HIPAA Requirements

FOBSIDE

Platinum Member
Mar 16, 2000
2,178
0
0
I do tech work for small businesses. Lately I have encountered doctors with small practices that want their technology upgraded. I know HIPAA has lots and lots of regulations, but I'm not really understanding them. Pretty much all the practices that I deal with have 5 workstations at most with data sharing on a central server. I know HIPAA requires a firewall for any medical practice with an Internet connection, but what standards? Does any kind of regulation need to be met on the LANs? Also, most of these practices have billing software that is done over the Internet. I know the vendors are HIPAA compliant, but are there any special regulations that I need to meet for billing? What data needs to be secure and what doesn't? I'm kind of at a loss, so if anyone can provide answers or reading material that isn't so cryptic, that would be much appreciated.

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
There are far far too many details to even go into here. Many of them are reasonable, some of them are silly. If you don't understand them, don't worry, you're not alone. It's not clear to me that anyone really does.

The executive summary is that you need to consciously follow computer security "best practices." Having equipment that's passed certifications like some of the ICSA ones is helpful too. It would also be a good idea to have documented security measures and procedures so you can justify it to a HIPAA auditor/inspector.

Oh, and one of the silly ones that comes to mind - screens must be oriented in such a way that customers can't ever see them.

Do some google searches for details.

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
n0cmonkey, have you read the document you linked to? Verisign is more often than not evil, and they want a whole lot of marketing information for what appears to be a certificate advertisement.

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Originally posted by: cmetz
n0cmonkey, have you read the document you linked to? Verisign is more often than not evil, and they want a whole lot of marketing information for what appears to be a certificate advertisement.

No, I didn't read it. I probably should have though, thinking about it. I remember getting crappy Verisign docs before... doh.

ITJunkie

Platinum Member
Apr 17, 2003
2,512
0
76
www.techange.com
Here's a place to help you get started Fob...HIPAA.

As cmetz already said "far too many details to go into here". You will need to do "due diligence" on this. There are tons of sites out there that will provide info and generic policy documents that will make your life much easier.

Good luck!