Guidelines for HIPAA Compliance in the Works

[InfoSec News <isn () c4i org>]

http://www.computerworld.com/securitytopics/security/story/0,10801,87492,00.html

Story by Jaikumar Vijayan 
NOVEMBER 24, 2003 
COMPUTERWORLD

Health care organizations looking for more information on how to 
comply with HIPAA security mandates may soon get more help. 
URAC, a nonprofit accreditation agency for the health care industry, 
along with the Workgroup for Electronic Data Interchange and the 
National Institute of Standards and Technology, is developing 
guidelines for implementing HIPAA security policies. 

The Healthcare Security Workgroup, which the three organizations 
created earlier this year, met in Washington last week to discuss how 
to consolidate industry best practices and security standards into a 
set of easily implemented instructions. The goal is to give 
organizations subject to the Health Insurance Portability and 
Accountability Act something they can use to ensure compliance with 
the law's security requirements by the April 15, 2005, deadline, said 
Adam Stone, a member of the workgroup. The group aims to deliver the 
guidelines by the middle of next year. 

"No standard measures exist in the health care industry" to implement 
HIPAA's security requirements, Stone said. "One of the major problems 
with the rule is that it is so broad. There are a million different 
ways to approach it in terms of compliance." 

The workgroup will study how it can adopt and adapt NIST's more 
general security specifications for federal information systems in the 
health care sector, said Lisa Gallagher, senior vice president of 
Washington-based URAC. Similarly, the workgroup will gather 
information on best practices, case studies and other standards 
efforts by organizations such as the Healthcare Information and 
Management Systems Society. 

"We are going to gather all this information and make it available on 
a national basis," Gallagher said, by means of white papers and a 
portal site. 

The community feedback that's being collected by the workgroup is also 
useful in adapting NIST standards for the health care industry, said 
Arnold Johnson, a NIST program manager in Washington. 

"Real standards are very, very [much] needed," said Roger Brown, a 
senior IT auditor at Jefferson Health System, a $2 billion health care 
organization in Radnor, Pa. "Only the economically strong [companies] 
will comply with the intent of the law. Most will spend the absolute 
minimum they think they can get away with." Standards will provide a 
formal yardstick for measuring compliance, he said. 



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.