I'd like to bring attention to this specific part of the text....
"(ii) Emergency access procedure (Required).
Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency. "
Could this be ammunition to argue that a Hospital almost REQUIRES or HIGHLY
BENEFITS from using your wireless service, as it BEST accommodates the need
to enable/guarantee Emergency access, as an alternative true diverse route
to access and transmit data?
Tom DeReggi
RapidDSL & Wireless, Inc
IntAirNet- Fixed Wireless Broadband
----- Original Message -----
From: "Peter R." <[EMAIL PROTECTED]>
To: "WISPA General List" <wireless@wispa.org>
Sent: Wednesday, November 29, 2006 9:00 AM
Subject: Re: [WISPA] HIPAA
A HIPAA consultant was at my luncheon yesterday. He pulled all this info
for you:
pulled a couple things below as background as well as the actual
regulation. The one that pertains to this discussion is the last paragraph
below. There is no strict rule as to how to secure and in actual fact,
switched or dial-up networks are deemed more secure due to the random
nature of the connection.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=2003_register&docid=fr20fe03-4.pdf
The HIPAA Security Rule establishes specific requirements for securing all
electronic protected health information (EPHI) -- while at rest (in
servers or storage) or in motion (in transmission, wireless or wired).
“Transmission security (refers to)… electronic protected health
information is transmitted from one point to another, it must be protected
in a manner commensurate with the associated risk.”
§ 164.312 Technical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Access control. Implement technical policies and
procedures for electronic information systems that maintain electronic
protected health information to allow access only to those persons or
software programs that have been granted access rights as specified in
§ 164.308(a)(4).
(2) Implementation specifications: (i) Unique user identification
(Required). Assign a unique name and/or number for identifying and
tracking user identity. (ii) Emergency access procedure (Required).
Establish (and implement as needed) procedures for obtaining necessary
electronic protected health information during an emergency. (iii)
Automatic logoff (Addressable). Implement electronic procedures that
terminate an electronic session after a predetermined time of inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to
encrypt and decrypt electronic protected health information.
(b) Standard: Audit controls. Implement hardware, software, and/or
procedural mechanisms that record and examine activity in information
systems that contain or use electronic protected health information.
(c)(1) Standard: Integrity. Implement policies and procedures to protect
electronic protected health information from improper alteration or
destruction. (2) Implementation specification: Mechanism to authenticate
electronic protected health information (Addressable). Implement
electronic mechanisms to corroborate that electronic protected health
information has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures to
verify that a person or entity seeking access to electronic protected
health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security
measures to guard against unauthorized access to electronic protected
health information that is being transmitted over an electronic
communications network. (2) Implementation specifications: (i) Integrity
controls (Addressable). Implement security measures to ensure that
electronically transmitted electronic protected health information is not
improperly modified without detection until disposed of. (ii) Encryption
(Addressable). Implement a mechanism to encrypt electronic protected
health information whenever deemed appropriate.
Daniel L. Ruggles
CISSP, CISM, CMC, IAM, PMP
Principal
Liaison Technologies, LLC
--
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/