Re: Security Question
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Sun, 25 Jun 2006 21:05:14 -0400
From: "Stranger" <stranger@xxxxxxxx>
| Hi Dave,
|
| That is a huge part of my concern. We are in the transition phase of
| switching to all electronic records. However, in the meantime, employees do
| have information on their home drives. Or at times when remoting them I will
| see patient information on their screens. I'm trying to explain to the CEO
| that we really should not allow the connection to the network. Do you know
| where I can find the regulation that would show this?
|
| I really appreciate your help.
|
No. I am not a lawyer nor an expert on the federal regulations surrounding HIPAA.
I stated the permission/privilege concept in general terms. If the data is protected by
Domain Account privileges and NTFS permissions then the data would be protected.
Give the consultant ONLY enough capability to perform the overall duty without direct access
to medical records. If this cannot be done or the change in your computing model makes it
too difficult then deny this action. Otherwise you will need to have an internal IT person
on staff, who is thus an employee who signed employee confidentiality documents.
It may be possible that you might be covered by HIPAA regulations if the outside consultant
signs confidentiality documents. I don't know. That's one for the lawyers.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm