
HIPAA rules dealing with networks

amdskip

Lifer
Now I know this isn't exactly a networking topic but I know there should be many of you here that have knowledge on this subject.

I'm helping out at a small physical therapy office. Someone else set up everything. There is a Dell server running Server 2003 (domain server and patient file software, maybe more), a laptop, and a personal office PC. The network has a DSL modem, a red box firewall/DHCP (WatchGuard?, can't remember the exact name), a switch, and a wireless router. Currently the receptionist uses the server as their personal computer (wtf, what moron set this up!).

Server 2007 has no antivirus and had 37 critical updates. Updates were started and I will return next weekend to work on fixing the issues. The other office PC also needs a new antivirus (2003 has come and gone...).

Basically I need to tell them to purchase a separate receptionist computer, updated antivirus, and make changes for HIPAA. Anyone have experience with this?
 
I went through something similar with my former employer. But in that case it was Sarbanes-Oxley, NASD, and SEC rules we had to deal with with regard to email and other types of data. In the end we were a small enough shop that all of our other data was on paper. But the email side I contracted out to a third-party vendor who presented us with a letter to present at audit time.

I honestly suggest they hire a consultant who will give an outline of what they need to do to fall into compliance. You don't want to do this on your own and find out something went wrong. When the government comes a-cracking, the company will hang you out to dry. And I believe the government can actually toss people in jail for major violations even if it wasn't done on purpose.
 
I've walked into several small offices where somebody was using the server as a workstation. The first time I saw this, I warned them and they promptly bought a Dell workstation. But it was too late. They already had two major trojans on their server.
 
HIPAA is a huge PITA. At a minimum, any PHI (Protected Health Information) data that is patient-identifiable needs to have any access logged, so they can show who accessed what patient information when. There shouldn't be any access/disclosure of PHI data without prior approval from the patient - this includes other staff members who are not directly involved in patient care or ancillary duties that would require them to view the data. It goes on and on....

A basic link that may be somewhat helpful:
link

 
JDMnAR1 is right on:

>HIPAA is a huge PITA.

In my travels, I've run into HIPAA issues and never got anything resembling straight answers at an engineering level. Everyone seems to think that different things are and aren't required. My best advice right now is, sadly, to hire a HIPAA consultant, do whatever they say, and keep a big paper trail to point to having performed that exercise.
 
Originally posted by: cmetz
In my travels, I've run into HIPAA issues and never got anything resembling straight answers at an engineering level. Everyone seems to think that different things are and aren't required. My best advice right now is, sadly, to hire a HIPAA consultant, do whatever they say, and keep a big paper trail to point to having performed that exercise.
I have yet to find a small medical practice that has actually SEEN a HIPAA enforcement official. I'm not sure that they exist. The biggest danger for small practices is that if they ever DO have a bad leak, both the public and the government could come down hard on them.

HIPAA training is mostly pretty simplistic from an IT point of view at least. I haven't taken any HIPAA certification tests, but I took some example tests and nearly passed them without even having read anything. Mostly, it's a matter of definitions of terms and such.

There are "guidelines" for security, and some things are obvious. Only those with a "need to know" should have access to data. There should be backups. Etc. etc. Most details are left to the imagination of the implementer, who is advised to use "Industry Best Practices".
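Two points raised in this thread, that every access to patient-identifiable PHI should be logged so the practice can show who looked at which patient's record and when (JDMnAR1's post above), and that only staff with a need to know should be able to get at the data at all (the "need to know" guideline in the post just above), are sketched here as an added Python example. This code is not from any poster in the thread and is not the office's patient-file software; the role names, the split of a record into `clinical_notes`, `schedule` and `billing` fields, the usernames and patient IDs are all assumptions for illustration. Chaining each log entry to the hash of the previous one is a design choice added here so that later edits to the log can be detected; it is not a requirement anyone in the thread stated.

```python
"""PHI access control with an append-only, hash-chained audit log.

Added illustration; not from the original thread. Role names, field names,
users and patient IDs below are made up for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical role split for a small PT office (assumption).
CARE_ROLES = {"therapist", "physician"}          # may read clinical notes
ADMIN_ROLES = {"receptionist", "billing"}        # scheduling/billing only
ADMIN_FIELDS = {"schedule", "billing"}

GENESIS_HASH = "0" * 64


class PhiAuditLog:
    """Append-only log: each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS_HASH

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys) so the hash is reproducible on verify.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, role, patient_id, action, granted, when=None):
        """Log one access attempt, granted or denied, and return the entry."""
        when = when or datetime.now(timezone.utc)
        entry = {
            "ts": when.isoformat(),
            "user": user,
            "role": role,
            "patient_id": patient_id,
            "action": action,
            "granted": granted,
            "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify_chain(self):
        """True if no entry was altered, inserted or dropped since it was written."""
        prev = GENESIS_HASH
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or self._digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def who_accessed(self, patient_id):
        """The disclosure trail for one patient: (timestamp, user, action) of granted reads."""
        return [(e["ts"], e["user"], e["action"])
                for e in self.entries
                if e["patient_id"] == patient_id and e["granted"]]


def access_record(log, user, role, patient_id, field, treating_clinicians, when=None):
    """Need-to-know check, then log the attempt whether or not it was granted.

    treating_clinicians maps patient_id -> set of users directly involved in
    that patient's care (assumed to come from the scheduling system).
    """
    if field == "clinical_notes":
        # Clinical notes: care role AND actually treating this patient.
        granted = role in CARE_ROLES and user in treating_clinicians.get(patient_id, set())
    elif field in ADMIN_FIELDS:
        # Front-desk data: any care or admin role, nobody else.
        granted = role in CARE_ROLES or role in ADMIN_ROLES
    else:
        granted = False
    log.record(user, role, patient_id, "read:" + field, granted, when)
    return granted


def demo():
    """Constructed scenario: one therapist treats P-1001; others try to read the chart."""
    log = PhiAuditLog()
    treating = {"P-1001": {"tpt_jane"}}   # constructed sample data
    access_record(log, "tpt_jane", "therapist", "P-1001", "clinical_notes", treating)
    access_record(log, "recep_bob", "receptionist", "P-1001", "clinical_notes", treating)
    access_record(log, "recep_bob", "receptionist", "P-1001", "schedule", treating)
    access_record(log, "tpt_mike", "therapist", "P-1001", "clinical_notes", treating)
    return log


if __name__ == "__main__":
    audit = demo()
    for ts, user, action in audit.who_accessed("P-1001"):
        print(ts, user, action)
    print("chain intact:", audit.verify_chain())
```

Denied attempts are logged as well as granted ones, because a receptionist repeatedly trying to open clinical notes is exactly the pattern an audit should surface. In practice the log would live on the server or the file server with write-only permissions for the application, not in memory as here.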
 