<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-12768719</id><updated>2009-12-18T00:56:41.559-08:00</updated><title type='text'>ComPly With Me--- a HIPAA Forum</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default?start-index=26&amp;max-results=25'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>272</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-12768719.post-6872400038830462568</id><published>2009-01-22T13:11:00.000-08:00</published><updated>2009-01-22T13:12:12.234-08:00</updated><title type='text'>3 I's</title><content type='html'>There's no avoiding it; there's a new sheriff in town. 
With the coming change of administration, and a Congress far more open to the idea of regulation, spurred by the recent problems in the lending sector, there is little doubt that we will be seeing a spate of new regulations and regulatory bodies, as well as an increase in the enforcement of existing regulations, such as Sarbanes-Oxley, HIPAA, and GLBA.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The last few years have been full enough of regulatory landmines for the unsuspecting IT department. At the same time, though, enforcement has been lax. For example, under HIPAA, which has a complaint-driven enforcement process, there have been over 32,000 complaints over the last five years, but fewer than a dozen prosecutions. In fact, according to the Inspector General of HHS, the Center for Medicare and Medicaid, an enforcement entity, "had not implemented proactive compliance reviews and therefore had no effective way to determine whether covered entities were complying with HIPAA Security Rule provisions."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Look for this to change, perhaps dramatically. HHS has already started an audit program, and several statements by various heads of congressional committees have indicated that for regulatory slackers, the party is over.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;So what does this mean for those poor souls charged with maintaining regulatory compliance in organizations which, up until now, haven't really felt all that much pressure? For many it means changing the view they have had about compliance. Careful planning and fresh approaches will be the key to coping with new regulation as well as old regulations newly enforced.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Invisibility, Integration, and Integrity. These need to become our new watchwords as we move forward into the unknown territory of compliance. Most important is invisibility. 
No matter what systems, programs, rules or processes we come up with, if they are not designed to impact the end user as little as possible, then they will be bypassed. History has shown us that as little as one extra step in a work sequence will cause end-users to find ways to bypass or ignore it, unless the user perceives the added step as needed to perform their primary work function. Nowhere is this more evident than in healthcare, where regulatory steps, especially HIPAA-related, are seen by many as timewasters and barriers to providing care to patients. If the end user experience is not included in compliance planning, then whatever solutions are chosen will inevitably fail.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Compliance solutions need to integrate with existing systems, including technical, organizational, and workflow systems. A tacked-on compliance solution will be resource-wasting, time-wasting, and ultimately ignored. Email solutions, for example, should use existing systems for both secure and non-secure communications, instead of creating a new and separate system just to handle secure communication. Relying on end-users to judge which of two parallel systems to use leads to frustration at best. Systems should be chosen to maximize ease of integration with what already is in use.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Usually when IT security people talk about integrity, they are talking about keeping your data consistent, but in this case I am using it in the ethical sense. You cannot expect your end users to comply if you aren't. You can pretty much expect that any shortcut or bypass you use will be found and exploited by your users, too. Set that example, talk to your users and make certain that what you do is what they should be doing, too.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Three I's: invisibility, integration, and integrity. 
Keep these in mind as you plan, implement and administer your compliance solutions and you will find the entire journey to compliance land much, much smoother.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6872400038830462568?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6872400038830462568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6872400038830462568' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6872400038830462568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6872400038830462568'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2009/01/3-is.html' title='3 I&apos;s'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6751937667304677252</id><published>2008-10-09T14:08:00.001-07:00</published><updated>2008-10-09T14:08:45.587-07:00</updated><title type='text'>Blue Suit, Red Cape and Red Boots</title><content type='html'>No doubt about it, things are getting tighter. Even with the volume off, the TV has a streaming litany of financial woe in a never ending flow from left to right at the bottom of the screen. 
And you don't need Jim Cramer to remind you, your customers are letting you know, as well as your screaming bottom line.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;At the same time your work day and productivity are being strangled by more regulation, more rules and more requirements for security. Even beyond the regulatory considerations, you really do want your clients' data as safe as you can make it. It is part of the reason you got into this business, along with the Truth, Justice and American way stuff. But how to catch that speeding locomotive with all these chains around your ankles?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The first step is to develop the security mindset. Like so many other things, security is not a destination, it is a way of thinking. The same instincts and habits that make you rattle the back door after locking up can serve you with many information and data security issues as well. You are not locking the back door because you expect an intruder. You are prudently making it a little more difficult for the eventual intruder that someday will check your back door. Similarly, you are not protecting your data against a specific bad guy, but instead building an array of defenses so as to make your operation as unattractive to data and identity thieves as possible.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Make certain that your employees have a grasp of the basics and are incorporating them into the work day. Passwords should be routinely changed, and not written on post-it notes or shared. Callers who ask for information about internal systems should be clearly identified, or better yet referred to a designated person. That designated person should be the office go-to person for all basic security questions, and well-briefed as to possible vulnerabilities and how an exploitation might present itself.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;New and even more stringent regulations are on the way. 
How you keep your client's data safe is going to be a problem that rests on your shoulders. You can spend a fortune building new, secure systems, or you can temper that spending with better training and looking at alternate ways of handling your data, such as on-line hosting, where the back-end security is handled for you. This combination can be a cost-effective way of providing improved security without having to leap any tall buildings.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6751937667304677252?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6751937667304677252/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6751937667304677252' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6751937667304677252'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6751937667304677252'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/10/blue-suit-red-cape-and-red-boots.html' title='Blue Suit, Red Cape and Red Boots'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8358098129881067614</id><published>2008-09-19T10:31:00.001-07:00</published><updated>2008-09-19T10:31:26.608-07:00</updated><title type='text'>International Talk Like a Pirate Day!</title><content type='html'>Arrrgh!&lt;div 
class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8358098129881067614?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8358098129881067614/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=8358098129881067614' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8358098129881067614'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8358098129881067614'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/09/international-talk-like-pirate-day.html' title='International Talk Like a Pirate Day!'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4116239400649627902</id><published>2008-05-13T10:39:00.000-07:00</published><updated>2008-05-13T11:09:21.443-07:00</updated><title type='text'>Ah, Sweet Mystery</title><content type='html'>Is your data secure? 
&lt;em&gt;How do you know?&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Here is yet another example of data exposed by carelessness and a simple error, and not noticed or reported for quite a long time.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/01/MNKE10DRGN.DTL&amp;tsp=1"&gt;From the San Francisco Chronicle:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft, The Chronicle has learned.&lt;br /&gt;&lt;br /&gt;The information accessible online included names and addresses of patients along with names of the departments where medical care was provided. Some patient medical record numbers and the names of the patients' physicians also were available online.&lt;br /&gt;&lt;br /&gt;The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Over 6000 patients' information exposed on the internet for over 3 months! The sad and sorry part is not that the persons affected weren't then notified when it was caught--- that part is simply crummy behavior, and as heinous as that is, it is out of our scope. The real issue is that learning that you are exposed is oftentimes way too late. In this case it was a careless data-mining company, which should have been under a Business Associate's agreement under the HIPAA rules, and been monitored by the Hospital's compliance officer. &lt;br /&gt;&lt;br /&gt;Doing a vanity search on Google and finding your own medical records must be quite a shock. Imagine having one of your customers find something like that... 
something like, say, last year's quarterlies conveniently displayed for the world to peruse.&lt;br /&gt;&lt;br /&gt;So is there a bullet-proof way of making certain that your stuff stays secure? Not really, but there are a number of ways you can protect yourself. For big companies the options are legion, but for smaller companies one of the best is to consolidate your data so that access is generally made through a single source. Online hosting ensures that professional and vigilant care is taken of your data. Like the common cold, there is no cure for idiocy, but knowing that your information is in the hands of people who make it their business to keep it safe, secure, and accessible to only the right people is priceless.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4116239400649627902?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4116239400649627902/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=4116239400649627902' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4116239400649627902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4116239400649627902'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/05/ah-sweet-mystery.html' title='Ah, Sweet Mystery'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2608619366510916431</id><published>2008-04-18T10:52:00.000-07:00</published><updated>2008-04-18T10:55:07.882-07:00</updated><title type='text'>Baby One More Time</title><content type='html'>Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!Britney Spears!&lt;br /&gt;&lt;br /&gt;Fire 'em all.&lt;br /&gt;&lt;br /&gt;Really. I am sick of this, because if it happens to celebrities and they catch this many, it means that the rest of us are pretty close to being on public display.&lt;br /&gt;&lt;br /&gt;String 'em up, it'll teach 'em a lesson.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2608619366510916431?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2608619366510916431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=2608619366510916431' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2608619366510916431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2608619366510916431'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/04/baby-one-more-time.html' title='Baby One More 
Time'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1526205871258862160</id><published>2008-04-18T10:20:00.000-07:00</published><updated>2008-04-18T10:36:47.354-07:00</updated><title type='text'>Over and over</title><content type='html'>So many times, companies think of the audit process as a needed evil, something to endure then forget. No retailer would think that about inventory, but somehow we tend to think of our data as less valuable, perhaps because it is intangible. It isn't--- your data is your business. &lt;a href="http://www.scmagazineus.com/Changing-a-mindset-Audits-are-no-longer-one-off-events/article/107786/"&gt;Here is what Brian Cote&lt;/a&gt; in SC magazine has to say:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Businesses need to consider data security as a whole, not merely as part of the audit process. This approach not only helps reduce the overall length of the audit process, it eliminates unnecessary vulnerability in the organization—providing a far greater reward than merely passing the audit. After all, if an organization suffers an exploit of security vulnerability, they'll face a far more costly and disruptive scenario than any compliance audit could cause. Without having a holistic approach to data security, organizations are doomed to reinvent the wheel. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;An unchecked and unmonitored system is a vulnerable one. 
Regular reviews, tests and audits help keep the safeguards you have in place effective.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1526205871258862160?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1526205871258862160/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=1526205871258862160' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1526205871258862160'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1526205871258862160'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/04/over-and-over.html' title='Over and over'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4588977392851387464</id><published>2008-03-10T14:51:00.000-07:00</published><updated>2008-03-10T15:13:03.082-07:00</updated><title type='text'>My Way</title><content type='html'>I wanted to say something about Google Health.&lt;br /&gt;I have been watching for some time the various schemes to centralize healthcare records, from Hillary Clinton and Bill Frist's unlikely alliance a couple of years ago to Washington State's efforts (my wife is on the Governor's HISPC Advisory Board, so I have gotten to watch some of the sausage-making close up) and in general I think that it is not only a good idea in theory but that there is a 
certain practical inevitability to it. &lt;br /&gt;Still, when prominent health organizations start considering placing PHI in the hands of the world's largest search engine company, I am a little less enthusiastic. For starters there is no accountability at this point. Google is certainly not a covered entity, and for all of their massive and admirable ability to keep, sort and provide information to millions of users across the globe, they, like any other company that does business internationally, are susceptible to the whims of the governments of the countries where they do business.&lt;br /&gt;Is my PHI a matter of national security? Of course not, and mine is especially boring; I have enjoyed good health for decades and have suffered from none of the things that might be of concern to anyone. But different countries have different privacy standards, different countries have different legal systems, and I have at least the expectation of privacy, as flimsy as that might be.&lt;br /&gt;As far as I am concerned, the song goes like this: "Not covered by HIPAA? Then you don't get my PHI." 
Period.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4588977392851387464?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4588977392851387464/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=4588977392851387464' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4588977392851387464'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4588977392851387464'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/my-way.html' title='My Way'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-5423154689937511198</id><published>2008-03-10T12:58:00.000-07:00</published><updated>2008-03-10T14:50:56.881-07:00</updated><title type='text'>Time After Time</title><content type='html'>&lt;a href="http://www.kten.com/Global/story.asp?S=7914206&amp;nav=menu410_3"&gt;It's about time:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;OKLAHOMA CITY (AP) - Federal prosecutors have accused an Oklahoma City woman of violating a federal health privacy law as part of an identity theft scheme.&lt;br /&gt;&lt;br /&gt;An indictment alleges Leslie A. Howell violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA).&lt;br /&gt;&lt;br /&gt;U.S. 
Attorney for the Western District of Oklahoma spokesman Bob Troester says the Feb. 15 indictment was the first in the district for violating HIPAA.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;First in the district? More like nearly the first in the country! Is this part of a new pattern, or just another case of an acorn dropping into the sleeping sow's mouth?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-5423154689937511198?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/5423154689937511198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=5423154689937511198' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5423154689937511198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/5423154689937511198'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/time-after-time.html' title='Time After Time'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3871360327305317949</id><published>2008-03-10T12:37:00.000-07:00</published><updated>2008-03-10T12:53:14.866-07:00</updated><title type='text'>It Wasn't Me</title><content type='html'>&lt;a href="http://www.thepittsburghchannel.com/news/15334586/detail.html"&gt;Oh, please...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;When Team 4 got certain records, 
the HIPAA enforcement office was supposed to block out the names of all patients who filed the complaints. But when Team 4's Paul Van Osdol examined the records, he found nine cases where patient names were disclosed. So, it appears the people in charge of enforcing the medical privacy law failed to follow their own rules.&lt;br /&gt;&lt;br /&gt;Teresa Dimichelle is one of those patients whose names were disclosed. She agreed to talk about it.&lt;br /&gt;&lt;br /&gt;Van Osdol: "The fact that the government failed to protect you, the same government agency that enforces HIPAA laws, what does that tell you?"&lt;br /&gt;&lt;br /&gt;Dimichelle: "That it's all a joke to them. It was about my health care and the way I was being treated. I didn't think it needed go to whoever, Joe Schmoe down the street."&lt;br /&gt;&lt;br /&gt;"That's alarming, and you should be commended for doing that request and uncovering that, because that's something we definitely need to address," said Altmire.&lt;br /&gt;&lt;br /&gt;A spokesman for the Department of Health and Human Services said its disclosure of patient names is not a violation of HIPAA. 
That's because the government agency is not covered by the HIPAA law.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;No, not a violation of HIPAA, just a violation of at least one other privacy law, and common sense, common decency, and especially the public's ability to swallow the lame excuse.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3871360327305317949?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3871360327305317949/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=3871360327305317949' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3871360327305317949'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3871360327305317949'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/03/it-wasnt-me.html' title='It Wasn&apos;t Me'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3794141359354015221</id><published>2008-02-12T11:31:00.000-08:00</published><updated>2008-03-10T15:16:11.346-07:00</updated><title type='text'>Secret Love</title><content type='html'>I have been beating this drum for a long time, about how important it is to make every part of your security and compliance plan workable not just for us geeks, but for every user. 
Here is another thought about classifying information that has occurred to me, but I haven't gotten around to writing about. &lt;a href="http://www.computerweekly.com/Articles/2008/01/16/228945/information-classification-schemes-are-overly-complex-says.htm"&gt;Now I don't have to:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Chief information officers need to take a leading role in setting up formal information classification schemes to stop them over-engineering them to comply with security regulations, according to a report from the Information Security Forum (ISF).&lt;br /&gt;&lt;br /&gt;The ISF said that information classification systems were overly complex. "As a result they rarely deliver business benefits and are often simply ignored," it said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Now me and all my geeky friends just love us some multi-layered processes and classification schemes that look like flow-charts of Merovingian Dynasties, but you know, most people don't. Strange as it may seem, most folks just want to do their jobs, and if you make it too difficult for them, they will bypass your marvelous system, or in the case of data classification, underclassify it to avoid hassling with additional layers of crap. 
Make it easier for them to do the right thing, will ya?&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-3794141359354015221?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3794141359354015221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=3794141359354015221' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3794141359354015221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3794141359354015221'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/02/secret-love.html' title='Secret Love'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6982193104113848576</id><published>2008-02-12T10:41:00.000-08:00</published><updated>2008-02-12T10:52:17.260-08:00</updated><title type='text'>Secret Meetings</title><content type='html'>Outsourced Enforcement? We have seen how well outsourcing has worked with things like disaster relief, so why not &lt;a href="http://healthcare.zdnet.com/?p=627"&gt;take a whack at compliance?&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;But I know how much a good PWC auditor costs, and I know how much the average civil service auditor makes. 
I guarantee the latter costs less, unless PWC itself is outsourcing this work to India or someplace.&lt;br /&gt;&lt;br /&gt;And would it be too much to ask for the public, or at least the industry, to get a gander at that contract? On what basis is PWC being paid? What is their incentive? Is it a fixed price per audit, is it hourly, or is it based on the fines they collect?&lt;br /&gt;&lt;br /&gt;The folks at iHealthBeat have another concern. What if PWC has to audit one of its own clients? The government says the company will recuse themselves. Does that mean the audit is then off? Better call PWC, then.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I don't always agree with Dana Blankenhorn, but in this case he is spot on. This raises far too many questions, and simply cannot be cost-efficient.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6982193104113848576?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6982193104113848576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6982193104113848576' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6982193104113848576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6982193104113848576'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/02/secret-meetings.html' title='Secret Meetings'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-2327368961222810926</id><published>2008-01-10T11:49:00.000-08:00</published><updated>2008-01-10T11:52:47.086-08:00</updated><title type='text'>Hot Rod Lincoln</title><content type='html'>&lt;a href="http://www.azcentral.com/news/articles/1226sr-mayo1227ON.html"&gt;Passed along without comment:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Mayo Clinic announced Friday that Hansen was no longer practicing at the clinic but would not say whether he resigned or was fired.&lt;br /&gt;&lt;br /&gt;Hansen acknowledged to Mayo administrators that he snapped the picture of Sean Dubowik's penis, which is tattooed with the words "Hot Rod," Mayo said.&lt;br /&gt;&lt;br /&gt;The picture was taken Dec. 11 when Hansen catheterized Dubowik before gallbladder surgery.&lt;br /&gt;&lt;br /&gt;After Hansen told him of the picture, Dubowik, 37, said he "felt betrayed, violated and disgusted."&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-2327368961222810926?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/2327368961222810926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=2327368961222810926' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2327368961222810926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/2327368961222810926'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/hot-rod-lincoln.html' title='Hot Rod 
Lincoln'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6158752758246669082</id><published>2008-01-10T11:24:00.000-08:00</published><updated>2008-01-10T11:46:34.321-08:00</updated><title type='text'>Every Girl's Crazy 'Bout a Sharp-Dressed Man</title><content type='html'>More Golden Hippo goodness! HIPAA, the only act in the history of the US to cover every public official posterior everywhere!&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The American Civil Liberties Union of Middle Tennessee (ACLU-TN) should soon receive the information it has requested to monitor Metro Nashville Public Schools’ standard school attire policy, according to an attorney with the Metro legal department.&lt;br /&gt;&lt;br /&gt;The information request was received by Metro Nashville Public Schools Oct. 15, and ACLU-TN requested a response within 30 days. Metro legal responded on Thursday of last week. Mary Johnston, the Metro legal department attorney heading up the legal side of the response, said the information should be ready for ACLU-TN by next week.&lt;br /&gt;&lt;br /&gt;“We are now awaiting the [information], so all is fine,” said ACLU-TN Executive Director Hedy Weinberg in an e-mail interview.&lt;br /&gt;&lt;br /&gt;Metro Schools spokesperson Woody McMillin said fulfilling school-related public information requests can be time-consuming, given legal restrictions including the Family Educational Rights and Privacy Act (FERPA) and Health Insurance Portability and Accountability Act (HIPAA) that add time to public information requests.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;So now even dress code compliance records are considered PHI! 
Whatta rule!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6158752758246669082?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6158752758246669082/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6158752758246669082' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6158752758246669082'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6158752758246669082'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/every-girls-crazy-bout-sharp-dressed.html' title='Every Girl&apos;s Crazy &apos;Bout a Sharp-Dressed Man'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7226984230489629828</id><published>2008-01-10T10:48:00.000-08:00</published><updated>2008-01-10T11:18:57.477-08:00</updated><title type='text'>Gone Fishin'</title><content type='html'>While you are carefully guarding the front gates, don't forget you have an enemy who will &lt;a href="http://www.networkworld.com/news/tech/2007/121307-tech-update.html?page=1"&gt;cheerfully come in through the trash chute&lt;/a&gt;:&lt;br /&gt;&lt;blockquote&gt;As long as enterprises rely on ad hoc solutions for disposing of retired IT assets, systems are going to end up in closets and warehouses wasting space until someone decides to get rid of them, often 
in a dumpster. To ensure proper management of old technology, enterprises must work with established IT asset recovery providers that handle the end-to-end process – reverse logistics, software asset inventory analysis and reporting, thorough data destruction, device refurbishment and resale, and finally, recycling. &lt;/blockquote&gt;&lt;br /&gt;We like a bulk erase and five holes through old hard drives. Tapes, paper, and floppies should be shredded. You know the drill :)&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7226984230489629828?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7226984230489629828/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=7226984230489629828' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7226984230489629828'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7226984230489629828'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2008/01/gone-fishin.html' title='Gone Fishin&apos;'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-4600968380796405045</id><published>2007-12-11T15:59:00.000-08:00</published><updated>2007-12-11T16:15:55.204-08:00</updated><title type='text'>Song Sung Blue</title><content type='html'>Why is it almost always someone famous that sparks these 
audits? Remember a short while ago when a number of staff were fired or suspended for peeking at Bill Clinton's records? I know it is human nature to be curious about someone who is famous, but celebrities generally are considered to have given up some of their right to privacy, not earned the right to &lt;a href="http://www.wben.com/news/fullstory.php?newsid=08929"&gt;extra enforcement&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Buffalo, NY (WBEN) - In the wake of extensive publicity over Buffalo Bill Kevin Everett's on-field spinal injury, Kaleida Health has disciplined an employee after investigating possible violation of the federal health care privacy rules, known as HIPAA.&lt;br /&gt;&lt;br /&gt;HIPAA (The Health Insurance Portability and Accountability Act of 1996) includes several privacy regulations that severely restrict who can access patient medical records. &lt;br /&gt;&lt;br /&gt;The routine compliance audit found no violation of the federal rules that regulate access to medical records, but did uncover enough of an issue to have one employee suspended, according to sources.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Good for the hospital, but it shouldn't take a special case to remind folks about compliance.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-4600968380796405045?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/4600968380796405045/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=4600968380796405045' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/4600968380796405045'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/12768719/posts/default/4600968380796405045'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/song-sung-blue.html' title='Song Sung Blue'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7780085957910278085</id><published>2007-12-07T21:48:00.000-08:00</published><updated>2007-12-07T21:52:38.907-08:00</updated><title type='text'>The Boys are Back in Town</title><content type='html'>Some of you may have noticed that I haven't been updating as often as I used to. Well, I've been pretty busy. My wife ran for office, and I also took a little time and wrote this:&lt;br /&gt;&lt;br /&gt;&lt;!-- Begin DEP Buy Now Code --&gt;&lt;br /&gt;&lt;div  align="center"&gt;&lt;br /&gt;&lt;p&gt;&lt;img src="http://www.doubleedgedpublishing.com/Images_Store/Manth_Store_cov_sm.jpg" alt="" width="93" height="150" border="0" border="0"&gt;&lt;br&gt;&lt;br /&gt;$13.99&lt;/p&gt;&lt;br /&gt;&lt;form id="FormName" action="http://www.doubleedgedpublishing.com/storeBuyDirectRemote.php" method="post" name="FormName" enctype="multipart/form-data" target="_blank"&gt;&lt;br /&gt;&lt;input type="hidden" name="item_ID" value='Manth'&gt;&lt;br /&gt;&lt;input type="submit" name="submitButtonName" value='Buy Manthycore'&gt;&lt;br /&gt;&lt;/form&gt;&lt;br /&gt;&lt;/div&gt;&lt;br /&gt;&lt;!-- End DEP Buy Now Code --&gt;&lt;br /&gt;&lt;br /&gt;That's right, I wrote a novel, you can buy it, and it is getting great reviews. Check it out--- it is about a woman in Bronze Age Mesopotamia who takes people out into the desert and feeds them to a monster. It's got blood, sword fights, betrayal, sorcery and death. 
You know, a love story.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-7780085957910278085?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7780085957910278085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=7780085957910278085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7780085957910278085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7780085957910278085'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/boys-are-back-in-town.html' title='The Boys are Back in Town'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6104168467920572118</id><published>2007-12-07T21:41:00.000-08:00</published><updated>2007-12-07T21:47:05.295-08:00</updated><title type='text'>Girl in the Mirror</title><content type='html'>This looks like it could have been written by me--- a sweet little rundown of Golden Hippo contenders for worst misuse of HIPAA, by &lt;a href="http://www.roanoke.com/columnists/flowers/wb/138878"&gt;Shanna Flowers of the Roanoke Times&lt;/a&gt;. 
Her centerpiece is this:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;The latest example is William Byrd High School, where officials this week told an auditorium full of hysterical parents to stand down because there isn't a problem, but golly, if there is, they can't tell you all the facts. Just trust them -- they're doing everything they can.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Kids are sick, but we can't tell you the symptoms, and it isn't serious, but we can't tell you what it is, and it's not contagious, but we can't tell you who it is.&lt;br /&gt;Sheesh!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6104168467920572118?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6104168467920572118/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6104168467920572118' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6104168467920572118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6104168467920572118'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/girl-in-mirror.html' title='Girl in the Mirror'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6066430835069561478</id><published>2007-12-07T21:29:00.000-08:00</published><updated>2007-12-07T21:36:10.395-08:00</updated><title type='text'>Doctor 
My Eyes</title><content type='html'>Workplace Wellness programs are starting to look very attractive to many companies that are faced with impossible rises in the cost of benefits. Implementing a stop-smoking plan, or providing incentives for workers to live healthier, can increase production, reduce sick days, and help to cut the overall healthcare costs of a company. But there are regulatory pitfalls that many don't understand, and find intimidating.&lt;br /&gt;Here is a quick rundown from &lt;a href="http://www.metrocorpcounsel.com/current.php?artType=view&amp;artMonth=November&amp;artYear=2007&amp;EntryNo=7425"&gt;The Metropolitan Corporate Council &lt;/a&gt;on the steps employers need to take before embarking on such a program. &lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Nonetheless, employers contemplating a workplace wellness program are well advised to consider that conditioning a reduction in health care costs on satisfying a health-related goal, such as actual smoking cessation or meeting a certain cholesterol level, may be subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Nondiscrimination Rules and/or federal and state discrimination statutes. In addition, regardless of the structure contemplated, employers should consider requirements for wellness programs that may arise under the HIPAA Privacy Rule (45 C.F.R. 
160,164).&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Yeah, it's a little on the dry side, but the information is well presented and worth knowing.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6066430835069561478?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6066430835069561478/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6066430835069561478' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6066430835069561478'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6066430835069561478'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/12/doctor-my-eyes.html' title='Doctor My Eyes'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-8801750797145388274</id><published>2007-10-30T16:44:00.000-07:00</published><updated>2007-10-30T16:54:51.826-07:00</updated><title type='text'>Call The Ambulance</title><content type='html'>That HIPAA thingy &lt;a href="http://www.dchieftain.com/news/74953-10-17-07.html"&gt;cuts both ways...&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;Jaramillo said he plans to sue the city as an entity, and the mayor and councilors individually on grounds violating the Health Insurance Portability and Accountability Act by divulging unpaid ambulance bills, infringing upon his 
freedom of speech and retaliation for whistleblowing...&lt;br /&gt;&lt;br /&gt;Documentation shows Jaramillo divulged his ambulance bills himself at a council meeting, Bhasker said.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Self-immolation is one thing, but flaming out like this is amazing. I think he had better get a new lawyer, because from the looks of things, his current one is not serving him very well.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-8801750797145388274?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/8801750797145388274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=8801750797145388274' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8801750797145388274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/8801750797145388274'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/call-ambulance.html' title='Call The Ambulance'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-6286156824754799731</id><published>2007-10-30T16:32:00.000-07:00</published><updated>2007-10-30T16:39:47.985-07:00</updated><title type='text'>Stupid Cupid</title><content type='html'>Now here is a classic &lt;a 
href="http://www.northjersey.com/page.php?qstr=eXJpcnk3ZjczN2Y3dnFlZUVFeXk1JmZnYmVsN2Y3dnFlZUVFeXk3MjA1ODgwJnlyaXJ5N2Y3MTdmN3ZxZWVFRXl5Mg=="&gt;hunka hunka burnin' stupid:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;NORTH BERGEN -- More than two dozen Palisades Medical Center employees have been suspended for violating Oscar winner George Clooney's patient privacy rights after a motorcycle accident in Weehawken last month, hospital officials said.&lt;br /&gt;&lt;br /&gt;  &lt;br /&gt;A hospital spokesman would not detail the alleged infractions that led to the monthlong suspensions of 27 workers. But a spokeswoman for the union that represents some of the suspended employees said the violations ranged from workers who accessed Clooney's health records to others who went into his room to shake his hand.&lt;br /&gt;&lt;br /&gt;The suspended workers acted "inappropriately" in accordance with federal patient confidentiality regulations, spokesman Eurice Rojas said.&lt;br /&gt;&lt;br /&gt;"They were suspended for a range of things," Rojas said on Tuesday. "Only direct caregivers should be accessing a patient's file or chart."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;I have no sympathy for front line workers who, at this late date, think that it is okay to ogle someone's health info just because they are famous. 
I would also fire the person responsible for their training.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-6286156824754799731?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/6286156824754799731/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=6286156824754799731' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6286156824754799731'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/6286156824754799731'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/stupid-cupid.html' title='Stupid Cupid'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1873080020619440678</id><published>2007-10-30T16:27:00.000-07:00</published><updated>2007-10-30T16:30:20.085-07:00</updated><title type='text'>Open Season On My Heart</title><content type='html'>It is the HIPAA excuse season, and boy howdy are they &lt;a href="http://www.pressofatlanticcity.com/news/local/atlantic_city/story/7506403p-7404120c.html"&gt;thick on the ground&lt;/a&gt;:&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;ATLANTIC CITY - Federal health law experts said health privacy laws are confusing, but should not keep city officials from revealing where the resort's mayor is.&lt;br /&gt;Mayor Bob Levy's last official duty came last Wednesday, when he 
signed seven ordinances into law. Since then he, and his black city-issued Dodge Durango, have apparently vanished.&lt;br /&gt;&lt;br /&gt;His attorney and city officials have said since Thursday he was in an undisclosed hospital receiving unspecified treatment. In the meantime, Business Administrator Domenic Cappella has served as acting mayor.&lt;br /&gt;&lt;br /&gt;With Levy's absence, the city has been beset by rumors of imminent resignations tied to an ongoing federal investigation into his military record. City Council members have said they believe Levy has abandoned his post and have sought state help replacing him.&lt;br /&gt;&lt;br /&gt;Adding to the problem is that top city officials say they know where he is, but providing more information would run afoul of the 1996 federal Health Insurance Portability and Accountability Act, commonly called HIPAA.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Under Federal investigations? Hide, say you are sick, and claim HIPAA rules prevent anyone from finding out where you are! 
This one has Golden Hippo written all over it!&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1873080020619440678?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1873080020619440678/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=1873080020619440678' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1873080020619440678'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1873080020619440678'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/open-season-on-my-heart.html' title='Open Season On My Heart'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1920428402033577937</id><published>2007-10-30T16:14:00.000-07:00</published><updated>2007-10-30T16:22:59.186-07:00</updated><title type='text'>How We Operate</title><content type='html'>Here is an excellent run-down on setting up secure passwords from fellow CISSP and IT security &lt;a href="http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1274371,00.html"&gt;blogger Joel Dubin:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;At the heart of compliance is access management and authentication. And at the heart of authentication are user IDs and passwords. 
Despite their many weaknesses and the availability of multifactor authentication technologies, the venerable user ID and password combo remains the centerpiece of access to many corporate systems. &lt;br /&gt;Rather than tearing up network plumbing for new-fangled devices, like one-time password (OTP) tokens and smart cards, many companies have opted to strengthen their existing password systems to keep compliant with audit and compliance regulations and standards, including Sarbanes-Oxley, HIPAA, FFIEC and PCI DSS. &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;It doesn't have to be a big deal, and you don't have to spend a ton of money. Just spend a little time in training and reminding users of how it is done.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/12768719-1920428402033577937?l=complywithme.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1920428402033577937/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=1920428402033577937' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1920428402033577937'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1920428402033577937'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/how-we-operate.html' title='How We Operate'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total 
xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-3622451780029596635</id><published>2007-10-30T16:09:00.000-07:00</published><updated>2007-10-30T17:04:05.862-07:00</updated><title type='text'>Take That &amp; Party</title><content type='html'>&lt;a href="http://www.firefightingnews.com/article-US.cfm?articleID=38576"&gt;Damn skippy!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"Attorney General Van Hollen's well-researched legal opinion provides a valuable public service by clearing up confusion and explaining that federal HIPAA law does not enable local and state government officials to keep records secret if they should otherwise be open," Stanley said. &lt;br /&gt;&lt;br /&gt;"In this case, a local fire department had refused to provide information about a public employee who crashed his truck into a sign and was arrested for drunk driving. The taxpayers who pay for his salary, for the truck he was driving and for the auto and liability insurance - as well as the people who live in the neighborhoods he was driving drunk through - deserve to know that information."&lt;/blockquote&gt; &lt;br /&gt;&lt;br /&gt;Like every other abused law, HIPAA has a special place in the heart of public officials who are less than fond of the public spotlight. HIPAA is not a shield law for cronies and incompetence; it is to protect individuals' rights of privacy. 
Take that, public servant!</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/3622451780029596635/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=3622451780029596635' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3622451780029596635'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/3622451780029596635'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/damn-skippy-attorney-general-van.html' title='Take That &amp; Party'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-7625819562353652877</id><published>2007-10-30T15:52:00.000-07:00</published><updated>2007-10-30T16:00:23.781-07:00</updated><title type='text'>They're Red Hot</title><content type='html'>Some days the stupid burns so hotly you can &lt;a href="http://www.billingsgazette.net/articles/2007/09/27/news/wyoming/48-hippa.txt"&gt;warm your attic with it:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;"You can't look at your own records or any family member records unless there is a clinical need to do so," Braccino said. 
"If you are doing so just because they are there and you have a private interest, you are violating HIPAA regulations and patient confidentiality."&lt;br /&gt;&lt;br /&gt;Trustee Shelbie Bershinsky said many of the employees probably looked at their own medical records with harmless intent.&lt;br /&gt;&lt;br /&gt;"I've been in health care 19 years and I, until today, I didn't think there was anything wrong with me looking at my records," she said. "I now know that I shouldn't do that."&lt;br /&gt;&lt;br /&gt;Hospital compliance officer Dean Jessup said HIPAA regulations, including the prohibition against viewing one's own medical records, are posted at each of the hospital's time clocks.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Your medical records are yours. There is no provision in HIPAA preventing you in any way from viewing your own PHI. None. There may very well be a regulation in that facility's HIPAA compliance policy against it, but it is nowhere to be found in the Act itself.</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/7625819562353652877/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=7625819562353652877' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7625819562353652877'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/7625819562353652877'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/theyre-red-hot.html' title='They&apos;re Red 
Hot'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-12768719.post-1206749089982226229</id><published>2007-10-07T18:44:00.000-07:00</published><updated>2007-10-07T18:47:13.922-07:00</updated><title type='text'>Insecurity Alert</title><content type='html'>&lt;a href="http://money.cnn.com/news/newsfeeds/articles/newstex/IBD-0001-19726732.htm"&gt;Headlines like this scare me:&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;These Notebook PCs Aren't A Security Risk&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Nope. Even though they carry no data, there is no such thing. This particular item is a wireless thin client, and though it doesn't carry any data, &lt;em&gt;it connects through wireless networks!&lt;/em&gt; What part of "wireless network" goes with "Aren't a Security Risk"?</content><link rel='replies' type='application/atom+xml' href='http://complywithme.blogspot.com/feeds/1206749089982226229/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=12768719&amp;postID=1206749089982226229' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1206749089982226229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/12768719/posts/default/1206749089982226229'/><link rel='alternate' type='text/html' href='http://complywithme.blogspot.com/2007/10/insecurity-alert.html' title='Insecurity 
Alert'/><author><name>michael</name><uri>http://www.blogger.com/profile/17366470464717231887</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='10315200507684460352'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>