Dennis,
Certification and Accreditation processes supply a methodology and process for
determining whether or not something meets a particular specification (in this
case HIPAA). The federal government uses the National Institute of Science and
Technology (NIST) Common Criteria, DoD uses DITSCAP, and the Open Source
Community uses OSSTMM, all defining the industry's best-practice approaches to
complying with a specification. Staff certification falls in the same category.
To exercise due care in a new area where there is no obvious C&A process,
qualified staff must make policy determinations based on other industries' best
practices. One way to determine qualification is to require nationally accepted
certifications, in the same way that medical practitioners are required to pass
licensing exams.
Chris Riley, CISSP

Dennis Melamed wrote:

> HHS is not going to certify any product or individual.
>
> Moreover, you are not going to be able to hide behind someone else's
> "certification" when patients, regulators or trial attorneys come knocking.
>
> For all the regulations, the best you can hope for is that the product is
> CAPABLE of meeting the requirements of each regulation. For example, the
> Privacy Rule has generated a growing number of tools that purport to meet
> the market's need to protect patient confidentiality. So are these policies
> and procedures HIPAA compliant? Maybe. But what good does that do you if you
> don't understand them, apply them to your specific situation or enforce
> them?
>
> The best they can do is offer you tools that can enable or ease your
> compliance tasks.
>
> The same holds true for security. These products can only enable compliance.
> If you need a certain level of encryption, then a product that offers that
> level of encryption -- if you use it -- will meet the requirements of HIPAA.
>
> HIPAA compliant may be a better term to use for these products, assuming
> they do what they claim.
>
> If someone claims to be certified, take a look at who did the certifying,
> and then make a decision about the vendor. Some consulting firms have
> offered this certifying service. So what you have is a third-party
> certifying a product -- not a government entity.
>
> The most important thing to remember: Compliance is an ongoing exercise. It
> never ends. Privacy and security are ongoing responsibilities and you are
> not going to be able to take a product, insert it into your operations and
> then think you have completed your task.
>
> New technologies are going to present new security and privacy challenges.
> These will necessarily require adjustments on your part as well.
>
> Hope this helps,
> Dennis Melamed
> Editor
> Health Information Privacy Alert
> (202) 296-3069
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, May 15, 2002 1:38 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: CERTIFICATION?
>
> REF: Certification
>
> Are you speaking of individuals? Or products?
>
> David Sweigert, M.S., CISSP
> State IT Security Policy Officer
> Office of Statewide IT Policy
> Computer Services Division
> http://www.ohio.gov/itp
>
> From: "Kerri Stone" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> cc:
> Subject: CERTIFICATION?
> Date: 05/15/2002 12:31 PM
>
> Hello.  I am not sure if this has been discussed or not, but I have been
> looking at a number of websites where people claim to do "certification" of
> HIPAA compliance.  And even a few claim to have been certified by their
> respective states, or even the federal government.  I thought there was no
> such thing as official HIPAA certification.  I was under the impression it
> was self-certification.  Am I wrong?  I would appreciate any feedback.
> Thank you.
>
> Sincerely,
> Kerri Stone
> HIPAA Project Manager
> SCB Computer Technology
> (954) 234-3569
> [EMAIL PROTECTED]
>
>
> **********************************************************************
> To be removed from this list, go to:
> http://snip.wedi.org/unsubscribe.cfm?list=privacy
> and enter your email address.

--
Chris Riley, CISSP
Information Tool Designers Inc.
Secure Virtual Office Solutions
http://aegis.info-tools.com/
