Howard, do you have an opinion you would care to share publicly regarding
organizations such as TruSecure and their HIPAA initiatives? Worth
"Howard C. Berkowitz" wrote in message
> At 8:06 PM +0000 1/20/03, Charles Riley wrote:
> >Thank you for the reply. I had actually already checked most of these
> >here. There is a great focus on getting the providers into compliance,
> >very little information about certifying the networks, servers, storage
> >devices, and other infrastructure used to support the creation, transport,
> >and sharing of medical information...very very very very little. The
> >I have found is a brief paragraph about ensuring that software complies
> >no checklist for that either.)
> Charles, this is something I'm trying to phrase objectively and
> delicately. There is a certain amount of relevant guidance, not
> necessarily under HIPAA guidance, but elsewhere in government. To
> synthesize this, you need to have a good understanding not
> necessarily of law, but how healthcare works.
> As an example, there are several independent requirements for
> security of different kinds of healthcare information. By far the
> most stringent are those set by the Drug Enforcement Administration
> for electronic prescribing of controlled substances. These go into
> quite a bit of technical specifications.
> In the position of being a processor of medical information, it's
> probably cost-effective to comply with the most restrictive
> requirements, because healthcare providers do tend to provide a
> growing list of services. So, in the last design I did, I used DEA
> for the crypto, authentication, audit, etc., but 21CFR11 (on human
> subject research) for software auditability requirements. There
> actually were challenges in reconciling HIPAA and DEA requirements
> for user authentication.
> The reality was that having an extensive background in medical
> informatics, it still probably took me several months to sort out a
> reasonably clear picture. At some point, I need to see return on my
> research investment. Determining the requirements for a specific
> service, therefore, tends to become the sort of thing when my
> consulting meter starts running. I suspect this would be similar for
> most people involved.
> Yes, there are various case studies, but, again, you need to have an
> idea where to look for them -- such as various NIH forums. Recent
> antiterror legislation is putting more constraints on microbiology
> labs--there are, for example, perfectly reasonable justifications for
> having your own anthrax cultures, but you need to dot the i's and
> cross the t's. Much of this comes from CDC, but there will be a
> certain amount in USDA regulations.
> I would say that the pure legal aspect is less important than
> understanding the environment and players. HIPAA, for example, in
> many cases just drops back and says "due diligence", and you need a
> paper trail to demonstrate your design approach.
> >In thinking about this, I would not only need a checklist, but applicable
> >clauses, sub clauses, etc. of the actual HIPAA to comply with. In other
> >words, I need to go back and major in law, or do as you suggest and
> >HIPAA tech specialist, and hope I get one that knows what they are doing.
> >Given all the confusion right now, I wonder if those companies touting
> >their data centers as "HIPAA compliant" are doing the equivalent of
> >individuals putting "CCIE Written" on their resumes?
> >"Priscilla Oppenheimer" wrote in message
> >> Charles Riley wrote:
> >> >
> >> > Sorry for the OT post, but have searched high and low, and no
> >> No problem. I don't think it's really OT. HIPAA is going to have a big
> >> effect on many data networks.
> >> I'm surprised that you say there isn't information available on how to
> >> become HIPAA compliant. There's a lot, isn't there? If companies are
> >> that they are HIPAA certified, that's a bit of a misnomer. I don't
> >> there's any certification, but there is compliance info available.
> >> Did you check these links:
> >> http://www.hipaadvisory.com/
> >> http://aspe.hhs.gov/admnsimp/
> >> http://www.cms.hhs.gov/hipaa/
> >> http://www.hipaa.org/
> >> I wonder if you could hire a consultant to help you wade through all
> >> regulations and confusing info from the government. Hopefully some
> >> will specialize in this.
> >> Priscilla
> >> > definite answer in sight. Really, really apologize for the nontechnical
> >> > nature of this post, but I have reached a wall after searching all over
> >> > for an answer. I guess you could say that I am "ill" with searching...
> >> >
> >> > HIPAA is a medical information protection and privacy act passed by
> >> > Congress in 1996. The deadline for complying or getting an extension is
> >> > this year. You'll probably see more and more requests like mine as the
> >> > year goes by, so I figured I'd start things off.
> >> >
> >> > HIPAA is currently in a state of flux as far as implementation and
> >> > enforcement is concerned, as many medical professionals and
> >> > organizations rush to comply. Which brings me to my question...
> >> >
> >> > In my searches, I see several organizations trumpeting the fact their
> >> > data centers are "HIPAA certified", meaning that they are cleared to
> >> > process, store, or otherwise handle medical and private info. How is it
> >> > possible to achieve this certification when there does not seem to be
> >> > any standards or processes from the U.S. government detailing what will
> >> > earn the certification?
> >> >
> >> > Does having a couple of tape drives on a server behind a firewall with
> >> > restricted access qualify a data center to be "HIPAA Compliant"? Is
> >> > there a checklist, policy, standard, or procedure for certification
> >> > required by the U.S. government that I missed in my searches? If so, I
> >> > would appreciate getting the links to such information.
> >> >
> >> > TIA,
> >> >
> >> > Charles
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html