I second that. That is the best guide to HIPAA I have come across. Also to second what was said earlier, HIPAA is not overly prescriptive (i.e. it does not dictate what actual steps to take to be compliant).
That being said, recent updates and additions to HIPAA under the American Reinvestment and Recovery Act (ARRA) did direct Health and Human Services (HHS) to be a bit more prescriptive (through issued Guidances). They did recently issue their first guidance around securing data at rest, in motion, in use, and at disposal. You may want to also take a look at it since it does address acceptable encryption (it basically points you to NIST 800-111 for data at rest and FIPS 140-2 for data in motion). The guidance can be found here: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechrfi.pdf. You may also want to take a look at the section of ARRA that relates to HIPAA (Title XIII, subtitle D - http://en.wikisource.org/wiki/American_Recovery_and_Reinvestment_Act_of_2009/Division_A/Title_XIII/Subtitle_D) since it was released subsequent to the NIST guidance.

Jody

_____
From: [email protected] [mailto:[email protected]] On Behalf Of Jeremiah Wilson
Sent: Friday, August 14, 2009 5:13 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] HIPAA Remote Site Connection Question

Here's a link to the NIST's guidelines for HIPAA compliance. - http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf

- jeremy
