Title: RE: HIPAA Security Official

The security officer position organized outside of IT would also eliminate potential conflicts of interest…for example: a person policing their own department might not be as objective as someone from the outside looking in.

 

 

 

Catherine Lohmeier

Implementations Project Lead

OD Professional Team

-----Original Message-----
From: Paul Litwak [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 17, 2003 10:19 AM
To: WEDI SNIP Security Workgroup List
Subject: Re: HIPAA Security Official

 

I have a little different point of view.  I'm a lawyer.  Working with a CISSP, I've had the opportunity to do several combined privacy/security readiness assessments.  In a couple of cases involving large organizations (county government; university), we've recommended that the Security Officer be someone outside the IT department.  In both cases, the IT people were technically capable, and had a strong interest in safeguarding information.  But they didn't have the broad organizational perspective or authority needed to make decisions that required balancing of operational needs against security risks.  (For example, County Emergency Medical Service staff access to and transmittal of medical information from an ambulance.)  It was easier for the operating departments and for IT for a member of the senior management team to play the role of Security Officer, with the support of IT.  It also sent a message to employees to take security seriously.  

 

 

Paul Litwak

Attorney & Counselor at Law

2832 S. Lynnhaven Rd.

Virginia Beach, VA 23452

Ph: 757-431-2020

Fax: 757-431-3688

 

----- Original Message -----

Sent: Wednesday, September 17, 2003 9:48 AM

Subject: RE: HIPAA Security Official

 

The Security Rule is a good bit more straightforward, black/white compared to the Privacy Rule, so I believe the cost of putting someone with a legal background in that position would far outweigh any benefits. Since the Security Rule emphasizes storage and transmission of electronic records, it seems to me that an IT background is most appropriate for this position (some combination of IT and medical records would be ideal). Our Security Officer is based in our IT department. Like the Privacy Officer, however, it's an organization-wide position. The Security Officer can't just be a techie; he/she has to be able to interact and work effectively with all departments and levels, even those who are not technically inclined.

Steven L. Fowler
Compliance Officer
Health Care District of Palm Beach County
West Palm Beach, FL
mailto:[EMAIL PROTECTED]
561-659-1270

 

-----Original Message-----
From: Kuisle, John P. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 16, 2003 12:47 PM
To: WEDI SNIP Security Workgroup List
Subject: HIPAA Security Official

 

All,

I was looking for a little feedback on what other companies are doing with regard to naming a Security Official to comply with the HIPAA Security rule. 

As one of our Legal experts and I looked at the duties of that person, many of them were aligned with my job, so the logical conclusion is that I could fill the role.  However, since I'm an IT person, fairly low on the food chain and not really aligned with any particular business area and since the HIPAA Security Regs are specific to electronic health information, there was some question about whether this responsibility should be given to someone from our Health Insurance area or a Legal person.

John Kuisle
IS Supervisor - Security and Business Recovery
Federated Mutual Insurance
507-455-5477
________________________________________________________________________________________________
This information is intended only for the use of the addressee(s) and may contain privileged, confidential or proprietary information. If you are not the intended recipient, or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, displaying, copying, or use of this information is strictly prohibited. If you have received this communication in error, please notify us immediately at [EMAIL PROTECTED] or by telephone at (800) 533-0472, and return the information to the sender with all copies deleted and destroyed. Thank you.

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/.   These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services.  They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]

If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
