Hard times on the HIPAA front

A trio of ugly situations means painful publicity for lazy or sloppy organizations

Page 3 of 3

There's no twist or unexpected sardonic ending here. The simple lesson is that organizations subject to HIPAA regulations should think twice about lame excuses and willful ignorance of security requirements. Sadly, I continually encounter people responsible for HIPAA compliance (or worse yet, "expert" consultants) who quite simply have never read the security rule.

Here's a secret those freshly minted experts don't seem to know: The security rule is not only pretty clear but is short -- if you know where to look. Click on the unobtrusive "Regulations" link on the left side of the Centers for Medicare & Medicaid Services' Security Standard Web site, and find the "Security Final Rule (download PDF)." If you're just getting acquainted with HIPAA, skip to the last 13 pages of the document, and start with definitions on page 8,374 (don't worry, the document starts with page 8,334). Pay special attention to the difference between "required" and "addressable" security implementation specifications in Section 164.306.

Believe it or not, all the stuff that matters -- the administrative, physical and technical safeguards, followed by two small sections on organization and required documents -- is between pages 8,377 and 8,379. That's right... just three pages. And it's followed by a nice one-page summary table of all requirements.

And it's not a complicated law.

Read it.

Do it.

Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blasé, cynical, jaded, content and enthusiastic again. He manages information governance reform for a refugee aid organization and continues to have his advice ignored by CEOs, auditors and sysadmins alike.

Copyright © 2007 IDG Communications, Inc.
