> Thanks for your comments, but please remember I'm just a minion in
> this mess so I'm not in trouble, rather it is the south ends of the
> jackasses headed north who allow this to happen and the advisors,
> legal and otherwise, who tell them it is okay to do this.

Currently, today, the *interpretation* of HIPAA absolves you of criminal liability. However, the legal interpretation of HIPAA is still being worked out in the courts; it is entirely possible that some data-privacy-zealous district attorney could charge you under the felony provisions of HIPAA as an accessory. This email thread constitutes acknowledgment after the fact of wrongdoing, by one possible interpretation. If I were in your position, I would consult an attorney or at the very least do some research into your local district attorney's leanings.

> My main point in bringing this to the table here is that FDE is
> only a mechanism that is implemented by very fallible humans who
> will bend under the pressure of losing their jobs and being
> blacklisted from the industry.

Yes, this is absolutely true.

> It is slightly more complex than this. In theory a given doctor has
> access to only those records of their own patients and the patients
> that are seen by the same group. The reality is broader I think,
> but I don't think it allows them access to *every* medical record.

The "minimum necessary" language is not specific, and is open to interpretation. If this goes to a jury, I think your organization will be in the unenviable position of establishing a legal precedent here on "minimum necessary" in a way that is decidedly not favorable.

> In general I agree. I don't think they are dumping the patient
> records of an entire facility, but over time they acquire and keep
> much more than they are currently using or monitoring. This failure
> to purge unneeded records is the key problem beyond the arrogance
> of refusing to put up with password controls, timeouts, and
> encryption requirements.

If you don't have a written records retention policy, your organization's liability is far greater than if you do. If you're not informing the doctors that they are expected to purge this data, you can't reasonably expect them to do so on their own.

> This is exactly what I think the lawyers are relying on. The
> doctors are authorized, therefore their possession is legal. Once
> it is in the hands of the doctor and lost, I believe their thinking
> is that it is the doctor's problem, not theirs. I would agree with
> your more inclusive version but, like you, I'm not a lawyer so my
> opinion doesn't count for much.

This is tricky, because it relies upon a legal position that once the data is transferred to the doctor, it is no longer "owned" by the organization, but by the doctor. And, for what it's worth, this is a discarded argument. See the Department of Health and Human Services' own guidelines for remote access and storage of data:

http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

*Clearly* the Department of Health and Human Services regards this data as still being the responsibility of the organization, not the doctor.

> Any ideas to help with this, direct or indirect, are most welcome.

Quite frankly, I think you have both a professional and moral obligation to disclose this security breach. If you are reluctant to do so because of job security issues, you need to confront a supervisor with the above-linked HHS guidelines document. If they refuse to go forward, you should disclose this breach to whatever health oversight agency or public health authority has jurisdiction over your organization. You have whistleblower protections (see 164.502 of HIPAA). Of course, this won't prevent your organization from firing you if they choose to do so, but it will certainly give you justifiable, meaningful grounds for an unlawful termination lawsuit. This will be a long, drawn-out, ugly affair, but if you just sit and do nothing, your organization's bad security practices will continue unabated, and sooner or later you're going to be in this position again.
_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
