Here's a link to a whitepaper on the subject of HIPAA's Final Security Rule.
http://www.hipaadvisory.com/regs/finalsecurity/summaryanalysis.htm

While I don't know one way or another if there's a source code mandate in the Security Rule, under the Technical Safeguards header, it says that covered entities must implement "Policies and procedures to protect EPHI from improper alteration or destruction to ensure data integrity. This integrity standard is coupled with one addressable implementation specification for a mechanism to corroborate that EPHI has not been altered or destroyed in an unauthorized manner."

In all likelihood, a HIPAA auditor would consider a company in breach of that clause if EPHI (Electronic Personal Health Information) were in the hands of a 3rd party vendor, unless the standards in the next header, "Business Associate Contracts", were maintained. Quoting:

"For relationships where a third party is used to create, receive, maintain or transmit EPHI on the covered entity's behalf, the Security Rule requires the business associate to:
* Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of the covered entity's EPHI;
* Ensure that its agents and subcontractors to whom it provides EPHI meet the same standard;
* Report to the covered entity any security incident of which it becomes aware; and
* Ensure that the contract authorizes termination if the business associate has violated a material term."

The thing is, if HIPAA is handled the way Sarbanes-Oxley and DCAA (Defense Contractor Auditing Agency) are handled, what you have is a broad set of guidelines, and an auditing team that determines whether or not you are following those guidelines. I've only gone through one SarBox audit, but with the DCAA, the standards of what is and is not acceptable vary wildly from site to site, and from audit team to audit team.

Just some thoughts.
Matt Osbun
Web Developer
Health Systems, International

-----Original Message-----
From: Jochem van Dieten [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 06, 2005 4:57 AM
To: CF-Talk
Subject: Re: OT - Security Of Sensitive Data

I am not very familiar with HIPAA regulations, but it sounds like they are something like the procedural and technical guidelines from the Dutch Data Protection Authority. Those guidelines mandate that if you store class 2 or higher personal data (lots of relatively harmless data like name and address, or a little bit of sensitive data like health records), you need to have access to the source code of every piece of software you use to process that data. Does the HIPAA mandate something similar?

Jochem

