Hi Tom,

I'm not sure I'd call this a dead horse. The HIPAA Security Rule talks a bit about the need for sanctions as a component of achieving compliance at 68 FR 8347 (first column):

"The sanction policy is a required implementation specification because -- (1) the statute requires covered entities to have safeguards to ensure compliance by officers and employees; (2) a negative consequence to noncompliance enhances the likelihood of compliance; and (3) sanction policies are recognized as a usual and necessary component of an adequate security program."

Surely, moving the protected health information to a location and putting it in the control of people outside U.S. jurisdiction compromises the ability to impose sanctions in the event that security is compromised. Especially since the outsourcer would be a Business Associate and, under the HIPAA rules, Kaiser would not be held responsible for their actions.

The downside is that the Security Rule doesn't go into effect until April 20, 2005. On the other hand, Kaiser's moving that data offshore might be seen as a preemptive move to avoid the Security Rule and, given that Health Care is likely to be an issue in the upcoming Presidential campaign, it might be something the politicians here would latch on to. I think Kaiser covers about 50 million Americans. That's a lot of potentially pissed off voters. Hmmm..... Might be a Cause here.

Best regards,
Bill

----- Original Message -----
From: <[email protected]>
To: <openehr-technical at openehr.org>
Sent: Saturday, May 17, 2003 2:08 AM
Subject: Patient Privacy: Impact of Outsourcing

> Hi All,
>
> The following link is to an article appearing in the San Francisco Chronicle online version, May 14, 2003 entitled:
>
> LAZARUS AT LARGE
> Kaiser exporting privacy
>
> http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/05/14/BU307139.DTL&type=tech
>
> Unfortunately this has been predicted by many. Rushing out to contact members of the US congress requesting a new privacy and security bill would be too late and probably wasted effort. It should highlight the need for very stringent security mechanisms and procedures that continually monitor and track data transmission and storage at a minimum.
>
> In previous emails 'Secure Data Store' facilities have been mentioned. This is just one example why they are needed.
>
> -Thomas Clark
>
> -
> If you have any questions about using this list,
> please send a message to d.lloyd at openehr.org

