---
Bruce's excellent point -- and suggestion -- is reinforced in the following excerpt from the original Final Rule (emphasis mine):
http://www.hhs.gov/ocr/part6.txt
[[Page 82745]]

Section 164.530(c)--Safeguards

Comments: A few comments assert that the rule requires some institutions that do not have adequate resources to develop costly physical and technical safeguards without providing a funding mechanism to do so. Another comment said that the vague definitions of adequate and appropriate safeguards could be interpreted by HHS to require the purchase of new computer systems and reprogram many old ones. A few other comments suggested that the safeguards language was vague and asked for more specifics.

Response: We require covered entities to maintain safeguards adequate for their operations, but do not require that [[Page 82746]] specific technologies be used to do so. Safeguards need not be expensive or high-tech to be effective. Sometimes, it is an adequate safeguard to put a lock on a door and only give the keys to those who need access. As described in more detail in the preamble discussion of Sec. 164.530, we do not require covered entities to guarantee the safety of protected health information against all assaults. This requirement is flexible and scalable to allow implementation of required safeguards at a reasonable cost.
---
Part of the fear, uncertainty, and doubt in responding to HIPAA is a tendency to overcomplicate risks beyond the point of reasonableness.

Thanks,
Mike McKinlay
McKesson
---
-----Original Message-----
From: Bruce T LeGrand [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 24, 2002 9:55 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Privacy issues
This is one of those situations where the subjective analysis takes over. If a practice uses Win 98 workstations, and the environment where the letter might be left on screen is not a high-traffic area, then a policy that you minimize the window might be a "reasonable" approach. It is far too easy to expound on all the technological enhancements that are going to make us more secure, but the reality is that a good analysis of exposure, policies and procedures to address the problems, and regular training to enforce those may be all that is required to handle the situations.
------------------( Forwarded letter 1 follows )--------------------
Date: Thu, 24 Oct 2002 10:23:09 -0400
To: [EMAIL PROTECTED]
From: Marshall.E.Fryman[mfryman]@futuraintl.com.inet
Sender: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Subject: Privacy issues
The privacy regulation draws attention to a reasonable effort to maintain the privacy of patients' information except on a "need to know" basis. Take the premise of a doctor's office where Person A types a letter to a patient containing confidential information. If Person A then walks away from their terminal, I would reasonably conclude that there should be some sort of password-protected screen saver that automatically pops up to blank the screen so that anyone passing by cannot read said letter. If this workstation is set up using Windows 9x, is it also reasonable to claim that this machine is not securable? If I reboot the Win 9x machine, I can bypass any password that was originally set up on this machine and still read the letter. If I upgrade this machine to Windows NT / 2000 / XP, it is no longer possible to bypass the security system. This is clearly a more secure environment, but has anyone attempted to define if this falls within the "reasonable" precautions that a practice should take?

Anyone have any ideas? I have talked to CMS and they said that they were not really qualified to answer the question. Their initial reaction was that this was an issue of security not privacy, but they later changed their mind and said it might fall within the "reasonable" clause.

Thanks,
Marshall
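The control Marshall describes, a screen saver that blanks the display after a period of inactivity and demands the user's password on resume, is a handful of registry values on an NT-family workstation. The following is an added configuration example, not code from any message in this thread, showing how to enforce those values through the per-user policy key (so the user cannot simply switch the password prompt back off) and how to audit a workstation against them. It assumes Windows 2000/XP or later with PowerShell, that it runs in the session of the user being locked down, and a chosen 10-minute timeout; the function names are hypothetical.

```powershell
# Added example (not from any message in this thread): enforce and audit a
# password-protected screen saver on an NT-family Windows workstation.
# Assumptions: Windows 2000/XP or later with PowerShell, run as the user whose
# desktop is being locked down; the 10-minute timeout is a chosen value.
# On Windows 9x the policy key is not honoured and, as the thread notes, a
# reboot defeats the screen saver password there anyway.

$PolicyKey      = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$DesktopKey     = 'HKCU:\Control Panel\Desktop'
$TimeoutSeconds = 600   # assumption: lock after 10 idle minutes

function Set-SecureScreenSaver {
    param([int]$Timeout = $TimeoutSeconds)

    # Values under the Policies key override the user's own Control Panel
    # choices, which is what makes this an enforced setting rather than a
    # preference the user can undo.
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    $values = @{
        'ScreenSaveActive'    = '1'             # enable the screen saver
        'ScreenSaverIsSecure' = '1'             # require the password on resume
        'ScreenSaveTimeOut'   = "$Timeout"      # idle seconds before it starts
        'SCRNSAVE.EXE'        = 'scrnsave.scr'  # the built-in blank-screen saver
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $PolicyKey -Name $name -Value $values[$name] -Type String
    }
}

function Test-SecureScreenSaver {
    param([int]$MaxTimeout = $TimeoutSeconds)

    # Prefer the policy key; fall back to the user's own settings if no policy
    # is in force, so the audit reports what the desktop will actually do.
    $src = if (Test-Path $PolicyKey) { $PolicyKey } else { $DesktopKey }
    $p   = Get-ItemProperty -Path $src -ErrorAction SilentlyContinue

    $findings = @()
    if ($p.ScreenSaveActive -ne '1')    { $findings += 'screen saver disabled' }
    if ($p.ScreenSaverIsSecure -ne '1') { $findings += 'no password required on resume' }
    if (-not $p.ScreenSaveTimeOut -or [int]$p.ScreenSaveTimeOut -gt $MaxTimeout) {
        $findings += "timeout missing or longer than $MaxTimeout seconds"
    }
    if (-not $p.'SCRNSAVE.EXE')         { $findings += 'no screen saver executable set' }

    [pscustomobject]@{
        Source    = $src
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

Set-SecureScreenSaver
Test-SecureScreenSaver | Format-List
```

These four values are the same ones the Group Policy screen saver settings under User Configuration write, so the audit function is also a quick way to confirm that a domain policy actually reached a given workstation. The lock is only as strong as the logon it sits on: it assumes the NT-family account password is set and that a passer-by cannot reboot the machine into an unprotected state, which is exactly the distinction Marshall draws between Windows 9x and NT/2000/XP.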
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
