Hi Patrick,

Thanks for your comments, but please remember I'm just a minion in this mess so I'm not in trouble, rather it is the south ends of the jackasses headed north who allow this to happen and the advisors, legal and otherwise, who tell them it is okay to do this.

I've complained and talked with others who agree with you and me; the response is that the doctors are "gods" who cannot be forced to do what is right. My main point in bringing this to the table here is that FDE is only a mechanism that is implemented by very fallible humans who will bend under the pressure of losing their jobs and being blacklisted from the industry. Contrary to what many may think, recruiters and others in HR have many ways of covertly cooperating with each other to weed out those who disturb the waters. I once read a masterful description of how this is done in academia when someone is applying for a post-doc position. I wish I could remember where I saw it. In any case, the basics involve damning with faint praise. Anyone attuned to innuendo can see it immediately and acts according to their interpretation of the tone of the letter of recommendation. It almost never can be proven but many of us agree it exists.

So, back to the basics, when we look at FDE we need to keep in mind the human element because, at least I believe it to be so, we are attempting to make all of us safer from attack against or misuse of our private data. We may well disagree about the best mechanisms but we are united in our goals. I'm at my wits' end in coming up with strategies given that there are few, if any, safe harbors for whistle-blowers these days; how would you suggest this be addressed?

Additional comments inline.

Patrick Cahalan wrote:
> I'm assuming, from the general body of the email, that you're subject
> to US law here. Disclaimer: I'm not a lawyer, although I've read
> enough about IT regulation (particularly SB 1386 and HIPAA) to know
> you're in a world of trouble.

Yep, do tell.

>> The doctors are exempt from all policies as they are not employees
>> of the provider. Not only is this true, it says so in the very
>> first policy in their list of policies. Isn't that grand?
>
>> Since the doctors are exempt, they do what they please. And what
>> they please is to download a *large* number of medical records into
>> an unprotected computer at home that was stolen today.
>
> At the very least, this violates 164.502 part b.1 of HIPAA (from
> http://www.hhs.gov/ocr/regtext.html)
>
>>> (b) Standard: minimum necessary.
>>>
>>> (1) Minimum necessary applies. When using or disclosing protected
>>> health information or when requesting protected health
>>> information from another covered entity, a covered entity must
>>> make reasonable efforts to limit protected health information to
>>> the minimum necessary to accomplish the intended purpose of the
>>> use, disclosure, or request.
>
> If your health care provider is granting blanket access to doctors
> they are in obvious violation of this subpart.

It is slightly more complex than this. In theory a given doctor has access to only those records of their own patients and the patients that are seen by the same group. The reality is broader I think, but I don't think it allows them access to *every* medical record.

> Your legal team may be relying upon the subsequent section 164.506,
> section a.2.i:
>
>>> § 164.506 Consent for uses or disclosures to carry out treatment,
>>> payment, or health care operations.
>>>
>>> (a) Standard: consent requirement.
>>>
>>> (1) Except as provided in paragraph (a)(2) or (a)(3) of this
>>> section, a covered health care provider must obtain the
>>> individual's consent, in accordance with this section, prior to
>>> using or disclosing protected health information to carry out
>>> treatment, payment, or health care operations.
>>>
>>> (2) A covered health care provider may, without consent, use or
>>> disclose protected health information to carry out treatment,
>>> payment, or health care operations, if:
>>>
>>> (i) The covered health care provider has an indirect treatment
>>> relationship with the individual; or
>
> Since a doctor at a health care provider has an indirect relationship
> with all patients of the other doctors of the provider. However,
> 164.502 section a.1.iii clearly limits the "without consent":
>
>>> (iii) Without consent, if consent is not required under §
>>> 164.506(a) and has not been sought under § 164.506(a)(4), to
>>> carry out treatment, payment, or health care operations, except
>>> with respect to psychotherapy notes;
>
> If your doctors are routinely data-dumping the patient records of the
> entire facility, you guys are up the creek. No paddle.

In general I agree. I don't think they are dumping the patient records of an entire facility, but over time they acquire and keep much more than they are currently using or monitoring. This failure to purge unneeded records is the key problem beyond the arrogance of refusing to put up with password controls, timeouts, and encryption requirements.

>
>> This has not yet been reported under California 1386 yet, and
>> apparently there is a discussion going on whether they need to as
>> it was not the medical provider's machine....
>
> Whoo, lord, do your people need to be more worried about the law.
>
> SB 1386 (note, it's actually 1798.29 of California's Civil Code now
> that it's been signed into law)

Yeah, I know, but SB 1386 is more recognizable by those who are not lawyers. In fact when one searches the net for other states that have enacted similar laws they are commonly referred to by phrases similar to "...based on California's SB 1386."

> makes NO provision about *systems*
> ownership, only data integrity. From
>
> http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html:
>
>>> SEC. 2. Section 1798.29 is added to the Civil Code, to read:
>>> 1798.29. (a) Any agency that owns or licenses computerized data
>>> that includes personal information shall disclose any breach of
>>> the security of the system following discovery or notification of
>>> the breach in the security of the data to any resident of
>>> California whose unencrypted personal information was, or is
>>> reasonably believed to have been, acquired by an unauthorized
>>> person.

This is exactly what I think the lawyers are relying on. The doctors are authorized, therefore their possession is legal. Once it is in the hands of the doctor and lost, I believe their thinking is that it is the doctor's problem, not theirs. I would agree with your more inclusive version but, like you, I'm not a lawyer so my opinion doesn't count for much. The situation is much like NASA's Columbia disaster: managers were unwilling to tell higher-ups about the concerns of the lower level engineers so actions were taken based on faulty or incomplete data, leading directly to the very public failure.

>>> (d) For purposes of this section, "breach of the security of the
>>> system" means unauthorized acquisition of computerized data that
>>> compromises the security, confidentiality, or integrity of
>>> personal information maintained by the agency.
>
> You'll note that 1798.29 does not strictly define "system" as that
> "hardware which is owned by the agency", but instead explicitly
> defines "breach of the security of the system" in terms of
> unauthorized acquisition of the *data*.

And this is where they say that the computers are not part of their system so they have little or no responsibility to protect it once it is handed over to an authorized user.

> Your health care provider, under 1798.29, is responsible for the
> integrity of the data collected by itself *regardless of the current
> possessor of the data*.

I wish they agreed. It would make life much simpler. But the lawyers and the big consulting firms make money on muddying the waters so it is not in their interests to simplify the issues to the level of clarity that you have.

> If a doctor downloads a chunk of data on his home PC and it gets
> stolen, this is functionally equivalent to the doctor printing out a
> thousand patient records and carrying it around in his/her briefcase;
> the data belongs to the health care provider, not the doctor, and it
> is their responsibility to disclose, not the doctor's.
>
> I imagine that your organization is leery of fessing up to this
> disclosure because their internal access policy is so clearly in
> violation of HIPAA. I would advise most strongly that they fess up
> NOW and fix the problem - data privacy laws in the US are going to get
> stronger, not weaker, and sweeping this under the rug just means that
> it will come to light later when the penalties are greater.
>
> Including Jail Time :)

Don't I just wish. Alas we have far too many examples of the street corner kid being landed in jail for life for possessing some small amount of crack while white collar criminals get off with a small slap and get to keep the bulk of their stolen riches a la Milken, the "king" of the junk bond scandals twenty years ago.

Any ideas to help with this, direct or indirect, are most welcome.

Best to you and yours,

Allen

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
