Where can I find a clear and concise statement of HIPAA security standards on which I can evaluate my WAN?
So far I have found thousands of pages regarding privacy or new formats for claims, EOBs and eligibility verification. But where are the criteria against which I can judge or configure my Windows 2000 WAN?
The HIPAA security rule is still in its proposed form, but it's most likely not going to change much once it's finalized (supposedly in October 2002). You can view the current draft of the security rule at http://aspe.os.dhhs.gov/admnsimp/nprm/secnprm.pdf. In a nutshell, the rule is divided into four categories: Administrative Procedures with 12 requirements; Physical Safeguards with six requirements; Technical Security Services with five requirements; and Technical Security Mechanisms with one requirement. In addition, there's currently an electronic signature standard, but word has it that this will be dropped in the final version of the rule.
Like any good security standard, the HIPAA security rule is based more on policies, procedures and business processes than it is on technology. The requirements are designed to be scalable and technology neutral, thus there are no specific technology requirements for system hardening, encryption algorithms, security infrastructure, etc. The rule tells you what to do, not how to do it. There's a chance that the final security rule will be based on NIST, ISO or other security standards, which will make it much easier to find documentation on how to implement the proper systems and comply. For more information on the HIPAA security rule, check out the following URLs:
Frequently asked questions about security and electronic signature standards
HIPAAdvisory standards for security and electronic signatures
HIPAA security rule FAQ
Five good reasons to get started on HIPAA security compliance