Howard,

Thanks for the reply; you have helped me to narrow my focus to rendering the
data center "HIPAA compliant". Do you have any pointers or URLs that you
can share to any checklists, policies, requirements, etc. for making a data
center compliant?


TIA,

Charles


"Howard C. Berkowitz" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> At 5:23 PM +0000 1/20/03, Charles Riley wrote:
> >Sorry for the OT post, but have searched high and low, and no definite
> >answer in sight. Really, really apologize for the nontechnical nature of
> >this post, but I have reached a wall after searching all over for an
> >answer. I guess you could say that I am "ill" with searching...
> >
> >HIPAA is a medical information protection and privacy act passed by
> >Congress in 1996.  The deadline for complying or getting an extension is
> >this year.  You'll probably see more and more requests like mine as the
> >year goes by, so I figured I'd start things off.
> >
> >HIPAA is currently in a state of flux as far as implementation and
> >enforcement is concerned, as many medical professionals and organizations
> >rush to comply.  Which brings me to my question...
> >
> >In my searches, I see several organizations trumpeting the fact their
> >data centers are "HIPAA certified", meaning that they are cleared to
> >process, store, or otherwise handle medical and private info.
>
> There is no such thing as HIPAA certification, and I do work
> extensively with medical systems.  The best anyone could say is
> "HIPAA compliant", which has fairly established parallels in the
> telephony world, where it is possible to get NEBS certification, but
> extremely expensive and applicable only to one configuration (much as
> was NSA Orange Book certification)
>
> Reputable vendors mean something when they say NEBS compliant, but
> there is much more track record in telephony than in medical
> informatics.
>
> Indeed, there are additional regulations besides HIPAA that may
> become relevant, including 21CFR11 (primarily about human subject
> research), CLIA laboratory accreditation and the DEA regulations for
> electronic prescribing of controlled substances.  All of these do
> include technical, as well as procedural, requirements.  For example,
> DEA specifies the digital signature algorithms and keys, but also has
> requirements for time synchronization to be used on message
> authenticators and events logged.
>
> >How is it possible to
> >achive this certification when there does not seem to be any standards or
> >processes from the U.S. government detailing what will earn the
> >certification?
>
> Again, there isn't.  If an industry group were to get together and
> try to set procedures for doing this, there is an umbrella
> administrative organization that might help -- the National Voluntary
> Laboratory Accreditation Program (NVLAP), which has probably been
> renamed in the normal course of events.
>
> >Does having a couple of tape drives on a server behind a firewall with
> >restricted access qualify a data center to be "HIPAA Compliant"?
>
> If that firewall is connected to the Internet, no.  There are
> specific HIPAA guidelines that would call for 128-bit DES outside the
> firewall.  At present, HIPAA does allow cleartext on dedicated or FR
> facilities, but it appears that an encryption requirement will evolve
> because things like DEA require it.
>
> >Is there a checklist, policy, standard, or procedure for certification
> >required by the U.S. government that I missed in my searches?  If so, I
> >would appreciate getting the links to such information.
>
> They exist in many places; I've got loads of things that I've
> collected for consulting clients.  You have to be selective in what
> you are looking for; I'm sure I don't have everything.  For example,
> there are checklists for design and review of human research, but I
> only scanned those, because my client was concerned with the related
> but separate problem of patient recruitment for clinical trials.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61462&t=61462