[optimal] Re: HIPAA Security initiative

  • From: "Hess, Ditte" <dhess@xxxxxxxxxxxxx>
  • To: "'optimal@xxxxxxxxxxxxx'" <optimal@xxxxxxxxxxxxx>
  • Date: Mon, 20 Feb 2012 09:20:35 -0500

Hi Jim,

Thanks for your response - Rick just joined Optimal and he is looking forward 
to sharing information on this subject!!

Ditte



Ditte J. Hess, CRA
Dir. of Photographic Educational &
Research Training Programs
Bascom Palmer Eye Institute
900 NW 17th Street
Miami, FL 33136
Phone (305) 326-6000 x6280
EMail dhess@xxxxxxxxxxxxx
Web http://www.bascompalmer.org
The information contained in this transmission may contain privileged and 
confidential information. It is intended only for the use of the person(s) 
named above. If you are not the intended recipient, you are hereby notified 
that any review, dissemination, distribution or duplication of this 
communication is strictly prohibited. If you are not the intended recipient, 
please contact the sender by reply email and destroy all copies of the original 
message.
Please consider the environment - do you really need to print this email?

From: optimal-bounce@xxxxxxxxxxxxx On Behalf Of James Strong
Sent: Friday, February 17, 2012 9:15 AM
To: optimal@xxxxxxxxxxxxx
Subject: [optimal] Re: HIPAA Security initiative

One thing to keep in mind here is that DICOM and HIPAA are two completely 
different animals and don't have much to do with one another. An instrument 
being DICOM compliant doesn't mean it will be HIPAA-fied.

DICOM is a "standardised" data structure, which means an instrument that is DICOM 
compliant "should" be able to exchange data with other DICOM compliant systems. 
Be aware that DICOM isn't a silver bullet for data/system integration; there 
are varying "flavors" or dialects of DICOM. If the two pieces don't speak the 
same dialect then things get much more complicated.

HIPAA deals with keeping Protected Health Information safe and has multiple 
facets, some of which are as simple as password-protecting systems that 
contain PHI, individual log-ins to such systems, and audit trails for data 
access, i.e. who is looking at what data.

While DICOM-izing an instrument may ultimately push your data into a HIPAA 
compliant system, it doesn't make the instrument itself or the data it can 
access HIPAA compliant.

If it were my project, I'd ask my HIPAA expert to come to clinic and look at 
the instrument with me so they understand how it is used, and then generate a 
specific list of concerns and pose that to the vendor.

That said, I think this is a GREAT thread and am also VERY curious if someone 
out there has gone through the process from the perspective of a large 
institutional hospital, because it's going to be very interesting. 
Unfortunately I don't know that there will be one absolute answer; I think the 
way HIPAA has been constructed, it leaves much open to interpretation.

j-
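
Added example, not code from this thread or from any instrument vendor: a minimal reader for the DICOM Part 10 file format that makes two of James's points concrete. First, the "dialect" problem: a reader that only understands some transfer syntaxes (here explicit and implicit VR little endian) will refuse a perfectly DICOM-compliant file written in another one. Second, the HIPAA point: patient name, ID and birth date sit in plain header elements, so DICOM-izing an instrument moves PHI around rather than protecting it. All function names, the sample datasets (constructed inline, no real patient data) and the short PHI tag list are assumptions of this example; the tag list is an illustrative subset, not the DICOM de-identification profile.

```python
import struct

PREAMBLE_LEN = 128
MAGIC = b"DICM"
TRANSFER_SYNTAX_TAG = (0x0002, 0x0010)
EXPLICIT_VR_LE = "1.2.840.10008.1.2.1"
IMPLICIT_VR_LE = "1.2.840.10008.1.2"
EXPLICIT_VR_BE = "1.2.840.10008.1.2.2"   # a dialect this reader was never taught

# VRs whose explicit-VR encoding carries a 2-byte reserved field and a 4-byte length
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}

# Direct identifiers; illustrative subset of what a de-identifier would scrub
PHI_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
}


def _read_explicit(buf, pos):
    """Decode one explicit-VR little-endian element; return (tag, value, next_pos)."""
    group, elem, vr = struct.unpack_from("<HH2s", buf, pos)
    pos += 6
    if vr in LONG_LENGTH_VRS:
        (length,) = struct.unpack_from("<I", buf, pos + 2)   # skip 2 reserved bytes
        pos += 6
    else:
        (length,) = struct.unpack_from("<H", buf, pos)
        pos += 2
    if length == 0xFFFFFFFF or pos + length > len(buf):
        raise ValueError(f"bad length for tag ({group:04X},{elem:04X})")
    return (group, elem), buf[pos:pos + length], pos + length


def _read_implicit(buf, pos):
    """Decode one implicit-VR little-endian element: no VR on the wire, 4-byte length."""
    group, elem, length = struct.unpack_from("<HHI", buf, pos)
    pos += 8
    if length == 0xFFFFFFFF or pos + length > len(buf):
        raise ValueError(f"bad length for tag ({group:04X},{elem:04X})")
    return (group, elem), buf[pos:pos + length], pos + length


def parse_dicom(data):
    """Return (transfer_syntax_uid, {tag: raw_value}); raise ValueError if unreadable."""
    if len(data) < PREAMBLE_LEN + 4 or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        raise ValueError("not a DICOM Part 10 file: missing DICM magic")
    pos = PREAMBLE_LEN + 4
    meta = {}
    # The file meta group (0002,xxxx) is always explicit VR little endian whatever
    # dialect the body uses; it is where a reader learns the body's dialect.
    while pos + 4 <= len(data) and struct.unpack_from("<H", data, pos)[0] == 0x0002:
        tag, value, pos = _read_explicit(data, pos)
        meta[tag] = value
    if TRANSFER_SYNTAX_TAG not in meta:
        raise ValueError("file meta lacks Transfer Syntax UID (0002,0010)")
    ts = meta[TRANSFER_SYNTAX_TAG].rstrip(b"\x00 ").decode("ascii")
    readers = {EXPLICIT_VR_LE: _read_explicit, IMPLICIT_VR_LE: _read_implicit}
    if ts not in readers:
        raise ValueError(f"unsupported transfer syntax {ts}: reader does not speak this dialect")
    dataset = {}
    while pos + 8 <= len(data):
        tag, value, pos = readers[ts](data, pos)
        dataset[tag] = value
    return ts, dataset


def phi_elements(dataset):
    """Map PHI tag names to their ASCII values for the PHI tags present in dataset."""
    return {name: dataset[tag].rstrip(b"\x00 ").decode("ascii")
            for tag, name in PHI_TAGS.items() if tag in dataset}


def check_compatibility(data):
    """(True, transfer_syntax) if this reader speaks the file's dialect, else (False, reason)."""
    try:
        ts, _ = parse_dicom(data)
        return True, ts
    except ValueError as exc:
        return False, str(exc)


# --- constructed sample files (fictitious ophthalmic photo header, no real data) ---
def _pad(value, pad_byte):
    return value + pad_byte if len(value) % 2 else value   # DICOM values have even length


def _explicit_element(group, elem, vr, value):
    value = _pad(value, b"\x00" if vr in (b"UI", b"OB") else b" ")
    if vr in LONG_LENGTH_VRS:
        return struct.pack("<HH2sHI", group, elem, vr, 0, len(value)) + value
    return struct.pack("<HH2sH", group, elem, vr, len(value)) + value


def _file_meta(transfer_syntax):
    """Preamble + magic + a minimal meta group (version and transfer syntax only)."""
    return (b"\x00" * PREAMBLE_LEN + MAGIC
            + _explicit_element(0x0002, 0x0001, b"OB", b"\x00\x01")
            + _explicit_element(0x0002, 0x0010, b"UI", transfer_syntax.encode("ascii")))


SAMPLE_BODY = [  # (group, elem, VR, value)
    (0x0008, 0x0020, b"DA", b"20120217"),   # StudyDate
    (0x0008, 0x0060, b"CS", b"OP"),         # Modality: ophthalmic photography
    (0x0010, 0x0010, b"PN", b"Doe^Jane"),   # PatientName      (PHI)
    (0x0010, 0x0020, b"LO", b"MRN-12345"),  # PatientID        (PHI)
    (0x0010, 0x0030, b"DA", b"19700101"),   # PatientBirthDate (PHI)
]


def sample_explicit_le():
    return _file_meta(EXPLICIT_VR_LE) + b"".join(
        _explicit_element(g, e, vr, v) for g, e, vr, v in SAMPLE_BODY)


def sample_implicit_le():
    """Same dataset in the implicit-VR dialect: tag, 4-byte length, value, no VR."""
    return _file_meta(IMPLICIT_VR_LE) + b"".join(
        struct.pack("<HHI", g, e, len(_pad(v, b" "))) + _pad(v, b" ") for g, e, _, v in SAMPLE_BODY)


def sample_unsupported():
    """Valid Part 10 header announcing a dialect this reader does not implement."""
    return _file_meta(EXPLICIT_VR_BE)


if __name__ == "__main__":
    for name, blob in [("explicit LE", sample_explicit_le()), ("implicit LE", sample_implicit_le()),
                       ("explicit BE", sample_unsupported())]:
        ok, info = check_compatibility(blob)
        print(f"{name}: readable={ok} ({info})")
        if ok:
            print("  PHI in header:", phi_elements(parse_dicom(blob)[1]))
```

The point of the third sample is the one James makes: both the reader and the file are "DICOM compliant", yet nothing is exchanged until the dialect matches. And the PHI dump from the first two shows why a DICOM-enabled instrument still needs the access controls and audit trail he lists; the identifiers travel in the clear inside the file itself.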
