What does HIPAA really mean?

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    What does HIPAA really mean?

    Ok, I’ve been Googling around, and I understand that the basics of HIPAA (Health Insurance Portability and Accountability Act) from a computer security perspective are to keep all patient information on a need-to-know basis. But when I look around for real tech guidelines all I get is loose “policy” information, nothing like “You must use at least 104-bit WEP on WAPs” or anything technical. My question is, what does HIPAA really mean from a security tech’s perspective? How do you know you’re “compliant”?

  2. #2
    Senior Member
    Join Date
    Mar 2005
    Posts
    400
    Concerning HIPAA, I advocate implementing baseline controls and using due care or due diligence in conjunction with industry best practices as related in ISO17799 and other documents (NIST).

    In other words, by implementing baseline controls you are addressing and mitigating commonly known risks rather than attempting to identify a myriad of unknowns.

    ISO17799 is actually "a comprehensive set of controls comprising best practices in information security". You should check out ISO 17799 at http://www.iso-17799.com/

    Would one good checklist accomplish what you need to? Probably not.

    Neither ISO 17799 nor NIST provides all the information you need to take into consideration.

    While many checklists available for sale as HIPAA Compliance Toolkits do ask some good questions, they also leave out quite a bit – especially from a technical standpoint.

    For example, best practice typically requires that workstations running an operating system should have the latest security updates and patches installed UNLESS there is a legitimate reason for not doing so.
    In the instance of Microsoft Windows, one important reason for not installing the latest update to Microsoft XP (SP2) is that it may break a critical application you need to run your practice. So, if your practice is running a certain application that the vendor has not yet made compatible to run with SP2, then this is a legitimate reason not to install SP2. However, you’ve identified the risk and hopefully have mitigated it in some fashion with alternative measures.

    There’s no such thing as doing a risk analysis that is "strictly HIPAA" that does not take into consideration other items/issues at risk as provided for in NIST or ISO. Using the HIPAA security rule standards and implementation specifications alone should not be considered thorough.

    Using an appropriate level of due diligence will be a struggle for small practices. There’s no simple answer – no silver bullet.

    Go here for a better explanation: HIPAA

    I signed up for the Yahoo ShareHIPAA forum, maybe you should too.
    ZT3000
    Beta tester of "0"s and "1"s

  3. #3
    Most regulations I've ever dealt with aren't technical, and are never that specific...

    http://aspe.hhs.gov/admnsimp/pl104191.htm

    I've never been responsible for HIPAA compliance, but for laws like sarbox there are frameworks like COBIT and COSO that are more specific for section 404... HIPAA is mostly high level... My recommendation is to find a common framework to follow and become compliant.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    //probably irrelevant

    I know this is your legislation, rather than ours, but I will make one cynical observation if I may.

    The legislators know so little about the subject, they tend to phrase the legislation in "thou shalt not get found out" terms and let the lawyers ("and other reptiles") take it from there.

    I know that this is a far from ideal situation, but that is life I am afraid

    By the way "Lawyers and other reptiles" is the title of a very funny book...................if you can find it and have the time please do read it

    I guess the whole issue is one of being able to demonstrate "due diligence" and then CYA
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm HIPAA compliant....

    What does it mean?

    Nothing really... To be ruthlessly honest. You have to state you are HIPAA compliant and that's really it... The problem comes if you lose some PHI, (Protected Healthcare Information), then they will ask what you did to claim compliance, what physical measures have you taken, what electronic measures, what policies are in place, how are they monitored... ad infinitum until they can screw you to the wall...

    You have to do the basics in terms of firewalling, AV, monitoring, backups etc. I think you'll find it more important to ensure that physical security is addressed, what you have done to ensure appropriate rights and permissions to PHI internally and, most important, policies, policies, policies.... They love that paperwork. Make sure that Property Management, (building managers for physical security), Personnel, (policies), and IT are involved at a minimum. You may need other departments depending upon your organization chart but those three will be the minimum.

    Oh, and I nearly forgot one of the most important things... Vendors etc. must sign partnership agreements I think they call them if they are ever potentially going to see any PHI. This would include vendors that provide billing services and things like that.

    Overall it's not a badly written law in that it allows for flexibility etc. I just don't trust them not to be a$$hats when you try and still lose some PHI...

    My $2...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    TS, you do have me confused. You say you're HIPAA compliant, well first off do you live in Detroit or the UK lol I have always been meaning to ask that. Basically I'm asking if you have to adhere to that law or not, depending on if you live in the US or the UK.
    Git R Dun - Ty
    A tribe is wanted

  7. #7
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Tex~ I have a long history of Anglo-American relationships

    If it is a UK subsid of a US co it still has to comply with the PARENT COMPANY rules (like USA),
    we have to supply suitably "translated" tax returns for consolidation and so forth


    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #8
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    Ahhh ok I understand now so I guess it's basically a "when in Rome, act as the Romans do" kinda thing. Well that clears up a lot for me but I still wonder what side of the pond TS is on lol
    Git R Dun - Ty
    A tribe is wanted

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Tex:

    Hmmm... Now let me see... My info says I live near Detroit... My flag says I'm British... I see no issue there... It's all quite clear to me... I am British and I live near Detroit, (less than 20 miles). So, yes, my job requires me to be HIPAA compliant...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    Your info says near Detroit USA but then the flag is British, which I have no probs with you having British pride. But wouldn't it have been easier to put say, Detroit USA with an American flag than making sure people knew about your British ties when they clicked on your profile? It would sure cut down on the confusion for Texans like me
    Just a thought

    off topic/ I was just curious ( you can answer this in a PM or not at all lol) Do you like the US or the UK better?
    Git R Dun - Ty
    A tribe is wanted
