Jeff: Not true based on the proposed security rule. There is actually NO language specific to laptops, mobile computers or "in the field", only to the type of communications network. In fact, in the Background section it states that the rule shall: "7. Be technologically independent of the computer platforms and transmission protocols used in electronic health transactions, except when they are explicitly part of the standard." A laptop used "in the field" (I assume a standalone PC) would actually be one of the easiest scenarios with which to comply. You only need to be password protected (application), have physical control of media (i.e. don't leave your laptop unattended), have audit controls for data and employ auto logoff (notwithstanding the normal awareness, training and documentation requirements). I have no idea what your vendor was getting at. I hope he/she was not even inferring that the PDA was more, or even as, secure as a laptop, but that is not really the issue. The type of network the device is communicating with (let's assume a wireless connection to a LAN/WAN network with internet access) dictates your level of compliance issues, NOT the type of device.
Closed Network - Where the network is via dedicated lines owned or controlled by the entity and not connected to any "public" network, the following must be in place:
- Integrity Controls (ensure the validity of the data)
- Message Authentication (received matches sent)
- One of the following:
  - Access Controls (already required)
  - Encryption

Open or Public Network (internet) - Where the network is open (e.g., shared data line, Internet, switched WAN), then the following must be in place:
- Alarm (IDS)
- Audit Trail
- Entity and User Authentication
- Event Reporting
- Encryption

FYI: I personally would employ some encryption beyond WEP for the wireless part. Also, any mobile device raises some physical security concern (i.e. leaving it unattended), but so does leaving the back entrance to the office/clinic/hospital unlocked.

Eddie G. Anderson
204 Blue Crab Cove
Emerald Isle, NC 28594
Phone 252-354-5111
Fax 866-286-8038
email [EMAIL PROTECTED]

-----Original Message-----
From: Jeff Carswell [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 9:20 PM
To: '[EMAIL PROTECTED]'
Subject: Laptop Security Compliance

Recently our company was visited by a vendor selling a Palm based EMR solution and they made the statement, "Under HIPAA there is no way to make a laptop compliant if it is being used out in the field". Can this really be true?? If anyone has additional info or links to regs that speak directly to this issue it would be greatly appreciated. Thanks.

Jeff Carswell
Vice President, Corporate Development
Affiliated Sante Group

**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
**********************************************************************
