funny, but as a transmission medium, facsimile is considered secure by the payment card industry (PCI) ... then you have to have policies in place for handling the paper output
Erik Goldoff IT Consultant Systems, Networks, & Security _____ From: Jeff Brown [mailto:[email protected]] Sent: Tuesday, June 16, 2009 5:19 PM To: NT System Admin Issues Subject: Re: HIPPA help You need to be able to demonstrate(in writing) that you have thought about how sensitive data is protected. Biggest part of work(and it is ongoing for us) was/is to teach/convince our employees that patient data NOT be sent using email to anyone outside our organization. We have yet to decide email was the only or even preferred method of getting sensitive data to people outside our buildings/network. Up to this point I believe that has saved us a lot of money. I don't know how long we will be able to do things the way we are, which is to say we use the fax machine a lot. Please don't suggest that we are spending more money than we know on faxes, we do almost ALL our business in this local market, so we aren't paying long distance fees on those faxes. I do hate the faxing technology in general though. On Tue, Jun 16, 2009 at 4:03 PM, Bill Lambert <[email protected]> wrote: +2 Bill Lambert Concuity 847-941-9206 -----Original Message----- From: Erik Goldoff [mailto:[email protected]] Sent: Tuesday, June 16, 2009 4:02 PM To: NT System Admin Issues Subject: RE: HIPPA help + 1 HIPAA is a set of *recommendations* for the standard of security, but there are few, if any granular, detail level requirements ... Erik Goldoff IT Consultant Systems, Networks, & Security -----Original Message----- From: Ben Scott [mailto:[email protected]] Sent: Tuesday, June 16, 2009 4:40 PM To: NT System Admin Issues Subject: Re: HIPPA help On Tue, Jun 16, 2009 at 3:40 PM, Bob Fronk <[email protected]> wrote: > I am in the middle of a HIPPA compliance review. One of the > consultants is suggesting that all our email be encrypted because it > may contain HIPPA related information. HIPAA is a mess, and it's been a while for me, but as I recall, the regulations generally don't require specific mechanisms like encryption for particular tasks. You have to take steps to protect it. You don't have to be crazy. Chances are they're just talking out of their rectum. Consultants do that a lot. It's especially common when it comes to compliance; the consults go for overkill "to be safe". Ask them to quote chapter and verse from an actual law or regulation. When they can't, thank them for the suggestion and move on to the next item. -- Ben ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
