Posted on | March 4, 2010 | No Comments
Behind every rule or regulation that you can imagine, you will find an intent. The intent of speed limits is to reduce deaths and injuries caused by motor vehicle accidents. The intent of HIPAA is to safe guard HI (health information) thereby transforming it into PHI (protected health information). Its one thing to implement HIPAA (and HITECH) to the letter, its another thing to understand what the two combined are actually attempting to accomplish and incorporate that intent into procedures.
Rather than take the risk of a laptop not being encrypted, its a better idea to just have “no laptop” zones. You don’t want employees downloading PHI and walking out the door with it. Even if the laptop is encrypted, your problem lies in ensuring compliance with the other parts of the guidelines. For instance, can you trust that your employee will not have PHI displayed on a screen where the general public might be able to glimpse at and read it? If not, how is HITECH going to be effective since you can’t report a breach that you can’t possibly know about? Yes, allowing a passer by to look through a window at Starbucks and see someone’s information on a laptop screen is just as much of a breach as stealing a copy of the file.
There is no law that says your job has to be convenient. There is a rule that says good security is more often than not extremely inconvenient. This means, dealing with PHI is always going to be inconvenient. The sooner we accept and endorse that simple premise, the sooner you’ll stop reading about these egregious and completely avoidable losses.
Moving beyond just no laptop zones, are your desktops that can access PHI locked down? Do they have working USB ports, bluetooth or other creature comforts? Do you leave the stock DVD/RW drives in them to keep the warranty and re-sale value up to par? Can people access stuff like gmail, yahoo mail, facebook, twitter, or the plethora of other potential pitfalls from the same machine that access confidential information? Are the screens positioned so that only authorized people can view them? Are the cases alarmed if opened?
The other thing that many people forget is that medical records often contain photocopies (front and back, with signature) of credit cards. It could be people paying by credit for elective procedures not covered by their plan, someone satisfying a co-pay, lots of things. It could just be the CC imprint carbon that some merchants need in order to prove that they actually had possession of the card in case the client files a dispute. How often do you think someone would charge liposuction then call the bank to report the charge as fraudulent? More often than you’d think.
This means, you aren’t just dealing with health records, you are also dealing with credit card information. Since any record could contain that kind of information, you must be sure that you treat each PDF as if it does. With this line of thinking, an amazing thing happens. You start to look at the intent of PCI/DSS and realize that implementing the simple monitoring and reporting requirements would satisfy your obligations under HITECH.
It costs so very, very little to develop a good plan, good procedures and implement it without concession to the moaning and groaning of users that want to use Facebook at work. It costs a lot more to offer free credit and identity theft monitoring to 12,000 or more people for a year, due to a brain dead mistake. The way to eschew additional regulations is to show legislators that private industries are already on top of the issues at hand. To date, demonstrating this has been an epic, epic failure.