Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1
11-30-2011, 09:16 AM
Advanced Member, Posts: 185
What does HIPAA Compliant mean to you?

I'm being driven crazy by our HIPAA thug over our email security. He's got our Executive Board all worked up and I need to get them an answer.

Is there a general answer I can give them?

Something along the lines of:

'We have an SSL. We force users to change passwords regularly. We have an account lockout policy for bad logins. We therefore meet or exceed minimum standards.'

I can't really find a firm, definitive answer on these boards or anywhere else.

Thanks In Advance
#2
11-30-2011, 09:43 AM
Special Member, Posts: 125

Having read the segment of HIPAA that pertains to IT folks like us, I will offer the following:

1. It's vague due to the wide use of the word "reasonable". Reasonable protection of sensitive patient data... yada yada.

2. What I did was cite the section of the HIPAA rules and then show via diagram that I am above or on par with industry standards and that I am over and above reasonable.
I also write it in simple terms. So either the diagram is understood or the written stuff is understood or both.

3. Sounds like you've implemented and secured most things above reasonable and according to industry norm. Sounds like you just need to do a nice written thing with pretty pictures. The idiots that wear the suits like that sort of thing.


Yet another situation of suits (lawyers and non-tech biz folks) wanting to act like they know IT and its implementation. Let's hope IT doesn't get like healthcare. In healthcare, doctors and care givers don't make patient decisions; insurance companies do, based on $$. Soon we will have lawyers running servers and being network and system administrators, and they have no IT skills and have never been in the trenches. What a world we live in.
#3
11-30-2011, 12:45 PM
Advanced Member, Posts: 185

Yeah, I'm trying to point out that very fact to them. I told them we have more to fear from users copying someone's PHI on a digital copier and selling it on the street corner than someone hacking us in some manner.

I asked them what HIPAA means when they say 'addressable' vs 'required'. The HIPAA thug decided they needed to have a meeting on it.

Sheesh...

Do you have a link to that HIPAA section you mention above?
#4
11-30-2011, 01:01 PM
Special Member, Posts: 125

I did that a while back, no worries. I got a gameplan for ya.

Ask the suits to give you a copy of the HIPAA document or a link to it. I'm sure they have it. The section that talks about IT is not that huge. It's a very dry read though. Read it, bummer, and you will see why I suggested what I did.

Don't tell the suits. Spoken words mean nothing to them. Put it in writing.

I will go hunting for the document again and post what I find. Don't worry, the suits are just that, suits. Here today n gone tomorrow.

Post if you get the doc from them.
Hang tight.
#5
11-30-2011, 01:29 PM
Advanced Member, Posts: 185

'Here today n gone tomorrow.'

That's the most hope I've had in ages.

Thanks for your help!