Domain: hhs.gov
Stories and comments across the archive that link to hhs.gov.
Comments · 387
-
Re:Actually no
I know more about nonhuman studies than clinical, but according to the US HHS (who runs FDA), the breakdown of costs are these:
- $15k/patient for phase I
- $20k/patient for phase 2
- $25k/patient for phases 3 and 4
The cost of the average trial:
- phase 1: $4 million
- phase 2: $13 million
- phase 3: $20 million
- phase 4: $20 million
Some phase 3 trials can be larger and last longer than average, like 20,000 patients over 5 years. Obviously at the average cost of $25k/patient, such a trial would cost $500 million, well over the average. In fact, a long study can greatly increase the per patient cost as well.
Because multiple trials are run in each phase for each drug, these trial costs are multiplied.
The principal cost in any trial is the medical procedures (~25%): drug administration, tests (lab, imaging, biopsy, etc), exams, etc. These are repeated multiple times on each patient during each trial to monitor changes in both efficacy and safety.
Here's a thorough accounting from US HHS:
http://aspe.hhs.gov/report/exa...
These costs are set by FDA regulatory standards and the medical laws of each country where the trial is performed. Of course if you want approval for your drug in another country, you must comply with all their rules as well, often repeating studies using their residents (e.g. Japan).
This 2012 Forbes article by Avik Roy offers further insight on why clinical trial costs are rising:
http://www.forbes.com/sites/ar...
Pharmas must play by these rules, but they don't write them. Lawmakers do that.
-
Re:this attitude is part of the problem
The fact that we don't seem to be looking into how to lower that number is a problem.
The problem is you don't spend 15 seconds on Google before spouting off. A quick search would have found you this page: Goal 1: Develop New and Improved Vaccines. The national vaccine plan says, "Research to improve existing vaccines also provides opportunities to improve on a range of vaccine characteristics such as efficacy, safety, and vaccine delivery."
As a bonus to you, the page lists these recent advances in vaccine technology:
* Advances in scientific understanding of diseases and vaccine responses, especially for pertussis, pneumococcal disease, dengue and hepatitis C.
* New vaccine production techniques and technologies.
Research a little and your posts will be more coherent; your brain will be clearer. -
Sound Like HIPAA Violation to me
Allstate's patent also said the invention has the potential to evaluate drivers' physiological data, including heart rate, blood pressure and electrocardiogram signals, which could be recorded from steering wheel sensors.
... The recorded data may also provide an objective behavioral data collection system for third parties, e.g., health insurance companies, lending institutions, credit-rating companies, product and service marketing companies, potential employers, to evaluate an individual's behavioral characteristics in a real-life and commonly experienced situation, i.e., driving a motor vehicle,
Insurer monitoring your heart rate?
That's a lot of big words, but all I can hear is HIPAA violation!
Protected Health Information.
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."
“Individually identifiable health information” is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).
Summary of the HIPAA Privacy Rule -
Re:RAND PAUL REVOLUTION
Any place I ever worked that had part-time positions (I only ever held one part-time position, it was a second job as a favor for a friend who had more fiberglass work than he could handle on-schedule; beyond that, a second part-time job is a near impossibility as they all only seem to hire if you have open availability, which you can't have if you already have a job), they were 16-24hr/wk and the scheduling was usually closer to 16hr. I held a number of menial service-level and retail jobs before striking my first decent contract, so I have a sizable sample. Not a single past employer of mine routinely gave part-timers more than 16 hours per week. Not one. That, combined with the fact that most positions available outside of the professional world are part time, is my basis for using a 16 hour work week to calculate a livable wage. Sure, you can live on 7.25/hr if you're getting full-time work, that's $15080/yr; I supported my ex making barely $1000/yr over that for nearly a decade, but even if we halve that, nobody is surviving for a year on $7540, I don't care how skilled they are at budgeting. Hell, that's below the poverty level for a single person but, then, even a full-time minimum wage worker qualifies for food stamps. It's not a livable wage if we have to subsidize it.
In most of the country, $12/hr should be livable for a single person at anything over 16 hours, comfortable for those who excel at their part-time work and are granted more hours, and even more comfortable for anyone working full-time. Bay area and NYC excepted, of course. -
What is poverty
They're typically defining "poverty" as less than 1/2 the median income.
Citation needed.
These sources don't define it that way:
http://www.census.gov/hhes/www...
http://www.census.gov/hhes/www...
http://aspe.hhs.gov/poverty/15... -
Re:Don't worry
You assume that not being officially poor means you're doing OK - it doesn't. In fact, a single person can make as little as $11k per year, and a couple as little as $15k without being categorized as poor in the US:
http://aspe.hhs.gov/poverty/14...
That's not the kind of money that could make people think the Republicans might better serve their interests. And for the purpose of this argument (at least), it doesn't matter if poor Americans aren't starving like poor Chinese or Brazilians - they're not making good money:
http://edition.cnn.com/2015/03...
You're obviously doing quite well for yourself though, if you think this is a planning and budgeting problem.
-
Re:HIPAA is healthcare's "classified"
>While HIPAA has good parts and bad parts, one of the things it is routinely used for is to provide "privacy"
>as an excuse for anything a healthcare organization doesn't feel like talking about, in the same way that
>"privileged" or "classified" is used by governments.
Nooooooo no no no no no no no.
You can complain to HHS if a covered entity denies you information about your own records or billing.
With literal million dollar fines being handed out for violations, this is no longer a "thing." It was in the year 2000 when a lot of uncertainty existed. The hospital where the woman worked would get their ass kicked over this, including fines for not having an adequate training program, fines for failing to provide information to the patient, fines for not having an adequate compliance program... HIPAA authorizes disclosures for Treatment, Payment, or health care Operations.
http://www.hhs.gov/ocr/privacy...
Source: am a HIPAA auditor
-
Re:Not that hard to deal with
... 7. The debt collector... are not supposed to see your PHI (Personal Health Information) as this is a HIPAA violation. If they were stupid enough to do this they may owe you even more money. ...
HIPAA covered entities can share your PHI and PII (Personally Identifiable Information) with third parties if they have a legal agreement with those entities to do so, and those third parties agree to follow HIPAA rules. The third party cannot continue the chain to a fourth party, they would have to go back to the 2nd party (the health care provider) to get another agreement for any further dissemination of information.
These are called Business Associates under HIPAA rules. The third parties do not become covered entities.
-
Re:Sanders amazes me
It is less than 3 years of poverty level living for a family of seven.
FTFY.
In order for your original statement to be true, you'd need at least seven people in your household according to the 2015 HHS poverty guidelines. For a single individual, $100,000 is roughly 8.5 years of poverty-level living.
-
HIPAA
would seem that this would be a violation of HIPAA security rules, assuming pharmacies are covered entities, which I think they are. Specifically, covered entities must maintain adequate:
Administrative Safeguards
Security Management Process. As explained in the previous section, a covered entity must identify and analyze potential risks to e-PHI, and it must implement security measures that reduce risks and vulnerabilities to a reasonable and appropriate level.
Technical Safeguards
Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI).
It would seem simply allowing access via a name and birthdate is a violation of the above requirements.
-
You will ignore this...
http://vaers.hhs.gov/data/inde...
So all of the adverse vaccine reactions reported on this official government website (hundreds of thousands) must all be a coincidence, right?
I'm certainly not a "scientist", but I was always taught that mercury (primary adjuvant used in vaccinations for decades) was highly toxic and can cause brain damage. Anyone care to refute that?
-
Re:So HIPAA applies to ...
You're full of shit.
I'm in the legal profession and we just did a hell of a lot of work to silo HIPAA-related documents and exhibits to comply with the "Business Associate" part of this:
-
Re:The industry needs more regulation
Also, in the event of a breach at this juncture, there should be a financial penalty for their negligence.
Fines Remain Rare as Health Data Breaches Multiply
on Tuesday March 03, @04:51AM
from the cost-of-doing-business dept.
tt2024432 writes:
Since October 2009, [US] health care providers and organizations (including third parties that do business with them) have reported more than 1,140 large breaches to the Office for Civil Rights, affecting upward of 41 million people. They’ve also reported more than 120,000 smaller lapses, each affecting fewer than 500 people.
In a string of meetings and press releases, the federal government’s health watchdogs have delivered a stern message: They are cracking down on insurers, hospitals and doctors offices that don’t adequately protect the security and privacy of medical records.
But as breaches of patient records proliferate – just this month, insurer Anthem revealed a hack that exposed information for nearly 80 million people – federal overseers have seldom penalized the health care organizations responsible for safeguarding this data, a ProPublica review shows.
-
Re: Feminism HURTS families
It wasn't the men beating their wives, raping them and so on?
That was never as socially acceptable in this country as the dogma would have you believe. Going back to the 17th century (before there even was a "this country"), the colonies were making laws against wife-beating. I can't find the link now, but there are images of newspaper announcements of men being publicly whipped for doing so.
The people, usually men, abusing their children or stepchildren?
Actually, according to "Child Maltreatment 2012" (US Dept. of Health and Human Services - PDF Warning), the numbers pretty strongly indicate that the opposite is true: among biological parents, mothers are about 2x as likely as fathers to be perpetrators of child abuse, and among non-parents, categories that are separated by gender go to females as well. "Partner of Parent (Male)" does beat "Partner of Parent (Female)", though, at 2.3% vs 0.3%, so if you're limiting the population to just children abused by stepfathers, what you said is not exactly false.
-
Re:Only if they pay for infections this causes
What valid health concerns are those?
Vaccines do carry risk of serious side-effects, and sometimes death.
See HRSA vaccine injury claim stats and Vaccine Adverse Event Reporting System for data.
-
Re:Wow... Just "no".
That may be, but by the very black and white wording of the law itself, the site is acting in a business associate capacity on behalf of health insurance companies.
Despite what is being reported -- "HHS says it isn't covered uhcuz it doesn't wanna be" -- it is, indeed, covered by HIPAA.
I have been quoting section references to you in an earlier reply but it might be better if you read a summary:
http://www.hhs.gov/ocr/privacy...
The problem for the website is that by HHS definitions, it is handling PHI (remember Section 160.103 here) and is acting in a business associate capacity (this is also, coincidentally, covered at Section 160.103) and is therefore covered by HIPAA, period, over and done.
As for what happens when they pull the "well, we don't feel like it" card at HHS, I have no idea.
-
Re:Why?
Suggestion: Everyone go report this as a HIPAA violation.
-
Re:Wow... Just "no".
Suggestion: Everyone go report this as a HIPAA violation.
-
HITECH Act, not HIPAA
"only "covered entities" have to comply with HIPAA privacy regulations and, guess what? The government is not a covered entity."
Hi, HIPAA guy here. This is most assuredly incorrect. Popular misconception though.
Per HHS' own rules, the site operates as a Business Associate and is fully covered by HIPAA.
http://www.hhs.gov/ocr/privacy...
OP was technically correct-- "business associates" were not in scope for HIPAA. Later the Health Information Technology for Economic and Clinical Health (HITECH) Act applied HIPAA protections to "business associates" of covered entities.
Slashdot folks better know the HITECH act as the one that threw money into switching to "electronic" health records.
-
Re:Wow... Just "no".
Anonymizing protected health information (while still retaining value for person-specific marketing purposes) can be difficult (if not impossible). Here's a link to an article that talks about the kind of identifiers that would have to be scrubbed.
http://www.hhs.gov/ocr/privacy...
Scroll down to the table that describes the "safe harbor" method of deidentifying data.
Age is a problem. Additionally, if a person's identity can be as easily determined using other readily accessible information (as the summary seems to say), you also have a problem.
-
Re:Wow... Just "no".
"only "covered entities" have to comply with HIPAA privacy regulations and, guess what? The government is not a covered entity."
Hi, HIPAA guy here. This is most assuredly incorrect. Popular misconception though.
Per HHS' own rules, the site operates as a Business Associate and is fully covered by HIPAA.
-
Re: Why dashcams?
An expungement is not always easy to obtain, as in many states it requires a much higher burden of proof (positive finding of innocence rather than beyond a reasonable doubt, for many states) and it doesn't address the issue created when that video/audio recording reveals the private medical history of a person that doesn't give consent and can't be consented for release unless by the person involved or by someone holding a power of attorney over the subject. Let's try a little thought experiment as an example, even if it is a bit extreme:
911 call comes in for a medical distress call. Caller advises that he and his wife/partner/whatever were having a bit of fun in the bedroom and said partner decided to get a little adventurous, and now that cucumber isn't coming out of a place not normally used for the storage of various fruits and vegetables, pre-digestion, at least. Should that unedited call, telling names, addresses, chief complaint, whatever, be released? The way the Ohio law seems to be written as suggested above*, it would be. Let's carry it a step further (and get back to the release of unedited dash/body cam video), and the first responder on the scene, who happens to be a police officer (pretty common in quite a few areas) walks in on the scene to start rendering aid. Would his body cam need to be available in an unedited form to all who ask? Next step in the chain: victim of said "fruiting"** begins telling the officer/first responder of previous medical history, and how the carrot didn't do this last time*** and how it is starting to irritate his irritable bowel syndrome**** . Now, in the strictest sense, PMI***** is on the tape. Should that be released?
While this is a funny example******, and intended to go off the deep end, remember that laws don't always have room for interpretation on the fly without a court order. Is it acceptable to us, as a society, that we would not make allowances for the mental anguish of a family by releasing un-edited footage of a shooting scene where a small child could see their father in a pool of blood because the store he stopped at on the way home was the scene of an armed robbery gone wrong? How about the pain inflicted to a mother by having to watch the raw video of the police investigating the traffic accident where her teenage son was burned to death in a car being played on every local news channel for the next three days? And finally, is there some furthering of the goals of good governance provided by the release of responder's body cam video of John Q. Public with a cucumber stuck in his bum?
*I have not read the law in Ohio, so this assumption is based 100% on the AC's statement.
**Cucumbers have seeds on the inside, therefore technically a fruit, not intended as a social commentary.
***Yes, it's getting off the wall, but I had steamed veg with lunch, so deal with it.
**** Try saying that phrase 3 times fast without laughing. Go ahead, I'll wait
*****That would be Private Medical Information, as defined in the privacy rule of HIPAA, and in this case, it hasn't been de-identified.
******Unless you happen to have been a victim of this, in which case, my apologies and please allow me to introduce you to the crisper box in the refrigerator. Much better place for vegetables -
Re:Knowledge is the solution
I agree. I'm a big supporter of vaccines but one thing I find annoying is that it's almost impossible to find good numbers for vaccines.
In the United States, the 1952 polio epidemic became the worst outbreak in the nation's history. Of nearly 58,000 cases reported that year 3,145 died and 21,269 were left with mild to disabling paralysis.
Three years later, Dr. Jonas Salk became a national hero when he developed the first safe and effective polio vaccine in 1955 with the support of the March of Dimes. In the two years before the vaccine was widely available, the average number of polio cases in the U.S. was more than 45,000. By 1962, that number had dropped to 910.
Charts. THE EFFECTIVENESS OF IMMUNIZATIONS
Chart 1. Reported cases of H. influenzae type b, United States, 1991 - 1997
Chart 2. Hib meningitis in children less than 5 years old according to the National Bacterial Meningitis Reporting System, 1980 through 1991.
Chart 3. Reported cases of measles, United States, 1960-1997
Chart 4. Reported mumps cases, United States, 1968-1997
Chart 5. Reported pertussis cases, United States, 1922-1997
Chart 6. Reported poliomyelitis cases, United States, 1920-1997
Chart 7. Reported rubella cases, United States, 1966-1997
-
Re:At that rate ...
In other words, almost everyone except YOU!
You have a right to access your health care records. You might find it hard to identify all the providers (that X-ray you got at the hospital might have been "Radiology Services, Inc." rather than "General Hospital, LLC"), you might need to pay them a not-so-small fee to pull and copy the records, and certain psychotherapy notes are excluded, but you do have a right to your medical records.
Your Medical Records
"The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule." -
Re:Redistribution
You're correct, preventative care is covered. But what does that actually mean?
http://www.hhs.gov/healthcare/...
Those are mostly screening services, not treatments. The "preventative care" list for women is a little better, but this is not a lot of care for your money.
-
Re:Easy solution
prove it
What, that scientists lie and falsify data? The NIH alone publishes 1-2 Findings of Scientific Misconduct every month. Retractionwatch has stories every day. The vast majority of scientists are rigorous, honest people who know that their livelihood and career depend on maximum transparency, but there's an awful lot of pressure on grad students who just want a degree without a career, on research staff, and on faculty trying to support their labs. People make mistakes.
-
Re:bass akwards
-
Re:ADA??
Investing capital on taking care of those less fortunate is what leads to a prosperous society for all.
In light of this understanding, it does make me wonder why your country doesn't have a National Health Service favoured by many civilized countries.
Contrast this with:
* http://www.hhs.gov/ where there's a series of questions to help you determine if you qualify for healthcare
:S -
Re:Ethics
That doesn't discuss informed consent, which under Federal law requires that study participants be given specific information about the purpose, risks, procedures, duration, etc. etc. of the research.
-
Re:Ethics
Human subjects research is subject to mandatory informed consent - specific to the study being performed, you can't just have a boilerplate like the Facebook ToS - in almost all jurisdictions. For example, this is the US law Facebook undoubtedly broke:
-
Re:consent
45 CFR 46 http://www.hhs.gov/ohrp/humansubjects/guidance/45cfr46.html In addition, California (presumably they have jurisdiction) has probably the tightest informed consent laws on the books. Facebook is in some deep shit unless they pay off the right feds.
-
Re:consent
There is no such law. In any case, this is the basis for the entire news business.
While it may not be an actual law, there are strict rules about this for any study, like this one, that receives US federal funding.
-
It's called the Common Rule
It's called the Common Rule, although it generally only applies to federally funded research. There is some evidence that this study was in part federally funded. I think there are serious questions about whether a click-through agreement meets the standards of informed consent.
Although the study was approved by an institutional review board, I'm surprised, and the comment from the Princeton editor makes me wonder how well they understood the research design (or how clearly it was explained to them). This would never have gotten past my IRB.
-
How USA differs from Canada
In the United States, my Asperger's diagnosis qualified me for vocational rehabilitation services from the state of Indiana, mostly assistance with job placement and interviews. But I'm not aware of any sort of tax deduction for having an impairment unless the impairment is severe enough to make the person unable to engage in "substantial gainful activity". Unless an individual is blind, the SSA defines SGA as an income close to the current poverty level.
-
Re:Typical
The HHS press release says
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.
So, the physician wasn't completely clueless about computers, though perhaps HHS is being deliberately vague about his exact role.
-
Re: Network, heal thyself
No user should be able to do anything that would lead to this result. This is not the doctor's fault. He may have violated a few policies, but to blame the entire incident on him is a bit ridiculous. This was a failure of their Network/Security team.
I second that notion. You have two issues here: the doctor should not have been able to reconfigure access in this way, and the IT staff should have spotted an unusual flow when the breach was active.
Clearly the [recital 2a] Googlebot and others were spidering patient data for some time, those 6,800 records would account for a lot of traffic. EVEN IF the queries were https encrypted or the URLs contained session hashes instead of data, logs would show web spiders accessing presumably 'internal use only' functions.
It is the responsibility of the senior IT administrator to establish a 'normal' baseline and track data flows at the router level, also set up an automated system which profiles web logs to profile transactions into as narrow a 'normal' definition as possible... and flag unusual patterns. If unusual flow is spotted this responsibility includes direct content sniffing of unencrypted communications.
No real hacker would identify as Googlebot when vacuuming out an internal-use database, for fear of setting off trip wires. If only such trip wires had been in place...
Ask Slashdot: How Do You Tell a Compelling Story About IT Infrastructure?
I hereby submit this one.
-
Re:What all is included?
The HHS has explicitly said private coverage in all of the releases I've seen. That wouldn't include Medicaid.
-
Re:Don't get it
So, are you saying that we lost our Freedom around 1914? I'm very curious, what was happening then? Well, there was the build up to the Great Depression. I'm probably giving you too much credit. You probably just don't know how old our country is.
Federal Income Tax. Evidently, I know your history at least somewhat better than you do.
The Free Market is a lie. It has never existed, and it never will.
That's putting it straight, sure... Completely false, but nicely straightforward, thank you.
Mind you, the CIA and the NSA have been doing this shit for decades now
CIA and NSA are only invading my privacy. It is a serious transgression, to be sure, but they don't care, how I raise my children, what I am paid, what sort of light-bulbs I use (a new excuse for the government to check my bedroom), nor, indeed, where and how I buy my car — just to put this conversation back on topic.
You should read up on what the US did in South America
Stopping the spread of Communism — the deadliest school of thought known to man (even Hitler's peculiar strand of Fascism is but a distant second) — was and remains something to be proud of. Compare Chile, where we succeeded, with Cuba, where we failed... One is Latin America's top economy, the other a crap-hole, which even Michael Moore's brilliant propaganda can't turn into a chicken sandwich.
But we are talking about domestic laws, not foreign policy, so let's stick to that.
If you don't want to help the needy, fund basic education for the betterment of all
I don't want to be forced at gun-point to pay for all those things — and that's exactly, how IRS collects the monies. But, if I must subsidize those poor, would you accept their disenfranchisement? For any recipient of public assistance is to state the Pauper's Oath — and not participate in any poll while receiving such assistance and for, say, three more months after recovering their self-sufficiency?
Why wouldn't you accept that — the unfortunates temporarily down on their luck will not care, while the life-long takers will, at least, lose their say in the affairs of the country. No, it is neither a poll tax nor a property requirement — you can be dirt poor and still vote, as long as you don't ask for public assistance.
Still a no?..
I don't know where you got shelter and telephone service from...
From the government's subsidies for housing projects, fuel assistance, and the telephones — both wired and cellular (affectionately referred to as "Obamaphones"). Evidently, I know more about the country's present than you as well — not just history.
go live in fucking Somalia
(Manners, young man, manners. If you lose your temper, I win.) Why don't you instead go live in fancy North Korea — where laws abound, effective taxes exceed 90% (what is not government-provided is unaffordable) and every one is equally poor?
With my taxes, I buy civilization. I'm going to bike my hippy ass to work tomorrow on publicly funded roads
Is not it terrible, that one still has to pay for the bicycle to e
-
Re:So much for HIPAA...
No threat of punishment == no compliance.
Don't worry, there's no lack of authoritarian punishment built into the system.
But you know, if merely punishing people stopped them from complying with rules we'd be living in paradise. Our punishment-oriented culture serves to gratify the sadism of our rulers, and doesn't really do much to prevent crime. In real life the most effective way to prevent crime is to ensure the availability of rewarding work... and hospital paperwork, I have to tell you, is the opposite of rewarding labor.
-
MOD PARENT BULLSHITE
The problem is, comply with WHAT? Have you ever read the various "standard compliance requirements"?
Yes I have. I've read the entire HIPAA and HITECH acts, including the data transfer standards. It takes weeks just to get through the non-standards documents. Luckily I'm paid to do it.
They're usually worded in a way that leaves holes big enough to move planets through. You'll find a lot of talk about "reasonable" and "adequate" security without any kind of definition whatsoever what these words would mean.
That's not entirely false. There are many references to clarifications that will be provided by the Secretary of HHS (who tends to pass the buck to NIST these days) and also implicit references to industry best practices and explicitly to the "reasonable man" legal standard (which seems to be what you're referring to).
You will NEVER EVER find something that they could be pinned with, like "leave no default passwords" or "no guest accounts" or even "stateful firewall with [[list of features]]". Never. No chance.
Wrong. The only people who can't be "pinned" are the government regulators themselves - the compliance standards, as officially and legally clarified by the Secretary, explicitly reference things like FIPS 140-2 which have exact requirements. Failure to comply with those is punishable. The weasel-wording you've pointed out serves to protect and empower the regulators who are outside of the congressional legislative process, it does nothing to protect non-compliant hospitals, for example.
Of course it's a consultant's dream because no matter what you sell, you're complying. And it's of course no problem for the customer in question to be compliant to rules like that.
It's a consultant's dream alright, for two reasons - one, it's a gold mine because the rules constantly change as the Secretary makes "statements", and two, because people like you are spreading inaccurate information about liability. I can't tell you how many times I've heard fools say that "nobody will prosecute us for this..." setting themselves up for a board-mandated takeover of the IT department by consultants.
-
Re:Simple solution
There is a law, it's called HIPAA. Healthcare organizations are very cognizant of HIPAA and do work to avoid breaches of healthcare data. The Department of Health and Human Services does hand out significant fines for breaches. http://www.hhs.gov/ocr/privacy... Additionally, for large breaches, healthcare organizations are required to notify prominent news media, which arguably has a larger financial impact than the fines themselves.
-
Re:"Not Reproduclibe"
Is this (below) what you are talking about? It doesn't look like they are looking for private medical records but rather the diagnostic codes that wouldn't be personally identifiable in and of themselves. Either that or they are instructing EPA to code the PHI prior to release, which would render it safe to release. (See PHI, and De-identification) The US Congress is the one that makes the rules, and it appears that release of it may be mandated already. The EPA isn't complying. The EPA is making its rules both in secret and based on secrets, and I thought we were against that on Slashdot.
3. Request: That underlying data used to promulgate Clean Air Act rules be made public so the public can independently examine cost/benefit and other issues. That the EPA release a full set of data files for the American Cancer Society Study; the Harvard Six Cities Study; HEI/Krewski et al. 2009; Laden et al. 2006; Lepeule 2012; and Jerrett 2009. This request includes the coding of Personal Health Information (PHI).
Background: Since 1997, Congress has requested the underlying data for particulate matter studies (PM2.5) be made available to Congress and the public. Then-EPA Administrator Carol Browner went back and forth with Members regarding Congressional and public access to the underlying data, citing legitimate scientific inquiry qualifications and confidentiality concerns. In response to the continued reticence by EPA to publicly release data, the Shelby amendment, a rider to the FY1999 Omnibus Appropriations Act (P.L. 105-277), mandated that OMB amend Circular A-110 to require federal agencies to ensure that "all data produced under a [federally funded] award be made available to the public through the procedures established under FOIA."
A March 4, 2013, letter to EPA from Ranking Member Vitter and House Science, Space, and Technology Committee Chairman Lamar Smith requested the underlying data from additional long term cohort studies that rely on updates from the Harvard Six Cities Study and the American Cancer Society Study, including: Krewski et al. (2009); Pope et al. (2002); Pope et al. (2009); Krewski et al. (2000); Laden et al. (2006); and Lepeule et al. (2012). This letter repeated multiple communications from Congress requesting the release of the underlying data which are the basis for nearly all the health and benefit claims from CAA rulemaking in this Administration.
Status: Wholly unresponsive.
-
Re:HIPAA does not apply
The HIPAA defines three categories of "covered entities". They are health care providers, health plans and health care clearinghouses. Because the site is government run it is not classified as a clearinghouse. Some people claim that it wouldn't be defined as a clearinghouse anyway. After reading the relevant section of the law I wasn't so sure, but the question is moot. The project is government run and the contractors enjoy sovereign immunity.
http://www.hhs.gov/ocr/privacy...
The "Health Exchange Security and Transparency Act of 2014" would at least require notification. That bill passed the House with bipartisan support on January 10. I've not seen any reports on how or if the bill is proceeding in the Senate.
-
Re:Uh?
As for me, I'm willing to give you the benefit of the doubt simply because you said "HIPAA" and not "HIPPA". There seem to be several "HIPPA experts" on Slashdot that I've mixed it up with, but for some strange reason, they don't even know the proper acronym for it.
-
HIPAA does not apply
The HHS is a public agency and as such it is not covered by the HIPAA. In any case, considering HHS is tasked with enforcing the HIPAA....
I expect there are other laws that do apply. There are lots of laws governing how federal agencies and their contractors handle sensitive information.
-
No, statistics show they're black murders
FBI statistics, that is. Where offender race could be identified, 5,486 were murders by blacks, 4,729 by whites, and 256 by "other." As blacks make up 13.1% of the population, the inescapable conclusion is that a wildly disproportionate share of U.S. murders are committed by black males. The fact that 72.5% of all black children are born out of wedlock might have something to do with that, which in turn may be due to greater welfare dependency among blacks than whites.
Now go ahead and tell me how my government statistics are racist...
-
Re:This is the problem with religious people.
That's what they are arguing: Those that think contraception is wrong shouldn't have to buy it. As employers, they are being told to pay for something they believe is morally wrong.
It's more attenuated than that. Employers aren't required to pay for birth control. Insurance companies are. The employers aren't buying birth control for anyone. What they're fighting for is the right to affirmatively put barriers in the way of their employees getting access to birth control through basic health insurance. In fact, by providing contraceptive coverage they would actually REDUCE their costs; so what they're trying to do is the opposite of what they claim. They're not trying to avoid purchasing something. They are trying to actively purchase more specifically to prevent their female employees from having convenient access to birth control. The actuarial tables on this are clear. Providing birth control actually makes an individual woman statistically CHEAPER to insure, since she's less likely to become pregnant and thereby incur pregnancy-related costs (both medical costs and costs to her employer, e.g., from missing work, etc.):
Similarly, the PwC actuaries state that after all effects are taken into account, providing contraceptive services is “cost-saving.”
From a review of existing research on HHS's website
-
Re:HIPAA Privacy Rules
VMware's new cloud is signing BAAs (Business Associate Agreements) to ensure HIPAA regulation compliance with its customers.
press release
How HIPPA works