REF: Government certification
This "certification" concept was "kicked around" several years ago by the U.S. National Institute of Standards and Technology (NIST). Any engineer at NIST had taken the draft HIPAA regulations and created a PROPOSED protection profile based upon Common Criteria (see ISO 17799). A CC protection profile has never gotten off the ground; although Lew Lorton, DDS, was promoting the concept in the Washington, DC beltway. That is the closet "quasi-official" effort I have seen to date. Regarding vendors, IMHO, nothing more than "HIPAA READY" should be a term used to describe products. "HIPAA Complaint" or "HIPAA Certified" is complete marketing hype and unsupportable. David Sweigert, M.Sci., CCNA, CISSP State IT Security Policy Officer Department of Administrative Services http://www.ohio.gov/itp <timmcguinness@ya hoo.com> To: "Meyer, Perry" <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, 08/30/2002 12:57 <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, PM <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> Please respond to cc: timmcguinness Subject: Certifications Perry, your point is very valid! As stated by the agencies, it isn't the role of the government to "Certify" a product, service, or process relating to HIPAA. Certifications by their nature certifications require a process of accreditation, credentialing, and ideally broad support. I have no knowledge of what the vendor in question bases their "certification" on, and without full disclosure of that basis I view its claim as suspect, however there is at least one validly certified training/education product in the market - certified/credentialed by a State University System. However, this specific problem has resulted in the creation of a separate body to address this issue of developing HIPAA conformance certification standards. This activity is complementary to the work of the other HIPAA bodies, and recognizing the urgency of this for covered entities and industry alike, has begun and hopes to publish a significant body of work rapidly. This also raises another important point - full disclosure. Some on this listserv express offense at participants including their company names in their replies and messages. Personally, I want to know who it is that is expressing their opinions and who they represent, and in what capacity. I appreciate a weblink also, making it easy to view their context. Without this disclosure, we do not have the ability to properly weight their credentials or perspective in these issues. Each of us needs to be able to evaluate each posted statement and not simply take everything said as fact or legal opinion - this one included. So I would encourage all to be candid in their signatures for these reasons and recognize the difference between spam commercialism and simple honest disclosure. Tim McGuinness, Ph.D. President, HIPAA Help Now Inc. [EMAIL PROTECTED] www.hipaahelpnow.com Executive Co-Chairman for Privacy, HIPAA Conformance Certification Organization (HCCO) www.hipaacertification.org -----Original Message----- From: Meyer, Perry [mailto:[EMAIL PROTECTED]] Sent: Tuesday, August 27, 2002 8:24 AM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: RE: WEDI SNIP Forum to be Rescheduled!!! Just curious, but does CMS or OCR recognize "certified" HIPAA training? I see no mention of this in the regs. I think we need to be very careful in promoting something as "certified" when it comes to HIPAA. Perry Meyer Senior Vice President Iowa Hospital Association The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited. The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. Posting of advertisements or other commercial use of this listserv is specifically prohibited.
