[ Thursday, December 04, 2008 ]
NIST weighs in:
This is cool (OK, geeky and long, but still potentially very useful): the National Institute of Standards and Technology has a very important job: they standardize everything, so things work together in industry, commerce, society, etc. These are the folks that came up with the different size and shape of electrical plugs, so you don't plug a 110 appliance into a 220 outlet, and determined the right size for the screw-in part of your light bulbs. Some standards develop on their own, or through a battle of the technologies (think VHS versus Beta). But some would be a mess if somebody didn't come up with standards early, and that's where NIST comes in. They came up with the HIPAA transaction standards, using industry groups to help determine how the forms should look, what information they should contain, how it should be organized, etc.
Anyway, NIST has now come out with a resource paper on implementing the HIPAA security rule. It can be found here
. Like I said, it's long. But I have 2 observations about it: First, it is comprehensive in both substance and approach. By that, I mean it's usable by the biggest IT geek as well as the office administrator whose IT knowledge ends at the power button on the computer. It's long, but well organized, and it's pretty easy to determine when you've gone deep enough in one section to know that you can skim the rest. It's step-by-step, issue-by-issue, question-by-question approach makes it equally usable for a single-physician practice administrator as for a multi-hospital system. The writing is sufficiently accessible to be readable by just about any manager-level personnel (or just about anyone with a high school education), yet informative enough to work for true techies.
But my second observation is, if any of this stuff is completely new to you, then you've been out of HIPAA Security Rule compliance for 3.5 years. Nevertheless, it's a good review, regardless of where you are in your HIPAA Security compliance. Remember, HIPAA Security isn't a one-and-done deal: you must assess and address, but you must also continuously review, reassess and readdress if necessary. If you've done this and asked these questions, then ask them again. If you haven't, you better start now.
In fact, I think this is important enough to warrant its own link (to the left).
Jeff [10:33 AM]
Blogger: HIPAA Blog - Edit your Template