While the legal system is different, you may wish to refer to our fellow Anglo-Saxons in the UK, who publish quite a bit of literature, e.g. a code of practice for protecting patient confidentiality http://www.confidentiality.scot.nhs.uk/publications/6074NHSCode.pdf and www.connectingforhealth.nhs.uk/resources/archive/gpsoc.pdf (statement of compliance for a GP practice IT system), etc.
---------- Forwarded message ----------
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: 06.09.2007 20:00
Subject: FDE Digest, Vol 12, Issue 3
To: [email protected]

Send FDE mailing list submissions to [email protected]

To subscribe or unsubscribe via the World Wide Web, visit http://www.xml-dev.com/mailman/listinfo/fde or, via email, send a message with subject or body 'help' to [EMAIL PROTECTED]

You can reach the person managing the list at [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific than "Re: Contents of FDE digest..."

Today's Topics:

1. Re: Of course FDE is not sufficient... (Patrick Cahalan)
2. Re: Of course FDE is not sufficient... (Netsecurity)

----------------------------------------------------------------------

Message: 1
Date: Wed, 05 Sep 2007 09:57:34 -0700
From: Patrick Cahalan <[EMAIL PROTECTED]>
Subject: Re: [FDE] Of course FDE is not sufficient...
To: [EMAIL PROTECTED], [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=windows-1252; format=flowed

> Thanks for your comments, but please remember I'm just a minion in
> this mess so I'm not in trouble, rather it is the south ends of the
> jackasses headed north who allow this to happen and the advisors,
> legal and otherwise, who tell them it is okay to do this.

Currently, today, the *interpretation* of HIPAA absolves you of criminal liability. However, the legal interpretation of HIPAA is still being worked out in the courts; it is entirely possible that some data privacy zealous district attorney could charge you under the felony provisions of HIPAA as an accessory. This email thread constitutes acknowledgment after the fact of wrongdoing, by one possible interpretation. If I were in your position, I would consult an attorney or at the very least do some research into your local district attorney's leanings.
> My main point in bringing this to the table here is that FDE is
> only a mechanism that is implemented by very fallible humans who
> will bend under the pressure of losing their jobs and being
> blacklisted from the industry.

Yes, this is absolutely true.

> It is slightly more complex than this. In theory a given doctor has
> access to only those records of their own patients and the patients
> that are seen by the same group. The reality is broader I think,
> but I don't think it allows them access to *every* medical record.

The "minimum necessary" language is not specific, and is open to interpretation. If this goes to a jury, I think your organization's position will be in the unenviable position of establishing a legal precedent here in "minimum necessary" in a way that is decidedly not favorable.

> In general I agree. I don't think they are dumping the patient
> records of an entire facility, but over time they acquire and keep
> much more than they are currently using or monitoring. This failure
> to purge unneeded records is the key problem beyond the arrogance
> of refusing to put up with password controls, time outs, and
> encryption requirements.

If you don't have a written records retention policy, your organization's liability is far greater than if you do. If you're not informing the doctors that they are expected to purge this data, you can't reasonably expect them to do so on their own.

> This is exactly what I think the lawyers are relying on. The
> doctors are authorized, therefore their possession is legal. Once
> it is in the hands of the doctor and lost, I believe their thinking
> is that it is the doctor's problem, not theirs. I would agree with
> your more inclusive version but, like you I'm not a lawyer so my
> opinion doesn't count for much.

This is tricky, because it relies upon a legal position that once the data is transferred to the doctor, it is no longer "owned" by the organization, but by the doctor.
And, for what it's worth, this is a discarded argument. See the Department of Health and Human Services' own guidelines for remote access and storage of data:

http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf

*Clearly* the Department of Health and Human Services regards this data as still being the responsibility of the organization, not the doctor.

> Any ideas to help with this, direct or indirect, are most welcome.

Quite frankly, I think you have both a professional and moral obligation to disclose this security breach. If you are reluctant to do so because of job security issues, you need to confront a supervisor with the afore-linked HHS guidelines document. If they refuse to go forward, you should disclose this breach to whatever health oversight agency or public health authority has jurisdiction over your organization. You have whistleblower protections (see 164.502 of HIPAA). Of course, this won't prevent your organization from firing you if they choose to do so, but will certainly give you justifiable, meaningful grounds for an unlawful termination lawsuit. This will be a long, drawn out, ugly affair, but if you just sit and do nothing, your organization's bad security practices will continue unabated, and sooner or later you're going to be in this position again.

------------------------------

Message: 2
Date: Wed, 5 Sep 2007 15:30:04 -0700
From: Netsecurity <[EMAIL PROTECTED]>
Subject: Re: [FDE] Of course FDE is not sufficient...
To: Patrick Cahalan <[EMAIL PROTECTED]>, [EMAIL PROTECTED], [email protected]
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="iso-8859-1"

Wow! Thanks for putting it so bluntly. I agree with your view, but hadn't thought about the potential personal implications. I'm not staff, just a hired gun for a relatively short term engagement. My time will be up in less than two months.
Given the glacial speed of the organization I might not even hear back from those who could make a change. Plus it is complicated by some other dubious practices that I can't go into here. In my opinion it requires a Federal investigation to get to the roots of the problems. I don't know your working situation but in mine I know of a couple of people who attempted to blow the whistle and can no longer find work in their fields because of the informal blacklist that is done by innuendo. In addition I'm close to "retirement" age and the age discrimination that exists here in the SF Bay Area is very tough to overcome. Plus I don't have the money to fight a long legal battle having been hit hard by the dot bomb. Do you know any good attorneys? That seems to be the only option that is the least bit ethical.

Thanks,
Allen
