I have found that providing the big picture clearly and succintly is invaluable, especially when the tides are changing. If the consultant-provided bits and pieces of this picture have enabled us to move more effectively toward compliance, then the value of the bits and pieces is measurably greater when theory, methodology, experience, and passion weave them in to the big picture. This is powerful information that allows you to understand the present and see the future, and hopefully empower us to make effective business decisions.
I have found HIPAA to be much like peeling an onion. Everytime you think you've gotten to the heart of the issue, the next layer of petals seem to be tougher and harder to peel away. The goal posts keep moving. This complex, dynamic HIPAA compliance matix is difficult to manage. I have never seen anything like it. To document due diligence in the compliance initiative you will need mountains of paper. You may want to consider designing your own HIPAA database to automate some of those administrative and business analysis tasks presently done manually and of course, save a couple of forests.
There is a possibility that technology will replace a lot of people. But for the most part, the people that will be replaced through increased productivity will be those people in the health care industry that were never there, the ones whose hat or hats you are wearing right now. I appreciate the consultants that have come to assist the health care industry in its time of need. In my opinion the best group of these consultants are CISSPs. I just hope we don't tar and feather them before we can learn to communicate.
Most respectfully,
ShareHIPAA
HI Karen,I have to take issue with your closing statement. As someone that's been doing risk assessments for decades and HIPAA risk assessments/risk analyses for over 5 years, I truly can't imagine anyone posting much about methodologies that hasn't been used, published, and considered standard practice for almost forever on this subject. Just posting to this list cannot connote ownership of intellectual property or imply what fair use of that property is. If someone reposts the wealth of material I've posted to this list and many others about risk assessment methodologies, then your statement implies I can no longer use the material I've developed myself and freely submitted just because it was posted here. And that's plain wrong. Not to mention that it's *conducting* the risk assessment that's the really hard work, not just developing the methodology.There seems to be a lot of consultant bashing on this list, which I believe is misplaced. We're not here to replace people, we're here to assist and augment organizations that can not or do not want to hire staff on a permanent basis. The value of knowing how *many* organizations conduct their HIPAA compliance efforts is difficult to overestimate, and no amount of list reading can replace that experience. It would be nice if people posting to the list try to maintain a professional respect for one another.Fred Langston, CISSP
Senior Principal Consultant
W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
Seattle, WA www.Guardent.com
________________________________________
G U A R D E N T
Enterprise Security and Privacy Programs-----Original Message-----This listserv is not for advertising, so please do not mail the entire list about your products. In addition, I hope that any "how to do a risk assessment" advice and information that is freely given from this listserv to persons representing consulting companies is not then used to bill similar organizations for the company's "expert" advice.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 11, 2003 6:01 PM
To: WEDI SNIP Security Workgroup List
Cc: [EMAIL PROTECTED]
Subject: Re: Risk Assessments
Do you Yahoo!?
Protect your identity with Yahoo! Mail AddressGuard --- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time. You are currently subscribed to wedi-security as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
