Comments on Ephemerallaw: 333,000 Unencrypted Records Exposed a Month Ago
Feed author: William Morriss

William Morriss, 2008-11-19 03:31 (-08:00):
Actually, HIPAA does specify things which are required (e.g., unique user identification, emergency access procedures, media disposal policies, etc.). It just happens that encryption isn't among them.

Anonymous, 2008-11-18 10:49 (-08:00):
Thank you for your detailed response to Bill's question. In my research of HIPAA I found the lack of specifics set forth by HHS to be frustrating. Correct me if I am wrong, but it seems to me a covered entity can set policies as they see fit as long as justification is provided. I think this lack of clarity and specifics does not protect patients as much as tighter regulations could.

John Taylor, 2008-11-17 09:25 (-08:00):
William,

I have posted my own article with reference to yours. Thank you.

John

Unknown, 2008-11-17 08:54 (-08:00):
Hi Bill,

I can clear up your confusion over "required" and "addressable" safeguards in the HIPAA Security Rule.

A covered entity may decide NOT to implement an addressable safeguard (such as encryption) based on their Risk Assessment. This decision must be documented, however.

From Pg 8336 of the HIPAA Security Rule:

"In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: (a) Implement one or more of the addressable implementation specifications; (b) implement one or more alternative security measures; (c) implement a combination of both; or (d) not implement either an addressable implementation specification or an alternative security measure. In all cases, the covered entity must meet the standards, as explained below."

From HHS HIPAA Security Series, "Security 101 for Covered Entities":

"If the covered entity chooses not to implement an addressable specification based on its assessment, it must document the reason and, if reasonable and appropriate, implement an equivalent alternative measure."

None of your Business, 2008-11-17 06:24 (-08:00):
Little confused by one statement about encryption. You seem to imply that encryption is not required. Under HIPAA it is required, but you have a choice on how to do it (addressable).

In this case this seems to be a compromised internal system, which neither HIPAA nor most privacy/security standards address. PCI standards are moving closer. This issue, without knowing more detail, seems to be a vulnerability and access issue under HIPAA.