Wow! Thanks for putting it so bluntly. I agree with your view, but hadn't thought about the potential personal implications.
I'm not staff, just a hired gun for a relatively short term engagement. My time will be up in less than two months. Given the glacial speed of the organization I might not even hear back from those who could make a change. Plus it is complicated by some other dubious practices that I can't go into here. In my opinion it requires a Federal investigation to get to the roots of the problems.

I don't know your working situation but in mine I know of a couple of people who attempted to blow the whistle and can no longer find work in their fields because of the informal blacklist that is done by innuendo. In addition I'm close to "retirement" age and the age discrimination that exists here in the SF Bay Area is very tough to overcome. Plus I don't have the money to fight a long legal battle having been hit hard by the dot bomb.

Do you know any good attorneys? That seems to be the only option that is the least bit ethical.

Thanks,

Allen

--------- Original Message --------
From: Patrick Cahalan <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>, [email protected] <[email protected]>
Subject: Re: [FDE] Of course FDE is not sufficient...
Date: 09/05/07 09:58

> > Thanks for your comments, but please remember I'm just a minion in
> > this mess so I'm not in trouble, rather it is the south ends of the
> > jackasses headed north who allow this to happen and the advisors,
> > legal and otherwise, who tell them it is okay to do this.
>
> Currently, today, the *interpretation* of HIPAA absolves you of
> criminal liability. However, the legal interpretation of HIPAA is
> still being worked out in the courts; it is entirely possible that
> some data privacy zealous district attorney could charge you under the
> felony provisions of HIPAA as an accessory. This email thread
> constitutes acknowledgment after the fact of wrongdoing, by one
> possible interpretation. If I were in your position, I would consult
> an attorney or at the very least do some research into your local
> district attorney's leanings.
>
> > My main point in bringing this to the table here is that FDE is
> > only a mechanism that is implemented by very fallible humans who
> > will bend under the pressure of losing their jobs and being
> > blacklisted from the industry.
>
> Yes, this is absolutely true.
>
> > It is slightly more complex than this. In theory a given doctor has
> > access to only those records of their own patients and the patients
> > that are seen by the same group. The reality is broader I think,
> > but I don't think it allows them access to *every* medical record.
>
> The "minimum necessary" language is not specific, and is open to
> interpretation. If this goes to a jury, I think your organization's
> position will be in the unenviable position of establishing a legal
> precedent here in "minimum necessary" in a way that is decidedly not
> favorable.
>
> > In general I agree. I don't think they are dumping the patient
> > records of an entire facility, but over time they acquire and keep
> > much more than they are currently using or monitoring. This failure
> > to purge unneeded records is the key problem beyond the arrogance
> > of refusing to put up with password controls, time outs, and
> > encryption requirements.
>
> If you don't have a written records retention policy, your
> organization's liability is far greater than if you do. If you're not
> informing the doctors that they are expected to purge this data, you
> can't reasonably expect them to do so on their own.
>
> > This is exactly what I think the lawyers are relying on. The
> > doctors are authorized, therefore their possession is legal. Once
> > it is in the hands of the doctor and lost, I believe their thinking
> > is that it is the doctor's problem, not theirs. I would agree with
> > your more inclusive version but, like you I'm not a lawyer so my
> > opinion doesn't count for much.
>
> This is tricky, because it relies upon a legal position that once the
> data is transferred to the doctor, it is no longer "owned" by the
> organization, but by the doctor.
>
> And, for what it's worth, this is a discarded argument. See the
> Department of Health and Human Services own guidelines for remote
> access and storage of data:
>
> http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
>
> *Clearly* the Department of Health and Human Services regards this
> data as still being the responsibility of the organization, not the
> doctor.
>
> > Any ideas to help with this, direct or indirect, are most welcome.
>
> Quite frankly, I think you have both a professional and moral
> obligation to disclose this security breach. If you are reluctant to
> do so because of job security issues, you need to confront a
> supervisor with the afore linked HHS guidelines document. If they
> refuse to go forward, you should disclose this breach to whatever
> health oversight agency or public health authority that has
> jurisdiction over your organization. You have whistleblower
> protections (see 164.502 of HIPAA). Of course, this won't prevent
> your organization from firing you if they choose to do so, but will
> certainly give you justifiable meaningful grounds for an unlawful
> termination lawsuit. This will be a long, drawn out, ugly affair, but
> if you just sit and do nothing, your organization's bad security
> practices will continue unabated, and sooner or later you're going to
> be in this position again.
