Dave,
We do a lot of IT work for doctor offices and organizations connected to hospitals and such. We have a document they all had to sign saying that we are not responsible for identifying or resolving issues related to HIPAA compliance, because of these very issues. We make recommendations that, from the IT side, help with security and establish an IT security framework to build on, but the responsibility and liability is squarely with the offices to determine what they have to do to be compliant. Most offices simply will not pay the money to do what is needed.

If you are set on this venture, first get legal counsel to draft a proposal that says that while you are here to consult and provide guidance, ultimately you are not responsible for anything regarding HIPAA directly. Here is the reason. HIPAA is so grey that if the office fails to follow a process, breaks a rule, etc. and they are facing civil/criminal (which means paying dollars), you will be the fall guy... ALWAYS. It's the same concept as tape backup. We install the solution, train them, but we are not responsible for their data if they don't check the status of their backup or fail to swap their tapes. How can you be responsible for what they do or don't do? You can't. Get it in writing.

2. There is no standard form or process that works. Every environment is different: apps, connections, types of service (billing, financial, service), and it even gets more specific based on types of billing and service. Yet all in a strangely gray haze that really just means spend money...

Good luck. I would rather have a root canal every day of my life than maintain compliance with HIPAA regs and reconcile those with doctors...

Greg

From: Jon Harris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2008 3:36 PM
To: NT System Admin Issues
Subject: Re: Hippa Compliance Checklist

Agreed, that is why I refuse to do that work.

Jon

On Tue, Aug 12, 2008 at 2:13 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:

HIPAA compliance is a lot more than a checklist; it's a process, and you need to know what policies and procedures the doctor has in place along with the practices of the partners that that doctor associates with. There are two major pieces of HIPAA you need to deal with: the Privacy Section and the Security Section. A lot of it is vague and not clear cut. There are some good things to do or consider, but I will tell you that information disclosure (unencrypted hardware being used to store patient info) will get you in trouble, and also privacy issues. Again I am going to say this loud and clear: it's not a checklist, it's a process, and it isn't for the faint of heart.

Z

Edward E. Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP, Security+, Network+, CCA
Phone: 401-639-3505

________________________________

From: Jon Harris [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 12, 2008 11:26 AM
To: NT System Admin Issues
Subject: Re: Hippa Compliance Checklist
