matthew Link
Director, User Services
Information Services, UCM
660-543-8063
link () ucmo edu
Current thread:
- HIPAA Requires Encryption? Matthew Link (Aug 26)
- Re: HIPAA Requires Encryption? Paul Kendall (Aug 26)
- Re: HIPAA Requires Encryption? Plesco, Todd (Aug 26)
- Re: HIPAA Requires Encryption? Paul Kendall (Aug 26)
- Re: HIPAA Requires Encryption? Ozzie Paez (Aug 26)
- Re: HIPAA Requires Encryption? SCHALIP, MICHAEL (Aug 26)
- Re: HIPAA Requires Encryption? Ozzie Paez (Aug 26)
- Re: HIPAA Requires Encryption? Faith Mcgrath (Aug 27)
- Re: HIPAA Requires Encryption? SCHALIP, MICHAEL (Aug 26)