Howard, do you have an opinion you would care to share publicly regarding organizations such as TruSecure and their HIPAA initiatives? Worth considering? Studying?
"Howard C. Berkowitz" wrote in message news:[EMAIL PROTECTED]...
> At 8:06 PM +0000 1/20/03, Charles Riley wrote:
> >Priscilla,
> >
> >Thank you for the reply. I had actually already checked most of these
> >sites here. There is a great focus on getting the providers into
> >compliance, but very little information about certifying the networks,
> >servers, storage devices, and other infrastructure used to support the
> >creation, transport, and sharing of medical information...very very very
> >very little. The most I have found is a brief paragraph about ensuring
> >that software complies (and no checklist for that either.)
>
> Charles, this is something I'm trying to phrase objectively and
> delicately. There is a certain amount of relevant guidance, not
> necessarily under HIPAA guidance, but elsewhere in government. To
> synthesize this, you need to have a good understanding not necessarily
> of law, but of how healthcare works.
>
> As an example, there are several independent requirements for security
> of different kinds of healthcare information. By far the most stringent
> are those set by the Drug Enforcement Administration for electronic
> prescribing of controlled substances. These go into quite a bit of
> technical specification.
>
> In the position of being a processor of medical information, it's
> probably cost-effective to comply with the most restrictive
> requirements, because healthcare providers do tend to provide a growing
> list of services. So, in the last design I did, I used DEA for the
> crypto, authentication, audit, etc., but 21 CFR 11 (on human subject
> research) for software auditability requirements. There actually were
> challenges in reconciling HIPAA and DEA requirements for user
> authentication.
>
> The reality was that, having an extensive background in medical
> informatics, it still probably took me several months to sort out a
> reasonably clear picture. At some point, I need to see return on my
> research investment. Determining the requirements for a specific
> service, therefore, tends to become the sort of thing where my
> consulting meter starts running. I suspect this would be similar for
> most people involved.
>
> Yes, there are various case studies, but, again, you need to have an
> idea where to look for them -- such as various NIH forums. Recent
> antiterror legislation is putting more constraints on microbiology
> labs -- there are, for example, perfectly reasonable justifications for
> having your own anthrax cultures, but you need to dot the i's and cross
> the t's. Much of this comes from CDC, but there will be a certain
> amount in USDA regulations.
>
> I would say that the pure legal aspect is less important than
> understanding the environment and players. HIPAA, for example, in many
> cases just drops back and says "due diligence", and you need a paper
> trail to demonstrate your design approach.
>
> >In thinking about this, I would not only need a checklist, but
> >applicable clauses, sub-clauses, etc. of the actual HIPAA to comply
> >with. In other words, I need to go back and major in law, or do as you
> >suggest and locate a HIPAA tech specialist, and hope I get one that
> >knows what they are doing.
> >
> >Given all the confusion right now, I wonder if those companies touting
> >their data centers as "HIPAA compliant" are doing the equivalent of
> >individuals putting "CCIE Written" on their resumes?
> >
> >Charles
> >
> >"Priscilla Oppenheimer" wrote in message news:[EMAIL PROTECTED]...
> >> Charles Riley wrote:
> >> >
> >> > Sorry for the OT post, but have searched high and low, and no
> >>
> >> No problem. I don't think it's really OT. HIPAA is going to have a
> >> big effect on many data networks.
> >>
> >> I'm surprised that you say there isn't information available on how
> >> to become HIPAA compliant. There's a lot, isn't there? If companies
> >> are saying that they are HIPAA certified, that's a bit of a misnomer.
> >> I don't think there's any certification, but there is compliance info
> >> available.
> >>
> >> Did you check these links:
> >>
> >> http://www.hipaadvisory.com/
> >>
> >> http://aspe.hhs.gov/admnsimp/
> >>
> >> http://www.cms.hhs.gov/hipaa/
> >>
> >> http://www.hipaa.org/
> >>
> >> I wonder if you could hire a consultant to help you wade through all
> >> the regulations and confusing info from the government. Hopefully
> >> some consultants will specialize in this.
> >>
> >> Priscilla
> >>
> >> > definite answer in sight. Really, really apologize for the
> >> > nontechnical nature of this post, but I have reached a wall after
> >> > searching all over for an answer. I guess you could say that I am
> >> > "ill" with searching...
> >> >
> >> > HIPAA is a medical information protection and privacy act passed by
> >> > Congress in 1996. The deadline for complying or getting an
> >> > extension is this year. You'll probably see more and more requests
> >> > like mine as the year goes by, so I figured I'd start things off.
> >> >
> >> > HIPAA is currently in a state of flux as far as implementation and
> >> > enforcement is concerned, as many medical professionals and
> >> > organizations rush to comply. Which brings me to my question...
> >> >
> >> > In my searches, I see several organizations trumpeting the fact
> >> > their data centers are "HIPAA certified", meaning that they are
> >> > cleared to process, store, or otherwise handle medical and private
> >> > info. How is it possible to achieve this certification when there
> >> > does not seem to be any standards or processes from the U.S.
> >> > government detailing what will earn the certification?
> >> >
> >> > Does having a couple of tape drives on a server behind a firewall
> >> > with restricted access qualify a data center to be "HIPAA
> >> > Compliant"? Is there a checklist, policy, standard, or procedure for
> >> > certification required by the U.S. government that I missed in my
> >> > searches? If so, I would appreciate getting the links to such
> >> > information.
> >> >
> >> > TIA,
> >> >
> >> > Charles

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61648&t=61648