Health Information Compliance Alert

READER QUESTION:

New Software May Not Be Necessary

Question: Since the security reg is 'technology-neutral' and doesn't require CEs to buy new software, can we get by with coming up with something on our own? Are we going to get nailed by the feds if there's a security incident and our security plan software isn't viewed as being compliant by the feds?


Chicago Subscriber


Answer: "There is absolutely nothing in the final security rule that is not already incorporated into the software products that are in common use today," says Harry Smith, president of the Denver chapter of the International Systems Security Association.

Smith says many security product vendors will try to sell you expensive solutions, claiming that you won't be compliant without them. "Don't fall for any 'HIPAA hype,'" he warns, adding that there are three aspects of technical security, which he calls the three "As": authentication, access control and audit.

Almost every operating system, database system, and patient information system includes built-in controls that address the three As.

Most likely, "all you'll have to do is dust off the User's Guide and figure out how to ensure that everyone has his own user account and password, and set the appropriate file permission for sensitive information."
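As an added illustration (not part of the newsletter and not Smith's own advice), the following POSIX shell script shows what the two controls he names, individual accounts and file permissions, look like when checked with tools already on a Unix-like host. Every input is a constructed sample written to temporary files with hypothetical user names; the script never reads the real /etc/passwd or /etc/shadow.

```shell
#!/bin/sh
# Added example, not from the original article. Checks two of the three "As"
# (authentication and access control) with standard POSIX tools only.
# All data below is constructed; nothing touches the real account database.
set -u

# --- Constructed sample account database (hypothetical users) ---
PASSWD_SAMPLE=$(mktemp)
cat > "$PASSWD_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice (billing):/home/alice:/bin/sh
bob:x:1002:1002:Bob (records):/home/bob:/bin/sh
frontdesk:x:1003:1003:Front desk:/home/frontdesk:/bin/sh
frontdesk2:x:1003:1003:Front desk:/home/frontdesk:/bin/sh
EOF

# Constructed shadow-style file; the hashes are placeholders, and "bob" has an
# empty password field.
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$6$placeholderhash:19000:0:99999:7:::
alice:$6$placeholderhash:19000:0:99999:7:::
bob::19000:0:99999:7:::
frontdesk:$6$placeholderhash:19000:0:99999:7:::
frontdesk2:$6$placeholderhash:19000:0:99999:7:::
EOF

# --- Constructed directory standing in for "sensitive information" ---
SENSITIVE_DIR=$(mktemp -d)
: > "$SENSITIVE_DIR/patient_list.csv"
chmod 644 "$SENSITIVE_DIR/patient_list.csv"   # readable by everyone: too loose
: > "$SENSITIVE_DIR/notes.txt"
chmod 600 "$SENSITIVE_DIR/notes.txt"          # owner only: what we want

# Authentication check 1: "everyone has his own user account" means no UID may
# appear on more than one passwd line. Prints each UID that is shared.
shared_uids() {
  cut -d: -f3 "$1" | sort | uniq -d
}

# Authentication check 2: an empty second field in a shadow-style file means
# the account can log in with no password at all. Prints those account names.
no_password_accounts() {
  awk -F: '$2 == "" { print $1 }' "$1"
}

# Access-control check: list regular files in a directory that grant any
# permission to "other" users (characters 8-10 of the ls mode string).
world_accessible() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    other=$(ls -ld "$f" | awk '{ print substr($1, 8, 3) }')
    [ "$other" = "---" ] || printf '%s\n' "$f"
  done
}

# Remediation: restrict every world-accessible file in the directory to its
# owner, which is the "appropriate file permission" the answer refers to.
restrict_to_owner() {
  world_accessible "$1" | while IFS= read -r f; do
    chmod 600 "$f"
  done
}

# Stand-alone report when run directly
echo "UIDs shared by more than one account:"; shared_uids "$PASSWD_SAMPLE"
echo "Accounts with no password set:";        no_password_accounts "$SHADOW_SAMPLE"
echo "World-accessible sensitive files:";     world_accessible "$SENSITIVE_DIR"
```

The third "A", audit, is left out of the script because enabling login and file-access logging is done through OS-specific tooling rather than portable shell; the same User's Guide approach applies, but the commands differ per platform.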