Wednesday, December 28, 2005

Save Me From Being Alone

This article is a good example of why I subscribe to SearchSecurity.com.


Everyone knows users are the soft spot in security programs. They've even confessed in recent surveys that they take more risks at work -- opening strange email attachments, clicking bizarre IM links and downloading dubious programs -- because they can. Phish scams and spyware, the two major malware trends in 2005, will continue to proliferate with the aid of increased technical proficiency and sophisticated social engineering. Already we've quickly gone from phony financial Web sites to human-resource e-mails to fake jury duty notices and false subscriber notifications. That means security must continue to save us from ourselves. Just be aware some of the biggest offenders are probably sitting in the boardroom.

This is an excellent round-up of the security issues of the last year, including compliance issues, and identity theft, both of which should be of interest to readers here.

Tuesday, December 20, 2005

21 and Invincible

From Benefitnews.com comes an outstanding six step plan for securing PHI:

Certainly this "reasonable safeguards" benchmark is open to interpretation. The good news is this benchmark accounts for the fact that no security system is invincible. The bad news is that if you've failed to review how your benefits office handles PII, identify risks, mitigate those risks, educate your employees, etc., a reasonable individual will find that you did not put in place reasonable safeguards to secure PII. Doing nothing is not an option.

As the writer points out, most information loss comes from humans, not faulty machines, and most of that is non-malicious, just plain old human error.

Tuesday, December 13, 2005

You Can Demand

Here is a on-demand webinar from Citrix about GoToMyPC. It is an extended commercial, of course, but there is a ton of info, and one of the speakers is Ross McKenzie, Director of Information Systems at Johns Hopkins Bloomberg School of Public Health.

As a healthcare industry professional responsible for complying with HIPAA standards regulating patient information, you need to know about Citrix® GoToMyPC® Corporate, a managed remote-access solution that that can help your organization meet HIPAA compliance guidelines while improving patient care, increasing speed of service and reducing IT costs. Join us for a 30-minute interactive Webinar to learn how Johns Hopkins Bloomberg School of Public Health has provided its faculty and staff with secure, easy-to-use remote access. Plus, discover how GoToMyPC Corporate can provide your organization with instant, secure remote access to email, files, applications and network resources in real time. Key benefits of GoToMyPC Corporate:
Highly secure, 128-bit encryption, security time-outs and strong passwords
Supports compliance with HIPAA provisions
No up-front costs or hardware to manage
No training required
Who should watch the on-demand Webinar?
Managers who need the highest level of security and control over remote workers
Budget owners who need to manage costs of implementing IT solutions
Network administrators who need to ensure compatibility with existing architecture
Those responsible for ensuring HIPAA compliance

Some of our regular visitors to this site are from Johns Hopkins, so it is nice to be able to send a referral back that way, however indirect :)

Charles Atlas

Outstanding article from TechWorld on the conflict between IT securtiy and regulatory compliance:

This is the biggest flaw in compliance – that a network that has been audited as meeting its legal obligations is seen as somehow acceptably secure. No network ever will be secure in this sense. Procedures can be laid down in black and white but they will never be followed correctly at all times. Mistakes will be made and unforeseen threats will emerge.

Regulations, by their nature, are static, while IT security is dynamic, reacting to new threats, anticipating future attacks, working to shore up previous weaknesses and new vulnerabilities. HIPAA tried to address this dichotomy by making the regulations non-technology specific, and to some extent it worked. But there is still that dynamic tension between the 97 pound weakling of your IT budget and the bully who is kicking regulatory sand in his face.

Hi Heel Sneakers

3Com wants to hack your sytem, but unlike Sony, they are on your side. Ethical hacking has been around for a long time, and invasive security audits are nothing new--- a very amusing movie was built around the concept a few years ago. "Sneakers" had Robert Redford, Dan Acroyd, and hacking banks--- what could be more fun?
NetworkWorld has this to say about it--- the 3Com thing, not Robert Redford:

In three days or more of onsite testing, the experts would run a variety of tests and assessment tasks, including network mapping, scanning and password cracking. They would attempt to gain access to machines and move up the hierarchy of system privileges on corporate servers - from guest to admin to root access. Emulation of blended attacks on the customer network, penetration testing and evasion techniques are also used.

For a few thousand dollars, you can know for certain if you are Security Rule compliant. Might be worth it.

Friday, December 02, 2005

Take Out the Crime

Now this is really juicy! A HIPAA compliance officer, whose former employers are saying is unreliable, is claiming that HIPAA required her to sit in on interviews of a shooting victim. Her testimony conflicts with everyone else's, including the hospital administrators who seem to be puzzled that she would have been involved.

Chartraw said her job responsibilities included ensuring a patient could submit to an interview and sitting through interviews with law enforcement officers to monitor patients' conditions throughout the interview. All three witnesses said no hospital policy required a HIPAA officer to sit through interviews or monitor patient conditions. The prosecution presented a letter from the hospital's attorney dated prior to Hilde's admittance that reiterated that HIPAA has no such requirement.

HIPAA is so wonderful! It means so many different things to so many different people. In this case, it seems to mean that a compliance officer can insert herself into a real life version of CSI. Or so she would seemingly have us believe.

Driving with the Brakes On

As we move closer to a national health records system, it is important to remember that our consumer is probably going to push back. This recent survey reported in SHRM Online found that 67 percent of Americans are concerned about the privacy of their personal health information and are largely unaware of their rights. And a major concern was that employers would use medical information to discriminate against workers.

Though there is no evidence of massive disregard for the privacy rules, fear of job repercussions is not entirely unfounded.

In 1998, for example, an Atlanta truck driver lost his job when his employer learned from his insurance company that he had sought treatment for a drinking problem, according to one of scores of stories about privacy breeches posted on the Health Privacy Project’s web site.

“The fear of disclosure, the fear of loss of benefits, the fear that people will be adversely affected in their jobs continues,” project director Janlori Goldman told HR News.

The most concerned? Minorities and those with on-going health problems.

Two Dice and a Silent Disguise

Unintentional Truth Department---- from TMCnet:

The scramble to comply with legislated security initiatives such as the Final Rule of the Health Insurance Potability and Accountability Act...

Yes, many of us find parts of HIPAA hard to swallow.

Over all, though shot through with annoying typos, this article provides a pretty good overview of many of the issues of compliance and enforcement of the Security Rule, including many of the reasons many of us are less than fully compliant.
Here is the money quote:

According to Amith Viswanathan, a healthcare industry analyst at Frost and Sullivan, private practices “rely heavily on their venders to be complaint” ... as opposed to actively pursuing compliance themselves.

Relying on your vendors to make you compliant is like driving without insurance, and hoping if you do get in an accident, that the other driver is covered.

Wednesday, November 30, 2005

William Tell Overture

Still struggling with compliance? You are not the Lone Ranger. A HIPAA compliance survey released by HIPAAdvisory.com found that only 30% of payer organizations and 18% of provider organizations were currently compliant with HIPAA security regulations. If you are a provider who falls into that unhappy 82%, it is only a matter of time before someone has a complaint. So far, the HIPAA cops have been pretty easy, preferring that you remediate rather than be penalized. How did we get to this place, even though we have been given years to compy? Security expert Joe Malec thinks there are a number of reasons:

Fearful of lawsuits and hefty civil penalties, some public and private institutions have erred on the side of caution, implementing more stringent HIPAA safeguards than were originally intended. Since the law is intentionally vague on what companies should do to comply, organizations would rather be safe than sorry. Even with the best of intentions, some standards for controls have had to be decided by the courts. One company that learned this the hard way was BJ Wholesalers, which just recently settled with the Federal Trade Commission over charges of failing to adequately safeguard sensitive customer information on their systems.
Then there's the required cultural shift. Beyond the technical safeguards, companies also need to promote security awareness and ethics training as well as education and enforcement of corporate security policies and procedures covering topics such as password standards, encryption and data classification. Such a level of cooperation has been hard to come by. Compliance laws have put more pressure on IT security and on enterprise users who ultimately make or break any approved security program. Political battles and fallout are new to some IT workers.

So what do we do?
For smaller practices, there is probably no way around it. You are just going to have to go to a hired gun. Just yesterday I was chatting with another consultant, and he passed on the story of a 4 doctor practice who decided that they would just roll the dice, not spend the few thousand bucks it would take to make their new systems compliant, and just hope that nobody complains. Because my friend is a pretty ethical guy, he turned down the gig, because he knew that particular shortcut had every possibilty of turning out bad. There are a lot of ways to save a nickle, but failing to take the required steps to protect your patients PHI is a very pound-foolish one.

Monday, November 28, 2005

Baby Got Back

A whole new category of PHI---

Fatter rear ends are causing many drug injections to miss their mark, requiring longer needles to reach buttock muscle, researchers said Monday.
Standard-sized needles failed to reach the buttock muscle in 23 out of 25 women whose rears were examined after what was supposed to be an intramuscular injection of a drug.

Next time someone asks you why they need to keep health information confidential, just remind them of how easy it would be to figure out what the king-size needles are for.

Rocket Man

Most PHI fits nicely into a traditional structured database, but some things, like x-ray images, and other graphical PHI, sometimes do not. XML is a general-purpose markup language for creating special-purpose markup languages, capable of describing many different kinds of data. One of the DB products mentioned below is Windows SQL Server 2005. I will be attending a product launch for this tomorrow--- I'll let you know what Uncle Bill's minions have to say.

"Databases have done a very good job of storing structured data -- but with unstructured data they have not," said Noel Yuhanna, an analyst at Forrester Research Inc., in Cambridge, Mass.
Reaching into that unstructured data to extract information is one pressing integration issue. The other is interoperability -- being able to get information using data from different applications, which may run on different operating systems.
With IBM's DB2 Viper, Microsoft's SQL Server 2005 and Oracle's XML DB feature in 9i and 10g, all three major database vendors are now offering XML capability, which allows a database to query the content of files that are not in relational database form. Bernie Spang, director of databases at IBM, estimated that 35% of business information is already in XML, compared with only 15% in traditional relational databases.

Tuesday, November 22, 2005

Scene Report

Here is a little more of the tension between journalists and privacy. I am a firm supporter of the first amendment--- in fact my first blog was about first amendment issues. I also was a reporter for a couple of years, and I understand the frustration many writers have when trying to gather information or confirmation. No one in the news biz wants to be simply a stenographer. But as recent developments have shown us, the press is not above blame. And even though I agree with three-fourths of this editorial from the College Heights Herald in Bowling Green, Kentucky, I am not willing to hand off privacy decisions to the fourth estate.

HIPAA isn't entirely bad. It makes an attempt to improve health care in this country, but that comes at the expense of press freedom. Some will undoubtedly disagree, but we feel precedence should go to the First Amendment issue. The right to privacy is implied, but not written.Surely there is a way to reconstruct HIPAA in a way that protects the individual with regard to health insurance while allowing journalists to obtain pertinent information for accurate stories.Journalists may not be licensed, but we take our work seriously. We are more than capable of knowing the difference between using information for the public good and abusing it. Have a little faith in our profession.

I would like to, but then I am reminded of Jayson Blair, Jeff Gannon, and others who have shown that some reporters are no more trustworthy than the people they cover, and unlike a hospital administrator or rogue physician, are already protected from the consequences of whatever they report by that very same first amendment.

Friday, November 18, 2005

Man (Opposable Thumb)

Pay attention! If it makes the front page of MSNBC, soon it will be affecting you!

It was just a tiny thumb drive, but now, it's a pretty big problem for a Hawaii hospital. And what happened there could eventually become a problem for you, too.
Last month, Wilcox Memorial Hospital in Kauai had to inform 120,000 past and present patients that their private information had been misplaced. Their names, addresses, Social Security numbers, even medical record numbers had been placed on one of those tiny USB flash drives -- and now, according to a letter sent home, the drive was missing.
The device had been misplaced in early October, and hasn't been heard from since, said hospital spokeswoman Lani Yukimura. While medical information was not on the device, it would be a treasure trove for an ID thief who found it. Once plugged into any computer’s USB port, a finder would have access to about as many identities as ChoicePoint Inc. leaked to criminals last year. So why has the Wilcox incident gotten so little attention?

Oooh! Oooh! Oooh! I know the answer to that one!
Nobody has gotten nailed by a multi-million dollar class-action suit yet.
But they will. Trust me, they will.
Please don't let it be you.

Block Lockdown

Speaking here as an IT guy, we have a love/hate relationship with USB thumb drives, or "geek sticks" as we used to call them. On the one...er...hand, they are handy, portable, fast and easy to deploy. On the other is the fact that they are generally as secure as post-it notes, and as easy to steal as the plastic flamingo on your neighbor's lawn. EnterpriseStorageForum.com has this to say about them:

Doctors or technicians, say, could be logged on to a system and be interrupted by an emergency. They may leave their desks without logging out. All it takes, then, is someone within the facility to slip a USB drive in and record confidential information. Even if such a scenario never actually happens, hospitals have to be able to prove that it didn't. The question is how?
This problem is compounded by the fact that doctors are notoriously opposed to heavy-handed security. They want nothing standing between them and rapid access to patient data. So a blanket lockdown on thumb drives and CDs could result in a backlash from physicians.

This piece is largely a commercial for a company that makes security software for storage devices, but the problem is real.

Thursday, November 17, 2005

California Uber Alles

Lisa Woodley, CMT, alerted me to this piece from the California Healthcare Foundation:

Conducted by Forrester Research, the survey reveals that—despite federal protections under HIPAA—two in three Americans are concerned about the confidentiality of their personal health information and are largely unaware of their privacy rights.
In addition, one in eight patients reportedly engages in behavior to protect personal privacy, presenting a potential risk to their health. More than half (52 percent) of respondents are concerned that employers may use health information to limit job opportunities, highlighting the implications of the privacy issue.
Yet despite these concerns, consumers report a favorable view of new health technology, with a majority (59 percent) willing to share personal health information when it could result in better medical treatment.

There are some pretty interesting conclusions here. Seems like we should be educating our patients, as well as our staff.

Friday, November 11, 2005

Just Dropped In (To See What Condition My Condition Was In)

More yummy HIPAA goodness from Monsters and Critics:

Scott Myers, Accenture`s managing director for health and life sciences, said the pilot projects would expose the critical issues around protecting privacy so the IT consortiums could develop the answers.
'Most people don`t know they will be able to tailor their consent to view medical records so a doctor only gets the information pertinent to their current condition,' Myers told UPI. 'Perhaps you think the orthopedist who`s fixing your broken leg doesn`t need to know about the STD you contracted four years ago and you want your psychiatric records off limits to everyone. You will be able to specify that in the new system, but you will need to know how. Once we learn how to do these things properly in the pilots, we need to create good education programs for both consumers and healthcare professionals so the system will work,' he said.

Thursday, November 10, 2005

All Rights Reserved

And speaking of TPO:

Court Upholds Use of TPO in HIPAA Privacy Case
The US Court of Appeals for the Third Circuit has upheld the use of personal health information (PHI) for use in treatment, payment, and operations (TPO) without consent as permitted in the HIPAA privacy regulations. The decision in the case Citizens for Health v. Leavitt (3d Cir., No. 04-2550) was handed down on October 31 and upheld a previous decision by the US District Court for Eastern Pennsylvania. Patient advocacy groups had argued that the HIPAA rules for release of PHI for these routine uses, without consent, violated First and Fifth Amendment rights of individuals. The courts decision can be found at http://www.ca3.uscourts.gov/opinarch/042550p.pdf.

*thanks to Lisa Woodley for passing on this item from the AHIMA Advantage e-alert.

We Laugh at Danger and Break All the Rules

Stuff like this makes me want to scream:

My son had been experiencing chest pain. On Oct. 11, the facility nurse spent a large amount of her workday on the phone trying to get care for my son, but HIPAA prevented my son from getting timely care. Ultimately, he was brought to the emergency room because, even with all the releases and consents I had signed, effective communication was blocked by fear of violating HIPAA.

No! No! No! No!
HIPAA was specidically set up to not interfere with TPO-- Treatment, Payment, and Operations. And there is a reason for the T being first.
There is no excuse for this, especially in Oregon, where there has been a concentrated effort at training.
Mental Health has its own HIPAA issues, and I have nothing but sympathy for the frustrations of this poor mother who gets to do the bureaucratic tango every time she wants a tissue. But for the love of little worms in apples, if the patient is having chest pains, treat the patient!

Revealed Secrets of the Whispering Moon

Man bites dog! Lions bunk with lambs! Mariners win the pennant!
OK, maybe not the last one, dangit. But almost. Here, from Monsters and Critics, is someone who thinks HIPAA doesn't go far enough!

'Simply put, we don`t think the legal protection under HIPAA is sufficient for the technological development planned -- we`re not opposed to the technology, but we feel there should be more safeguards when (transmitting) some medical information,' Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, D.C., told United Press International.


Put that way, I have to agree. Only problem, there is huge resistance to the technology as it is. As Mr. Rotenberg points out farther down in the article, the financial world has far more stringent safeguards, and they still get hacked. The technology is there, but the healthcare world lacks the will, the vision, and let's face it, the motivation or interest. Very few people enter the healthcare field hoping to work with encryption algorythms and virtual private networking protocols.
I love Monsters and Critics. They are not always right, but they always stir things up.

It Only takes One Bar (To Make a Prison)

Looks like some folks in the Delaware Department of Correction and Correctional Medical Services are hiding behind HIPAA:

Rep. Spence decided to call for research into HIPAA after a Monday night legislative public hearing, where scores of inmates or their families lambasted the state agency and the private company for poor care."We want to find out if there is a way we can look at some of these records," Rep. Spence said."It's very frustrating for us as elected officials because we want to find out what's happening, but it's hard to do that without medical records."There might be something we can do legislatively to help the situation."
Ronald D. Smith, the House attorney who will be charged with researching HIPAA, said he is not sure what his efforts will yield."HIPAA is a vast undertaking of federal legislation," Mr. Smith said."I have some familiarity with it because my wife is involved with medical record-keeping. You either have an exemption or you do not. You are not going to get a lot of give.

HIPAA is so dang convenient! No one understands it, everyone is afraid of it, and it lets you keep secrets! Mr. Smith, who is quoted above, demonstrates the problems with osmotive knowledge. His wife works in medical records keeping, so he is an expert! My ex-wife is an engineer with Boeing, so I can design airplanes! My oldest son is a french Chef, so lemme at that coq au vin! My across the street neighbor is a heart surgeon, so hand me that scalpel!
I am a little confused, though. Which "exemptions" are Mr. Smith talking about? Certainly he must know that a court can order those records examined. Surely he is aware that, as the article points out, the inmate can designate a personal representative.
In fairness to poor Mr. Smith, he was probably put on the spot, and very likely HIPAA is pretty far outside of his field of practice. It sounds like he is not going to let the Department of Corrections bamboozle him, at least not for long. Chances are, the real barrier is not some evil-doer covering up wrong, but some over-worked records clerk in the basement of a state facility who just doesn't understand how the whole thing works. In which case there is no need for new legislation, just a better training program, and perhaps better oversight of the patient notification of inmates.
If there is anyone in that cyclone of confusion who needs a consultant to help sort things out, give me a call. In the meantime, has anyone seen my retracters? I'm needed in surgery!

Monday, November 07, 2005

When I'm President

I am a little frightened by this--- President Bush is using the same examples here that I use when explaining privacy and portability issues:

'If you live in Ohio and you have to go down to Florida and you get in an automobile accident, an electronic medical record means your data (are transmitted) to the doctor in the emergency room ... just like that, as opposed to calling somebody, getting them out of bed, asking `could you please go find so-and-so`s file` and transmitting the information -- a speedy response to an emergency saves lives,' Bush said after touring the Cleveland Clinic last January.
'I`m sure people are out there saying, `I don`t want my medical records floating around so somebody can pick them up,`' the president continued. 'I presume I`m like most Americans -- I think my medical records should be private. I don`t want people prying into them, I don`t want people looking at them, I don`t want people opening them up unless I say it`s fine ... to do so.'

I would guess that Uncle George and I are seldom in agreement. Even so, it is a good example, and the article it comes from, in Monster and Critics, is a good one to show someone who isn't getting why this HIPAA stuff is all that important.

Jail Guitar Doors

Just think: if you continue to be a compliance slacker, you could be the cautionary tale. From IT Business Edge:

Question: Why haven't we heard much about HIPAA lately?

Armstrong: There haven't been any high-profile prosecutions yet under HIPAA. With Sarbanes-Oxley, you have people fined, going to jail, bankrupted. Sarbanes-Oxley has had a much greater impact on IT people and c-level executives. Organizations covered by HIPAA should be thinking about patient privacy anyway, and HIPAA, after all, is one big privacy policy. But until there is a headline about a hospital official going to jail over selling patient information, HIPAA won't be an effective deterrent. It all boils down to how the law is enforced. When you start throwing people in jail, it becomes a deterrent.

It really is just a matter of time.

The Diving Line

More on the WZZM Dumpster Dive Olympics:

We found billing information, doctors' schedules, and some very personal information. In one dumpster we found a personal information form that a patient filled out when they went to the doctor's office. It included the person's name, address, social security number, date of birth, and more. We even found one woman's entire hospital discharge report, with all of her diagnosis.

Reporter Amy Fox is doing a great job on this series, enough so that I wish I got WZZM--- maybe I should talk to my cable provider :)

Scary Indecision

When I speak at conferences, I always ask who is in compliance. Nearly every hand comes up, but by the end there are enough of the same dozen questions to let me know that far too many of us are not. Here is a horror story from WZZN in Grand Rapids, MI:

We looked at about a dozen unlocked, ungated dumpsters and found information in about half of them. The private information came from a handful of locations, out of tens of thousands of medical providers in Michigan. But, health care privacy laws are in place to make sure no personal patient information gets out.

If I were a greedier man, I would do a combination of dumpster diving and wardriving, and sell that information to a hungry litigator. Instead, I am working on the side of the angels, trying hard to nudge the healthcare world into the 21st century. Please, don't think that you can roll the dice, and just slide by with compliance. It isn't just HIPAA that will rise up and bite you: at least 16 states have far more draconian laws on the books.

Cherry Lips

Proof once again that I roam the far corners of the blogosphere so that you don't have to:

With benefits such as enhanced employee efficiency, greater overall business productivity and improved customer service and satisfaction, one would expect organisations to rush towards mobilising their workforce. However, in a recent IDC survey, the biggest inhibitor to enterprise mobility was the fear of unauthorised access.

A few days ago I was a speaker at a healthcare conference (I do that alot!) and afterword, as so often happens, I spent more time talking to participants in the lobby than I had spent in actual presentation. Some less than kind observers might say that indicates that less information is presented than is optimal, but I prefer to think that I had stimulated so much thought that there wan't time in the allotted Q&A to answer all of them.
At any rate, more and more I am being asked about wireless devices, not just wireless laptops and PDA's, but convergent devices as well. The article cited above, from CIO Asia, has the simplest, most direct answer to maybe half of the questions:

Treat mobile devices as part of your existing network
Mobile devices accessing corporate information via the Internet must be treated as an extension of your existing network and not as a separate network. Integrate the two authentication mechanisms to provide second level authentication, and centrally administer and manage devices from within the network to ensure that devices are regularly backed up and the latest security updates are applied.

Try the following experiment: sit with your wireless laptop in the parking lot of any multi-practice complex. If there are 50 practices, you will find 12-15 unsecured wireless networks available. This is unacceptable, and it is just getting worse.

Monday, October 31, 2005

Old Time Rock N Roll

Frequently I am asked at seminars and in trainings about families and their rights to Aunt Mandy's information. One of the biggest points of resistance to HIPAA compliance, especially among hospital front line workers, is the idea that someone calling from six states away might not be able to get information about a loved one.
We all know cases where this has happened, but we tend to forget that in spite of the concern and desire to know about Aunt Mandy, it may not be any of that person's business, and in fact that person might be the last one Aunt Mandy wants poking into her medical information. This is an old issue, but like many golden oldies it keeps making back onto the playlist. Another is the clergy who can no longer minister to his flock or print prayer requests in the church bulletin. Of course, if she wanted Reverend Finefellow at Aunt Mandy's bedside, there is nothing in HIPAA preventing him from being there, and in any case, the local congregation is not a covered entity, and how much they print in the bulletin is only governed by the limits of space and good taste.
This article, by Cindy Steltz in the Rochester Democrat and Chronicle, does a good job of covering some of the still lingering public concerns, and debunking some of the persistant myths. I'd like to see more of this kind of thing.

Rikki Don't Lose That Number

Further steps toward the dreaded patient identifier here in this report from the Commission on Systemic Interoperability. We know it is going to happen, we know that it really should happen, but when it actually does happen, be prepared for an enormous backlash from patients.

The group urged building on the Health Insurance Portability and Accountability Act (HIPAA) to develop national standards for authentication, authorization and security to gain consumers' confidence for connectivity. The standard could include a unique patient identifier, and Congress should strengthen protections under HIPAA by authorizing federal criminal penalties against those who intentionally access protected data without authorization, according to the commission.

"It is clear that electronic records, appropriately secured, provide a great deal more confidentiality than paper records. But the patchwork of often contradictory state laws, rules and cases preclude the development of a national health information network," said Scott Wallace, commission chair and CEO of the National Alliance for Health IT, an industry group. The commission recommended that AHIC begin work toward an interoperable drug record for all Americans by 2010 as a breakthrough case.


Tuesday, October 25, 2005

Welcome to the Machine

From Healthcare IT News:

In a memo to its employees last week, IBM announced it would allow employees to conduct online health risk assessments and create personal health records. The service, a joint offering from WebMD and Fidelity, initially will let employees enter information such as medication and medical history into the records. There's also a health tracker that allows users to enter data such as blood pressure readings. Another tool allows employees to check for any drug interactions with medications they are currently taking.

This is the wave of the future, I think. One of the consequences of HIPAA has been a growing interest by some in having better control and access to their own PHI. As long as there is some kind of verifiable, high wallseparationn between employee access and the employer providing it, this could be a very good thing. Of course, like everything else, it will be abused, but the growing awareness of the public of individual rights under HIPAA and other privacy laws will make any transgressions ugly, at least.
At the same time, there is some understandable discomfort with allowing your employer to potentially tap into your PHI. Recent events in the corporate realm haven't been comforting--- the lowered regulatory enthusiasm and the "anything goes" attitude shown by companies like Worldcom and Enron are making it difficult for many people to maintain any level of trust in MegaCorp, Inc, and that it is IBM at the forefront of this initiative has it's own sardonic flavor.

Monday, October 17, 2005

In the Lap of the Gods Revisited

I keep harping on this, but you know, its true: the greatest danger to your confidential information, including PHI, is from within. From SearchSecurity.com:

A new survey of Global 2000 professionals suggests laptops are most likely to be lost or stolen at work. And 90% of those missing devices contain confidential business information, such as sensitive e-mails, network passwords and proprietary documents. Add in that 82% are never recovered, and you've got a lot of corporate secrets circulating in the open.


It does no good to secure your fixed systems with encryption, multi-layer passwords, and biometrics and leave it possible for someone to just lift the keys to the kingdom in an unsecured laptop, PDA, or even web-enable cell phone or other convergent device. The worst part?

"When looking at how the respondents commented on their stolen laptop, many mentioned the physical security of the device but no one mentioned the information security of the device. In most circumstances, the information value contained on the laptop far outweighs the hardware/software value."

School Street

Perhaps I am missing something here, but this statement seems incorrect:

A school official said due to the federal HIPAA Privacy Rule, they could not identify the student. HIPAA stands for the Health Insurance Portability and Accountability Act.

The student came from the Kilpatrick Elementary Health, Science and Wellness Magnet School, but unless there is something more going on than the school name, I doubt that they are a covered entity.
At the same time, the Arkansas Department of Health issued this less than enlightening statement:

”We investigate any reportable infectious disease in the state that is contagious,“ said Ann Wright, spokeswoman with the ADH.

See if you can figure it out. The full story is here.

King's Lead Hat

Here is an update on the lead/privacy case in Ohio. From the First Amendment Center :
COLUMBUS, Ohio — A newspaper wants to report on homes, many of them rented, where lead paint has harmed children. The city health department fears federal fines and penalties if it complies with the state's open-records law.
In what attorneys say is one of the first such tests nationwide, the Ohio Supreme Court must decide if state law trumps the federal rule.
The 2-year-old federal Health Insurance Portability and Accountability Act prohibits health insurers, medical care providers and entities that process medical information from releasing any information that identifies the patient. However, the information can be released by a public agency if a state records law mandates it.

With a Little Help From My Friends

"DOL again extends COBRA deadlines for Katrina victims"

Mister Cee's Master Plan

It is not enough to decide that you are going to do something to make your systems HIPAA compliant--- too often I see systems which would have worked just fine, if there had been some kind of overview planning before I was called in to fix them.
Here, from LocalTechWire are some steps to help you optimize the results of your planning for technology implementations. Some of the highlights:


    • Create a vision that considers both the short- and long-term implications, defines success criteria, and identifies risks.

    • Have an independent technology consultant perform a technology assessment. Evaluate several approaches and solutions.

    • Focus on total cost of ownership, not just the initial cost. Consider operational and productivity benefits as well on-going support costs in order to determine your best option.

Tuesday, October 11, 2005

Midnight at the Lost and Found

Interesting case from The Pueblo Chieftan:

Rick is emancipated from his parents but stays in touch with them. They reported him missing on Sept. 22, and didn't find him until a week later.
"It turns out that he checked himself into the mental ward at Parkview hospital, but when we checked with the hospital they flat out told us no, he was not there," Harmes said. "They finally released him (on Sept. 29) and he called us right away."...


"The hospital blamed it on the privacy laws, but I think they dropped the ball," he said. "I would think if people have to go to the law to try to find a person, that would carry some weight. But it didn't."


I'm not really certain that Colorado state law would allow disclosure, but under HIPAA a missing person's case would probably allow at least confirmation that the person was still alive. Mental health issues can be sticky, though, and it looks like the hospital in this case was being over cautious rather than obstructive.

Give Me Just a Little More Time

Some help for Katrina victims:

The U.S. Department of Labor's Employee Benefits Security Administration (EBSA), in conjunction with the Internal Revenue Service, announced a further extension of a number of deadlines so workers and employers affected by Hurricane Katrina have additional time to make critical health coverage decisions.
The relief provides additional time to comply with certain deadlines, contained in the Consolidated Omnibus Budget Reconciliation Act (COBRA), the Health Insurance Portability and Accountability Act (HIPAA) and the rules for processing of health claims, that can have a profound impact on workers' health benefits.

Auntie's Municipal Court

Pretty interesting story from the Cincinnati Enquirer:

The Cincinnati Health Department and The Enquirer will square off in the Ohio Supreme Court today over how to balance privacy rights with the public's right to know.
The fight, among the first of its kind in Ohio, involves federal privacy rules that have triggered two years of legal battles between journalists and public officials across the country.
The Cincinnati dispute arose last year when the newspaper requested records of citations that the health department has issued to property owners for failing to eliminate sources of lead poisoning, such as lead-based paint.

It will be interesting to see how this is decided in the courts. I am torn. On the one hand, this seems like another case of public officials hiding behind HIPAA to avoid public accountablity, and a case of frustrated reporters trying to do their jobs. On the other hand, the children involved certainly have a right to privacy, especially since exposure to lead can have serious, life-long effects, and a prospective employer, for example, might use the information unfairly.

Monday, October 03, 2005

Stealing People's Mail

Free online seminar coming Wednesday Oct 5, 9:30 AM PST:

Simplifying HIPAA Email Compliance

October 5, 2005
The American Hospital Association recently endorsed a standardized secure messaging solution to comply with HIPAA e-mail regulations. After researching all major players in the secure messaging space, AHA chose PostX for its ability to meet rigorous security requirements, with solutions sized for the smallest hospitals to the largest. In this informative 30-minute event, the AHA explain why they awarded PostX an exclusive endorsement for secure messaging.



Vendor driven, of course, but still may be informative.

Monday, September 26, 2005

Straight Outta Now Rule

Here it is, the thing you have been waiting for:
HIPAA Administrative Simplification: Standards for Electronic Health Care Claims Attachments; Proposed Rule
Read, enjoy, there will be a quiz Friday.

Everybody's Got Something to Hide Except for Me and My Monkey.

As a former reporter, I can be sympathetic to those who feel that HIPAA blocks them from being able to do their job correctly. However, much of the time when I hear the HIPAA whine from reporters, they are just flat wrong--- the patient's right to privacy is not trumped in most cases by the public's right to know. There certainly are exceptions, but usually, though sympathetic, I know that the greater good is being served by the privacy given all of us by HIPAA and other privacy laws.
So when I started reading this article in the Missoula Independant, I was sceptical. It sounded like another HIPAA whine. Reading further I realized that it was, in fact, another case of folks in authority using HIPAA as an excuse to cover up what seems to be from what I can tell, some negligence somewhere along the line.
I was especially amused by the little jab from one of the interviewees:


“You can thank your buddy Bill Clinton,” Eggensperger told us, by way of explaining his secrecy. When asked what he meant by “your buddy Bill Clinton,” Eggensperger had this to say: “I’ve read your Independent. It’s about as left-wing as it gets. I’m telling you because of your buddy Bill Clinton we can’t give out that information.”
When pressed, Eggensperger said the Sanders county attorney had instructed him to not give out any information. Then he hung up.

Someone a little bitter here? Like Jon Stewart asks;"What exactly is the statuate of limitations on Bill Clinton?"
As an aside, I have to say this to folks who mouth off to reporters--- you may very well be correct about what you are angry about, but they nearly always get the last word, and their last word is read by the entire circulation of their paper.

Woo-Hah--- Got You All In Check

At the University of Arizona, they are taking HIPAA compliance seriously:

"During "spot checks" she observes activities in the waiting area while disguised as a typical student or patient, Poole said. "I'll put on my jeans and a T-shirt and pull my hair up on top of my head," Poole said.
Unannounced visits also serve the purpose of ensuring that the behavior Poole observes during evaluations is maintained on a daily basis, answering the question, "Did they put on a show because I was coming in, or is this really the way it's done?" Poole said."

As well as keeping very good track of what is going on, they are experimenting with computer kiosks for checking in for appointments (rather than saying your name to a receptionist) and light up pagers for when it is that patient's turn. I like to see this level of creativity, and from the reactions of the students affected who were interviewed, patients seem to appreciate it to.

Tuesday, September 20, 2005

Rebel Without a Clue

HHS (you know, the government guys who have a clue) came up with this fast-and-dirty solution to difficult to obtain perscription records in the wake of the katrina disaster. They were able in a very short time to provide a database for nearly 80% of those affected. The cool thing? It was entirely voluntary.

"The companies voluntarily worked together to create a site where shelter doctors could link to databases from a single source. Otherwise, doctors would have had to cobble together patient information from five sources. The databases contained prescription data for 80 percent of those affected by the storm and floodwaters, he said. The Veterans Affairs Department also contributed data. "

Gold Standard Multimedia of Tampa, Fla., the Medicaid prescription-drug contractor for the three affected states, provided the front end. Looks like they did a bang-up job.
Privacy issues will follow, of course, but the success of this project is pretty clearly the child of the big push for EPHI.

Monday, September 19, 2005

Reflect on Conflict

An interesting new study from Harvard University--- Health IT Report: Coordinating Patient Care Takes Back Seat to Processing Claims:

"Understanding exactly who benefits from electronic health records, and how much, is at the heart of a debate between health care providers and health care payers.
Clinicians say they are pressured to purchase expensive systems that primarily benefit payers.
Payers don't want to help physicians purchase systems that will help provide care to competitors' clients. "

There is money to be saved on every front here. An important reason for electronic records is that somewhere along the line there is money to be saved, in labor costs, in liability, and in other efficiencies. The sad thing for clinicians is that the payers have a bigger stick, and are farther removed from the patient. The middle ground here is probably not going to be in the middle.

Wednesday, September 14, 2005

Nothing to Say

Passed on without comment:

A database of electronic medical records could have helped emergency medical workers care for people displaced by Hurricane Katrina and would have resulted in fewer disruptions in evacuees’ medical needs, according to speakers at the 11th National Health Insurance Portability and Accountability Act (HIPAA) Summit, held Sept. 7-9 in Washington, D.C., and sponsored by the eHealth Initiative.
Many of the evacuees’ original medical records, which were housed in health care providers’ offices in areas affected by the storm, are currently inaccessible, and many likely were destroyed. As a result, emergency medical care providers are having trouble determining what medications evacuees were taking and in what dosages.
.

Impact is Imminent

Interesting white paper from Apani Networks on Health Insurance Portability and Accountability Act (HIPAA) and its Impact on IT Security :

"HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measuresthat must be addressed in order to protect and assure the confidentiality of electronic protected health information:- Administrative Safeguards: Implement policies and procedures to prevent, detect, contain, and correct security violations.- Physical Safeguards: Implement policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.- Technical Safeguards: Implement policies and procedures that protect and monitor information access, and prevent unauthorized access to data transmitted over a network."

Fight from the Inside

Okay, I have been harping on this forever, but you know, it isn't some spike-haired superhacker who is going to snatch your data. This very well written article from Insurance Networking News:

"Circumstances surrounding the majority of insiders who committed acts of sabotage and their resultant acts of destruction followed similar paths:
* The attack was triggered by a negative work-related event.
* Insiders planned their attack in advance.
* When hired, perpetrators had been granted system administrator or privileged access (one-half did not have authorized access at time of incident).
* They used unsophisticated methods for exploiting systemic vulnerabilities in applications, processes and/or procedures.
* They compromised computer accounts, created unauthorized backdoor accounts, or used shared accounts in their attacks.
* They used remote access to carry out some of the attacks.
* The attacker was detected only after there was a noticeable irregularity in the information system, or when a system became unavailable."

Read the whole thing, please.

Monday, September 12, 2005

Good Luck Charm

Here are some folks who seem to have their act pretty much together:

"Robert Merritt was worried about the medical ID bracelet he left behind at a hospital.
The bracelet, put on his arm as part of the hospital's routine, contained personal information, including his Social Security number.
After a few days at home, Merritt went back to the hospital, where the administrator put him at ease. The bracelet, he was told, was shredded.
"They were pretty thorough from what I saw," Merritt said."


Read the whole thing, it is an example of both a pretty good article, and a hospital administration who is concerned for patient privacy, and interested in taking advantage of the technologies already available. Remember, this sort of tech is an investment, not an expense. Wisely spent, your tech dollars will return themselves quite nicely in efficiencies, as well as provide some much appreciated regulatory CYA.

La Belle Dame Sans Regrets

From the article in ComputerWorld cited below:

"HIPAA provides for civil penalties of up to $25,000 and criminal penalties of up to $250,000 per year for noncompliance. But the CMS initiates an enforcement process only if a complaint is filed against a company.
As a result, many businesses are unwilling to invest the money and resources needed to comply, said James Bragg, a former HIPAA security officer at a Tulsa, Okla.-based hospital. Bragg said he was laid off earlier this year after he had implemented "very basic levels of access and audit controls" for the hospital. "

Oh, very nice. This is akin to putting your fingers in your ears and chanting "lalala"--- I hope this hospital and others like them find their happy place, because the process is complaint driven. All it takes is one disgruntled employee--- like for instance the HIPAA guy they laid off--- to blow the whistle, and they will be paying lawyers instead of compliance officers. We may be expensive, but few of us bill by the hour.

I Wish on Every Nickle

This is just plain nuts:

"CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP's security team has just two workers who are responsible for securing more than 2,000 servers across two data centers. "

They run 29 hospitals, but only have 2 people for 2000 servers? What exactly can they be thinking? Hats off to those two techies, 'cause I sure couldn't keep track of my share of that many servers, spread over two data centers and 29 facilites. Do they think they are somehow saving money? More than anything, they should be coming up with a good disaster recovery plan, because they are certainly setting themselves up for a good disaster.
Bt the way, I think I met these two uber-techs at a HIPAA training in Chicago earlier this year. They are good, alright, but if I had known the kind of responsibility they are shouldering, I would have looked closer for the supersuits hidden under their secret identity outfits.
If this is how it seems, then shame on the CHP administration. Saving a nickle, and overworking two very good, dedicated and knowlegeable people can only come back to bite you in the end.

Thursday, September 08, 2005

Cover Your Rig

Here is an update on the earlier story about the clinic administrator who was using HIPAA as an excuse to avoid oversight: his butt got fired---

"Late in Wednesday’s meeting, the board discussed a memorandum that Donahue issued last week, restricting access to the clinic for board members and others. Donahue said Friday that he sent the memorandum to comply with the federal Health Insurance Portability and Accountability Act (HIPAA) County Attorney
James Konstanty said the memorandum does appear to comply with HIPPA. However, Dr. Ben Friedell, D-Milford, said he thought the memorandum went beyond what HIPAA mandates and should be revoked."

The County Attorney is wrong. HIPAA specifically allows as use any PHI that might be revealed to the clinic's board as TPO, Treatment, Payment, or Operations. Also, any PHI that could be accidently seen by a board member walking through the halls would also be visible to other patients. This was blatantly a fanny-cover, and the administrator doing it was counting on nobody understanding HIPAA well enough to call him on it. In the case of the County Attorney, he was right--- the Attorney had an opinion, but sadly it was a wrong one.

Wednesday, September 07, 2005

I Fought the Law

I am often asked at seminars about law enforcement and HIPAA. My answer is usually to provide the attendee with a copy of the Washington State Hospital Association's Hosptial and Law Enforcement Guide to Disclosure of Protected Health Information, which is 33 pages long.
The short answer is that law enforcement and healthcare workers have different priorities, and I give a warning that the cops will cheerfully lie to you about their authority if they think it will help them to catch the bad guys. I would to, if I were in their shoes.
An example of how this might play out in your state can be found here, where, predictably, law enforcement wants one thing, and healthcare folks want another. Nearly every state has already addressed this problem, but once again, it isn't the overworked cop's responsibilty to ensure your compliance, it is your overworked staffer's responsibility.

Lock Down

WooHoo! Here is a report from Network World that just makes my little IT security heart sing:

"In December, people would receive an e-mail with a Christmas tree that you could click on to decorate. It looked innocent enough, but it wound up installing a keystroke logger on people's computers."

That's bad enough, but when the keystroke logger is on a PC in a pharmacy that is already struggling to keep up with Health Insurance Portability and Accountability Act (HIPAA) privacy mandates, the potential for legal exposure skyrockets. "A keystroke logger is a clear HIPAA violation," Fischer says. "



These folks have locked their systems down--- the only hole? The pharmacies, of course, because they require more internet access for obvious reasons. The solution for that final bit of open vulnerablity? Training, of course.
It can be done!

Ease My Pain

If you thought you would never see an affected party praise HIPAA, the good folks at the Indiana University Athletic Department are here to ease your pain:

"We are continuing to educate our media, our coaches and our student-athletes about HIPAA, and how important it is to abide by this law," Rhoda said. "I support HIPAA because I feel that it provides clear parameters for releasing injury information."

Read this--- some folks out in the real world do get it, and how it can be a good thing.

Take Up Thy Stethescope and Walk

Wow, this is really confusing, but it looks like someone is trying to use HIPAA as an excuse to cover up misconduct:

"In a related matter, last week Donahue sent board members a memorandum, telling them, in part, that "no person other than authorized staff should simply walk into the hallway or other areas of the clinic without staff authorization. Persons without authorization will be asked to leave, and appropriate authorities, Oneonta Police or Otsego County Sheriff, will be notified if they fail to comply."
Donahue said Friday that the memorandum was necessary to make sure the clinic complies with the federal Health Insurance Portability and Accountability Act (HIPAA). "

Can anyone make sense of this for me?

Vertical Man

It may be kicking and screaming, and dragged by the hair into the 21st century, but it still is going to happen that even the most reluctant office will eventually use some sort of e-records. From the Channel Insider: "Industry Labors in Anticipation of Health Records Standards"
"If you look at every doctor's office, they have their billing online and in a format like everyone else, but their records are still done largely by hand and kept in those giant vertical cabinets we all know," he said. "HIPAA was supposed to make these things portable."

Friday, August 26, 2005

I'm Doing Time in a Maximum Security Twilight Home

Read this:

"If you're impacted by HIPAA, you must have a comprehensive security program -- including risk assessment, policy development, controls, and monitoring and responses processes -- in place. But if the main concern is SOX, you'll be strictly responsible only for security around particular, auditable processes. Here's an opportunity to act broadly, extending SOX-driven security infrastructure and consulting spending to categories not covered by the audit.
In other words, spend once on developing a risk management and control infrastructure for security and then derive multiple benefits, for example by meeting compliance and catching low-level, non-SOX fraud at the same time.
After taking the right approach, says Hellman, there will scarcely be a distinction between compliance and security success: "It's incredibly intertwined. Compliance is an overlay over your security processes."

As the writer points out, this is an approach, not a solution, but the whole idea of integrating your security and compliance efforts makes so much sense. Too many systems have a network, with some kind of database tacked on, and glued to that some security that accreted through responses to the last five attacks, and then some sort of compliance procedure melded together by the IT and legal department. When they finally call someone like me, the mare's nest is nearly inpenetrable, filled with sacred cows, and the whole thing has cost 3 times what it should.

Thursday, August 25, 2005

Garden of Simple

Another free webcast, "How to simplify and automate your compliance procedures" from SearchSecurity:

"The growth of government mandates has caused an increase in manually intensive, compliance-related tasks that reduce IT efficiency. And according to AMR Research, the total tab for compliance-related spending will exceed $6 billion over the next 5 years. At this webcast, learn firsthand from Charles Kolodgy of IDC about how you can simplify, automate and reduce the cost of achieving IT security and regulatory compliance. Get tips on how you can get away from using manual methods to ensure compliance and how to reduce the complexity and burden on your IT infrastructure."

There is a lot of good stuff out there lately, but making time to learn and apply all of it is nearly impossible for those in small practices, or with limited IT budgets. My suggestion? Find a hired gun to put your compliance house in order, train a current staff memeber to keep up with things, then make sure they have a few hours a week to do so.

Wednesday, August 17, 2005

Going Up To The Country, Paint My Mailbox Blue

If you make a system easy enough to use, or even user-transparent, there will be far fewer problems with compliance. For many IT people this is axiomatic. When we are talking users who don't really care about all of our fancy high-tech equipment, it goes double. Securing e-mail doesn't have to be a nightmarish ordeal:

"Secure messaging is sort of a serendipitous technology," Osterman says. "If you ask somebody if they need to encrypt e-mail, a lot of people will say, 'No, not really.' But put an easy-to-use encryption capability in front of them, and they find more uses for it."

If it is hard to use, they won't use it. If it takes a lot of time, they won't use it. If it seems to interfere with proper care of their patients, they won't use it.
And if they won't use it, why bother?
Let's make these systems and policies transparent and user-friendly.
Or they won't use it.

Monday, August 15, 2005

In the Air Tonight

Sometimes things seem to come together, or maybe something is in the air. This weekend I had a long conversation about email security, and this morning I find a quite excellent (though rambling) rant from Jeff over at HIPAA Blog:

"That's what gets people going, though. Encryption of emails. I've pooh-poohed it because of the relative risk question, but there's another reason to pooh-pooh it: you don't encrypt your phone messages, do you? Is there a greater risk of your emails being intercepted than your phone calls being intercepted? Not much of one; presumably phone circuits are more closely controlled than internet circuits (you never know what route your email will take, really), but wouldn't someone have to be involved in criminal conduct as great as wiretapping to intercept your email?"

And there is this from USNews:

"Compliance with rules like HIPAA (which governs the use and release of medical information) prompted Rochester, N.Y.-based Sutherland Global Services to install E-mail security software this year. The outsourcing firm often handles sensitive information like credit cards and medical records; company heads wanted to ensure that this information remained private. Sutherland now has a system in place that checks outgoing E-mail for key phrases or words, putting a quarantine on any message that may contain private information."

And from way back in 1999, an article from CNN with a quote from Jeff LePage (who by the way didn't hire me a few years back for a pretty cool sounding job--- but who seemed like a decent guy nonetheless---which would have had the added bonus of letting me work with an IT guy who is quoted in national publications) on keeping track of what your email is used for.

"I didn't really realize how much of a problem I had until I started using (monitoring software)," said Jeff LePage, director of MIS at American Fast Freight Inc. in Kent, Wash.
At American Fast Freight, a year after putting monitoring software in place, the software is now capturing only two or three inappropriate e-mails per week from the company's 330 employees -- requiring only a quick once-per-week check, LePage said."

Tuesday, August 09, 2005

Gonna Teach You to Love Me

Do you need to be a tech to understand and supervise compliance? This entry in Computer World chronicles the frustrations of a manager trying to deal with a non-technical person in the role of compliance officer.

"We were at an impasse created by that long-ago misunderstanding about the nature of the ISO position. When the HIPAA security rule went into effect, covered entities such as my agency were required to designate someone to handle ISO responsibilities. Many covered entities noticed that roughly 80% of the policies and plans required by the HIPAA security rule are categorized as "administrative," only 5% or so are categorized as "technical," and the rest are categorized as "physical."

Here's the misunderstanding: Even though the bulk of the policies are deemed administrative, implementing the policies is primarily a technical exercise. I believe -- and many may argue with me -- that writing a good policy requires a solid understanding of what technologies are available to implement the plan. You need some technical knowledge to be able to visualize the plan. You can't say, "Thou shalt do thus" and not be able to "do thus."

I believe that compliance management can be done by non-technical people, but it is difficult, and the same sort of flexibility and trainability that makes for a good employee in every other role is indispensable here. If your compliance officer isn't technical, they need to be willing and able to get at least a foundation of technical understanding. Just as anyone else would be expected to grow into their position, so should the non-technical compliance officer make every effort to at least learn the basics. It sounds like this one was given the opportunity, and failed to step up to the plate.

My Baby Said

From the Fort Wayne News Sentinal comes this amusing and actually informed article:

"Just when I thought common sense was prevailing, my daughter, six months pregnant, told me of her recent experience at a Fort Wayne hospital. When going there for an outpatient test, the registration clerk asked her to sign a form stating she AND her baby had been informed of their privacy rights under HIPAA.
“My baby hasn’t been informed about anything,” my daughter said.

Both attorneys, she and her husband first thought the request “was a joke,” they said. But in all seriousness the clerk said the hospital had instituted the policy after another pregnant patient complained her unborn child had not been made aware of his or her privacy rights."

Most of the time, stuff like this is a training issue. When it isn't, there is always a back story. Sadly, to the patient, it just looks like more weird regulation.

Friday, August 05, 2005

The Last in Line

Good thing we are all HIPAA compliant, huh! Seriously, though, that .5% number is pretty danged impressive.

"HIPAA Compliance Required McClellan on Thursday also announced that CMS after Oct. 1 no longer will process claims that are not HIPAA-compliant for Medicare reimbursement, according to CQ HealthBeat. In a news release, CMS said that about 0.5% of Medicare fee-for-service providers submitted non-HIPAA-compliant claims as of June 2005. After Oct. 1, such claims will be returned to the filer for resubmission, according to CMS. "We are firmly committed to an interoperable electronic health care system, and the close-to-100% compliance with HIPAA standards for claims shows that the health care industry shares this commitment," McClellan said (CQ HealthBeat [2], 8/4). "


Thursday, August 04, 2005

Communication Breakdown

David J. Brailer, the National Coordinator for Health Information Technology at the Department of Health and Human Services actually seems like a pretty together kind of guy--- his recent testimony in front of congress brought up a lot of issues, and his perspective seemed... well, to have perspective.

"The challenge here is how to adapt security/privacy issues with sharing information," Brailer said in response to a question posed by Rep. Pete Stark, D-Calif., about his opinion of the Health Insurance Portability Accountability Act.
"We can't impose multi-million dollar practices on a small practice," Brailer added, explaining that a large practice could use biometrics in its computers while a small practice only used a password, making interoperability impossible between the two systems.

For a lot of CE's, the Security Rule has been a brand new set of headaches. I should note that, even with the above scenario, though, there are solutions to secure communication between dissimilar systems. You do it everytime you bank online, and your WinXP desktop talks to the bank's AS/400.

Monday, August 01, 2005

Don't Leave Me Now

A lot of information loss seems to be from poorly secured documents, and bad document storage. This is especially dangerous when the record is at end of life. You can't just haul your old records to the dump, and handwritten notes are one of the blindspots for many organizations. It does no good to secure your electronic records, if the notes that they were based on can be gotten by simple dumpster diving.

Here is a brief piece from the Boston Herald that covers the high points of shredding.

"MetroWest Medical Center in Framingham also uses shredders at each nurse's station, and a HIPAA compliance team regularly "audits" the regular trash cans to ensure medical records have not been placed there, said spokesman Beth Donnelly. And when the hospital needs to purge computerized records, it locks the hard drives in a secure location and hires an outside company to "de-gouse," or strip, them with magnetic equipment. "

OT: Extra points for anyone who catches the fairly obscure reference in the title of this post. *And I am pretty sure that they mean "degauss"--- "de-gouse" sounds like a fairly unpleasant office procedure involving harsh chemicals and minor surgery.

Wednesday, July 27, 2005

Searching for Artificial Happiness

"29% of companies purchased a solution for SarBox, 26% - for HIPAA by ZDNet's ZDNet -- More than 26% of customers surveyed by Network Intelligence are using the solution for HIPAA, 29% for Sarbanes-Oxley (SOX) and 5% for Payment Card Industry Standard (PCI). "

This is a vendor related study--- not much more than a press release, but it is interesting in that it shows that there are folks out there, like you, who are looking around for some sort of integrated solution to data handling and compliance.

The problem with this is always going to be that one size doesn't always fit all, and when you combine functions, the failure of one often causes the failure of all.

Tuesday, July 19, 2005

Two Rooms at the End of the World

So here it is, from RedNova--- the beginning of the apocolypse:

"Who could have ever imagined seeing former Speaker of the House Newt Gingrich standing side-by-side with former first lady and now senator from New York Hillary Rodham Clinton announcing their shared plan for the nation's healthcare system?
And yet there they were this past May, holding a joint press conference and describing how they would drag health care, kicking and screaming if need be, into a future filled with new IT and communication systems.
The Gingrich-Clinton announcement was not an isolated event. It was followed immediately by the introduction of the 21ist Century Health Information Act of 2005 in the House, jointly sponsored by Reps. Tim Murphy (R-Pa.) and Patrick Kennedy (D-R.I.). A companion Senate bill came a week later introduced by Sens. Mel Martinez (R- FIa.) and Clinton. "

Well, not really the apocolypse. Actually a logical next step, that properly done will make HIPAA compliance much easier, by further automation of the system.
More as I learn more.

Thursday, July 14, 2005

Knock Three Times

There has been a rash of reportings of data theft lately that has a very strange effect of causing many to become complacent about their data protection measures because, after all, their system is working.
The problem is that there is no way to know if your data is bulletproof. You can only be certain when it is not, and you have evidence that your security has been breached. The vast majority of data theft, including PHI, is undetectable, and unprosecutable, because unlike physical theft, the stolen data is still there. If someone sneaks into a museum in the dead of night, dressed in spandex and night googles, and makes off with a Bottecelli, in the morning there is a big square of unfaded wall, an empty nail, a light dusting of tracked-through laser-detection talcum powder, and no painting. The problem with stolen data is that most of the time there is no way to know that your system has been breached, or if it has been, that anything is missing because nothing is actually missing.
So what do you do to keep your data secure?
The threats come in three flavors, and there are steps that you can take to protect yourself from each one.
1. The Barbarians at the Gates. There are people out there who don't like you. There are people out there who don't care about you, but want what you have. And there are people out there who don't care about you, or what you have, but want inside just. because. they. can.
These are the folks that firewalls were invented to thwart, and I assume that y'all have covered this loophole. Firewalls, encryption, strong passwords, and some sort of Intrusion Detection System (IDS) cover you there. If you don't understand or like this stuff (hard for me to believe, but then again I went heavily into BetaMax, so what do I know) hire someone who does. A competent IT security consultant can set up most small practices in a few hours of system hardening. Do make sure that the contract includes some basic training for your users concerning the changes and best practices.
2. The Enemy Within. Far more likely to cause you grief is the viper cherished in your bosom. No one knows for sure, but I would guess that the retail model applies here--- 90% internal theft. After all, who else holds the keys to your kingdom? Training, monitoring, set usage policies, and careful terminal check-out procedures can help, but you never know. If you have 20 employees and they all seem perfectly content, either you are the shining example all other bosses should aspire to, or at least 5% of your workforce is adept at hiding their dissatisfaction. I know which one seems most likely to me.
3. Stupid is as Stupid Does. And Stupid seems to be doing more than his fair share lately. Data theft is the classic crime of opportunity. "It was just laying there, so I took it." Or "The web site was unsecured" (here) or "The safe was left open" (here) or -one that I recently was asked about- "I left the box of records in the back seat, and someone borrowed my car." I love consulting, but dang, please make it harder for me, will ya? No more post-it notes with passwords conveniently stuck to the monitor, or so cleverly stuck under the keyboard. No more backup tapes on a shelf behind your desk, or stacked on top of the server. No more shared passwords for the entire office.
Once again, if you don't know about this stuff, contract someone who does. It is so very much cheaper and less stressful to spend a few bucks and a few hours hardening your system and providing a few hours of common sense training for your crew than it is to learn about your PHI disclosure from the guy with good hair and too many teeth holding the mike and standing sideways in your lobby so his cameraman can get a good shot.

Wednesday, July 06, 2005

Unintended Lyrical Befuddlement

Here is a report from the First Amendment Center on a HIPAA conference in Nashville that reads like a laundry list of misconceptions about HIPAA-- reporters whining about the public's right to know (a wonderful thing, the first amendment, designed to protect individuals and groups from being silenced, and its corallary of the public right to know is to keep the big shots in control from hiding stuff from us-- NOT to make reporters jobs easier), a hacker named "Mudge" who boasts he could bring down the internet in 30 minutes, and an anti-HIPAA crusader from here in Washington State who claims that HIPAA is less about privacy than it is about discrimination.

I like this one a lot:
"James Hudnut-Beumler, dean of Vanderbilt Divinity School and an ordained Presbyterian minister, brought an often-overlooked effect of HIPAA to light: how hard it is has become for clergy to see members of their congregations in the hospital or even get any information about them. Churches must now be very careful what they reveal about patients to their congregations, particularly in church bulletins, he said.

“It has turned us (clergy) into social engineers,” Hudnut-Beumler said. “It gets hard to do the work that you are supposed to do and that the family expects you to do.” He proposed a “good Samaritan provision” to apply to HIPAA that would protect medical personnel in the case of “well-intended disclosure,” an idea many attendees received favorably."

Of course, we all know that Vanderbilt Divinity School is not a covered entity, and I sincerely doubt that most Presbyterian congregations need to worry about the HIPAA cops inspecting their church bulletins.

Man, I wish I was at that conference, sounds like it was a blast.

Protect Ya Neck

I hereby declare July as Security Compliance Month-- we'll have a parade, an award show, and a Security Rule Film Festival. While I work out the details, entertain yourself with this from Ramon Padilla Jr. at Tech Republic:
"However, as it is now, the temptation is there for others to gamble on not getting caught—and, in the process, to gamble with your career. When it comes time to request funding for HIPAA compliance, it might go like this: "Well Bob, I see your budget request for us to comply with the HIPAA security standards is pretty large. I'm afraid we can't handle that. "Do the best that you can."
But whose head will be on the chopping block once a security complaint is filed and it is leaked to the press? You can bet it won't be the person who denied your funding!"
Good points from Ramone--- remember, Ken Lay is still playing golf with his cronies while his Enron underlings are all residents at the Gray Bar Inn.

I've Just Seen a Face

A pretty good white paper in Information Week from Citrix about security compliance:
"...some of the common top-of-mind topics that CIOs in this industry face include:
  • Patient Safety.
  • Loss of cash flow from an inability to bill because the network is down.
  • Unauthorized release or use of PHI from external or internal threats.
  • Temporary unavailability of data to critical systems that impairs patient safety.
  • Growth in the number of users with wired and wireless access devices.
  • Installing the latest patch upgrades.
  • Integrating new systems with legacy systems.
  • Rapid identification and response to problems.
  • Monitoring patient data for early signs of potential terrorist or bio-terrorism events.
  • Interpreting and adopting new information technology compliance mandates."
Vendor white papers are usually about pushing their own product, so read between the lines. This one has some good info, though, so it is worth your scan.

Save the Population

A good general concept-level piece on data storage from IT Observer:

"Information Lifecycle Management (ILM) is one strategy for managing and storing data, according to its evolving business value and access requirements over time. Data must remain accessible on demand for compliance and audit inquiries."

Storage is going to be a very hot issue in the next little while, as folks begin to understand the ramifications of the security rule. Having a plan now is so much better than having an emergency later.

Thursday, June 30, 2005

Moonlight in Vermont

From the Bennington (Vermont) Banner comes a story of a defense attorney arguing that HIPAA prohibits the disclosure of mental health records from the state prison in this case:

"Prosecutors are seeking a Burlington murder suspect's medical records from the Vermont Department of Corrections to determine if he is mentally fit to stand trial.
The Corrections Department records, which date back eight years, are critical to supporting or disproving whether Gerald Montgomery is mentally incompetent, Mary Morrissey, a deputy Chittenden County state's attorney, told Vermont District Court Judge Michael Kupersmith on Tuesday.
"This is a man charged with murder and kidnapping," Morrissey said."

An independant, court-appointed psychiatrist says that Montgomery hears voices, but could be faking, so the state wants to see his records from prison to see if there is anything that would support this.

"Brenner also argued that Montgomery's health records are private and their confidentiality protected by state and federal law -- specifically the Health Insurance Portability and Accountability Act, or HIPAA."

Well.... no. The Privacy rule specifically lists this sort of disclosure as allowed when requested by court order. State law I don't know about, but I suspect it also has this as an exception.

In the Navy

Military providers come online: from the National Naval Medical Center Journal, at dcmilitary.com
"Although he says he does not envision identifier codes replacing everything, or solving all problems, Fennewald said he envisions it limiting record losses and unauthorized access to records. "

Friday, June 24, 2005

If You Have to Ask

Wow! This is really cool: a searchable HIPAA database from Ask Sam. Definitely something to add to your favorites.
http://www.asksam.com/ebooks/HIPAA/

Wednesday, June 22, 2005

Key to the Gate

Jeff over at HIPAA Blog gets all the best comments. Right now he is involved in a dialog with Diva of Disgruntled that points up a number of issues. From what I can tell, there is plenty of wrong to spread around, and some foolishness and poor judgment on both sides. The situation makes a good example of what can happen when an employer (in this case Kaiser) exposes themselves to an unhappy ex-employee. Some important points here:
Your biggest threat is from within. We spend tons of time building defenses against the uber hacker when most of the time he really isn't all that interested in us. These defenses are important, though because part of why he isn't interested in us is that we are hard to crack, and there are so many other easy targets out there. Anyone who wants to understand how most hackers work should read a good history of the campaigns of Caesar Borgia, Lucretia's older brother, and the man that Machiavelli based The Prince on. Borgia conquered most of Italy in a very short time, mostly by not conquering it. If a city was a hard nut to crack, he bypassed it, knowing that there were plenty of easier targets. If he really wanted a city, and the defenses were strong, he bribed someone inside to let him in.
Think about it. Who knows your defenses and systems? The folks who work with them, or in this case someone who used to work with them. And who is most likely to want to do you harm? Some joyriding script-kiddy out to show his buddies how good his kung fu is, or someone who feels they have been done wrong, and who has little to lose?
So what do you do to minimize your exposure here? Like everything else it is way better to prevent fires than to be a fireman. Screen your employees carefully. Treat them well. Monitor their activities. And make sure that you terminate them with dignity. Fighting with someone over a few dollars of unemployment insurance may save you some pennies in the short term, but you will make an enemy of someone who has the keys to the postern gate, a map to the stronghold, and the secret password that opens the citadel.

Monday, June 20, 2005

Every State Line

From the Providence Business News comes some more stuff on how state laws can preempt HIPAA, and how it is important to understand both, and how they apply to you.

"It's a complicated, specific area of law, Zubiago said, and not all people who interact with the health care system understand it."

You no doubt noticed that some of the examples would not be violations under HIPAA, but combined with the state law, and the added awareness of privacy issues that HIPAA brings they make a pretty good cautionary tale, indeed.

Thursday, June 16, 2005

Practice Makes Perfect

Some excellent practical suggestions on wireless from ComputerWorld---

"Stehman listed several best practices executives can follow to avoid compliance problems. Among them are making sure of the following:
  • All user devices are tested and certified by the IT staff prior to being connected to the wireless network.
  • Help desk support personnel receive hands-on training for all of the wireless devices certified by IT staffers.
  • Wireless users are briefed on how to comply with enterprise security requirements.
  • All wireless-enabled applications pass security and performance requirements prior to being deployed.
  • All wireless applications have a designated owner."

More stuff like this is needed--- there is no end of articles telling us about encryption, types of attacks, wireless protocols and technical stuff that you and I love, but to the users is just more crap in the way of doing their job.
(Shamelessly crossposted from my other blog KeepItSafe.)

Protect and Survive

From Newswise comes this interesting snippet---
CHERYL CAMIN, attorney at GARDERE WYNNE SEWELL: "The Justice Department's recent ruling, which sharply limited criminal liability for violations of the HIPAA privacy rule by individuals and companies, should not be read as letting violators off the hook completely. They may still be criminally or civilly liable under other federal and state laws. If a hospital is found liable for an employee or vendor's mistake, the hospital may seek recourse against them for breach of contract. And this announcement may not be the final word on HIPAA liability, either. Additional interpretations of this and future DOJ rulings will shed more light on who really may be held accountable under HIPAA."
Once again, here in Washington State, as in several other states, we have privacy laws that are a little more fierce than HIPAA, and so pre-empt them. It is important that you include your state privacy laws and guidelines in any HIPAA training that you provide for your employees. It would be a shame to be perfectly in compliance with HIPAA, have a complaint, and still be in violation under state law.

Monday, June 13, 2005

No Cure for the Pure

No, no, no, no, no!
Don't do this:
"...he was not happy when a Charlotte doctor's office insisted on having his Social Security number when Locke brought his 16-year-old son in for treatment last month.
In the wrong hands, Social Security numbers are identity theft booster rockets. They're used by criminals to open credit card accounts, commit financial fraud and put a victim into a mess of debt.
Why did the doctor's office -- Mecklenburg Dermatology Associates -- need his Social Security number?
The office manager, Felicia Canty, said it's required by HIPAA, the federal medical privacy law."

This stuff is hard enough to deal with. Lets not set up adversarial relationships with the very people we are supposed to be helping. Whether this was a training issue, or just an office manager who just wasn't going to be told how things works (and as a sometime consultant, I know that the real power in the office is the office manager--- regardless of whose name is on the corner office door--- fail to sell the office manager on a new compliance measure or procedure, and you have wasted your money and time) doesn't really matter. What matters is this is thunderously rotten customer service, and a very stupid thing to get yourself in the paper over.

Thursday, June 09, 2005

Justice in a Barrel

So if you haven't heard already, the DOJ has issued an opinion that clarifies and further muddies (ain't that the way it goes?) the confusion of who is criminally liable in HIPAA violation cases. As the famous Gibson case has been held up in the past as a guideline for the rest of us in dealing with employees and their actions, this is pretty revolutionary stuff, but at the same time makes a sort of sense: Covered entities are covered entities, not their employees or associates.
Will this make it less easy for you to coerce your employees into compliance?
Well, yes and no.
As Jeff points out over at the always readable HIPAA Blog, the responsibility always was on the covered entity to ensure compliance. That hasn't changed; what has changed is the size of the cudgel you wield. Before you could have said that if they weren't good little boys and girls and didn't eat their broccoli that the big bad HIPAA cops would come and get them. But in truth, the big bad HIPAA cops were probably never going to get them anyway. It was always up to you. Your rules, your policies, your responsibility to enforce.
On the front line, this is probably less of a big deal than it seems, especially here in Washington State, where our state laws on privacy are rough enough that even the HIPAA enforcers back slowly away, careful to avoid eye contact. But boy howdy has it got the dander up on the blogosphere! For a rundown on this donnybrook check out this and this. Read through the links--- it reminds me a little of some of the flame wars on the political sites I frequent.
Bruce Schneier, the security guru, thinks the law has been gutted, Jeff at HIPAA Blog disagrees. Both have good reasons to think what they do. Schneier comes from an IT background, as do I, and one of the results of that is the certain knowledge that there is no real privacy, only ways to make it inconvenient for the black hats to get at your stuff. HIPAA is one of those inconveniences, and anything that looks to make it less effective as a deterrent is going to bug him. Jeff is a lawyer, and his take on things carries some weight based on his experience with how the law actually shakes out in the courts.
The only one of my regular sources to not yet weigh in on this is Bob Coffield at Healthcare Blog Law. You can join me in checking back with him here.
At any rate, this is more fun than a possum in a lint bag.

Monday, June 06, 2005

Everybody Loves a Happy Ending

Here is a cure for that low-down feeling you may have been suffering as you slog through the latest set of steps to compliance: Cecilia woman on the front lines in nationwide ethics battle. (Hardin County, Kentucky, News-Enterprise.)
Read the whole thing--- at first it seems like regular law-suit boilerplate. But cases like this are why HIPAA came into being, and it has all the classic elements of an epic drama--- veteran done wrong, innocent children in the way, an unresponsive, faceless mega-company, crusading attorneys--- and it has a happy ending!