Slashdot Mirror


Striving for HIPAA Compliance?

krisguy asks: "As an Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP and ANSI X12 codes, and I have to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional or be forced to have the company shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues with this article, which concerned itself with Windows 2000 and HIPAA issues. For those who have already jumped through the hoops that represent HIPAA compliance on a general basis, what did you have to ensure was done?

13 of 277 comments

  1. Why not try this? by demonlapin · Score: 5, Informative

    Although it's another side of health care, why not take a look at the AMA's page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.

    1. Re:Why not try this? by blake182 · Score: 4, Informative

      In general, it is a difficult problem to say "we need to be HIPAA-compliant". It generally needs to break down to finding all of the points where healthcare information flows outside the organization, and then protecting that information.

      From the standpoint of email, there was a great amount of effort put into this in 2001. Check out this press release, which summarizes the effort. Basically, there was a group of email vendors led by the Massachusetts Health Data Consortium (MHDC) that got together and standardized a method of doing server-to-server encryption of email. This effort is currently an Internet Draft, draft-ramsdell-enc-smime-gateway, and it will actually be moved to the IETF S/MIME working group in time for the next meeting. It is basically a profile of the DOMSEC effort, which is in turn a profile of S/MIME. I participated in this effort on behalf of Tumbleweed, and at the end of it all, the products were all working together, and I am a co-author and editor of the draft.

      The bottom line is that there exist commercially available solutions from multiple vendors which satisfy the HIPAA requirements for secure email, which is most likely a large part of your charge. These products are generally usable in a "gateway" configuration where they can be placed next to an existing mail server to automatically encrypt / decrypt mail according to policy. Further, this effort is being discussed and documented in the IETF so that new implementations can be created.

  2. Re:Bureaucratic filth by Jeremiah+Cornelius · Score: 5, Informative
    Part of the problem with HIPAA is the earnest attempt to create a standard for Information Security controls, without a requirement for implementation specifics on individual security controls. The aim is admirable - do not specify technologies which could be tied to a vendor, or rendered obsolete within the decade. Also, do not make assumptions about the specific sensitivity of individual data elements in the custody of various regulated entities.

    The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, implementation, audit and compliance. The healthcare industry must now involve itself in a regime of regulatory overhead analogous to that of securities or banking.

    I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  3. A Few Things by danielgast · Score: 5, Informative

    Yes, many of us who are in the industry, or in tangentially related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:

    1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

    2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)

    3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accommodate the new rules.

    4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).

    5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticeable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accommodate the law.

    -Dan

    1. Re:A Few Things by LinuxWoman · Score: 3, Informative

      Dan made some very good points. File extensions where possible; that shows you're at least aware that you still have issues but have plans in the works to fix them. Start with the larger problems (and the ones you CAN fix) and get those holes patched. Plan on doing a lot of user training; the less technically savvy are often convinced proper security makes computer use insanely difficult. Inform the users that if they don't follow security procedures you'll fire them because you can't afford to have the company shut down. Finally, keep copies to document EVERY single step you take in trying to reach compliance. If you can document that, in most govt. audit situations you'll get a warning and a date for a re-audit. If, for some reason, you DO get fined it'll certainly lessen the fine - from the insane level of "you're stupid so you must have lots of money" down to "you've tried so here's a light slap on the wrist". Good luck.

  4. Re:Don't just tell them... by Zeinfeld · Score: 3, Informative
    > Don't just tell them you will fire them. Actually fire a couple. The rest shape up real quick.

    Dilbert's boss posts on Slashdot!

    There is no point in threats when people have no idea what to do. And there is simply no point in trying to solve an enterprise security problem with tools designed by geeks for geeks.

    PGP is, as you point out, not an easy concept to explain to an end user. In particular PGP is designed around an ideology of personal security, and not enforcing an enterprise-wide security policy.

    First you need someone to write the security policy. 'We don't believe in security' is probably not a starter; it might put off the patients. Fortunately the more complex privacy issues have been punted on - for now; expect them to return in due course. For the time being you need your network security measures and application security. But don't buy into a system unless the vendor is likely to be around in a couple of years to provide privacy management infrastructure as well.

    What you need for messaging security is a PKI that enables the encryption features of Outlook, Lotus Notes, Netscape etc. Given your time constraints it would probably be best to look at an outsourced solution so you don't have to worry about building secure infrastructure or write a CPS or anything stupid. This is also much cheaper up front on capital costs.

    The other thing you will need to do is to draw up some sort of survey that describes the circumstances under which you report confidential patient information to outside bodies - under HIPAA that includes external medical practices, labs etc. You will need to make sure that their privacy practices align with the ones you communicate to the patients.

    --
    Looking for an Information Security student project suggestion?
    Try http://dotcrimeManifesto.com/
  5. IT ISN'T AS HARD AS IT LOOKS! by leftism11 · Score: 5, Informative

    I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.

    If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.

    First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read; they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read; just the transaction specs.)

    Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.

    After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.

    I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.

    You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:

    http://aspe.hhs.gov/admnsimp/

    A site to check for updates and HIPAA news is:

    http://www.hipaadvisory.com/

    (They have good news updates, but again, use your knowledge of HIPAA and understanding of your organization to filter any opinions you get from their site.)

  6. Uhhhh by isa-kuruption · Score: 4, Informative

    First, being a 'security officer' means you are a VP level or better. Are you paid for this? As an officer, you have the authority to tell people to do what you want; you also have the authority to hire and fire as needed, etc....

    Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact that your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.

    Also, referring to my first statement, if you are an "officer" of the company, it means you COULD go to jail if you break the law (e.g. by not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?

  7. Take a deep breath by Aron+S-T · Score: 2, Informative

    While HIPAA compliance is serious, no one is going to shut you down if you aren't compliant by April. First of all, the privacy rule was just finalized a few weeks ago, and the security rules haven't even been finalized yet. This isn't Y2K - the deadlines are artificial, and, as was done for the transaction deadline, extensions no doubt will be offered.

    The key though is this:

    The first step you must take now is build a compliance plan! This is important because you will need it to get an extension. It is also the only way to make HIPAA compliance manageable.

    Keep in mind, as well, that HIPAA is mostly about best practices regarding security and privacy. Even if HIPAA didn't exist you should be doing it. Not just you. Everyone out there. HIPAA is just a stick.

    So
    1. Look at your organization
    2. Build a plan
    3. Educate your employees why this is important
    4. Implement the plan
    5. Educate your employees how this will be done
    6. Test the plan
    7. Educate your employees what needs to be done

    I think you get the picture. And don't feel pressured. Just do it right, step by step.

  8. The email part of the HIPAA regulations by sportal · Score: 4, Informative

    I've mainly been dealing with the effect of the HIPAA regulations on email. The organization I work for primarily communicates with other health care organizations, not patients directly. We will probably implement a mix of solutions and make the option available to the other organization of what they want to use. You only need to worry about encrypting email that contains PHI (patient health information).

    1. STARTTLS - Implement it in your mail server or border mail gateway, and your email gets encrypted on the fly without requiring any user intervention. Works great; there are only a couple of things you need to look out for. An informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding on the message unencrypted after you send it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) SSL certificates signed by a proper CA (not self-signed) help prevent man-in-the-middle style attacks.

    2. S/MIME - Works, but you've got to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.

    3. PGP - Works, but same as S/MIME, you've got to train the users on both ends. Put your PGP public keys up on your website so that users can download them.

    4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot more easily than trying to train an AOL user/patient how to use S/MIME. Prevents them from broadcasting their SSN and health problems to the Internet in clear text.

    5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being S/MIME gateways, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating with. Also it only helps at the organization-to-organization level, since AOL isn't running an S/MIME gateway, and neither is hotmail.

    Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
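
Points (b) and (c) of the STARTTLS item above are the ones a mail admin actually has to get right: opportunistic TLS silently falls back to plaintext, and "encrypt" without certificate verification still lets an on-path attacker present its own certificate. The following added example (editor's illustration, not code from the thread and not Postfix source) models the per-domain policy levels that Postfix's smtp_tls_policy_maps uses (none / may / encrypt / verify / secure) and shows when a message is delivered, delivered unverified, or deferred. The domain names, policy table, EHLO replies and certificate descriptions are constructed sample data; the main.cf fragment in the docstring is assumed modern Postfix syntax, not the 2002-era options.

```python
"""
Per-domain TLS policy for outbound SMTP, modelled on the Postfix
smtp_tls_policy_maps levels (none / may / encrypt / verify / secure).

Added illustration for the STARTTLS discussion; not code from the thread
and not Postfix source.  Domain names, the policy table, the EHLO replies
and the certificate dicts below are constructed sample data.

Assumed equivalent Postfix configuration (modern main.cf syntax):
    smtp_tls_security_level = may
    smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt
    smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
and /etc/postfix/tls_policy:
    partnerlab.example    secure
    otherclinic.example   encrypt
"""
from enum import IntEnum


class TlsLevel(IntEnum):
    NONE = 0     # never negotiate TLS
    MAY = 1      # opportunistic: TLS if offered, otherwise plaintext
    ENCRYPT = 2  # TLS mandatory; any certificate (even self-signed) accepted
    VERIFY = 3   # TLS mandatory; certificate must chain to a trusted CA
    SECURE = 4   # as VERIFY, plus certificate name must match the domain


# Constructed policy table keyed by recipient domain; others get DEFAULT_LEVEL.
POLICY = {
    "partnerlab.example": TlsLevel.SECURE,
    "otherclinic.example": TlsLevel.ENCRYPT,
}
DEFAULT_LEVEL = TlsLevel.MAY


def parse_ehlo(reply: str) -> set:
    """Extension keywords advertised in a multi-line 250 EHLO reply.

    The first 250 line carries the server's hostname, not an extension,
    so it is skipped.
    """
    lines = [ln for ln in reply.splitlines() if ln.startswith("250")]
    exts = set()
    for ln in lines[1:]:
        body = ln[4:].strip()  # drop the "250-" / "250 " prefix
        if body:
            exts.add(body.split()[0].upper())
    return exts


def decide(domain: str, ehlo_reply: str, peer_cert):
    """Decide whether a message for `domain` may leave this server.

    peer_cert is None when no TLS handshake completed, otherwise a dict
    {"chain_ok": bool, "names": set of DNS names} describing the
    certificate the remote MX presented.

    Returns ("deliver", <mode>) or ("defer", <reason>).  Deferring keeps
    the message queued instead of downgrading to plaintext.  None of this
    can tell you whether the MX you reached is the last hop (point (a) in
    the post); that needs an agreement with the other organization.
    """
    level = POLICY.get(domain, DEFAULT_LEVEL)
    offers_starttls = "STARTTLS" in parse_ehlo(ehlo_reply)

    if level == TlsLevel.NONE:
        return ("deliver", "plaintext")

    if not offers_starttls:
        if level == TlsLevel.MAY:
            return ("deliver", "plaintext")  # opportunistic fallback
        return ("defer", f"{domain}: policy requires TLS but STARTTLS not offered")

    if peer_cert is None:
        if level == TlsLevel.MAY:
            return ("deliver", "plaintext")  # handshake failed, retry in clear
        return ("defer", f"{domain}: TLS handshake failed")

    if level <= TlsLevel.ENCRYPT:
        return ("deliver", "tls-unverified")  # an on-path MITM with its own cert passes

    if not peer_cert["chain_ok"]:
        return ("defer", f"{domain}: certificate does not chain to a trusted CA")

    if level == TlsLevel.SECURE and domain not in peer_cert["names"]:
        # Postfix's default 'secure' match is the next-hop domain, not the MX
        # hostname, so a cert naming only mx.partnerlab.example is rejected.
        return ("defer", f"{domain}: certificate name does not match domain")

    return ("deliver", "tls-secure" if level == TlsLevel.SECURE else "tls-verified")


# Constructed EHLO replies: one MX that offers STARTTLS and one that does not.
EHLO_TLS = "250-mx.partnerlab.example\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_PLAIN = "250-mx.otherclinic.example\r\n250 8BITMIME"

if __name__ == "__main__":
    print(decide("otherclinic.example", EHLO_PLAIN, None))
    print(decide("partnerlab.example", EHLO_TLS,
                 {"chain_ok": True, "names": {"mx.partnerlab.example"}}))
    print(decide("partnerlab.example", EHLO_TLS,
                 {"chain_ok": True, "names": {"partnerlab.example"}}))
```

The second call in the usage block is the case that bites people in practice: the partner's certificate is CA-signed but names only the MX host, so a "secure" policy defers the mail until either the certificate or the match rule is fixed; downgrading to "encrypt" would make it flow again but would give up the man-in-the-middle protection the post is asking for.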

  9. HIPAA simplified? by CokoBWare · Score: 2, Informative

    Hi guys,

    I work in a company where HIPAA compliance has been mandated by our legal counsel for liability reasons. Here's what I've managed to synthesize from the requirements...

    1. HIPAA is meant to protect the patient and their medical information from getting leaked out into the public.

    2. HIPAA is good, and it requires organizations working with medical data to treat it as sensitive information. Medical data of patients should be kept safe like your own children (not the best example, but you get the point).

    3. Protect the association between a patient and their medical information. There is nothing wrong with having medical information less secure unless it is accompanied by anything traceable to a patient (like SSN, address, name, next-of-kin, etc.).

    4. HIPAA demands that any time personal medical information is viewed or used, it needs to be tracked somehow to show the fingerprint trail.

    5. Protect all information systems from unauthorized access, including computer systems, physical claims, etc. Your premises should be as secure as your network!

    6. Read the HIPAA proposal, AND look for summaries on HIPAA. If the HIPAA proposal is too dense a read, then the summaries will help you get started.

    7. Form a HIPAA committee... usually one person from each department or overseeing group to help make implementations possible.

    8. Get your company audited for HIPAA compliance after you have implemented your measures. This way, you can have an "objective" 3rd-party evaluate your compliance and suggest remedies before the deadline.

    9. Don't get caught up in "If they can't enforce it, why should I bother?" That's lazy... would you want your personal medical information left on the sidewalk for someone to pick up and use against you? These are people's lives we're talking about!

    Well I've said enough. I am NO expert on HIPAA, but I have our CIO's and Security Manager's ear. These few points are what I've managed to make sense of while discussing the topic with them.

    Good luck on your own HIPAA compliance efforts.

    CokoBWare

  10. I worked for a medical center IS dept in 1998-1999 by dumbunny · Score: 2, Informative

    Everybody who had anything to do with HIPAA compliance went to at least one HIPAA workshop. HIPAA was the focus of many, many meetings. We had one person whose primary focus was HIPAA, and every manager was on board with the program. My advice is that you find a good HIPAA workshop, make sure your managers attend, and develop a coherent strategy together. If you don't take intelligent steps toward compliance, you risk becoming the fall guy.

    At the workshop, the topic of jail time for non-compliance came up. We jokingly asked about how the jail time could be divided up, and whether a 90-day sentence could be turned into 45 2-day sentences to be shared among all employees. The response was, basically, that it'd have to be a pretty blatant violation to warrant jail time, and the people charged would probably be those most responsible.

    It's to your benefit to quickly determine whether management is informed and ready to make this a high priority. Asking them to attend a short workshop is a good way for you both to get things started and get a feel for the situation, IMO. After that, you can decide whether to stay on or jump ship.

  11. [OT] SNIP by Anonymous Coward · Score: 1, Informative

    From http://www.cms.gov/hipaa/hipaa2/default.asp:

    Strategic National Implementation Process (SNIP) - A collaborative healthcare industry process for the development and implementation of standards. Site includes white papers on transactions, security, and privacy.

    For some reason, when I hear the phrase "SNIP" from the medical industry I have a tendency to wince. *g*