Thursday, September 13, 2007

No, No, No, No

Ha! This is really pushing the HIPAA envelope--- that a hospital name is protected under HIPAA! Talk about a prime Golden Hippo candidate!

Gunther Slaton, President of GSI states ... "GSI is engaged in a project with nine separate hospitals and is working on due diligence for analysis and funding for healthcare accounts receivable. This is part of the ever-increasing market share for GSI for funding of receivables in the $2-trillion+ healthcare market. The names are withheld due to confidentiality requirements and HIPAA rules. Progress reports will be made as this project moves forward. We can categorically state that this project involves the largest amount of receivables for a single project in the history of GSI."

I am guessing that either there aren't really all that many hospitals involved, the deal isn't really done, or there is some other factor that makes them want to hide the names of the hospitals. Any of these reasons is plausible, but if I were an investor, I'd be asking why the folks in this deal have so little understanding of regulations that they deal with every single day.


Another thing to tattoo on your forehead:

If you have the job of making your company compliant, remember this: compliance is NOT a technology project. It involves so much more. It takes diligence and hard work. Don't get into the checkbox mentality. There is no quick fix. Don't believe the companies that give quick paths to becoming compliant. They don't work. And don't assume that you don't need help. This is not an easy task, even for smaller companies.

Not a goal, a process!

Walking Shoes

Sometimes no matter what you do, stupid wins:
Covered entities are responsible

The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two months later, disabled the backup systems and then systematically destroyed patient data. For this, Oson faces an indictment, a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.]

Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly."

How in the world can an administrator leave the building after termination and still be able to access systems? This is beyond stupid; it is transcendently irresponsible.
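Both of the reader's points above, revoking access when someone leaves and watching the logs so a dead backup gets noticed, can be turned into automated checks. The example below is added here and is not from the page or from CCC; it runs both checks over constructed log lines, with an assumed offboarding roster (account to termination date) standing in for whatever HR would export.

```python
import re
from datetime import datetime, timedelta
# Constructed sample logs (not from the original page): an auth log and a backup-job log.
AUTH_LOG = """\
2007-08-01 02:13:07 auth: user=jsmith src=10.0.0.14 result=success
2007-08-01 02:40:55 auth: user=ex_admin src=203.0.113.9 result=success
2007-08-01 02:41:30 auth: user=ex_admin src=203.0.113.9 result=failure
"""
BACKUP_LOG = """\
2007-07-28 23:00:01 backup job=patient_db status=ok
2007-07-29 23:00:02 backup job=patient_db status=ok
2007-07-31 23:00:00 backup job=patient_db status=failed
"""
# Hypothetical offboarding roster: account -> termination date (e.g. exported from HR).
TERMINATED = {"ex_admin": "2007-06-01"}
AUTH_RE = re.compile(r"^(\S+ \S+) auth: user=(\S+) src=(\S+) result=(\w+)")
BACKUP_RE = re.compile(r"^(\S+ \S+) backup job=(\S+) status=(\w+)")
TS = "%Y-%m-%d %H:%M:%S"

def logins_by_terminated_accounts(auth_log, terminated):
    """Return (timestamp, user, src) for each successful login by an account terminated before it."""
    hits = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, user, src, result = m.groups()
        if result != "success" or user not in terminated:
            continue
        if datetime.strptime(ts, TS) > datetime.strptime(terminated[user], "%Y-%m-%d"):
            hits.append((ts, user, src))
    return hits

def backup_problems(backup_log, job, now, max_age_days=1):
    """Flag failed runs of `job` and a last good run older than max_age_days (a stopped job logs nothing)."""
    problems, last_ok = [], None
    for line in backup_log.splitlines():
        m = BACKUP_RE.match(line)
        if not m or m.group(2) != job:
            continue
        ts, _, status = m.groups()
        if status == "ok":
            last_ok = datetime.strptime(ts, TS)
        else:
            problems.append(f"{ts} job={job} status={status}")
    now_dt = datetime.strptime(now, TS)
    if last_ok is None or now_dt - last_ok > timedelta(days=max_age_days):
        problems.append(f"no successful {job} backup in the {max_age_days} day(s) before {now}")
    return problems
```

The second check matters because an attacker who disables a backup job leaves no "failed" line to alert on; only the absence of a recent success reveals it.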

Sing, sing, sing

Music to my ears:

"Our software is HIPAA (SOX, etc.) compliant."

No, it's not.

Many security standards, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, include requirements for the implementation and operation of a system. These detail the actual practice of protecting sensitive data, not just the type or design of security controls.

Proper security controls in a piece of software can support compliance with HIPAA, Sarbanes-Oxley or other regulatory requirements, but a direct claim of compliance-in-a-box is laughable. There's no way to box up a proven-compliant life cycle into an unimplemented piece of software without incorporating your data and experience.

This article is golden. Absolutely a must read for anyone lost in the dark forest of regulatory confusion.

Only the Lonely

It is nice to find I am not alone--- I'm not the only one who has become less than popular by insisting on having a minimum level of security:

We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients’ names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if you’re in charge of securing similar information.

The Lucky Few

Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they can’t synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.

Read the whole article, then read the comments. Setting high standards will catch you flak, even from those not affected. But you will sleep at night.

The times they are a'changing

Okay, slackers, your happy time is over:

Measured subjectively, Runyon estimates that 60% of health care providers are compliant with HIPAA's security standards. A survey last summer of 220 health care providers and insurance companies by the Healthcare Information and Management Systems Society and Phoenix Health Systems showed that only 56% are complying with the security requirements.

Runyon said ambiguity was built into the HIPAA security regulations on purpose to make them less onerous and encourage adoption. But now that organizations have had a couple years to implement best practices and security technologies, he expects enforcement to increase in the next two to five years, which will "put some teeth into this rule."

Enforcement is coming--- I know you have heard this before, but time really is running out. Don't wait for it to start to rain before you build your ark.

I Owe My Soul (to the Company Store)

I'm not very worried about the potential for privacy abuse here (though given the history of company abuse of employee health info, I probably should be), but this seems a little creepy to me, for reasons I can't quite identify:

As companies try to rein in rising health care costs, workers in many industries are dealing with on-site health clinics. Large employers including Toyota Motor Co., Pepsi Bottling Group, Credit Suisse and Sprint Nextel have set up or expanded on-site health clinics in recent years.

Workers aren't forced to use these company clinics, but companies provide financial incentives including lower co-pays, deductibles and an ability to see the on-site doctor on company time.

I think the idea of providing an on-site health clinic is actually a good idea, but it would seem less big-brotherly if they were run by independent third parties. Am I being paranoid here, or do you feel like it would be too weird to have your employer potentially have access to your health info?

Run Around Sue

Nope. HIPAA is a power so great that it can only be used for good, or evil, but it won't do this:

An Ohio federal court has ruled that the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) do not excuse Ohio's Medicaid agency from disclosing patient information in a class action to enforce Medicaid's early and periodic screening, diagnosis and treatment (EPSDT) requirements.

Like everything else that is little understood and big and scary-seeming, HIPAA is just too tempting to hide behind, especially if you are a public servant hoping to avoid scrutiny. From the beginning the courts have been able to penetrate this veil of privacy, but it hasn't stopped folks from trying.