"You can't just write a policy, put it in a binder, label it 'HIPAA Security Rule Compliance' and call it a day. And you can't assume that the physical safeguards are administrative in nature. For example, in the area of device and media controls, how do you keep someone from carrying off EPHI (that's electronic protected health information) using one of those little USB flash devices? Do you disable USB ports on all computer systems, or can you disable the use of such devices through Active Directory or third-party software?" Full story here.
Got a similar story? Please share it in the comments. We'd love to hear from you!
Thursday, May 12, 2005
30 Days Out
From ComputerWorld comes this charming and "Oh, yeah!"-provoking account of security manager C.J. Kelly's frantic 30-day HIPAA compliance assist to the agency's ISO.