GroupStudy.com GroupStudy.com - A virtual community of network engineers
 Home  BookStore  StudyNotes  Links  Archives  StudyRooms  HelpWanted  Discounts  Login
Re: OT: Making data centers HIPAA compliant - what is [7:61588] posted 01/22/2003
[Chronological Index] [Thread Index] [Top] [Date Prev][Date Next] [Thread Prev][Thread Next]


At 8:06 PM +0000 1/20/03, Charles Riley wrote:
>Priscilla,
>
>Thank you for the reply.  I had actually already checked most of these sites
>here.  There is a great focus on getting the providers into compliance, but
>very little information about certifiying the networks, servers, storage
>devices, and other infrastructure used to support in creation, transport,
>and sharing of medical information...very very very very little.   The most
>I have found is a brief paragraph about ensuring that software complies (and
>no checklist for that either.)

Charles, this is something I'm trying to phrase objectively and 
delicately. There is a certain amount of relevant guidance, not 
necessarily under HIPAA guidance, but elsewhere in government.  To 
synthesize this, you need to have a good understanding not 
necessarily of law, but how healthcare works.

As an example, there are several independent requirements for 
security of different kinds of healthcare information. By far the 
most stringent are those set by the Drug Enforcement Administration 
for electronic prescribing of controlled substances.  These go into 
quite a bit of technical specifications.

In the position of being a processor of medical information, it's 
probably cost-effective to comply with the most restrictive 
requiremens, because healthcare providers do tend to provide a 
growing list of services.  So, in the last design I did, I used DEA 
for the crypto, authentication, audit, etc., but 21CFR11 (on human 
subject research) for software auditability requirements.  There 
actually were challenges in reconciling HIPAA and DEA requirements 
for user authentication.

The reality was that having an extensive background in medical 
informatics, it still probably took me several months to sort out a 
reasonably clear picture. At some point, I need to see return on my 
research investment.  Determining the requirements for a specific 
service, therefore, tends to become the sort of thing when my 
consulting meter starts running.  I suspect this would be similar for 
most people involved.

Yes, there are various case studies, but, again, you need to have an 
idea where to look for them -- such as various NIH forums. Recent 
antiterror legislation is putting more constraints on microbiology 
labs--there are, for example, perfectly reasonable justifications for 
having your own anthrax cultures, but you need to dot the i's and 
cross the t's.  Much of this comes from CDC, but there will be a 
certain amount in USDA regulations.

I would say that the pure legal aspect is less important than 
understanding the environment and players.  HIPAA, for example, in 
many cases just drops back and says "due diligence", and you need a 
paper trail to demonstrate your design approach.

>
>In thinking about this, I would not only need a checklist, but applicable
>clauses, sub clauses, etc. of the actual HIPAA to comply with.  In other
>words, I need to go back and major in law, or do as you suggest and locate a
>HIPAA tech specialist, and hope I get one that knows what they are doing.
>
>Given all the confusion right now,  I wonder if those companies touting
>their data centers as "HIPAA compliant" are doing the equivalent of
>individuals putting "CCIE Written" on their resumes?
>
>Charles
>
>
>""Priscilla Oppenheimer""  wrote in message
>news:200301201931.TAA18294@xxxxxxxxxxxxxxxxx
>>  Charles Riley wrote:
>>  >
>>  > Sorry for the OT post, but have searched high and low, and no
>>
>>  No problem. I don't think it's really OT. HIPAA is going to have a big
>>  affect on many data networks.
>>
>>  I'm surprised that you say there isn't information available on how to
>>  become HIPAA compliant. There's a lot, isn't there? If companies are
>saying
>>  that they are HIPAA certified, that's a bit of a misnomor. I don't think
>>  there's any certification, but there is compliance info available.
>>
>>  Did you check these links:
>>
>>  http://www.hipaadvisory.com/
>>
>>  http://aspe.hhs.gov/admnsimp/
>  >
>>  http://www.cms.hhs.gov/hipaa/
>>
>>  http://www.hipaa.org/
>>
>>  I wonder if you could hire a consultant to help you wade through all the
>>  regulations and confusing info from the goverment. Hopefuly some
>consultants
>>  will specialize in this.
>>
>>  Priscilla
>>
>>  > definite
>>  > answer in site. Really, really apoliogize for the nontechnical
>>  > nature of
>>  > this post, but I have reached a wall after searching all over
>>  > for an answer.
>>  > I guess you could say that I am "ill" with searching...
>>  >
>>  > HIPAA is an medical information protection and privacy act
>>  > passed by
>>  > Congress in 1996.  The deadline for complying or gettting an
>>  > extension is
>>  > this year.  You'll probably see more and more requests like
>>  > mine as the year
>>  > goes by, so I figured I'd start things off.
>>  >
>>  > HIPAA is currently in a state of flux as far as implementation
>>  > and
>>  > enforcement is concerned, as many medical professional and
>>  > organizations
>>  > rush to comply.  Which brings me to my question...
>>  >
>>  > In my searches, I see several organizations trumpeting the fact
>>  > their data
>>  > centers are "HIPAA certified", meaning that they are cleared to
>>  > process,
>>  > store, or otherwise handle medical and private info.   How is
>>  > it possible to
>>  > achive this certification when there does not seem to be any
>>  > standards or
>>  > processes from the U.S. government detailing what will earn the
>>  > certification?
>>  >
>>  > Does having a couple of tape drives on a server behind a
>>  > firewall with
>>  > restricted access qualify a data center to be "HIPAA
>>  > Compliant"?  Is there a
>>  > checklist, policy, standard, or procedure for certification
>>  > required by the
>>  > U.S. government that I missed in my searches?  If so, I would
>>  > appreciate
>>  > gettting the links to such information.
>>  >
>>  > TIA,
>>  >
>>  > Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61588&t=61588
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to abuse@xxxxxxxxxxxxxx