I work for a company and we fall under HIPAA. If my laptop is not encrypted I am fired. That's a fairly clear and well known fact where I work. All laptops will absolutly be encrypted. Period. Even the 'loaner' one that is checked out for presentations and has no data on it ;)
Now as to the original request. Find your Compliance officer who must be officially identifed per HIPAA and ask them what they deem is acceptable. There are any number of technical solutions for the method that can and will work, but none of them are approved until your compliance officer says they are. We use Tumbleweeb SMX (or Axway / whatever they are now). Steven Peck On Fri, May 14, 2010 at 8:41 AM, Ziots, Edward <[email protected]> wrote: > Honestly, I am not amazed that the laptops was stolen and there was PHI/PII > on them unencrypted. This along with unencrypted memory sticks are two of > the biggest culprits and now would follow under the breach notifications, > along with HITECH ACT, and the teeth it gave to HIPAA, it will probably help > but not truly solve this type of issue. > > > > Endpoint security will also help, but you are going to reach a point in > which you are hampering the users trying to do their work, which brings up > more questions whether its their process that needs to change, or more > security awareness training along with administrative punishment up to > including termination for violation of the policies and procedures of the > company, or being grossly negligent in this reguard. > > > > Z > > > > Edward Ziots > > CISSP,MCSA,MCP+I,Security +,Network +,CCA > > Network Engineer > > Lifespan Organization > > 401-639-3505 > > [email protected] > > > > From: paul d [mailto:[email protected]] > Sent: Friday, May 14, 2010 11:06 AM > > To: NT System Admin Issues > Subject: RE: HIPAA Question > > > > All too true, John. > And not just small offices either. CMS has a page that links breaches > involving more than 500 people. I'm amazed at the number of incidents > involving laptops that were stolen whose data was unencrypted. > > ________________________________ > > From: [email protected] > To: [email protected] > Date: Fri, 14 May 2010 09:43:22 -0400 > Subject: RE: HIPAA Question > > A course of action that is reasonable and doable. Most of the responses in > this thread are knee jerk over thinking of the issue. The sheer fact that > you can fax a piece of PHI (fax transmissions aren’t encrypted last time I > checked) to a “secure location” should give you some idea of what’s > reasonable. > > As a part time consultant to a software reseller we’ve come across a > disturbing fact – most small medical related offices have no real clue as to > how or even why they have to follow HIPAA standards other than it’s a > Federal law and they signed some form saying they had watched the webinar > and drank the koolaid. It’s really very poorly implemented in these small > offices because there is no ROI, compliance is a cost center and they only > spend what is absolutely necessary – then something bad happens and they > make an adjustment. > > > > John W. Cook > > Systems Administrator > > Partnership For Strong Families > > 315 SE 2nd Ave > > Gainesville, Fl 32601 > > Office (352) 393-2741 x320 > > Cell (352) 215-6944 > > Fax (352) 393-2746 > > MCSE, MCTS, MCP+I, A+, N+, VSP4, VTSP4 > > > > From: James Kerr [mailto:[email protected]] > Sent: Friday, May 14, 2010 9:19 AM > To: NT System Admin Issues > Subject: Re: HIPAA Question > > > > We have a consent form they must sign for us to send a fax or mailing so we > could use that for emailing also. We can still send the data encrypted and > give them the password over the phone. > > > > James > > ----- Original Message ----- > > From: paul d > > To: NT System Admin Issues > > Sent: Friday, May 14, 2010 8:47 AM > > Subject: RE: HIPAA Question > > > > They're usually referred to as Privacy or Security officers. For example, a > CISO. For HIPAA, there can also be a compliance officer. > And, to the OP, you'll eventually have to come up with some way to > electronically deliver the data as it's part of the meaningful use act; you > have to be able to give a patient their medical record by electronic means > if they so desire. > > ________________________________ > > Subject: RE: HIPAA Question > Date: Fri, 14 May 2010 10:09:32 +0100 > From: [email protected] > To: [email protected] > > Good God please don't do that! Password protected Word documents do not > stand up to scrutiny. > > > > I don't work withy HIPAA at all, but I have worked within UK FSA and DPA > guidelines for PII type data. If the patient demands it, you can send it > unencrypted (we did this with voice recordings on CD .. policy was all > CDs/DVDs had to be encrypted, but if a customer demanded a recording of a > call we could send an audio CD via Registered Post (they must sign)). > > > > Personally, I would advise the patient of the issues around this action and > offer to post it via some recorded method. If they wanted it electronically > - perhaps you have some portal they can register on and log into to retrieve > results? If it has to be email, they could send you an email requesting it > that you respond to (helps with audit trail). I would suggest encryption - > we use S/MIME a lot as it's easy for users in comparison to PGP and the > like. > > > > Whatever you do, it should be based on having a policy and something your > data protection officer (do you have such people in the US!?) and legal team > are happy with. Going outside the loop tends to get you fired if it goes > pear shaped ... > > > > > > > > a > > > > ________________________________ > > From: John Cook [mailto:[email protected]] > Sent: 13 May 2010 21:34 > To: NT System Admin Issues > Subject: Re: HIPAA Question > > Put it into a passworded Word doc and verbally give them the password. > > > > ________________________________ > > From: James Kerr <[email protected]> > To: NT System Admin Issues <[email protected]> > Sent: Thu May 13 15:22:20 2010 > Subject: HIPAA Question > > Guys, I have a quick HIPAA question. We work with people infected with > HIV. A patient that lives out of state is asking us to email him info about > his viral load. Any suggestions for how to email that info or get that info > to him somehow? If the email content doesn't contain identifying info, is it > ok? > > > > James > > > > > > > > ________________________________ > > CONFIDENTIALITY STATEMENT: The information transmitted, or contained or > attached to or with this Notice is intended only for the person or entity to > which it is addressed and may contain Protected Health Information (PHI), > confidential and/or privileged material. Any review, transmission, > dissemination, or other use of, and taking any action in reliance upon this > information by persons or entities other than the intended recipient without > the express written consent of the sender are prohibited. This information > may be protected by the Health Insurance Portability and Accountability Act > of 1996 (HIPAA), and other Federal and Florida laws. Improper or > unauthorized use or disclosure of this information could result in civil > and/or criminal penalties. > Consider the environment. Please don't print this e-mail unless you really > need to. > This email and any attached files are confidential and intended solely for > the intended recipient(s). If you are not the named recipient you should not > read, distribute, copy or alter this email. Any views or opinions expressed > in this email are those of the author and do not represent those of the > company. Warning: Although precautions have been taken to make sure no > viruses are present in this email, the company cannot accept responsibility > for any loss or damage that arise from the use of this email or attachments. > > > > > ************************************************************************************ > WARNING: > The information in this email and any attachments is confidential and may be > legally privileged. > > > If you are not the named addressee, you must not use, copy or disclose this > email (including any attachments) or the information in it save to the named > addressee nor take any action in reliance on it. If you receive this email > or any attachments in error, please notify the sender immediately and then > delete the same and any copies. > > > "CLS Services Ltd × Registered in England No 4132704 × Registered Office: > Exchange Tower × One Harbour Exchange Square × London E14 9GE" > > > > > > > > ________________________________ > > The New Busy think 9 to 5 is a cute idea. Combine multiple calendars with > Hotmail. Get busy. > > > > > > > > > > > > ________________________________ > > CONFIDENTIALITY STATEMENT: The information transmitted, or contained or > attached to or with this Notice is intended only for the person or entity to > which it is addressed and may contain Protected Health Information (PHI), > confidential and/or privileged material. Any review, transmission, > dissemination, or other use of, and taking any action in reliance upon this > information by persons or entities other than the intended recipient without > the express written consent of the sender are prohibited. This information > may be protected by the Health Insurance Portability and Accountability Act > of 1996 (HIPAA), and other Federal and Florida laws. Improper or > unauthorized use or disclosure of this information could result in civil > and/or criminal penalties. > Consider the environment. Please don't print this e-mail unless you really > need to. > This email and any attached files are confidential and intended solely for > the intended recipient(s). If you are not the named recipient you should not > read, distribute, copy or alter this email. Any views or opinions expressed > in this email are those of the author and do not represent those of the > company. Warning: Although precautions have been taken to make sure no > viruses are present in this email, the company cannot accept responsibility > for any loss or damage that arise from the use of this email or attachments. > > > > > > > ________________________________ > > The New Busy is not the too busy. Combine all your e-mail accounts with > Hotmail. Get busy. > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
