Honestly, I am not amazed that the laptops was stolen and there was PHI/PII on them unencrypted. This along with unencrypted memory sticks are two of the biggest culprits and now would follow under the breach notifications, along with HITECH ACT, and the teeth it gave to HIPAA, it will probably help but not truly solve this type of issue.
Endpoint security will also help, but you are going to reach a point in which you are hampering the users trying to do their work, which brings up more questions whether its their process that needs to change, or more security awareness training along with administrative punishment up to including termination for violation of the policies and procedures of the company, or being grossly negligent in this reguard. Z Edward Ziots CISSP,MCSA,MCP+I,Security +,Network +,CCA Network Engineer Lifespan Organization 401-639-3505 [email protected] From: paul d [mailto:[email protected]] Sent: Friday, May 14, 2010 11:06 AM To: NT System Admin Issues Subject: RE: HIPAA Question All too true, John. And not just small offices either. CMS has a page that links breaches involving more than 500 people. I'm amazed at the number of incidents involving laptops that were stolen whose data was unencrypted. ________________________________ From: [email protected] To: [email protected] Date: Fri, 14 May 2010 09:43:22 -0400 Subject: RE: HIPAA Question A course of action that is reasonable and doable. Most of the responses in this thread are knee jerk over thinking of the issue. The sheer fact that you can fax a piece of PHI (fax transmissions aren't encrypted last time I checked) to a "secure location" should give you some idea of what's reasonable. As a part time consultant to a software reseller we've come across a disturbing fact - most small medical related offices have no real clue as to how or even why they have to follow HIPAA standards other than it's a Federal law and they signed some form saying they had watched the webinar and drank the koolaid. It's really very poorly implemented in these small offices because there is no ROI, compliance is a cost center and they only spend what is absolutely necessary - then something bad happens and they make an adjustment. John W. Cook Systems Administrator Partnership For Strong Families 315 SE 2nd Ave Gainesville, Fl 32601 Office (352) 393-2741 x320 Cell (352) 215-6944 Fax (352) 393-2746 MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4 From: James Kerr [mailto:[email protected]] Sent: Friday, May 14, 2010 9:19 AM To: NT System Admin Issues Subject: Re: HIPAA Question We have a consent form they must sign for us to send a fax or mailing so we could use that for emailing also. We can still send the data encrypted and give them the password over the phone. James ----- Original Message ----- From: paul d <mailto:[email protected]> To: NT System Admin Issues <mailto:[email protected]> Sent: Friday, May 14, 2010 8:47 AM Subject: RE: HIPAA Question They're usually referred to as Privacy or Security officers. For example, a CISO. For HIPAA, there can also be a compliance officer. And, to the OP, you'll eventually have to come up with some way to electronically deliver the data as it's part of the meaningful use act; you have to be able to give a patient their medical record by electronic means if they so desire. ________________________________ Subject: RE: HIPAA Question Date: Fri, 14 May 2010 10:09:32 +0100 From: [email protected] To: [email protected] Good God please don't do that! Password protected Word documents do not stand up to scrutiny. I don't work withy HIPAA at all, but I have worked within UK FSA and DPA guidelines for PII type data. If the patient demands it, you can send it unencrypted (we did this with voice recordings on CD .. policy was all CDs/DVDs had to be encrypted, but if a customer demanded a recording of a call we could send an audio CD via Registered Post (they must sign)). Personally, I would advise the patient of the issues around this action and offer to post it via some recorded method. If they wanted it electronically - perhaps you have some portal they can register on and log into to retrieve results? If it has to be email, they could send you an email requesting it that you respond to (helps with audit trail). I would suggest encryption - we use S/MIME a lot as it's easy for users in comparison to PGP and the like. Whatever you do, it should be based on having a policy and something your data protection officer (do you have such people in the US!?) and legal team are happy with. Going outside the loop tends to get you fired if it goes pear shaped ... a ________________________________ From: John Cook [mailto:[email protected]] Sent: 13 May 2010 21:34 To: NT System Admin Issues Subject: Re: HIPAA Question Put it into a passworded Word doc and verbally give them the password. ________________________________ From: James Kerr <[email protected]> To: NT System Admin Issues <[email protected]> Sent: Thu May 13 15:22:20 2010 Subject: HIPAA Question Guys, I have a quick HIPAA question. We work with people infected with HIV. A patient that lives out of state is asking us to email him info about his viral load. Any suggestions for how to email that info or get that info to him somehow? If the email content doesn't contain identifying info, is it ok? James ________________________________ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ************************************************************************************ WARNING: The information in this email and any attachments is confidential and may be legally privileged. If you are not the named addressee, you must not use, copy or disclose this email (including any attachments) or the information in it save to the named addressee nor take any action in reliance on it. If you receive this email or any attachments in error, please notify the sender immediately and then delete the same and any copies. "CLS Services Ltd × Registered in England No 4132704 × Registered Office: Exchange Tower × One Harbour Exchange Square × London E14 9GE" ________________________________ The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with Hotmail. Get busy. <http://www.windowslive.com/campaign/thenewbusy?tile=multicalendar&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_5> ________________________________ CONFIDENTIALITY STATEMENT: The information transmitted, or contained or attached to or with this Notice is intended only for the person or entity to which it is addressed and may contain Protected Health Information (PHI), confidential and/or privileged material. Any review, transmission, dissemination, or other use of, and taking any action in reliance upon this information by persons or entities other than the intended recipient without the express written consent of the sender are prohibited. This information may be protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other Federal and Florida laws. Improper or unauthorized use or disclosure of this information could result in civil and/or criminal penalties. Consider the environment. Please don't print this e-mail unless you really need to. This email and any attached files are confidential and intended solely for the intended recipient(s). If you are not the named recipient you should not read, distribute, copy or alter this email. Any views or opinions expressed in this email are those of the author and do not represent those of the company. Warning: Although precautions have been taken to make sure no viruses are present in this email, the company cannot accept responsibility for any loss or damage that arise from the use of this email or attachments. ________________________________ The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail. Get busy. <http://www.windowslive.com/campaign/thenewbusy?tile=multiaccount&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
