Re: OT: Making data centers HIPAA compliant - what is [7:61648] posted 01/23/2003


Howard, do you have an opinion you would care to share publicly regarding
organizations such as TruSecure and their HIPAA initiatives? Worth
considering? Studying?


"Howard C. Berkowitz" wrote in message
news:200301221645.QAA30252@xxxxxxxxxxxxxxxxx
> At 8:06 PM +0000 1/20/03, Charles Riley wrote:
> >Priscilla,
> >
> >Thank you for the reply.  I had actually already checked most of these
> >sites here.  There is a great focus on getting the providers into
> >compliance, but very little information about certifying the networks,
> >servers, storage devices, and other infrastructure used to support the
> >creation, transport, and sharing of medical information...very very very
> >very little.   The most I have found is a brief paragraph about ensuring
> >that software complies (and no checklist for that either.)
>
> Charles, this is something I'm trying to phrase objectively and
> delicately. There is a certain amount of relevant guidance, not
> necessarily under HIPAA guidance, but elsewhere in government.  To
> synthesize this, you need to have a good understanding not
> necessarily of law, but how healthcare works.
>
> As an example, there are several independent requirements for
> security of different kinds of healthcare information. By far the
> most stringent are those set by the Drug Enforcement Administration
> for electronic prescribing of controlled substances.  These go into
> quite a bit of technical specifications.
>
> In the position of being a processor of medical information, it's
> probably cost-effective to comply with the most restrictive
> requirements, because healthcare providers do tend to provide a
> growing list of services.  So, in the last design I did, I used DEA
> for the crypto, authentication, audit, etc., but 21CFR11 (on human
> subject research) for software auditability requirements.  There
> actually were challenges in reconciling HIPAA and DEA requirements
> for user authentication.
>
> The reality was that having an extensive background in medical
> informatics, it still probably took me several months to sort out a
> reasonably clear picture. At some point, I need to see return on my
> research investment.  Determining the requirements for a specific
> service, therefore, tends to become the sort of thing when my
> consulting meter starts running.  I suspect this would be similar for
> most people involved.
>
> Yes, there are various case studies, but, again, you need to have an
> idea where to look for them -- such as various NIH forums. Recent
> antiterror legislation is putting more constraints on microbiology
> labs--there are, for example, perfectly reasonable justifications for
> having your own anthrax cultures, but you need to dot the i's and
> cross the t's.  Much of this comes from CDC, but there will be a
> certain amount in USDA regulations.
>
> I would say that the pure legal aspect is less important than
> understanding the environment and players.  HIPAA, for example, in
> many cases just drops back and says "due diligence", and you need a
> paper trail to demonstrate your design approach.
>
> >
> >In thinking about this, I would not only need a checklist, but applicable
> >clauses, sub clauses, etc. of the actual HIPAA to comply with.  In other
> >words, I need to go back and major in law, or do as you suggest and
> >locate a HIPAA tech specialist, and hope I get one that knows what they
> >are doing.
> >
> >Given all the confusion right now,  I wonder if those companies touting
> >their data centers as "HIPAA compliant" are doing the equivalent of
> >individuals putting "CCIE Written" on their resumes?
> >
> >Charles
> >
> >
> >"Priscilla Oppenheimer" wrote in message
> >news:200301201931.TAA18294@xxxxxxxxxxxxxxxxx
> >>  Charles Riley wrote:
> >>  >
> >>  > Sorry for the OT post, but have searched high and low, and no
> >>
> >>  No problem. I don't think it's really OT. HIPAA is going to have a big
> >>  effect on many data networks.
> >>
> >>  I'm surprised that you say there isn't information available on how to
> >>  become HIPAA compliant. There's a lot, isn't there? If companies are
> >>  saying that they are HIPAA certified, that's a bit of a misnomer. I
> >>  don't think there's any certification, but there is compliance info
> >>  available.
> >>
> >>  Did you check these links:
> >>
> >>  http://www.hipaadvisory.com/
> >>
> >>  http://aspe.hhs.gov/admnsimp/
> >>
> >>  http://www.cms.hhs.gov/hipaa/
> >>
> >>  http://www.hipaa.org/
> >>
> >>  I wonder if you could hire a consultant to help you wade through all
> >>  the regulations and confusing info from the government. Hopefully some
> >>  consultants will specialize in this.
> >>
> >>  Priscilla
> >>
> >>  > definite answer in sight. Really, really apologize for the
> >>  > nontechnical nature of this post, but I have reached a wall after
> >>  > searching all over for an answer.
> >>  > I guess you could say that I am "ill" with searching...
> >>  >
> >>  > HIPAA is a medical information protection and privacy act passed by
> >>  > Congress in 1996.  The deadline for complying or getting an
> >>  > extension is this year.  You'll probably see more and more requests
> >>  > like mine as the year goes by, so I figured I'd start things off.
> >>  >
> >>  > HIPAA is currently in a state of flux as far as implementation and
> >>  > enforcement is concerned, as many medical professionals and
> >>  > organizations rush to comply.  Which brings me to my question...
> >>  >
> >>  > In my searches, I see several organizations trumpeting the fact
> >>  > their data centers are "HIPAA certified", meaning that they are
> >>  > cleared to process, store, or otherwise handle medical and private
> >>  > info.   How is it possible to achieve this certification when there
> >>  > does not seem to be any standards or processes from the U.S.
> >>  > government detailing what will earn the certification?
> >>  >
> >>  > Does having a couple of tape drives on a server behind a firewall
> >>  > with restricted access qualify a data center to be "HIPAA
> >>  > Compliant"?  Is there a checklist, policy, standard, or procedure
> >>  > for certification required by the U.S. government that I missed in
> >>  > my searches?  If so, I would appreciate getting the links to such
> >>  > information.
> >>  >
> >>  > TIA,
> >>  >
> >>  > Charles




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=61648&t=61648