Re: [WISPA] HIPAA

2013-08-08 Thread Rick Harnish
Adam,

The attorneys serving the WISPA community would be hanging out on the
Member's list, not this one.

Where there is a Wisp, there is a way!
http://www.wispa.org/where-there-is-a-wisp-there-is-a-way

Join Us at WISPAPALOOZA 2013 - Las Vegas, Oct 12-18
http://www.cvent.com/d/xcqthv

Respectfully,

Rick Harnish
Executive Director
WISPA
260-307-4000 cell
866-317-2851 Option 2 WISPA Office
Skype: rick.harnish.
rharn...@wispa.org
adm...@wispa.org (Trina and Rick)

From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On
Behalf Of Adam Greene
Sent: Thursday, August 08, 2013 5:47 PM
To: 'WISPA General List'
Subject: [WISPA] HIPAA

Hi guys,

I understand the Dept of Health and Human Services has published final HIPAA
guidelines which go into effect as of 9/23/13, and that the scope of
liability of service providers, as well as fines, have increased
substantially. For example, this article caught my attention:
http://www.wileyrein.com/publications.cfm?sp=articles&id=8628

Many of us, besides providing fixed wireless connectivity services to our
customers, also provide hosting, email and other IT services, so I figure
this is probably a concern for many of us.

I am wondering if there is a lawyer or law firm serving the WISPA community
that might be available to provide some guidance as to the true extent of
liability a service provider has when contracted as a Business Associate by
a healthcare industry customer, in a variety of situations.

We have some specific questions, so if preferred, you can share your contact
information with me off list and I can engage you directly. My direct email
is agre...@webjogger.net.

Thanks!

Adam

--
Adam Greene
Webjogger
www.webjogger.net
agre...@webjogger.net
845-757-4000

___
Wireless mailing list
Wireless@wispa.org
http://lists.wispa.org/mailman/listinfo/wireless


Re: [WISPA] HIPAA

2013-08-08 Thread Adam Greene
Thanks Rick! Will re-post to that list. I appreciate it.

 



Re: [WISPA] HIPAA Problem Gets Worse

2006-12-01 Thread Pete Davis
The local hospital in town, that is also the employer of my two 
partners, has a Cisco wireless system in place, and has had since before 
we were in business. SSID is turned on, DHCP is turned off, and 
encryption is turned on. (WEP 128bit I think)
Recently, they went through an audit by an independent security agency, 
and while they did find some problems with insecure user passwords, the 
wireless LAN was found to be fully HIPAA safe. Doctors use the wireless 
on their laptops to do their thing in the hospital, and it all seems to 
work fine.


Pete Davis
NoDial.net



John Scrivner wrote:
I need your help! It looks like I am going to have to go over the head 
of the IT guy at the area hospitals. According to the person I am 
speaking with I cannot even get a phone call returned from him to talk 
about the issues regarding wireless broadband delivery and HIPAA. They 
say flat out no use of wireless for connectivity to area health care 
centers.


Can some of you please send me some success stories offlist where you 
installed connections to health care facilities for them to use as their 
intranet connections? Any references to working with their IT people to 
deliver a solution that met HIPAA guidelines would be nice. Once I get 
some of those success stories I will request a meeting with the CEO of 
the hospital who is a friend of mine and can help us get this done.

Thanks guys,
Scriv

PS. Offlist your success stories to [EMAIL PROTECTED]


--
WISPA Wireless List: wireless@wispa.org

Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless

Archives: http://lists.wispa.org/pipermail/wireless/


Re: [WISPA] HIPAA

2006-11-30 Thread John Scrivner
If I get a sit-down with the HIPAA compliance officer for the hospital 
here I am going to need to get someone else on the phone with them who 
is knowledgeable about HIPAA compliance who can help me sell the idea 
that wireless can be used in HIPAA compliant data transmission systems. 
Would you be that person? If so then send me the best number to reach you 
at. I will let you know when I will have this meeting to make sure it is 
a time when you could talk if needed.

Thanks,
Scriv




Re: [WISPA] HIPAA

2006-11-29 Thread Peter R.
A HIPAA consultant was at my luncheon yesterday. He pulled all this info 
for you:


pulled a couple things below as background as well as the actual 
regulation. The one that pertains to this discussion is the last 
paragraph below. There is no strict rule as to how to secure and in 
actual fact, switched or dial-up networks are deemed more secure due to 
the random nature of the connection.


http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2003_register&docid=fr20fe03-4.pdf

The HIPAA Security Rule establishes specific requirements for securing 
all electronic protected health information (EPHI) -- while at rest (in 
servers or storage) or in motion (in transmission, wireless or wired).


“Transmission security (refers to)… electronic protected health 
information is transmitted from one point to another, it must be 
protected in a manner commensurate with the associated risk.”



§ 164.312 Technical safeguards.

A covered entity must, in accordance with § 164.306:

(a)(1) Standard: Access control. Implement technical policies and 
procedures for electronic information systems that maintain electronic 
protected health information to allow access only to those persons or 
software programs that have been granted access rights as specified in § 
164.308(a)(4).


(2) Implementation specifications: (i) Unique user identification 
(Required). Assign a unique name and/or number for identifying and 
tracking user identity. (ii) Emergency access procedure (Required). 
Establish (and implement as needed) procedures for obtaining necessary 
electronic protected health information during an emergency. (iii) 
Automatic logoff (Addressable). Implement electronic procedures that 
terminate an electronic session after a predetermined time of 
inactivity. (iv) Encryption and decryption (Addressable). Implement a 
mechanism to encrypt and decrypt electronic protected health information.



(b) Standard: Audit controls. Implement hardware, software, and/or 
procedural mechanisms that record and examine activity in information 
systems that contain or use electronic protected health information.


(c)(1) Standard: Integrity. Implement policies and procedures to protect 
electronic protected health information from improper alteration or 
destruction. (2) Implementation specification: Mechanism to authenticate 
electronic protected health information (Addressable). Implement 
electronic mechanisms to corroborate that electronic protected health 
information has not been altered or destroyed in an unauthorized manner.


(d) Standard: Person or entity authentication. Implement procedures to 
verify that a person or entity seeking access to electronic protected 
health information is the one claimed.


(e)(1) Standard: Transmission security. Implement technical security 
measures to guard against unauthorized access to electronic protected 
health information that is being transmitted over an electronic 
communications network. (2) Implementation specifications: (i) Integrity 
controls (Addressable). Implement security measures to ensure that 
electronically transmitted electronic protected health information is 
not improperly modified without detection until disposed of. (ii) 
Encryption (Addressable). Implement a mechanism to encrypt electronic 
protected health information whenever deemed appropriate.



Daniel L. Ruggles
CISSP, CISM, CMC, IAM, PMP

Principal
Liaison Technologies, LLC




Re: [WISPA] HIPAA

2006-11-29 Thread Mark Nash - Lists
If I'm reading this information correctly, it states that the care providers
are responsible for encrypting and decrypting electronically transmitted
information.

Mark Nash
Network Engineer
UnwiredOnline.Net
350 Holly Street
Junction City, OR 97448
http://www.uwol.net
541-998-
541-998-5599 fax



Re: [WISPA] HIPAA

2006-11-29 Thread Tom DeReggi

I'd like to bring attention to this specific part of the text

(ii) Emergency access procedure (Required).
Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency. 

Could this be ammunition to argue that a Hospital almost REQUIRES or HIGHLY 
BENEFITS from using your wireless service, as it BEST accommodates the need 
to enable/guarantee Emergency access, as an alternative true diverse route 
to access and transmit data?


Tom DeReggi
RapidDSL  Wireless, Inc
IntAirNet- Fixed Wireless Broadband

