I thought this was offlist. All apologies.
John Scrivner wrote:
If I get a sit-down with the HIPAA compliance officer for the hospital
here I am going to need to get someone else on the phone with them who
is knowledgeable about HIPAA compliance who can help me sell the idea
that wireless can be used in HIPAA compliant data transmission
systems. Would you be that person? If so then send me the best number
to reach you at. I will let you know when I will have this meeting to
make sure it is a time when you could talk if needed.
Peter R. wrote:
A HIPAA consultant was at my luncheon yesterday. He pulled all this
info for you:
Pulled a couple of things below as background as well as the actual
regulation. The one that pertains to this discussion is the last
paragraph below. There is no strict rule as to how to secure and in
actual fact, switched or dial-up networks are deemed more secure due
to the random nature of the connection.
The HIPAA Security Rule establishes specific requirements for
securing all electronic protected health information (EPHI) -- while
at rest (in servers or storage) or in motion (in transmission,
wireless or wired).
"Transmission security (refers to)… electronic protected health
information is transmitted from one point to another, it must be
protected in a manner commensurate with the associated risk."
§ 164.312 Technical safeguards.
A covered entity must, in accordance with § 164.306:
(a)(1) Standard: Access control. Implement technical policies and
procedures for electronic information systems that maintain
electronic protected health information to allow access only to those
persons or software programs that have been granted access rights as
specified in § 164.308(a)(4).
(2) Implementation specifications:
(i) Unique user identification (Required). Assign a unique name and/or
number for identifying and tracking user identity.
(ii) Emergency access procedure (Required). Establish (and implement as
needed) procedures for obtaining necessary electronic protected health
information during an emergency.
(iii) Automatic logoff (Addressable). Implement electronic procedures
that terminate an electronic session after a predetermined time of
inactivity.
(iv) Encryption and decryption (Addressable). Implement a mechanism to
encrypt and decrypt electronic protected
(b) Standard: Audit controls. Implement hardware, software, and/or
procedural mechanisms that record and examine activity in information
systems that contain or use electronic protected health information.
(c)(1) Standard: Integrity. Implement policies and procedures to
protect electronic protected health information from improper
alteration or destruction.
(2) Implementation specification: Mechanism to authenticate electronic
protected health information (Addressable). Implement electronic
mechanisms to corroborate that electronic protected health information
has not been altered or destroyed in an unauthorized manner.
(d) Standard: Person or entity authentication. Implement procedures
to verify that a person or entity seeking access to electronic
protected health information is the one claimed.
(e)(1) Standard: Transmission security. Implement technical security
measures to guard against unauthorized access to electronic protected
health information that is being transmitted over an electronic
communications network.
(2) Implementation specifications:
(i) Integrity controls (Addressable). Implement security measures to
ensure that electronically transmitted electronic protected health
information is not improperly modified without detection until
disposed of.
(ii) Encryption (Addressable). Implement a mechanism to encrypt
electronic protected health information whenever deemed
Daniel L. Ruggles
CISSP, CISM, CMC, IAM, PMP
Liaison Technologies, LLC
WISPA Wireless List: firstname.lastname@example.org