The absence of very specific requirements in the HIPAA regs is a source of a lot of consternation, but I believe the policies were specifically written to be vague; the actual 'fit' of security and privacy recommendations will vary depending on a number of factors that may be unique to each covered entity. For example, the security regs will have different implications for a large health plan with a complex network than for a solo practitioner's office with a single computer and a cable modem. There seems to be a surprising lack of guidance available, as you have found out; most of the information on the web (aside from the relevant government sites) is not very helpful because it is put there by consulting groups with a proprietary interest in selling their expertise. I've found that the '[EMAIL PROTECTED]' books (available at Amazon) are pretty good at distilling the essential points and providing the closest thing to a checklist that you can follow to perform gap analysis and subsequently work toward compliance. There are also some software tools available that will perform the analysis for you as well, but they tend not to be cheap. The web sources that I find useful are the HIPAAdvisory site http://www.hipaadvisory.com/, and the government sites: the HHS Office of Civil Rights, for the privacy regs -> http://www.hipaadvisory.com/, and the Centers for Medicare and Medicaid (CMS) -> http://www.cms.hhs.gov/hipaa/.

I don't think that anyone has any experience at this point with HIPAA inspections (at least insofar as privacy and security rule compliance is concerned). The HIPAA privacy rules have not taken effect yet (compliance due date is April 14th of this year); the final security reg was only published in the Federal Register yesterday, and the compliance date will be at least a year away.

Frederick Garbrecht, M.D., GSEC
Garbrecht Consulting

-----Original Message-----
From: Jason Hastain [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 20, 2003 1:29 PM
To: [EMAIL PROTECTED]
Subject: HIPAA certs

hey all,

I have a few clients who are doctors running small practices. They have small LANs and DSL connections behind a simple NAT router/firewall in one case and personal FWs in the other (unfortunately not my decision in either case). Each has approached me about the HIPAA certs in the last week. I have read through what seems reams of pages on it but have been unable to deduce anything other than general good security practices: strong passwords, offsite encrypted backups, real firewalls, etc. and so on. Can anyone shed some light onto this subject or point me to a document with only the IT requirements, preferably boiled down to something simple?

And also, has anyone had any experience yet with the HIPAA investigators or quality control people checking on a site? Any ideas what they are looking for? I understand it is a 20k dollar fine for each infraction, so I would hate for it to be on my watch.

tia

Jason Hastain
Hastain Consulting