At 5:23 PM +0000 1/20/03, Charles Riley wrote:

>Sorry for the OT post, but have searched high and low, and no definite
>answer in sight. Really, really apologize for the nontechnical nature of
>this post, but I have reached a wall after searching all over for an answer.
>I guess you could say that I am "ill" with searching...
>
>HIPAA is a medical information protection and privacy act passed by
>Congress in 1996. The deadline for complying or getting an extension is
>this year. You'll probably see more and more requests like mine as the year
>goes by, so I figured I'd start things off.
>
>HIPAA is currently in a state of flux as far as implementation and
>enforcement is concerned, as many medical professionals and organizations
>rush to comply. Which brings me to my question...
>
>In my searches, I see several organizations trumpeting the fact their data
>centers are "HIPAA certified", meaning that they are cleared to process,
>store, or otherwise handle medical and private info.
There is no such thing as HIPAA certification, and I do work extensively
with medical systems. The best anyone could say is "HIPAA compliant", which
has fairly established parallels in the telephony world, where it is
possible to get NEBS certification, but extremely expensive and applicable
only to one configuration (much as was NSA Orange Book certification).
Reputable vendors mean something when they say NEBS compliant, but there is
much more track record in telephony than in medical informatics.

Indeed, there are additional regulations besides HIPAA that may become
relevant, including 21CFR11 (primarily about human subject research), CLIA
laboratory accreditation and the DEA regulations for electronic prescribing
of controlled substances. All of these do include technical, as well as
procedural, requirements. For example, DEA specifies the digital signature
algorithms and keys, but also has requirements for time synchronization to
be used on message authenticators and events logged.

>How is it possible to
>achieve this certification when there does not seem to be any standards or
>processes from the U.S. government detailing what will earn the
>certification?

Again, there isn't. If an industry group were to get together and try to
set procedures for doing this, there is an umbrella administrative
organization that might help -- the National Voluntary Laboratory
Accreditation Program (NVLAP), which has probably been renamed in the
normal course of events.

>Does having a couple of tape drives on a server behind a firewall with
>restricted access qualify a data center to be "HIPAA Compliant"?

If that firewall is connected to the Internet, no. There are specific HIPAA
guidelines that would call for 128-bit DES outside the firewall. At present,
HIPAA does allow cleartext on dedicated or FR facilities, but it appears
that an encryption requirement will evolve because things like DEA require
it.
>Is there a
>checklist, policy, standard, or procedure for certification required by the
>U.S. government that I missed in my searches? If so, I would appreciate
>getting the links to such information.

They exist in many places; I've got loads of things that I've collected for
consulting clients. You have to be selective in what you are looking for;
I'm sure I don't have everything. For example, there are checklists for
design and review of human research, but I only scanned those, because my
client was concerned with the related but separate problem of patient
recruitment for clinical trials.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61429&t=61429
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]