<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-12768719</id><updated>2012-01-26T03:23:20.716-08:00</updated><title type='text'>ComPly With Me--- a HIPAA Forum</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default?start-index=101&amp;max-results=100'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>273</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-12768719.post-8192438887438989427</id><published>2011-10-04T10:25:00.000-07:00</published><updated>2011-10-04T10:26:46.126-07:00</updated><title type='text'>Preventing Cybercrime</title><content type='html'>In the cyber crime world, there is no such thing as a bullet-proof defense. 
However, the risk of data loss, unauthorized access, or other undesirable intrusions can be reduced or nearly eliminated by taking some basic precautions. Among them:&lt;br /&gt;&lt;br /&gt;1. Ensure that all accounts have unique passwords. All passwords should be difficult to guess.  A strong policy is like having a good lock on the front door. Passwords should not be a word found in the dictionary or a given name. Instead, passwords should be made of random upper- and lower-case letters, numbers and symbols. Each password should contain at least three of the four, and should be no shorter than eight characters. Passwords should be changed every three months, or if there is any reason to believe that a password has been compromised. &lt;br /&gt;&lt;br /&gt; 2. Update the network configuration as soon as vulnerabilities become known.  Leaving a known vulnerability open is very foolish. Any incorrect or compromised network configuration needs to be corrected immediately, and care taken that new ones don’t arise. Proper change management procedures can mitigate this.&lt;br /&gt;&lt;br /&gt;3. Apply upgrades and patches promptly.  Applications and operating systems may contain hundreds of thousands, even millions of lines of code. Vulnerabilities are discovered all the time. Even a mature, stable, tested and well-written application like QuickBooks 2010 had 13 revisions after its release. Operating systems may be released with hundreds of vulnerabilities that are not discovered until after release. Upgrades and patches must be applied as soon as the vulnerability is discovered and a patch for it released.&lt;br /&gt; &lt;br /&gt;4. Check log files regularly to detect and trace intruders.  Log files are useful for finding and patching holes, as well as detecting intrusion attempts and unauthorized use escalation.  
They can be used for mapping problems between account names and security IDs, finding incorrect permissions for performing tasks, problems with the trust relationship between the primary domain and trusted domains, and errors that may be caused by a number of different problems.&lt;br /&gt; &lt;br /&gt;5. Train all employees to identify and avoid cyber crime attacks. Train all users to report any suspected phishing attempts or potential security breaches. Proper training in cyber crime prevention can help users to counter viruses, phishing attacks and computer-based identity theft. Nearly all fraud and identity theft happens at the user level. Proper training makes users aware and prepared.  &lt;br /&gt; &lt;br /&gt;Training, awareness and preparation can make an enormous difference in avoiding and preventing cyber crime.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8192438887438989427?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8192438887438989427/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8192438887438989427' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8192438887438989427'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8192438887438989427'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2011/10/preventiing-cybercrime.html' title='Preventing Cybercrime'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6872400038830462568</id><published>2009-01-22T13:11:00.000-08:00</published><updated>2009-01-22T13:12:12.234-08:00</updated><title type='text'>3 I's</title><content type='html'>There's no avoiding it; there's a new sheriff in town. With the coming change of administration, and a Congress far more open to the idea of regulation, spurred by the recent problems in the lending sector, there is little doubt that we will be seeing a spate of new regulations and regulatory bodies, as well as an increase in the enforcement of existing regulations, such as Sarbanes-Oxley, HIPAA, and GLBA.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time, though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years, but fewer than a dozen prosecutions. In fact, according to the Inspector General of HHS, the Center for Medicare and Medicaid, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now, haven't really felt all that much pressure? For many it means changing the view they have had about compliance. 
Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. No matter what systems, programs, rules or processes we come up with, if they are not designed to impact the end user as little as possible, then they will be bypassed. History has shown us that as little as one extra step in a work sequence will cause end-users to find ways to bypass or ignore it, unless the user perceives the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA-related ones, are seen by many as timewasters and barriers to providing care to patients. If the end user experience is not included in compliance planning, then whatever solutions are chosen will inevitably fail.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked-on compliance solution will be resource-wasting, time-wasting, and ultimately ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end-users to judge which of two parallel systems to use leads to frustration at best. Systems should be chosen to maximize ease of integration with what already is in use.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't. 
You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users and make certain that what you do is what they should be doing, too.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Three I's: invisibility, integration, and integrity. Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6872400038830462568?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6872400038830462568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6872400038830462568' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6872400038830462568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6872400038830462568'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2009/01/3-is.html' title='3 I&apos;s'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6751937667304677252</id><published>2008-10-09T14:08:00.001-07:00</published><updated>2008-10-09T14:08:45.587-07:00</updated><title type='text'>Blue Suit, Red Cape and Red Boots</title><content type='html'>No doubt about it, things are getting tighter. 
Even with the volume off, the TV has a streaming litany of financial woe in a never-ending flow from left to right at the bottom of the screen. And you don't need Jim Cramer to remind you; your customers are letting you know, as well as your screaming bottom line.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;At the same time your work day and productivity are being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and the American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. 
That designated person should be the office go-to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;New and even more stringent regulations are on the way. How you keep your clients' data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6751937667304677252?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6751937667304677252/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6751937667304677252' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6751937667304677252'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6751937667304677252'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/10/blue-suit-red-cape-and-red-boots.html' title='Blue Suit, Red Cape and Red Boots'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8358098129881067614</id><published>2008-09-19T10:31:00.001-07:00</published><updated>2008-09-19T10:31:26.608-07:00</updated><title type='text'>International Talk Like a Pirate Day!</title><content type='html'>Arrrgh!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8358098129881067614?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8358098129881067614/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8358098129881067614' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8358098129881067614'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8358098129881067614'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/09/international-talk-like-pirate-day.html' title='International Talk Like a Pirate Day!'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4116239400649627902</id><published>2008-05-13T10:39:00.000-07:00</published><updated>2008-05-13T11:09:21.443-07:00</updated><title type='text'>Ah, Sweet Mystery</title><content type='html'>Is your data secure? 
&lt;em&gt;How do you know?&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Here is yet another example of data exposed by carelessness and a simple error, and not noticed or reported for quite a long time.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&amp;tsp=1"&gt;From the San Francisco Chronicle:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.&lt;br /&gt;&lt;br /&gt;The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online.&lt;br /&gt;&lt;br /&gt;The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Over 6000 patients' information exposed on the internet for over 3 months! The sad and sorry part is not that the persons affected weren't then notified when it was caught--- that part is simply crummy behavior, and as heinous as that is, it is out of our scope. The real issue is that learning that you are exposed is oftentimes way too late. In this case it was a careless data-mining company, which should have been under a Business Associate's agreement under the HIPAA rules, and been monitored by the Hospital's compliance officer. &lt;br /&gt;&lt;br /&gt;Doing a vanity search on Google and finding your own medical records must be quite a shock. Imagine having one of your customers find something like that... 
something like, say, last year's quarterlies conveniently displayed for the world to peruse.&lt;br /&gt;&lt;br /&gt;So is there a bullet-proof way of making certain that your stuff stays secure? Not really, but there are a number of ways you can protect yourself. For big companies the options are legion, but for smaller companies one of the best is to consolidate your data so that access is generally made through a single source. Online hosting ensures that professional and vigilant care is taken of your data. Like the common cold, there is no cure for idiocy, but knowing that your information is in the hands of people who make it their business to keep it safe, secure, and accessible to only the right people is priceless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4116239400649627902?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4116239400649627902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4116239400649627902' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4116239400649627902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4116239400649627902'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/05/ah-sweet-mystery.html' title='Ah, Sweet Mystery'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2608619366510916431</id><published>2008-04-18T10:52:00.000-07:00</published><updated>2008-04-18T10:55:07.882-07:00</updated><title type='text'>Baby One More Time</title><content type='html'>Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!&lt;br /&gt;&lt;br /&gt;Fire 'em all.&lt;br /&gt;&lt;br /&gt;Really. I am sick of this, because if it happens to celebrities and they catch this many, it means that the rest of us are pretty close to being on public display.&lt;br /&gt;&lt;br /&gt;String 'em up, it'll teach 'em a lesson.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2608619366510916431?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2608619366510916431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2608619366510916431' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2608619366510916431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2608619366510916431'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/04/baby-one-more-time.html' title='Baby One 
More Time'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1526205871258862160</id><published>2008-04-18T10:20:00.000-07:00</published><updated>2008-04-18T10:36:47.354-07:00</updated><title type='text'>Over and over</title><content type='html'>So many times, companies think of the audit process as a needed evil, something to endure then forget. No retailer would think that about inventory, but somehow we tend to think of our data as less valuable, perhaps because it is intangible. It isn't--- your data is your business. &lt;a href="http://www.scmagazineus.com/Changing-a-mindset-Audits-are-no-longer-one-off-events/article/107786/"&gt;Here is what Brian Cote&lt;/a&gt; in SC magazine has to say:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Businesses need to consider data security as a whole, not merely as part of the audit process. This approach not only helps reduce the overall length of the audit process, it eliminates unnecessary vulnerability in the organization—providing a far greater reward than merely passing the audit. After all, if an organization suffers an exploit of security vulnerability, they'll face a far more costly and disruptive scenario than any compliance audit could cause. Without having a holistic approach to data security, organizations are doomed to reinvent the wheel. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;An unchecked and unmonitored system is a vulnerable one. 
Regular reviews, tests and audits help keep the safeguards you have in place effective.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1526205871258862160?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1526205871258862160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1526205871258862160' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1526205871258862160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1526205871258862160'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/04/over-and-over.html' title='Over and over'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4588977392851387464</id><published>2008-03-10T14:51:00.000-07:00</published><updated>2008-03-10T15:13:03.082-07:00</updated><title type='text'>My Way</title><content type='html'>I wanted to say something about Google Health.&lt;br /&gt;I have been watching for some time the various schemes to centralize healthcare records, from Hillary Clinton and Bill Frist's unlikely alliance a couple of years ago to Washington State's efforts (my wife is on the Governor's HISPC Advisory Board, so I have gotten to watch some of the sausage-making close up) and in general I think that it is not only a good idea in theory but that there is a certain practical inevitability to 
it. &lt;br /&gt;Still, when prominent health organizations start considering placing PHI in the hands of the world's largest search engine company, I am a little less enthusiastic. For starters there is no accountability at this point. Google is certainly not a covered entity and for all of their massive and admirable ability to keep, sort and provide information to millions of users across the globe they, like any other company who does business internationally, are susceptible to the whims of the governments of the countries where they do business.&lt;br /&gt;Is my PHI a matter of national security? Of course not, and mine is especially boring; I have enjoyed good health for decades and have suffered from none of the things that might be of concern to anyone. But different countries have different privacy standards, different countries have different legal systems, and I have at least the expectation of privacy, as flimsy as that might be.&lt;br /&gt;As far as I am concerned, the song goes like this: "Not covered by HIPAA? Then you don't get my PHI." 
Period.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4588977392851387464?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4588977392851387464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4588977392851387464' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4588977392851387464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4588977392851387464'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/my-way.html' title='My Way'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5423154689937511198</id><published>2008-03-10T12:58:00.000-07:00</published><updated>2008-03-10T14:50:56.881-07:00</updated><title type='text'>Time After Time</title><content type='html'>&lt;a href="http://www.kten.com/Global/story.asp?S=7914206&amp;nav=menu410_3"&gt;It's about time:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;OKLAHOMA CITY (AP) - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme.&lt;br /&gt;&lt;br /&gt;An indictment alleges Leslie A. Howell violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).&lt;br /&gt;&lt;br /&gt;U.S. Attorney for the Western District of Oklahoma spokesman Bob Troester says the Feb. 
15 indictment was the first in the district for violating HIPAA.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;First in the district? More like nearly the first in the country! Is this part of a new pattern, or just another case of an acorn dropping into the sleeping sow's mouth?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5423154689937511198?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5423154689937511198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=5423154689937511198' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5423154689937511198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5423154689937511198'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/time-after-time.html' title='Time After Time'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3871360327305317949</id><published>2008-03-10T12:37:00.000-07:00</published><updated>2008-03-10T12:53:14.866-07:00</updated><title type='text'>It Wasn't Me</title><content type='html'>&lt;a href="http://www.thepittsburghchannel.com/news/15334586/detail.html"&gt;Oh, please...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;When Team 4 got certain records, the HIPAA enforcement office was supposed to block out the names of all patients who filed the complaints. 
But when Team 4's Paul Van Osdol examined the records, he found nine cases where patient names were disclosed. So, it appears the people in charge of enforcing the medical privacy law failed to follow their own rules.&lt;br /&gt;&lt;br /&gt;Teresa Dimichelle is one of those patients whose names were disclosed. She agreed to talk about it.&lt;br /&gt;&lt;br /&gt;Van Osdol: "The fact that the government failed to protect you, the same government agency that enforces HIPAA laws, what does that tell you?"&lt;br /&gt;&lt;br /&gt;Dimichelle: "That it's all a joke to them. It was about my health care and the way I was being treated. I didn't think it needed go to whoever, Joe Schmoe down the street."&lt;br /&gt;&lt;br /&gt;"That's alarming, and you should be commended for doing that request and uncovering that, because that's something we definitely need to address," said Altmire.&lt;br /&gt;&lt;br /&gt;A spokesman for the Department of Health and Human Services said its disclosure of patient names is not a violation of HIPAA. 
That's because the government agency is not covered by the HIPAA law.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;No, not a violation of HIPAA, just a violation of at least one other privacy law, and common sense, common decency, and especially the public's ability to swallow the lame excuse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3871360327305317949?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3871360327305317949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3871360327305317949' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3871360327305317949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3871360327305317949'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/it-wasnt-me.html' title='It Wasn&apos;t Me'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3794141359354015221</id><published>2008-02-12T11:31:00.000-08:00</published><updated>2008-03-10T15:16:11.346-07:00</updated><title type='text'>Secret Love</title><content type='html'>I have been beating this drum for a long time, about how important it is to make every part of your security and compliance plan workable not just for us geeks, but for every user. 
Here is another thought about classifying information that has occurred to me, but I haven't gotten around to writing about. &lt;a href="http://www.computerweekly.com/Articles/2008/01/16/228945/information-classification-schemes-are-overly-complex-says.htm"&gt;Now I don't have to:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Chief information officers need to take a leading role in setting up formal information classification schemes to stop them over-engineering them to comply with security regulations, according to a report from the Information Security Forum (ISF).&lt;br /&gt;&lt;br /&gt;The ISF said that information classification systems were overly complex. "As a result they rarely deliver business benefits and are often simply ignored," it said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Now me and all my geeky friends just love us some multi-layered processes and classification schemes that look like flow-charts of Merovingian Dynasties, but you know, most people don't. Strange as it may seem, most folks just want to do their jobs, and if you make it too difficult for them, they will bypass your marvelous system, or in the case of data classification, underclassify it to avoid hassling with additional layers of crap. 
Make it easier for them to do the right thing, will ya?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3794141359354015221?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3794141359354015221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3794141359354015221' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3794141359354015221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3794141359354015221'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/02/secret-love.html' title='Secret Love'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6982193104113848576</id><published>2008-02-12T10:41:00.000-08:00</published><updated>2008-02-12T10:52:17.260-08:00</updated><title type='text'>Secret Meetings</title><content type='html'>Outsourced Enforcement? We have seen how well outsourcing has worked with things like disaster relief, so why not &lt;a href="http://healthcare.zdnet.com/?p=627"&gt;take a whack at compliance?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;But I know how much a good PWC auditor costs, and I know how much the average civil service auditor makes. 
I guarantee the latter costs less, unless PWC itself is outsourcing this work to India or someplace.&lt;br /&gt;&lt;br /&gt;And would it be too much to ask for the public, or at least the industry, to get a gander at that contract? On what basis is PWC being paid? What is their incentive? Is it a fixed price per audit, is it hourly, or is it based on the fines they collect?&lt;br /&gt;&lt;br /&gt;The folks at iHealthBeat have another concern. What if PWC has to audit one of its own clients? The government says the company will recuse themselves. Does that mean the audit is then off? Better call PWC, then.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I don't always agree with Dana Blankenhorn, but in this case he is spot on. This raises far too many questions, and simply cannot be cost-efficient.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6982193104113848576?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6982193104113848576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6982193104113848576' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6982193104113848576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6982193104113848576'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/02/secret-meetings.html' title='Secret Meetings'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2327368961222810926</id><published>2008-01-10T11:49:00.000-08:00</published><updated>2008-01-10T11:52:47.086-08:00</updated><title type='text'>Hot Rod Lincoln</title><content type='html'>&lt;a href="http://www.azcentral.com/news/articles/1226sr-mayo1227ON.html"&gt;Passed along without comment:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Mayo Clinic announced Friday that Hansen was no longer practicing at the clinic but would not say whether he resigned or was fired.&lt;br /&gt;&lt;br /&gt;Hansen acknowledged to Mayo administrators that he snapped the picture of Sean Dubowik's penis, which is tattooed with the words "Hot Rod," Mayo said.&lt;br /&gt;&lt;br /&gt;The picture was taken Dec. 11 when Hansen catheterized Dubowik before gallbladder surgery.&lt;br /&gt;&lt;br /&gt;After Hansen told him of the picture, Dubowik, 37, said he "felt betrayed, violated and disgusted."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2327368961222810926?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2327368961222810926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2327368961222810926' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2327368961222810926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2327368961222810926'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/hot-rod-lincoln.html' title='Hot Rod 
Lincoln'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6158752758246669082</id><published>2008-01-10T11:24:00.000-08:00</published><updated>2008-01-10T11:46:34.321-08:00</updated><title type='text'>Every Girl's Crazy 'Bout a Sharp-Dressed Man</title><content type='html'>More Golden Hippo goodness! HIPAA, the only act in the history of the US to cover every public official posterior everywhere!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The American Civil Liberties Union of Middle Tennessee (ACLU-TN) should soon receive the information it has requested to monitor Metro Nashville Public Schools’ standard school attire policy, according to an attorney with the Metro legal department.&lt;br /&gt;&lt;br /&gt;The information request was received by Metro Nashville Public Schools Oct. 15, and ACLU-TN requested a response within 30 days. Metro legal responded on Thursday of last week. Mary Johnston, the Metro legal department attorney heading up the legal side of the response, said the information should be ready for ACLU-TN by next week.&lt;br /&gt;&lt;br /&gt;“We are now awaiting the [information], so all is fine,” said ACLU-TN Executive Director Hedy Weinberg in an e-mail interview.&lt;br /&gt;&lt;br /&gt;Metro Schools spokesperson Woody McMillin said fulfilling school-related public information requests can be time-consuming, given legal restrictions including the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) that add time to public information requests.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So now even dress code compliance records are considered PHI! 
Whatta rule!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6158752758246669082?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6158752758246669082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6158752758246669082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6158752758246669082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6158752758246669082'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/every-girls-crazy-bout-sharp-dressed.html' title='Every Girl&apos;s Crazy &apos;Bout a Sharp-Dressed Man'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7226984230489629828</id><published>2008-01-10T10:48:00.000-08:00</published><updated>2008-01-10T11:18:57.477-08:00</updated><title type='text'>Gone Fishin'</title><content type='html'>While you are carefully guarding the front gates, don't forget you have an enemy who will &lt;a href="http://www.networkworld.com/news/tech/2007/121307-tech-update.html?page=1"&gt;cheerfully come in through the trash chute&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;As long as enterprises rely on ad hoc solutions for disposing of retired IT assets, systems are going to end up in closets and warehouses wasting space until someone decides to get rid of them, often in a dumpster. 
To ensure proper management of old technology, enterprises must work with established IT asset recovery providers that handle the end-to-end process – reverse logistics, software asset inventory analysis and reporting, thorough data destruction, device refurbishment and resale, and finally, recycling. &lt;/blockquote&gt;&lt;br /&gt;We like a bulk erase and five holes through old hard drives. Tapes, paper, and floppies should be shredded. You know the drill :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7226984230489629828?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7226984230489629828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7226984230489629828' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7226984230489629828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7226984230489629828'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/gone-fishin.html' title='Gone Fishin&apos;'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4600968380796405045</id><published>2007-12-11T15:59:00.000-08:00</published><updated>2007-12-11T16:15:55.204-08:00</updated><title type='text'>Song Sung Blue</title><content type='html'>Why is it almost always someone famous that sparks these audits? 
Remember a short while ago when a number of staff were fired or suspended for peeking at Bill Clinton's records? I know it is human nature to be curious about someone who is famous, but celebrities generally are considered to have given up some of their right to privacy, not earned the right to &lt;a href="http://www.wben.com/news/fullstory.php?newsid=08929"&gt;extra enforcement&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Buffalo, NY (WBEN) - In the wake of extensive publicity over Buffalo Bill Kevin Everett's on-field spinal injury, Kaleida Health has disciplined an employee after investigating possible violation of the federal health care privacy rules, known as HIPAA.&lt;br /&gt;&lt;br /&gt;HIPAA (The Health Insurance Portability and Accountability Act of 1996) includes several privacy regulations that severely restrict who can access patient medical records. &lt;br /&gt;&lt;br /&gt;The routine compliance audit found no violation of the federal rules that regulate access to medical records, but did uncover enough of an issue to have one employee suspended, according to sources.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Good for the hospital, but it shouldn't take a special case to remind folks about compliance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4600968380796405045?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4600968380796405045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4600968380796405045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4600968380796405045'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/12768719/posts/default/4600968380796405045'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/song-sung-blue.html' title='Song Sung Blue'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7780085957910278085</id><published>2007-12-07T21:48:00.000-08:00</published><updated>2007-12-07T21:52:38.907-08:00</updated><title type='text'>The Boys are Back in Town</title><content type='html'>Some of you may have noticed that I haven't been updating as often as I used to. Well, I've been pretty busy. My wife ran for office, and I also took a little time and wrote this:&lt;br /&gt;&lt;br /&gt;&lt;!-- Begin DEP Buy Now Code --&gt;&lt;br /&gt;&lt;div  align="center"&gt;&lt;br /&gt;&lt;p&gt;&lt;img src="http://www.doubleedgedpublishing.com/Images_Store/Manth_Store_cov_sm.jpg" alt="" width="93" height="150" border="0" border="0"&gt;&lt;br&gt;&lt;br /&gt;$13.99&lt;/p&gt;&lt;br /&gt;&lt;form id="FormName" action="http://www.doubleedgedpublishing.com/storeBuyDirectRemote.php" method="post" name="FormName" enctype="multipart/form-data" target="_blank"&gt;&lt;br /&gt;&lt;input type="hidden" name="item_ID" value='Manth'&gt;&lt;br /&gt;&lt;input type="submit" name="submitButtonName" value='Buy Manthycore'&gt;&lt;br /&gt;&lt;/form&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;!-- End DEP Buy Now Code --&gt;&lt;br /&gt;&lt;br /&gt;That's right, I wrote a novel, you can buy it, and it is getting great reviews. Check it out--- it is about a woman in Bronze Age Mesopotamia who takes people out into the desert and feeds them to a monster. It's got blood, sword fights, betrayal, sorcery and death. 
You know, a love story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7780085957910278085?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7780085957910278085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7780085957910278085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7780085957910278085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7780085957910278085'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/boys-are-back-in-town.html' title='The Boys are Back in Town'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6104168467920572118</id><published>2007-12-07T21:41:00.000-08:00</published><updated>2007-12-07T21:47:05.295-08:00</updated><title type='text'>Girl in the Mirror</title><content type='html'>This looks like it could have been written by me--- a sweet little rundown of Golden Hippo contenders for worst misuse of HIPAA, by &lt;a href="http://www.roanoke.com/columnists/flowers/wb/138878"&gt;Shanna Flowers of the Roanoke Times&lt;/a&gt;. 
Her centerpiece is this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The latest example is William Byrd High School, where officials this week told an auditorium full of hysterical parents to stand down because there isn't a problem, but golly, if there is, they can't tell you all the facts. Just trust them -- they're doing everything they can.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Kids are sick, but we can't tell you the symptoms, and it isn't serious, but we can't tell you what it is, and it's not contagious, but we can't tell you who it is.&lt;br /&gt;Sheesh!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6104168467920572118?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6104168467920572118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6104168467920572118' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6104168467920572118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6104168467920572118'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/girl-in-mirror.html' title='Girl in the Mirror'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6066430835069561478</id><published>2007-12-07T21:29:00.000-08:00</published><updated>2007-12-07T21:36:10.395-08:00</updated><title type='text'>Doctor My Eyes</title><content 
type='html'>Workplace Wellness programs are starting to look very attractive to many companies that are faced with impossible rises in the cost of benefits. Implementing a stop smoking plan, or providing incentives for workers to live healthier can increase production, reduce sick days, and help to cut the overall healthcare costs of a company. But there are regulatory pitfalls that many don't understand, and find intimidating.&lt;br /&gt;Here is a quick rundown from &lt;a href="http://www.metrocorpcounsel.com/current.php?artType=view&amp;artMonth=November&amp;artYear=2007&amp;EntryNo=7425"&gt;The Metropolitan Corporate Counsel &lt;/a&gt;on the steps employers need to take before embarking on such a program. &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Nonetheless, employers contemplating a workplace wellness program are well advised to consider that conditioning a reduction in health care costs on satisfying a health-related goal, such as actual smoking cessation or meeting a certain cholesterol level, may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Nondiscrimination Rules and/or federal and state discrimination statutes. In addition, regardless of the structure contemplated, employers should consider requirements for wellness programs that may arise under the HIPAA Privacy Rule (45 C.F.R. 
160,164).&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Yeah, it's a little on the dry side, but the information is well presented and worth knowing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6066430835069561478?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6066430835069561478/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6066430835069561478' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6066430835069561478'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6066430835069561478'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/doctor-my-eyes.html' title='Doctor My Eyes'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8801750797145388274</id><published>2007-10-30T16:44:00.000-07:00</published><updated>2007-10-30T16:54:51.826-07:00</updated><title type='text'>Call The Ambulance</title><content type='html'>That HIPAA thingy &lt;a href="http://www.dchieftain.com/news/74953-10-17-07.html"&gt;cuts both ways...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Jaramillo said he plans to sue the city as an entity, and the mayor and councilors individually on grounds violating the Health Insurance Portability and Accountability Act by divulging unpaid ambulance bills, infringing upon his freedom of speech and retaliation 
for whistleblowing...&lt;br /&gt;&lt;br /&gt;Documentation shows Jaramillo divulged his ambulance bills himself at a council meeting, Bhasker said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Self-immolation is one thing, but flaming out like this is amazing. I think he had better get a new lawyer, because from the looks of things, his current one is not serving him very well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8801750797145388274?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8801750797145388274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8801750797145388274' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8801750797145388274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8801750797145388274'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/call-ambulance.html' title='Call The Ambulance'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6286156824754799731</id><published>2007-10-30T16:32:00.000-07:00</published><updated>2007-10-30T16:39:47.985-07:00</updated><title type='text'>Stupid Cupid</title><content type='html'>Now here is a classic &lt;a href="http://www.northjersey.com/page.php?qstr=eXJpcnk3ZjczN2Y3dnFlZUVFeXk1JmZnYmVsN2Y3dnFlZUVFeXk3MjA1ODgwJnlyaXJ5N2Y3MTdmN3ZxZWVFRXl5Mg=="&gt;hunka hunka 
burnin' stupid:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;NORTH BERGEN -- More than two dozen Palisades Medical Center employees have been suspended for violating Oscar winner George Clooney's patient privacy rights after a motorcycle accident in Weehawken last month, hospital officials said.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt;A hospital spokesman would not detail the alleged infractions that led to the monthlong suspensions of 27 workers. But a spokeswoman for the union that represents some of the suspended employees said the violations ranged from workers who accessed Clooney's health records to others who went into his room to shake his hand.&lt;br /&gt;&lt;br /&gt;The suspended workers acted "inappropriately" in accordance with federal patient confidentiality regulations, spokesman Eurice Rojas said.&lt;br /&gt;&lt;br /&gt;"They were suspended for a range of things," Rojas said on Tuesday. "Only direct caregivers should be accessing a patient's file or chart."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I have no sympathy for front line workers who, at this late date, think that it is okay to ogle someone's health info just because they are famous. 
I would also fire the person responsible for their training.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6286156824754799731?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6286156824754799731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6286156824754799731' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6286156824754799731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6286156824754799731'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/stupid-cupid.html' title='Stupid Cupid'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1873080020619440678</id><published>2007-10-30T16:27:00.000-07:00</published><updated>2007-10-30T16:30:20.085-07:00</updated><title type='text'>Open Season On My Heart</title><content type='html'>It is the HIPAA excuse season, and boy howdy are they &lt;a href="http://www.pressofatlanticcity.com/news/local/atlantic_city/story/7506403p-7404120c.html"&gt;thick on the ground&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;ATLANTIC CITY - Federal health law experts said health privacy laws are confusing, but should not keep city officials from revealing where the resort's mayor is.&lt;br /&gt;Mayor Bob Levy's last official duty came last Wednesday, when he signed seven ordinances into 
law. Since then he, and his black city-issued Dodge Durango, have apparently vanished.&lt;br /&gt;&lt;br /&gt;His attorney and city officials have said since Thursday he was in an undisclosed hospital receiving unspecified treatment. In the meantime, Business Administrator Domenic Cappella has served as acting mayor.&lt;br /&gt;&lt;br /&gt;With Levy's absence, the city has been beset by rumors of imminent resignations tied to an ongoing federal investigation into his military record. City Council members have said they believe Levy has abandoned his post and have sought state help replacing him.&lt;br /&gt;&lt;br /&gt;Adding to the problem is that top city officials say they know where he is, but providing more information would run afoul of the 1996 federal Health Insurance Portability and Accountability Act, commonly called HIPAA.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Under Federal investigations? Hide, say you are sick, and claim HIPAA rules prevent anyone from finding out where you are! 
This one has Golden Hippo written all over it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1873080020619440678?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1873080020619440678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1873080020619440678' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1873080020619440678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1873080020619440678'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/open-season-on-my-heart.html' title='Open Season On My Heart'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1920428402033577937</id><published>2007-10-30T16:14:00.000-07:00</published><updated>2007-10-30T16:22:59.186-07:00</updated><title type='text'>How We Operate</title><content type='html'>Here is an excellent run-down on setting up secure passwords from fellow CISSP and IT security &lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1274371,00.html"&gt;blogger Joel Dubin:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;At the heart of compliance is access management and authentication. And at the heart of authentication are user IDs and passwords. 
Despite their many weaknesses and the availability of multifactor authentication technologies, the venerable user ID and password combo remains the centerpiece of access to many corporate systems. &lt;br /&gt;Rather than tearing up network plumbing for new-fangled devices, like one-time password (OTP) tokens and smart cards, many companies have opted to strengthen their existing password systems to keep compliant with audit and compliance regulations and standards, including Sarbanes-Oxley, HIPAA, FFIEC and PCI DSS. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It doesn't have to be a big deal, and you don't have to spend a ton of money. Just spend a little time in training and reminding users of how it is done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1920428402033577937?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1920428402033577937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1920428402033577937' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1920428402033577937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1920428402033577937'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/how-we-operate.html' title='How We Operate'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3622451780029596635</id><published>2007-10-30T16:09:00.000-07:00</published><updated>2007-10-30T17:04:05.862-07:00</updated><title type='text'>Take That &amp; Party</title><content type='html'>&lt;a href="http://www.firefightingnews.com/article-US.cfm?articleID=38576"&gt;Damn skippy!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Attorney General Van Hollen's well-researched legal opinion provides a valuable public service by clearing up confusion and explaining that federal HIPAA law does not enable local and state government officials to keep records secret if they should otherwise be open," Stanley said. &lt;br /&gt;&lt;br /&gt;"In this case, a local fire department had refused to provide information about a public employee who crashed his truck into a sign and was arrested for drunk driving. The taxpayers who pay for his salary, for the truck he was driving and for the auto and liability insurance - as well as the people who live in the neighborhoods he was driving drunk through - deserve to know that information."&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Like every other abused law, HIPAA has a special place in the heart of public officials who are less than fond of the public spotlight. HIPAA is not a shield law for cronies and incompetence; it is to protect individuals' rights of privacy. 
Take that, public servant!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3622451780029596635?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3622451780029596635/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3622451780029596635' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3622451780029596635'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3622451780029596635'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/damn-skippy-attorney-general-van.html' title='Take That &amp; Party'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7625819562353652877</id><published>2007-10-30T15:52:00.000-07:00</published><updated>2007-10-30T16:00:23.781-07:00</updated><title type='text'>They're Red Hot</title><content type='html'>Some days the stupid burns so hotly you can &lt;a href="http://www.billingsgazette.net/articles/2007/09/27/news/wyoming/48-hippa.txt"&gt;warm your attic with it:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"You can't look at your own records or any family member records unless there is a clinical need to do so," Braccino said. 
"If you are doing so just because they are there and you have a private interest, you are violating HIPAA regulations and patient confidentiality."&lt;br /&gt;&lt;br /&gt;Trustee Shelbie Bershinsky said many of the employees probably looked at their own medical records with harmless intent.&lt;br /&gt;&lt;br /&gt;"I've been in health care 19 years and I, until today, I didn't think there was anything wrong with me looking at my records," she said. "I now know that I shouldn't do that."&lt;br /&gt;&lt;br /&gt;Hospital compliance officer Dean Jessup said HIPPA regulations, including the prohibition against viewing one's own medical records, are posted at each of the hospital's time clocks.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Your medical records are yours. There is no provision in HIPAA preventing you in any way from viewing your own PHI. None. There may very well be a regulation in that facility's HIPAA compliance policy against it, but it is nowhere to be found in the Act itself.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7625819562353652877?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7625819562353652877/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7625819562353652877' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7625819562353652877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7625819562353652877'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/theyre-red-hot.html' title='They&apos;re Red 
Hot'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1206749089982226229</id><published>2007-10-07T18:44:00.000-07:00</published><updated>2007-10-07T18:47:13.922-07:00</updated><title type='text'>Insecurity Alert</title><content type='html'>&lt;a href="http://money.cnn.com/news/newsfeeds/articles/newstex/IBD-0001-19726732.htm"&gt;Headlines like this scare me:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;These Notebook PCs Aren't A Security Risk&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Nope. Even though they carry no data, there is no such thing. This particular item is a wireless thin client, and though they don't carry any data, &lt;em&gt;they connect through wireless networks!&lt;/em&gt; What part of wireless network goes with "Aren't a Security Risk?"&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1206749089982226229?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1206749089982226229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1206749089982226229' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1206749089982226229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1206749089982226229'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/insecurity-alert.html' title='Insecurity 
Alert'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7330262390243548337</id><published>2007-10-07T18:36:00.000-07:00</published><updated>2007-10-30T17:06:46.424-07:00</updated><title type='text'>Whisper in Blindness</title><content type='html'>More and more I am starting to believe that &lt;a href="http://www.aishealth.com/Bnow/hbd092007.html"&gt;email is the biggest blind spot &lt;/a&gt;in most systems:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;One slip-up can become a whopper. For example, a Palm Beach County, Fla., health department statistician and epidemiologist mistakenly attached a list containing more than 6,000 names of HIV/AIDS patients to an e-mail in 2005. The message was sent to 800 of the department's 900 employees.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It is so easy to hit send without giving any thought, and that is just the most likely &lt;em&gt;innocent&lt;/em&gt; breach. Most people have web-based email accounts like Hotmail, GMail, or Yahoo Mail. Because these are web-based, it is nearly impossible to control what goes out via them. One alternative, of course, is to block access to these webmail providers, but there are so many and users are so clever at circumventing blocks and safeguards that it is almost impossible to make this bulletproof. 
Training is a solution, of course, but not a cure, because if your users are careless or malicious they will ignore you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7330262390243548337?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7330262390243548337/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7330262390243548337' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7330262390243548337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7330262390243548337'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/whisper-in-blindness.html' title='Whisper in Blindness'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-342890243885367626</id><published>2007-10-07T18:33:00.000-07:00</published><updated>2007-10-07T18:35:14.214-07:00</updated><title type='text'>Anatomy of Your Enemy</title><content type='html'>&lt;a href="http://www.healthcareitnews.com/story.cms?id=7789"&gt;See? It's not just me:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Apgar noted that while there are technological solutions that claim to harden records against vulnerabilities, it might be a mistake to focus too much on outside threats. "Eighty percent of all security breaches come from your people," he said. "It's not the hackers." 
&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Don't ignore the barbarians at the gates, but pay closer attention to the enemy within!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-342890243885367626?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/342890243885367626/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=342890243885367626' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/342890243885367626'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/342890243885367626'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/anatomy-of-your-enemy.html' title='Anatomy of Your Enemy'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6285370101320847263</id><published>2007-10-07T17:56:00.000-07:00</published><updated>2007-10-07T18:03:36.949-07:00</updated><title type='text'>Get That Clear</title><content type='html'>&lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=standards_and_legal_issues&amp;articleId=9036778&amp;taxonomyId=146&amp;intsrc=kc_feat"&gt;Quote of the day:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;On the opposite end of the spectrum are those less-enlightened companies that chose to go with "CNN is our IDS" and that only learn that their networks were compromised 
when the news shows up in the media. Don't be those guys.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Just say no to CNN!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6285370101320847263?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6285370101320847263/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6285370101320847263' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6285370101320847263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6285370101320847263'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/get-that-clear.html' title='Get That Clear'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2465750829678125534</id><published>2007-09-13T12:08:00.000-07:00</published><updated>2007-09-13T12:13:17.705-07:00</updated><title type='text'>No, No, No, No</title><content type='html'>Ha! This is really pushing the HIPAA envelope--- that a hospital name is protected under HIPAA! Talk about a prime &lt;a href="http://www.earthtimes.org/articles/show/news_press_release,176775.shtml"&gt;Golden Hippo candidate&lt;/a&gt;!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Gunther Slaton, President of GSI states ...  
"GSI is engaged in a project with nine separate hospitals and are working on due diligence for analysis and funding for healthcare accounts receivable. This is part of the ever- increasing market share for GSI for funding of receivables in the $2-trillion+ healthcare market. The names are withheld due to confidentiality requirements and HIPAA rules. Progress reports will be made as this project moves forward. We can categorically state that this project involves the largest amount of receivables for a single project in the history of GSI."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I am guessing that there either isn't really all that many hospitals involved, that the deal isn't really done, or that there is some other factor that makes them want to hide the name of the hospitals. Any of these reasons are likely, but if I were an investor, I'd be asking why the folks in this deal have so little understanding of regulations that they deal with every single day.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2465750829678125534?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2465750829678125534/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2465750829678125534' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2465750829678125534'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2465750829678125534'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/no-no-no-no.html' title='No, No, No, No'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7011599870090785596</id><published>2007-09-13T12:03:00.000-07:00</published><updated>2007-09-13T12:05:31.889-07:00</updated><title type='text'>Testify</title><content type='html'>Another thing to &lt;a href="http://www.computerworld.com/blogs/node/6163"&gt;tattoo on your forehead&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;If you have the job of making your company compliant, remember this: compliance is NOT a technology project.  It involves so much more.  It takes diligence and hard work.  Don't get into the checkbox mentality.  There is no quick fix.  Don't believe the companies that give quick paths to becoming compliant.  They don't work.  And don't assume that you don't need help.  This is not an easy task, even for smaller companies.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Not a goal, a &lt;em&gt;process&lt;/em&gt;!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7011599870090785596?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7011599870090785596/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7011599870090785596' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7011599870090785596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7011599870090785596'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/testify.html' 
title='Testify'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4118976351387745502</id><published>2007-09-13T11:59:00.000-07:00</published><updated>2007-09-13T12:02:19.435-07:00</updated><title type='text'>Walking Shoes</title><content type='html'>Sometimes no matter what you do, &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9035159"&gt;stupid wins:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;strong&gt;Covered entities are responsible &lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Council of Community Clinics (CCC) in San Diego ought to ponder that difference as it deals with the aftermath of its recent breach. Jon Paul Oson, a former network administrator with privileged access, quit his job after a disagreeable performance evaluation. He then allegedly gained access to the CCC systems two months later, disabled the backup systems and then systematically destroyed patient data. For this, Oson faces an indictment (download PDF), a fine of up to $500,000 and a career reduced to a pile of ash. [Just the career? Not if the affected patients get hold of him, I'd bet. -- Ed.] &lt;br /&gt;&lt;br /&gt;Oson's the bad guy, obviously, but CCC is not out of the woods. An astute Computerworld reader asked, "Where is the line about the company he hacked being fined for HIPAA violations?" and noted that "if they were doing everything they were supposed to be doing, he [w]ould not have been able to get access ... after being terminated" and that they would have been "monitoring their logs and caught the fact that the backup wasn't working correctly." 
&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;How in the world can an administrator leave the building after termination and still be able to access systems? This is beyond stupid; it is transcendently irresponsible.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4118976351387745502?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4118976351387745502/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4118976351387745502' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4118976351387745502'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4118976351387745502'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/walking-shoes.html' title='Walking Shoes'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5879896507711262985</id><published>2007-09-13T11:19:00.000-07:00</published><updated>2007-09-13T11:22:05.749-07:00</updated><title type='text'>Sing, sing, sing</title><content type='html'>&lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=security&amp;articleId=9032858&amp;taxonomyId=17&amp;intsrc=kc_feat"&gt;Music to my ears:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Our software is HIPAA (SOX, etc.) 
compliant."&lt;br /&gt;&lt;br /&gt;No, it's not.&lt;br /&gt;&lt;br /&gt;Many security standards, such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, include requirements for the implementation and operation of a system. These detail the actual practice of protecting sensitive data, not just the type or design of security controls.&lt;br /&gt;&lt;br /&gt;Proper security controls in a piece of software can support compliance with HIPAA, Sarbanes-Oxley or other regulatory requirements, but a direct claim of compliance-in-a-box is laughable. There's no way to box up a proven-compliant life cycle into an unimplemented piece of software without incorporating your data and experience.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;This article is golden. Absolutely a must read for anyone lost in the dark forest of regulatory confusion.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5879896507711262985?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5879896507711262985/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=5879896507711262985' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5879896507711262985'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5879896507711262985'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/sing-sing-sing.html' title='Sing, sing, sing'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5904979271065937701</id><published>2007-09-13T11:02:00.000-07:00</published><updated>2007-09-13T11:05:52.432-07:00</updated><title type='text'>Only the Lonely</title><content type='html'>It is nice to find I am not alone--- I'm not the only one who has become less than popular by insisting on having a &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=300758"&gt;minimum level of security&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;We allowed laptops until last year, when one news story after another told about laptops that had gone missing. They often held data such as patients’ names and Social Security numbers. The case of the missing Veterans Administration laptop alone was enough to curl your hair if you’re in charge of securing similar information. &lt;br /&gt;&lt;br /&gt;The Lucky Few &lt;br /&gt;&lt;br /&gt;Now, only systems administrators and a few chiefs trained in laptop security have laptops. Even then, they can’t synchronize their My Documents folders from the network drive to the laptop. Protected data remains within the protected network.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Read the whole article, then read the comments. Setting high standards will catch you flak, even from those not affected. 
But you &lt;em&gt;will&lt;/em&gt; sleep at night.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5904979271065937701?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5904979271065937701/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=5904979271065937701' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5904979271065937701'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5904979271065937701'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/only-lonely.html' title='Only the Lonely'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4206484947744808572</id><published>2007-09-13T10:44:00.000-07:00</published><updated>2007-09-13T10:46:27.439-07:00</updated><title type='text'>The times they are a'changing</title><content type='html'>Okay, slackers, &lt;a href="http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1268985,00.html"&gt;your happy time is over:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Measured subjectively, Runyon estimates that 60% of health care providers are compliant with HIPAA's security standards. 
A survey last summer of 220 health care providers and insurance companies by the Healthcare Information and Management Systems Society and Phoenix Health Systems showed that only 56% are complying with the security requirements.&lt;br /&gt;&lt;br /&gt;Runyon said ambiguity was built into the HIPAA security regulations on purpose to make them less onerous and encourage adoption. But now that organizations have had a couple years to implement best practices and security technologies, he expects enforcement to increase in the next two to five years, which will "put some teeth into this rule." &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Enforcement is coming--- I know you have heard this before, but time really is running out. Don't wait for it to start to rain before you build your ark.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4206484947744808572?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4206484947744808572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4206484947744808572' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4206484947744808572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4206484947744808572'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/times-they-are-achanging.html' title='The times they are a&apos;changing'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7124156863719449271</id><published>2007-09-13T10:28:00.000-07:00</published><updated>2007-09-13T10:33:15.740-07:00</updated><title type='text'>I Owe My Soul (to the Company Store)</title><content type='html'>I'm not very worried about the potential for privacy abuse here (though given the history of company abuse of employee health info I probably should be), &lt;a href="http://news.enquirer.com/apps/pbcs.dll/article?AID=/20070815/BIZ03/708150331/1076"&gt;but this seems a little creepy to me&lt;/a&gt;, for reasons I can't quite identify:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;As companies try to rein in rising health care costs, workers in many industries are dealing with on-site health clinics. Large employers including Toyota Motor Co., Pepsi Bottling Group, Credit Suisse and Sprint Nextel have set up or expanded on-site health clinics in recent years.&lt;br /&gt;&lt;br /&gt;Workers aren't forced to use these company clinics, but companies provide financial incentives including lower co-pays, deductibles and an ability to see the on-site doctor on company time.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I think providing an on-site health clinic is actually a good idea, but it would seem less big-brotherly if the clinics were run by independent third parties. 
Am I being paranoid here, or do you feel like it would be too weird to have your employer potentially have access to your health info?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7124156863719449271?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7124156863719449271/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7124156863719449271' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7124156863719449271'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7124156863719449271'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/i-owe-my-soul-to-company-store.html' title='I Owe My Soul (to the Company Store)'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5847402822093249043</id><published>2007-09-13T10:23:00.000-07:00</published><updated>2007-09-13T10:27:27.913-07:00</updated><title type='text'>Run Around Sue</title><content type='html'>Nope. 
HIPAA is a power so great that it can only be used for good, or evil, but it &lt;a href="http://health.cch.com/news/medicaid/081707a.asp"&gt;won't do this:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;An Ohio federal court has ruled that the confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA) do not excuse Ohio's Medicaid agency from disclosing patient information in a class action to enforce Medicaid's early and periodic screening, diagnosis and treatment (EPSDT) requirements&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Like everything else that is little understood and big and scary seeming, HIPAA is just too tempting to hide behind, especially if you are a public servant hoping to avoid scrutiny. From the beginning the courts have been able to penetrate this veil of privacy, but it hasn't stopped folks from trying.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5847402822093249043?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5847402822093249043/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=5847402822093249043' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5847402822093249043'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5847402822093249043'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/09/run-around-sue.html' title='Run Around Sue'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3608265800918593603</id><published>2007-08-15T10:56:00.000-07:00</published><updated>2007-08-15T10:59:06.849-07:00</updated><title type='text'>How Can I Miss You</title><content type='html'>Regulars to this site will have noticed that my posting has been light lately. I have been working on a fairly lengthy paper on compliance transparency and it has been taking far too much of my HIPAA energy. It should be done sometime next week, and then I'll be back to my usual irregular posting :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3608265800918593603?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3608265800918593603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3608265800918593603' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3608265800918593603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3608265800918593603'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/08/how-can-i-miss-you.html' title='How Can I Miss You'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8591123720569241424</id><published>2007-08-15T10:54:00.000-07:00</published><updated>2007-08-15T10:56:19.628-07:00</updated><title type='text'>Blinded by the Light</title><content type='html'>Here is what people say when they have been &lt;a href="http://www.wilx.com/news/headlines/8842482.html"&gt;terrified by HIPAA training&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;You know you can go to jail," firefighter Jim Robertson told the Potterville-Benton Township Fire Board. "You know you can go to jail if you have a HIPAA (federal privacy law) violation."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Yeah, except nobody ever has.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8591123720569241424?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8591123720569241424/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8591123720569241424' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8591123720569241424'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8591123720569241424'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/08/blinded-by-light.html' title='Blinded by the Light'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3075878064616123248</id><published>2007-08-15T10:46:00.000-07:00</published><updated>2007-08-15T11:03:29.489-07:00</updated><title type='text'>Too Much Love</title><content type='html'>Interesting piece by Phillip Alexander in &lt;a href="http://www.securitypark.co.uk/security_article259824.html"&gt;Security Park &lt;/a&gt;titled "The Dangers of Too Much Data Privacy"-- while I don't entirely agree with him, he brings up some good points.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The private sector as a whole has not always been responsible stewards of the non-public personal information that consumers entrust to them. It is axiomatic that when the private sector fails to act responsibly, the public sector will enact regulations to mandate changes in behavior. The slew of highly publicized data breaches and the accompanying public outcry are at least partially responsible for the stampede of data privacy laws passed in recent years.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;By the way, just in general Security Park has some cool stuff.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3075878064616123248?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3075878064616123248/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3075878064616123248' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3075878064616123248'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3075878064616123248'/><link rel='alternate' type='text/html' 
href='http://complywithme.blogspot.com/2007/08/too-much-love.html' title='Too Much Love'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8554195413949409473</id><published>2007-07-16T11:46:00.000-07:00</published><updated>2007-07-16T11:53:12.137-07:00</updated><title type='text'>Fear the Reaper</title><content type='html'>Because, you know, if we continue with HIPAA the terrorists win. From a letter to the editor of the &lt;a href="http://www.app.com/apps/pbcs.dll/article?AID=/20070716/OPINION/707160314/1032"&gt;Asbury Park Press:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Finding terrorist cells in the British health care industry is disturbing, because it exposes those doctors as criminals intending to cause mass murder. Al-Qaida is recruiting people from nations such as India and Pakistan who work within the industry. The easy access and knowledge doctors have of dangerous biological agents, chemicals and drugs poses a new threat.&lt;br /&gt;&lt;br /&gt;Medical terrorists also have access to private information in our medical records. In cases of our recovering soldiers, they see the wounds inflicted that make them unfit for further duty.&lt;br /&gt;&lt;br /&gt;The medical reports of millions of Americans are routinely sent over the Internet to India and Pakistan to be typed or transcribed. Most Americans are unaware the doctor treating them here is sending their private medical history and treatment record to India to be typed. 
Depending on the turnaround time, your medical report already may be somewhere in India before you return home from treatment.&lt;br /&gt;&lt;br /&gt;Once these private medical reports leave the United States via the Internet, they enter a cyber-system, where the medical information can be passed from one company to another within a business chain. Your doctor may not know where the medical dictation finally ends up downloaded to a foreign computer to be typed or transcribed.&lt;br /&gt;&lt;br /&gt;All of this is legal under the less-than-adequate medical privacy law called HIPAA. The solution to this crisis is simple: Don't allow our personal medical information to leave the jurisdiction of the U.S. court system. Plenty of qualified medical transcribers live here, where it is easier to maintain privacy and trace the path of this sensitive information.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;There are so many things wrong with this I don't have the energy to fully rebut them. Leaving aside the delusional nature of the thing and concentrating on HIPAA, the writer is of course mistaken. PHI in India is still under jurisdiction of US courts via Business Associate Agreements, which make at least the US based sides responsible for the conduct of their foreign counterparts.&lt;br /&gt;&lt;br /&gt;Now there are boogymen under every hospital bed. 
Sheesh.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8554195413949409473?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8554195413949409473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8554195413949409473' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8554195413949409473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8554195413949409473'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/07/fear-reaper.html' title='Fear the Reaper'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8045179292435025023</id><published>2007-07-16T11:02:00.000-07:00</published><updated>2007-07-16T11:29:11.320-07:00</updated><title type='text'>One Clear Moment</title><content type='html'>Great article on EHR from &lt;a href="http://govhealthit.com/article103140-07-16-07-Print"&gt;Government Health IT:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;At the same time, he acknowledged that simply building security features into a system doesn’t ensure that the data will be protected if no one reviews the logs, insists that passwords be changed regularly and so on. &lt;br /&gt;&lt;br /&gt;“Everyone in this field of privacy and security acknowledges that the weak link is humans and their training,” Leavitt said. 
“So you get a false sense of security. You look at the features and you’re quite impressed, but most breaches occur because of human problems.… It’s very important to recognize that the human component — the training component and the policy component — is as important or more important than the software features. You never want to focus only on these technical features.”&lt;br /&gt;&lt;br /&gt;In the same vein, most of the people interviewed for this article mentioned the need for HHS to more strongly enforce HIPAA rules. The department enforces the rules only when someone complains. When HHS discovers violations, officials have chosen to work with the offenders to bring them into compliance rather than take them to court.&lt;br /&gt;&lt;br /&gt;Without more rigorous enforcement, critics say, the public will have little confidence that health care providers are actually using audit trails and other EMR security features. Runyon noted approvingly that in March the HHS inspector general undertook an audit of an Atlanta hospital’s compliance with HIPAA’s security rules. It was the agency’s first such audit, but the IG is reportedly planning more.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Among other things, it discusses the Nationwide Health Information Network and health information exchanges (HIEs), also known as regional health information organizations, and their role in disclosure and auditing. My wife is on the Governor's Commission on this in our state, and I have been following it with great interest. 
As I know more, I'll report.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8045179292435025023?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8045179292435025023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8045179292435025023' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8045179292435025023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8045179292435025023'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/07/one-clear-moment.html' title='One Clear Moment'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8148751191565012250</id><published>2007-07-02T14:54:00.000-07:00</published><updated>2007-07-02T15:13:18.687-07:00</updated><title type='text'>Mr. Postman</title><content type='html'>From the comments faaaaar below:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Anonymous said... &lt;br /&gt;My friend works for a large health insurance company and her daughter works at one of the insurance company's key accounts. The daughter sent the mother an email one day asking for some information about a key account coworker. The mother replied that the daughter's request, which had the last name and date of birth of coworker, tripped the PHI filter on the email and the mother had to delete the request. 
The daughter resends the request with the information 'hidden' within a song of silly words and asks if the stupid filters caught the last name and date of birth that time. The mother replies that it didn't. The mother fabricates a response to the daughter so she would stop asking for this information. A day later the mother was fired from her job because human resources said that she had violated HIPAA. How can HIPAA be violated when the mother did not use the name and date of birth and fabricated her response? HR will not look up the key account woman's information because they claim they would be in violation of HIPAA based on the reason that they have no need to know if real/false medical information was given because their perception of what the mother did is more than necessary for them to have fired her. Is this really how HIPAA works or is someone misreading the rule? Thank you in advance for helping. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;As a professionally paranoid security guy I must say that this looks like an attempt to circumvent the safeguards in place. To an outsider this looks like a test run. The mother's best course of action (if truly innocent) was to firmly tell the daughter no, and explain why it was not appropriate to ask, and really not appropriate to try to game the PHI filters. Made-up data has an even worse potential for damaging the privacy of the individual than real data. If they were truly innocent of planning skullduggery, then they are both extremely guilty of poor judgment and disregard for the rules. &lt;br /&gt;Can't blame this one on HIPAA--- the mother was guilty of circumventing the protections set in place, breaking the security rules of the insurance company, and playing fast and loose with the patient's PHI, fabricated or not. 
And yes, HR had no reason to review the real PHI, which would have definitely violated the patient's privacy.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8148751191565012250?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8148751191565012250/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8148751191565012250' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8148751191565012250'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8148751191565012250'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/07/mr-postman.html' title='Mr. Postman'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-546928484495686516</id><published>2007-06-15T12:16:00.000-07:00</published><updated>2007-06-15T12:22:31.079-07:00</updated><title type='text'>Save My Grave</title><content type='html'>Wow! Another great "Golden Hippo" nominee for creative use of HIPAA. This time it is Nebraska Attorney General Jon Bruning, who has declared that numbered markers on graves from the state mental hospital from over a century ago cannot be identified by name, because of HIPAA. 
&lt;a href="http://www.mccookgazette.com/story/1214437.html"&gt;The McCook Daily Gazette disagrees:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;We understand Nebraska Health and Human Services' reluctance to release patient information -- most of us wouldn't want such information about ourselves to be made public. &lt;br /&gt;&lt;br /&gt;But we have seen HIPAA used as an excuse for all sorts of obstruction, from the condition of accident victims to the location of a house fire. &lt;br /&gt;&lt;br /&gt;We have to question the need to conceal the name or date of death for someone who died nearly 120 years ago, especially to people who only want to trace their family trees. &lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-546928484495686516?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/546928484495686516/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=546928484495686516' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/546928484495686516'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/546928484495686516'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/06/save-my-grave.html' title='Save My Grave'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7418523925067930174</id><published>2007-06-15T12:06:00.000-07:00</published><updated>2007-06-15T12:14:07.044-07:00</updated><title type='text'>Send in the Clowns</title><content type='html'>&lt;a href="http://www.acorn-online.com/news/publish/greenwich/18807.shtml"&gt;Security is a strategy, not a policy!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A box left in a trash bin could end up leaving some local doctors a little lighter in the wallet.&lt;br /&gt;&lt;br /&gt;The Greenwich Post was given a box filled with medical documents from the Dearfield Medical Building that may have been improperly disposed of. The box was discovered at 4 Dearfield Drive inside a trash bin in May and contains information about lab tests and insurance approvals as well as other medical issues. These documents are not medical charts, but do contain patient names and contact information.&lt;br /&gt;&lt;br /&gt;According to the United States Department of Health and Human Services, under the privacy regulations for the Health Insurance Portability and Accountability Act (HIPAA), documents such as the ones in the trash bin are supposed to be kept confidential and then shredded when disposed of, not just thrown out in a box.&lt;br /&gt;&lt;br /&gt;While it was not confirmed from which office at the medical building all the documents originated, the names of Alfred Padilla and Judith Goldberg-Berman, who run an endocrinology practice in the building, appear frequently on the documents.&lt;br /&gt;Dr. Padilla spoke to Greenwich Post on Tuesday and expressed surprise that the documents had not been shredded. He said it was the practice’s policy to make sure all medical documents were properly disposed of.&lt;br /&gt;&lt;br /&gt;“We take HIPAA very seriously,” Dr. Padilla said. 
“In general we will shred everything we throw away.”&lt;br /&gt;&lt;br /&gt;Dr. Padilla said there were some documents that were kept in a room at the practice to be shredded, but hadn’t yet been. He speculated that the cleaning crew at the building might have accidentally disposed of them.&lt;br /&gt;&lt;br /&gt;“We have a pile of boxes to be shredded,” Dr. Padilla said. “If the cleaning people came and took the box, mistaking it for garbage, that would have been what happened... My suspicion is that one of our shredding boxes ended up in the trash bin. That’s the only theory I can come up with.”&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Sheesh. Who'da ever thunk that cleaning people might mishandle patient records?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7418523925067930174?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7418523925067930174/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7418523925067930174' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7418523925067930174'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7418523925067930174'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/06/send-in-clowns.html' title='Send in the Clowns'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3277719265658067028</id><published>2007-06-15T11:40:00.000-07:00</published><updated>2007-06-15T12:03:00.733-07:00</updated><title type='text'>Fight For All The Wrong Reasons</title><content type='html'>&lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=privacy&amp;articleId=9024921&amp;taxonomyId=84"&gt;I TOLD you so!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;An audit of Atlanta's Piedmont Hospital that was initiated by the U.S. Department of Health and Human Services in March is raising concerns in the health care industry about the prospect of more enforcement actions related to the data security requirements of the federal HIPAA legislation. &lt;br /&gt;&lt;br /&gt;The audit was the first of its kind since the Health Insurance Portability and Accountability Act's security rules went into effect in April 2005, joining data privacy mandates that were already in place. The security rules require organizations that handle electronic health data to implement measures for controlling access to confidential medical information and protecting it against compromise and misuse.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;If your management has been slacking on compliance, it is time to read them this article from Computer World. Enforcement is the new black; the free ride is over. I absolutely agree with Barry Runyon:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The mere fact that an audit of HIPAA security compliance was conducted for the first time has many in the health care industry preparing for more enforcement actions, according to Barry Runyon, an analyst at Gartner Inc. "I don't think Piedmont was an anomaly," he said. 
"My sense is that there is going to be more feet on the street from HHS going on unannounced audits."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Good grief, we in this industry have had plenty of time to get our acts together, and most of the provisions are nothing more than best practices anyway.&lt;br /&gt;&lt;br /&gt;Please, please, please do not be the next hospital, clinic, or other covered entity that I write about here. Get compliant!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3277719265658067028?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3277719265658067028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3277719265658067028' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3277719265658067028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3277719265658067028'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/06/i-told-you-so-audit-of-atlantas.html' title='Fight For All The Wrong Reasons'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4714904170629392664</id><published>2007-06-13T11:32:00.000-07:00</published><updated>2007-06-13T11:42:11.292-07:00</updated><title type='text'>If Everyone Cared</title><content type='html'>From another forum where I am a moderator comes this question from someone worried 
about IT security: &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;I was asked this question, and I'm not quite sure how to answer it. Where does one turn when they see a complete disregard and lack of importance in the compliance for HIPAA security. The privacy rules are basically followed. But on the technology side, they have policies in place that are just not followed, upper management has stated behind closed doors that HIPAA and security really aren't that important. There really is no one who is the HIPAA security officer. HR is the HIPAA privacy officer. And no one in the healthcare facility will take the issues seriously - even when approached by their own IT about its importance. &lt;br /&gt;Where do they turn, and how do they go about it while keeping their job&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;The problem is, of course, that enforcement has been criminally lax. But with the recent change in power comes a new emphasis on enforcement, and there are going to be covered entities that are going to become the big, awful example. In the past very little was done when someone was found to be out of compliance, but recent news suggests that the tide is turning. &lt;br /&gt;One of the most compelling reasons to follow the HIPAA security rules is that they are generally best practices anyway. The time to protect yourself is not after you have already been exposed. &lt;br /&gt;All it would take would be for there to be a big data loss, with PHI exposed, and those same scofflaws would be scrambling to save their behinds. And the goat would be the IT guy--- no matter the final outcome, the first instinct of those in charge is to blame underlings, and nobody likes IT people anyway. &lt;br /&gt;The process is complaint driven, which means that someone has to rat them out first. The good news is that any affected person can complain, which in practice means just about anybody. 
&lt;br /&gt;I would suggest the hair-on-fire approach, pointing out to the beancounters that the exposure is real, the dangers are extreme, and the risk to their jobs, the economic strength of the facility, and the possible irreparable PR disaster of a major data loss is not in any way worth not following procedures. &lt;br /&gt;Of course, it is important to make certain that the procedures and policies don't interfere with the business at hand. Healthcare frontliners are notoriously hostile to extra steps that seem to make their primary mission more difficult. Your procedures need to be as transparent to the end user as possible, or they will be disregarded, bypassed or ignored. &lt;br /&gt;The person may be able to convince management of the possible financial risks involved, as money seems to motivate. They may also volunteer to be the champion on this, as sometimes the only reason things don't happen is nobody wants to bell the cat. &lt;br /&gt;Of course, without the buy-in of top management, this is all moot, because every organization is like a fish, in that it rots from the head down. Without a security officer, and absent help from on high, there is not much to be done. 
&lt;br /&gt;Good luck on this!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4714904170629392664?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4714904170629392664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4714904170629392664' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4714904170629392664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4714904170629392664'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/06/from-another-forum-where-i-am-moderator.html' title='If Everyone Cared'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8690600282525302400</id><published>2007-05-22T10:06:00.000-07:00</published><updated>2007-05-22T10:54:13.289-07:00</updated><title type='text'>Three Of A Perfect Pair</title><content type='html'>&lt;a href="http://media.www.smudailycampus.com/media/storage/paper949/news/2007/04/30/News/Health.Center.Fails.To.Diagnose.Serious.Illness-2887577.shtml"&gt;HIPAA as a PR Shield:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;Javier Espinosa, a senior at SMU, recently came within two hours of dying. 
Doctors at Methodist Hospital in Dallas saved his life with an emergency liver transplant.&lt;br /&gt;&lt;br /&gt;While Espinosa initially went to SMU's Memorial Health Center to be treated and diagnosed for his cold-like symptoms, he said the health center is not equipped with proper resources to diagnose and treat severe cases.&lt;br /&gt;&lt;br /&gt;"The health center can't recognize and [doesn't] really know how to handle hard-core cases like mine," Espinosa said.&lt;br /&gt;&lt;br /&gt;Espinosa said he expected the health center to offer advice and guidance when they were unable to diagnose his symptoms. However, staff at the health center said very little and did not suggest going to a hospital.&lt;br /&gt;&lt;br /&gt;"I expected the health center to be more responsible," he said. "It was obvious my test results were off the chart and they weren't like 'Go and see a doctor in this hospital,' and they should have."&lt;br /&gt;&lt;br /&gt;The health center had no comment regarding Espinosa's case and referred questions to SMU's Assistant Director of News &amp;amp; Communications, Robert Bobo.&lt;br /&gt;&lt;br /&gt;Bobo said that Espinosa's case cannot be talked about unless he signs a contract releasing the school from HIPAA or FERPA. HIPAA is the Health Insurance Portability and Accountability Act and according to the online U.S. Department of Health and Human Services it's the "national standards to protect the privacy or personal health information." FERPA is the Family Educational Rights and Privacy Act. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.jems.com/Columnists/Maggiore/articles/285084/"&gt;HIPAA as interpreted by the Three Stooges:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;So, we all trooped in to the county’s selected health care provider for TB testing. I really didn’t know exactly what was supposed to be done and presumed that the Occupational Medicine Center we went to did. Wrong. 
I came to find out that while half of us received the appropriate testing, the other half received misinformation. And our second test was done way too soon, necessitating a third test. Further, I found out that we were treated as “new hires” in a big hospital rather than acute EMS exposures. After several weeks of attempting to deal with the situation as Jane Q. Paramedic, I was still unable to convince the hospital to give me a copy of my own medical records, despite executed HIPAA releases and dozens of phone calls. Seems you have to get your medical records from somewhere six states away. Then, they sent me all of my medical records for the last 10 years, with the exception of the one for the exposure, which was the only one I requested. They also sent me a big bill for the copies. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://scottsdale.injuryboard.com/general-personal-injury/statutes-and-rules-that-require-mandatory-disclosure-of-medical-records-violate-hippa.php?googleid=8447"&gt;And finally, HIPAA as the New Sheriff in Town:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Arizona requires mandatory disclosure of medical records in medical malpractice cases and, amazingly, is currently considering a change to mandatory arbitration procedures to require the same thing. As we have often explained, these provisions violate HIPAA, the comprehensive federal scheme that provides essential privacy rights for medical records.&lt;br /&gt;&lt;br /&gt;The voice of reason is finally kicking in: the Georgia Supreme Court recently struck down their statute requiring mandatory disclosure of medical records in medical malpractice cases citing HIPAA preemption. 
The decision basically holds that the Georgia statute's failure to include provisions required by HIPAA, such as "the HIPAA requirement of notice of the right to revoke" or "the failure to require a specific and meaningful identification of the information to be disclosed and the failure to provide for an expiration date or a sufficient expiration event," makes the Georgia invalid in light of the preemptive effect of HIPAA.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8690600282525302400?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8690600282525302400/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8690600282525302400' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8690600282525302400'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8690600282525302400'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/05/hipaa-as-pr-shield-javier-espinosa.html' title='Three Of A Perfect Pair'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6991125957416161426</id><published>2007-04-29T09:29:00.000-07:00</published><updated>2007-04-29T09:31:06.797-07:00</updated><title type='text'>I Made My Excuses and Left</title><content type='html'>&lt;a 
href="http://www.cio.com/article/102750/The_ROI_of_Noncompliance_in_the_Mid_Market"&gt;No more excuses:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The same swing can be seen with other laws. Twenty-five percent of large companies are not compliant with California’s security breach notification law but only 14 percent of midsize companies are not compliant. Midsize companies are less compliant when it comes to the Health Insurance Portability and Accountability Act, or HIPAA (27 percent of midsize companies are noncompliant versus 21 percent of large companies).&lt;br /&gt;&lt;br /&gt;The reason, as usual, is money. Sarbanes-Oxley and HIPAA compliance is more complicated and expensive than, for example, GLBA compliance. But the mid-market’s excuse that it doesn’t have the money to comply may be becoming obsolete. According to Mark Lobel, a PricewaterhouseCoopers advisory partner specializing in security, the price is dropping for technologies that help companies comply with security and privacy laws. 
With affordable tools coming onto the market that can sniff out the data you need to protect, excuses from mid-market CIOs that it’s too expensive to comply with Sox and other laws will no longer work, Lobel asserts.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6991125957416161426?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6991125957416161426/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6991125957416161426' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6991125957416161426'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6991125957416161426'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/i-made-my-excuses-and-left.html' title='I Made My Excuses and Left'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6221772961112059841</id><published>2007-04-29T08:48:00.000-07:00</published><updated>2007-04-29T09:10:08.057-07:00</updated><title type='text'>Mo Money, Mo Problems</title><content type='html'>&lt;a href="http://wistechnology.com/article.php?id=3868"&gt;AAAAAAAAArrrrrrgggggg!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Attorney David Hanson, a partner in Michael Best &amp; Friedrich and chairman of its healthcare practice group, noted there are people in the health field who think 
the industry already is spending too much time and money on patient data security - thanks to regulations like the Health Insurance Portability and Accountability Act.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Too much time and money? Yeah, like there haven't been any data breaches lately in the health-care sector. Only if you are spending your money stupidly. Only if your time is spent trying to find ways to just barely comply, as a part of a general CYA policy concerning compliance.&lt;br /&gt;&lt;br /&gt;Show me a properly designed and fully supported patient data security system. Then bitch about too much time and money. Anybody who thinks this deserves whatever exposure to lawsuit they get. &lt;br /&gt;&lt;br /&gt;&lt;strong&gt;"It's a strategy, not a policy!"&lt;/strong&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6221772961112059841?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6221772961112059841/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6221772961112059841' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6221772961112059841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6221772961112059841'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/mo-money-mo-problems.html' title='Mo Money, Mo Problems'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2943749239278614190</id><published>2007-04-29T08:39:00.000-07:00</published><updated>2007-04-29T08:48:12.387-07:00</updated><title type='text'>Days of Our Wives</title><content type='html'>You know, this HIPAA thing often seems to lead in completely unexpected directions. Who would have ever guessed that a boring collection of medical regulations would somehow connect with the trial for &lt;a href="http://www.sltrib.com/news/ci_5737673"&gt;statutory rape of a notorious cult leader&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A 5th District judge has ordered a media coalition seeking to unseal a secret petition issued in the prosecution of polygamous sect leader Warren S. Jeffs to submit to the court briefs addressing issues of the leader's privacy rights under HIPAA, the Health Insurance Portability and Accountability Act of 1996. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;You know, it used to be if I wanted to be left alone on a long flight, when the person in the seat next to me asked what I did, I told them I was a HIPAA consultant and offered to tell them all about it. They would immediately feign fatigue, and be fake-snoring in minutes. 
But if this sort of thing keeps happening, I'll be wearing wrap-around shades and travelling with an entourage.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2943749239278614190?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2943749239278614190/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2943749239278614190' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2943749239278614190'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2943749239278614190'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/days-of-our-wives.html' title='Days of Our Wives'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3754114932594922675</id><published>2007-04-29T08:18:00.000-07:00</published><updated>2007-04-29T08:39:40.511-07:00</updated><title type='text'>Hat too Flat</title><content type='html'>At a recent speech in Washington DC, Google's Adam Bosworth set forth a bunch of stuff planned for Google Health, described as likely to be a “simple, sloppy solution” as befitting the Google way of doing business. 
All of it sounded pretty good, except when he unleashed &lt;a href="http://www.worldhealthcareblog.org/2007/04/24/mr-google-comes-to-washington/"&gt;this whopper&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Google is trying to lay the groundwork to have HIPAA overturned, and short of that would like to educate providers and patients about how to get at their information even within the constraints of current laws. They’d like to see consumers have the ability to review and challenge their records as is the case with credit bureau information &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Ummm.... this is already a right under HIPAA--- Mr. Bosworth seems to have been talking through his hat.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3754114932594922675?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3754114932594922675/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3754114932594922675' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3754114932594922675'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3754114932594922675'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/at-recent-speech-in-washington-dc.html' title='Hat too Flat'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6330289490393323507</id><published>2007-04-04T14:19:00.000-07:00</published><updated>2007-04-04T14:26:00.210-07:00</updated><title type='text'>Stupid Things</title><content type='html'>How in the world can &lt;a href="http://www.securecomputing.net.au/news/47656,major-us-medical-services-company-loses-75-000-personal-files.aspx"&gt;this still happen&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Empire Blue Cross and Blue Shield, a division of WellPoint, a medical services company in the US, has begun notifying 75,000 members that a compact disc holding their personal and medical information has been lost, according to published reports.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;The personal data was stored on an unencrypted CD&lt;/strong&gt; &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Not one day passes that there isn't another report of ID theft or something similar, so awareness must surely be there. Encryption software is cheap, easy to use and ubiquitous. There are thousands of us out there talking ourselves blue in the face about this stuff.&lt;br /&gt;Johns Hopkins had a similar issue lately, but the data was encrypted, so no problem. 
&lt;br /&gt;How can this still happen?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6330289490393323507?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6330289490393323507/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6330289490393323507' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6330289490393323507'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6330289490393323507'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/stupid-things.html' title='Stupid Things'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-182435346205568041</id><published>2007-04-04T13:30:00.000-07:00</published><updated>2007-04-04T13:34:53.043-07:00</updated><title type='text'>Highway Rain</title><content type='html'>&lt;a href="http://www.cleveland.com/news/plaindealer/index.ssf?/base/news/1175079463258360.xml&amp;coll=2"&gt;Shred, please.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Hundreds of confidential documents from the Cleveland Clinic littered Interstate 77 on Tuesday after blowing off the back of a garbage truck. &lt;br /&gt;&lt;br /&gt;Clinic spokeswoman Eileen Sheil said "almost all" of the 300 to 500 documents were recovered from the area of Fleet Avenue. 
&lt;br /&gt;&lt;br /&gt;The documents are employees' performance reviews and patients' results from the cardiology laboratory, Sheil said. &lt;br /&gt; &lt;br /&gt;The federal Health Insurance Portability and Accountability Act requires patient documents to be shredded, which these were not. &lt;br /&gt;&lt;br /&gt;"&lt;strong&gt;Procedures were not followed&lt;/strong&gt;," Sheil said. Clinic officials are investigating who was responsible. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Uh huh.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-182435346205568041?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/182435346205568041/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=182435346205568041' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/182435346205568041'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/182435346205568041'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/highway-rain.html' title='Highway Rain'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4229519771833199643</id><published>2007-04-04T13:19:00.000-07:00</published><updated>2007-04-04T13:28:44.855-07:00</updated><title type='text'>The First Cut Is The Deepest</title><content type='html'>ID theft is a huge problem, and when it involves medical 
records, the outcome can sometimes be deadly. But see if you can see &lt;a href="http://www.dailycitizen.com/articles/2007/03/28/news/medicaltheft.txt"&gt;the problem with this:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;HIPAA also addressed security and privacy of health data, encouraging the widespread use of electronic data interaction.&lt;br /&gt;&lt;br /&gt;The danger, however, comes when a thief uses a fraudulent identification to seek health treatment. His history - allergies, blood type, and treatment record - then becomes part of the data stored in the system, and can affect the care of the actual person.&lt;br /&gt;&lt;br /&gt;“That's when they start giving me the wrong blood,” Jennings said, adding grimly. “I know a surgeon in Warsaw, Ind., that's removed an appendix from the same person five times.”&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Five times? At what point do you notice something wrong? And who in the world is yanking so many appendices, anyway? What sort of patient population would allow for this? And how many is too many? Do you cut them off at some point? 
"Sorry, this coupon has a limit of three per customer."&lt;br /&gt;Somehow I think someone is exaggerating for effect, don't you?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4229519771833199643?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4229519771833199643/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4229519771833199643' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4229519771833199643'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4229519771833199643'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/first-cut-is-deepest.html' title='The First Cut Is The Deepest'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-370743748542782869</id><published>2007-04-04T13:05:00.000-07:00</published><updated>2007-04-04T13:19:18.115-07:00</updated><title type='text'>I Write the Songs</title><content type='html'>Gotta love a guy who heads his posts with song titles! &lt;a href="http://de.pennnet.com/display_article/288376/54/ARTCL/none/none/Paper-Doll/"&gt;This piece, titled Paper Doll&lt;/a&gt;, is a quick rundown on the various technologies available at low cost to help you get a little closer to that goal of a paperless office, dental style.&lt;br /&gt;Most small practices don't have anybody to ramrod changes. 
New technology usually happens as something breaks. There are some relatively painless steps to friendlier processes, though, and if they are less expensive and easy to implement, then they are both more likely to find their way into use, and less likely to be bypassed by the end users as being too much trouble or getting in the way of care.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-370743748542782869?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/370743748542782869/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=370743748542782869' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/370743748542782869'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/370743748542782869'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/i-write-songs.html' title='I Write the Songs'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-905425495737612924</id><published>2007-04-04T10:42:00.000-07:00</published><updated>2007-04-04T10:47:35.276-07:00</updated><title type='text'>One (Hu)man, One Vote Remix</title><content type='html'>From the comments on the post below about the pharmacy worker who was using patient records for her husband's political campaign:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;pharmdatamining said... 
&lt;br /&gt;She lives near me.&lt;br /&gt;I'm changing pharmacies now! Doh! &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;My wife is a candidate for city council of the city in which we reside. I promise not to pirate anyone's information for her fundraising activities :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-905425495737612924?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/905425495737612924/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=905425495737612924' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/905425495737612924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/905425495737612924'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/one-human-one-vote-remix.html' title='One (Hu)man, One Vote Remix'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3310876138846184473</id><published>2007-04-04T10:31:00.000-07:00</published><updated>2007-07-19T15:12:12.288-07:00</updated><title type='text'>I Fought the Law</title><content type='html'>Let's see if I can make sense of this: a woman was admitted to the hospital, told the folks there that her husband had pushed her, hospital calls police. All normal stuff. 
But then the woman decides she doesn't want to talk to the police, and the hospital staff decides HIPAA does not allow them to let the police in to interview the woman. The police come back with an obstruction of justice warrant, and arrest the case manager. Woman goes home, police never talk to her. Obstruction charges are later dropped, but the arrested case manager &lt;a href="http://www.katc.com/Global/story.asp?S=6318694"&gt;sues for false arrest&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Melancon threw out the lawsuit, saying the federal Health Insurance Portability and Accountability Act does not block officers from getting information about a crime, and noting that the officers had obtained a warrant for Maier's arrest, meaning that a judge had found probable cause for the charge. He said that provides protection against accusations of false arrest.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It seems like everyone got caught in the machine, here. The police certainly needed to respond to the domestic violence call, and the patient's privacy was protected. In some states the domestic violence laws are strict enough that the cops would not have been allowed any discretion. But even though the charges were dropped, no one ever is edified by being escorted out of their place of employment in handcuffs. 
&lt;br /&gt;Reading between the lines, I suspect this may have been a motivator:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Maier's attorney, Paul Marx, said Maier was far from the only person who told police that they could not give them the woman's name, but may have been the most vocal.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;*Thanks for catching the typo, Jason!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3310876138846184473?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3310876138846184473/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3310876138846184473' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3310876138846184473'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3310876138846184473'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/04/i-fought-law.html' title='I Fought the Law'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1272896135593487257</id><published>2007-03-09T16:46:00.000-08:00</published><updated>2007-03-09T16:57:54.858-08:00</updated><title type='text'>Mr. Postman</title><content type='html'>From the comment section, below:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Anyone, please point me to right direction. My niece married to a doctor who later turned out to be a jerk. 
My niece finally gave up and filed for divorce. While the divorce is still pending he disclosed some very sensitive health information of her wife to like half of the town. Somebody told us to file a HIPAA complaint but we are not sure if it falls under that law? where to start from and what should we expect from HIPAA's end?&lt;br /&gt;Thanks in advance for your help.&lt;br /&gt;Regards&lt;br /&gt;Ray &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;HIPAA will only apply if the doctor was also her caregiver. Information gathered and shared as a spouse is not covered, and the fact of his being a doctor will not automatically make him a covered entity.&lt;br /&gt;Although things are looking better, enforcement has been very lax under the current administration. You might inquire, though, and other local privacy laws may apply.&lt;br /&gt;The complaint process is here:&lt;br /&gt;http://www.hhs.gov/ocr/privacyhowtofile.htm&lt;br /&gt;Good Luck!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1272896135593487257?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1272896135593487257/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1272896135593487257' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1272896135593487257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1272896135593487257'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/mr-postman.html' title='Mr. 
Postman'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-584180041710164615</id><published>2007-03-02T09:42:00.000-08:00</published><updated>2007-03-02T09:49:57.404-08:00</updated><title type='text'>Easy Does It</title><content type='html'>&lt;a href="http://www.cutawaysecurity.com/blog/archives/112#comment-3040"&gt;Here is what happens &lt;/a&gt;when HIPAA training happens in a calm and sensible manner:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Although people might complain about HIPAA requirements I no longer feel that they have a leg to stand on. There is nothing outrageous in these requirements (except maybe one or two really quirky things) and the only real problem will be the way that the auditors interpret the HIPAA standards and how they are applied within an organization. Of course this is true of any standard. There will always be a negotiation of the level of protections compared to the risks involved. My personal feeling is that through HIPAA we have a standard, an overall policy, that is applicable to these specific organizations. We can point to these standards when the organization fails to adequately protect the sensitive information with which they are entrusted. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;See? 
It wasn't that difficult, now was it?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-584180041710164615?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/584180041710164615/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=584180041710164615' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/584180041710164615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/584180041710164615'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/easy-does-it.html' title='Easy Does It'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4824873432212768379</id><published>2007-03-01T15:01:00.000-08:00</published><updated>2007-03-01T15:36:07.060-08:00</updated><title type='text'>One (hu)'man One Vote</title><content type='html'>&lt;a href="http://www.sun-sentinel.com/news/local/broward/sfl-sdaniapublix01mar01,0,7442719.story?coll=sfla-news-broward"&gt;This is wrong &lt;/a&gt;in so many ways! Professional breach, HIPAA violation and most likely election law violation too. 
(My wife is a candidate for city council here on the opposite corner of the country, and while state laws vary, the allowable sources of voter information are usually pretty narrow.)&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In her zeal to drum up votes for her husband, Loretta Jason said she used the customer list at Publix's pharmacy, where she works, to get the unlisted home number of a Dania Beach family to ask for their votes in the city's Feb. 13 primary&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I have a great deal of sympathy for the poor lady, who after all was just trying to help her husband make a difference. Still, some pretty poor judgement on her part, poor enough that I tend to think she wasn't entirely unaware, and perhaps just didn't think she would get caught.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4824873432212768379?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4824873432212768379/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4824873432212768379' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4824873432212768379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4824873432212768379'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/one-human-one-vote.html' title='One (hu)&apos;man One Vote'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3248126412617250151</id><published>2007-03-01T14:31:00.000-08:00</published><updated>2007-03-01T14:35:16.659-08:00</updated><title type='text'>Street Fighting Man</title><content type='html'>Yes, HIPAA does mandate the assault of photographers, if Mr. Moon is to be believed:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt; During the pandemic drill on November 30, Mr. Sharpe approached news photographer Chip Moon from behind without warning, grabbed the photographer's arm and pulled him across the room to a Hudson police officer, demanding that the officer confiscate Mr. Moon's equipment and destroy any images in his camera. &lt;br /&gt;      The Independent had assigned Mr. Moon to photograph the event and had received advance clearance from the county Health Department. When a Health Department official at the site confirmed that Mr. Moon was authorized to be at the event, Mr. Sharpe left the room without any explanation.&lt;br /&gt;      According to the stipulation, in addition to serving a 30-calendar-day suspension without pay and issuing a statement expressing regret for his actions, Mr. Sharpe waives any right to a hearing. He acknowledges that he was offered the opportunity to consult with an attorney. &lt;br /&gt;      In his statement, Mr. Sharpe says at the time of the incident he had received a radio message that there was a breach of security by a photographer inside the school. "Due to the fact that established protocol was altered, I was unaware that the photographer had been given access and permission to take photos," he writes. "Being mindful of HIPAA rules and regulations, my actions were two-fold: 1) to protect the privacy of the person receiving the flu inoculation and 2) to protect the County from possible Federal HIPAA Law violation." 
HIPAA refers to the federal Health Insurance Portability and Accountability Act, part of which protects the confidentiality of patient records.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It is gratifying to learn that, as much as I love HIPAA and all of the many things it allows, there is someone out there even more concerned about the privacy of others, enough so that he was ready to throw his body in the path of the rogue photographer in question and manhandle him away from the exposed vaccinationees!&lt;a href="http://www.zwire.com/site/news.cfm?newsid=17886584&amp;BRD=248&amp;PAG=461&amp;dept_id=462341&amp;rfi=6"&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3248126412617250151?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3248126412617250151/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3248126412617250151' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3248126412617250151'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3248126412617250151'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/street-fighting-man.html' title='Street Fighting Man'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4432558533907575484</id><published>2007-03-01T14:23:00.000-08:00</published><updated>2007-03-01T14:24:55.353-08:00</updated><title type='text'>Start Me Up</title><content type='html'>&lt;strong&gt;Jury returns guilty verdict in first HIPAA trial&lt;/strong&gt;&lt;br /&gt;The owner of a Florida claims handling company has been convicted of conspiracy to commit fraud, computer fraud, identity theft related to the use of patient information from a local medical clinic, and violating the Health Insurance Portability and Accountability Act (HIPAA) through wrongful disclosure of personally identifiable health information. This HIPAA prosecution was the first HIPAA violation case that has gone to trial in the U.S., according to the Department of Justice (DOJ).&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Identity theft and Medicare fraud.&lt;/strong&gt; Fernando Ferrer, Jr., the owner of Advanced Medical Claims, Inc., purchased patient information from a former Cleveland Clinic employee. According to the indictment, the clinic employee accessed the clinic's computer system to download the personal identification information of more than 1,100 of the clinic's patients and sold the information to Ferrer. Ferrer then provided the information to others who used it to file fraudulent claims for Medicare reimbursement. The theft resulted in the submission of more than $7 million in fraudulent Medicare claims, with approximately $2.5 million paid to providers and suppliers.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Possible sentence.&lt;/strong&gt; At sentencing, Ferrer faces statutory maximum prison terms of five years on the conspiracy count, five years on the computer fraud count, ten years on the wrongful disclosure of individually identifiable health information count, and two years on each count of aggravated identity theft. 
In addition, he may be required to pay fines totaling $750,000.&lt;br /&gt;&lt;br /&gt;DOJ Press Release, Jan. 24, 2007. &lt;a href="http://health.cch.com/news/healthcare-compliance/021607a.asp"&gt;From CCH Healthcare&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4432558533907575484?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4432558533907575484/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4432558533907575484' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4432558533907575484'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4432558533907575484'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/start-me-up.html' title='Start Me Up'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6130149336722038522</id><published>2007-03-01T13:51:00.000-08:00</published><updated>2007-03-01T14:16:06.267-08:00</updated><title type='text'>What's Goin' On</title><content type='html'>Can anybody make sense of this? Something is off, but there just isn't enough information as to &lt;a href="http://sfreporter.com/articles/publish/outtake-021407-diagnosis-unclear.php"&gt;what exactly is going on:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;In one case, Mary Dykton, a rehab patient at St. 
Vincent since her 2003 elective open-heart surgery in Albuquerque, came to know and respect Andermann over the course of regular visits to the hospital gym. When Andermann departed suddenly for England, Dykton asked gym staff for news about Andermann and her father’s health. In doing so, she told one hospital staffer “that I knew what was going on.” Dykton says her comment was in reference to Andermann’s father’s health. But it was interpreted to mean that Dykton, a patient, knew about the hospital’s disciplinary action against Andermann. &lt;br /&gt;&lt;br /&gt;In a Jan. 8 letter to St. Vincent CEO Alex Valdez, Dykton refutes the allegation that Andermann ever divulged inappropriate information to her. According to Dykton, Valdez has yet to respond to the letter.&lt;br /&gt;&lt;br /&gt;Another former cardiac rehab patient, Santa Fe attorney Jeff Brannen, became a gym regular “because you get to know the people who work there, not because the gym is a great place.”&lt;br /&gt;&lt;br /&gt;But after Andermann approached Brannen “as a friend” for a lawyer referral, “Someone there from cardio rehab recognized me as a patient, and apparently by giving her the name of another attorney, that somehow constituted independent grounds for termination,” Brannen says, shaking his head in disbelief. 
&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6130149336722038522?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6130149336722038522/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6130149336722038522' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6130149336722038522'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6130149336722038522'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/03/can-anybody-make-sense-of-this.html' title='What&apos;s Goin&apos; On'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7340786672484995540</id><published>2007-02-09T11:43:00.000-08:00</published><updated>2007-02-09T11:54:38.838-08:00</updated><title type='text'>Ducks On The Wall</title><content type='html'>Claire Martin from the Denver Post was kind enough to email me with this bit of info:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"...HIPAA was invoked when an official here said we couldn't photograph some dead wild ducks, whose deaths may be connected to a wastewater treatment system, because of HIPAA. &lt;br /&gt;Which seemed to me like an incredibly elastic interpretation of HIPAA..."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Elastic indeed! 
This official really does deserve some recognition; this is cya taken to dizzyingly artistic heights. And as our latest entry in the &lt;strong&gt;"HIPAA Made Me Do It"&lt;/strong&gt; it may be the benchmark against which all others must measure themselves. This is looking to be a banner year.&lt;br /&gt;&lt;br /&gt;More as I am able.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7340786672484995540?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7340786672484995540/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7340786672484995540' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7340786672484995540'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7340786672484995540'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/02/ducks-on-wall.html' title='Ducks On The Wall'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3115572686206647810</id><published>2007-01-24T22:00:00.000-08:00</published><updated>2007-01-24T22:13:59.345-08:00</updated><title type='text'>Dead And Bloated</title><content type='html'>A timely and timeless piece on &lt;a href="http://www.s-ox.com/feature/detail.cfm?articleID=2251"&gt;"privilege bloat":&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Large organizations have to manage high staff mobility 
and turnover. Access requirements of employees and contractors change rapidly as they are re-assigned from one position to another. When users try to access something that they need to do their job, and get an 'access denied' error message, they call the help desk, figure out what's missing, and get it fixed. In other words, processes for granting new privileges to users may not be friendly or timely, but they are always reliable. &lt;br /&gt;&lt;br /&gt;The same cannot be said of privilege deactivation. When was the last time a user in your organization called the security administration desk and asked that an old ID or group membership be removed? In reality, users may forget that they have the old privilege, may not understand the security infrastructure or may simply hoard old privileges "just in case." &lt;br /&gt;&lt;br /&gt;The net result of unreliable and/or untimely access termination processes is that users accumulate inappropriate security rights. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I often go into a small to medium organization and find an entire archaeology of former employees and changed current employees subsumed into the system. My favorite is when an employee is signing on to the "Assistant's" account, with the same password and username as the last five holders of that position. In small and medium organizations, a hired gun like me can ask a few questions and clean it up. In a large company, there may not be anyone who knows for certain about required rights and privileges, or even a current master list of users.&lt;br /&gt;I know, you are asking yourself---"How can this be? Is there really any organization that is so careless that there are such gaping holes in their security?"&lt;br /&gt;Well Timmy, here is the sad answer: There are a lot of them. 
And they have your personal information, lurking right there on their insanely insecure systems, just begging to be accessed by an unauthorized and ethically-challenged user.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3115572686206647810?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3115572686206647810/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3115572686206647810' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3115572686206647810'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3115572686206647810'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/dead-and-bloated.html' title='Dead And Bloated'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8249424965732600555</id><published>2007-01-24T21:50:00.000-08:00</published><updated>2007-01-24T22:00:18.252-08:00</updated><title type='text'>The Young Offender's Mum</title><content type='html'>It has to be an &lt;a href="http://www.unionleader.com/article.aspx?headline=When+privacy+rules+cuff+police&amp;articleId=e65b9494-a789-4571-8a8c-ed6b621e26f2"&gt;election year in Allenstown &lt;/a&gt;New Hampshire:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Allenstown Police Chief Shaun Mulholland on Monday warned residents to beware of a "sexually dangerous" person who had 
moved into town. If Mulholland revealed the person's name, he would be violating federal law.&lt;br /&gt;&lt;br /&gt;The vague warning has caused widespread fear throughout the small town of 5,000, as Mulholland has said he knew it would. But the chief has also said he felt the option of remaining silent was unacceptable.&lt;br /&gt;&lt;br /&gt;"I had to weigh the risks of the fear that would be created with the fear that somebody would get hurt," Mulholland told the New Hampshire Union Leader earlier this week. "And I had to take that risk. If I did nothing and, God forbid, something happened to one of our residents, that would (be) intolerable."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;This, of course, is fear-mongering plain and simple. Sex offender notices are regularly sent out in nearly every state. HIPAA is very clear when it comes to public safety disclosures. &lt;br /&gt;In the same article, an official comments to the effect that this whole privacy thing may have gone too far. 
This, and a police levy are most likely the real impetus behind this ridiculous piece of drivel.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8249424965732600555?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8249424965732600555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8249424965732600555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8249424965732600555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8249424965732600555'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/young-offenders-mum.html' title='The Young Offender&apos;s Mum'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7917848254876385759</id><published>2007-01-24T21:34:00.000-08:00</published><updated>2007-01-24T21:43:19.105-08:00</updated><title type='text'>Band Aid Covers the Bullet Hole</title><content type='html'>The post below is from a response to this piece from the blogs on &lt;a href="http://www.computerworld.com/blogs/node/4383"&gt;ComputerWorld:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;When I see PCI or HIPAA programs, the motivating factor seems to be CYA tied to executive or market accountability. That is, if there is a breach, affected parties want to know that the organization took every reasonable precaution. 
That’s when compliance with specific sections of PCI or HIPAA comes in handy.&lt;br /&gt;&lt;br /&gt;We are now on the threshold of more regulations. It is very clear that governments cannot mandate how organizations secure confidential information. The attacks and defense technologies just change too rapidly for any such regulations to be effective for long (like PCI requiring an IDS). New statutes for such things as data encryption or identity theft should use executive and market accountability as the enforcement hammers. Let the businesses adapt and innovate over time as threats and risks evolve. Anything else is doomed to be unproductive without improving security one iota.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;CYA? Damn Skippy! What little HIPAA compliance I see is entirely the result of CYA; in fact, it is a large part of my consulting pitch. And while we have gone through a long period of lax or non-existent enforcement, the pendulum is clearly swinging back. Best we all be thinking about C'ing our A's.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7917848254876385759?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7917848254876385759/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7917848254876385759' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7917848254876385759'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7917848254876385759'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/band-aid-covers-bullet-hole.html' title='Band Aid Covers the Bullet 
Hole'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2534404180663349940</id><published>2007-01-24T21:26:00.000-08:00</published><updated>2007-01-24T21:34:22.130-08:00</updated><title type='text'>Cut Hands Has The Solution</title><content type='html'>Hard to argue with &lt;a href="http://www.computerworld.com/blogs/comment/reply/4392"&gt;this:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;When I evaluate a "solution", I am thinking circles around the vendor because information security is a complicated, multi-layered beast.  If a vendor came in, who was very well versed in the legislation, and in the security arena, and understood what their solution actually did as a part of the total solution,  I would listen.  So far, I've just not been that impressed and maybe that is why compliance vendors are wondering "how little market demand there is for HIPAA and PCI compliance solutions". &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Compliance is a subset of security. And Michael's New Rule of Security is this: "It's A Strategy, Not Just A Policy." 
Or a piece of software.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2534404180663349940?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2534404180663349940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2534404180663349940' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2534404180663349940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2534404180663349940'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/cut-hands-has-solution.html' title='Cut Hands Has The Solution'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3619173031866288591</id><published>2007-01-09T14:59:00.000-08:00</published><updated>2007-01-09T15:04:23.548-08:00</updated><title type='text'>It Wasn't Me</title><content type='html'>Oh sure. Now not only can you use HIPAA to excuse just about anything you can torture into congruence, you can torture HIPAA itself to prove that you are not actually responsible for any actual violation, and of course without enforcement, who is to say you are wrong? 
From the &lt;em&gt;Wall Street Journal&lt;/em&gt;, via &lt;a href="http://www.kaisernetwork.org/daily_reports/rep_index.cfm?DR_ID=41861"&gt;Kaisernetwork.com &lt;/a&gt;--&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The Journal profiled attorney Patricia Galvin, who was denied disability benefits after her health insurer, UnumProvident, accessed notes from psychotherapy sessions at Stanford Hospital &amp; Clinics. According to the Journal, UnumProvident said the notes indicated that Galvin was not "too injured to work" after she was involved in a car accident and applied for long-term disability leave. UnumProvident had asked Galvin to sign a broad release to access her basic medical records, which included some of the psychotherapist's notes about Galvin that Stanford had scanned into its computer records system. Galvin has filed a lawsuit against Stanford and UnumProvident for violating medical privacy laws, among other issues, under the federal Health Insurance Portability and Accountability Act. HIPAA includes added protection for mental health records, but Stanford in court papers said that "psychotherapy notes that are kept together with the patient's other medical records are not defined as 'psychotherapy' notes under HIPAA." 
&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3619173031866288591?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3619173031866288591/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3619173031866288591' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3619173031866288591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3619173031866288591'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/it-wasnt-me.html' title='It Wasn&apos;t Me'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5505555599227867860</id><published>2007-01-09T14:39:00.000-08:00</published><updated>2007-01-09T14:51:52.209-08:00</updated><title type='text'>Live and Let Die</title><content type='html'>A chilling and sobering report from &lt;a href="http://www.bankrate.com/brm/news/insurance/20070105_medical_identity_theft_a1.asp"&gt;Bankrate.com:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Financial identity theft might wound your wallet, but medical identity theft can kill you.&lt;br /&gt;&lt;br /&gt;Medical identity theft occurs when criminals obtain information such as a health insurance identification or Social Security number and use it to get health care or to obtain reimbursement from insurers and others for false claims. 
That means your medical history and health care records can include someone else's information. This can be life threatening: for example, causing a transfusion of the wrong blood type. &lt;br /&gt;&lt;br /&gt;"People can die from this crime," says Pam Dixon, executive director of the World Privacy Forum, a privacy rights group. "It is a potentially huge issue. It's an incredibly intransigent problem and victims are finding that they have to sue health care providers to have their records corrected."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Pay attention--- you are not just exposing yourself to legal liability by sloppy record handling, you could cost someone their life.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5505555599227867860?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5505555599227867860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=5505555599227867860' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5505555599227867860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5505555599227867860'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/01/chilling-and-sobering-report-from.html' title='Live and Let Die'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6599776521111840184</id><published>2006-12-20T14:33:00.000-08:00</published><updated>2006-12-20T14:54:11.255-08:00</updated><title type='text'>Stench From The Dumpster</title><content type='html'>&lt;a href="http://www.sltrib.com/news/ci_4810228"&gt;A follow up&lt;/a&gt; on the Salt Lake dumpster dive story: it seems that it is shoot the messenger time:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The lawsuit filed Wednesday against KSL alleges its coverage was inaccurate. &lt;br /&gt;    "It wasn't a Dumpster, it was a recycling bin," said Brenda Flanders, a lawyer representing the company. "And it wasn't 20 feet from the sidewalk." &lt;br /&gt;    The bin was "out of the public domain" and its contents are collected by a company that shreds the documents inside, the lawsuit asserts. "At no time is the recycle bin subject to public dissemination," it claims. &lt;br /&gt;    Sheryl Worsley, managing editor of KSL Newsradio, said the station stands by its story. "The records were accessible to anyone," she said in a statement. "We found them in plain view, near a busy street, in an open recycling dumpster just 20 feet from the sidewalk and right next to a fast food restaurant drive-through." &lt;br /&gt;    The property was not marked private or fenced off, she said. The site was visited at least six times, and each time, the bin "was unlocked, sometimes with the lid wide open," she added.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Lame, lame, lame. 
And they would have gotten away with it too, if it weren't for those pesky kids.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6599776521111840184?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6599776521111840184/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6599776521111840184' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6599776521111840184'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6599776521111840184'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/stench-from-dumpster-lyrics.html' title='Stench From The Dumpster'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1615114256888609733</id><published>2006-12-20T14:03:00.000-08:00</published><updated>2006-12-20T14:08:43.612-08:00</updated><title type='text'>Heard It Through the Grapevine</title><content type='html'>Are you a reporter who has come here by mistake, hoping to pull a quote, or learn a little something? If so, &lt;a href="http://www.poynter.org/column.asp?id=83&amp;aid=115058"&gt;here is an excellent set of lists &lt;/a&gt;to help you navigate HIPAA and still do your job. &lt;br /&gt;Just to let you know, I feel your pain. I used to be a reporter, and know how difficult it can be to get the info you need. 
There are ways to get around to what you need, and still protect the privacy of those you write about.&lt;br /&gt;If you just remember that HIPAA is to protect the patient's privacy and not cover the Hospital's gown gap, you should be just fine.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1615114256888609733?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1615114256888609733/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1615114256888609733' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1615114256888609733'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1615114256888609733'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/heard-it-through-grapevine.html' title='Heard It Through the Grapevine'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8722849601407151760</id><published>2006-12-20T11:50:00.000-08:00</published><updated>2006-12-20T13:46:50.596-08:00</updated><title type='text'>Slippin' and Slidin'</title><content type='html'>If you haven't guessed already, I just love HIPAA. One of the best things about it is that it is a force so powerful that it can only be used for good, or evil. 
The evil in this case being our latest installment in &lt;strong&gt;"HIPAA made me do it!"&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;It seems that a school board member has a wife who is involved in the union. Some folks feel that it would be a conflict of interest if Mr. Steel gets his health insurance through his wife, and is allowed to vote on contract issues that affect coverage. It would be pretty simple, but terribly boring, if Mr. Steel just recused himself from the vote, but he is saved from obscurity by refusing and by claiming he &lt;a href="http://toledoblade.com/apps/pbcs.dll/article?AID=/20061215/NEWS21/612150333/-1/NEWS"&gt;can't disclose if he is covered by his wife's policy because of HIPAA.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Mr. Flagg's been trying to learn if Mr. Steel gets health benefits from the school district through his wife. Mr. Steel has declined to release what he calls his "wife's personal information."&lt;br /&gt;&lt;br /&gt;"Right now, we have been unable to get it because [Mr.] Steel has refused or ignored," Mr. Flagg said. "We disagree that it is a protected record under HIPAA."&lt;br /&gt;&lt;br /&gt;The Health Insurance Portability and Accountability Act, known as HIPAA, enacted in 1996, is a federal law intended to protect the disclosure of personal medical information.&lt;br /&gt;&lt;br /&gt;If Mr. Steel does receive the health insurance, he would not be permitted under Ohio law to vote on the teachers' contract.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;If we had an award to give for creative HIPAA abuse, Mr. Steel would certainly get it. 
We could have a little award ceremony, and give out a gilded hippo.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8722849601407151760?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8722849601407151760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8722849601407151760' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8722849601407151760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8722849601407151760'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/slippin-and-slidin.html' title='Slippin&apos; and Slidin&apos;'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3428574235956434718</id><published>2006-12-20T11:33:00.000-08:00</published><updated>2006-12-20T11:47:02.250-08:00</updated><title type='text'>Enforce U</title><content type='html'>&lt;a href="http://scmagazine.com/us/news/article/610014/roundup-2006-healthy-approach"&gt;Is this how&lt;/a&gt; we are finally going to be forced to compliance?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The requirements laid out by HIPAA are notorious for lacking teeth or oversight, and many smaller healthcare organizations take advantage of this with lackluster compliance efforts. 
Magrath says that from a government enforcement perspective this won't likely change soon.&lt;br /&gt;&lt;br /&gt;"The only way I see something coming down the pike, is if there are a bunch of high profile breaches that force legislators to do something," he says. "In the absence of that, I don't see anybody forcing hospitals to pay fines."&lt;br /&gt;&lt;br /&gt;However, Walsh says that the healthcare sector may turn to self-policing as the most influential healthcare organizations recognize the importance of HIPAA mandates. For example, he believes that this may be the year that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) ties more HIPAA compliance requirements in with its accreditation process.&lt;br /&gt;&lt;br /&gt;"Accreditation may be held up when the hospital doesn't comply," says Walsh. "They have been threatening this for some time, but maybe 2007 is the year they get serious about this."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3428574235956434718?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3428574235956434718/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=3428574235956434718' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3428574235956434718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3428574235956434718'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/enforce-u.html' title='Enforce U'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-167673399598074139</id><published>2006-12-20T11:22:00.000-08:00</published><updated>2006-12-20T11:32:36.559-08:00</updated><title type='text'>Volume of Neglect</title><content type='html'>Why am I not surprised by &lt;a href="http://www.govhealthit.com/article97136-12-18-06-Web"&gt;this:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006, according to a new report on medical privacy.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Somehow I don't think it is because most complaints are easily dismissed. I'm not alone here:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;“Our experience has been that complaints are being dismissed without any real investigation and very few of them are sent to the Department of Justice for enforcement,” (Deborah)Peel said...&lt;br /&gt;“Patients with legitimate complaints are simply not being helped," Peel said.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-167673399598074139?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/167673399598074139/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=167673399598074139' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/167673399598074139'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/12768719/posts/default/167673399598074139'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/volume-of-neglect.html' title='Volume of Neglect'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6170499007432409903</id><published>2006-12-20T11:19:00.000-08:00</published><updated>2006-12-20T11:22:29.407-08:00</updated><title type='text'>Now or Never</title><content type='html'>I am a little late on this, but &lt;a href="http://a257.g.akamaitech.net/7/257/2422/01jan20061800/edocket.access.gpo.gov/2006/pdf/06-9557.pdf"&gt;here&lt;/a&gt; are more final rules.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.shrm.org/hrnews_published/CMS_019638.asp"&gt;SHRMOnline has this excellent summary&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The 43 pages of final rules do not change the 2001 interim rules or the proposed rules on wellness programs. 
Instead, they finalize the 2001 interim rules from the DOL, HHS and Treasury and are designed to clarify some ambiguities regarding wellness programs, make some changes in terminology and organization, and add a description of wellness programs that are not required to satisfy additional standards.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6170499007432409903?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6170499007432409903/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=6170499007432409903' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6170499007432409903'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6170499007432409903'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/now-or-never.html' title='Now or Never'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2500482328099089566</id><published>2006-12-03T13:38:00.000-08:00</published><updated>2006-12-03T13:42:51.392-08:00</updated><title type='text'>Milk Shake</title><content type='html'>Just when you think you have seen everything, comes some new and impossibly talented interpretation of HIPAA--- &lt;a href="http://www.madison.com/wsj/home/local/index.php?ntid=108041&amp;ntpid=2"&gt;"Lampert Smith: UW boobs when it comes to 
breasts"&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Unlike in 2001, when Cooper was born, Amy Olson was turned away this fall when she wanted to sit in a Camp Randall Stadium first-aid station to pump her breast milk during the game.&lt;br /&gt;&lt;br /&gt;Frankly, UW-Madison administrators are being boobs about this.&lt;br /&gt;&lt;br /&gt;Doug Beard, senior associate athletic director, said the difference is that the federal health information privacy rules (HIPAA) went into effect in the meantime.&lt;br /&gt;&lt;br /&gt;If UW-Madison was to let nursing mothers into the first-aid station, Beard said they would invade the privacy of other patients.&lt;br /&gt;&lt;br /&gt;"We feel it's totally inappropriate," Beard said. "We're tending to the ill and the sick" in the first-aid stations.&lt;br /&gt;&lt;br /&gt;So what?&lt;br /&gt;&lt;br /&gt;"My breast is hanging out," Olson said. "I'll see your medical emergency, and you'll see my breast."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I am in awe. This Doug Beard is like the Albert Einstein of HIPAA abusers. 
This might just be my favorite use of HIPAA for a stupid unintended excuse ever.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2500482328099089566?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2500482328099089566/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2500482328099089566' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2500482328099089566'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2500482328099089566'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/milk-shake.html' title='Milk Shake'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-195596327080530365</id><published>2006-12-03T13:32:00.000-08:00</published><updated>2006-12-03T13:36:42.006-08:00</updated><title type='text'>My Way</title><content type='html'>Another thing to tattoo on your forehead, this time about security:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.informationweek.com/security/showArticle.jhtml?articleID=194400878&amp;subSection=Privacy"&gt;&lt;strong&gt;"It's A Strategy, Not Just A Policy"&lt;/strong&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-195596327080530365?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/195596327080530365/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=195596327080530365' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/195596327080530365'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/195596327080530365'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/my-way.html' title='My Way'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1289123708129937145</id><published>2006-12-03T13:29:00.000-08:00</published><updated>2006-12-03T13:31:24.843-08:00</updated><title type='text'>When I'm 64</title><content type='html'>&lt;a href="http://searchstorage.techtarget.com/originalContent/0,289142,sid5_gci1231026,00.html"&gt;Here is a thoughtful &lt;/a&gt;and intriguing discussion on long term storage--- what really will we do when records need to be retained for 100+ years?&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;A frequently discussed issue with long-term archiving is software compatibility over long periods of time -- what happens when no one remembers what "Centera" means, but there's still terabyte upon terabyte of disk stored in Centera format? While the debate rages about those issues, the issue of long-lasting physical media is often overlooked. 
Current digital media formats are far more advanced in the short term, but in terms of readability over vast stretches of time, they've still got nothing on the Rosetta Stone.&lt;br /&gt;&lt;br /&gt;One by one, according to Remsing, the different formats can be scratched off the hundred-year archive list for physical reasons. It's difficult to put RAID on tape and difficult to migrate between formats on any form of removable media, whether tape or optical. Disk is flimsy in the long run and requires power and cooling.&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Many ideas, such as holographic disks, have been proposed. Worth thinking about.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1289123708129937145?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1289123708129937145/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=1289123708129937145' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1289123708129937145'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1289123708129937145'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/when-im-64.html' title='When I&apos;m 64'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7320949798682824169</id><published>2006-12-03T13:18:00.000-08:00</published><updated>2006-12-03T13:21:44.648-08:00</updated><title type='text'>Sweet Little Lies</title><content type='html'>Another of the many wonderful ways HIPAA can be used as an excuse for something completely unreasonable from the &lt;a href="http://www.dailyastorian.info/main.asp?SectionID=23&amp;SubSectionID=392&amp;ArticleID=38277&amp;TM=72295.19"&gt;Daily Astorian&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Too many government agencies want to keep secrets. The spirit of Oregon's public records statute is that records are deemed to be open to public inspection unless an agency head can substantiate a claim for secrecy.&lt;br /&gt;&lt;br /&gt;Last week's absurd claim by the Oregon Health Division begs for a ray of sunshine. A public health authority declined the request of our sister newspaper, the Blue Mountain Eagle, for the name of the county in which Oregon's first mortality from West Nile Virus occurred. 
The health authority said secrecy was needed to protect the family of the deceased, and that the county had requested it not be named.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Take a law that many are terrified of but few know anything about, and you too can use it for an excuse for just about anything!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7320949798682824169?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7320949798682824169/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7320949798682824169' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7320949798682824169'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7320949798682824169'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/sweet-little-lies.html' title='Sweet Little Lies'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4302950372516518026</id><published>2006-12-03T12:56:00.000-08:00</published><updated>2006-12-03T13:04:44.951-08:00</updated><title type='text'>Lean on Me</title><content type='html'>From the Sarbanes-Oxley Compliance Journal comes &lt;a href="http://www.s-ox.com/feature/detail.cfm?articleID=2168"&gt;this succinct and clear &lt;/a&gt;take on the drivers for IT security--- it's the compliance, stupid:&lt;br /&gt;&lt;br 
/&gt;&lt;blockquote&gt;When strict regulations were first implemented, many IT professionals saw the legislation as an opportunity to demonstrate the important link between IT practices and standard business operations. However, the reality of the situation is that regulation is bogging down already overburdened IT resources. In today’s heightened cyber-threat environment where IT resources are already constrained, organizations face tremendous pressure to maintain compliance with the variety of complex regulations, and many IT departments are feeling the pinch. &lt;br /&gt;&lt;br /&gt;A November 2005 survey by Ernst &amp; Young stated that nearly two-thirds of its 1,300 respondents claimed that regulatory compliance is the primary driver of information security at their companies, ranking ahead of other critical missions such as protecting against security threats and meeting business objectives. It is not surprising that compliance ranked so important among the survey respondents. After all, even the most miniscule non-compliant decision can become the weak link to a data breach that threatens a company’s brand integrity and consumer confidence. &lt;br /&gt;&lt;br /&gt;The data breaches that have dominated the headlines recently should make every IT manager take notice. According to Privacy Rights Clearinghouse, more than 210 publicized breaches have affected more than 55 million customers since February 2005. Those numbers are alarming, but the cost of notification is more so, with notification cost projections running from $10 to $35 per customer. 
Combining the hard costs of notification with the decline in shareholder and consumer confidence – where some studies show a five percent market cap decline in addition to a 10 to 12 percent decline in consumer confidence immediately following a breach – can produce devastating effects on an organization.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;From one angle, it doesn't matter to me from where the driving force for IT security comes. That companies are paying attention and doing something about the potential company-destroying vulnerabilities that until recently were given only lip-service is a giant leap forward.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4302950372516518026?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4302950372516518026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=4302950372516518026' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4302950372516518026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4302950372516518026'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/lean-on-me.html' title='Lean on Me'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-117002233574779950</id><published>2006-12-03T11:00:00.000-08:00</published><updated>2006-12-03T11:04:47.224-08:00</updated><title 
type='text'>Get your Kicks</title><content type='html'>Tell us what you really think: (from the gripe column at the &lt;a href="http://www.herald-mail.com/?module=displaystory&amp;story_id=153095&amp;format=html"&gt;Maryland, Pennsylvania, West Virginia Herald-Mail)&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"HIPAA and the HIPAA regulations are the worst thing that has ever happened in the U.S. - worse than any type of foreign war, worse than any scourge or plague or anything else. HIPAA is ridiculous, and should be abolished at all costs. I understand the reasoning behind it, but as is typical in this country, we cannot do things middle-of-the-road; things that make sense. We have to go to one extreme or another. HIPAA is an extreme measure, and needs to be abolished and repealed as soon as possible. Hopefully, with a changeover in Congress, this will be reconsidered. I urge you, if you have loved ones who are ill or disabled or anything along those lines, please call your congressmen. Ask them to repeal or roll back HIPAA now. 
Spoken from someone who has been adversely affected by HIPAA."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-117002233574779950?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/117002233574779950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=117002233574779950' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/117002233574779950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/117002233574779950'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/12/get-your-kicks.html' title='Get your Kicks'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2485406589788030780</id><published>2006-11-12T10:27:00.000-08:00</published><updated>2006-11-12T10:36:31.125-08:00</updated><title type='text'>1999</title><content type='html'>&lt;a href="http://acadiana.medicalnewsinc.com/news.php?viewStory=694"&gt;One in four&lt;/a&gt;. Luddites.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The federal goal is for most Americans to have their medical information in electronic format by 2014, and for all prescriptions to be written electronically four years before that. Are physicians moving towards those goals? 
According to the most recent annual study done by the CDC’s National Center for Health Statistics, almost one in four doctors use partial or full electronic systems in their offices; that number is up 31 percent from the same survey done in 2001. (The study excludes radiology, anesthesiology and pathology.) These connected doctors recognize the benefits of an interoperable system of healthcare information sharing; when everyone is on the same electronic page, there is less probability of error. The Department of Health and Human Services has estimated that one of seven primary care visits is affected by missing medical information. And medical errors are caused by “M” words: miscommunication and missed communication between physicians, misinformation in the record, mishandling of information, mislabeled specimens, and misfiled or missing data.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Every form of record keeping has its pitfalls, but it seems absurd that in 2006 I would still be harping about installing digital systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2485406589788030780?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2485406589788030780/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=2485406589788030780' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2485406589788030780'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2485406589788030780'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/11/1999.html' 
title='1999'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8983048221460027285</id><published>2006-11-12T10:09:00.000-08:00</published><updated>2006-11-12T10:18:22.319-08:00</updated><title type='text'>Someday My Prince Will Come</title><content type='html'>I have been harping for years that the regulatory climate would change someday. It looks like that &lt;a href="http://www.wired.com/news/politics/0,72089-2.html?tw=wn_story_page_next2"&gt;someday is upon us:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The new Congress is likely to include oversight of a health privacy law, known as &lt;a href="http://en.wikipedia.org/wiki/HIPAA"&gt;Health Insurance Portability and Accountability Act&lt;/a&gt;, or HIPAA, in the House Energy and Commerce Committee, where the feisty John Dingell is expected to take over and ally himself with muckraking Democratic Reps. Ed Markey and Henry Waxman. They'll have plenty to work with, as there have been some 20,000 violations of the complicated statute, according to Swire.&lt;/blockquote&gt;&lt;br /&gt;HIPAA is not the only regulation that enforcement has been lax on. A new congress will probably not be so likely to look the other way. Of course, big non-compliant targets will be flashiest, but smaller non-compliant targets (like you and me!) will be easier game.&lt;br /&gt;&lt;br /&gt;Don't be the warm-up for the main event. There are a couple of months before the new congress sits. Use that time to tune up your compliance. 
I really don't want to read about you in the trades as the horrifying example.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8983048221460027285?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8983048221460027285/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=8983048221460027285' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8983048221460027285'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8983048221460027285'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/11/someday-my-prince-will-come.html' title='Someday My Prince Will Come'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7813948424308272814</id><published>2006-11-12T09:46:00.002-08:00</published><updated>2006-11-12T09:56:41.507-08:00</updated><title type='text'>Say My Name</title><content type='html'>Every so often, I highlight another example of people using the handy HIPAA rules as an excuse or a scapegoat for some ridiculous or underhanded behavior. We have seen clinic managers cover up malfeasance, administrators use it to cover up lost records, and office managers use it to explain whatever rudeness they have perpetrated on some poor patient. 
&lt;a href="http://www.postcrescent.com/apps/pbcs.dll/article?AID=/20061111/APC0601/611110583/1036http://"&gt;This one&lt;/a&gt; is the biggest stretch I have seen:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;With the introduction of the HIPAA rules, our government has set out to help us by protecting our privacy. Now, almost everyone is calling new customers or patients by a first name.&lt;/blockquote&gt;&lt;br /&gt;It seems that HIPAA is a tool of the dread conspiracy to &lt;i&gt;call us all by our first names!&lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7813948424308272814?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7813948424308272814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=7813948424308272814' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7813948424308272814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7813948424308272814'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/11/say-my-name_8679.html' title='Say My Name'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-116240611515640642</id><published>2006-11-01T10:34:00.000-08:00</published><updated>2006-11-11T22:44:50.232-08:00</updated><title type='text'>Happy Birthday To You</title><content type='html'>Not on the national holiday list, 
but still an &lt;a href="http://computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=infrastructure&amp;articleId=9004559&amp;taxonomyId=145&amp;intsrc=kc_feat"&gt;important landmark&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Dignitaries from the computer security field took the stage at the Computer History Museum on Oct. 26 to commemorate the 30th anniversary of public key cryptography, wax historical about academic, governmental and commercial developments in security, and ponder the future. Panelists included persons such as Whitfield Diffie, a cryptography pioneer and chief security officer at Sun Microsystems; Notes creator Ray Ozzie, now Microsoft's chief software architect, and Brian Snow, retired director for the National Security Agency's Information Assurance Directorate. They touched on topics ranging from NSA obstacles and export regulations to decades-old research papers and the Clipper chip.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-116240611515640642?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/116240611515640642/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=116240611515640642' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116240611515640642'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116240611515640642'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/11/happy-birthday-to-you.html' title='Happy Birthday To 
You'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-116240561887928420</id><published>2006-11-01T10:24:00.000-08:00</published><updated>2006-11-11T22:44:49.998-08:00</updated><title type='text'>A Hunting We Will Go</title><content type='html'>&lt;a href="http://www.thehindubusinessline.com/ew/2006/10/30/stories/2006103000050100.htm"&gt;Here&lt;/a&gt; is a nice rundown of the various types of scams and predators on the web, trying to steal your information, or the information you are caretaking for your patients. &lt;br /&gt;&lt;br /&gt;The summaries are about halfway down the page.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-116240561887928420?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/116240561887928420/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=116240561887928420' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116240561887928420'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116240561887928420'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/11/hunting-we-will-go.html' title='A Hunting We Will Go'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-116096291418170688</id><published>2006-10-15T18:37:00.000-07:00</published><updated>2006-11-11T22:44:49.781-08:00</updated><title type='text'>Lookin' For Trouble</title><content type='html'>&lt;a href="http://www.cio.com/archive/101506/comply.html"&gt;Disturbing numbers:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Fewer hospitals and healthcare facilities are fully complying with the law this year than in 2005, according to a recent survey by the American Health Information Management Association (AHIMA), a professional organization for health information executives. And more than one-quarter of U.S. security executives whose organizations need to be HIPAA-compliant admit that they are not, according to "The Global State of Information Security 2006," a study released last month by CIO and PricewaterhouseCoopers.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-116096291418170688?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/116096291418170688/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=116096291418170688' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116096291418170688'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/116096291418170688'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/10/lookin-for-trouble.html' title='Lookin&apos; For 
Trouble'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115998529845698081</id><published>2006-10-04T10:59:00.000-07:00</published><updated>2006-11-11T22:44:49.512-08:00</updated><title type='text'>A Bad Case of Loving You</title><content type='html'>&lt;a href="http://www.freemarketnews.com/Analysis/97/6108/justice.asp?wid=97&amp;nid=6108"&gt;Here is an example &lt;/a&gt;of a guy with a ton of credentials in another field missing something entirely:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;One particularly outrageous aspect of these cases is the way HIPAA's privacy provisions tie the hands of defense attorneys. We're only now finding out about these women's histories with other doctors because defense attorneys were prevented by HIPAA from knowing of or viewing their medical records, even when a man's freedom was at stake. The prosecution was free to make spurious claims to the jury -- claims they knew or should have known were inaccurate -- but the defense was barred from looking at the very medical records that would have rebutted many of those spurious charges.&lt;br /&gt;&lt;br /&gt;Of course, if the prosecution knew of potentially exculpatory evidence -- that is, their witnesses' dealings with other doctors -- and didn't disclose it to the defense, Ms. Buchanan's office might soon be forced to answer some difficult questions about prosecutorial misconduct.&lt;br /&gt;&lt;br /&gt;Medical privacy is important, of course. 
But if the DEA is going to continue to go after these doctors with charges that hinge on the medical histories of some of their witnesses, defendant doctors ought to be able to peruse those histories for evidence that could help prove their innocence.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I read Balko occasionally, and several of my more conservative friends are big fans of his. In this case he misses the very important point that the HIPAA Privacy Rule allows for this very type of case. The problem had nothing to do with HIPAA. It was a failure of the prosecution during the discovery phase to disclose what they knew. HIPAA did not hamper the defense; a dishonest prosecution did.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115998529845698081?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115998529845698081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115998529845698081' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115998529845698081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115998529845698081'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/10/bad-case-of-loving-you.html' title='A Bad Case of Loving You'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115990236529254910</id><published>2006-10-03T12:01:00.000-07:00</published><updated>2006-11-11T22:44:49.272-08:00</updated><title type='text'>Kansas City Star</title><content type='html'>From the &lt;a href="http://www.kansascity.com/mld/kansascity/news/local/15643090.htm"&gt;Kansas City Star&lt;/a&gt;, here is another case of HIPAA as a convenient excuse. An EMT got permission to post photos of an accident from the victims as a traffic safety example. He was suspended for violating the HIPAA Privacy Rule. Except with permission, there was no violation.&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;In the district's letter to Drennan, obtained by the Kirksville Daily Express, district officials accuse Drennan of disclosing protected patient information, violating ethics rules regarding patient confidentiality and committing an act that brings discredit on the district and questions its safe operation.&lt;br /&gt;&lt;br /&gt;While the letter doesn't spell out the protected information, Drennan said ambulance district Chief Jason Albert told him the suspension was linked to the photos and online comments.&lt;br /&gt;&lt;br /&gt;Albert said the suspension was based on other factors besides the photos but wouldn't comment further, saying it is still an internal personnel matter.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Other factors. Indeed. Without the HIPAA violation, which apparently didn't occur, would they have been able to suspend him? 
HIPAA is just so danged convenient!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115990236529254910?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115990236529254910/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115990236529254910' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115990236529254910'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115990236529254910'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/10/kansas-city-star.html' title='Kansas City Star'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115922119253807217</id><published>2006-09-25T14:44:00.000-07:00</published><updated>2006-11-11T22:44:49.050-08:00</updated><title type='text'>Resolve</title><content type='html'>From &lt;a href="http://www.gcn.com/print/25_29/42103-1.html"&gt;GCN:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;“You could look at all the state laws in all jurisdictions that are involved and come up with so many potential conflicts that it would take you forever to resolve them,” Christensen said. 
“Are they actually getting in the way, or is it the way people interpret those laws, or are there other things that they are doing in the name of privacy and security that aren’t even based on law or regulations?”&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;HHS and AHIC's CCPSG (American Health Information Community’s Confidentiality, Privacy and Security Work Group) are working on a project to smooth out some of the inconsistencies in privacy and security. It will be interesting to see how this shakes out.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115922119253807217?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115922119253807217/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115922119253807217' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115922119253807217'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115922119253807217'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/resolve.html' title='Resolve'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115843630179616334</id><published>2006-09-16T12:43:00.000-07:00</published><updated>2006-11-11T22:44:48.797-08:00</updated><title type='text'>Save the Land</title><content type='html'>In the course of writing this blog, I read a lot of stuff from a lot of 
sources. Most of it is pretty dull stuff, but occasionally something pops out at me, like this from an &lt;a href="http://www.consumeraffairs.com/news04/2006/09/health_care_records.html"&gt;otherwise routine piece on secondary health information markets from ConsumerAffairs.com:&lt;/a&gt;&lt;blockquote&gt;Sales of medical data could also figure into new "consumer-driven health care" products such as Health Savings Accounts (HSA's), as at least one company has developed "medical credit scores" designed to parse the risk of borrowers looking for price comparisons on potential accounts.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;The whole HSA thing has never seemed very practical to me, as it would only help those who were in a position to need an additional tax break. As a replacement for insurance it would simply not work for most of us. But if someone opts in to a program like that, intended so far as I can tell to reward individual responsibility, how is it right that companies are already looking for ways to "redline" customers? 
That they would be using a loophole to use your own PHI against you is doubly wrong.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115843630179616334?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115843630179616334/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115843630179616334' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843630179616334'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843630179616334'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/save-land.html' title='Save the Land'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115843536507099755</id><published>2006-09-16T12:30:00.000-07:00</published><updated>2006-11-11T22:44:48.475-08:00</updated><title type='text'>Killing Me Softly</title><content type='html'>If you are struggling with compliance and you have users who use mobile devices, you need to read this from &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;taxonomyName=laptops&amp;articleId=9003297&amp;taxonomyId=66&amp;intsrc=kc_feat"&gt;Computer World:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;In general, however, Palma said there are three types of tangible security procedures that can bring mobile devices, and the data they carry, into 
compliance: &lt;br /&gt;&lt;br /&gt;Authentication of devices and users. &lt;br /&gt;Encryption of data. &lt;br /&gt;The "remote kill." This enables IT personnel to remotely delete data on wireless devices such as smartphones once they are known to be missing. Such capabilities typically are provided by mobile device management software.&lt;br /&gt;These broad elements are closely related to central management of mobile devices, another key aspect of mobile compliance efforts, Palma added.&lt;br /&gt;&lt;br /&gt;"You need to centrally manage and push [changes] out to all types of devices and have a consistent approach because when it comes back to compliance, that's what you need," he said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;One of the solutions is to encrypt the entire device, not just individual files on it. "We encrypt the entire [device] one level below the operating system so if the machine is lost or the disk is stolen, it can't be read..." USB drives, PDAs, convergent devices, laptops. 
If you truly must have PHI on mobile devices, make it useless to unauthorized users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115843536507099755?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115843536507099755/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115843536507099755' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843536507099755'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843536507099755'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/killing-me-softly.html' title='Killing Me Softly'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115843400565243496</id><published>2006-09-16T12:02:00.000-07:00</published><updated>2006-11-11T22:44:48.212-08:00</updated><title type='text'>If I Had a Hammer</title><content type='html'>&lt;a href="http://www.naplesnews.com/news/2006/sep/15/florida_health_fraud_case_breaks_new_legal_ground/?local_news"&gt;From NaplesNews.com &lt;/a&gt;comes this quite good piece by Liz Freeman on a very interesting case going on right now in Florida:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The 1,100 Naples patients who were victims in the state's first federal privacy prosecution have little legal recourse, and Cleveland Clinic not likely to face fines&lt;br /&gt;&lt;br 
/&gt;The indictment of a former Cleveland Clinic Florida employee for conspiracy to commit health care fraud with personal information of more than 1,100 Naples patients isn’t likely to bring a hammer of civil fines against the hospital by the federal government, which has yet to sanction a hospital or other health care entity for patient privacy breaches.&lt;br /&gt;   &lt;br /&gt;But the former hospital employee at Cleveland Clinic in Weston and her Naples cousin, who was her alleged co-conspirator, will be the first in South Florida to be prosecuted for violating the federal law protecting patients’ privacy rights and the third such case nationally, according to the U.S. Attorney’s Office in Miami.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Note the general cynicism when it comes to enforcement--- even the folks from HHS can't put enough lipstick on this pig. What started as a reasonable policy to allow providers to ease into compliance has become an excuse to not enforce. It won't last forever, and when the climate changes there will be some very unhappy folks in the docket.&lt;br /&gt;&lt;br /&gt;As a side note, it looks to me as though Cleveland Clinic Florida, the provider in this case, did everything they should have, and seem both blameless and cooperative.&lt;br /&gt;&lt;br /&gt;Here is &lt;a href="http://www.sun-sentinel.com/news/local/southflorida/sfl-dfraud09sep09,0,7481801.story?coll=sfla-home-headlines"&gt;a little more detail on this case &lt;/a&gt;from the Sun-Sentinel.&lt;br /&gt;&lt;br /&gt;And &lt;a href="http://lawfuel.com/show-release.asp?ID=7878"&gt;here is the press release &lt;/a&gt;from the FBI.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115843400565243496?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115843400565243496/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115843400565243496' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843400565243496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115843400565243496'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/if-i-had-hammer.html' title='If I Had a Hammer'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115748365840316785</id><published>2006-09-05T12:10:00.000-07:00</published><updated>2006-11-11T22:44:47.899-08:00</updated><title type='text'>Crank it Up</title><content type='html'>In the middle of a quite excellent and wonderfully acerbic piece on storage solutions, Jon William Toigo, writing in Application Development Trends, drops this &lt;a href="http://www.adtmag.com/esArticle.aspx?a=2113"&gt;tasty little description: &lt;/a&gt; &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Acknowledging the risk that deleted data might be recovered using “under-data,” the U.S. Department of Defense has a project running with Georgia Tech Research Center to perfect a technique for absolutely ensuring data erasure from a hard disk in less than 5 seconds. Apparently, software based “data shredders” such as Norton WipeInfo don’t do an adequate job. Bad sectors of a hard disks that have been marked for exclusion from new data writes by disk electronics are ignored by the erasure process too. 
Since some valuable information might persist in these sectors, another approach, dubbed “Guard Dog” by developers, is being tried that leverages a 125-pound magnet and a hand crank to completely obliterate disk data in all sectors.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;A 125-pound magnet and a hand crank? Man, I &lt;strong&gt;gotta&lt;/strong&gt; get me one of those!&lt;br /&gt;&lt;br /&gt;The rest of the article is well worth reading, too, by the way.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115748365840316785?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115748365840316785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115748365840316785' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115748365840316785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115748365840316785'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/crank-it-up.html' title='Crank it Up'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115748308788077966</id><published>2006-09-05T11:31:00.000-07:00</published><updated>2006-11-11T22:44:47.666-08:00</updated><title type='text'>Poppa Don't Preach</title><content type='html'>I told you so. 
&lt;br /&gt;With the publication of the final enforcement rule, many observers are saying that the era of lax enforcement is at an end. Among those who think so are the folks at Law.com and Jennifer Wilcox has written a fine and scary piece called "HIPAA Gets 'Teeth'"--- among her suggestions for avoiding trouble in the future are &lt;a href="http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1156943799125"&gt;these quite excellent queries:&lt;/a&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;strong&gt;Training:&lt;/strong&gt; Are new benefits employees trained on the requirements of HIPAA Privacy and Security? Do you keep records documenting the training programs run for such employees, such as having employees sign statements certifying they attended the training? &lt;br /&gt;&lt;strong&gt;Use of PHI for Employment Purposes:&lt;/strong&gt; Do you have an appropriate "firewall" between your health plan and other human resources functions? Particularly for companies with relatively small human resources/benefits staff, do your employees know about the prohibition on using information obtained or created by the health plan for other employment-related purposes? &lt;br /&gt;&lt;strong&gt;E-mails:&lt;/strong&gt; Are you careful about disclosing PHI in e-mails that travel over open networks, unencrypted? Do employees use common-sense precautions to limit the amount of PHI used in e-mails? &lt;br /&gt;&lt;strong&gt;Information Security:&lt;/strong&gt; Has your HIPAA security risk assessment been updated to incorporate any new software, applications, or information technology systems purchased by your company? Does your Security Officer keep up to date on developments in information technology, and monitor warnings and reports regarding external PHI security threats such as viruses and worms?&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;There are several other questions in the full article that you should be asking yourself. 
It really does make sense to be ready for full enforcement, because it was inevitable that the day would come. It is so much better to be prepared, and compliant than to go through a scrambling panic remediation under the threat of federal attention. You are most of the way there now, and there is no reason for terror. Just spend a little effort and make sure that it is someone else held up as a cautionary tale on the six o'clock news.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115748308788077966?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115748308788077966/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115748308788077966' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115748308788077966'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115748308788077966'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/poppa-dont-preach.html' title='Poppa Don&apos;t Preach'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115747236693828680</id><published>2006-09-05T09:03:00.000-07:00</published><updated>2006-11-11T22:44:47.398-08:00</updated><title type='text'>Mr. 
Roboto</title><content type='html'>Interesting discussion in &lt;a href="http://www.cxotoday.com/cxo/jsp/article.jsp?article_id=75579&amp;cat_id=908"&gt;CXOToday.com about identity management:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Frost &amp; Sullivan added that apart from aiding regulatory compliance and security issues, identity management would enhance operational efficiency of enterprises, reduce costs and also enable risk management. A high level service centric identity management solution will have features including automated audits, attestations, consistent access and provisioning, an ability to manage change automatically and full delegation. &lt;br /&gt;&lt;br /&gt;As organizations open their networks for increasing numbers of employees, customers and partners, companies will face the challenge of providing accounts to multiple users with an appropriate level of access to applications and resources. Large enterprises then begin to demand comprehensive identity and access management solutions which can provide self-service to end users in a secure environment while addressing all aspects of user administration, authentication and access control, claimed the study.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;As a commenter points out, identity management is just one step in protecting your information, but it is a very important one.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115747236693828680?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115747236693828680/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115747236693828680' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/12768719/posts/default/115747236693828680'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115747236693828680'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/09/mr-roboto.html' title='Mr. Roboto'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115679055631567828</id><published>2006-08-28T11:37:00.000-07:00</published><updated>2006-11-11T22:44:47.189-08:00</updated><title type='text'>Wasting Away Again in Margaritaville</title><content type='html'>We live in the most interesting modern times--- did you know that there is an organization called The National Association for Information Destruction? I didn't until I read this excellent article in &lt;a href="http://www.naplesnews.com/news/2006/aug/28/shredders/?business"&gt;The Naples News:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Then his son introduced him to a magazine called Waste Age.&lt;br /&gt;"I read an article that said Wayne Huizenga (owner of Miami Dolphins) had bought a document shredding business," Stevens said. "And I said, 'Gee if it's good enough for him, it's good enough for me.'"&lt;br /&gt;So he started JM Stevens Services in Naples, which was one of the first on-site document shredding businesses in Collier and Lee counties. 
He did pretty good business, starting with about a dozen clients the first year and moving up to about 300 within seven years.&lt;br /&gt;But it has been the last three years that Stevens' business has picked up.&lt;br /&gt;"I added at least 200 or better clients in the last three years," Stevens said.&lt;br /&gt;The reason for his client increase is recent federal laws designed to protect patient privacy rights, prevent identity thefts and preserve confidentiality of credit transactions. The laws increased the document handling requirements put on financial institutions that handle confidential information.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;There is everything to like about this story--- small-town boy makes good, a new industry born of the need for privacy, and even a plug for keeping old data secure through destruction.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115679055631567828?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115679055631567828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115679055631567828' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115679055631567828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115679055631567828'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/08/wasting-away-again-in-margaritaville.html' title='Wasting Away Again in Margaritaville'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' 
src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-115652873411693372</id><published>2006-08-25T10:51:00.000-07:00</published><updated>2006-11-11T22:44:46.940-08:00</updated><title type='text'>When You're a Jet</title><content type='html'>A little self-promotion here--- Comply With Me has been invited to join HITSphere. &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The HITSphere is a network of premium weblogs that write content about the healthcare, medical, and clinical informatics and information technology (IT) industry. Combined, these sites reach a large readership of influential healthcare technology professionals.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Check them out &lt;a href="http://www.hitsphere.com/"&gt;here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And I will be administrating the new HIPAA forum at &lt;a href="http://www.cccure.org/"&gt;CCCure.org&lt;/a&gt;, one of the top security websites around.&lt;br /&gt;&lt;br /&gt;Welcome new visitors from both places!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-115652873411693372?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/115652873411693372/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=12768719&amp;postID=115652873411693372' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115652873411693372'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/115652873411693372'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2006/08/when-youre-jet.html' title='When You&apos;re a 
Jet'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='24' src='http://www.midamericon.org/photoarchive/05neb014.jpg'/></author><thr:total>0</thr:total></entry></feed>
