
Striving for HIPAA Compliance?

Cliff posted more than 11 years ago | from the forcibly-changing-the-way-you-work dept.

Security 278

krisguy asks: "As an Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP, ANSI X12 codes, and having to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or be forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues in this article, which concerned itself with Windows 2000 and HIPAA. For those who have already hopped through the rings that represent HIPAA compliance on a general basis, what did you have to ensure was done?


278 comments


Fafafooey! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499577)

Babablooey!

HI !!! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499585)

I am Junis from Kabul. With
help from friend Jon Katz I
have made first release of
my new operating system -
JUNIX. Plays well MP3 and has
good support for iPod system.
Also special file sytem to
store DivX of baywatch and
survivor television show.
I very much like america
culture. JUNIX is built for
commodore but I include my
compiler so you can build for
your system when you have dug
up hardware from chicken hut.

Hippo's Cobra's (-1, Offtopic)

fred911 (83970) | more than 11 years ago | (#4499588)

Gotta make ya wonder what health insurance has to do with animals :-)

Hey dude... (-1, Offtopic)

Bob Vila's Hammer (614758) | more than 11 years ago | (#4499589)

Do you know where I can score some cheap oxygen?

FIRST OPEN FIRMWARE POST (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4499594)

CLAIM FAILED

motherfuckaz.

Why not try this? (5, Informative)

demonlapin (527802) | more than 11 years ago | (#4499601)

Although it's another side of health care, why not take a look at the AMA's [ama-assn.org] page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.

Re:Why not try this? (4, Informative)

blake182 (619410) | more than 11 years ago | (#4499864)

In general, it is a difficult problem to say "we need to be HIPAA-compliant". It generally needs to break down to finding all of the points where healthcare information flows outside the organization, and then protecting that information.

From the standpoint of email, there was a great amount of effort put into this in 2001. Check out this press release [hipaadvisory.com] which summarizes the effort. Basically, there was a group of email vendors led by the Massachusetts Health Data Consortium (MHDC) that got together and standardized a method of doing server to server encryption of email. This effort is currently an Internet Draft, draft-ramsdell-enc-smime-gateway [ietf.org] , and it will actually be moved to the IETF-SMIME working group in time for the next meeting. It is basically a profile of the DOMSEC effort, which is in turn a profile of S/MIME. I participated in this effort on behalf of Tumbleweed, and at the end of it all, the products were all working together, and I am a co-author and editor of the draft.

The bottom line is that there exist commercially available solutions from multiple vendors which satisfy the HIPAA requirements for secure email, which is most likely a large part of your charge. These products are generally usable in a "gateway" configuration where they can be placed next to an existing mail server to automatically encrypt / decrypt mail according to policy. Further, this effort is being discussed and documented in the IETF so that new implementations can be created.

Bureaucratic filth (-1, Flamebait)

SexyKellyOsbourne (606860) | more than 11 years ago | (#4499611)

The HIPAA is a bloated, disgusting piece of huge paperwork that may have meant well, but grew disgustingly out of proportion, and was still bloated even after the Administrative Simplification. I believe in privacy, but there's no simple way to make everything ultra-secure with encryption and such -- and that should be a move taken by the businesses themselves, not forced upon them by a distant bureaucracy.

It's nothing but more government interference in private business that chains capitalism to the ground and makes us as weak and inefficient as the old Soviet Union was. This does not simplify anything with electronic transactions -- it just bogs down the already efficient electronic systems in place with red tape.

Want to fight it? Simple -- don't implement it if it hinders you and ignore it, and go on with business as usual.

Re:Bureaucratic filth (5, Informative)

Jeremiah Cornelius (137) | more than 11 years ago | (#4499718)

Part of the problem with HIPAA is the earnest attempt to create a standard for Information Security controls, without a requirement for implementation specifics on individual security controls. The aim is admirable - do not specify technologies which could be tied to a vendor, or rendered obsolete within the decade. Also, do not make assumptions about the specific sensitivity of individual data elements in the custody of various regulated entities.

The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, implementation, audit and compliance. The healthcare industry must now involve itself in a regime of regulatory overhead analogous to that of securities or banking.

I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.

Re:Bureaucratic filth (2, Insightful)

Mr. Slippery (47854) | more than 11 years ago | (#4499729)

Simple -- don't implement it if it hinders you and ignore it, and go on with business as usual.
...and wait to get your ass sued into oblivion when the first privacy violation occurs. Brilliant.

Re:Bureaucratic filth (4, Insightful)

fanatic (86657) | more than 11 years ago | (#4499761)

It's nothing but more government interference in private business that chains capitalism

Fine - let's have EVERY bit of your medical history made public please, and given to every insurer, loan company or employer to whom you apply.

That's a great idea.

Almost there now anyways (2)

Archfeld (6757) | more than 11 years ago | (#4500126)

Soon there will only be ONE giant MEGA corp health care provider, and they can share your data with "umbrella companies" no matter what you say or want.

Re:Bureaucratic filth (2)

rgmoore (133276) | more than 11 years ago | (#4500006)

It's nothing but more government interference in private business that chains capitalism to the ground and makes us as weak and inefficient as the old Soviet Union was. This does not simplify anything with electronic transactions -- it just bogs down the already efficient electronic systems in place with red tape.

Since you don't like government interference in your business, I hope that your health care firm will give up access to funding in the form of Medicare, Medicaid, NIH research funds, etc. It would be terrible if you were to behave hypocritically by taking lots of government money and then turn around and complain about government regulations.

Re:Bureaucratic filth (2)

karlm (158591) | more than 11 years ago | (#4500053)

I believe in privacy, but there's no simple way to make everything ultra-secure with encryption and such -- and that should be a move taken by the businesses themselves, not forced upon them by a distant bureaucracy.

Then this will never happen, pure and simple, unless cracktivism is legalized (cracking insecure systems to publicly disgrace the company into bolting things down).

Misleading... (5, Funny)

httpamphibio.us (579491) | more than 11 years ago | (#4499616)

I thought this was about some new car club for cool people.

HIPAAA, uh, ok, is that, like, the cool triple A? (1)

rumba (70920) | more than 11 years ago | (#4499922)

It's because Slashdot editors never check for spelling errors. I can't believe how many go by every day. I mean, when your job is to post half a dozen stories, wouldn't you think there would be a system for catching even the most common spelling mistakes? Get it together. Use your perl hax0ring skillz to run the articles through aspell or ispell.

Well excuse me... (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4499620)

But what has health care got to do with PGP and so on? Man are you in the right job? Clue me in.

--
Thilaa Amaa Fui

Re:Well excuse me... (0)

Anonymous Coward | more than 11 years ago | (#4499694)

I don't think the above is a troll posting. I for one see no relation between health care procedures and PGP (computer encryption, for the clueless); would someone care to explain?

Re:Well excuse me... (0)

Anonymous Coward | more than 11 years ago | (#4499736)

I don't know how to explain, but possibly PGP might be something to do with the person's security health? I mean, if you want to be secure healthwise in terms of a digital measure, for example, if you want to be aware of and repel computer generated viri, then this could be a health issue to your computer, which in turn could be directly related to your job performance and health issues such as RSI and so on. Overall I just feel that that is the case.

--

John Murdock II
IAAL (intellectual/property rights and international consignments and overall geek )

Re:Well excuse me... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499744)

So, Mr. John Murdock the AC lawyer. You believe RSI could be transmitted by a computer virus due to the repetitive anti-virus pop-up boxes one has to close on a fully infected PC?

Re:Well excuse me... (0)

Anonymous Coward | more than 11 years ago | (#4499808)

Yes, definitely; in fact, I've seen two such cases in the past; one a seemingly harmless suit against Network Associates, and another against a popular pop-up advertisement corporation (I would like those guys bitten rather than the NetAssociate guys). Anyway, these things are very common in the industry and much more common in the entertainment and retail industry than our industry.

--
John Murdock II
IAAL (intellectual/property rights and international consignments and overall geek )

Re:Well excuse me... (0)

Anonymous Coward | more than 11 years ago | (#4499779)

PGP is a health issue as defined by the FDA. Please check all your TLA before making any more innocent posts that might be seen as a troll posting by overly trigger-happy moderators.

Bonjour.

MOTHERFUCKING MODS ON MOTHERFUCKING CRACK (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499832)

Don't just tell them... (5, Insightful)

SaturnTim (445813) | more than 11 years ago | (#4499622)

Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.

--ST

Re:Don't just tell them... (3, Insightful)

FreeLinux (555387) | more than 11 years ago | (#4499702)

If management isn't behind you, then get another job. Because, if that is the case with management the company will be shut down in short order. Then everyone will be out of work.

Or from what i am seeing....Don't comply.... (1, Funny)

Anonymous Coward | more than 11 years ago | (#4499778)

I have done some work with a few companies regarding becoming compliant. They pretty much across the board have decided not to do so. I find it pretty amusing.

Re:Don't just tell them... (3, Informative)

Zeinfeld (263942) | more than 11 years ago | (#4499900)

Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

Dilbert's boss posts on Slashdot!

There is no point in threats when people have no idea what to do. And there is simply no point in trying to solve an enterprise security problem with tools designed by geeks for geeks.

PGP is, as you point out, not an easy concept to explain to an end user. In particular PGP is designed around an ideology of personal security, and not enforcing an enterprise wide security policy.

First you need someone to write the security policy. 'We don't believe in security' is probably not a starter, might put off the patients. Fortunately the more complex privacy issues have been punted on - for now, expect them to return in due course. For the time being you need your network security measures and application security. But don't buy into a system unless the vendor is likely to be around in a couple of years to provide privacy management infrastructure as well.

What you need for messaging security is a PKI that enables the encryption features of Outlook, Lotus Notes, Netscape etc. Given your time constraints it would probably be best to look at an outsourced solution so you don't have to worry about building secure infrastructure or write a CPS or anything stupid. This is also much cheaper up front on capital costs.

The other thing you will need to do is to draw up some sort of survey that describes the circumstances under which you report confidential patient information to outside bodies - under HIPAA that includes external medical practices, labs etc. You will need to make sure that their privacy practices align with the ones you communicate to the patients.

How can you do this job without authority? (3, Insightful)

fishbowl (7759) | more than 11 years ago | (#4499623)

You need the authority to say "you will follow these procedures, or you will work elsewhere; preferably in another industry."

Until you have THAT authority, you do not really have the job that you think you have.

Re:How can you do this job without authority? (3, Insightful)

karlm (158591) | more than 11 years ago | (#4499855)

Until you have THAT authority, you do not really have the job that you think you have.

I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.

Re:How can you do this job without authority? (3, Insightful)

dillon_rinker (17944) | more than 11 years ago | (#4500026)

The stick is the only thing you have. Look at it from the owner's perspective:

I own a healthcare company. I will lose my livelihood if the people working for me don't adhere to these regulations. Therefore, anyone who refuses to comply CAN NOT work for me. Just like anybody else, I've got a spouse and kids and a house payment. Unlike most other people, I've got 20 other people working for me, all of whom have a spouse and kids and a house payment. I CAN NOT permit some nimrod to jeopardize the business. The reward for complying is a job. There is no punishment for failure to comply; you simply won't work for me.

Carrots are nice for persuading people to do things that are not essential, but in this kind of a situation, a stick is all that exists. If you disagree, I encourage you to find the carrots in the regulations that mandate compliance.

Re:How can you do this job without authority? (1)

malfunct (120790) | more than 11 years ago | (#4499889)

I am certain that there are a great number of ways that you can set up the system within which these people work correctly so that the guidelines are met with minimal training on the part of the majority of people.

For instance I think you can implement PGP in many places behind the scenes and manage keys and transactions without necessarily telling anyone. This seems to be a problem where technology is a solution so why can't we give him some technology advice.

Unfortunately I don't know what is required for the guidelines or I might be able to give some suggestions.

Re:How can you do this job without authority? (4, Insightful)

ESarge (140214) | more than 11 years ago | (#4500017)

Apply standard change management advice.
If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).

The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.

Things to do:
Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
Give them chances to ask question and modify what you do. People are happier to sign on to things if they feel they've got some input into it.

Work on the IT side and get it working pretty well. Create detailed, clear, easy step by step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.

Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)

I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
If there's something you can do to fix their problem then do that. There may be technical things you can do that will get to them to do it right.
If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.

y'all should strive (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499633)

to eat at subway

g to the oatse
c to the izzex
fo shizzle my nizzle you know the dilly-o

My afternoon (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499636)

At first there was a gentle sound of 'slap, slap, slap,' as my balls danced over Taco's face, gently slapping off of his goatee.

But as the seasoned professional plied his trade, my loins began to thrust ever more vigorously, until I found myself pounding and pounding, deeper and deeper into Taco's voracious mouth. You could feel the yearning in his vacuum-like pleasure machine, in his muffled grunts, in his expert caressing of my engorged member.

And then, it happened. Like a tidal wave my orgasm washed over me, as jets of my jism spurted down Taco's throat, briefly gagging him. I came for what seemed like hours, until I collapsed in a heap, drained of my man sauce. After licking me clean and giving me a final caress, Taco sprang to his feet and hurriedly departed, mumbling something about getting back to slashdot and a crashed mysql server or something another.

Do these guys care? (1, Offtopic)

Dirtside (91468) | more than 11 years ago | (#4499640)

"HIPAAA"? (It's HIPAA.) "Compiance"? (Try "compliance.") I don't want this to turn into another "stupid editor tricks" rant, but I'm really getting annoyed.

Do these guys really care? Honestly, this is sad. The /. editors, we know, have wants and desires like any other human. Most of them seem to want open source to win. Do they not realize that taking the tiny amount of effort necessary to proofread and edit the story submissions and titles, would go a significant way toward reducing the perception of /. as a bunch of hyperactive nerds? (No, I don't see us that way, but a lot of non-geeks do.) If the editors really truly do want open source to "win" (whatever that would mean), they could do a lot just by ensuring that the front of the site looks competent, rather than incompetent.

I'm not claiming they have some kind of journalistic duty here; it's just normal freakin' common sense. If you write like you don't care, people will assume you don't care, and will ignore you. (Not, of course, the /. regulars who don't come here for what the editors have to say, but rather the discussions by the users.)

from the forcibly-changing-the-way-you-work dept. (2)

teamhasnoi (554944) | more than 11 years ago | (#4499739)

hehe - the irony.

For Christ's sake (4, Insightful)

abe ferlman (205607) | more than 11 years ago | (#4499858)

I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.

But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.

C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.

Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.

ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.

HIPAA (1, Troll)

Anonymous Coward | more than 11 years ago | (#4499648)

Well, it's a lot worse than you might think. It's now illegal to send personally identifiable information via electronic means (such as email).

The net result is, in a government office dealing with MediCare or MediCaid, they can't talk about anything in email if it can be used to identify who a person is.

You can't even get updates on the status of your prescription refill by email legally any more... EVEN IF YOU AUTHORIZE IT!

Faster, More Reliable Alternative (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4499661)

If Slashdot were a democracy I would vote to remove the Ask Slashdot section and replace it with a simple Google link. You will get better results from Google than you will on /. so why bother? See for yourself:
Ask Google [google.com] .

Wouldn't that be "Ask Google" then? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4499819)

jeez

Re:Faster, More Reliable Alternative (0, Offtopic)

stephenisu (580105) | more than 11 years ago | (#4499977)

If you were to activate an account then go into preferences you could disable this section of slashdot. For many this is a section of slashdot where they can get answers from others real life experiences.

Actual implementation not clear cut. (5, Insightful)

PIPBoy3000 (619296) | more than 11 years ago | (#4499667)

I'm a web/database developer in a large healthcare organization, and the phrase "HIPAA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.

For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?

Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.

Re:Actual implementation not clear cut. (2)

karlm (158591) | more than 11 years ago | (#4499969)

Tangential question: anyone know if Postgres supports Kerberos encryption yet, or is it still limited to only using Kerberos for authentication?

Tell The Truth (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4499669)

From my work with HIPAA compliance, there are two important things to remember. One, there are no HIPAA police out there that will kill you and eat your children if your compliance comes into question. Second, all they really want you to do is tell the truth about the measures you have taken to secure patient or other sensitive data. For example, if you say your data is in a data safe, make sure it is. The problem you will have with lawsuits can only be brought up if you have not truly done what your compliance form says you did.

Re:Tell The Truth (3, Interesting)

Lucas Membrane (524640) | more than 11 years ago | (#4500069)

That's not all. If you disclose any data, you must be able to comply with requests from the subject to tell the subject what was disclosed when and to whom for up to six years later. This means that if you ship something with a label on it that says "Handle with Care -- Prosthesis", and the UPS people see the label, you should be able to let the patient to whom you shipped know this for up to six years later. Very onerous.

They haven't yet pronounced whether HIPAA prohibits doctors offices from using sign-in sheets, for example. This is a disclosure to each person signing in who the other patients are. After all, you can see them in the office and might recognize them, so how can it be a violation of 'privacy'? But it's exactly the kind of promiscuous disclosure that this act is supposed to prevent. The law is an ass.

HIPAA's goodness (5, Interesting)

fean (212516) | more than 11 years ago | (#4499671)

I currently have 3 separate jobs (I'm a college student), and each one is affected by HIPAA in different ways... one is a branch of an insurance company, where I'm sure eventually all of our inter-company emails will have to be encrypted, regardless of content, and we'll be very limited on what we can actually talk about on the phone (I'm in the phone cube all day)

the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)

for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.

all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...

Re:HIPAA's goodness (4, Insightful)

GigsVT (208848) | more than 11 years ago | (#4499810)

Security's a bitch, get over it.

Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.

I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routinely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.

This sounds like a management problem. (5, Funny)

teamhasnoi (554944) | more than 11 years ago | (#4499672)

Since you work with oxygen, I would suggest making it worth their while by giving those who comply with your procedures a small bottle of the 'good stuff' to suck on at their desk.

You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.

Nitrous day all good (0)

Anonymous Coward | more than 11 years ago | (#4499910)

Who wouldn't turn up for work? I'd be there early, and work late!

Re:This sounds like a management problem. (1, Offtopic)

karlm (158591) | more than 11 years ago | (#4499931)

Dammit, I've got 5 good moderator points but I just posted here. Someone mod parent up to 5.

By the way, just for the kiddies out there: breathing pure oxygen slowly harms the lungs (especially at elevated pressures, which is why they use heliox instead of pure oxygen for really deep sea dives), so don't do it unless you need it. Oxygen bars are such a joke. I saw one in the local mall. $15 for 10 minutes of breathing pure oxygen.... Oooooh, and kids, don't do whippits too much.. excessive nitrous use can lead to muscular weakness.

HIPAA compliance (3, Interesting)

ThoreauHD (213527) | more than 11 years ago | (#4499700)

HIPAA is being sorted through at my place of work, which happens to be a hospital. We are basically turning our MS shop into a Citrix shop due to the impossibility of configuring thousands of computers at the user level.

We use ICA protocol with 128 bit encryption and rotating passwords.. but with all of the applications that one employee has to access, it's becoming a major breaking point remembering all of the passwords.

The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the ridiculous to get work done for people whose skill sets are RNs or MDs. MDs tend to be more technically adept (aka AOL), but the rest are hapless technoweenies (to quote a cheese movie).

Things are moving toward http browser based access, and terminal services applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.

As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinXP SP1 is a HIPAA violation or if MS will sue us next week because they aren't making their stock margins.

And after all of this, we will have some work cut out for us (not much) - but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east/west. If the government can't do it, then I surely can. And so, there you have it.

no security regs yet (0)

Anonymous Coward | more than 11 years ago | (#4499703)

They don't even have the final security regs out yet.
It's a bloated pile of crap that only lawyers love.
In fact they will be the only ones to make any money off of it.

HIPAAA Compliance? (-1, Offtopic)

American AC in Paris (230456) | more than 11 years ago | (#4499711)

Step one: Make sure to keep up to date on scheduled maintenance, or you won't be eligible for Roadside Towing Assistance...

Yo!

Put the Pizaaa down, step away from your hookaaah, and read your fscking heaaadlines!

paaathetic!

Re:HIPAAA Compliance? (0, Offtopic)

American AC in Paris (230456) | more than 11 years ago | (#4499760)

Tsk. There you go again, using the Editor Stick. I thought y'all had outgrown that.

It's really quite undignified of you.

BS7799 and ISO9000/1 (3, Insightful)

tezza (539307) | more than 11 years ago | (#4499719)

I was a developer at a Medical IT firm in London. We went through the process of BS7799 and ISO 9000/1.

BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.

Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.

Read Peopleware [dorsethouse.com] under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.

"You don't do it, you don't work here" is about it (2)

starseeker (141897) | more than 11 years ago | (#4499726)

That's pretty much the only way on Earth you're going to force people who don't want to learn anything to get up to speed. One way to make the process smoother however, would be to lay out a simple series of steps they need to follow, and write it up into a little instruction sheet for them to refer to until they get the hang of it. It sounds like you'll be writing something like that, but remember simple and clear whenever possible. Golden rules in documentation writing.

Another point which will help (at least it would help ME in such a position) would be to explain to them in detail why these procedures are a good thing and what bad stuff might happen (besides being shut down) if they aren't followed. People may be less resistant to the changes if they know that said changes aren't just time wasting BS.

I guess that doesn't really help you if the people really don't want to learn, period. Then it's back to the "or else" stuff. But you can try to make them at least willing to do it by making them part of the "in the know" crowd who understand why these changes are made. You might find some of them will even support the improvements! So I guess I'd say try to change them from unwilling to willing, which lord knows is easier said than done.

A Few Things (5, Informative)

danielgast (445926) | more than 11 years ago | (#4499732)

Yes, many of us who are in the industry, or in tangentially related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:

1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)

3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accommodate the new rules.

4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).

5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticeable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accommodate the law.

-Dan

Re:A Few Things (3, Informative)

LinuxWoman (127092) | more than 11 years ago | (#4499844)

Dan made some very good points. File extensions where possible, that shows you're at least aware that you still have issues but have plans in the works to fix them. Start with the larger problems (and the ones you CAN fix) and get those holes patched. Plan on doing a lot of user training, the less technically savvy are often convinced proper security makes computer use insanely difficult. Inform the users that if they don't follow security procedures you'll fire them because you can't afford to have the company shut down. Finally, keep copies to document EVERY single step you take in trying to reach compliance. If you can document that, in most govt. audit situations you'll get a warning and a date for a re-audit. If, for some reason, you DO get fined it'll certainly lessen the fine - from the insane level of you're stupid so you must have lots of money down to you've tried so here's a light slap on the wrist. Good luck.

Re:A Few Things (2)

koreth (409849) | more than 11 years ago | (#4499983)

MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products

Yeah, like I'm gonna trust my network security to a company that isn't even on the net.

Re:A Few Things (0)

Anonymous Coward | more than 11 years ago | (#4500010)

There is no extension for the April 2003 date. The extension was for the standardized transactions rule, not the patient privacy rule.

Also, it is a patient privacy rule. Provider information, such as specialties, can be shared without any problems.

"You don't do it, you don't work here." (0)

Anonymous Coward | more than 11 years ago | (#4499733)

I work in regulatory here, and I agree with the statement above.

Keep in mind, HIPAA is here to protect. Anyone who says that it should be removed is begging for Enron-esque games otherwise.

the truth (0)

Anonymous Coward | more than 11 years ago | (#4499746)

Why not tell them the truth? All you have to do is explain the situation. Haven't you thought of this? Let me form a basic blueprint for your speech...
"Folks, we have some new regulations that are industry wide, that if we do not comply with these regulations, the company gets shut down. Everyone must do their part." As far as training goes, you will have to conduct classes. PGP is relatively simple to use once you give the proper training. As a security officer, it is your duty to verify compliance, which will require regular security audits. I suggest you provide classes on PGP, give them a book on codes, explain the rules, and have a few security audits before the 'go live' date. You have plenty of time.

argh (2)

Transcendent (204992) | more than 11 years ago | (#4499757)

I work for a medical billing software vendor.... the worst part about HIPAA is listening to our clients call in and ask and complain about when we're gonna be HIPAA compliant. We had to basically fill out over 200 HIPAA extension forms for them because we knew they wouldn't know what to do... ...but it's not that bad for software vendors right now. All we have to do (because all the changes of HIPAA aren't even set yet.... they don't have their act together) is change some code for the electronic transmission...

In the software end of things (3, Insightful)

cr@ckwhore (165454) | more than 11 years ago | (#4499768)

I work for a company with 2 medical practice management software packages. These packages each sell for big bucks... a single installation can be $100,000, with annual fees on top of that.

HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.

This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?

After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.

The delays of software authors cause delays at the practice, which causes healthcare costs to rise.

Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.

Checklist (0, Offtopic)

GMontag (42283) | more than 11 years ago | (#4499769)

1. Get a CUSTOM form written by a sleazy lawyer absolving you of all responsibility and have a Principal of the firm sign it.

2. Get a raise, in writing, for the new monumental duties.

3. ???

4. PROFIT!!!!

Redundant??!! (0)

Anonymous Coward | more than 11 years ago | (#4500054)

How was that Redundant? Looking at posts in CHRONOLOGICAL ORDER it is not a repeat, but maybe it is just my level set at 2 or my lack of moderator bias.

Move what you can to the server.. (2, Interesting)

jcurious (3000) | more than 11 years ago | (#4499776)

If possible handle encryption at the mail server... there are S/MIME based email encryption servers that will handle encryption/decryption... if this is not satisfactory then at a minimum put up an email policy server that will verify that any email going out is encrypted... if the users aren't willing to encrypt their messages, then don't let them email... below are examples of email encryption and policy enforcement servers (btw I believe Tumbleweed can do policy enforcement as well)

Email encryption server:
http://www.tumbleweed.com/en/products/solutions/mail.html

Policy enforcement server:
http://www.ciphertrust.com/ironmail/index.htm

Good email encryption tool (0)

Anonymous Coward | more than 11 years ago | (#4499804)

A good email encryption tool for users who aren't too computer savvy can be found at www.zixit.com.

It is pay ($) software but free stuff is usually too hard for a general user to comprehend.

Get to know your lawyer now (1)

gcrocker (74615) | more than 11 years ago | (#4499815)

Go ahead and start setting up meetings with your company's HIPAA attorney. They're getting VERY busy, and if you don't already have a lawyer that knows HIPAA, getting one should be your top priority. They can help you with extensions, prioritizing what to get fixed first, etc.

If you "don't have budget" for HIPAA attorney time, or if you don't have authority to make decisions and force them on the company, just work on your resume and start looking for a new job. No point sticking around for the fireworks.

Dealing with your end users not wanting to learn new stuff is a whole separate problem, and honestly, you probably don't have time to even worry about it. Consider a good-cop/bad-cop approach and have one person in charge of training (good cop) and another in charge of deployment (bad cop). This may help minimize turnover of angry employees. The good cop and the bad cop must share a brain for this to work.

-glenn

hipaa schmipaa (5, Interesting)

Anonymous Coward | more than 11 years ago | (#4499823)

It breaks down like this : the regs have been so loosened to be almost ineffectual.

You (as an individual and as an institution) only get jail time and big time fines if you get a provable financial gain from violating HIPAA regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.

Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.

Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.

Don't worry kids. HIPAA, much like 911, is a joke.

Re:hipaa schmipaa (0)

Anonymous Coward | more than 11 years ago | (#4500028)

You obviously have no idea the first thing about HIPAA. Go find a different thread to open your mouth in.

You think you have problems? (1)

/dev/trash (182850) | more than 11 years ago | (#4499829)

Wait till the companies that use Medical Software find out that Joe Tech Support can't dial in and fix the latest (minimum wage data-entry clerk's) goof up. They'll have to *gasp* do it themselves. Of course they'll blame Joe Tech Support.

1996 (0, Insightful)

Charlton Heston (588481) | more than 11 years ago | (#4499837)

The act was passed in 1996. And just now you are getting around to complying with it. Seems like you have advance notice, so there's no excuse.

Don't bother firing anyone who doesn't comply. It's too late to comply, and too late to save your sorry company.

Go ahead and mod me down, but someone has to have the balls to speak the truth.

Yet another trollhouse cookie... (0)

Anonymous Coward | more than 11 years ago | (#4499995)

Tsk.

The bill itself is not the issue. The issue is the set of regulations promulgated by Health and Human Services (DHHS) regarding standardization, security, and identification requirements. Three of those rules remain in proposed form, while only two (on standardization and privacy) were published as final in 2000. These are huge tomes, each one set forth as administrative, not statutory, law, and therefore liable to be amended. Any organization that cheerfully attempts to comply with regulations in flux will quickly destroy itself dealing with often contradictory standards that can change according to the whims of those on the 7th floor. (Hey, I'm with the government; I have no illusions about our ability to provide clear and concise rules.)

In addition to HIPAA compliance rules, we also have around 5500 pages of "guides" designed to help organizations and perplexed citizens come into compliance with the statutory requirements alone. Of course, those were published four years after Kennedy-Kassebaum, since DHHS is at least as confused as its private-sector counterparts. IHS -- the Indian Health Service -- only began its own HIPAA compliance effort a year ago, despite its close association with (as in "being a part of") DHHS.

However, feel free to troll away, actual thought and understanding being much more difficult than just vomiting over your keyboard and pushing "submit."

Loved you in Planet of the Apes (0)

Anonymous Coward | more than 11 years ago | (#4500124)

you are the man!

The likeliest outcome (2, Insightful)

SPiKe (19306) | more than 11 years ago | (#4499841)

It's been said before, but ...

In the end, the timetable set for HIPAA compliance will be pushed back further and further.

Some of the stuff they're asking for is just unreasonable. I don't remember a lot of it, but I'm just glad to be out of the world of health care.

Procrastinator (0)

Anonymous Coward | more than 11 years ago | (#4499842)

You realize that you've had 8 months to think about this. Why are all these idiots waiting till the last minute?

"a Oxygen Transfill Technician" ??? (0)

Anonymous Coward | more than 11 years ago | (#4499851)

"As a Oxygen Transfill Technician"

I suppose you dont have to be familiar with the word "AN" to be AN Oxygen fucking whatever technician, you dumb fuck.

Slashdot not HIPAA compliant... (0)

Anonymous Coward | more than 11 years ago | (#4499854)

I doubt you could be HIPAA compliant if you spell it HIP + Automobile Association of America.

Don't Panic!!! HIPAAA is BS (2)

Llama Keeper (7984) | more than 11 years ago | (#4499857)

I too am in charge of tons of HIPAAA stuff for my company. I've been to some seminars and such and have even read the PROPOSED regulations. My best advice, don't file an extension, don't panic, don't worry. HIPAAA is a typical unfunded mandate. Ask yourself who is going to enforce this? (Answer: NOBODY) Are the regulations even 100% absolute yet? (Answer: Hell No)

Don't sweat this stuff, get a template package or a nifty little book, (e-mail me for my recs, I'm not going to post advertisements for the "consultants") and don't panic! If you use industry standard best practices you should be pretty darn close to compliant anyway, if you don't use best practices, well maybe it's time to panic. :)

its the INTERFACE stupid (0)

Anonymous Coward | more than 11 years ago | (#4499869)

The best way to get people on the track for encryption and securing toys like you mentioned is to first provide the appropriate tools for them with an intuitive and "familiar" user interface. If no tools exist like that, then consider an investment in consulting groups to take existing tools and write UI modules or wrappers for them, perhaps in HTML. The other tool besides the actual implement would be the registration/configuration tools. People want their computing to be like driving a car. Everyone knows how to drive "A" car so a new car of a different model has a very small learning curve due to consistent design.

Perhaps a very wise person in your organization has already begun a "common interface" initiative that you can use for the basis of your new user registration and application interface. (the actual tool using said security knick-knack)

Sounds like (mostly) a technical problem. (2, Interesting)

hamsterboy (218246) | more than 11 years ago | (#4499872)

From a programmer's point of view, this seems fairly straightforward, from what little I know of HIPAA. Sure, the bill is draconian, but since it's pretty much a blanket "encrypt everything", a general solution shouldn't be so bad, right?
  • Make sure email apps do the official encryption automatically to ALL emails
  • Put the database servers behind a nice firewall
  • Write up some policy on sensitive operations
Granted, the management end isn't so simple, but when people realize that they could face fines or jail time for violations, they'll go along, even if they think it's stupid. The hardest part seems to be training people on a new email app.

-- Hamster

My company doesn't care. (2, Interesting)

RazzleDazzle (442937) | more than 11 years ago | (#4499919)

All we got was a packet of 30 pages of fluff then just locked off a section of our warehouse with a digital key lock and just store everything in there now. Electronically we are not doing anything different than before. This is the most half-assed effort I have ever seen. Of course that fits right in with standard operational procedure. Jimmy rig it so it just barely works then when shit breaks, scream at your already depressed/frustrated tech workers and tell them, "You need to fix it and make it work so this never happens again.... in 1 day"

Don't do it by yourself, use the employees... (2)

joto (134244) | more than 11 years ago | (#4499920)

First, make a HIPAA working group with 3 or 4 non-IT members. Help them put out the guidelines, while you take care of the technical stuff, and check the guidelines for technical sanity. Make HIPAA courses mandatory for everyone. Make the different departments audit each other for HIPAA compliance. Do everything you can to avoid actual HIPAA work yourself.

By involving employees, you will not only free yourself from a lot of grunt-work, but you will also avoid becoming the nasty HIPAA police everyone ignores and hates. And you will probably also get a bit of enthusiasm from at least some of the co-workers. This is the right approach, because what you are after is mostly a culture-change, not a technical change. Besides, management will love you...

PGP use not hard to achieve (1)

BrianWCarver (569070) | more than 11 years ago | (#4499926)


It should be relatively easy to get people to start using PGP to encrypt all of their internal e-mails. So long as you can switch everyone to Mozilla [mozilla.org] or Netscape as their e-mail program of choice, then the Enigmail plugin [mozdev.org] makes using GPG or PGP encryption a breeze, and it can be easily set up to automatically ask for your password every time. That would be the only difficult part: Getting people to choose decent passwords and remembering them...but if you're in IT, you've faced that problem before.

Brian

Build it into the Tools... (1)

liquidbrains (265535) | more than 11 years ago | (#4499937)

I worked on a team that developed a medical claims processing system. We built all the compliance requirements right into the system. It was a pain, for the UI developers in particular, but worth it. The idea was for the app to lead the human element away from things they should not do and do the things they should for them. We used strictly configured systems that did not permit, or made very difficult, non-compliant use. It just seemed easier to not give them the option of not following the rules.

HIPPAA = Revenue Scheme (0)

Anonymous Coward | more than 11 years ago | (#4499972)

Auditors show up, find violations, issue fines, move on ...

This is a software engineering windfall! (2)

ChicoLance (318143) | more than 11 years ago | (#4499984)

I work with Radiation Therapy, and HIPAA is causing quite a bit of concern. All of the patients that come through there for treatment have nice binders with their name on the spine. We've got warning stickers when two patients may have similar names. This makes it easy when you set them down on the table for the radiation treatment, that you're looking at Nancy Johnson's chart, and you don't get it confused with somebody else.

However, under HIPAA, all names that are viewable by any public must be removed. Those names on the binders -- they've got to be replaced with some ID number. The names on the whiteboards of the patients must also be removed. QA is _much_ harder when to confirm that you've got the right chart, you somehow have to verify you're looking at the right ID number, instead of just asking, "Are you Nancy Johnson?"

Federal compliance has been delayed before for some of these same problems, and there is any indication that it will be delayed again. Our director is moving towards HIPAA compliance, but not at the expense of care and safety.

This also has all of the earmarks of a Software Engineering windfall -- all of the medical systems have to be modified to remove names from public places. That's a lot of work!

BizTalk Accelerator for HIPAA (1)

MSwanson (99458) | more than 11 years ago | (#4499994)

I'll probably be shot, but you should really take a look at http://www.microsoft.com/biztalk/evaluation/hipaa/default.asp [microsoft.com]. I'm aware of many companies that have used this to get up-to-speed quickly, and they are very satisfied with the results.

check for extension (0)

Anonymous Coward | more than 11 years ago | (#4499997)

You might want to look into extending your deadline, unless April is the date you've extended it to (which it might be, I can't remember). Only organizations who make over a certain amount of money can't extend it, and most others can extend the deadline by quite a bit of time (like 6-12 months). Again, I can't remember the details, but it's something maybe you should look into.

Some other people have said it, but it bears repeating. If your company isn't behind you getting this done, and provides you the resources to do so, then find another job. You need management to support you 100% when you tell people that they will have to do this or be fired. It also helps to tell them that this is all a good thing to help patients, and that if their medical data was floating around out there, unencrypted and getting looked at, they'd actually want this as well.

Also note that HIPAA only applies to data interchange between your organization and others outside of you. You don't need to digitally encrypt internal emails or files, only stuff you send outside or receive.

Lastly, using a PGP or X12 certificate only requires remembering one more password. Set it up for those 20, tell them they'll get fired if they don't, and it should be easy. :)

Privacy != Security in HIPAA (4, Insightful)

peacefinder (469349) | more than 11 years ago | (#4500029)

Okay, I know this sounds weird, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.

(From an IT perspective, one wonders what good is privacy without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)

The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.

(So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)

The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.

I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.

Oh, and don't panic. :)

Re:Privacy != Security in HIPAA (1)

leftism11 (177941) | more than 11 years ago | (#4500112)


This is correct--the HIPAA Privacy rule and the Security rule are two different regulations that are quite different (although sometimes complementary) with their requirements.

READ THE ACTUAL REGULATIONS.

http://aspe.hhs.gov/admnsimp/

They are well written and will give you a very good working knowledge of the requirements. "Experts" can be helpful at clarifying some details regarding how a particular requirement applies to your organization, but after reading the actual regs, you will have a very strong understanding of what needs to be done for Privacy and Security rule compliance.

Apply For an extension (3, Insightful)

LowellPorter (466257) | more than 11 years ago | (#4500044)

I work in the healthcare industry too. I believe there are certain circumstances where you can apply for an extension to the April 2003 date. Look more carefully at the law itself and not what your buying group gave you.

Re:Apply For an extension (1)

leftism11 (177941) | more than 11 years ago | (#4500090)


HR 3323 was passed a while back and allowed organizations to apply for an extension to the TRANSACTIONS DEADLINE ONLY. Unfortunately, the deadline for submitting the extension was October 16, 2002.

I haven't checked lately to see if they extended that deadline--they previously said that no late submissions would be considered.

Again, that extension DOES NOT apply to the Privacy rule or Security rule.

IT ISN'T AS HARD AS IT LOOKS! (5, Informative)

leftism11 (177941) | more than 11 years ago | (#4500050)

I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.

If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.

First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)

Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.

After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.

I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.

You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:

http://aspe.hhs.gov/admnsimp/

A site to check for updates and HIPAA news is:

http://www.hipaadvisory.com/

(They have good news updates, but again, use your knowledge of HIPAA and understanding of your organization to filter any opinions you get from their site.)

General Security (2)

photon317 (208409) | more than 11 years ago | (#4500075)


As far as I'm aware (I do some coding for a small medical company, I've had to deal briefly with HIPAA), there's not actually any set-in-stone rules for what makes up HIPAA compliance. It boils down to you coming up with a HIPAA plan that describes how you will effectively secure patient information and sending it in and having it approved. Your plan might include PGP for email and SSL for web apps if that's where patient information flows. Or you might devise your own schemes to protect it.

I guess what I'm saying is that all you have to do is treat patient records like you would your root password, follow good security practices, document them, and send them in for approval, and all should be ok.

Email gateway filters? (2)

karlm (158591) | more than 11 years ago | (#4500082)

Anyone know of any email gateways capable of looking for any non-PGP content in the body of an email and then rejecting non-compliant emails?
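The outbound policy check that jcurious proposed above and that karlm asks about here, as an added example (not from the thread or from any of the products mentioned): a structural filter that accepts a message only if it is a PGP/MIME container (RFC 3156) or if every body part consists solely of an ASCII-armored PGP message, and rejects plaintext, unencrypted attachments, and armor followed by a plaintext signature. The sample messages and the "ciphertext" inside them are constructed placeholders.

```python
"""Outbound mail policy check: reject messages that are not PGP-encrypted.

Added example, not code from the thread. A gateway can only inspect what is
on the wire, so the check is structural rather than cryptographic. Headers
such as Subject always remain in the clear and cannot be policed this way.
"""
import email
from email import policy
from email.message import EmailMessage
from typing import Tuple

PGP_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_END = "-----END PGP MESSAGE-----"


def is_inline_armored(text: str) -> bool:
    """True if the text is exactly one armored PGP message with no stray plaintext."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return len(lines) >= 3 and lines[0] == PGP_BEGIN and lines[-1] == PGP_END


def is_pgp_mime(msg: EmailMessage) -> bool:
    """RFC 3156: multipart/encrypted holding a version part and an octet-stream body."""
    if msg.get_content_type() != "multipart/encrypted":
        return False
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False
    parts = list(msg.iter_parts())
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")


def classify_outbound(raw: bytes) -> Tuple[bool, str]:
    """Return (accept, reason) for one outbound message given as raw bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_pgp_mime(msg):
        return True, "PGP/MIME (RFC 3156)"
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            if not is_inline_armored(part.get_content()):
                return False, f"unencrypted text in {ctype} part"
        else:
            # Attachments pass only if they are themselves an armored PGP file.
            payload = part.get_payload(decode=True) or b""
            if not is_inline_armored(payload.decode("utf-8", "replace")):
                return False, f"unencrypted attachment ({ctype})"
    return True, "inline PGP armor in every part"


# Constructed samples. The armor body is a placeholder, not real ciphertext.
FAKE_ARMOR = (PGP_BEGIN + "\n\n"
              "aGVsbG8gKGNvbnN0cnVjdGVkLCBub3QgcmVhbCBjaXBoZXJ0ZXh0KQ==\n"
              "=AbCd\n" + PGP_END + "\n")
HEADERS = (b"From: clerk@example.com\n"
           b"To: billing@example.org\n"
           b"Subject: claim follow-up\n")

PLAINTEXT_MSG = (HEADERS + b"Content-Type: text/plain; charset=us-ascii\n\n"
                 b"Patient Jane Doe, DOB 01/02/1960 -- see attached claim.\n")
INLINE_MSG = (HEADERS + b"Content-Type: text/plain; charset=us-ascii\n\n"
              + FAKE_ARMOR.encode())
# Armor followed by a plaintext signature: the trailing text would leak.
LEAKY_MSG = INLINE_MSG + b"-- \nJane, Billing Dept, ext. 1234\n"
PGP_MIME_MSG = (HEADERS
                + b'Content-Type: multipart/encrypted; '
                  b'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
                + b"--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
                + b"--b1\nContent-Type: application/octet-stream\n\n"
                + FAKE_ARMOR.encode() + b"--b1--\n")

if __name__ == "__main__":
    for name, raw in [("plaintext", PLAINTEXT_MSG), ("inline armor", INLINE_MSG),
                      ("armor + signature", LEAKY_MSG), ("PGP/MIME", PGP_MIME_MSG)]:
        ok, why = classify_outbound(raw)
        print(f"{name:18s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```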

Uhhhh (4, Informative)

isa-kuruption (317695) | more than 11 years ago | (#4500091)

First, being a 'security officer' means you are VP level or better. Are you paid for this? As an officer, you have the authority to tell people to do what you want, you also have the authority to hire and fire as needed, etc....

Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.

Also, referring to my first statement, if you are an "officer" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?

HIPAA compliance simplified... (0)

Anonymous Coward | more than 11 years ago | (#4500094)

Here is a company that makes a product that allows you to VERY quickly create a HIPAA compliant security policy. Using their software you can also create implementation standards to streamline system setup to ensure compliance, and even monitor and archive compliance remotely. VERY COOL!

http://www.polivec.com/polivecbuilder.html
http://www.polivec.com/polivecscanner.html

Hope it helps some of you.

Take a deep breath (2, Informative)

Aron S-T (3012) | more than 11 years ago | (#4500129)

While HIPAA compliance is serious, no one is going to shut you down if you aren't compliant by April. First of all, the privacy rule was just finalized a few weeks ago, and the security rules haven't even been finalized yet. This isn't Y2K - the deadlines are artificial, and, as was done for the transaction deadline, extensions no doubt will be offered.

The key though is this:

The first step you must take now is build a compliance plan! This is important because you will need it to get an extension. It is also the only way to make HIPAA compliance manageable.

Keep in mind, as well, that HIPAA is mostly about best practices regarding security and privacy. Even if HIPAA didn't exist you should be doing it. Not just you. Everyone out there. HIPAA is just a stick.

So
1. Look at your organization
2. Build a plan
3. Educate your employees why this is important
4. Implement the plan
5. Educate your employees how this will be done
6. Test the plan
7. Educate your employees what needs to be done

I think you get the picture. And don't feel pressured. Just do it right, step by step.