Re: HIPAA security requirements

["lakewood1 () copper net" <lakewood1 () copper net>]

Hi Matt,

You might be interested in two links that I follow closely:

The OpenHealth Initiative
openhealth-list () minoru-development com

and the OpenEHR standards project (Electronic Healthcare Records)
openehr-technical () openehr org

Are you familiar with OHSU:
http://www.ohsu.edu/cc/hipaa/general_info.shtml

HIPAA is a newcomer and has some obvious problems. The OpenHealth 
Initiative and the
OpenEHR group discussion groups will provide considerable information 
beyond HIPAA,
the advantages and disadvantages of HIPAA too numerous to cover here.

The OHSU link will provide forms currently in use that have been 
reviewed. Specific issues
you have can be presented to the staff at OHSU to see if they have a 
ready answer.

My primary focus is on Patients and related groups with special 
attention directed at Providers.
For this the advantages of OpenEHR far surpasses the HIPAA advantages 
(personal
opinion).

Join the lists.

Regards!

-Thomas Clark

BTW: I am an IT professional.




Matt Kenigson wrote:

> Howdy,
>
> I've been lurking on the list now for over a year and wanted to start 
> my first post by thanking everyone out there who has been answering 
> questions and has contributed to all of the wonderful projects I've 
> heard about on the list.  My hat is off to all of you for being such 
> talented professionals and still managing to give back to the 
> community with your efforts.
>
> Now, on to the feature:
>
> I was wondering if anyone has come across any specific requirements 
> that are implicit or even implied by the security-related portions of 
> the HIPAA act, including amendments.  As a web application developer, 
> I have to assure my healthcare clients that we will strive to meet 
> HIPAA requirements, but have never come across any document or 
> analysis that tries to bring into focus what precisely that means in 
> the context of database-backed web applications.  Some things are 
> obvious:  If your app does absolutely anything that could expose 
> patient information to the wrong eyes, that would fall astray.  Others 
> are not quite as obvious.  Also, after a contract has been completed, 
> if new exploits are discovered, what are the developer's ongoing 
> responsibilities?  Is the developer forever obligated to point out new 
> security weaknesses so that the client can opt to hire someone to fix 
> them?  If not, where does the liability end?
>
> Does anyone know of any such document, discussion, or guidance?  Care 
> to start one?  I'll help.
>
> I should note that my thinking on this was jump-started by the 
> interesting column currently featured on owasp.org by Jeff Williams.  
> I should also note that I could only read what was on that first page, 
> as the link for more of the story seems to be broken right now.
>
> Thanks,
>
> Matt Kenigson
> president () sheergenius com