Debra,

We've used the proposed Security Rule as a starting place for our security measures. I've reviewed them with several security experts (I would definitely not classify myself as a security expert!) and they agree that the requirements (with the exception of the certification) in the proposed rule constitute sound basic security. What is proposed is scalable and allows people to improve over time.
From our perspective, appropriate and reasonable security makes good business sense. It doesn't really matter (from a pragmatic perspective) that the rule is not final. If you don't lock your clinic doors at night (a commonly accepted security practice) and someone stole all your clinical files as a result, could you be found liable for negligence even though the rule is not final? I'm not a lawyer but I'd guess that the answer is yes (any legal opinions on this out there?). I'd say it's very easy to make a similar argument for the computer security measures proposed in the final rule. Most of the suggested computer security requirements are sort of the equivalent of locking the door at night - they are widely accepted practices in the computer security field. Just because they are new to you doesn't mean you shouldn't be familiar with them.

The other thing to remember is that even if you are not legally liable there is always the court of public opinion. While you may not be sued for a security breach, the resulting bad press could be much more damaging (ask the University of Washington!).

In addition, I would vigorously agree with the earlier comment that you cannot have privacy without security. Security is about controlling access to data (person X has access to this particular piece of PHI but person Y does not). Privacy is about using that data appropriately once access has been controlled (e.g., person X has valid access to specific PHI but they are prohibited from selling it).

It's my understanding that the electronic/digital signatures issue has greatly increased in complexity from a political perspective since the HIPAA NPRM on Security was published. DEA is (as I understand it) becoming a CA (does anyone have recent info on this?), and there were other departments in the federal government who were independently working on the electronic signature issue. Then there was the passage of the electronic signature bill (does anyone have the name? I can't recall it) which basically said that an "X" at the end of an email could possibly constitute an electronic signature. It sounded like HHS had to go back to the drawing board and re-negotiate the electronic/digital signature portion.

Them's my two cents!

Jan Root
UHIN Standards Manager

"Cimbala, Debra" wrote:
> Hi!!!
>
> Where can one find information on the security standard and the electronic
> signature standard required by HIPAA?
>
> We are a health plan and I was wondering ..... Has anyone implemented these
> features for HIPAA compliance?
>
> Thanks!!!
> Debra Cimbala
> Customer Communications
> 336.548.8587
> 336.548.7789
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> The WEDI SNIP listserv to which you are subscribed is not moderated. The
> discussions on this listserv therefore represent the views of the individual
> participants, and do not necessarily represent the views of the WEDI Board of
> Directors nor WEDI SNIP. If you wish to receive an official opinion, post
> your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.
> Posting of advertisements or other commercial use of this listserv is
> specifically prohibited.
