Forwarded from: Caspian Kilkelly <Caspian (at) random-interrupt.org> RE: HIPAA security rules- These rules are basically a bare minimum for compliance, and don't usually end up passing muster for other standards (IHE, HITTSP, HL7, the various ISOs, etc) which most hospital and care network administrators want to see. HIPAA is finally catching up with the rest of them, it seems. The simplified version of this is as follows- any company that produces EHRs or other patient data management, handling or creation systems should have an audit system built in, that can audit Patient information access and changes. This is a minimum for most specifications, and the only reason it gets missed at an application level is that designers and coders, or their bosses seem to think that the platform the app runs on should already have automatic logging. In any case, it shouldn't actually affect the cost of EHR or other Medical IT system adoptions, since this should already be baked in. Caspian Kilkelly (caspian (at) random-interrupt.org) InfoSec News wrote: > http://www.aafp.org/online/en/home/publications/news/news-now/government-medicine/20090318hipaa-security-rules.html > > By Sheri Porter > AAFA News Now > 3/18/2009 > > The recently passed federal stimulus package includes changes to > federal health information privacy and security provisions under the > Health Insurance Portability and Accountability Act, or HIPAA, that > will affect physician practices. According to health care policy > experts, however, the extent of that impact remains to be seen. > > The Health Information Technology for Economic and Clinical Health, or > HITECH, Act, which is intended to promote widespread adoption of > health IT, was incorporated into the American Recovery and > Reinvestment Act of 2009, (Page 144; 407-page PDF; About PDFs) which > was signed into law on Feb. 17. > > According to provisions in the legislation, physicians now will be > required to track any disclosure of a patient's medical information. > Previous regulations allowed physicians to disclose patient > information for the purpose of treatment, payment or health care > operations, but they were not required to track when that information > was disclosed. _______________________________________________ Best Selling Security Books and More! http://www.shopinfosecnews.org/Received on Mon Mar 23 2009 - 02:20:50 PDT
This archive was generated by hypermail 2.2.0 : Mon Mar 23 2009 - 02:26:53 PDT