I'm assuming, from the general body of the email, that you're subject to US law here. Disclaimer: I'm not a lawyer, although I've read enough about IT regulation (particularly SB 1386 and HIPAA) to know you're in a world of trouble.
> The doctors are exempt from all policies as they are not employees
> of the provider. Not only is this true, it says so in the very
> first policy in their list of policies. Isn't that grand?
> Since the doctors are exempt, they do what they please. And what
> they please is to download a *large* number of medical records into
> an unprotected computer at home that was stolen today.

At the very least, this violates 164.502 part b.1 of HIPAA (from http://www.hhs.gov/ocr/regtext.html):

>> (b) Standard: minimum necessary.
>>
>> (1) Minimum necessary applies. When using or disclosing protected
>> health information or when requesting protected health
>> information from another covered entity, a covered entity must
>> make reasonable efforts to limit protected health information to
>> the minimum necessary to accomplish the intended purpose of the
>> use, disclosure, or request.

If your health care provider is granting blanket access to doctors, they are in obvious violation of this subpart. Your legal team may be relying upon the subsequent section 164.506, section a.2.i:

>> § 164.506 Consent for uses or disclosures to carry out treatment,
>> payment, or health care operations.
>>
>> (a) Standard: consent requirement.
>>
>> (1) Except as provided in paragraph (a)(2) or (a)(3) of this
>> section, a covered health care provider must obtain the
>> individual’s consent, in accordance with this section, prior to
>> using or disclosing protected health information to carry out
>> treatment, payment, or health care operations.
>>
>> (2) A covered health care provider may, without consent, use or
>> disclose protected health information to carry out treatment,
>> payment, or health care operations, if:
>>
>> (i) The covered health care provider has an indirect treatment
>> relationship with the individual; or

Since a doctor at a health care provider has an indirect relationship with all patients of the other doctors of the provider.
However, 164.502 section a.1.iii clearly limits the "without consent":

>> (iii) Without consent, if consent is not required under §
>> 164.506(a) and has not been sought under § 164.506(a)(4), to
>> carry out treatment, payment, or health care operations, except
>> with respect to psychotherapy notes;

If your doctors are routinely data-dumping the patient records of the entire facility, you guys are up the creek. No paddle.

> This has not yet been reported under California 1386 yet, and
> apparently there is a discussion going on whether they need to as
> it was not the medical provider's machine....

Whoo, lord, do your people need to be more worried about the law. SB 1386 (note, it's actually 1798.29 of California's Civil Code now that it's been signed into law) makes NO provision about *systems* ownership, only data integrity. From http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html:

>> SEC. 2. Section 1798.29 is added to the Civil Code, to read:
>> 1798.29. (a) Any agency that owns or licenses computerized data
>> that includes personal information shall disclose any breach of
>> the security of the system following discovery or notification of
>> the breach in the security of the data to any resident of
>> California whose unencrypted personal information was, or is
>> reasonably believed to have been, acquired by an unauthorized
>> person.
>> (d) For purposes of this section, "breach of the security of the
>> system" means unauthorized acquisition of computerized data that
>> compromises the security, confidentiality, or integrity of
>> personal information maintained by the agency.

You'll note that 1798.29 does not strictly define "system" as that "hardware which is owned by the agency", but instead explicitly defines "breach of the security of the system" in terms of unauthorized acquisition of the *data*.
Your health care provider, under 1798.29, is responsible for the integrity of the data collected by itself *regardless of the current possessor of the data*. If a doctor downloads a chunk of data on his home PC and it gets stolen, this is functionally equivalent to the doctor printing out a thousand patient records and carrying it around in his/her briefcase; the data belongs to the health care provider, not the doctor, and it is their responsibility to disclose, not the doctor's.

I imagine that your organization is leery of fessing up to this disclosure because their internal access policy is so clearly in violation of HIPAA. I would advise most strongly that they fess up NOW and fix the problem - data privacy laws in the US are going to get stronger, not weaker, and sweeping this under the rug just means that it will come to light later when the penalties are greater. Including Jail Time :)

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
