I.T. guidelines to ensure HIPAA compliance?

I'm having a hard time getting my HR Department to understand that there are very strict policies, guidelines, etc., from an Information Technology perspective, that we need to follow to be sure that we're HIPAA compliant as an organization. However, I'm having difficulty putting my fingers on the specifics.

Does anyone know of a credible source where I can get such specifics?

Thank you,
Ed
 
[off-topic]
Let me guess:
-they want to have full access to employee data, in an Excel file....
-password to the file: $#$#$%RY HRHTYG RTH HGH (easily breakable with a password cracker)
-password to the computer (because the manager cannot remember more): 1234 (and that was a big fight up from just 1/an empty password)
-you disinfect their computers once a month because of "funny" emails from the chain of friends
-they had at least one ransomware infection in the last 2 years...
-untouchable (dil/sil of....)
-they want to work from home too/remote access with the same weak passwords....
[/off-topic]

Besides the link Mr Nice gave you, I would search for a couple of lawsuits and their awards to get them into scare mode.
It's the only thing that works with them, the moment you start talking technical.....

My best wishes to you for having to deal with this (the year is 2016, not 1989)
 
Originally Posted By: pandus13
[off-topic]
Let me guess:
-they want to have full access to employee data, in an Excel file....
-password to the file: $#$#$%RY HRHTYG RTH HGH (easily breakable with a password cracker)
-password to the computer (because the manager cannot remember more): 1234 (and that was a big fight up from just 1/an empty password)
-you disinfect their computers once a month because of "funny" emails from the chain of friends
-they had at least one ransomware infection in the last 2 years...
-untouchable (dil/sil of....)
-they want to work from home too/remote access with the same weak passwords....
[/off-topic]

Besides the link Mr Nice gave you, I would search for a couple of lawsuits and their awards to get them into scare mode.
It's the only thing that works with them, the moment you start talking technical.....

My best wishes to you for having to deal with this (the year is 2016, not 1989)


Most of what you say is true...but it's worse than that; all 700+ employees have local Administrator rights and because I work for a school...if "we" (in IT) step on their toes more than they would like, they'll scream "ACADEMIC FREEDOM" and report us to the SEIU Union thugs. If we step on their toes too hard...the Union will do what they can to fire me, even though I'm Union (unfortunately) also.

Ed
 
One step at a time, my friend, one step at a time...
-deal with HR (scare them good!)
-!!! keep everything about this in writing!!! (if the axe comes down, you want to show you were forced, and by whom. It's very easy to say "IT's fault, they told me to")
-for the others, if you don't have 1,000 computer configurations, build 3-4 USB sticks with the clean image of the computer and overwrite (what? you need your files and you didn't have a backup?). Only be careful if they need their local files.... if they need them, I would not do anything on-site, but keep the machine for 2 days off-site and clean it/re-install it in quiet, on your terms......
or always have a clean computer ready to deploy at the bigger sites (for speed)

Experience: dealt with a university (as in multiple faculties + multiple sites) for 4 years, about 12 years ago....different country, same potato heads....
 
You can have a security audit done by a 3rd party if you are having issues convincing them.

The 3rd party can usually give a 1-day spiel too, for free or at low cost, as part of the sales pitch; and it carries more weight if your voice is already being disregarded.

IF you're in Education though, you may have already lost the audience if you're saying you need to comply with HIPAA, unless you're dealing with Patient and health records...
 
The one constant in all this, as mentioned above, is document everything and keep those records in hard-copy folders stored in one place, properly secured. Document sources, regulations, instructions, people, and communications in great detail, and if in doubt, put it in the record.

We went through a HIPAA compliance issue and although we got one step wrong, our reference to the HIPAA documentation showed a reasonable, if slightly incorrect, interpretation of a vaguely worded regulation and our good-faith efforts to comply. Everything was settled very quickly to the satisfaction of all parties involved. The one saving grace was the involvement of a 3rd-party audit service and our obvious efforts to strictly comply with the rules and regulations.
 
I used to work in banking and we had to PROVE to auditors that we were FFIEC and HIPAA compliant. I'm just shocked that educational institutions aren't audited because, I'll bet, 90% are not compliant. The Faculty will absolutely pitch a fit and their heads will explode if you do anything that makes their life more difficult! They will *butch* up a storm if you make them change their logon password more than every 90 days, restrict file shares, not allow FTP and desktop RDP access from offsite, etc., etc. The list is endless.

Ed
 