Appendix Q 483
insurers. Identifying these instances will define the scope of work required
to come into compliance with this requirement. To obtain this information,
it is imperative to involve process owners as well as technology owners.
Once this list is complete, a risk analysis should be performed to determine
what steps to take. As noted below, there are no “required” implementation
specifications related to this standard. The specific measures to take are dependent on the level of risk.
Client Response:
2. Is instant messaging used for communicating electronic protected health
information?
Guidance: Instant messaging has gone from being used for socializing to
being used for business purposes. You should find out if it is being used and
what is being transmitted using instant messaging software. There are solutions to secure instant message traffic.
Client Response:
a. REQUIRED Implementation Specifications
i. None
b. ADDRESSABLE Implementation Specifications
i. Integrity Controls
Security measures to ensure that electronically transmitted electronic protected health
information is not improperly modified without detection until it is disposed of.
Guidance: Based on what is being transmitted, the risk analysis should
consider the likelihood that electronic protected health information can be
altered during transmission. Depending on the risk, different solutions can
be implemented, including software that can check integrity or other procedures that check to determine whether information has been altered.
Client Response:
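As an added illustration of the "software that can check integrity" mentioned in the guidance above (example code written for this page, not part of the original book or any vendor product), the sender attaches a keyed HMAC-SHA256 tag to each transmitted record and the receiver recomputes it, so any modification in transit is detected; an unkeyed checksum would not do, since whoever alters the data could recompute it. The shared key and the patient record are constructed placeholder values.

```python
import hashlib
import hmac
import json

# Constructed placeholder: a secret shared out of band between the two
# parties. A real deployment would manage this key like any other credential.
SHARED_KEY = b"example-shared-secret-replace-me"


def canonical_bytes(record: dict) -> bytes:
    """Serialize the record deterministically so both sides hash the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: wrap the record with an HMAC-SHA256 tag covering every field."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare it in constant time."""
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


# Constructed sample ePHI record; all values are fictitious.
SAMPLE_RECORD = {"patient_id": "P-0001", "drug": "exampledrug", "dosage_mg": 50}


def demo() -> tuple:
    """Return (intact_verifies, tampered_verifies) for the sample record."""
    envelope = protect(SAMPLE_RECORD)
    intact = verify(envelope)
    # Simulate an in-transit change to one field while keeping the original tag:
    # the recomputed tag no longer matches, so the receiver rejects the record.
    tampered = {"record": dict(envelope["record"], dosage_mg=500), "tag": envelope["tag"]}
    return intact, verify(tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
```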
AU1706_book.fm Page 483 Tuesday, August 17, 2004 11:02 AM
484 A Practical Guide to Security Assessments
ii. Encryption
1. Implement a mechanism to encrypt electronic protected health information
as deemed appropriate.
Guidance: Encryption was one of the areas that received comments from
the public in the earlier draft of the HIPAA security regulations. For many
health care entities, particularly the smaller rural ones, the cost of encrypting communications over public networks can be daunting. As a result, encryption became an “addressable” specification. For example, information
communicated over a dial-up line probably would not require encryption
because the likelihood that the confidentiality can be compromised is slim.
The expectation is that companies should encrypt transmitted information
if their risk analysis determines that encryption is warranted.
Client Response: