Debra,
Jan, I think, is looking for PUBLIC LAW 106-229, passed June 30, 2000,
ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT

And my hay-penny's worth is to agree with Jan that from our perspective as
well, appropriate and reasonable security makes good business sense.

Marsha

Verizon Information Technologies Inc.
Managed Care Division
Phoenix, AZ
HOME OF THE WORLD CHAMPION ARIZONA DIAMONDBACKS ... where Randy Johnson
joined Nolan Ryan last night, as the only pitchers in MLB history to have 6
seasons with 300+ strikeouts.
Phone - 602.678.6042
Fax   - 602.678.6331
E-mail - [EMAIL PROTECTED]

From:     Jan Root <[EMAIL PROTECTED]>
Date:     09/10/2002 01:00 PM
To:       [EMAIL PROTECTED]
cc:       [EMAIL PROTECTED]
Subject:  Re: Security standard and electronic signature standard

Debra,
We've used the proposed Security Rule as a starting place for our security
measures.  I've reviewed them with several security experts (I would
definitely not classify myself as a security expert!) and they agree that
the requirements (with the exception of the certification) in the proposed
rule constitute sound basic security.  What is proposed is scalable and
allows people to improve over time.

From our perspective, appropriate and reasonable security makes good
business sense.  It doesn't really matter (from a pragmatic perspective)
that the rule is not final. If you don't lock your clinic doors at night (a
commonly accepted security practice) and someone stole all your clinical
files as a result could you be found liable for negligence even though the
rule is not final?  I'm not a lawyer but I'd guess that the answer is yes
(any legal opinions on this out there?)  I'd say it's very easy to make a
similar argument for the computer security measures proposed in the final
rule.  Most of the suggested computer security requirements are sort of the
equivalent of locking the door at night - they are widely accepted
practices in the computer security field.  Just because they are new to you
doesn't mean you shouldn't be familiar with them.  The other thing to
remember is that even if you are not legally liable there is always the
court of public opinion.  While you may not be sued for a security breach
the resulting bad press could be much more damaging (ask the University of
Washington!).

In addition, I would vigorously agree with the earlier comment that you
cannot have privacy without security.  Security is about controlling access
to data (person X has access to this particular piece of PHI but person Y
does not).  Privacy is about using that data appropriately once access has
been controlled (e.g., person X has valid access to specific PHI but they
are prohibited from selling it).

It's my understanding that the electronic/digital signatures issue has
greatly increased in complexity from a political perspective since the
HIPAA NPRM on Security was published.  DEA is (as I understand it) becoming
a CA (does anyone have recent info on this?), and that there were other
departments in the federal government who were independently working on the
electronic signature issue.  Then there was the passage of the electronic
signature bill (does anyone have the name? I can't recall it) which
basically said that an "X" at the end of an email could possibly constitute
an electronic signature.  It sounded like HHS had to go back to the drawing
board and re-negotiate the electronic/digital signature portion.

them's my two cents!

Jan Root
UHIN Standards Manager

"Cimbala, Debra" wrote:

> Hi!!!
>
>         Where can one find information on the security standard and the
> electronic signature standard required by HIPAA?
>
>         We are a health plan and I was wondering .....Has anyone
> implemented these features for HIPAA compliance?
>
> Thanks!!!
> Debra Cimbala
> Customer Communications
> 336.548.8587
> 336.548.7789
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
>
> The WEDI SNIP listserv to which you are subscribed is not moderated.  The
> discussions on this listserv therefore represent the views of the
> individual participants, and do not necessarily represent the views of the
> WEDI Board of Directors nor WEDI SNIP.  If you wish to receive an official
> opinion, post your question to the WEDI SNIP Issues Database at
> http://snip.wedi.org/tracking/.
> Posting of advertisements or other commercial use of this listserv is
> specifically prohibited.

