Monday, February 27, 2006

Down by Law

This seems quite clear to me, and I am glad that the courts agreed with my non-lawyer opining self--

Limits on release of medical records. After the state hospital and state training school denied the P&A's request to access the medical records of its disabled patients, both sides sought guidance on the extent to which HIPAA and the Medicaid Act affected the disclosure requirements of the P&A Acts. The court determined that the limits on the release of protected health information found in HIPAA and the Medicaid Act do not prevent the P&A from accessing protected health information. Under HIPAA, medical records may be released when required by another law. The P&A Acts require the release of medical records in certain circumstances, satisfying requirements for release of the information under HIPAA.

The law is pretty clear. If HIPAA comes into conflict with an existing state law, in most cases the state law will have precedence. Mostly this was intended to allow states to have stronger regulations regarding privacy, but I can see where in this case the state law would need to have more juice, even though it doesn't deal directly with privacy. Lawyers.... tell me if I am mistaken!

Beast of Burden

Balance, Grasshopper, balance. Having a sane approach to compliance doesn't just save you from sleepless nights, it can save your company money, time and effort, which as you know are the holy trinity of getting something approved by the higher-ups, who always have those pesky "why" questions.
From Processor comes this editorial "Taming the Compliance Beast"---

Sarbox and HIPAA are so big (and so feared) that some firms go overboard to comply with them. “The biggest problem is over-scoping,” says Gartner’s Caldwell. Some companies put controls “here, there, and everywhere,” he says, ignoring the narrow intent of the law. For instance, Sarbox was designed to address financial controls and audits and never mentions IT per se. But some auditors have been reluctant to limit their clients’ efforts, a problem that was common in the early days of Sarbox when little was known about it. In contrast, some companies don’t go far enough, approaching Sarbox and HIPAA “as a project, not a process,” says Forrester’s Rasmussen. They don’t see compliance as part of their day-to-day operations, he says, and too often assign a project manager to an ad hoc job that won’t suffice in the long run.

This is so true. About half the front-line workers I deal with are suffering from HIPAA fatigue. They have been beaten on for so long, and been so handcuffed by policies, that they despise the very mention of HIPAA.
The other half are working at places that are so casual with PHI that they themselves are concerned, and are attending one of my workshops to cover their own assets.
Find a sane middle ground. Make your policies transparent enough that your front-line workers can follow them, but integrated into your processes so that they have some effectiveness.

Friday, February 17, 2006

Mind on Our Money

Think protecting your data is expensive? It could cost as much as 15 times as much to respond to a breach---

A September 2005 report by Gartner Inc. states that "a company with at least 100,000 customer accounts to protect can spend, in the first year, as little as $6 per account for just data encryption or as much as $16 per customer account for data encryption, host-based intrusion prevention and strong security audits combined. This compares with an expenditure of at least $90 per customer account when data is compromised or exposed during a breach."
Thus, by approaching security as an opportunity rather than as a burden, an organization can stay ahead of criminals, competitors, reporters and regulators; reduce or avoid cost over time; and transform data security into a strategic advantage for the organization.

That's some mighty simple math for you. A lot of us have to go before the bean-counters to justify spending even the smallest amount on things we know to be important, but because many of those things are difficult to explain, we don't always get the tools or resources we need. Put like this, however, we are speaking their language: dollars and cents.

Key to the Highway

Extremely good piece on EHR's and research by Nancy Harris in Government Health IT---

Hidden keys to health
The medical community is sitting on mountains of e-health data that could lead to important medical discoveries. But will its value remain buried by privacy concerns and lack of funding?

Kansas City

There is starting to be some push back against EHR--- and rightly so. I tend to be in favor of systems that allow good access to information to providers, but as an IT guy I have to say that a) any system can be abused, and b) you have to give good data to get good data.
This article from Kansas City Info Zine says it well, right in the title: Electronic Medical Records Have Potential for Misuse---

Advocates of Electronic Health Records say the system will have the tightest possible security. But recent large-scale thefts of credit card and banking information have shown that all databases, even those with state-of-the-art security protections, can be compromised. Electronic medical records systems now in operation have already sprung some serious security leaks. In 2003, a medical transcriptionist in Pakistan threatened to post patient records from the University of California San Francisco's Medical Center on the Internet unless she was paid for her work for a transcription service company hired by the university. The dispute was resolved, but meanwhile patients had no idea their records were being sent overseas. In another breach, two computers that held a disc containing the confidential records of close to 200,000 patients of a medical group in San Jose, California, were posted for sale on The FBI recovered the information and the medical group informed current and former patients of the theft. The full report on electronic medical records appears in the March 2006 issue of Consumer Reports, which goes on sale February 7, 2006 wherever magazines are sold. The investigation will be available online to subscribers of at

We need to be paying attention to this. HIPAA already has a reputation as a clumsy, intricate, annoying, but toothless tiger. If all of that compliance work that we have all struggled to accomplish can be simply bypassed through idiocy, poor implementation, or loopholes that allow abuse, then shame on us for letting it happen.

Dear Prudence

So disclosing PHI isn't just against the law, it is rude.
Really, this is a good sign. When the Dear Abbys and, in this case, Ask Amys get involved, you know that we have come a pretty long way.
And there is a lesson here--- we sometimes forget, amidst the pain-in-the-neck nit-picking details of the latest set of compliance rules, that this information is private, that it belongs to people who should have every right to expect that their personal information not be broadcast to the world.

Dance to the Music

Here it is--- the final version of the enforcement rule. I have only skimmed it at this point, but I didn't find much different.
It is 45 pages of legalese, but if you are any way involved with HIPAA compliance, you need to read it.

Friday, February 10, 2006

Detroit Rock City

I am often asked "Can't I just buy software to do all this?" --- the short answer is the best one here--- no. In this article from the UK in IT Analysis, Clive Longbottom slices and dices the problem with trusting your vendors to make you compliant.

Think of all the computerised solutions that we have had since the advent of the mainframe in the 1960s - barely 40 years ago. Could we now easily recover data from an original Winchester disk? Could we easily provide information to the 'powers that be' if it were stored in Navy DIF or AmiPro version 1.2? This becomes a thorny point when 'they' insist on the original document - even file viewers cannot guarantee fidelity of view...

Overall, the KISS (Keep It Simple, Stupid) approach to governance and compliance is the best - start with a high-level framework and look for the technical solutions that will facilitate the framework. Then look at what a company's needs are for specific areas of governance and layer solutions over the framework. This should give a higher level of flexibility for the future and prevent that horrible feeling when you think you have everything covered and find that the one piece of information Chief Inspector Knacker of the Fraud Squad is demanding is not covered by your swanky, multi-million euro compliance solution.

It is your data, and your behind that will be in a sling if you are not in compliance. As Clive points out, the best solution is to make sure, top to bottom, that your data is secure and available.

Baby I'm Back

I have been very busy lately, so I haven't been keeping up here as much as I'd like. But for now things are less chaotic, so to celebrate the return to order, let's look at this piece from Tech Republic:

After a disaster, not only do you have to get back up and running within the time constraints set forth by regulatory compliance, but you're going to have to continue to ensure that you can meet or exceed standards. This is especially true for privacy regulations like HIPAA, which do not go away just because you're on alternate servers in another location. Quite the contrary, failing over or restoring to new systems is a red flag that you might not be in compliance anymore. In order to prove that the disaster has not destroyed your organisation's ability to protect data, you will have to ensure that security and encryption protocols are being enforced at the backup site, and that compliance-software implementations are performing the same tasks at the alternate site as they do at the production site.

One of the places I find some push back from those who want to be in compliance, but still don't understand how it really works, is in the area of disaster recovery. The reason it is included in the HIPAA rules is that data handling has to be seamless--- it is an end-to-end process that goes from creation to destruction, and your data needs to be protected along every detour it might take, whether through a BA or through a temporary home on your backup servers.