Rx2000HIPAA Digest, Volume 24

#1 From: medimage@voicenet.com
   Subject: Re: A Cautionary Note
#2 From: aeby@umcaz.edu
   Subject: HIPAA and Disaster Recovery Plan
#3 From: RFischer@foleylaw.com
   Subject:
#4 From: lisa.cavitt@sih.net
   Subject: Re: HIPAA and Disaster Recovery Plan
#5 From: brider@jhmi.edu
   Subject: Re: HIPAA and Disaster Recovery Plan
#6 From: Clyde.Hewitt@NCMail.NET
   Subject: Re: HIPAA and Disaster Recovery Plan
#7 From: Sslazarus@aol.com
   Subject: Re: HIPAA and Disaster Recovery Plan
#8 From: joldenburg@evantageconsulting.com
   Subject: "Authorizing" access

********** Message #1 **********
From: medimage@voicenet.com
To:
Subject: Re: A Cautionary Note
Date: Thu, 1 Jun 2000 15:22:54 -0400

The IT vendor excuse du jour? Just add water and stir.

If the breach is the vendor's fault, I'll find it and photograph it. No oversight passes without hardcopy evidence. And if it's a bug, it's the vendor's fault. And I'll still find it.

At the end of the day, if the IT industry wants to dabble in healthcare for their profits then they will build in compliance and be held accountable.

Dave Koster
My official title: HIS/RIS/LIS/CIS/DISC/DICOM/PACS Network Installer, Network Administrator, Network Manager, Network Maintenance and the Primary Reason HIPAA Compliance is 100% Impossible.
This is reality, not pessimism ;-)

----- Original Message -----
From:
To:
Sent: Wednesday, May 31, 2000 12:44 PM
Subject: A Cautionary Note

> With regard to vendor representations and warranties regarding compliance, I'd like to caution people that no IT system can ensure a customer's compliance with HIPAA confidentiality and privacy requirements -- at the most, the system can provide certain enumerated technical capabilities that can assist the client in achieving HIPAA compliance through the customer's own compliance program.
>
> Richard X. Fischer
> Foley & Lardner
> 330 N. Wabash Avenue
> Chicago, Illinois 60611
> Phone: 312/755-2577
> Fax: 312/755-1925
> Email: Rfischer@foleylaw.com

********** Message #2 **********
From: aeby@umcaz.edu
To: "'rx2000hipaa@rx2000.org'"
Subject: HIPAA and Disaster Recovery Plan
Date: Thu, 1 Jun 2000 13:56:13 -0700

Could someone tell me where I could find the reference/section on the required 'disaster preparation and recovery' in the HIPAA regulations?

Thanks.

Angela Eby
Sr. Systems Analyst
University Medical Center
Tucson, AZ 85724-5173
AEby@umcaz.edu

********** Message #3 **********
From: RFischer@foleylaw.com
To: "'Rx2000HIPAA@rx2000.org'"
Subject:
Date: Fri, 2 Jun 2000 13:21:21 -0500

With all respect to David, a computer system cannot ensure that a person does not take a printout of a person's confidential medical information and show it to people who have no right to the information, or that the person will not discuss information contained in an electronic medical record with someone who has no right or need to know. People comply; IT systems conform.

Richard X. Fischer
Foley & Lardner
330 N. Wabash Avenue
Chicago, Illinois 60611
Phone: 312/755-2577
Fax: 312/755-1925
Email: Rfischer@foleylaw.com

David Koster wrote:
> The IT vendor excuse du jour? Just add water and stir.
>
> If the breach is the vendor's fault, I'll find it and photograph it. No oversight passes without hardcopy evidence. And if it's a bug, it's the vendor's fault. And I'll still find it.
>
> At the end of the day, if the IT industry wants to dabble in healthcare for their profits then they will build in compliance and be held accountable.
>
> Dave Koster
> My official title: HIS/RIS/LIS/CIS/DISC/DICOM/PACS Network Installer, Network Administrator, Network Manager, Network Maintenance and the Primary Reason HIPAA Compliance is 100% Impossible.
> This is reality, not pessimism ;-)

********** Message #4 **********
From: lisa.cavitt@sih.net
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and Disaster Recovery Plan
Date: Fri, 2 Jun 2000 14:04:26 -0500

Here are a few of the places disaster recovery is mentioned on the Administrative Simplification web site.

http://aspe.hhs.gov/admnsimp/nprm/sec06.htm
http://aspe.hhs.gov/admnsimp/nprm/sec07.htm
http://aspe.hhs.gov/admnsimp/nprm/sec14.htm
http://aspe.hhs.gov/admnsimp/nprm/sec15.htm
http://aspe.hhs.gov/admnsimp/nprm/sec16.htm

This last section has a map to the regulations:

REQUIREMENT                        IMPLEMENTATION                                MAPPED STANDARDS
Contingency plan (all listed       Applications and data criticality analysis    17, 47, 53
implementation features must be    Data backup plan                              12, 17, 47
implemented).                      Disaster recovery plan                        12, 17, 47, 53
                                   Emergency mode operation plan                 47, 53
                                   Testing and revision                          12, 17, 47

Hope this was helpful.

Lisa R. Cavitt
Information Services
Southern Illinois Healthcare
1385 E Main Street
Carbondale, Il 62901
Fax: 618-529-7311
E-Mail: lisa.cavitt@sih.net

Rx2000HIPAA@rx2000.org
06/01/00 03:56 PM
Please respond to Rx2000HIPAA
To: Rx2000HIPAA@rx2000.org
cc:
Subject: HIPAA and Disaster Recovery Plan

> Could someone tell me where I could find the reference/section on the required 'disaster preparation and recovery' in the HIPAA regulations?
>
> Thanks.
>
> Angela Eby
> Sr. Systems Analyst
> University Medical Center
> Tucson, AZ 85724-5173
> AEby@umcaz.edu

********** Message #5 **********
From: brider@jhmi.edu
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and Disaster Recovery Plan
Date: Fri, 02 Jun 2000 15:14:29 -0400

Easiest thing to do is refer to the HCFA Security Matrix under Business Continuity Planning. The majority of references in the legislation fall under the Security section.

Can provide more detail if you need it.... just let me know.

Bill Rider, CBCP
Mgr, Info Security/Disaster Recovery
Johns Hopkins Hospital
(410) 955-1691
brider@jhmi.edu

>>> 06/01/00 04:56PM >>>
> Could someone tell me where I could find the reference/section on the required 'disaster preparation and recovery' in the HIPAA regulations?
>
> Thanks.
>
> Angela Eby
> Sr. Systems Analyst
> University Medical Center
> Tucson, AZ 85724-5173
> AEby@umcaz.edu

********** Message #6 **********
From: Clyde.Hewitt@NCMail.NET
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and Disaster Recovery Plan
Date: Sat, 03 Jun 2000 15:45:15 -0400

Also check out the NCHICA EarlyView Security Assessment Tool. It has several questions that can help you navigate the Security Matrix and BCP.

Rx2000HIPAA@rx2000.org wrote:
> Easiest thing to do is refer to the HCFA Security Matrix under Business Continuity Planning. The majority of references in the legislation fall under the Security section.
>
> Can provide more detail if you need it.... just let me know.
>
> Bill Rider, CBCP
> Mgr, Info Security/Disaster Recovery
> Johns Hopkins Hospital
> (410) 955-1691
> brider@jhmi.edu
>
> >>> 06/01/00 04:56PM >>>
> > Could someone tell me where I could find the reference/section on the required 'disaster preparation and recovery' in the HIPAA regulations?
> >
> > Thanks.
> >
> > Angela Eby
> > Sr. Systems Analyst
> > University Medical Center
> > Tucson, AZ 85724-5173
> > AEby@umcaz.edu

********** Message #7 **********
From: Sslazarus@aol.com
To: Rx2000HIPAA@rx2000.org
Subject: Re: HIPAA and Disaster Recovery Plan
Date: Mon, 5 Jun 2000 11:00:31 EDT

See the Security Regulation, under Administrative Procedures.

Steven S. Lazarus, PhD, FHIMSS
Boundary Information Group
sslazarus@aol.com

********** Message #8 **********
From: joldenburg@evantageconsulting.com
To: "'rx2000hipaa@rx2000.org'"
Subject: "Authorizing" access
Date: Tue, 6 Jun 2000 11:25:06 -0500

I'm interested in knowing how other people read the proposed HIPAA regulations regarding how you validate that someone is authorized to access sensitive data -- and what other people are doing about it.

As I read the regulations, they seem to identify lots of security steps and procedures for issuing logons and passwords or digital certificates to individuals, that will enable them in the future to access sensitive healthcare data. What I don't see anywhere is information about what steps you need to take to ensure that the person to whom you are issuing the logon and password or digital certificate "is who he/she says he/she is."

This "hole" seems to me to be compounded by the problem that for many transactions, it is not the physician who needs to be authorized, but a clerk within a clinic or hospital.

How do the rest of you read this? How are you addressing it in your organizations?

Thanks,
Jan Oldenburg
joldenburg@evantageconsulting.com