On Thu, Aug 13, 2009 at 9:48 AM, Robert Miller <[email protected]> wrote:

> Hello Everyone,
>
> I am hoping Larry or someone else may have an answer or direction to a
> question regarding HIPAA and the security required for the connection.
> I want to give some background information for those who may not know
> our current network.
>
> We are a satellite internet service provider and are about to provide a
> backup solution to hospitals, however I am trying to find out what type
> of connection is required to comply with HIPAA.
>
> Does the connection need to be encrypted using hardware encryption?

HIPAA is a risk-based regulation and the "HIPAA Covered Entity" must do a risk assessment and implement safeguards to protect against any reasonably anticipated threat identified in the risk assessment. HIPAA is technology neutral and any controls that adequately protect PHI are OK. HIPAA would never specify hardware vs. software encryption. For HIPAA, documentation is very important for both the assessment and the controls you choose.

> Does the connection require a dedicated VPN tunnel?

HIPAA doesn't address issues such as a dedicated VPN tunnel. However, if there is a threat to the CIA of ePHI due to commingling of data, this must be addressed. A dedicated tunnel might be one way to address this threat. I am not sure, but guess that this is what you are getting at by a dedicated tunnel.

> Where can I get detailed information about HIPAA security guidelines?

NIST has a publication:
http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
There are FAQs and guidance on the Office of Civil Rights' and CMS's websites. SANS also has a book. There are a lot of resources and I will send them along if I think of them.

> Is there another provider that has medical information traversing
> between two or more remote locations and how are they complying?

There are hundreds of thousands of Covered Entities exchanging PHI with Business Associates and other Covered Entities. The Covered Entity will usually have a HIPAA Business Associate Contract in place before sending PHI and hopefully is using industry best practice encryption. Some folks still use private lines for legacy systems and are calling this good enough based on their risk assessment and documentation. This likely won't be enough in the future, but some are calling it OK for now. You may or may not be a Business Associate of the Hospital and there are new rules for BAs in the HITECH Act. The final regs have not been issued, but things will be different as soon as they come out.

I worry that you are kind of thinking of HIPAA in the wrong way. HIPAA is really just good old information security good practice with an extra dose of documentation. Also, nobody knows what HIPAA means for now. The courts will decide what it means and I think there have only been one or two cases to date. Also, the guidance and FAQs from OCR and CMS are a good resource and give some insight into what they are thinking. The courts will usually defer to agency guidance. By the way, OCR is taking over enforcement of the security rule from CMS, so that will be a bit easier. Also, I hope I haven't made this more confusing. Unfortunately, HIPAA isn't easy to figure out quickly!

> Any and all advice is greatly appreciated and thanks in advance for a
> better direction!
>
> Robert
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
