What does HIPAA really mean?
Irongeek
April 16th, 2006, 09:12 PM
Ok, I’ve been Googling around, and I understand that the basics of HIPAA (Health Insurance Portability and Accountability Act) from a computer security perspective are to keep all patient information on a need-to-know basis. But when I look around for real tech guidelines all I get is loose “policy” information, nothing like “You must use at least 104-bit WEP on WAPs” or anything technical. My question is, what does HIPAA really mean from a security tech’s perspective? How do you know you’re “compliant”?
ZT3000
April 16th, 2006, 10:11 PM
Concerning HIPAA, I advocate implementing baseline controls and using due care or due diligence in conjunction with industry best practices as related in ISO17799 and other documents (NIST).
In other words, by implementing baseline controls you are addressing and mitigating commonly known risks rather than attempting to identify a myriad of unknowns.
ISO17799 is actually "a comprehensive set of controls comprising best practices in information security". You should check out ISO 17799 at http://www.iso-17799.com/
Would one good checklist accomplish what you need to? Probably not.
Neither ISO 17799 nor NIST provides all the information you need to take into consideration.
While many checklists available for sale as HIPAA Compliance Toolkits do ask some good questions, they also leave out quite a bit – especially from a technical standpoint.
For example, best practice typically requires that workstations running an operating system should have the latest security updates and patches installed UNLESS there is a legitimate reason for not doing so.
In the instance of Microsoft Windows, one important reason for not installing the latest update to Microsoft XP (SP2) is that it may break a critical application you need to run your practice. So, if your practice is running a certain application that the vendor has not yet made compatible to run with SP2, then this is a legitimate reason not to install SP2. However, you’ve identified the risk and hopefully have mitigated it in some fashion with alternative measures.
There’s no such thing as doing a risk analysis that is "strictly HIPAA" that does not take into consideration other items/issues at risk as provided for in NIST or ISO. Using the HIPAA security rule standards and implementation specifications alone should not be considered being thorough.
Using an appropriate level of due diligence will be a struggle for small practices. There’s no simple answer – no silver bullet.
Go here for a better explanation, HIPAA (http://www.ibg.com/ShadesOfGrayOpinion.html)
I signed up for the Yahoo ShareHIPAA forum, maybe you should too.
Soda_Popinsky
April 16th, 2006, 10:16 PM
Most regulations I've ever dealt with aren't technical, and are never that specific...
http://aspe.hhs.gov/admnsimp/pl104191.htm
I've never been responsible for HIPAA compliance, but for laws like sarbox there are frameworks like COBIT and COSO that are more specific for section 404... HIPAA is mostly high level... My recommendation is to find a common framework to follow and become compliant.
nihil
April 16th, 2006, 10:32 PM
//probably irrelevant
I know this is your legislation, rather than ours, but I will make one cynical observation if I may.
The legislators know so little about the subject, they tend to phrase the legislation in "thou shalt not get found out" terms and let the lawyers ("and other reptiles" :D ) take it from there.
I know that this is a far from ideal situation, but that is life I am afraid :(
By the way "Lawyers and other reptiles" is the title of a very funny book...................if you can find it and have the time please do read it ;)
I guess the whole issue is one of being able to demonstrate " due diligence" and then CYA
Tiger Shark
April 16th, 2006, 10:58 PM
I'm HIPAA compliant....
What does it mean?
Nothing really... To be ruthlessly honest. You have to state you are HIPAA compliant and that's really it... The problem comes if you lose some PHI, (Protected Healthcare Information), then they will ask what you did to claim compliance, what physical measures have you taken, what electronic measures, what policies are in place, how are they monitored... ad infinitum until they can screw you to the wall... :mad:
You have to do the basics in terms of firewalling, AV, monitoring, backups etc. I think you'll find it more important to ensure that physical security is addressed, what you have done to ensure appropriate rights and permissions to PHI internally and, most important, policies, policies, policies.... They love that paperwork. Make sure that Property Management, (building managers for physical security), Personnel, (policies), and IT are involved at a minimum. You may need other departments depending upon your organization chart but those three will be the minimum.
Oh, and I nearly forgot one of the most important things... Vendors etc. must sign partnership agreements I think they call them if they are ever potentially going to see any PHI. This would include vendors that provide billing services and things like that.
Overall it's not a badly written law in that it allows for flexibility etc. I just don't trust them not to be a$$hats when you try and still lose some PHI...
My $2...
The Texan
April 17th, 2006, 12:12 AM
TS, you do have me confused. You say you're HIPAA compliant; well, first off, do you live in Detroit or the UK? lol I have always been meaning to ask that. Basically I'm asking if you have to adhere to that law or not, depending on whether you live in the US or the UK.
nihil
April 17th, 2006, 12:17 AM
Tex~ I have a long history of Anglo-American relationships :D
If it is a UK subsid of a US co it still has to comply with the PARENT COMPANY rules (like USA),
we have to supply suitably "translated" tax returns for consolidation and so forth
:D
The Texan
April 17th, 2006, 12:19 AM
ahhh ok, I understand now, so I guess it's basically a "when in Rome, act as the Romans do" kinda thing. Well, that clears up a lot for me, but I still wonder what side of the pond TS is on lol
Tiger Shark
April 17th, 2006, 12:31 AM
Tex:
Hmmm... Now let me see... My info says I live near Detroit... My flag says I'm British... I see no issue there... It's all quite clear to me... ;) I am British and I live near Detroit, (less than 20 miles). So, yes, my job requires me to be HIPAA compliant...
The Texan
April 17th, 2006, 12:34 AM
Your info says near Detroit USA but then the flag is British, which I have no probs with, you having British pride. But wouldn't it have been easier to put, say, Detroit USA with an American flag than making sure people knew about your British ties when they clicked on your profile? It would sure cut down on the confusion for Texans like me.
Just a thought :D
off topic/ I was just curious ( you can answer this in a PM or not at all lol) Do you like the US or the UK better?
Tiger Shark
April 17th, 2006, 12:47 AM
I'm not here to make things "easy"... ;)
I'm a Brit to the core... swore my allegiance to "Her Majesty Queen Elizabeth the Second, her Heirs and Successors" and will always maintain that... But having lived in the good ole US of A for 17 years I'm starting to get the hang of it... ;)
So... Back to HIPAA...
The Texan
April 17th, 2006, 12:55 AM
I'm sorry I hijacked the thread... now I can rest easy knowing your political alliances lol :)
Tiger, one more post and you're at 5K. Congrats my friend :)
ZT3000
April 17th, 2006, 07:09 AM
TigerShark: You have to state you are HIPAA compliant and that's really it... The problem comes if you lose some PHI,
Losing some PHI is only one aspect of this deal. There are other valid reasons to be audited other than losing info, of which I will relate further in this post.
85 percent of my clients are oral surgeons, dentists and doctors, so I have to deal with HIPAA in many places where I work and it's not losing PHI that we are worried about as much as it is valid/invalid client complaints/concerns that reach the ears of the HIPAA authority.
Seems everyone wants to sue someone, and since my clients look like the pot of gold they aren't, anybody with a trumped-up complaint can attempt to bring down an inspection, if they know to whom to complain loud enough.
Anyways, here is an excerpt from 45 CFR parts 160 and 164 (enforcement) from the Department of Health and Human Services.
The authority for administering and enforcing compliance with the Privacy Rule has been delegated to the HHS Office for Civil Rights (OCR). 65 FR 82381 (December 28, 2000). The authority for administering and enforcing compliance with the nonprivacy HIPAA rules has been delegated to the Centers for Medicare & Medicaid Services (CMS). 68 FR 60694 (October 23, 2003).
At present, our compliance and enforcement activities are primarily complaint-based. Although our enforcement efforts are focused on investigating complaints, they may also include conducting compliance reviews to determine if a covered entity is in compliance. When potential violations come to our attention through a complaint or a compliance review, OCR or CMS’s Office of HIPAA Standards (OHS), as appropriate, attempts to resolve the matter informally. Many such matters are resolved at the initial stage of contact.
Listed in this CFR are penalties per similar and unsimilar violations with total yearly penalties.
nihil
April 17th, 2006, 09:11 AM
//Thread hijack
Tex~ you seem to know very little?
I attach your proper flag, please correct your details accordingly...............
"Just when you thought that the Northern War of Economic Aggression was over" :D
nihil
April 17th, 2006, 09:14 AM
Sorry, don't know how to do multiple attachments............if, indeed, it is possible?
Send Tiger~ some blue lupin seeds?
This one is politically correct they hope ;) :D
Tiger Shark
April 17th, 2006, 11:19 AM
it's not losing PHI that we are worried about as much as it is valid/invalid client complaints/concerns that reach the ears of the HIPAA authority
ZT: Absolutely... Primarily the complaint is usually going to come from the client simply because, in the vast majority of cases the HIPAA compliant entity will be the last to know that data has gone "walkies". The fun thing about it though is the way the regulations are written. There is practically nothing said about how you must protect PHI - it's almost all left to the entity to determine what should be done - which could be a recipe for disaster given a Doctor with no computer knowledge and the ability to read the regs... ;)
ams2d
April 17th, 2006, 02:49 PM
The company I work for has products in multiple countries and uses Safe Harbor instead of HIPAA. From what I have experienced, Safe Harbor is more stringent, especially when it comes to personal data.
My experience has been more directly with the data and with having to send it to external companies for testing purposes. All of the personal information had to be removed (i.e. initials) or changed (i.e. birth date, study identifier and other certain dates which could link a person to a specific visit).
When sending the data out I had to send it on a CD-R since they wouldn't allow it to be sent over an email (even over a secured connection). The data had to be in an encrypted zip file and the password was sent separately. Both were sent via Fed-Ex after it was approved by our Safe Harbor representative. This was done even with a confidentiality agreement with the companies in question.
For internal use it didn't have to be as "scrambled" but there still was some level and again it had to be approved before it could be sent/used to the department.
Like HIPAA, the tech side isn't clearly defined and is left mainly open to interpretation by the company representatives.
"Security. The Directive requires that "appropriate technical and organizational measures to protect data" against destruction, loss, alteration, or unauthorized disclosure or access be taken (Article 17)."
Safe Harbor (http://www.export.gov/safeharbor/sh_overview.html)
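The de-identification step ams2d describes (strip direct identifiers such as initials, replace the study identifier, and alter the dates that could tie a subject to a particular visit) can be done so that the data stay usable for the recipient's testing: the identifier is replaced with a keyed hash, and every date belonging to a subject is shifted by the same per-subject offset, so intervals within a subject (age at visit, days between visits) survive while the real dates do not. The Python below is an added example written for this page; it is not code from the original post or from any company's Safe Harbor process. The record layout, field names, key value and sample rows are constructed for illustration.

```python
import datetime
import hashlib
import hmac

# Constructed sample export (not real patient data). Two rows belong to the
# same subject so that the within-subject date interval can be checked.
RECORDS = [
    {"study_id": "S-1001", "initials": "JQP", "birth_date": "1961-03-12",
     "visit_date": "2006-02-14", "result": "HbA1c 7.1"},
    {"study_id": "S-1001", "initials": "JQP", "birth_date": "1961-03-12",
     "visit_date": "2006-03-21", "result": "HbA1c 6.8"},
    {"study_id": "S-1002", "initials": "MAR", "birth_date": "1975-11-02",
     "visit_date": "2006-02-15", "result": "HbA1c 5.9"},
]

# Assumed field classes: columns dropped outright, and date columns that are
# shifted. A real export would take these from the study's data dictionary.
DIRECT_IDENTIFIERS = ("initials",)
DATE_FIELDS = ("birth_date", "visit_date")


def pseudonymize_id(study_id: str, key: bytes) -> str:
    """Replace a study identifier with a keyed hash. Only the holder of `key`
    can recompute the mapping; the recipient cannot link rows back."""
    digest = hmac.new(key, b"id:" + study_id.encode(), hashlib.sha256).hexdigest()
    return "P-" + digest[:12]


def subject_offset(study_id: str, key: bytes, max_days: int = 365) -> int:
    """Per-subject shift in days, derived from the key so it is identical for
    every row of that subject and never zero (a zero shift would leak dates)."""
    digest = hmac.new(key, b"shift:" + study_id.encode(), hashlib.sha256).digest()
    days = int.from_bytes(digest[:4], "big") % max_days + 1   # 1..max_days
    return days if digest[4] & 1 else -days


def shift_date(iso_date: str, days: int) -> str:
    d = datetime.date.fromisoformat(iso_date) + datetime.timedelta(days=days)
    return d.isoformat()


def days_between(iso_a: str, iso_b: str) -> int:
    return (datetime.date.fromisoformat(iso_b) - datetime.date.fromisoformat(iso_a)).days


def deidentify(records, key: bytes):
    """Drop direct identifiers, pseudonymize the study ID and shift all dates of
    a subject by that subject's offset. Returns new records; input is untouched."""
    out = []
    for rec in records:
        offset = subject_offset(rec["study_id"], key)
        clean = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        clean["study_id"] = pseudonymize_id(rec["study_id"], key)
        for field in DATE_FIELDS:
            if field in clean:
                clean[field] = shift_date(clean[field], offset)
        out.append(clean)
    return out


def check_deidentified(original, cleaned) -> bool:
    """Release gate: no direct identifier, original study ID or original date
    survives, and the birth-to-visit interval (age at visit) is preserved."""
    for o, c in zip(original, cleaned):
        if any(f in c for f in DIRECT_IDENTIFIERS):
            return False
        if c["study_id"] == o["study_id"]:
            return False
        if any(c[f] == o[f] for f in DATE_FIELDS if f in c):
            return False
        if days_between(c["birth_date"], c["visit_date"]) != days_between(o["birth_date"], o["visit_date"]):
            return False
    return True


if __name__ == "__main__":
    KEY = b"constructed-demo-key-keep-with-sender"   # assumed value; never leaves the sender
    cleaned = deidentify(RECORDS, KEY)
    for row in cleaned:
        print(row)
    print("release checks passed:", check_deidentified(RECORDS, cleaned))
```

The key is the only thing that lets anyone regenerate the mapping or undo the shift, so it must stay with the sender: unlike the zip password in the post, which travels by a separate channel, the key should not travel at all. Consistent per-subject shifting keeps the data analysable, but it does not by itself cover everything a de-identification rule lists (free-text fields, rare values, ages over 89 under HIPAA's safe-harbor list), so the approval step the post describes still belongs before anything is burned to a CD.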
thehorse13
April 17th, 2006, 10:25 PM
**MOVED**
I placed this thread in regulatory compliance.
--TH13
t34b4g5
December 7th, 2009, 06:17 AM
HIPAA email trial accounts are available at http://securemedical.net and http://mdemail.net
I have approved this post, as it has relevance to the Topic and will enable people interested access to "trial accounts". :)