Home page logo
/

basics logo Security Basics mailing list archives

Re: HIPAA certs
From: Brian Jones <bjones () marshmed com>
Date: Fri, 21 Feb 2003 10:21:22 -0600


Jason,

Try here:
 http://www.cms.hhs.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf

from about page 264, especially the grid on the last 3 pages.

The regs don't take effect until april, so no one knows what to look for, and if
you are dealing with small providers it is after that but I am not sure when.
Inspections won't begin until after that so no one knows what to expect. It is
important to note the difference between required issues like risk analysis, and
addressable issues, like password management and encryption (really, though you
better have a good reason for not implimenting them).

You are largely correct, to me it looks like basic security (protect integrity,
accuracy and confidentiality of PHI) and a lot of policies, procedures,
documentation, etc. Just make sure you have a good reason for not implimenting
anything addressable, and prohibitive cost is a good reason.

Brian

Jason Hastain wrote:

hey all,

I have a few clients who are doctors running small practices.  They have
small LAN's and DSL connectinos behind a simple NAT router/firewall in one
case and persoanl FW's in the other (unfortunatly not my decision in either
case).

Each has approached me about the HIPAA certs in the last week.  I have read
through what seams reams of pages on it b ut have been unable to deduce
anything other than general good security practices.  Strong passwords,
offsite encrypted backups, real firewalls, etc and so on.

Can anyone shed some light onto this subject or point me to a document with
only the IT requirements prefereably boiled down to something simple?

And also has anyone had any experience yet with the HIPAA investigators or
quality control people checking on a site?  any ideas what they are looking
for?

I understand it is a 20k dollar fine for each infraction so I would hate for
it to be on my watch.

tia

Jason Hastain
Hastain Consulting


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault