[ Thursday, May 05, 2005 ]
New Security Rule FAQs from CMS: There appear to be 5 new FAQs out (hat tip to John Cody). Go here
, click on the FAQ button at the top, select "HIPAA Administrative Simplification" from the "topics" pull-down menu, and go to the last page of FAQs (the new ones are marked).
The most interesting FAQ and answer, in my opinion, is this one
: I've noted before that the Security Rule BAA requirements state that BAs must report every "security incident" to the CE, even though "security incident" is so broadly defined that it includes every single ping, regardless of how benign the ping might be or how well protected the network is from that pinger. The FAQ addresses the issue, and says that the BA and CE might agree that the only report the BA needs to make on those pings is "a monthly report that only includes an aggregate number of pings for that month." The CE might look at the report, look for patterns, and request some further analysis or special protections based on that. That does minimize the reporting requirement, but it also indicates that CMS is not going to ratchet back the reporting requirement or the expansive definition of "security incident." I think this is foolish and sets a too-high standard for most CEs and most of their BAs.
Jeff [10:35 AM]
Blogger: HIPAA Blog - Edit your Template