Is Win2k + SP3 HIPAA Compliant?
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
http://www.euspirit.org/
The Microsoft Healthcare Users Group. This is a group of vendors that sit together on a board that defines all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant they certify you.
They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.
The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.
1. Check to see if your software is HL7 (health care 7). HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.
2. Ask your vendor how they store the medical records, is it HL7 compliant. I think you guys have a homegrown product? IF your product is home grown it doesn't apply to the governmental standard for handling medical data, the EULA is the least of your worries.
3. IF the product is home grown. Cover your ass.
MSHUG is Microsoft-centric but a good start for you.
I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DON'T ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the VAR.
PUTO
The Revolution Will Not Be Televised
If your company is of any size whatsoever, you'll need more than just a lawyer who specializes in HIPAA compliance issues. You'll need to acquire the services of a HIPAA compliance and remediation consulting group. Our hospital is using Ernst & Young.
It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.
First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts that mean the partner company states that they are contractually obligated to handle any patient data of yours in a means that is also HIPAA compliant.
Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.
Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.
One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.
I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.