I'm Doing Time in a Maximum Security Twilight Home

Read this:

"If you're impacted by HIPAA, you must have a comprehensive security program -- including risk assessment, policy development, controls, and monitoring and responses processes -- in place. But if the main concern is SOX, you'll be strictly responsible only for security around particular, auditable processes. Here's an opportunity to act broadly, extending SOX-driven security infrastructure and consulting spending to categories not covered by the audit.
In other words, spend once on developing a risk management and control infrastructure for security and then derive multiple benefits, for example by meeting compliance and catching low-level, non-SOX fraud at the same time.
After taking the right approach, says Hellman, there will scarcely be a distinction between compliance and security success: "It's incredibly intertwined. Compliance is an overlay over your security processes."

As the writer points out, this is an approach, not a solution, but the whole idea of integrating your security and compliance efforts makes so much sense. Too many systems have a network, with some kind of database tacked on, and glued to that some security that accreted through responses to the last five attacks, and then some sort of compliance procedure melded together by the IT and legal department. When they finally call someone like me, the mare's nest is nearly inpenetrable, filled with sacred cows, and the whole thing has cost 3 times what it should.

Garden of Simple

Another free webcast, "How to simplify and automate your compliance procedures" from SearchSecurity:

"The growth of government mandates has caused an increase in manually intensive, compliance-related tasks that reduce IT efficiency. And according to AMR Research, the total tab for compliance-related spending will exceed $6 billion over the next 5 years. At this webcast, learn firsthand from Charles Kolodgy of IDC about how you can simplify, automate and reduce the cost of achieving IT security and regulatory compliance. Get tips on how you can get away from using manual methods to ensure compliance and how to reduce the complexity and burden on your IT infrastructure."

There is a lot of good stuff out there lately, but making time to learn and apply all of it is nearly impossible for those in small practices, or with limited IT budgets. My suggestion? Find a hired gun to put your compliance house in order, train a current staff memeber to keep up with things, then make sure they have a few hours a week to do so.

Going Up To The Country, Paint My Mailbox Blue

If you make a system easy enough to use, or even user-transparent, there will be far fewer problems with compliance. For many IT people this is axiomatic. When we are talking users who don't really care about all of our fancy high-tech equipment, it goes double. Securing e-mail doesn't have to be a nightmarish ordeal:

"Secure messaging is sort of a serendipitous technology," Osterman says. "If you ask somebody if they need to encrypt e-mail, a lot of people will say, 'No, not really.' But put an easy-to-use encryption capability in front of them, and they find more uses for it."

If it is hard to use, they won't use it. If it takes a lot of time, they won't use it. If it seems to interfere with proper care of their patients, they won't use it.
And if they won't use it, why bother?
Let's make these systems and policies transparent and user-friendly.
Or they won't use it.

In the Air Tonight

Sometimes things seem to come together, or maybe something is in the air. This weekend I had a long conversation about email security, and this morning I find a quite excellent (though rambling) rant from Jeff over at HIPAA Blog:

"That's what gets people going, though. Encryption of emails. I've pooh-poohed it because of the relative risk question, but there's another reason to pooh-pooh it: you don't encrypt your phone messages, do you? Is there a greater risk of your emails being intercepted than your phone calls being intercepted? Not much of one; presumably phone circuits are more closely controlled than internet circuits (you never know what route your email will take, really), but wouldn't someone have to be involved in criminal conduct as great as wiretapping to intercept your email?"

And there is this from USNews:

"Compliance with rules like HIPAA (which governs the use and release of medical information) prompted Rochester, N.Y.-based Sutherland Global Services to install E-mail security software this year. The outsourcing firm often handles sensitive information like credit cards and medical records; company heads wanted to ensure that this information remained private. Sutherland now has a system in place that checks outgoing E-mail for key phrases or words, putting a quarantine on any message that may contain private information."

And from way back in 1999, an article from CNN with a quote from Jeff LePage (who by the way didn't hire me a few years back for a pretty cool sounding job--- but who seemed like a decent guy nonetheless---which would have had the added bonus of letting me work with an IT guy who is quoted in national publications) on keeping track of what your email is used for.

"I didn't really realize how much of a problem I had until I started using (monitoring software)," said Jeff LePage, director of MIS at American Fast Freight Inc. in Kent, Wash.
At American Fast Freight, a year after putting monitoring software in place, the software is now capturing only two or three inappropriate e-mails per week from the company's 330 employees -- requiring only a quick once-per-week check, LePage said."

Gonna Teach You to Love Me

Do you need to be a tech to understand and supervise compliance? This entry in Computer World chronicles the frustrations of a manager trying to deal with a non-technical person in the role of compliance officer.

"We were at an impasse created by that long-ago misunderstanding about the nature of the ISO position. When the HIPAA security rule went into effect, covered entities such as my agency were required to designate someone to handle ISO responsibilities. Many covered entities noticed that roughly 80% of the policies and plans required by the HIPAA security rule are categorized as "administrative," only 5% or so are categorized as "technical," and the rest are categorized as "physical."

Here's the misunderstanding: Even though the bulk of the policies are deemed administrative, implementing the policies is primarily a technical exercise. I believe -- and many may argue with me -- that writing a good policy requires a solid understanding of what technologies are available to implement the plan. You need some technical knowledge to be able to visualize the plan. You can't say, "Thou shalt do thus" and not be able to "do thus."

I believe that compliance management can be done by non-technical people, but it is difficult, and the same sort of flexibility and trainability that makes for a good employee in every other role is indispensable here. If your compliance officer isn't technical, they need to be willing and able to get at least a foundation of technical understanding. Just as anyone else would be expected to grow into their position, so should the non-technical compliance officer make every effort to at least learn the basics. It sounds like this one was given the opportunity, and failed to step up to the plate.

My Baby Said

From the Fort Wayne News Sentinal comes this amusing and actually informed article:

"Just when I thought common sense was prevailing, my daughter, six months pregnant, told me of her recent experience at a Fort Wayne hospital. When going there for an outpatient test, the registration clerk asked her to sign a form stating she AND her baby had been informed of their privacy rights under HIPAA.
“My baby hasn’t been informed about anything,” my daughter said.

Both attorneys, she and her husband first thought the request “was a joke,” they said. But in all seriousness the clerk said the hospital had instituted the policy after another pregnant patient complained her unborn child had not been made aware of his or her privacy rights."

Most of the time, stuff like this is a training issue. When it isn't, there is always a back story. Sadly, to the patient, it just looks like more weird regulation.

The Last in Line

Good thing we are all HIPAA compliant, huh! Seriously, though, that .5% number is pretty danged impressive.

"HIPAA Compliance Required McClellan on Thursday also announced that CMS after Oct. 1 no longer will process claims that are not HIPAA-compliant for Medicare reimbursement, according to CQ HealthBeat. In a news release, CMS said that about 0.5% of Medicare fee-for-service providers submitted non-HIPAA-compliant claims as of June 2005. After Oct. 1, such claims will be returned to the filer for resubmission, according to CMS. "We are firmly committed to an interoperable electronic health care system, and the close-to-100% compliance with HIPAA standards for claims shows that the health care industry shares this commitment," McClellan said (CQ HealthBeat [2], 8/4). "

Communication Breakdown

David J. Brailer, the National Coordinator for Health Information Technology at the Department of Health and Human Services actually seems like a pretty together kind of guy--- his recent testimony in front of congress brought up a lot of issues, and his perspective seemed... well, to have perspective.

"The challenge here is how to adapt security/privacy issues with sharing information," Brailer said in response to a question posed by Rep. Pete Stark, D-Calif., about his opinion of the Health Insurance Portability Accountability Act.
"We can't impose multi-million dollar practices on a small practice," Brailer added, explaining that a large practice could use biometrics in its computers while a small practice only used a password, making interoperability impossible between the two systems.

For a lot of CE's, the Security Rule has been a brand new set of headaches. I should note that, even with the above scenario, though, there are solutions to secure communication between dissimilar systems. You do it everytime you bank online, and your WinXP desktop talks to the bank's AS/400.

Don't Leave Me Now

A lot of information loss seems to be from poorly secured documents, and bad document storage. This is especially dangerous when the record is at end of life. You can't just haul your old records to the dump, and handwritten notes are one of the blindspots for many organizations. It does no good to secure your electronic records, if the notes that they were based on can be gotten by simple dumpster diving.

Here is a brief piece from the Boston Herald that covers the high points of shredding.

"MetroWest Medical Center in Framingham also uses shredders at each nurse's station, and a HIPAA compliance team regularly "audits" the regular trash cans to ensure medical records have not been placed there, said spokesman Beth Donnelly. And when the hospital needs to purge computerized records, it locks the hard drives in a secure location and hires an outside company to "de-gouse," or strip, them with magnetic equipment. "

OT: Extra points for anyone who catches the fairly obscure reference in the title of this post. *And I am pretty sure that they mean "degauss"--- "de-gouse" sounds like a fairly unpleasant office procedure involving harsh chemicals and minor surgery.