HIPAA / personnel question. - TechRepublic
General discussion
January 24, 2005 at 09:05 AM
graeme

HIPAA / personnel question.

by graeme. Updated 21 years, 5 months ago

Bear with me – the question is at the end!

Scenario:

1. We have installed a brand new network to help a small not-for-profit in the medical sector become HIPAA compliant – as well as HQ there are some remote sites that VPN back to base. For email, travelling staff have OWA to an Exchange Server from wherever they are.

2. As part of the contract we offered initial training for their whole staff and enhanced training for their “in-house” tech. We also provided a boilerplate “Acceptable Computer Use Policy” which is a rather large document that can be edited to suit the particular organization’s modus operandi.

3. We are retained to assist the in house tech with maintenance and as an oversight to their in-house actions.

It is a nice on-going maintenance contract.

This weekend it was pretty obvious from our security measures that someone had made a casual attempt to try obvious usernames/passwords to access the server. The IIS log trapped the IP address of the attempt(s), and we have been able to demonstrate that the attempt was from an employee’s home address and that they used the first part of their OWA to at least get themselves in the ballpark as to the IP address to try to get to the server from.

We turned the matter over to the “in-house” tech and the organization’s HR department with the appropriate parts of the server logs.

This incident demonstrated that the organization HAD completed and communicated the Acceptable Computer Use Policy and DID include the recommended clause stating that attempting to access areas outside a user’s credentials could lead to disciplinary action. But we discovered that the organization had NOT obtained a signature to acknowledge communication of the policy.

Now at one level – the state the organization operates in is a “hire and fire at will” state. So they can just let the non-contracted employee go with no reason given – if they choose to.

But it has also become apparent that it is a general policy of the organization’s HR department to NOT have employees sign ANYTHING in the way of training or policy documents – whether it is an IT matter or anything else!

Now we come to the question!

I have communicated to the “in-house” tech (our principal point of contact) that we consider this to be a gross oversight on their part – because it makes it hard for the organization to prove they are attempting to be compliant with ANYTHING – let alone HIPAA.

Their tech agrees but feels their hands are tied.

We feel we are covered because we have communicated the concern.

Does anyone have experience with this situation and possibly examples of HIPAA problems with an approach like this so we can give their tech some ammunition with their HR department?

TIA
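The detection the post describes (spotting a burst of failed OWA logons in the IIS log and attributing it to a source IP) as an added example; this is not code from the original post or from the poster's environment. It parses an IIS 6 W3C extended log and flags any client IP that produces a burst of 401 responses against the OWA virtual directory. Everything in it is constructed: the log lines, addresses and user names are made up, the threshold and time window are assumptions, and it assumes Exchange 2003 OWA under /exchange/ with Basic authentication, where a rejected credential is logged as 401 with the attempted name in cs-username.

```python
"""Flag password-guessing attempts against OWA in an IIS 6 W3C log.

Added example, not from the original post. The sample log below is
constructed for illustration. Assumption: OWA 2003 lives under /exchange/
with Basic auth, so a bad logon is logged as sc-status 401 (substatus 1)
with the tried account in cs-username; the very first request from a
client, before it sends credentials, is also a 401 (substatus 2) with "-".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Field order comes from the #Fields directive, which
# the parser reads rather than assuming a fixed layout.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-01-22 23:58:01
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-substatus
2005-01-22 23:58:01 203.0.113.77 - 192.0.2.10 443 GET /exchange/ - 401 2
2005-01-22 23:58:09 203.0.113.77 CORP\\administrator 192.0.2.10 443 GET /exchange/ - 401 1
2005-01-22 23:58:20 203.0.113.77 CORP\\admin 192.0.2.10 443 GET /exchange/ - 401 1
2005-01-22 23:58:31 203.0.113.77 CORP\\jsmith 192.0.2.10 443 GET /exchange/ - 401 1
2005-01-22 23:58:44 203.0.113.77 CORP\\jsmith 192.0.2.10 443 GET /exchange/jsmith/ - 401 1
2005-01-22 23:59:02 203.0.113.77 CORP\\root 192.0.2.10 443 GET /exchange/ - 401 1
2005-01-22 23:59:30 198.51.100.5 - 192.0.2.10 443 GET /exchange/ - 401 2
2005-01-22 23:59:38 198.51.100.5 CORP\\mjones 192.0.2.10 443 GET /exchange/ - 200 0
2005-01-23 00:05:10 198.51.100.5 CORP\\mjones 192.0.2.10 443 GET /exchange/mjones/Inbox/ - 200 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line appears before a #Fields directive")
        values = line.split()  # W3C format is space-delimited; IIS never logs a space inside a field
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip it rather than misalign columns
        yield dict(zip(fields, values))


def max_in_window(times, window):
    """Largest number of events that fall inside any interval of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_guessing(text, threshold=5, window=timedelta(minutes=10), prefix="/exchange"):
    """Return {client_ip: (peak_401s_in_window, sorted_usernames_tried)} for IPs at or above threshold.

    threshold/window are assumed tuning values. Counting per IP over a window,
    rather than alerting on any single 401, avoids flagging the normal
    pre-credential challenge that every OWA session starts with.
    """
    per_ip = defaultdict(list)
    for rec in parse_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith(prefix):
            continue
        if rec["sc-status"] != "401":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        per_ip[rec["c-ip"]].append((ts, rec["cs-username"]))

    hits = {}
    for ip, events in per_ip.items():
        peak = max_in_window([t for t, _ in events], window)
        if peak >= threshold:
            # "-" is the anonymous challenge, not a guessed account, so leave it out
            names = sorted({u for _, u in events if u != "-"})
            hits[ip] = (peak, names)
    return hits


if __name__ == "__main__":
    for ip, (count, names) in find_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed OWA logons, accounts tried: {', '.join(names)}")
```

On a real server, read the day's file from the W3C log directory (ex050122.log for the sample date) and pass its contents to find_guessing; the list of distinct accounts tried per IP is what turns a count into the "obvious usernames/passwords" story the post relates, and the timestamps and IP are what you hand to HR alongside the raw log extract.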
