In a companion article, "What is HIPAA?", I present a summary of the new federal law called HIPAA that affects the healthcare industry. My particular interest in this law, like that of many readers, is obviously the portion of the rules that applies to computer security. All healthcare organizations will be reviewing and changing their computer systems over the next two years to meet the HIPAA security deadline of April 2005. (Smaller organizations have until April 2006.)
Reading the security rules is quite a nightmare, however. The paragraphs, subparagraphs, and bullet points are nested at least five levels deep. To help you get started, this article provides a brief summary of the security rules, with some pointers about how they apply specifically to Domino and Notes. I also include a link to a HIPAA audit tool I developed as a Notes database.
The HIPAA security rules are divided into three main sections, along with two other paperwork requirements.
Some parts of the security rules particularly relate to Domino and Notes, and are made easy by features of these products.
An important point to understand about the security rules is that each line item is marked as either "required" or "addressable." Required means what you think: you must do it. Addressable means that you are not required to do the item. But if you do not, you must carefully document why not and what your alternative plan is to meet the same overall security goals. Many people misinterpret addressable as "optional." It does not mean optional.
Below is a link to the HIPAA security audit tool I created as a Notes database. Each detailed item of the security rules is a separate document in the database. Within each document are fields for: a summary of the item, full details of the item rules, the audit status of that item (not started, passed, failed), a flag to indicate if the item is required or addressable, and detailed results information.
http://www.chc-3.com/downloads/hipaa_security_audit.zip
This is the first public release of this tool, so it is not perfect. Feel free to improve the database and, if you want, send it back to me. I will add the best changes to the public copy.
Chuck Connell is president of CHC-3 Consulting, which helps organizations with all aspects of Domino and Notes. He also performs HIPAA security audits through his web site HipaaSecurityExperts.com.