Re: Questions in regard to Security/Privacy
Richard,

The first question is: Is what is being transmitted Protected Healthcare Information? If not, all the rest is moot. If what is being transmitted is strictly the financial data (This merchant charged this person this much), it probably isn't PHI, but just money. If it is, you must do a risk-of-exposure analysis.

First, the receiving system must be capable of properly protecting any PHI it receives. Terminal-to-Private Network is probably adequately secured. In this case, you may decide that encryption is just wasting resources. Going via the Internet will probably need some kind of end-to-end encryption to be adequately secure, since the Internet is inherently a broadcast to every computer connected to the net, received by anyone who wants to listen.

Make your decisions and document them.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]

"This electronic message may contain information that is confidential and/or legally privileged. It is intended only for the use of the individual(s) and entity(s) named as recipients in the message. If you are not an intended recipient of the message, please notify the sender immediately, delete the material from any computer, do not deliver, distribute, or copy this message, and do not disclose its contents or take action in reliance on the information it contains. Thank you."

- Original Message -
From: Richard Smith
To: WEDI SNIP Privacy Workgroup List
Sent: Thursday, February 27, 2003 11:52 AM
Subject: Questions in regard to Security/Privacy

I would like to know how the privacy security act under HIPAA will impact our current systems today? I support POS card/swipe machines that dialup (via an async/sync modem) over the public telephone system into a server that is connected to a private network.
These machines (terminals) are located throughout the USA in Provider offices, clinics and hospitals. The dialup protocol (VISA) is the same protocol that the financial processors use today doing credit/debit transactions. Are there any issues that I need to be concerned about from the terminal point of view?

The second part of my question, I would like to know how the privacy security act under HIPAA will impact POS card/swipe machines that dialup (via an async/sync modem) over the public telephone system into an ISP that is connected to the Internet. These machines (terminals) are located throughout the USA in Provider offices, clinics and hospitals. The dialup protocol will be either VISA or PPP (Point-to-Point). Are there any issues that I need to be concerned about from the terminal point of view?

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org

RE: Questions in regard to Security/Privacy
I don't see these POS terminals being affected by HIPAA if in fact they are doing a financial transaction, i.e. patient is making a payment for services rendered (paying the co-pay with a credit card). Now, there is a network of POS terminals that do eligibility checks and referrals, etc. These terminals are conducting transactions for which a standard has been defined and are therefore subject to the HIPAA TCS rule. The use of these POS terminals qualifies the provider as a Covered Entity, which in turn makes the provider subject to the Privacy and Security Rule.

Any other opinions or observations?

CL

Original Message
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: RE: Questions in regard to Security/Privacy
Date: Thu, 27 Feb 2003 09:52:59 -0800

I would like to know how the privacy security act under HIPAA will impact our current systems today? I support POS card/swipe machines that dialup (via an async/sync modem) over the public telephone system into a server that is connected to a private network. These machines (terminals) are located throughout the USA in Provider offices, clinics and hospitals. The dialup protocol (VISA) is the same protocol that the financial processors use today doing credit/debit transactions. Are there any issues that I need to be concerned about from the terminal point of view?

The second part of my question, I would like to know how the privacy security act under HIPAA will impact POS card/swipe machines that dialup (via an async/sync modem) over the public telephone system into an ISP that is connected to the Internet. These machines (terminals) are located throughout the USA in Provider offices, clinics and hospitals. The dialup protocol will be either VISA or PPP (Point-to-Point). Are there any issues that I need to be concerned about from the terminal point of view?

Catherine Lohmeier
Sr. Business Consultant
PCI: e-commerce for healthcare
ph. 402-304-1918
www.hipaasurvival.com

Re: Questions in regard to Security/Privacy
Catherine,

Just a clarification. These non-financial POS terminals would have to use standard transactions (such as 270/271, 278, etc.) to do their job when a standard is available.

The opinions expressed here are my own and not necessarily the opinion of LCMH.

Douglas M. Webb
Computer System Engineer
Little Company of Mary Hospital Health Care Centers
[EMAIL PROTECTED]

- Original Message -
From: Catherine Lohmeier
To: WEDI SNIP Privacy Workgroup List
Cc: [EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 03:07 PM
Subject: RE: Questions in regard to Security/Privacy

I don't see these POS terminals being affected by HIPAA if in fact they are doing a financial transaction, i.e. patient is making a payment for services rendered (paying the co-pay with a credit card). Now, there is a network of POS terminals that do eligibility checks and referrals, etc. These terminals are conducting transactions for which a standard has been defined and are therefore subject to the HIPAA TCS rule. The use of these POS terminals qualifies the provider as a Covered Entity, which in turn makes the provider subject to the Privacy and Security Rule.

Any other opinions or observations?

CL