Security Basics mailing list archives
RE: hipaa guidance
From: "Chinnery, Paul" <PaulC () mmcwm com>
Date: Fri, 14 Oct 2005 07:41:52 -0400
If I may just jump in here, check out http://www.hipaadvisory.com/ for more info. Also, there is a HIPAA email list where you should post some of your HIPAA questions. This list is read and answered by people whose sole job function is HIPAA. Very knowledgeable. See http://www.hipaalert.com for info on how to subscribe.

-----Original Message-----
From: Dana [mailto:absolutezero273c () myrealbox com]
Sent: Thursday, October 13, 2005 8:22 AM
To: security-basics () securityfocus com
Subject: Re: hipaa guidance

John, I appreciate you taking the time to respond. I also appreciate the input from everyone else who has responded.

I did spend time googling HIPAA security. I also specifically looked at the information SecurityFocus has made available, particularly the article by Steven Weil, as well as past applicable posts to the SecurityFocus 'security-basics' list. Unfortunately, what I have found does not provide me with enough detail to assist me in making a 'comfortable' recommendation to my client. Not that I was looking for a checklist, but something that was not so vague as the current legislation is. I realize that HIPAA must be vague so as to encompass every possible organization from 5 employees to 5 million.

I have read many 'opinions' on how HIPAA should be applied. That includes legal opinions instructing organizations to be vague in their documentation so as to prevent infractions but provide enough detail that it is accepted as a legal HIPAA policy. And unfortunately, for the sake of examples, I have not found any court cases, outside of the use of Lexis/Nexis, that would set a precedent.

So I am finding it difficult to apply these policies to a small non-profit that has fewer than 10 employees who access the single server housed in the administrator's office. I believe I have the ability/knowledge/skills to interpret security 'best practices' and apply them to this size of organization, but would they stand up in a court of law? Don't know. Haven't seen anything telling me otherwise. It all depends upon the interpretation by the individuals overseeing this legislation at the particular time of review. Maybe this should simply be left to the CEO and legal counsel to decide what kind of liability we (the consulting organization) would like to assume?

Dana
> First of all, I recommend that you spend a few more
> minutes googling 'HIPAA security' - securityfocus itself has an
> excellent piece on the subject.
>
> There are, to my knowledge, no free "check all these
> boxes and you'll be compliant" HIPAA guides although using existing
> security standards will get you close enough.
>
> If you're still in doubt as to how to proceed I would,
> indeed, recommend that your client engage someone experienced in HIPAA
> assessments.
>
> John