--- You are currently subscribed to wedi-privacy as: [email protected]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org ---

Marshall,

In the scenario that you have described (below), we would recommend to our clients that they attend to the intents of both the (final) Privacy & Security rule, AND the (proposed) Security rule.

The "reasonableness" clause is scalable. That is, the implementation of the security P&P's in a small provider's office (with, say, one administrative position supporting the clinical work of a physician) might be relatively simple in relationship to the implementation of security P&P's in a large, complex hybrid entity, such as an academic medical center.

For example, the small provider may not need an efficient log-off scheme if no one else besides the physician and the administrator has physical access to the computer. Alternatively, in a larger or more complex office situation, "smart" proximity-cards may be the rule-of-thumb to automatically close-down an application as soon as the user walks away from the computer. In between those extremes, any number of progressive security measures might be implemented.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED] <mailto:MRosenblum@;att.net>

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you.

-----Original Message-----
From: Marshall E. Fryman [mailto:mfryman@;futuraintl.com]
Sent: Thursday, October 24, 2002 10:23 AM
To: WEDI SNIP Privacy Workgroup List
Subject: Privacy issues

The privacy regulation draws attention to a reasonable effort to maintain the privacy of patient's information except on a "need to know" basis. If we take the premise of a doctor's office where Person A types a letter to a patient containing confidential information. If Person A then walks away from their terminal, I would reasonably conclude that there should be some sort of password-protected screen saver that automatically pops up to blank the screen so that anyone passing by cannot read said letter.

If this workstation is set up using Windows 9x, is it also reasonable to claim that this machine is not securable? If I reboot the Win 9x machine, I can bypass any password that was originally set up on this machine and still read the letter. If I upgrade this machine to Windows NT / 2000 / XP, it is no longer possible to bypass the security system. This is clearly a more secure environment, but has anyone attempted to define if this falls within the "reasonable" precautions that a practice should take?

Anyone have any ideas? I have talked to CMS and they said that they were not really qualified to answer the question. Their initial reaction was that this was an issue of security not privacy, but they later changed their mind and said it might fall within the "reasonable" clause.

Thanks,
Marshall

--- The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
