Slashdot Mirror


Striving for HIPAA Compliance?

krisguy asks: "As an Oxygen Transfill Technician for a DME (Durable Medical Equipment - wheelchairs, oxygen, and such) company, my only regulatory problems have been with the FDA. Recently, due to good management of FDA regulations, I was appointed HIPAA security officer for my company. I looked at the 'helpful' compliance manual from our buying group, and realized that I have to try to get over twenty people who have 'limited knowledge of computers' (read: don't want to learn) to begin to use stuff like PGP and ANSI X12 codes, and I have to write, train, and enforce procedure rules. To top this all off, I only have until April 14, 2003 to get most of this fully functional, or the company will be forced to shut down. I am wondering if any Slashdot readers in medical fields are feeling the pain of HIPAA like I am right now, and what ways can I get everyone to comply besides "You don't do it, you don't work here."?" Ask Slashdot last touched on HIPAA issues with this article, which concerned itself with Windows 2000 and HIPAA issues. For those who have already hopped through the rings that represent HIPAA compliance on a general basis, what did you have to ensure was done?

277 comments

  1. Why not try this? by demonlapin · · Score: 5, Informative

    Although it's another side of health care, why not take a look at the AMA's page on HIPAA? Much of the advice is geared toward small practitioners, and as such would be useful in helping you figure out where to start.

    1. Re:Why not try this? by blake182 · · Score: 4, Informative

      In general, it is a difficult problem to say "we need to be HIPAA-compliant". It generally needs to break down to finding all of the points where healthcare information flows outside the organization, and then protecting that information.

      From the standpoint of email, there was a great amount of effort put into this in 2001. Check out this press release which summarizes the effort. Basically, there was a group of email vendors led by the Massachusetts Health Data Consortium (MHDC) that got together and standardized a method of doing server to server encryption of email. This effort is currently an Internet Draft, draft-ramsdell-enc-smime-gateway, and it will actually be moved to the IETF-SMIME working group in time for the next meeting. It is basically a profile of the DOMSEC effort, which is in turn a profile of S/MIME. I participated in this effort on behalf of Tumbleweed, and at the end of it all, the products were all working together, and I am a co-author and editor of the draft.

      The bottom line is that there exist commercially available solutions from multiple vendors which satisfy the HIPAA requirements for secure email, which is most likely a large part of your charge. These products are generally usable in a "gateway" configuration where they can be placed next to an existing mail server to automatically encrypt / decrypt mail according to policy. Further, this effort is being discussed and documented in the IETF so that new implementations can be created.
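The "encrypt / decrypt mail according to policy" step described above is the part an in-house person can reason about without a vendor. The following is an added example (not code from the post, the MHDC effort, or any Tumbleweed product) of the policy decision an outbound gateway makes per recipient domain: internal mail is delivered as-is, mail to a domain we hold a gateway certificate for is handed to the encryptor (S/MIME in the real thing; here just a disposition string), and mail to anyone else is held if the body looks like patient data. The domain names and the crude PHI regexes are assumptions for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed for illustration: our own domain and the partner domains whose
# gateways we hold certificates for. None of these names come from the post.
INTERNAL_DOMAIN = "dme.example"
PARTNER_DOMAINS = {"clinic.example", "lab.example"}

# Crude patient-data indicators. A real gateway would use explicit sender
# tagging or a tuned classifier; these regexes are an assumption for the demo.
PHI_PATTERNS = (
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),               # SSN-shaped number
    re.compile(r"\bMRN\s*[:#]?\s*\d{5,}\b", re.I),       # medical record number
    re.compile(r"\b(?:diagnosis|dx|rx|oxygen\s+order)\b", re.I),
)


def looks_like_phi(text: str) -> bool:
    """True if the text carries anything that smells like patient data."""
    return any(p.search(text) for p in PHI_PATTERNS)


def recipient_domains(msg) -> list:
    """Sorted, lower-cased domain of every To/Cc/Bcc recipient."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    pairs = getaddresses(headers)
    return sorted({addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr})


def text_body(msg) -> str:
    """Concatenate all text/plain parts, decoding any transfer encoding."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def route(raw_message: str) -> dict:
    """Decide, per recipient domain, what the gateway does with the message.

    deliver    - stays inside our own domain, or carries nothing sensitive
    encrypt    - partner runs a compatible gateway: wrap it before sending
    quarantine - no encryption relationship and the body looks like PHI:
                 hold for a human instead of letting it out in clear text
    """
    msg = message_from_string(raw_message)
    phi = looks_like_phi(text_body(msg))
    decisions = {}
    for dom in recipient_domains(msg):
        if dom == INTERNAL_DOMAIN:
            decisions[dom] = "deliver"
        elif dom in PARTNER_DOMAINS:
            decisions[dom] = "encrypt"
        else:
            decisions[dom] = "quarantine" if phi else "deliver"
    return decisions


# Constructed sample message; the names and numbers are made up.
SAMPLE = """\
From: billing@dme.example
To: Nurse <rn@clinic.example>, Somebody <cousin@webmail.example>
Cc: ops@dme.example
Subject: O2 refill
Content-Type: text/plain

Patient MRN 0048213, dx: COPD, SSN 123-45-6789. Refill 2L concentrator.
"""

if __name__ == "__main__":
    for dom, what in route(SAMPLE).items():
        print(f"{dom:20s} {what}")
```

The interesting case is the third branch: the gateway cannot encrypt to a domain it has no relationship with, so the safe failure is to stop the message, not to send it in the clear. Everything else (certificate lookup, the S/MIME wrapping, the inbound decrypt path) is what the gateway products referred to above sell.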

    2. Re:Why not try this? by crusher-1 · · Score: 1

As an R.N. in a level 3 hospital we had to comply with HIPAA regs as well. Regarding information, IIRC any patient/client data is to be locked down: any diagnosis, name, SS#, address, etc., on any piece of documentation. This would include billing statements and product/equipment orders, ad nauseam. Yes, email must be locked down. However, any patient data, repeat any, must be secured. That means that if you're delivering a wheelchair to someone, or O2, any of those forms must be secure both on any system and by the person that handles it.

      The regs given out by HIPAA are vague at best. Essentially a bunch of fat cats in congress got together with a bunch of big wigs in the medical field (i.e. doctors, suppliers, etc) and drafted the guidelines. As is expected in congress, those that put the bill into law wrangled back and forth and came up with a bill not even they can really define.

So, as an admin, your network (sans internal LAN, external anything), record database, billing and orders, accounting, blah blah must be secure.

Regarding employees not wanting to get in on all the joy and fun: they must be told that it's not your idea of fun, but it's a law that, if not met, will cause the company to be shut down until compliance is met. Tell them that translates into a possible layoff if not compliant, and then mortgage, car, and daycare payments become a problem.

    3. Re:Why not try this? by cyways · · Score: 1

      Most of the (smaller) health care providers I've spoken with on this issue are more concerned about communications between providers and patients. Do you expect every possible e-mail service provider to adopt this system? Perhaps you can convince some of the big players like Hotmail or AOL, but I can't see this being adopted by ISPs everywhere.

      While I'd agree that a large chunk of health communications are between providers (e.g., a general practitioner and a medical specialist), in the future more and more patients are going to want to communicate with their doctors via e-mail. Any solution that requires either the patients or their ISPs to install a new messaging protocol won't go far, IMHO.

  2. Misleading... by httpamphibio.us · · Score: 5, Funny

    I thought this was about some new car club for cool people.

    --
    sig.
  3. Don't just tell them... by SaturnTim · · Score: 5, Insightful

    Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

    When it is a matter of compliance, they don't have an option. The sooner they understand it, the better. If management isn't behind you, then ask to be reassigned.

    --ST

    --
    http://www.theMediaBunker.com
    1. Re:Don't just tell them... by FreeLinux · · Score: 3, Insightful

      If management isn't behind you, then get another job. Because, if that is the case with management the company will be shut down in short order. Then everyone will be out of work.

    2. Re:Don't just tell them... by Zeinfeld · · Score: 3, Informative
      Don't just tell them you will fire them, Actually fire a couple. The rest shape up real quick.

      Dilbert's boss posts on Slashdot!

      There is no point in threats when people have no idea what to do. And there is simply no point in trying to solve an enterprise security problem with tools designed by geeks for geeks.

PGP is, as you point out, not an easy concept to explain to an end user. In particular PGP is designed around an ideology of personal security, and not enforcing an enterprise-wide security policy.

First you need someone to write the security policy. 'We don't believe in security' is probably not a starter; it might put off the patients. Fortunately the more complex privacy issues have been punted on - for now; expect them to return in due course. For the time being you need your network security measures and application security. But don't buy into a system unless the vendor is likely to be around in a couple of years to provide privacy management infrastructure as well.

      What you need for messaging security is a PKI that enables the encryption features of Outlook, Lotus Notes, Netscape etc. Given your time constraints it would probably be best to look at an outsourced solution so you don't have to worry about building secure infrastructure or write a CPS or anything stupid. This is also much cheaper up front on capital costs.

The other thing you will need to do is to draw up some sort of survey that describes the circumstances under which you report confidential patient information to outside bodies - under HIPAA that includes external medical practices, labs etc. You will need to make sure that their privacy practices align with the ones you communicate to the patients.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    3. Re:Don't just tell them... by benedict · · Score: 2

      In French they say "pour encourager les autres".

      --
      Ben "You have your mind on computers, it seems."
    4. Re:Don't just tell them... by Scutter · · Score: 2

      What you need for messaging security is a PKI that enables the encryption features of Outlook, Lotus Notes, Netscape etc

      Hmm...Lotus Notes and Novell's Groupwise do this right out of the box, and as a bonus, aren't susceptible to OE viruses....

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    5. Re:Don't just tell them... by Saturn49 · · Score: 1

Also tell them that sending any medical info in unencrypted e-mail is as good as yelling medical info down the block, where anyone in the right place at the right time can listen in. Everyone in the medical industry knows about confidentiality. If they can't keep that same confidentiality in the electronic world, then they need to find a new industry. Whining and bitching because they don't want to learn is not an attitude anyone in the medical industry should be allowed to take, computers or not. It is a fast paced field. Those that linger get left behind.

  4. How can you do this job without authority? by fishbowl · · Score: 3, Insightful

    You need the authority to say "you will follow these procedures, or you will work elsewhere; preferably in another industry."

    Until you have THAT authority, you do not really have the job that you think you have.

    --
    -fb Everything not expressly forbidden is now mandatory.
    1. Re:How can you do this job without authority? by karlm · · Score: 3, Insightful
      Until you have THAT authority, you do not really have the job that you think you have.

      I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    2. Re:How can you do this job without authority? by malfunct · · Score: 1
I am certain that there are a great number of ways that you can set up the system within which these people work correctly so that the guidelines are met with minimal training on the part of the majority of people.

      For instance I think you can implement PGP in many places behind the scenes and manage keys and transactions without necessarily telling anyone. This seems to be a problem where technology is a solution so why can't we give him some technology advice.

      Unfortunately I don't know what is required for the guidelines or I might be able to give some suggestions.

      --

      "You can now flame me, I am full of love,"

    3. Re:How can you do this job without authority? by ESarge · · Score: 4, Insightful

      Apply standard change management advice.
      If you don't know what that is then go get someone to tell you. (Disclosure: I work for a large company that, amongst a lot of things, does change management).

      The project I'm working on has a large change management component and I'm impressed with the sense of the person in charge of it.

      Things to do:
      Get the users together and explain HIPAA to them. Explain why it is important to the public (i.e. why you need good security). Explain the consequences of failure. People will understand if you actually explain the reasoning to them.
Give them chances to ask questions and modify what you do. People are happier to sign on to things if they feel they've got some input into it.

Work on the IT side and get it working pretty well. Create detailed, clear, easy step by step instructions that work. Make sure you've got staff (i.e. you) available to provide quick support when it inevitably doesn't quite work.

      Make sure you've got a high level executive sponsor who understands the political issues and is happy to give you the support you need. (i.e. authority to fire if need be.)

      I would put in place a monitoring process. If a user isn't doing the right thing then grab them and talk to them.
If there's something you can do to fix their problem then do that. There may be technical things you can do that will get them to do it right.
      If they don't shape up once you've done that then you grab your executive sponsor and have a solemn meeting telling them to do things right. (This meeting has an implicit threat of firing behind it so it tends to work). Make a written record of this meeting.
      If all that doesn't work then you start going through the due diligence firing process i.e. written warnings before firing. HR people know how to do this.

    4. Re:How can you do this job without authority? by dillon_rinker · · Score: 3, Insightful

      The stick is the only thing you have. Look at it from the owner's perspective:

      I own a healthcare company. I will lose my livelihood if the people working for me don't adhere to these regulations. Therefore, anyone who refuses to comply CAN NOT work for me. Just like anybody else, I've got a spouse and kids and a house payment. Unlike most other people, I've got 20 other people working for me, all of whom have a spouse and kids and a house payment. I CAN NOT permit some nimrod to jeopardize the business. The reward for complying is a job. There is no punishment for failure to comply; you simply won't work for me.

Carrots are nice for persuading people to do things that are not essential, but in this kind of a situation, a stick is all that exists. If you disagree, I encourage you to find the carrots in the regulations that mandate compliance.

    5. Re:How can you do this job without authority? by juliao · · Score: 3, Insightful
      Until you have THAT authority, you do not really have the job that you think you have.

      I think the author realizes this, but also realizes that "the carrot is better than the stick" when trying to motivate people for long-term results.

      I fully agree. Still, for short-term tangible results, a stick works so much better than waiting for the donkey to get hungry...

    6. Re:How can you do this job without authority? by Herkum01 · · Score: 1

Does not help if you don't have a carrot to motivate people either. If people have no enthusiasm for the job, that is one thing. If they don't get up to speed they are not being productive, which actually hurts others. At that point you would need to fire some people because they need to realize that you are serious and that it needs to get done, that it is not just another job.

    7. Re:How can you do this job without authority? by aquarian · · Score: 2

      That "preferably in another industry" sounds like a threat, which could really get you into trouble.

    8. Re:How can you do this job without authority? by fishbowl · · Score: 3, Insightful

The language universities use regarding cheating
is "...repeat the course, possibly at another institution."

      I was paraphrasing that and applying it here. My intention was not to suggest specific strategies, but to point out that, if one is not in a position to enforce policy, then he is merely in an advisory role. Either his employees are empowered to ignore his suggestions or they are not.

      I have seen workplaces where the security guards have as much authority as I am suggesting for this *regulatory* role (MANDATED by the Federal Government, mind you!). So why not have teeth? Have everyone agree to the policy, have them understand that the consequences for not supporting the company policy will *begin* with firing and could include *prosecution*, get it in writing. Either do that, or else communicate to them that it really isn't all that important, and they can choose to comply or not, with no real consequences either way.

      I understand your message, but, I still say you should approach taking this kind of authority from a position of strength -- one where exceptions are not made, not even for the president or board members. If it were something like air traffic controllers and hard drug use, you'd be able to say "follow this policy or don't work in this industry." What makes this scenario so fundamentally different from that one?

      --
      -fb Everything not expressly forbidden is now mandatory.
    9. Re:How can you do this job without authority? by sbjornda · · Score: 1

      <pedantic>The carrot and the stick are used together, not as opposites. To make a donkey bear you forward you tie a carrot to a stick then sit on the donkey's back. You hold the stick such that it dangles the carrot in front of the donkey, who moves forward to try to eat the carrot, carrying you and the stick & carrot forward. The stick is not used to beat the donkey.</pedantic>

      .nosig

  5. Do these guys care? by Dirtside · · Score: 1, Offtopic

    "HIPAAA"? (It's HIPAA.) "Compiance"? (Try "compliance.") I don't want this to turn into another "stupid editor tricks" rant, but I'm really getting annoyed.

    Do these guys really care? Honestly, this is sad. The /. editors, we know, have wants and desires like any other human. Most of them seem to want open source to win. Do they not realize that taking the tiny amount of effort necessary to proofread and edit the story submissions and titles, would go a significant way toward reducing the perception of /. as a bunch of hyperactive nerds? (No, I don't see us that way, but a lot of non-geeks do.) If the editors really truly do want open source to "win" (whatever that would mean), they could do a lot just by ensuring that the front of the site looks competent, rather than incompetent.

    I'm not claiming they have some kind of journalistic duty here; it's just normal freakin' common sense. If you write like you don't care, people will assume you don't care, and will ignore you. (Not, of course, the /. regulars who don't come here for what the editors have to say, but rather the discussions by the users.)

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
  6. HIPAA by Anonymous Coward · · Score: 1, Troll

Well it's a lot worse than you might think. It's now illegal to send personally identifiable information via electronic means (such as email).

    The net result is, in a government office dealing with MediCare or MediCaid, they can't talk about anything in email if it can be used to identify who a person is.

You can't even get updates on the status of your prescription refill by email legally any more... EVEN IF YOU AUTHORIZE IT!

    1. Re:HIPAA by Anonymous Coward · · Score: 0

Well it's a lot worse than you might think. It's now illegal to send personally identifiable information via electronic means (such as email).

      I've been working with HIPAA for a while now and this is not how I understand it. Can you provide a reference to the section which establishes this rule? AFAIK you can send the information electronically, however it must be secure and you must provide an audit trail that identifies any individual who has accessed the data.

      -just another coward

    2. Re:HIPAA by Anonymous Coward · · Score: 0

      Yes, JAC, you're quite right. Lots of FUD being generated on this issue by folks who like to claim the sky is falling, consultants who will take money in order to hold the sky up for you, etc. Not that it's all sweetness and light - not nearly. But this "you can't get your own info even if you *want* it" stuff is ludicrous. (In fact, it's a HIPAA requirement that you be provided with your own info on request.) I know of a doctor's office that refuses to call out patients' names (even first names) in the waiting room to tell them it's time to come back for their exams. They point and such. Not necessary, folks.

  7. Actual implementation not clear cut. by PIPBoy3000 · · Score: 5, Insightful

I'm a web/database developer in a large healthcare organization, and the phrase "HIPAA compliance" has been thrown around quite a bit lately. Some of this makes quite a bit of sense, like not sending patient information over the Internet via e-mail. Others are much more fuzzy, and seem to do more harm than good.

    For example, only the people who "need to know" should have access to the data. The catch is that I'm somehow supposed to magically determine who needs to know what. Do I get to tell my directors that they can't see something? How much do I really get to question someone else who knows their job better than I?

    Plus there's the catch-22 situations. There's data on which physicians can perform what procedures. I personally think that everyone in our organization should see it, as I don't want any physician performing procedures they're not supposed to. The catch is that not everyone "needs to know", so that increases the chance that the information won't be seen.

    1. Re:Actual implementation not clear cut. by karlm · · Score: 2

Tangential question: anyone know if Postgres supports Kerberos encryption yet, or is it still limited to only using Kerberos for authentication?

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    2. Re:Actual implementation not clear cut. by Anonymous Coward · · Score: 0

      Do I get to tell my directors that they can't see something?

      Yes. And if you are the "security officer", (like poor krisguy), then you are the one who goes to jail if the company violates HIPAA. It is a very deadly position to have unless you have an incredible amount of authority (in essence, no one with less power than a member of a company's board of directors should ever take this position).

    3. Re:Actual implementation not clear cut. by letchhausen · · Score: 1
Man, it gets a lot worse. Due to HIPAA's seeming ties to Oracle and Microsoft, they seem to see security only in Enterprise level solutions, so that anything that gets called a "database" is scary. At the hospital where I work I was creating a reporting tool based on Access that would import data, format it and then dump out a spreadsheet, not storing any data. But when it was seen that I was using Access I got lots of flak that our IS department is going to have to okay it, that there are lots of HIPAA rules concerning the use of Access for storage of patient data. Even though I told them that I wasn't storing data, and when I asked what the difference was with all the data that they all store on their computers using Excel and with what I was doing, I just got 'Homer-eyes' of non-comprehension. "Excel is just used more and therefore is more accepted", was the answer. They kept using the mantra that Access is a database and I couldn't get them to realize that I am not storing data there. It's scary the FUD that HIPAA generates and it gets worse with the technologically inept administrators that freak out over it. Not even realizing that they have tons of data in their emails to one another that is far less secure than what they imagine that I am doing.

      It sucks but that's what happens with these corrupt bureaucratic orgs.....

      --
      Hey, you think your house is cool?
  8. Tell The Truth by Anonymous Coward · · Score: 2, Insightful

From my work with HIPAA compliance, there are two important things to remember. One, there are no HIPAA police out there that will kill you and eat your children if your compliance comes into question. Second, all they really want you to do is tell the truth about the measures you have taken to secure patient or other sensitive data. For example, if you say your data is in a data safe, make sure it is. The problem you will have with lawsuits can only be brought up if you have not truly done what your compliance form says you did.

    1. Re:Tell The Truth by Lucas+Membrane · · Score: 3, Interesting
      That's not all. If you disclose any data, you must be able to comply with requests from the subject to tell the subject what was disclosed when and to whom for up to six years later. This means that if you ship something with a label on it that says "Handle with Care -- Prosthesis", and the UPS people see the label, you should be able to let the patient to whom you shipped know this for up to six years later. Very onerous.

      They haven't yet pronounced whether HIPAA prohibits doctors offices from using sign-in sheets, for example. This is a disclosure to each person signing in who the other patients are. After all, you can see them in the office and might recognize them, so how can it be a violation of 'privacy'? But it's exactly the kind of promiscuous disclosure that this act is supposed to prevent. The law is an ass.
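The two requirements mentioned in this thread, an audit trail naming who accessed the data (the "just another coward" reply above) and a six-year accounting of disclosures on request (the post above), are served by the same record. The following is an added example, not code from any poster, of a hash-chained access/disclosure log: each entry commits to the previous entry's hash, so an edited or deleted line breaks verification from that point on, and the accounting query filters one patient's disclosures inside the look-back window. The entries in build_sample_log are constructed for the demo; the six-year window is computed with 365-day years as a simplification, and the Privacy Rule's exemptions (for example disclosures for treatment, payment and operations) are not encoded, which is why each entry carries a purpose field to filter on.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # hash the first entry chains to


class DisclosureLog:
    """Append-only, hash-chained record of who touched which patient's data.

    Persisting the chain and copying the head hash somewhere the log writer
    cannot reach (a printout, another system) is left out; without that an
    attacker who rewrites the whole file can still recompute a valid chain.
    """

    def __init__(self):
        self.entries = []

    def record(self, when: datetime, actor: str, patient: str, action: str,
               recipient: str = "", purpose: str = "") -> str:
        entry = {
            "ts": when.isoformat(timespec="seconds"),
            "actor": actor,
            "patient": patient,
            "action": action,      # "access" (viewed in-house) or "disclose" (left the org)
            "recipient": recipient,
            "purpose": purpose,
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        """Recompute every hash and every back-link; False on any break."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def accounting(self, patient: str, asked_on: datetime, years: int = 6) -> list:
        """Disclosures of this patient's data within the look-back window, oldest first."""
        cutoff = asked_on - timedelta(days=365 * years)   # simplified year arithmetic
        return [e for e in self.entries
                if e["patient"] == patient
                and e["action"] == "disclose"
                and datetime.fromisoformat(e["ts"]) >= cutoff]


def build_sample_log() -> DisclosureLog:
    """Constructed entries for the demo; no real people, carriers or shipments."""
    log = DisclosureLog()
    log.record(datetime(1996, 3, 2, 9, 0), "dispatch", "P-1001", "disclose",
               "carrier", "shipping label: prosthesis")
    log.record(datetime(2001, 11, 20, 14, 30), "dispatch", "P-1001", "disclose",
               "carrier", "shipping label: O2 concentrator")
    log.record(datetime(2002, 5, 5, 8, 15), "rn-smith", "P-1001", "access",
               "", "refill review")
    log.record(datetime(2002, 6, 1, 10, 0), "billing", "P-2002", "disclose",
               "insurer", "claim")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.accounting("P-1001", datetime(2003, 4, 14)):
        print(e["ts"], e["recipient"], e["purpose"])
```

Asked on 2003-04-14, the 1996 shipment falls outside the window and the in-house "access" row is not a disclosure, so the patient gets one line back. Changing any field of a stored entry makes verify() fail, which is the property you want when the log is the thing you will be asked to produce years later.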

    2. Re:Tell The Truth by Anonymous Coward · · Score: 0

      Actually parts of the act provide for up to ten years per violation in club fed if I remember correctly. Multiple counts could result in some very heavy time. So they might not eat your children but it is not exactly light weight stuff.

  9. HIPAA's goodness by fean · · Score: 5, Interesting

I currently have 3 separate jobs (I'm a college student), and each one is affected by HIPAA in different ways... one is a branch of an insurance company, where I'm sure eventually all of our inter-company emails will have to be encrypted, regardless of content, and we'll be very limited on what we can actually talk about on the phone (I'm in the phone cube all day)

    the second is a hospital, where I work registration and transfers. Completely different setting, as I'm dealing with the patients face-to-face instead of over the phone, but there are lots of restrictions there, from where the monitors can be located (can't have a non-employee looking over your shoulder...) to how long the screen saver is set for (1 minute, and it's password protected, pain in the ass when you have to type that EVERY time you want to touch the computer)

    for the third I work as a programmer for my college, we recently bid on a programming project to develop internet-based training for a very large hospice-based corporation. we'll be designing 20 modules to train volunteers and other very non-technical (i.e. retired, or first time workers) workers how to manage information correctly.

    all of my jobs will be having INTENSIVE seminar type classes on what we need to stop doing so we don't get shut down. every one of them has taken a "do it or lose it" attitude about it because of the very short time frame to work with. There are still HIPAA mandates that are being changed, which means that nobody has even started creating the training, much less the training itself, and the compliance checks...

    1. Re:HIPAA's goodness by GigsVT · · Score: 4, Insightful

      Security's a bitch, get over it.

      Those things are things you should have already been doing. No sensitive email should ever be sent in plain text, nor should any personal information be given out over insecure phone lines.

I'm against vague government mandates, probably more than most people are, but after seeing how even the most basic security is routinely ignored by users, managers, and administrators alike, fuck em. They have no business with my personal medical data if they can't even use good information security practices.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
    2. Re:HIPAA's goodness by gmhowell · · Score: 2

The problem is that the HIPAA guidelines will not lessen the likelihood that someone will pilfer your medical data. Those most likely to want it and get it are researchers and insurance companies (for the latter, I'm thinking life insurance). In both instances, if they want it, they can get it. You've probably already signed forms to that effect. If I have to submit a diagnosis code to get reimbursed by your insurance company, they have the information. It will churn around until it gets to the correct place. All the regs do is require an extra slip of paper here and there.

      Now suppose you are in a messy marriage, and want to find out what that discharge was that your wife complained of. Simple: you give a guy on the cleaning crew a c-note, and you'll have her chart in minutes.

      HIPAA rules are barely one step above security through obscurity.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    3. Re:HIPAA's goodness by Chanc_Gorkon · · Score: 2

Yep! Wish the government would get this way about property records. I get more damn telephone calls from mortgage companies than I ever want to hear. I also get people calling me about replacing my windows, and my house was built in 1998! Lord, I won't need windows for another 20 years!

Educational institutions have had to live with similar things with FERPA, and trying to be honest and get everything hunky dory is a PITA. I imagine that our folks in the Records Area mail stuff back and forth unencrypted as the norm, as if you ask any of our Novell Network Admins about encryption and what kind of encryption is used, they are like "duh, yeah, it's encrypted." Funny thing is I think it's real easy to encrypt e-mail in GroupWise, although I never e-mail mission critical stuff anyway. My favorite is that we are in the middle of implementing a new package system on AIX machines and I have asked time and time again: has anyone sniffed the packets that the client sends out to verify it's secure? Anyone checked out how it gets to the server's command line if you're an admin on it? Anyone sniffed its packets? And all I get is blank stares. Really frustrating. All I can do is be sure my stuff is OK (telnet is disabled as well as standard LPD (I run a product called Easyspooler), and quite possibly ftp will be disabled as well soon). The feeling I get from some of the guys in charge of implementing this thing is they feel that since our stuff is in an isolated VLAN, they can be lax with security, never mind that STUDENTS have access to this VLAN at certain points (the desktops that they use are secured, but it would be nothing to plug another device in, in place of the normal desktop, which then would not be secured). I also recently detected a wireless LAN on campus and noticed it was not running WEP (I know, a basic form of security, but it's at least something...). All I can do is cover my ass and make sure my machines are as secure as I can make them and keep my patches up to date.

      --

      Gorkman

    4. Re:HIPAA's goodness by cide1 · · Score: 2

As far as research, my understanding is that it is fine to freely transmit medical data, as long as all patient identifying information is removed. I work in medical imaging research, and all cases we receive have just an identifying number, with no way to actually link to a patient. Many of the sites that send us data do not understand the strict guidelines, however, and we often find that we are the ones stripping the identifying data. I think the weakest link in HIPAA compliance is that many people simply do not know the requirements, and what I learned was in the trenches, from more knowledgeable people telling me what I can and can not do. If there is a general website that gives the generalities of HIPAA compliance, I think it would help the average worker to understand much better.

      --
      -- the computer doesn't want any beer, no matter how much you think it does. NEVER, EVER feed your computer beer.
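The "just an identifying number, no way to link to a patient" arrangement described in the post above is the part a sending site can script. Below is an added example (not the poster's code, and not any real site's pipeline) of de-identifying one patient record before it leaves: direct identifiers are dropped, the birth date becomes an age with everyone 90 and over pooled into one bucket, other dates keep only the year, the ZIP keeps its first three digits unless the area is small, and the record gets a pseudonymous study ID derived with an HMAC under a key that stays with the sending site, so only that site can re-link a finding back to a patient. The field names, the site key, the SMALL_ZIP3 set and the sample record are all assumptions constructed for the demo; the list of dropped fields is a subset of the identifiers the Safe Harbor method names, not the whole list.

```python
import hashlib
import hmac
from datetime import date

# Fields that must never leave the site (a subset of the Safe Harbor list).
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email", "ssn", "mrn",
                      "account_no", "device_serial", "ip"}

# Assumed: a per-site secret kept by the sending institution and never sent
# with the data. Only the holder of this key can re-link a study ID to an MRN.
SITE_LINK_KEY = b"example-site-relink-key-change-me"

# Assumed: 3-digit ZIP prefixes covering 20,000 or fewer residents, which
# Safe Harbor says must be reported as 000. A real list comes from census data.
SMALL_ZIP3 = {"036", "059", "102"}


def study_id(mrn: str, key: bytes = SITE_LINK_KEY) -> str:
    """Keyed pseudonym: stable for the same patient, not reversible without the key."""
    return "S-" + hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def age_on(dob: date, when: date) -> str:
    """Age in whole years on a given date; 90 and over collapses to one bucket."""
    years = when.year - dob.year - ((when.month, when.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else str(years)


def deidentify(record: dict, as_of: date) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                   # drop outright
        if field == "dob":
            out["age"] = age_on(value, as_of)          # birth date -> age bucket
        elif field.endswith("_date"):
            out[field[:-5] + "_year"] = value.year     # keep only the year
        elif field == "zip":
            zip3 = value[:3]
            out["zip3"] = "000" if zip3 in SMALL_ZIP3 else zip3
        else:
            out[field] = value                         # clinical content passes through
    out["study_id"] = study_id(record["mrn"])
    return out


def is_clean(deidentified: dict) -> bool:
    """Receiving-side check: none of the raw identifier fields survived."""
    return not ((DIRECT_IDENTIFIERS | {"dob", "zip"}) & set(deidentified))


# Constructed sample record; the person and numbers are made up.
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "0048213", "ssn": "123-45-6789",
    "dob": date(1910, 7, 4), "zip": "03601", "phone": "555-0100",
    "study_date": date(2003, 2, 11), "modality": "CT", "finding": "nodule, 6mm",
}

if __name__ == "__main__":
    clean = deidentify(SAMPLE, as_of=date(2003, 4, 14))
    print(clean)
    print("clean:", is_clean(clean))
```

Two things the post's receiving end can do with this: run is_clean over everything that arrives and bounce the case if a raw field slipped through, and note that study_id only protects the link if the key really does stay at the sending site. If the same key is shared with the research group, the "identifying number" is an MRN in disguise.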
    5. Re:HIPAA's goodness by Anonymous Coward · · Score: 0

      >>They have no business with my personal medical data if they can't even use good information security practices.

Good, may you come into the ER and rot while they try and get your prior med history decrypted. Say you are passed out and can't tell them about the fact that you are known to have suffered anaphylactic shock when exposed to nut derivatives. Ultra-safe information will do you a lot of good 6' under.

    6. Re:HIPAA's goodness by Zwack · · Score: 2

      They have no business with my personal medical data if they can't even use good information security practices.

      I'm so happy for you. You are aware that if the HIPAA Regulations are taken at their word then your healthcare organisation can't give out ANY information to anyone that says that you MIGHT have received treatment. So, I hope that you can find the Emergency Room when you need it. We're covering all the signs for the Hospital up in case people see your car outside the building. We don't want them jumping to conclusions. After all they might know that you've been to hospital.

      I won't mention the stealth ambulances, if I did people might realise when we're parked outside your door that you might have a healthcare issue.

      Yes, Security IS a bitch. And you're right that we shouldn't be emailing medical records around in plain text. Oh, Sorry... WE DON'T! Nor do we give out any personal information, whether over insecure phone lines or any other way.

      The problem isn't just that "basic security is routinely ignored" but that the "vague government mandates" are so badly written. HIPAA Stands for Health Insurance Portability and Accountability Act... And is intended to reduce costs and administrative overhead of healthcare by standardizing the electronic transmissions of certain administrative and financial transactions while protecting the security and privacy of healthcare information.

      The privacy legislation covers all medical record and other individual identifiable information maintained or disclosed in any form, whether electronic, paper or orally. (From a summary I found online). Notice the words in bold. This does mean that if your car is recognised in a hospital parking lot then there is a lack of compliance.

      Now, tell me how your healthcare provider is supposed to meet THAT strict a standard...

      Z.

      --
      -- Under/Overrated is meta-moderation, and therefore is Redundant.
    7. Re:HIPAA's goodness by gmhowell · · Score: 2

      If there is a general website that gives the generalities of HIPAA compliance, I think it would help the average worker to understand much better.

      Don't count on the government helping a great deal. There is a profit motive for the public to not understand how it works. That's the reason that the IRS doesn't have to give out accurate information on filling out your taxes.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  10. This sounds like a management problem. by teamhasnoi · · Score: 5, Funny
    Since you work with oxygen, I would suggest making it worth their while by giving those who comply with your procedures a small bottle of the 'good stuff' to suck on at their desk.

    You could accelerate compliance by filling the office full of acrid smoke from a bad power supply, or making Friday 'Nitrous Oxide Day'.

    1. Re:This sounds like a management problem. by karlm · · Score: 1, Offtopic
      Dammit, I've got 5 good moderator points but I just posted here. Someone mod parent up to 5.

      By the way, just for the kiddies out there: breathing pure oxygen slowly harms the lungs (especially at elevated pressures, which is why they use heliox instead of pure oxygen for really deep sea dives), so don't do it unless you need it. Oxygen bars are such a joke. I saw one in the local mall. $15 for 10 minutes of breathing pure oxygen.... Oooooh, and kids, don't do whippits too much.. excessive nitrous use can lead to muscular weakness.

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    2. Re:This sounds like a management problem. by mindstrm · · Score: 1

      Oxygen becomes toxic to humans under pressure.

      Your implied reason for using heliox is totally wrong, however...

      Pure oxygen is NEVER used in diving (rebreathers aside.. that's another story).

      Breathing pure oxygen for a short time is not harmful at all, under normal pressure.

      Heliox is used because it doesn't contain nitrogen.. not to reduce the oxygen %. (Nitrogen is what gives you the bends).

      Again.. pure oxygen is NEVER used in diving; The closest thing you get is enriched air diving, and that has a very limited depth (much less than what you can do on standard compressed air, which is what most recreational divers use). Enriched air is used to stay at shallower depths longer (you can train yourself to breathe slower, due to the higher oxygen count, and stay down longer) and is great for sightseeing on coral reefs and whatnot. You would never use it for deep diving.

      Different gas mixes are used the deeper you go, but all of them have a lower oxygen percentage than standard air; the higher the pressure, the less actual oxygen you want in that air.

      Oxygen bars are not a joke; raising the O2 count in your blood for a short time can have good effects on a fatigued person. It is usually beneficial.

      You don't breathe pure oxygen at normal pressure because it screws with your blood chemistry, and the chemical triggers that tell you it's time for another lungful tend to not fire... meaning you end up forgetting to breathe.

    3. Re:This sounds like a management problem. by DeanPentcheff · · Score: 1

      Off topic as all hell, but now that we're on diving...

      The reason nitrox extends time in shallow-water diving is because one gets less nitrogen in a gas mixture where the fraction of oxygen is increased. It is not because you can "train yourself to breathe slower". That is a very dangerous idea, since it will inevitably lead to at least some breath-holding, which can easily lead to embolism (major injury or death).

      Again: nitrox is used because the larger fraction of oxygen in the gas mixture means a smaller fraction of nitrogen. Since it's nitrogen that causes decompression sickness (bends), less nitrogen in the mix permits longer times at a given depth without decompression.

      Some information is available at http://www.iantd.com

    4. Re:This sounds like a management problem. by pmc · · Score: 1, Offtopic

      Pure oxygen is NEVER used in diving (rebreathers aside.. that's another story).

      Not quite true - some people (mainly deep divers) use 100% O2 for accelerated decompression.

      The closest thing you get is enriched air diving, and that has a very limited depth (much less than what you can do on standard compressed air, which is what most recreational divers use). Enriched air is used to stay at shallower depths longer (you can train yourself to breathe slower, due to the higher oxygen count, and stay down longer) and is great for sightseeing on coral reefs and whatnot

      Close - there are a couple of reasons for using Nitrox:

      1) Reduces risk of decompression sickness
      2) Reduces Nitrogen Narcosis.
      3) Reduces fatigue (could be psychological, but it's definitely true)
      4) Extends no decompression bottom time (the time you spend at your target depth).

      I've certainly not noticed a decrease in air consumption at depth when using nitrox.

      Different gas mixes are used the deeper you go, but all of them have a lower oxygen percentage than standard air; the higher the pressure, the less actual oxygen you want in that air.

      Absolutely not true - while, when you start going to silly depths, you do get what are called hypoxic mixes (less than 21% O2), these are rare. Most Trimix divers use normoxic mixes (21% O2) or hyperoxic mixes. The main reason is that if you are using a hypoxic mix you have more helium and less oxygen, and this gets really expensive. Hypoxic mixes can also make you pass out if you try breathing them in shallow water.

    5. Re:This sounds like a management problem. by Carnivore · · Score: 1

      You don't breathe pure oxygen at normal pressure because it screws with your blood chemistry, and the chemical triggers that tell you it's time for another lungful tend to not fire... meaning you end up forgetting to breathe.

      Actually, the breathing trigger is CO2. There are sensors on the carotid arteries right before the brain. This is why you hyperventilate to hold your breath longer. You supersaturate your system with oxygen _and_ blow off CO2 and other volatile acids. That gives more time for CO2 to collect before the sensors want you to breathe.

    6. Re:This sounds like a management problem. by mindstrm · · Score: 1

      Thanks.
      That makes more sense anyway.

      Regarding deep diving though.. isn't that what I said? Less O2 for deep diving?

      And when you say deep divers use 100% O2 for accelerated decompression.. I assume you mean as part of the ascent...

      I guess my point was that, as you probably know, the common man often thinks divers breathe pure O2.

    7. Re:This sounds like a management problem. by Anonymous Coward · · Score: 0

      It is not nitrogen which gives you the bends - it's the bubbles in which the gas emerges from solutions in blood, liquids and tissues.
      And your body doesn't care about whether it's nitrogen or helium in these bubbles. They block your capillaries and squeeze your nerves and if they're strategic enough, you're bent.

      slovon

    8. Re:This sounds like a management problem. by MaxQuordlepleen · · Score: 1

      There are non-medical uses for nitrogen. In natural gas pipeline installation nitrogen is used to pressure the lines to test for leaks before they are filled with gas. In some large pipelines water is used but in smaller lines especially in urban areas where an excess of water can be a problem, nitrogen is used. Maybe a construction company left them sitting there.

    9. Re:This sounds like a management problem. by pmc · · Score: 1

      Less O2 for deep diving

      Most mixes will be normoxic or hyperoxic. It is only when you go below about 65m that you start dabbling with hypoxic mixes. I've never been this deep and have no intentions of going - these sorts of dives take months of planning, support teams, the whole nine yards [*] and are uncommon. It's barely recreational diving anymore.

      As for the accelerated deco - the trick is to get as little N2 in the gas you are breathing as possible - so the higher O2 the better (=quicker). Most people use 80% as you get a bit more margin on the depth you can go to before O2 toxicity gives you a convulsion (and you therefore die) (80% allows 10m depth, 100% allows only 6m [**]). As you normally decompress at 6m using 100% you have to be very sure of your depth control. The other reason is that it is very hard to get 100% O2 at 200bar anywhere, whereas 160bar is reasonably common (which you top with air to 200bar). Use 100% O2 as part of the ascent and you will die - instant O2 toxicity. There have been several cases of people dying from this by using the wrong bottle.

      And no, your point about the common man went completely over my head - must have been having a slow day: sorry. Absolutely true though - goggles, flippers, and oxygen bottles are all a diver needs.

      [*] actually, you only need all the planning and support if you want to live. Lots of people have forgone these and did the one way trip.

      [**] these depths are the depth where you start playing Russian roulette with O2 toxicity - as you get deeper you stand a bigger chance of getting a hit. The rule of thumb during deco is 1.6 bar you're ok, 2.6 bar you're probably dead, and the chances of you being dead increase between these two marks.

  11. Re:Well excuse me... by Anonymous Coward · · Score: 0

    I don't think the above is a troll posting. I for one see no relation between health care procedures and PGP (computer encryption -- for the clueless); would someone care to explain?

  12. HIPAA compliance by ThoreauHD · · Score: 3, Interesting

    HIPAA is being sorted through at my place of work, which happens to be a hospital. We are basically turning our MS shop into a Citrix shop due to the impossibility of configuring thousands of computers at the user level.

    We use ICA protocol with 128 bit encryption and rotating passwords.. but with all of the applications that one employee has to access, it's becoming a major breaking point remembering all of the passwords.

    The apps can only be accessed via login, and each app has a separate login and password. It's bordering on the ridiculous to get work done for people whose skillsets are RNs or MDs. MDs tend to be more technically adept (aka AOL), but the rest are hapless technoweenies (to quote a cheese movie).

    Things are moving toward http browser based access, and terminal serviced applications. These things come in waves, and HIPAA is accelerating that wave towards TS clients.

    As this is done, I hope to then be in a position to kill off MS clients and servers one by one. We can then concentrate on getting some real work done, rather than worrying about how W2K SP3/WinXP SP1 is a HIPAA violation or if MS will sue us next week 'cause they aren't making their stock margins.

    And after all of this, we will have some work cut out for us(not much)- but it's OUR work. And we get to reap the benefits of our labor. No more Jakob Fugger and his gateway tariff between east/west. If the government can't do it, then I surely can. And so, there you have it.

    1. Re:HIPAA compliance by gmhowell · · Score: 2

      I feel your pain. I work in a clinical environment; I can only imagine the extra amount of shit you hospital guys have to do for this. Right now, I'm trying my damnedest to avoid being appointed HIPAA officer:)

      One of our problems is that many EMR 'solutions' are inextricably tied to an Exchange backend.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  13. no security regs yet by Anonymous Coward · · Score: 0

    They don't even have the final security regs out yet.
    It's a bloated pile of crap that only lawyers love.
    In fact they will be the only ones to make any money off of it.

  14. Re:Bureaucratic filth by Jeremiah+Cornelius · · Score: 5, Informative
    Part of the problem with HIPAA is the earnest attempt to create a standard for Information Security controls, without a requirement for implementation specifics on individual security controls. The aim is admirable - do not specify technologies which could be tied to a vendor, or rendered obsolete within the decade. Also, do not make assumptions about the specific sensitivity of individual data elements in the custody of various regulated entities.

    The unfortunate consequence is that the resulting guidelines are very general, and require a continuous lifecycle process for evaluation, implementation, audit and compliance. The healthcare industry must now involve itself in a regime of regulatory overhead analogous to that of Securities or banking.

    I don't think this is bad, per se. There is no history here for an emergence of industry best practices, etc. Expect it to be messy for a while.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  15. BS7799 and ISO9000/1 by tezza · · Score: 3, Insightful
    I was a developer at a Medical IT firm in London. We went through the process of BS7799 and ISO 9000/1.

    BS7799 is the British Standard for Data Protection. We had to have a paper free desk and shred everything. Despite having a double sided laser printer, all the damn staff still printed single. Everyone is a lot greener back in Australia.

    Anyway, moral from that successful drive is... get in early. Twenty something staff? That's nothing. Push it through now. What came across most was that the accreditations make sure you have 'Systems' in place. New staff come in knowing the system. Old staff, well they're not going to be easy.

    Read Peopleware under the section 'Believers But Questioners' and work towards that. At least then you get to read a darn good book on company time.

  16. "You don't do it, you don't work here" is about it by starseeker · · Score: 2

    That's pretty much the only way on Earth you're going to force people who don't want to learn anything to get up to speed. One way to make the process smoother however, would be to lay out a simple series of steps they need to follow, and write it up into a little instruction sheet for them to refer to until they get the hang of it. It sounds like you'll be writing something like that, but remember simple and clear whenever possible. Golden rules in documentation writing.

    Another point which will help (at least it would help ME in such a position) would be to explain to them in detail why these procedures are a good thing and what bad stuff might happen (besides being shut down) if they aren't followed. People may be less resistant to the changes if they know that said changes aren't just time wasting BS.

    I guess that doesn't really help you if the people really don't want to learn, period. Then it's back to the "or else" stuff. But you can try to make them at least willing to do it by making them part of the "in the know" crowd who understand why these changes are made. You might find some of them will even support the improvements! So I guess I'd say try to change them from unwilling to willing, which lord knows is easier said than done.

    --
    "I object to doing things that computers can do." -- Olin Shivers, lispers.org
  17. Re:Bureaucratic filth by Mr.+Slippery · · Score: 2, Insightful
    Simple -- don't implement it if it hinders you and ignore it, and go on with business as usual.
    ...and wait to get your ass sued into oblivion when the first privacy violation occurs. Brilliant.
    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  18. A Few Things by danielgast · · Score: 5, Informative

    Yes, many of us who are in the industry, or in tangentially related ones, such as myself, are feeling the frustration from HIPAA. Here's the survival guide as I've seen it:

    1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

    2) There are a few companies that provide HIPAA compliance insurance, especially for software products developed to support medical information systems. MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products designed for medical users that might be helpful. (No relation to them other than having heard about their products in a .ppt presentation)

    3) Solve the problem with vendor pressure. No software provider in the industry wants to admit they're not HIPAA compliant, so grill them on it. They know it's a priority and should (hopefully) be releasing software that will accommodate the new rules.

    4) Solve as much of the problem as you can technically. If you're the vendor of the products you use (in house software), redouble your efforts to make as much of the compliance transparent as possible. As you've outlined, most people in the industry do NOT want to deal with the technical aspect of computers, they just use them to get their jobs done. Putting all of the encryption / security management stuff in plain view is only going to make the learning curve more difficult and allow more room for human error (which equates to HIPAA violations and fines for your employer).

    5) (this is very much not to be interpreted as legal advice) Patch the big holes first. If you know you can't meet HIPAA by the deadlines, patch the big problems, and the things that will be obvious violations and noticeable by people inside and outside the company. There are zillions of possible violations, but if you show due diligence any fines you do receive will hopefully be tempered by the fact that you've done as much as possible to accommodate the law.

    -Dan

    1. Re:A Few Things by LinuxWoman · · Score: 3, Informative

      Dan made some very good points. File extensions where possible; that shows you're at least aware that you still have issues but have plans in the works to fix them. Start with the larger problems (and the ones you CAN fix) and get those holes patched. Plan on doing a lot of user training; the less technically savvy are often convinced proper security makes computer use insanely difficult. Inform the users that if they don't follow security procedures you'll fire them because you can't afford to have the company shut down. Finally, keep copies to document EVERY single step you take in trying to reach compliance. If you can document that, in most govt. audit situations you'll get a warning and a date for a re-audit. If, for some reason, you DO get fined it'll certainly lessen the fine - from the insane level of "you're stupid so you must have lots of money" down to "you've tried so here's a light slap on the wrist." Good luck.

    2. Re:A Few Things by koreth · · Score: 2
      MD Online, LLC (no web site but phone at: 703-450-0331) has VPN security products

      Yeah, like I'm gonna trust my network security to a company that isn't even on the net.

    3. Re:A Few Things by Anonymous Coward · · Score: 0

      There is no extension for the April 2003 date. The extension was for the standardized transactions rule, not the patient privacy rule.

      Also, it is a patient privacy rule. Provider information, such as specialties, can be shared without any problems.

    4. Re:A Few Things by Anonymous Coward · · Score: 0

      Yes well, I bet their servers are rather secure from internet attacks ;-)

    5. Re:A Few Things by Lucas+Membrane · · Score: 2

      That's a good way to keep MS from automatically updating your software without telling you.

    6. Re:A Few Things by gmhowell · · Score: 2

      Any names for ins. cos. that provide HIPAA compliance insurance? Might want to run it by our broker.

      I haven't looked into it, but I suspect that vendors who receive HIPAA compliance certs. (or claim compliance) are much like NT being a C2 operating system: it is, but only if you disable functionality to the point of uselessness.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    7. Re:A Few Things by gmhowell · · Score: 3, Interesting

      Not sure of the details (luckily, others are handling them:) but the April deadline is firm for some things. Luckily, 100% of those who ask for extensions are getting them. 100%.

      Our current plan is monthly training sessions from here on out. The idea is for everyone in the company to know as much as possible.

      Have seen others recommend immediate firing (for cause!) and will probably take up that discussion at my workplace.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    8. Re:A Few Things by abcess · · Score: 1

      Working for an insurance company, I'd have to say the first two items are quite important. However, there is a lot of misinformation regarding how HIPAA relates to electronically stored data.

      First off, file an extension ASAP. We've done so and been given until October 2003 to comply with the currently completed rules.

      An important thing to note is that the HIPAA rules are NOT all completed. Most notably the rules regarding data security as relates to data stored and transmitted electronically. This means that there is currently NO DEADLINE for you to electronically secure your data. Additionally, when these rules are completed, there will be a 2 year period during which to become compliant, extensions notwithstanding.

      Most of the current rules deal with procedural issues and security of information held on paper. Computers can ease some of these issues, but they can also get in the way of timely compliance.

      The bottom line? Deal with the regulations that you are faced with, not the ones that aren't there yet.

    9. Re:A Few Things by Anonymous Coward · · Score: 0

      Actually they ARE on the Internet. They simply don't have a website. Since when are websites a mandatory business practice?

      You shouldn't trust your bank either since they are not selling on ebay.

    10. Re:A Few Things by Anonymous Coward · · Score: 0
      1) File for any and all extensions you can. A lot of this policy is BS and will probably get softened, but filing for extensions is probably the easiest way to stick it back to the man, at least for a little while.

      First off, it's too late to file for an extension, since that deadline passed on Oct. 15. But that was just for the Transactions and Codesets part of the regulation (basically requiring billing stuff to be sent back and forth in the same format.) There's no extension available for the Privacy regulation. The Security regulation has yet to be released, so most of the technical stuff like encryption won't need to be done for two years after that.

      And if you're in a "tangentially related" industry (software vendor, etc.) HIPAA doesn't apply to you directly. You only have to comply with HIPAA if you conduct one or more of the designated electronic transactions, which you wouldn't do unless you're an insurance company or a healthcare provider. Instead, you're more likely to be a Business Associate of a covered entity, in which case the actions you need to take will be dictated by the Business Associate Contract between you and the covered entity.
    11. Re:A Few Things by grandrollerz · · Score: 1

      the extension deadline for CMS has passed. it was oct 15.

      http://ugsmedicare.com/HotTopics/2002/100202HIPAADeadline.htm

  19. "You don't do it, you don't work here." by Anonymous Coward · · Score: 0

    I work in regulatory here, and I agree with the statement above.

    Keep in mind, HIPAA is here to protect. Anyone who says that it should be removed is begging for Enron-esque games otherwise.

  20. Re:Well excuse me... by Anonymous Coward · · Score: 0

    I don't know how to explain, but possibly PGP might be something to do with the person's security health? I mean if you want to be secure healthwise in terms of a digital measure, for example; if you want to be aware and repel computer generated viri, then this could be a health issue to your computer which in turn could be directly related to your job performance and health issues such as RSI and so on. Overall I just feel that that is the case.

    --

    John Murdock II
    IAAL (intellectual/property rights and international consignments and overall geek )

  21. from the forcibly-changing-the-way-you-work dept. by teamhasnoi · · Score: 2

    hehe - the irony.

  22. the truth by Anonymous Coward · · Score: 0

    Why not tell them the truth? All you have to do is explain the situation. Haven't you thought of this? Let me form a basic blueprint for your speech...
    "Folks, we have some new regulations that are industry wide, that if we do not comply with these regulations, the company gets shut down. Everyone must do their part." As far as training goes, you will have to conduct classes. PGP is relatively simple to use once you give the proper training. As a security officer, it is your duty to verify compliance, which will require regular security audits. I suggest you provide classes on the PGP, give them a book on codes, explain the rules, and have a few security audits before the 'go live' date. You have plenty of time.

  23. argh by Transcendent · · Score: 2

    I work for a medical billing software vendor.... the worst part about HIPAA is listening to our clients call in and ask and complain about when we're gonna be HIPAA compliant. We had to basically fill out over 200 HIPAA extension forms for them because we knew they wouldn't know what to do... ...but it's not that bad for software vendors right now. All we have to do (because all the changes of HIPAA aren't even set yet.... they don't have their act together) is change some code for the electronic transmission...

  24. Re:HIPAAA Compliance? by American+AC+in+Paris · · Score: 0, Offtopic
    Tsk. There you go again, using the Editor Stick. I thought y'all had outgrown that.

    It's really quite undignified of you.

    --

    Obliteracy: Words with explosions

  25. Re:Bureaucratic filth by fanatic · · Score: 4, Insightful

    It's nothing but more government interference in private business that chains capitalism

    Fine - let's have EVERY bit of your medical history made public please, and given to every insurer, loan company or employer to whom you apply.

    That's a great idea.

    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  26. In the software end of things by cr@ckwhore · · Score: 3, Insightful

    I work for a company with 2 medical practice management software packages. These packages each sell for big bucks... a single installation can be $100,000, with annual fees on top of that.

    HIPAA isn't new news. We've known about HIPAA for a long time, and only now, as the deadline stares us in the face, are we beginning to make our software HIPAA compliant.

    This late action comes from a long stem of procrastination. Updating expensive software to be HIPAA compliant is a time consuming task... from the standpoint of a software manager (an incompetent one), why make the software HIPAA compliant today, when today could be used to implement a new requested feature?

    After pushing off HIPAA compliancy day after day after day, we're now finally getting around to implementing the mandated changes. This isn't easy for other people in the healthcare industry, namely people working at the practices that need to teach HIPAA to billing clerks.

    The delays of software authors cause delays at the practice, which causes healthcare costs to rise.

    Don't thank me, thank my managers. Only a few days ago I enlightened my Technical Operations Manager that "HIPAA" isn't spelled "HIPPA". I guess he didn't get the memo yet.

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:In the software end of things by OnsightFlash · · Score: 1

      the whole thing is designed to take more money out of the health care system. i am a solo practitioner and have a unix system that works just fine but i'm getting pooched by this thing. i really don't have the money for this, but i have to re-vamp my stuff. bad situation.

      i think that in my office ( there are only 3 employees) we can fly under radar for a long time. we plan to procrastinate as long as possible.

  27. Checklist by GMontag · · Score: 0, Offtopic

    1. Get a CUSTOM form written by a sleazy lawyer absolving you of all responsibility and have a Principal of the firm sign it.

    2. Get a raise, in writing, for the new monumental duties.

    3. ???

    4. PROFIT!!!!

  28. Move what you can to the server.. by jcurious · · Score: 2, Interesting

    If possible handle encryption at the mail server... there are S/MIME based email encryption servers that will handle encryption/decryption... if this is not satisfactory then at a minimum put up an email policy server that will verify that any email going out is encrypted... if the users aren't willing to encrypt their messages, then don't let them email... below are examples of email encryption and policy enforcement servers (btw I believe Tumbleweed can do policy enforcement as well)

    Email encryption server:
    http://www.tumbleweed.com/en/products/solutions/mail.html

    Policy enforcement server:
    http://www.ciphertrust.com/ironmail/index.htm
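
    The "verify that any email going out is encrypted" check from the post above, as an added example written for this thread (it is not code from the post, nor from Tumbleweed, CipherTrust or any other product). It uses only the Python standard library to classify an outbound RFC 5322 message as S/MIME enveloped data, PGP/MIME, inline PGP or cleartext, and returns a RELAY/HOLD decision a relay could act on; signed-only S/MIME is deliberately reported as not encrypted, because a signature gives integrity, not confidentiality. The addresses and message bodies are constructed sample data and the S/MIME and PGP payloads are truncated placeholders, not real ciphertext.

```python
"""Outbound mail policy check: relay only mail that is already encrypted.

Added example for this thread (not code from the post or any vendor product).
Standard library only; sample messages below are constructed for the demo.
"""
from email import message_from_bytes, policy

PGP_ARMOR_HEADER = "-----BEGIN PGP MESSAGE-----"


def is_encrypted(raw: bytes) -> tuple[bool, str]:
    """Return (encrypted?, reason) for one raw RFC 5322 message.

    Recognised encrypted forms:
      * S/MIME enveloped data (RFC 8551): application/pkcs7-mime with
        smime-type=enveloped-data (legacy x-pkcs7-mime subtype accepted too).
      * PGP/MIME (RFC 3156): multipart/encrypted; protocol=application/pgp-encrypted.
      * Inline PGP: a text/plain body that starts with the ASCII-armor header.
    A signed-only S/MIME message is NOT confidentiality and is reported as such.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()

    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = str(msg.get_param("smime-type", "") or "").lower()
        if smime_type == "enveloped-data":
            return True, "S/MIME enveloped-data"
        return False, f"S/MIME smime-type={smime_type or 'unspecified'} (not enveloped)"

    if ctype == "multipart/encrypted":
        proto = str(msg.get_param("protocol", "") or "").lower()
        if proto == "application/pgp-encrypted":
            return True, "PGP/MIME"
        return False, f"multipart/encrypted with unrecognised protocol {proto!r}"

    if ctype == "text/plain" and msg.get_content().lstrip().startswith(PGP_ARMOR_HEADER):
        return True, "inline PGP"

    return False, f"cleartext ({ctype})"


def policy_decision(raw: bytes) -> str:
    """RELAY encrypted mail; HOLD everything else for the sender to fix."""
    encrypted, _reason = is_encrypted(raw)
    return "RELAY" if encrypted else "HOLD"


def audit(messages: dict[str, bytes]) -> dict[str, str]:
    """Run the policy over a batch of named messages; returns name -> decision."""
    return {name: policy_decision(raw) for name, raw in messages.items()}


# --- Constructed samples (hypothetical addresses; payloads are placeholders) ---
_HDRS = b"From: billing@dme.example\nTo: claims@payer.example\nSubject: Claim 12345\n"

SAMPLE_PLAINTEXT = _HDRS + b"""Content-Type: text/plain; charset=us-ascii

Patient name, DOB and diagnosis codes in the clear.
"""

SAMPLE_SMIME_ENVELOPED = _HDRS + b"""Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEAAA==
"""

SAMPLE_SMIME_SIGNED_ONLY = _HDRS + b"""Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHAqCAMIACAQExAAA=
"""

SAMPLE_PGP_MIME = _HDRS + b"""Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="pgpb"

--pgpb
Content-Type: application/pgp-encrypted

Version: 1

--pgpb
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDER
-----END PGP MESSAGE-----

--pgpb--
"""

SAMPLE_INLINE_PGP = _HDRS + b"""Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDER
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    batch = {"plain": SAMPLE_PLAINTEXT, "smime": SAMPLE_SMIME_ENVELOPED,
             "signed-only": SAMPLE_SMIME_SIGNED_ONLY, "pgp-mime": SAMPLE_PGP_MIME,
             "inline-pgp": SAMPLE_INLINE_PGP}
    for name, raw in batch.items():
        print(f"{name:12s} {policy_decision(raw):5s} {is_encrypted(raw)[1]}")
```

    A check like this belongs on the relay (a milter or content filter on the outbound MTA), where the user cannot bypass it; HOLD should bounce or quarantine with a message that tells the sender how to resend encrypted, and the decision should be logged so the security officer can show an auditor how often cleartext was stopped. It only inspects the MIME structure, so it proves a message was wrapped, not that the recipient's certificate or key was the right one.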

    1. Re:Move what you can to the server.. by karlm · · Score: 2
      Repeat after me: "All networks are hostile by nature."

      One misconfigured laptop with a wireless card attached to your wired network and suddenly you've got a wireless network! People steal data and blackmail companies with it all the time. The HIPAA may make this thing more lucrative for the thieves. The blackmail is usually of the form "pay me a consultant fee and I'll tell you how I did it. I won't fix anything, just tell you what I found wrong."

      --
      Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    2. Re:Move what you can to the server.. by Anonymous Coward · · Score: 0

      ZixMail (www.zixcorp.com) will handle policy based email encryption AND has the ability to send it encrypted straight from the user's desktop. In fact the emails can be kept in an encrypted format in the mail folders if desired so physical access won't compromise the information.

    3. Re:Move what you can to the server.. by Anonymous Coward · · Score: 0

      HIPAA also has requirements for user-level security which implies things like idle timeouts and individual passwords. Having unencrypted and open email within the LAN is not acceptable...particularly with WiFi devices becoming popular for medical applications. You need user identification, so also use it for LAN encryption.

  29. Or from what i am seeing....Don't comply.... by Anonymous Coward · · Score: 1, Funny

    I have done some work with a few companies regarding becoming compliant. They pretty much across the board have decided not to do so. I find it pretty amusing.

  30. Re:Well excuse me... by Anonymous Coward · · Score: 0

    PGP is a health issue as defined by the FDA. Please check all your TLA before making any more innocent posts that might be seen as a troll posting by overly trigger-happy moderators.

    Bonjour.

  31. Good email encryption tool by Anonymous Coward · · Score: 0

    A good email encryption tool for users who aren't too computer savvy can be found at www.zixit.com.

    It is pay ($) software but free stuff is usually too hard for a general user to comprehend.

  32. Re:Well excuse me... by Anonymous Coward · · Score: 0

    Yes, definitely; in fact, I've seen two such cases in the past; one a seemingly harmless suit against Network Associates, and another against a popular pop-up advertisement corporation (I would like those guys bitten rather than the NetAssociate guys), anyway these things are very common in the industry and much more common in the entertainment and retail industry than our industry.

    --
    John Murdock II
    IAAL (intellectual/property rights and international consignments and overall geek )

  33. Get to know your lawyer now by gcrocker · · Score: 1

    Go ahead and start setting up meetings with your company's HIPAA attorney. They're getting VERY busy, and if you don't already have a lawyer that knows HIPAA, getting one should be your top priority. They can help you with extensions, prioritizing what to get fixed first, etc.

    If you "don't have budget" for HIPAA attorney time, or if you don't have authority to make decisions and force them on the company, just work on your resume and start looking for a new job. No point sticking around for the fireworks.

    Dealing with your end users not wanting to learn new stuff is a whole separate problem, and honestly, you probably don't have time to even worry about it. Consider a good-cop/bad-cop approach and have one person in charge of training (good cop) and another in charge of deployment (bad cop). This may help minimize turnover of angry employees. The good cop and the bad cop must share a brain for this to work.

    -glenn

    1. Re:Get to know your lawyer now by eam · · Score: 1

      > If you "don't have budget" for HIPAA attorney
      > time, or if you don't have authority to make
      > decisions and force them on the company, just
      > work on your resume and start looking for a new
      > job. No point sticking around for the
      > fireworks.

      That's what I wanted my wife to do, but she owns the practice.

  34. hipaa schmipaa by Anonymous Coward · · Score: 5, Interesting

    It breaks down like this: the regs have been so loosened as to be almost ineffectual.

    You (as an individual and as an institution) only get jail time and big time fines if you get a provable financial gain from violating hipaa regs, i.e. you sell a bunch of kidney transplant patient info to a dialysis machine company, and someone can produce records to prove this happened.

    Ignorance or other non-compliance (if reported) only gets the institution (not you as a worker) fined $1000 per incident max, and the total fines can only be up to $25,000 a year. So in many cases it's cheaper to be non-hipaa compliant than it is to upgrade everything to be hipaa compliant.

    Then there's the extension you can file to get another 6 months on your deadline to be hipaa compliant. If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.

    Don't worry kids. HIPAA, much like 911, is a joke.

    1. Re:hipaa schmipaa by Anonymous Coward · · Score: 0

      You obviously have no idea the first thing about HIPAA. Go find a different thread to open your mouth in.

    2. Re:hipaa schmipaa by asavage · · Score: 1
      If you file that you get until October 2002 or something like that. There will probably be more options to file extensions for even later than that if October is too soon for you.

      Too bad October 2002 is almost over. You mean October 2003.

    3. Re:hipaa schmipaa by krisguy · · Score: 1

      The extension is only for the electronic transfer of patient info to CMS. Everything else related to privacy needs to be in effect by April 14, 2003.

      --
      I'm a hamker. Hams, hackers, same ethos, different medium. == 73 de KB0STG
  35. You think you have problems? by /dev/trash · · Score: 1

    Wait till the companies that use Medical Software find out that Joe Tech Support can't dial in and fix the latest (minimum wage data-entry clerk's) goof up. They'll have to *gasp* do it themselves. Of course they'll blame Joe Tech Support.

  36. 1996 by Charlton+Heston · · Score: 0, Insightful

    The act was passed in 1996. And just now you are getting around to complying with it. Seems like you have advance notice, so there's no excuse.

    Don't bother firing anyone who doesn't comply. It's too late to comply, and too late to save your sorry company.

    Go ahead and mod me down, but someone has to have the balls to speak the truth.

    --
    Get your stinking paws off me you damn dirty ape
    1. Re:1996 by Anonymous Coward · · Score: 1, Insightful

      Yoh, big mouth. The act passed in 1996 merely instructed the bureaucrats to make up 2 sets of regulations. Within a couple of years they got the portability reg finished. But the first draft of the privacy reg wasn't published until 2000-12-28; they were last modified on 2002-08-14, and the revised final text incorporating the modifications was published on 2002-10-10.

      So software vendors have had somewhat less time to prepare than the 7 years you imply. Granted, we've all known for some time some of the general issues to be addressed. But it wasn't until early 2001 that anybody got a peek of actual proposed regulations, and not until late 2002 that anybody knew what the real regulations would be.

  37. The likeliest outcome by SPiKe · · Score: 2, Insightful

    It's been said before, but ...

    In the end, the timetable set for HIPAA compliance will be pushed back further and further.

    Some of the stuff they're asking for is just unreasonable. I don't remember a lot of it, but I'm just glad to be out of the world of health care.

  38. Procrastinator by Anonymous Coward · · Score: 0

    You realize that you've had 8 months to think about this. Why are all these idiots waiting till the last minute?

  39. "a Oxygen Transfill Technician" ??? by Anonymous Coward · · Score: 0

    "As a Oxygen Transfill Technician"

    I suppose you don't have to be familiar with the word "AN" to be AN Oxygen fucking whatever technician, you dumb fuck.

  40. Slashdot not HIPAA compliant... by Anonymous Coward · · Score: 0

    I doubt you could be HIPAA compliant if you spell it HIP + Automobile Association of America.

    1. Re:Slashdot not HIPAA compliant... by SEWilco · · Score: 1
      "I doubt you could be HIPAA compliant if you spell it HIP + Automobile Association of America."

      I've fallen down and I can't get a tow truck!

  41. Don't Panic!!! HIPAAA is BS by Llama+Keeper · · Score: 2

    I too am in charge of tons of HIPAAA stuff for my company. I've been to some seminars and such and have even read the PROPOSED regulations. My best advice, don't file an extension, don't panic, don't worry. HIPAAA is a typical unfunded mandate. Ask yourself who is going to enforce this? (Answer: NOBODY) Are the regulations even 100% absolute yet? (Answer: Hell No)

    Don't sweat this stuff, get a template package or a nifty little book, (e-mail me for my recs, I'm not going to post advertisements for the "consultants") and don't panic! If you use industry standard best practices you should be pretty darn close to compliant anyway, if you don't use best practices, well maybe it's time to panic. :)

    --
    Rule of Life Number 2: Remember, it can all go to hell at any minute. --Jimmy Buffet
  42. For Christ's sake by abe+ferlman · · Score: 4, Insightful

    I love Slashdot, I read and post here all the time. I am also a database programmer who works in a research hospital. I would love to show some of my co-workers this article and some of the comments in it to get them thinking about HIPAA and free software.

    But when the editors spell the regulations "HIPAAA" in big white letters at the top of the article, I can't share this with anyone who I want to respect me.

    C'mon Cliff, and whoever (if anyone) is checking your work. It's not HIPPA, HIPPO, HIPAAA, HIPSTER or HIPAAPATAMAS. It's HIPAA, as krisguy manages to note 5 times in his writeup.

    Hopefully the headline will be changed soon and this comment will eventually be modded away as offtopic, but basic spelling, grammar and usage are important to the community that makes your website worth reading.

    ps- I'm sure someone will point out that the average slashdot post is worse than the Slashdot editorial crew, but to that I can only say that they will be equally culpable when they are paid for posting.

    --
    microsoftword.mp3 - it doesn't care that they're not words...
    1. Re:For Christ's sake by Anonymous Coward · · Score: 0

      note: it says HIPAAA compiance

    2. Re:For Christ's sake by Chris+Colohan · · Score: 1

      He also says "what did you have to insure was done?". Do you really think he was asking about insurance issues?

      Slashdot. News for the terminally stupid. I think slashdot is going to disappear from my bookmark list...

  43. its the INTERFACE stupid by Anonymous Coward · · Score: 0
    the best way to get people on the track for encryption and securing toys like you mentioned is to first provide the appropriate tools for them with intuitive and a "familiar" user interface. If no tools exist like that, then consider an investment in consulting groups to take existing tools and write UI modules or wrappers for them, perhaps in HTML. The other tool besides the actual implement would be the registration/configuration tools. People want their computing to be like driving a car. Everyone knows how to drive "A" car so a new car of a different model has a very small learning curve due to consistent design.

    Perhaps a very wise person in your organization has already begun a "common interface" initiative that you can use for the basis of your new user registration and application interface. (the actual tool using said security knick-knack)

  44. Sounds like (mostly) a technical problem. by hamsterboy · · Score: 2, Interesting
    From a programmer's point of view, this seems fairly straightforward, from what little I know of HIPAA. Sure, the bill is draconian, but since it's pretty much a blanket "encrypt everything", a general solution shouldn't be so bad, right?
    • Make sure email apps do the official encryption automatically to ALL emails
    • Put the database servers behind a nice firewall
    • Write up some policy on sensitive operations
    Granted, the management end isn't so simple, but when people realize that they could face fines or jail time for violations, they'll go along, even if they think it's stupid. The hardest part seems to be training people on a new email app.

    -- Hamster

  45. Nitrous day all good by Anonymous Coward · · Score: 0

    Who wouldn't turn up for work? I'd be there early, and work late!

  46. My company doesn't care. by RazzleDazzle · · Score: 2, Interesting

    All we got was a packet of 30 pages of fluff then just locked off a section of our warehouse with a digital key lock and just store everything in there now. Electronically we are not doing anything different than before. This is the most half-assed effort I have ever seen. Of course that fits right in with standard operational procedure. Jimmy rig it so it just barely works then when shit breaks, scream at your already depressed/frustrated tech workers and tell them, "You need to fix it and make it work so this never happens again.... in 1 day"

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  47. Don't do it by yourself, use the employees... by joto · · Score: 2
    First, make a HIPAA working group with 3 or 4 non-IT members. Help them put out the guidelines, while you take care of the technical stuff, and check the guidelines for technical sanity. Make HIPAA courses mandatory for everyone. Make the different departments audit each other for HIPAA compliance. Do everything you can to avoid actual HIPAA work yourself.

    By involving employees, you will not only free yourself from a lot of grunt-work, but you will also avoid becoming the nasty HIPAA police everyone ignores and hates. And you will probably also get a bit of enthusiasm from at least some of the co-workers. This is the right approach, because what you are after is mostly a culture-change, not a technical change. Besides, management will love you...

  48. HIPAAA, uh, ok, is that, like, the cool triple A? by rumba · · Score: 1

    It's because Slashdot editors never check for spelling errors. I can't believe how many go by every day. I mean, when your job is to post half a dozen stories, wouldn't you think there would be a system for catching even the most common spelling mistakes? Get it together. Use your perl hax0ring skillz to run the articles through aspell or ispell.

  49. PGP use not hard to achieve by BrianWCarver · · Score: 1


    It should be relatively easy to get people to start using PGP to encrypt all of their internal e-mails. So long as you can switch everyone to Mozilla or Netscape as their e-mail program of choice, then the Enigmail plugin makes using GPG or PGP encryption a breeze, and it can be easily set up to automatically ask for your password every time. That would be the only difficult part: Getting people to choose decent passwords and remembering them...but if you're in IT, you've faced that problem before.

    Brian

    --
    Like Digital Freedoms? Then donate to EFF before they're gone.
  50. Build it into the Tools... by liquidbrains · · Score: 1

    I worked on a team that developed a medical claims processing system. We built all the compliance requirements right into the system. It was a pain, for the UI developers in particular, but worth it. The idea was for the app to lead the human element away from things they should not do and do the things they should for them. We used strictly configured systems that did not permit, or made very difficult, non-compliant use. It just seemed easier to not give them the option of not following the rules.

  51. HIPPAA = Revenue Scheme by Anonymous Coward · · Score: 0

    Auditors show up, find violations, issue fines, move on ...

  52. Re:Faster, More Reliable Alternative by stephenisu · · Score: 0, Offtopic

    If you were to activate an account then go into preferences you could disable this section of slashdot. For many this is a section of slashdot where they can get answers from others real life experiences.

    --
    Sigs? We don't need no stinking sigs!
  53. This is a software engineering windfall! by ChicoLance · · Score: 2

    I work with Radiation Therapy, and HIPAA is causing quite a bit of concern. All of the patients that come through there for treatment have nice binders with their name on the spine. We've got warning stickers when two patients may have similar names. This makes it easy when you set them down on the table for the radiation treatment, that you're looking at Nancy Johnson's chart, and you don't get it confused with somebody else.

    However, under HIPAA, all names that are viewable by any public must be removed. Those names on the binders -- they've got to be replaced with some ID number. The names on the whiteboards of the patients must also be removed. QA is _much_ harder when to confirm that you've got the right chart, you somehow have to verify you're looking at the right ID number, instead of just asking, "Are you Nancy Johnson?"

    Federal compliance has been delayed before for some of these same problems, and there is any indication that it will be delayed again. Our director is moving towards HIPAA compliance, but not at the expense of care and safety.

    This also has all of the earmarks of a Software Engineering windfall -- all of the medical systems have to be modified to remove names from public places. That's a lot of work!

    1. Re:This is a software engineering windfall! by geekoid · · Score: 2

      haha.

      here is a plan, you ready? I hope you got a pencil, cause its a toughy.

      Put the names inside the book. Ta-Da! that will be 5000 dollars please.
      My God, an ID, nobody in the history of the world has had to deal with an ID system!!! ahhhh the pain.

      I can tell you how to solve the ID problem for 250 per hour, 100 hour minimum.

      thank you, and good night!

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  54. BizTalk Accelerator for HIPAA by MSwanson · · Score: 1

    I'll probably be shot, but you should really take a look at http://www.microsoft.com/biztalk/evaluation/hipaa/default.asp. I'm aware of many companies that have used this to get up-to-speed quickly, and they are very satisfied with the results.

    1. Re:BizTalk Accelerator for HIPAA by leftism11 · · Score: 1


      This only applies to the Transaction Rule and is just a tool to facilitate transaction mappings to the ANSI X12 EDI transactions.

      You still need to develop trading partner agreements, work with all of your partners, work with a transaction validation firm, work with any clearinghouses that you may use, etc, etc, etc.

      Lotsa work.

      Oh, and the BizTalk HIPAA Accelerator is quite pricey depending on your needs and your systems. Also consider that as the HIPAA Transaction standards change and evolve, your systems need to be flexible enough to change with them. MS may end up charging for 'subscription updates' for their mappings--not sure about how they plan on supporting the product long term.

  55. Yet another trollhouse cookie... by Anonymous Coward · · Score: 0

    Tsk.

    The bill itself is not the issue. The issue is the set of regulations promulgated by Health and Human Services (DHHS) regarding standardization, security, and identification requirements. Three of those rules remain in proposed form, while only two (on standardization and privacy) were published as final in 2000. These are huge tomes, each one set forth as administrative, not statutory, law, and therefore liable to be amended. Any organization that cheerfully attempts to comply with regulations in flux will quickly destroy itself dealing with often contradictory standards that can change according to the whims of those on the 7th floor. (Hey, I'm with the government; I have no illusions about our ability to provide clear and concise rules.)

    In addition to HIPAA compliance rules, we also have around 5500 pages of "guides" designed to help organizations and perplexed citizens come into compliance with the statutory requirements alone. Of course, those were published four years after Kennedy-Kassebaum, since DHHS is at least as confused as its private-sector counterparts. IHS -- the Indian Health Service -- only began its own HIPAA compliance effort a year ago, despite its close association with (as in "being a part of") DHHS.

    However, feel free to troll away, actual thought and understanding being much more difficult than just vomiting over your keyboard and pushing "submit."

  56. Re:Bureaucratic filth by rgmoore · · Score: 2
    It's nothing but more government interference in private business that chains capitalism to the ground and makes us as weak and inefficient as the old Soviet Union was. This does not simplify anything with electronic transactions -- it just bogs down the already efficient electronic systems in place with red tape.

    Since you don't like government interference in your business, I hope that your health care firm will give up access to funding in the form of Medicare, Medicaid, NIH research funds, etc. It would be terrible if you were to behave hypocritically by taking lots of government money and then turn around and complain about government regulations.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  57. Privacy != Security in HIPAA by peacefinder · · Score: 4, Insightful

    Okay, I know this sounds weird, but my HIPAA expert tells me that Privacy and Security are totally different things according to HIPAA. You have *much* less to worry about by next spring than it seems like you might.

    (From an IT perspective, one wonders what good privacy is without security? For us, if it ain't secure, it's silly to call it private. But HIPAA was not written from an IT perspective...)

    The Privacy portion of the rules take effect next spring, and you will have to deal with that. HOWEVER, the privacy rules deal with how you decide who is allowed to see the data, *not* how you protect the data... that's the Security portion of the HIPAA standard. Privacy is about rules and procedures for intentional data disclosure, and data security is NOT within the scope of the Privacy rules.

    (So, for instance, HIPAA considers an e-mail over the public internet *private*, so long as you're sure the person you addressed it to is authorized to see the information it contains. Bonkers, but true.)

    The HIPAA Security standard will address how you protect your data. It will address security issues from encrypting e-mail in transit to physical security of your data storage. These rules have not yet been published, although they are due at any moment. Once published, we'll have two years to comply... so not before October 2004 will they be in effect.

    I advise you to get in touch with your state's medical association and attend their training seminars on HIPAA right away. Make sure to take along the office manager or medical records guru. It's information you WILL need.

    Oh, and don't panic. :)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
    1. Re:Privacy != Security in HIPAA by leftism11 · · Score: 1


      This is correct--the HIPAA Privacy rule and the Security rule are two different regulations that are quite different (although sometimes complementary) with their requirements.

      READ THE ACTUAL REGULATIONS.

      http://aspe.hhs.gov/admnsimp/

      They are well written and will give you a very good working knowledge of the requirements. "Experts" can be helpful at clarifying some details regarding how a particular requirement applies to your organization, but after reading the actual regs, you will have a very strong understanding of what needs to be done for Privacy and Security rule compliance.

    2. Re:Privacy != Security in HIPAA by SEWilco · · Score: 1
      But notice the identification requirements on user terminals require privacy protection by ensuring use by authorized people. So everyone will have to identify themselves and they'll get logged out if they are idle too long.

      When you're configuring those things, be prepared for the next steps such as tying encryption keys to individuals.

  58. Apply For an extension by LowellPorter · · Score: 3, Insightful

    I work in the healthcare industry too. I believe there are certain circumstances where you can apply for an extension to the April 2003 date. Look more carefully at the law itself and not what your buying group gave you.

    1. Re:Apply For an extension by leftism11 · · Score: 1


      HR 3323 was passed a while back and allowed organizations to apply for an extension to the TRANSACTIONS DEADLINE ONLY. Unfortunately, the deadline for submitting the extension was October 16, 2002.

      I haven't checked lately to see if they extended that deadline--they previously said that no late submissions would be considered.

      Again, that extension DOES NOT apply to the Privacy rule or Security rule.

  59. IT ISN'T AS HARD AS IT LOOKS! by leftism11 · · Score: 5, Informative

    I worked as a HIPAA compliance consultant and have contributed a chapter to a CIO-level book to discuss HIPAA compliance.

    If you can read and have a general understanding of the healthcare industry, you can easily understand HIPAA.

    First, and foremost, you MUST read the *actual* HIPAA regulations (Privacy and Security) in order to properly understand the HIPAA requirements. They are NOT difficult to read--they just look intimidating, but are actually VERY well written, generally easy to understand, and are accompanied by a ton of background and explanations. Do NOT, under any circumstances, rely on the claims of vendors or any other "HIPAA Analyst" etc. regarding HIPAA compliance issues unless you have read the regs and can validate the claims, and ensure that they are even relevant to your organization. Educate yourself and you will be amazed at how much simpler HIPAA becomes. (If you need to implement HIPAA transactions, there is very little to read--just the transaction specs.)

    Second, after you have personally read and understand the requirements, put them in the context of your organization. I believe that you will find that the reality of HIPAA compliance is relatively simple, and consists primarily of policies, procedures, and general best practices. Any time you hear someone saying "You HAVE to do X, Y, and Z" to be compliant, and those steps sound unreasonable or very difficult, you should be skeptical and verify that 1) that interpretation of the requirements is valid, and 2) they actually apply to your organization.

    After doing these two things, you will be in control of your HIPAA compliance effort. There may still be some hot items with short deadlines depending on which rules (Transactions, Privacy, and/or Security) apply to you, but it should not be a crisis.

    I no longer do HIPAA compliance consulting, but if you want some URLs to start with or general recommendations, feel free to e-mail me at leftism11@yahoo.com.

    You can start here by downloading the PDFs of the Privacy and Security HIPAA regs:

    http://aspe.hhs.gov/admnsimp/

    A site to check for updates and HIPAA news is:

    http://www.hipaadvisory.com/

    (They have good news updates, but again, use your knowledge of HIPAA and understanding of your organization to filter any opinions you get from their site.)

  60. Re:Bureaucratic filth by karlm · · Score: 2
    I believe in privacy, but there's no simple way to make everything ultra-secure with encryption and such -- and that should be a move taken by the businesses themselves, not forced upon them by a distant bureaucracy.

    Then this will never happen, pure and simple, unless cracktivism is legalized (cracking insecure systems to publicly disgrace the company into bolting things down).

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
  61. Redundant??!! by Anonymous Coward · · Score: 0

    how was that Redundant? looking at posts in CHRONOLOGICAL ORDER it is not a repeat, but maybe it is just my level set at 2 or my lack of moderator bias

  62. General Security by photon317 · · Score: 2


    As far as I'm aware (I do some coding for a small medical company, I've had to deal briefly with HIPAA), there's not actually any set-in-stone rules for what makes up HIPAA compliance. It boils down to you coming up with a HIPAA plan that describes how you will effectively secure patient information and sending it in and having it approved. Your plan might include PGP for email and SSL for web apps if that's where patient information flows at. Or you might devise your own schemes to protect it.

    I guess what I'm saying is that all you have to do is treat patient records like you would your root password, follow good security practices, document them, and send them in for approval, and all should be ok.

    --
    11*43+456^2
    1. Re:General Security by leftism11 · · Score: 1


      Well, it isn't quite that simple. The regulations are relatively clear on which organizations must take what steps to be compliant.

      Documented policies and procedures make up a large portion of Privacy compliance, but so do training and changes in organizational practices (adhering to the procedures).

      The Security rule is a bit different, where the technical implementation of a solution may differ dramatically from one organization to another.

      Just read the regs:

      http://aspe.hhs.gov/admnsimp/

    2. Re:General Security by Yottabyte84 · · Score: 1


      I guess what I'm saying is that all you have to do is treat patient records like you would your root password, follow good security practices, document them, and send them in for approval, and all should be ok.

      I wouldn't let anyone at all see my root password. Nobody needs it. If I were admining a server at work, I would try my damnedest not to give out the root password. All the other admins can just have sudo access.

  63. Email gateway filters? by karlm · · Score: 2

    Anyone know of any email gateways capable of looking for any non-PGP content in the body of an email and then rejecting non-compliant emails?

    --
    Copyright Violation:"theft, piracy"::Anti-Trust Violation:"thermonuclear price terrorism"<-Overly dramatic language.
    1. Re:Email gateway filters? by hey · · Score: 1

      Postfix's body_checks can do it easily.
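      The outbound gate that jcurious describes in #28 and karlm asks about in #63, written out as an added example; it is not code from this thread, from Postfix, Tumbleweed or CipherTrust, and it is a stand-alone content filter that sees the whole message rather than a line-matching table. The policy it assumes is mine: a message may leave only if it is S/MIME enveloped, PGP/MIME (RFC 3156), or inline PGP where every text part is an armored block and there are no other attachments. The sample messages and the armor inside them are constructed, so only the framing is checked.

```python
"""Outbound mail gate: reject anything that is not visibly encrypted.

Added example, not code from the thread or from any of the products it
names. Assumed policy: S/MIME enveloped-data, PGP/MIME, or inline PGP
with every text part armored and no other attachments; everything else
is rejected so cleartext patient data never crosses the gateway.
"""
import email
import re
from email import policy

# A whole text part must be exactly one ASCII-armored PGP message.
_ARMOR_RE = re.compile(
    r"\s*-----BEGIN PGP MESSAGE-----\n.*?\n-----END PGP MESSAGE-----\s*",
    re.DOTALL,
)


def part_is_pgp_armored(text: str) -> bool:
    """True only if the text is a single armored block and nothing else."""
    return _ARMOR_RE.fullmatch(text) is not None


def check_outbound(raw: bytes) -> tuple[str, str]:
    """Return ("ACCEPT", why) or ("REJECT", why) for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()

    # S/MIME: only enveloped-data is encrypted; signed-only still leaks.
    if ctype == "application/pkcs7-mime":
        if msg.get_param("smime-type") == "enveloped-data":
            return ("ACCEPT", "S/MIME enveloped")
        return ("REJECT", "S/MIME but not enveloped (signed-only?)")

    # PGP/MIME (RFC 3156): the whole body is one encrypted container.
    if (ctype == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return ("ACCEPT", "PGP/MIME encrypted")

    # Inline PGP: every leaf text part must be armored, and any non-text
    # attachment (PDF, Word file) is an unencrypted leak by definition.
    saw_text = False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_maintype() == "text":
            saw_text = True
            if not part_is_pgp_armored(part.get_content()):
                return ("REJECT", "cleartext body part")
        else:
            return ("REJECT", f"unencrypted attachment {part.get_content_type()}")
    if not saw_text:
        return ("REJECT", "empty body")
    return ("ACCEPT", "inline PGP armored")


# Constructed samples. The armor is fake: this gate only checks framing.
_FAKE_ARMOR = (
    "-----BEGIN PGP MESSAGE-----\n"
    "\n"
    "hQEMA0t0ZXN0a2V5AQf/constructed+ciphertext+not+real==\n"
    "=AbCd\n"
    "-----END PGP MESSAGE-----\n"
)
_HDR = "From: billing@clinic.example\nTo: claims@payer.example\nSubject: chart\n"

CLEARTEXT_MSG = (
    _HDR + "Content-Type: text/plain\n\n"
    "Patient ID 000123 (constructed sample), visit notes follow.\n"
).encode()

INLINE_PGP_MSG = (_HDR + "Content-Type: text/plain\n\n" + _FAKE_ARMOR).encode()

PGP_MIME_MSG = (
    _HDR + 'Content-Type: multipart/encrypted; '
    'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
    "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b1\nContent-Type: application/octet-stream\n\n" + _FAKE_ARMOR +
    "--b1--\n"
).encode()

MIXED_LEAK_MSG = (
    _HDR + 'Content-Type: multipart/mixed; boundary="b2"\n\n'
    "--b2\nContent-Type: text/plain\n\n" + _FAKE_ARMOR +
    "--b2\nContent-Type: application/pdf\nContent-Transfer-Encoding: base64\n\n"
    "JVBERi0xLjQK\n"
    "--b2--\n"
).encode()

if __name__ == "__main__":
    samples = [("cleartext", CLEARTEXT_MSG), ("inline-pgp", INLINE_PGP_MSG),
               ("pgp-mime", PGP_MIME_MSG), ("armored+pdf", MIXED_LEAK_MSG)]
    for name, raw in samples:
        verdict, why = check_outbound(raw)
        print(f"{name:12s} {verdict:7s} {why}")
```

      A gate like this proves only that the message is framed as encrypted, not that it was encrypted to an authorized recipient's key; a user who pastes armor lines around plaintext would pass it. It belongs in front of a server-side encryptor or a key-policy check, not in place of one, and the mixed-message case is the one worth testing: an armored body with a cleartext PDF beside it is the most common way patient data slips out.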

    2. Re:Email gateway filters? by Anonymous Coward · · Score: 0

      Check out the Zix VPM at http://www.zixit.com/products/zixvpm.htm

  64. Uhhhh by isa-kuruption · · Score: 4, Informative

    First, being a 'security officer' means you are a VP level or better. Are you paid for this? As an officer, you have the authority to tell people to do what you want, you also have the authority to hire and fire as needed, etc....

    Look, I work for a pharmacy benefits company, and we've been dealing with HIPAA regulations for about 3 years now... the fact your organization chose to wait until 6 months before the mandatory date just says they are ill prepared to be in business. HIPAA is not something that showed up overnight... it's been known about for a few years now, and any decent company would have already arranged for the changes to be put into place.

    Also, referring to my first statement, if you are an "officer" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?

    1. Re:Uhhhh by geekoid · · Score: 2

      "Also, referring to my first statement, if you are an "officer" of the company, it means you COULD go to jail if you break the law (e.g. like not being HIPAA compliant), so I would be VERY careful about accepting that title. Maybe they made you the fall guy?"

      You know, I got a job offer that was a little off my skillset. At the interview, they said I would be the "guy who handled HIPAA compliance". I wonder if I'm being set up as a fall guy?
      Different industry, a lot of money, not a skillset match... man, I'm screwed.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  65. HIPAA compliance simplified... by Anonymous Coward · · Score: 0

    Here is a company that makes a product that allows you to VERY quickly create a HIPAA compliant security policy. Using their software you can also create implementation standards to streamline system setup to ensure compliance, and even monitor and archive compliance remotely. VERY COOL!

    http://www.polivec.com/polivecbuilder.html
    http://www.polivec.com/polivecscanner.html

    Hope it helps some of you.

  66. Loved you in Planet of the Apes by Anonymous Coward · · Score: 0

    you are the man!

  67. Almost there now anyways by Archfeld · · Score: 2

    Soon there will only be ONE giant MEGA corp health care provider, and they can share your data with "umbrella companies" no matter what you say or want.

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  68. Take a deep breath by Aron+S-T · · Score: 2, Informative

    While HIPAA compliance is serious, no one is going to shut you down if you aren't compliant by April. First of all, the privacy rule was just finalized a few weeks ago, and the security rules haven't even been finalized yet. This isn't Y2K - the deadlines are artificial, and, as was done for the transaction deadline, extensions no doubt will be offered.

    The key though is this:

    The first step you must take now is build a compliance plan! This is important because you will need it to get an extension. It is also the only way to make HIPAA compliance manageable.

    Keep in mind, as well, that HIPAA is mostly about best practices regarding security and privacy. Even if HIPAA didn't exist you should be doing it. Not just you. Everyone out there. HIPAA is just a stick.

    So
    1. Look at your organization
    2. Build a plan
    3. Educate your employees why this is important
    4. Implement the plan
    5. Educate your employees how this will be done
    6. Test the plan
    7. Educate your employees what needs to be done

    I think you get the picture. And don't feel pressured. Just do it right, step by step.

  69. You don't understand... by cathyy · · Score: 1

    I am not only a geek, but a nurse. Let me try to explain how technophobic most nurses are. Every other nurse I know is incapable of setting up and running an IV pump or feeding pump without at least an hour of instruction on how to do it. Never mind that the differences between them are negligible. Never mind that the instructions are printed on the side of the machine. They don't understand them, even when they have PICTURES as well as words. These are the people who need to implement HIPAA. These are also the people you CANNOT fire, due to a severe national shortage of nurses. Something about the low pay, and double shifts if your relief calls in sick, and too much work in too little time to do it RIGHT, the way you want to. It's why I no longer work as a nurse, contributing to that shortage.

  70. Off topic but by Timwit · · Score: 1

    I'm wondering how many people out there have a Primary Care Physician (PCP) willing to communicate with them via email. Mine does, but from what I gather, she is unusual.

    It is inevitable that email communication between doctors and patients will become commonplace in the future. No doubt it will be limited at first to a narrow set of circumstances; for example, delivering test results, or detailed instructions for taking medication. (Having said that, my physician hasn't mentioned any limits. But then again, I make sure not to ask her questions that require more than a one-line answer.) Because the physical examination is so central to medicine, email usage might never move beyond this, but I have no doubt that for at least these purposes, it will become standard practice, eventually.

    I can think of two factors that will delay its widespread adoption: 1) Older, senior-level physicians resistant to change will probably have to retire before it can become truly standard. 2) Compensation--how will physicians be compensated for writing email? This becomes important if it is to be used for time consuming things like answering detailed questions, etc.

    Then there is the issue of electronic privacy (i.e. the need for encryption), which is why my question is vaguely relevant to HIPAA and this article.

    1. Re:Off topic but by Anonymous Coward · · Score: 0

      The good news is that typically, a patient and a physician actually physically meet. Thus, they can securely exchange PGP keys. That's a much better relationship than, say, some guy I buy CDs from on eBay.

  71. The email part of the HIPAA regulations by sportal · · Score: 4, Informative

    I've mainly been dealing with the effect of the HIPAA regulations on email. The organization I work for primarily communicates with other health care organizations, not patients directly. We will probably implement a mix of solutions and make the option available to the other organization of what they want to use. You only need to worry about encrypting email that contains PHI (patient health information).

    1. STARTTLS - Implement it in your mail server or border mail gateway, and your email gets encrypted on the fly without requiring any user intervention. Works great; only a couple of things you need to look out for. An informal agreement with the other organization will help iron these out. (a) You need to ensure that the other mail server (the one in the MX record) is the last hop across public networks. You don't want that server forwarding on the message unencrypted after you send it encrypted. (b) You need to enforce the use of TLS for some domains. Postfix allows this and I'm sure others do. (c) SSL certificates signed by a proper CA (not self-signed) help prevent man in the middle style attacks.

    2. S/MIME - Works, but you've got to train the users on both ends. Put your S/MIME public keys up on your website so that users can download them.

    3. PGP - Works, but same as S/MIME, you've got to train the users on both ends. Put your PGP public keys up on your website so that users can download them.

    4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot easier than trying to train an AOL user/patient how to use S/MIME. Prevents them from broadcasting their SSN and health problems to the Internet in clear text.

    5. An S/MIME gateway - Most mail servers can act as STARTTLS servers, but most don't have the option of being an S/MIME gateway, so you have to add an additional commercial piece of software, and so do all the other organizations that you are communicating with. Also it only helps at the organization to organization level, since AOL isn't running an S/MIME gateway, and neither is Hotmail.

    Personally I would like to see the HIPAA regulations jumpstart the use of STARTTLS enabled SMTP servers. S/MIME and PGP are difficult for users, and will probably not end up being used if it isn't easy.
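
Items (b) and (c) of the STARTTLS list above, written out as a Postfix configuration: this is an added illustration, not the poster's own setup, and it uses the smtp_tls_policy_maps table of Postfix 2.3 and later rather than the smtp_tls_per_site table that existed in 2002. Partner domains, hostnames and file paths are placeholders.

```ini
# ---- /etc/postfix/main.cf (excerpt) ----

# Weak setting: opportunistic TLS only. If the partner's MX does not offer
# STARTTLS, or something between the two servers strips the STARTTLS
# advertisement, the message is still delivered in clear text.
smtp_tls_security_level = may

# Per-destination override for the domains that receive PHI.
# The table below turns "may" into an enforced, verified policy for them.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Trust store used to check the partner's certificate chain. A self-signed
# partner certificate will not pass the "verify" or "secure" levels, which is
# the point of item (c): an attacker in the middle cannot present a
# certificate that chains to a public CA for the partner's name.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Log the TLS level and certificate outcome of each outbound session so the
# enforcement can be shown to an auditor from the mail log.
smtp_tls_loglevel = 1

# Inbound side, so partners can apply the same policy toward this server.
# The certificate here should be CA-signed for the same reason as above.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example-dme.example.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example-dme.example.key

# ---- /etc/postfix/tls_policy ----
# Build the hash with:  postmap /etc/postfix/tls_policy
# Key = recipient domain (the next-hop destination). Placeholders throughout.
#
# "secure": deliver only over TLS, only if the server certificate chains to a
# trusted CA and its name matches the "match=" list. If any of that fails
# the mail is deferred and retried later; it is never sent in the clear.
# The explicit match= ties the check to the partner's MX hostname, because
# the default for "secure" is to match the recipient domain itself.
partner-clinic.example          secure match=mx.partner-clinic.example

# "verify": the same checks, but by default the certificate must match the
# MX hostname looked up in DNS rather than the recipient domain.
billing-clearinghouse.example   verify

# Item (a) in the post cannot be expressed in this table at all: Postfix can
# only verify the MX it connects to. Whether that MX then relays the message
# onward in clear text is something only the partner can confirm, hence the
# informal agreement the post recommends.
```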

    1. Re:The email part of the HIPAA regulations by Yottabyte84 · · Score: 1

      4. A secure web mail contact form - Good for only one-way communication (them sending messages to you), but it works a lot easier than trying to train an AOL user/patient how to use S/MIME. Prevents them from broadcasting their SSN and health problems to the Internet in clear text.

      The ideal way to do this is.....

      Please provide a password. This password will be required to read our response, so don't forget it. If you have a PGP public key, you can use that instead. (Or pick one for them, and a correspondence id.)

      Then, when you reply, you send them a link to an SSL page that asks for their password, and displays the message for them.

  72. HIPAA dictates screen savers? by mgkimsal2 · · Score: 2

    I didn't know HIPAA dictated screen savers. Can someone point me to the legislation online somewhere?

    1. Re:HIPAA dictates screen savers? by Student_Tech · · Score: 1

      Yeah, can I also get some more info on this. At a hospital my grandma was staying at after a car accident there were some computers across the hall from her room. I could watch what the screens of the attendants' computers (yes, 2 computers) were doing from the door of my grandma's room, and although they were running Windows 2000 they never locked them; you could just walk over and use them. Although they had passworded access to the patients' data, you could still browse the internet with them. We were told that if we were caught using them again (yeah, of course we were using them for internet use only, like the cost of the car that was destroyed) that person would be escorted out of the building.

    2. Re:HIPAA dictates screen savers? by Anonymous Coward · · Score: 0

      I forgot to add this to my previous comment. The attendants seemed to spend a bit of time on the internet (that was how I noticed they were on the internet, I didn't assume they were), and where they were located, my family members who were using them used them for over an hour before anybody came by, and even then the person wasn't sure and had to ask their supervisor. The supervisor said that some people had been fired for telling non-employees that they could use the computers.

      I also need to say that this started when my sister mentioned she needed to check her email and I pointed out that the 2 male attendants on the computers were using the internet; she asked and they said ok and let her use the computer.
      So no, we didn't just hop on the computers, we asked first.

    3. Re:HIPAA dictates screen savers? by Anonymous Coward · · Score: 0

      Oh, one more thing I forgot to add to my comment.

      When my grandma asked for the bedpan, while I was putting it into position, I snuck a peek at the snatch. Man, I really want some of that stuff!

      (Consider it a hint man, don't reply to yourself as anon, or other people will start doing it and people will think it's you... It's only karma)

  73. Re:Bureaucratic filth by biostatman · · Score: 2, Interesting

    Actually HIPAA is a real pain for the growing number of medical researchers who use EMRs (Electronic Medical Records) for academic research (like me). Many useful study designs in which patients are still completely anonymous will suddenly be in murky legal waters after April. For example, one of the (many) "identifiers" that must be removed to use EMRs without explicit consent is the date of any procedure. This restriction alone makes many otherwise useful datasets extremely limited and not worth spending resources on.

    So it is good to protect EMRs from (e.g.) pharmaceutical companies trying to use sensitive information for marketing, but some of the shackles that HIPAA will put on researchers are not a good thing (TM). There are already many measures in place within academic research to protect the privacy of patients.

    --
    For the love of $DEITY, loose != not win!!!!!
  74. MS & HIPAA compliance by Lucas+Membrane · · Score: 3, Insightful
    Unfortunately, MS sees HIPAA as a big marketing opportunity. If you've got to replace or upgrade everything to comply, why not go with the firm with the biggest market share? The responsible authorities are not going to shoot everyone who buys from MS, no matter how badly MS might mung it up. But they might shoot everyone who buys from some small operator, just to show that enforcement exists, given that compliance is impossible. MS is investing much in offering some ways to attempt HIPAA compliance via its .NET smokeandmirrorsware, so this isn't going to hurt them much.

    It takes people like MS to make people like linux, just as it takes people like health insurers to make people like undertakers.

    1. Re:MS & HIPAA compliance by Anonymous Coward · · Score: 0

      Citrix is hardly a "small operator"!

  75. HIPAA simplified? by CokoBWare · · Score: 2, Informative

    Hi guys,

    I work in a company where HIPAA compliance has been mandated by our legal counsel for liability reasons. Here's what I've managed to synthesize from the requirements...

    1. HIPAA is meant to protect the patient and their medical information from getting leaked out into the public.

    2. HIPAA is good, and it requires organizations working with medical data to treat it as sensitive information. Medical data of patients should be kept safe like your own children (not the best example, but you get the point).

    3. Protect the association between a patient and their medical information. There is nothing wrong with having medical information less secure unless it is accompanied by anything traceable to a patient (like SSN, address, name, next-of-kin, etc.).

    4. HIPAA demands that any time personal medical information is viewed or used, it needs to be tracked somehow to show the fingerprint trail.

    5. Protect all information systems from unauthorized access, including computer systems, physical claims, etc. Your premises should be as secure as your network!

    6. Read the HIPAA proposal, AND look for summaries on HIPAA. If the HIPAA proposal is too dense a read, then the summaries will help you get started.

    7. Form a HIPAA committee... usually one person from each department or overseeing group to help make implementations possible.

    8. Get your company audited for HIPAA compliance after you have implemented your measures. This way, you can have an "objective" 3rd-party evaluate your compliance and suggest remedies before the deadline.

    9. Don't get caught up in "If they can't enforce it, why should I bother?" That's lazy... would you want your personal medical information left on the sidewalk for someone to pick up and use against you? These are people's lives we're talking about!

    Well I've said enough. I am NO expert on HIPAA, but I have our CIO's and Security Manager's ear. These few points are what I've managed to make sense of while discussing the topic with them.

    Good luck on your own HIPAA compliance efforts.

    CokoBWare

  76. Personally Identifiable Info by peacefinder · · Score: 1

    It's now illegal to send personally identifiable information via electronic means (such as email).

    It is also illegal to send personally identifiable healthcare information on a postcard to a person claiming to be a patient. You're not certain who you're sending it to, and it can be read by anyone handling it. This is not at all different from the process as it exists on paper.

    HIPAA Privacy rules are meant to ensure that the intentional disclosure of personal healthcare data happens according to your pre-defined policies. It is actually a lot like ISO9000 in that your certification is not dependent on how stupid your policies are, only that you follow them. (With HIPAA though, there *is* a legal bound on the stupidity of your policies. :)

    --
    With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
  77. 2002 by bill_mcgonigle · · Score: 5, Insightful

    Go ahead and mod this guy down like he asked, he's confused as to what the truth is. The HIPAA legislation was passed in 1996, but the Final Rule version of the Privacy Rule was only promulgated this August, and only went into effect less than a week ago, which means it's definitely not going to change again before the implementation date.

    Up until then, anything could have changed in the Privacy Rule, otherwise known as a 12,000-line set of government regulations.

    The Security and Electronic Signature Rule is still in a proposal state. The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm. The first proposed privacy rule was promulgated in 1998 and has gone through several substantial iterations. Just because Congress said, "do it," in 1996 doesn't mean this guy had any chance of getting started at that point. Maybe in 2001 he had a fair chance of getting the gist of the Privacy Rule, but he had no way of knowing what, if anything (or everything) would change until this August.

    It only takes balls when you know what you're talking about - this isn't a set of tablets with 10 simple rules, Chuck.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    1. Re:2002 by SN74S181 · · Score: 2, Funny

      The Universal ID proposals are not really even being considered at this time and won't be until Democrats are back at the helm.

      Wow, now you've made me enthusiastic about voting Democrat, dude.

    2. Re:2002 by Arandir · · Score: 2

      Woo hoo! Universal IDs! I hope they stamp them on my forehead while they're at it!

      --
      A Government Is a Body of People, Usually Notably Ungoverned
  78. Re:Bureaucratic filth by chuckwroks · · Score: 0

    Blah, blah, blah. If the businesses saw the need to protect their customers then they would have already done it. They're not concerned with protecting the privacy of their customers because THEY DON'T HAVE TO BE. Why should they go to the expense when the only repercussion to that data getting away from them is an 'Oops' out of them. What a lot of knee-jerk hot air. This guy doesn't want to fight it, his question was about how to COMPLY with it.

  79. Re:Bureaucratic filth by Anonymous Coward · · Score: 0

    To top this all off, I only have until April 14, 2003 to get most of this fully functional or forced to have the company shut down.
    Yeah, right. The economy sucks, the president wants to go to war, and "the big bad guys" are going to shut your piddling company down. If you believe that I have some ocean front property in Nebraska that is real cheap. Can anyone name me even one company that the government has shut down? I shouldn't, but I will allow comments along the lines that "they made it so expensive for us to comply that we 'had' to shut down". As long as we are on this subject, then who makes the decision on what is too "expensive" for a company to abide by the laws that they knew existed when they filed their charter (or articles of incorporation; I didn't take many business classes). Do most other corporations decide that the cost of converting their existing infrastructure to a "new" law or do they decide to pass the cost along to their clients/customers?
    If it is going to cost X amount of dollars to convert then ask for 150% of X, and if it doesn't cost that much then add to your resume that you completed a project under budget.
    Just don't say I have six months to turn coal into diamonds or the company will perish.

  80. Real HIPAA Problems by PerlPunk · · Score: 1

    I currently work as a developer in a company that acts as an online link between doctors and the insurance companies. Here are the problems we face:

    • Making our legacy NSF/UB systems HIPAA compliant
    • Trying to accommodate our other clients' whims who want to be HIPAA compliant and also mix their proprietary data with the X12s they send us
    • The working committee who produces these $%@# specifications changes it every so often. We don't get the (real) specs until the only way we can possibly finish the work to become HIPAA compliant is to go into emergency mode.
    • Dealing with stupid clients (on both sides) who eat up our development time.
    'Nuff said.
  81. From the other side of things... by jgrider · · Score: 1
    Several comments have been made to the effect of "Why bother complying". This shows lack of understanding of the problems at hand. Compliance with HIPAA is required for all healthcare providers who submit medicare/medicaid claims electronically (all doctors will basically have to by 2005 anyway). Non-compliance could cost a doctor his medicare number (which can take years to get in the first place). Without the ability to be paid for medicare/medicaid patients, the doc will stop seeing those patients, which nationwide make up about 20% of the average medical practice patient base. Go ahead, YOU take a 20% pay cut voluntarily. :)

    As a medical student (with a BS in computer engineering), I can vouch for the current mood of uncertainty in this area. Much of this is because so many doctors, nurses, billing staff, etc. are not computer savvy. Check the computer labs at your local medical school, and you will find all of the Macs occupied, and the PCs gathering dust because no one has the time/desire to use M$ windows. I am sure that I am the only person at my school who uses anything other than windows/mac for anything...

    What we need is obvious: Secure desktop systems with billing and practice management software, secure email, and basic wordprocessing. Here's the catch: It has to be incredibly easy to use. Many nursing students, billing lackeys, transcriptionists, etc. have those trade-school jobs because they only barely graduated high school. Steep learning curves are bad, since they waste the office staff time that the doctor is paying $10-$20/per hour/per person for.

    1. Re:From the other side of things... by Anonymous Coward · · Score: 0
      He just said If you don't comply you don't get paid.

      Insurance companies and federal programs will use HIPAA procedure codes for billing. It will be obvious and awkward if you're trying to bill with old proprietary codes.

      And with HIPAA having a Y2K-level effect on the medical industry, several times a year someone who is aware of the privacy part of HIPAA will pass through and might notice if they can see patient information in the numerous places where you're placing it... You want to gamble on how many times a year or day someone will notice and be able to report or sue?

      That lawyer? He's just a HIPAA chaser...

    2. Re:From the other side of things... by Anonymous Coward · · Score: 0

      Most doctors are limiting their medicare/medicaid patients anyways because the government pays so little to the doctor for seeing these patients.

      Doctors are voluntarily turning away medicaid patients just so their salary DOESN'T go down.
      So the threat of losing their medicare number doesn't sound like much of a threat to me.

  82. Re:Bureaucratic filth by Usquebaugh · · Score: 2

    The US is about as capitalist as the USSR was communist.

    Free market means no loans/grants/tariffs etc, bye bye airlines, steel etc.

    An investor should be able to see everything about a company, no more Enrons.

    Without a common enemy America is finished, let's split up the assets and redistribute the wealth.

  83. Hmmm... by Compuser · · Score: 1, Offtopic

    I am beginning to really like HIPAA. It seems to require that everyone in each medical organization be mindful of security and privacy. With any luck, this will force all the boneheaded medical staff to get a second bachelor's degree in computer science. Then maybe this will propagate until computer literacy (sufficient to run and configure e.g. HURD) will be required for any job, just like regular literacy is today. With laws like these, twenty years from now could be a sweet time to be around.

    1. Re:Hmmm... by SN74S181 · · Score: 1

      With laws like these twenty years from now could be sweet time to be around.

      Except, 20 years from now you could be in a nursing home and no matter how much you press the button to get them to bring you fresh water, they're busy fucking around recompiling the kernel on the bedpan.

  84. HIPAA Resources by alkatraz · · Score: 1

    This site published some pretty good HIPAA articles a few weeks ago, and they also have a free HIPAA resource library that helped me clear up some of the HIPAA issues.

    Hope it helps.

  85. Helpful site by JoshMKiV · · Score: 1

    http://www.hipaadvisory.com/
    You can also join one of several mailing lists. Some of the CISSP lists will be very helpful.

  86. Re:Bureaucratic filth by Anonymous Coward · · Score: 0

    While I have already commented on the parent post I have to add this.

    You have a (hopefully) very large customer base to "share" the added expenses. If any company can't pass the cost of doing business then they have no business doing "business".
    I am a consumer and regret paying higher prices for anything, but if we blame the gov't then we have no one to blame but the ones that elected the A**holes that passed the laws.

  87. Re:Bureaucratic filth by duffbeer703 · · Score: 2

    I'm willing to share my medical history to the world to protect medical insurers from the grinding influence of government.

    The only problem is when health care executives and medical specialists are unable to purchase Porsches and drink $2,000 bottles of wine, the entire universe will come to a halt.

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  88. ah Linux Journal has covered this subject by linuxislandsucks · · Score: 1

    Linux Journal has had several articles in the past 19 months covering these issues all the way from making a computer system compliant to procedures and etc..

    Off hand I can not remember the issues the articles are in but you should be able to search the site to find them....

    --
    Don't Tread on OpenSource
  89. From someone in the Banking IT security field by flinxmeister · · Score: 1

    The good news is that most auditors are just as clueless as the people who you're working with.

    In all seriousness, if it's anything like banking, it's about one thing: paper. For state and federal regulators, paper is reality. This is not to say you should be fraudulent in creating your paper, just make sure you alter your view of reality when preparing for an audit.

    Shut yourself into a room for a week. Make up the greatest security policies you can. Then come up with a realistic phase-based approach for implementing it. Produce lots and lots of paper. Then do screenshots of progress. Keep huge huge archives of logfiles of all kind. Don't get rid of anything. Print them out and put them in binders. Burn them to CDs. Turn out as much paper as you can, and when the auditors show up...have boxes and boxes of paper waiting for them.

    Know what they're looking for and give them reams and reams of paper addressing the individual items. Those things that aren't covered, yet...make a 'due date' and implementation schedule then somehow create some paper relating to it. You'll do fine.

  90. Easy HIPAA Compliant Email by eprosenx · · Score: 1

    Using PGP email is impractical for most companies due to the need for software on both ends and the training required to use it. I am currently using a product from a new internet startup http://www.kryptiq.com that allows you to send secure email to anybody without them having to have client software on the other end. The only requirement is that they have an HTTPS-capable browser. Their software runs as a plugin to Outlook (yes I know it's Outlook, but that is what most health care providers use) and it is brain dead simple to use. Every time you send an email it pops up and asks if you want to send it secure or insecure (which can be annoying, but is a good way to ensure compliance).

    1. Re:Easy HIPAA Compliant Email by Anonymous Coward · · Score: 0

      Heh, "requiring software" makes PGP impractical.
      That's a good one! ;)

  91. Re:Bureaucratic filth by lairdb · · Score: 1
    Since you don't like government interference in your business, I hope that your health care firm will give up access to funding in the form of Medicare, Medicaid, NIH research funds, etc. It would be terrible if you were to behave hypocritically by taking lots of government money and then turn around and complain about government regulations.

    Which is precisely what many are doing. (Google on "refuse medicare" for examples.)

    Your answer, however, indicates precisely the problem: the presumption that no business, and in particular no healthcare business, can exist without government aid. Pfui.

    --
    "...and to everyone else out there, the secret is to bang the rocks together, guys."
  92. Hypothetical Question, Just Checking by Lucas+Membrane · · Score: 5, Funny

    If I get a prescription for some of my personal hygiene needs (for tax and insurance purposes), and go to a MegaMegaMart Pharmacy to buy them, and carry them to the cash register, and the checkout clerk gets on the public address and hollers "PRICE CHECK ON _use_your_imagination_here_, GIANT ECONOMY SIZE" again, can I sue?

    1. Re:Hypothetical Question, Just Checking by gmhowell · · Score: 2

      Funny, yes, but an interesting question. In this case, probably not. But there are certain medications that are only useful in the treatment of ONE condition, or a narrow enough collection that merely the knowledge that you are taking (and I'm 100% guessing here) insulin means you are a diabetic.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
  93. Prove It by Anonymous Coward · · Score: 1, Insightful

    Prove to users that unencrypted emails are easily accessible. Sit down at a terminal, run ethereal and have two people exchange an email over your network. Demonstrate how easy it is to get ahold of other people's data and then everyone will understand why it is important not to send personally identifiable information over email.

    The truth is, most people, even people who use a computer a lot, do not understand the basics of networking. If they understood a little bit of how it works, they would know what is secure and what is not.

  94. link karma whoring by loconet · · Score: 2

    Here is another link that might help.

    http://www.vennix.com/hipaalibrary.php

    --
    [alk]
  95. I bet you laughed while Rome burnt... by crovira · · Score: 2

    Man, you must be a criminal lawyer, or, more likely, a criminal.

    Your advice is about as morally reprehensible as the lawyers' calculations that the settlement by people killed by having their hearts ripped out because they were impaled on solid steering columns would probably be less than the cost of replacing these with collapsible columns which would save their lives.

    It never entered the lawyers' minds that people might rather pay a little extra for riding in a car that wouldn't FUCKIN' KILL EM LIKE BUGS ON PINS!!!

    You are one sorry-ass son-of-a-bitch. It must suck to be you and HAVE to use an electric razor 'cause you might slit your throat in knee-jerk remorse if you tried scraping the stubble with a straight-edge.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  96. HIPAA compliance by jlechem · · Score: 1

    This is so true! I used to work for a company that was required to be HIPAA compliant. While we strived to be compliant, the insurance and pharmacy companies that we were courting as customers pretty much ignored HIPAA regulations. There are no teeth in this legislation. It looks good on paper, but unless someone steps up to enforce it, it does us consumers no good.

    --
    Hold up, wait a minute, let me put some pimpin in it
  97. Documentation is the key. by RandomIO · · Score: 1

    I have done a great deal of consulting around the technology required to be HIPAA compliant. While there are many technology parts, one of the main issues is documenting and implementing proper procedures and policies.

    Most of the physical security aspects can easily undo all the hard work that is put into securing things at the datacenter level.
    It is important to publish your standards, and ensure they are clear, and that your employees are trained on them. It is your responsibility to communicate the policies, but it is typically up to each department's manager to ensure they are followed.

    As for the technology side, it is important to document how your systems and software were made compliant.

    RandomIO

  98. People depend on those services. by mmol_6453 · · Score: 2

    Including people without the means to stay adequately informed on the politics of the situation, in addition to finding/keeping a steady job to feed too many children.

    Even if they had free Internet, they wouldn't have time to both read public opinion and legislative movements.

    The closest they could come would be NPR, and then they'd have their resulting opinions fed to them.

    (And it still wouldn't free them from needing medicare and medicaid to get by.)

    --
    What's this Submit thingy do?
  99. I hate it when this happens. by twitter · · Score: 2, Offtopic
    Gods, another one. The frequently asked questions is a f****** M$ Word Doc! I was shocked and angered when I found the local Society of Professional Engineers had forms like this, but the AMA?

    Wait, it gets worse. Opened it with KWord. The only formats are bolds, centering, ?unicode?, and a few hyperlinks, that differ from normal html by only a few control characters which must only work for word. Why, oh why, would anyone use Word to publish something like that? Nothing different or useful was added by word. All word did was make it a little harder for me to read the thing presented.

    I appreciate the effort, but please don't use Word. If you must use Word, save it as text or html. If word won't do that don't use word for things you want to share or cut and paste into another text editor that will do this. Remember that you yourself may not be able to read what you write in Word after the next "upgrade" and that most of your effort making the format just so will be wasted.

    --

    Friends don't help friends install M$ junk.

    1. Re:I hate it when this happens. by Anonymous Coward · · Score: 0

      (sarcastic comment about Word violating HIPPA...and simple HTML could deal with making it pretty while still being legible in a text editor...)

    2. Re:I hate it when this happens. by barole · · Score: 1

      Ha, I tried to contact them to let them know they should use html and got an error from their MS server. They are hopeless.

    3. Re:I hate it when this happens. by h4mmer5tein · · Score: 1

      Use OpenOffice instead. Copes with word documents (including this one) just fine.
      Yes, yes, I know they shouldn't be using word documents in the first place, but they are, and given that they are a monolithic government department that's not likely to get changed in a hurry. By all means mail them, but don't expect any sense out of them.
      I wonder who Kathleen Fyffe is......

    4. Re:I hate it when this happens. by Random+Walk · · Score: 2
      Why, oh why, would anyone use Word to publish something like that?

      First, because many/most users do not know any other editor than Word (in fact, for many/most Word is the only piece of software they know - you would be surprised how many users never have used the file manager, or even know it exists).

      Second, because most Word users don't know that Word can export into other formats than .doc

  100. Mod parent flamebait! by Anonymous Coward · · Score: 0

    Lawyers don't design steering columns dumbass!

  101. I worked for a medical center IS dept in 1998-1999 by dumbunny · · Score: 2, Informative

    Everybody who had anything to do with HIPAA compliance went to at least one HIPAA workshop. HIPAA was the focus of many, many meetings. We had one person whose primary focus was HIPAA, and every manager was on board with the program. My advice is that you find a good HIPAA workshop, make sure your managers attend, and develop a coherent strategy together. If you don't take intelligent steps toward compliance, you risk becoming the fall guy.

    At the workshop, the topic of jail time for non-compliance came up. We jokingly asked about how the jail time could be divided up, and whether a 90-day sentence could be turned into 45 2-day sentences to be shared among all employees. The response was, basically, that it'd have to be a pretty blatant violation to warrant jail time, and the people charged would probably be those most responsible.

    It's to your benefit to quickly determine whether management is informed and ready to make this a high priority. Asking them to attend a short workshop is a good way for you both to get things started and get a feel for the situation, IMO. After that, you can decide whether to stay on or jump ship.

  102. Re:Bureaucratic filth by shadowj · · Score: 2
    The only problem is when health care executives and medical specialists are unable to purchase porches and drink $2,000 bottles of wine, the entire universe will come to a halt.

    My heart goes out to all those poor, unbalconied people...

    --

    --Larry

    Never attribute to malice that which is adequately explained by incompetence

  103. afterthought on consequences. by twitter · · Score: 0, Troll
    Imagine 1,000,000 doctors or members of their staff want to read the FAQ. Now imagine that they have the same M$/non M$ ownership as everyone. Some 10 to 15%, or 100,000 to 150,000 folks, are going to be pained in one way or another to read that DOC, or they won't read it. Now add to that number the percentage that don't have a version of M$ Word that deals with unicode and hypertext links and realize that these people will have to find a computer someplace else that does have that. What is it, 60% of PCs are running win98? More pain.

    Is there an computer man in the house? Ahhhh!

    --

    Friends don't help friends install M$ junk.

  104. Oh, no! by twitter · · Score: 1, Troll

    That FAQ is on a government site. The same government that found M$ to be an illegal monopoly is pushing Word. Ahhhh, it's like there are M$ Adverts in the Post Office and Bill Gates is electing himself leader of US minitruth.

    --

    Friends don't help friends install M$ junk.

    1. Re:Oh, no! by Zork+the+Almighty · · Score: 3, Funny

      So what you're saying is that the government is a HIPAAAcrit ?

      --

      In Soviet America the banks rob you!
  105. You need a compliance management system by Anonymous Coward · · Score: 0

    like this one http://www.compli.com

    ya, I work there. shameless plug, but our customers do HIPAA stuff on the system for policy training and enforcement.

  106. Muhmuhmonkey! by Anonymous Coward · · Score: 0

    Muhmuhmonkey!

  107. Just starting now??? by Zed2K · · Score: 1

    Maybe the bigger question should be: Why are you just starting to worry about this now? You should have started a year ago. I've worked with customers who have been working their way toward compliance and talking about compliance for a long time now.

  108. I work for an HMO by hrieke · · Score: 2

    Here in Boston. Take my advice- don't get sick next year.
    HIPAA is not simple, companies are starting off way too late, like our dear poster here, and I'm sure the very first thing that he will be filling out is the extension form. The HMO that I work for started last year with the privacy questionnaire to all 2500 employees asking what data they released and if it was the min. needed to get the job done.
    The fact that you are now just beginning scares the shit out of me, and let's face it, you're going to be closed down.

    --
    III.IIVIVIXIIVIVIIIVVIIIIXVIIIXIIIIIIIIVIIIIVVIIIV IIVIIIIIIVIII...
  109. Sounds like a set up by rossz · · Score: 1, Offtopic

    If they gave you the responsibility to do it, but not the authority to make it happen, then I'd say they purposely made you the fall guy.

    --
    -- Will program for bandwidth
  110. Automated Software System? by Anonymous Coward · · Score: 0

    Look into a software system that can keep you in compliance, handle all of the transaction processing for you... X12 stuff, etc.

    www.omnitechdev.com

    From personal experience, Omnitech is the best in the industry. I think their average client grosses about 3 mil. a month.

  111. Use Parables by Anonymous Coward · · Score: 0

    They used to do it with Tarot cards as illustrations to the illiterate. Have some good examples and hypothetical scenarios, and just some logic traps for the unwary.

    Show them what they think is wrong, why it will get them fired, sued, or will ruin the life of someone.

    And then you can fire them.

  112. they don't use good information security. by twitter · · Score: 2
    "Features" that do little more than inconvenience the user don't add security. Screen saver passwords, what a joke. Trying to fix the configuration of and applications on the OS that was not designed for security from a company that will sell you the same for a price is wasted effort.

    As a patient, the only things I've seen out of this are new outrageous consent forms. Read what you sign the next time you use insurance payments for a doctor's visit. Getting a pair of eyeglasses, I was confronted with "sign this or pay for yourself". The "this" there included disclosures to unnamed partners and was essentially permission to tell anyone. I was told that I could not strike out the offending portion and the doctor herself was concerned. I was a great volunteer there.

    I sure hope this set of laws gets more specific and makes such "voluntary" consent requirements to receive insurance benefits illegal.

    --

    Friends don't help friends install M$ junk.

  113. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  114. Compliance by Luveno · · Score: 2, Funny

    Thank God I work for a financial services company where we don't get any (tangible) oversight at all.

  115. Re:Bureaucratic filth by Anonymous Coward · · Score: 0
    Many useful study designs in which patients are still completely anonymous will suddenly be in murky legal waters after April.

    Check with your lawyer whether those studies with anonymous patients could use aliases instead of names. Deal with updating of records if a judge orders it. Yeah, I'm sure there will be new HIPAA systems that will have trouble with that update...

  116. Is my situation any easier? by bscott · · Score: 1

    I'm in the planning stages of building a custom patient-info database for a small (2-3 docs) medical office. I haven't yet really dug into what HIPAA will mean, but I've been hoping that just keeping the database on a server isolated from the Internet (and not on a wireless network or anything) would be enough to solve MOST of the issues. That, and making sure that everyone who has physical access to keyboards is already authorized to look at the data (almost everyone in the office who's not a doctor is already entering the data into the current system anyway, at one time or another).

    How much more is going to be necessary? We're hoping to keep this project simple - Access2k-based, custom GUI, little-to-no need for outside communication - as it's only being done because none of the off-the-shelf products my client has tried really fits his needs.

    --
    Perfectly Normal Industries
  117. Incorrect by s.fontinalis · · Score: 1

    "There is no point in threats when people have no idea what to do."

    One of the most effective ways to get people to learn is for them to play the game at stakes they can't afford to lose. Too often companies try to enforce compliance by strident language alone - to obtain true compliance some amount of threats are necessary (but pay docking & negative performance reviews work better than outright firing).

    1. Re:Incorrect by Zeinfeld · · Score: 2
      One of the most effective ways to get people to learn is for them to play the game at stakes they can't afford to lose. Too often companies try to enforce compliance by strident language alone - to obtain true compliance some amount of threats are necessary (but pay docking & negative performance reviews work better than outright firing).

      Hopefully you will never be a manager of any kind. Idiotic macho talk like that is exactly the way companies are run into the ground.

      How many billion dollar companies have you helped to create? I helped to build one with over a billion dollars in revenues.

      Fear is a pretty useless method of motivating staff. The best people know their worth and will either leave or make sure that you fail and take the blame for it.

      Believe it or not there are other options besides 'strident language', dismissals pay docking and all the rest of the stupid stuff you suggest. Every time you make a threat you make another enemy.

      Don't count on the idiot in the Whitehouse keeping the unemployment rate high enough to give you a disposable workforce. Not so long ago it could take twelve months to fill a position. Dilbert boss tactics will only mean that your staff will leave en masse the minute things look up.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    2. Re: Incorrect by s.fontinalis · · Score: 1

      "Fear is a pretty useless method of motivating staff."

      It's not fear. My point is only that the carrot is not the sole management tool - as too many managers believe it is. It can work wonders in the right environment - but fail miserably in others. It's particularly ineffective at motivating staff to follow small, niggling details like cleanroom policy or security policy. I've talked to experts on this (at research labs, semiconductor firms & telecom), believe me, and worked on implementing them myself - the only way to receive full compliance (and this is true even at Intel) was with a stick - like pay docking, or demerits.

      Furthermore, I'll bet you're from a "new" industry. Not all companies can grow quickly, nor are all industries staffed with transient workers who "know" their value. Many industries (healthcare, however, is fast leaving this group) are staffed by persons who just want to collect a paycheck - and they're paid so lowly there's little chance of them being headhunted away, and have little motivation to find a new job (and depending on the region there may not be a new job). For these employees incentives, while it would be wonderful if they did work, rarely do.

      My talk wasn't meant to be "macho", more realistic - you'll never, ever receive 100% compliance with any policy that only rewards employees for doing their job - but if you graft a policy of rewards for top performers, and penalties for the bottom you can come near these numbers.

    3. Re: Incorrect by Zeinfeld · · Score: 2
      It's not fear. My point is only that the carrot is not the sole management tool - as too many managers believe it is. It can work wonders in the right environment - but fail miserably in others. It's particularly ineffective at motivating staff to follow small, niggling details like cleanroom policy or security policy. I've talked to experts on this (at research labs, semiconductor firms & telecom), believe me, and worked on implementing them

      Al Dunlap? Is that you?

      Ahh you have 'talked to experts'.

      I have yet to read a management book that does anything other than argue against what you suggest. So much for your 'experts'.

      As for 'too many managers' not behaving like tin pot tyrants, nah exactly the opposite.

      When I see a company being run like that I consider it a potential short. The Tyco/Enron/Worldcom school of management just went out of fashion.

      --
      Looking for an Information Security student project suggestion?
      Try http://dotcrimeManifesto.com/
    4. Re: Incorrect by Anonymous Coward · · Score: 0

      Question is who is legally liable?

      If the individuals involved are legally liable for their actions, and not the company, then it will only take ONE very public lawsuit to scare the employees into compliance.

      If the company is liable, then you will have to fire the staff who don't follow the procedures, as otherwise they will cost the company LOTS and LOTS of bucks.

      That's not Pointy-Haired Boss behaviour, that's fulfilling your responsibilities to the company's shareholders.

      Besides, if you don't keep track of changes in the tech in your field, then your company will eventually go bust. Those employees who have kept track will get new jobs, those who haven't won't.

  118. Re:Bureaucratic filth by Anonymous Coward · · Score: 0
    Can anyone name me even one company that the government has shut down? ... As long as we are on this subject then who makes the decision on what is too "expensive" for a company to abide by the laws that they knew existed when they filed their charter.

    Take a look in Monday's Wall Street Journal. The article about the U.S. tariff on timber from Canada. Although the government increased the cost of imported timber, the effect was to increase the flow of timber from Canada...and several U.S. timber mills have shut down.

    And if you'll take a glancing look at HIPAA you'll see that the government created that law very recently, so most companies existed long before that law appeared. Nobody's property is safe while a legislative body is in session.

  119. His Approach... by s.fontinalis · · Score: 1

    Is actually rather common among corporations.

    Remember those CAFE (Corporate Average Fuel Economy) standards that there was all the fuss over? Mercedes and BMW don't meet them. So they pay the fine. And have for a decade. There are other industries that plot the same course.

    In the medical profession this attitude would be a serious liability methinks though - patients would probably quickly defect to a company that would offer them data security.

    1. Re:His Approach... by SnakeStu · · Score: 2
      In the medical profession this attitude would be a serious liability methinks though - patients would probably quickly defect to a company that would offer them data security.

      Sure, that would be the case for informed, motivated patients. That probably accounts for, say, 1% of all patients. The rest will either be ignorant or apathetic or both (i.e., willfully ignorant) and won't "defect to a [better] company" unless they are led by the hand.

      The typical consumer pays virtually zero attention to how their money (or information) is used once their purchase/transaction is complete. They're just focused on the immediate result. That's why massive corporations just keep on growing while small businesses that try to "compete" struggle until they collapse, and only those small businesses that find a niche unserved by the massive corporations can expect to survive and have a chance to thrive.

    2. Re:His Approach... by Anonymous Coward · · Score: 0

      That is, until the competitor runs an ad pointing it out. Suddenly your office is deserted.

  120. Re:Don't Panic!!! HIPAA is BS by annubis · · Score: 1

    Who is going to enforce it ? The Feds go after Blue Cross. Blue Cross mandates it to everyone else.

  121. Worse than you think by gmhowell · · Score: 2

    I'm in a similar situation. Right now, there are four of us who are playing hot potato about who will be the compliance officer. Since I'm in the office least of us, I'll probably be stuck with it (since I won't be able to protest when the paper is sent in:) I suggest a simple method of dealing with the problem: get a job in another industry. I understand there are many openings for 'drug mule' listed in the Miami Papers.

    Seriously though, trudge through it. There's no easy way. Threats of beatings and sacking is a good place to start (and yes, that's serious).

    I read through many comments saying "why haven't you done this already" and "there's nothing to worry about." Bullshit. First, the regulations STILL aren't cast in stone. This is hitting a moving target. Second, there are things to worry about, both from patients, doctors, and affiliated companies (where I would place suppliers of DME). There are going to be a myriad of subtle changes. Our current reading of the regulations is that we can no longer call patients the day before an appointment to remind them. Well, we can call, but if they don't answer, tough shit. Can't leave it on the machine anymore. Similar with callbacks for lab results.

    The 'privacy' improvements will be negligible, particularly compared to the extra hassles. Since I won't be able to say it at work, I'll say it here: folks, you asked for it. You begged your congresspeople to do something. Well, they did. And it sucks ass. I'm going to pay for it, and so are you. But when you bitch about all the hoops and extra forms you have to sign, just remember: you asked for it. When we have to raise prices (which won't help, since insurance, medicare, and medicaid won't pay any more) to pay for capital improvements, just remember: you asked for it.

    A special note for the people who literally asked for it (HIPAA, that is): I hope you die, painfully, bleeding to death on the street, waiting for some medical info to get to your location, but it can't because of some form you didn't fill out properly.

    I'm not a people person. I would have an awful bedside manner. That's why I'm in IT. That's why I get called in when HR has to do something shitty. Because I don't give a damn. I have seen the light, and it is the Scorched Earth Party.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  122. HIPAA is bad for the patient by barole · · Score: 1
    The privacy requirements put a crimp on research institutions. In order for research to proceed, information needs to flow freely. For example, you are at a research hospital developing software to diagnose some condition. You will not be able to do this because your software will not be HIPAA compliant (how can it be, it is just a research project). I agree that privacy is important, but HIPAA solves a problem that does not exist and the regulations were written by people (bureaucrats) who don't know anything about what they're regulating.

    Consider that you are a patient with a problem. HIPAA now prevents other doctors from examining your case without permission. How many problems get diagnosed accidentally by doctors checking on patients that are not theirs? This will no longer happen because they don't have permission to check.

  123. FDA and You by Anonymous Coward · · Score: 0

    First off Cliff take a serious breath, you are getting ready to embarrass yourself.

    All this assumes you are not bottling death (and it seems hard to imagine that your company is).
    Most government regulations (including FDA regulations) are based on "Do what you say you are going to do", meaning make sure your procedures match your actions. In other words, if you can't make it happen in time, make sure you have a plan in place to make it happen in a timely manner. Make your regulations match your plans, and show progress.

    Big ships are hard to turn quickly, the gov knows that.

  124. [OT] SNIP by Anonymous Coward · · Score: 1, Informative

    From http://www.cms.gov/hipaa/hipaa2/default.asp:

    Strategic National Implementation Process (SNIP) - A collaborative healthcare industry process for the development and implementation of standards. Site includes white papers on transactions, security, and privacy.

    For some reason, when I hear the phrase "SNIP" from the medical industry I have a tendency to wince. *g*

  125. Well... by NiftyNews · · Score: 2

    "For those who have already hopped thru the rings that represent HIPAA compliance on an general basis, what did you have to insure was done? "

    At my companie, we convarted all of the spel-checking staff into compliance ofisers to spede up the work.

  126. It's a Hardware Problem by Anonymous Coward · · Score: 0
    The electronic privacy requirements will cause many more identification situations than many workers use. Users often walk away from terminals and will have to log in again. Doctors flit between rooms. I've always seen my doctor and nurse log in to the display in exam rooms, but it sounds like this is not as common as it should be.

    Biometric identification is not very reliable, so the alternative now to typing passwords is to have a token. If you're not going to require everyone to type passwords whenever they need to use a terminal then they have to carry something to identify themselves.

    Any storage device could be used to create your own key storage device, but they could be copied. Web searches for "security token" (precede with your favorite technology - USB, Java...) show there are several possibilities.

    My favorite for this situation is an active IR badge. I don't know if one is commercially available. Hands-free, which is convenient to reduce contamination (My hands can't touch the keyboard now and I got an idle timeout warning!). Simple ones broadcast a code often...the code could change in a way which the validation system recognizes, or the system could issue a challenge which would cause the badge to give a coded reply. Codes have to be used which can't be remotely copied. Monitors and keyboards could lock when there is no badge within view, while individual stations could require a specific badge in order to continue an interrupted session.

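The badge scheme sketched above (reader issues a challenge, badge answers with a code that cannot be replayed) is a standard challenge-response exchange over a shared secret. The following is an added example and not code from the original post or any product: the badge IDs, keys and the choice of HMAC-SHA256 are assumptions, and the over-the-air transport is left out. It shows why a fresh random challenge that the reader accepts only once defeats someone who records the IR traffic, and why a badge that merely broadcasts a fixed code does not.

```python
import hashlib
import hmac
import secrets


class Badge:
    """The badge side: holds a per-badge secret and answers challenges.
    The secret never leaves the badge; only HMAC outputs go over the air."""

    def __init__(self, badge_id: str, key: bytes):
        self.badge_id = badge_id
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Reader:
    """The terminal side: issues fresh random challenges, each valid for one answer."""

    def __init__(self, keys: dict):
        self._keys = dict(keys)        # badge_id -> shared secret (assumed provisioned)
        self._outstanding = set()      # challenges issued but not yet consumed

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._outstanding.add(c)
        return c

    def verify(self, badge_id: str, challenge: bytes, response: bytes) -> bool:
        # A challenge this reader never issued, or one already answered, is a replay.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        key = self._keys.get(badge_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        # constant-time compare so response bytes cannot be guessed one at a time
        return hmac.compare_digest(expected, response)


class StaticCodeReader:
    """The weak design the post warns against: the badge broadcasts a fixed code.
    Whoever heard it once can present it again."""

    def __init__(self, valid_codes: set):
        self._valid = set(valid_codes)

    def verify(self, code: bytes) -> bool:
        return code in self._valid


def demo() -> dict:
    """Legitimate auth succeeds once; a sniffed (challenge, response) pair
    replayed fails; a cloned badge with a wrong key fails; a static code replays."""
    key = secrets.token_bytes(32)
    reader = Reader({"rn-0417": key})
    badge = Badge("rn-0417", key)

    c = reader.challenge()
    r = badge.respond(c)
    first = reader.verify("rn-0417", c, r)
    replayed = reader.verify("rn-0417", c, r)          # sniffer tries the pair again
    c2 = reader.challenge()
    forged = reader.verify("rn-0417", c2, Badge("rn-0417", b"guess").respond(c2))

    sniffed_static = b"\x13\x37"                       # overheard fixed badge code
    static = StaticCodeReader({sniffed_static}).verify(sniffed_static)
    return {"first": first, "replayed": replayed, "forged": forged,
            "static_replay": static}


if __name__ == "__main__":
    print(demo())
```

In a deployment the reader would also expire unanswered challenges after a few seconds rather than keep them forever, and the per-badge keys would be provisioned into tamper-resistant storage; neither changes the exchange shown here.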
    1. Re:It's a Hardware Problem by crusher-1 · · Score: 1

      Yep, at the hospital I work in the medications administration sheets have all been converted to electronic. We have laptops in every room with the software on it. We log in using a password and use Cisco wireless pcmcia cards to connect to the main database server. I tried to tell the IT department that perhaps using a wireless system may not be the best option because it's easily infiltrated, just need some guy sitting on a park bench with the proper tools to scan for open access. Well, to prove my point someone is obviously doing just that. Why? Because all the icons on the desktop have been renamed. What are they renamed with? The nurses' logins (e.g. my computer now reads creyyy, etc.. nice!). I tried to point this out but WTF do I know, I'm just a dumb R.N.

      That's not the only issue. One time on a weekend one of the admins remotely logged in to all the laptops on our unit to update/fix the programs. Well, guess what? She didn't log off and I had full admin on any laptop on our unit. Told my boss and sent the admin an email on her own account saying this is a major no no. Well never heard from her (but then I kinda expected that) but my boss looked at me with that "deer caught in the headlights" look when I tried to explain (as simply as possible) about having full access to the system due to the admin forgetting to log out after remotely logging in. And let's not get into the amount of time no nurse can extend (but now must) waiting for a page to come up at 08:00 to give the patients their morning meds --- when every unit in the hospital is doing the same thing -- oh joy!

      Cheers :)

  127. HIPAA from a physician's perspective... by Anonymous Coward · · Score: 2, Interesting

    Quite a few interesting comments on HIPAA. As a physician in a small group practice, here's a few points to ponder:

    1. Someone commented on HIPAA as an "unfunded mandate." That's a very apt characterization. I have seen estimates of the total cost for HIPAA implementation as high as 3 billion dollars. Where is that money going to come from? Basically, it comes from the operating budgets of physicians' offices, hospitals, etc. Remember that healthcare deliverers (doctors, hospitals, etc.) are essentially the only industry in which costs rise year by year, but revenues decline. If you look at the average physician's office (and mine is no exception), what you see is a shrinking margin between the cost of keeping the office operational and the monies collected. Since that margin represents a) doctors' salaries and b) monies for expansion, program development, etc., what you are seeing is an industry in decline. Adding an additional cost (HIPAA) had darn well better be worth the financial (and time and labor) impact. I doubt that will be the case.

    2. People often complain about lack of privacy in medical records, and with good reason, because your records should be private. However, whatever goes on in your doctor's office, I feel confident that more of your medical information circulates outside the doctors' offices than within. Further, the harder it becomes to share information from your chart, the more your care may suffer. Example: It is routine in my practice (as we are largely consultants to other physicians) for us to get records sent over in advance of a new patient visit. Often, the records we request do not arrive in time, so my staff will call the referring physician's office when the patient arrives and get records faxed. Now, with HIPAA, said "electronic transmission" may not be feasible - meaning that crucial information may not be available, meaning a second visit once that information has been received - less convenient for all involved.

    3. Given that HIPAA requires logging of all accesses to the medical record as to date, purpose, and person, how can that be done efficiently (and reliably) with a paper chart? It can't. This has led some pundits to postulate that to become fully HIPAA compliant, ALL medical records will have to become electronic. Even assuming that there were available enough good EMR software packages to accomplish this, imagine the time and cost of doing so. (BTW: It is not clear to me from the regs that non-electronic charts MUST be converted to electronic, or that the access logging rules apply to non-electronic data. I've asked a number of "experts" on this and have not gotten any clear answer.)

    4. It is not unlikely that "HIPAA compliance" in many small practices will amount to little more than a "HIPAA compliance manual" stuffed on a shelf, coupled with a bunch of letters from insurance companies, billing clearinghouses, and software vendors attesting to their HIPAA compliance. What a colossal waste of time and money once again.

    Don't get me wrong: I fully believe that medical information should (and maybe can) be protected and that people's private and personal information should remain private. In fact, I am very concerned about the overall loss of privacy we all face (and yes, I do have a shredder which I use liberally before throwing things in the garbage). It infuriates me each time I get a letter from an insurance company advising me which of my patients (by name) are on drug A and advising me that I could (?must) switch to "equivalent" drug B which (of course) is cheaper for that company. And so on. I'm just not sure that an increasing paperwork burden on the small practitioner, hospital, or payor is going to do the job here.

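On point 3, the access-log question, here is what the electronic version of that log looks like when it is built so that the log itself can be trusted. This is an added example, not code from the original post or from any EMR product; the field names, user IDs and record numbers are made up. Each entry records date, person, record and purpose, and each entry's hash commits to the previous entry's hash, so an edited or deleted entry shows up when the chain is checked.

```python
import hashlib
import json
import time

GENESIS = "0" * 64                       # hash value "before" the first entry
_FIELDS = ("ts", "user", "record", "purpose")


def _entry_hash(prev: str, fields: dict) -> str:
    """SHA-256 over the previous entry's hash plus this entry's canonical JSON."""
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + canon).encode()).hexdigest()


class AccessLog:
    """Append-only record of who touched which chart, when, and why.
    Every entry chains to the one before it, so tampering with an earlier
    entry (or removing one) invalidates every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, user: str, record_id: str, purpose: str, ts: float = None) -> dict:
        fields = {
            "ts": ts if ts is not None else time.time(),
            "user": user,
            "record": record_id,
            "purpose": purpose,          # e.g. treatment, payment, operations
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(fields, prev=prev, hash=_entry_hash(prev, fields))
        self.entries.append(entry)
        return entry


def verify_chain(entries: list):
    """Return (True, None) if the chain is intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        fields = {k: e[k] for k in _FIELDS}
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, fields):
            return False, i
        prev = e["hash"]
    return True, None


def accesses_to(entries: list, record_id: str) -> list:
    """The accounting-of-disclosures view: every (when, who, why) for one chart."""
    return [(e["ts"], e["user"], e["purpose"]) for e in entries if e["record"] == record_id]


if __name__ == "__main__":
    log = AccessLog()
    log.append("dr_smith", "MRN-1001", "treatment", ts=1.0)
    log.append("billing_ann", "MRN-1001", "payment", ts=2.0)
    log.append("dr_smith", "MRN-2002", "treatment", ts=3.0)
    print("intact:", verify_chain(log.entries))
    log.entries[1]["purpose"] = "treatment"          # someone rewrites history
    print("after tamper:", verify_chain(log.entries))
```

One caveat a practitioner should keep in mind: a hash chain detects changes in the middle but not truncation at the end, so the newest hash has to be anchored somewhere the log writer cannot reach (printed with the daily close, signed, or copied to a separate system) for the check to mean anything.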
    1. Re:HIPAA from a physician's perspective... by Timwit · · Score: 1
      Often, the records we request do not arrive in time, so my staff will call the referring physician's office when the patient arrives and get records faxed.

      Often is right! "Missing records" happens to me at every possible opportunity, except that no one ever bothers with faxing. In that regard, the medical profession appears to be even more screwed up than the service department at my incompetent car dealer.

      And since you are in the business...recently I've started thinking about the area of email communication between physicians and patients. My PCP publishes her address on her practice's web site--in stark contrast to my last PCP, who scoffed at my request for her address (this was a couple of years ago). I haven't had the chance to ask many physicians what they think about it. Are they planning to follow suit? Are they worried about being overloaded with gigantic lists of questions from their patients? Would it make sense to limit such email to very specific functions, such as reporting test results? It seems to me that in certain cases, it would be invaluable to a busy doctor, primarily because it is asynchronous, i.e. no phone tag headaches just to deliver a short communication that still requires a little interactivity.

  128. Risks of automatic Windows updates, and HIPAA lega by _alpha_ · · Score: 1
    This article in Risks Digest talks about WinXP in the HIPAA context:

    Apparently, the latest Service Packs for the popular Microsoft Windows 2000
    and XP operating systems contains new licence language that allows Microsoft
    to install new updates on your machine at will and without notifying you.

    ...

    The article quotes a systems manager at a teaching hospital:

    "Our procedures sometimes involve surgery to place over 100 recording
    electrodes in the patient, sometimes on the surface of the brain. These
    PC-based systems use Microsoft Windows..."

    Having a Windows application controlling the voltage to 100 pins surgically
    embedded in your brain is scary enough, but what happens if it updates to
    the latest Service Pack and that causes the systems to fail? While the pins
    are in your brain...

    And the follow ups.
  129. HIPAA Comliance.. by Anonymous Coward · · Score: 1, Insightful

    I'm a dentist and only have to deal with a small staff of 3 people. There are a bunch of silly new rules that don't involve IT. The biggest problem we are facing is that the companies that do electronic insurance claims are not up to HIPAA standard and are not going to make the deadline. So no matter what we do we are not going to be in compliance. The only redeeming grace is that I filed for my extension. I really don't think that enforcement is going to be that strict for a while because no one (including the government) really knows what needs to be done. I really don't think enforcement will initially be as draconian as the law spells out, because it is going to take some time for everyone to figure out exactly what needs to be done.

  130. HIPAA Compliant FW,etc by dkuntz · · Score: 1

    I work at an ISP that needed a content filter for a customer... what we wound up getting claimed to be a HIPAA compliant firewall/gateway. The company is eSoft. The biggest drawback to it is the cost... we had just a 25 user license, and 25 user content filtering... it's time to renew the license... and they want like $1500... and that's for only 25 people. But it WORKS, and it's fairly simple to set up... and if you don't need filtering like that, it shouldn't be too pricey.

    --
    OMG... I have a sig?
  131. +1 Accurate Headline by g0at · · Score: 1

    So, if I had to pick a glaring proofreading pothole in the headline, would it be "HPAAA" or "Compiance"... or would I get quadruple points for having both?

    Way to go editorial quality.

  132. Why did you stop consulting? by Timwit · · Score: 2

    Why did you stop consulting in the area of HIPAA compliance? Was there some overarching issue that made consulting in that area less than lucrative?

    When you were in the business, did you hear any talk about doctor-to-patient email (and vice versa)? I'm curious about that area, but I haven't done any research on it aside from a few informal conversations. So far, most physicians seem pretty skeptical that it will catch on, ironically except for my own doctor, who encourages it.

    1. Re:Why did you stop consulting? by leftism11 · · Score: 1

      The focus of my HIPAA compliance was to serve middle-market healthcare clients. Although we worked with a few clients, we found that the market tended to consist of very big organizations, and relatively small organizations. The big guys used Big 5 and other very large healthcare consultancies and were out of our scope.

      The small guys were lazy, procrastinating, too busy, and lacked the funds to pay for consulting services, despite the fact that they desperately need help and will never meet the compliance deadlines by themselves. They just didn't seem to care enough to take it seriously, and were largely hoping to just stay off of the radar until some magical time at which point they might become compliant.

      A few of the mid-sized guys tended to do it themselves or use existing relationships with consultancies, even if those vendors had no HIPAA experience.

      It was a strange situation, and we eventually shut down the practice due to lack of motivation from the prospects that we spoke with.

      As for your e-mail question, based on what I have seen, there is extremely limited use of e-mail for doctor-to-patient communications. There are obviously a few leading edge adopters, but they are apparently the exception. Electronic delivery of information between healthcare organizations is growing rapidly, but those communications tend not to have the sticky issues of communication with patients.

      The technical challenges of any type of secure e-mail are much greater than those surfaced by HIPAA, and managing those communications is yet another huge issue, both of which have been around since e-mail was 'invented'. Until the IT industry can solve the issues in a reasonable manner, I don't see e-mail becoming a popular means of confidential or private communications.

    2. Re:Why did you stop consulting? by Timwit · · Score: 1
      It was a strange situation, and we eventually shut down the practice due to lack of motivation from the prospects that we spoke with.
      That's too bad. In any industry, you figure there is some opportunity at the lower-middle end of the market, because even large players have a hard time being everywhere at once, and their cost structures tend to be too high to justify fanning out to pursue smaller clients. But then there is that little problem of smaller customers being backward and stingy!
      ... Until the IT industry can solve the issues in a reasonable manner, I don't see e-mail becoming a popular means of confidential or private communications.
      It seems that some good solutions are being rolled out as we speak. There is a company called Medem that is offering a comprehensive web-based system enabling physicians to interact with patients electronically. It goes far beyond secure communications (via browser SSL) to include a whole infrastructure for "Online Consultations." Although I doubt that particular practice will catch on anytime soon, it looks very interesting. Parts of the service could be useful without buying into their whole vision. Too bad they are offering it for free--just another example of how anything I think up is already being given away by somebody else :(

      If I may ask one more question...how did you get involved in the business in the first place? I'm curious about this because I am interested in business myself, but I am having trouble making the leap out of my cube (I'm an embedded programmer). I think I need to be working in a field position of some sort (in whatever industry) in order to spot a problem begging for a solution. At this point I don't even care about the size and scope of the potential venture, I need to find some way to get out there and see things.

  133. What is your opinion... by Timwit · · Score: 1

    Perhaps you are a programmer like me, with little connection to the business side of things in your company, but then again, perhaps you are in a position to have an educated opinion on the issue of secure doctor to patient (and vice versa) email communication. Does your industry expect it to become prevalent soon enough to deliberately target it? Or have people concluded that it is too far off in the future to pursue at this time?

  134. HIPAA is HUGE by MikeyNg · · Score: 3, Interesting

    The Health Insurance Portability and Accountability Act of 1996 will have extremely large ramifications for the IT industry. Some have said that it'll be bigger than Y2k compliance.

    The reason? HIPAA basically means that every single company out there that deals with the health care industry must meet standards to ensure that information can be transferred readily as well as securely. Think about it. That not only means hospitals and physician groups, but insurers, employers, welfare, Medicare, Medicaid, anybody that has anything to do with the health care industry.
    If your company is only starting NOW, I feel sorry for you - the Act was signed back in 1996, and the compliance dates have already been pushed back a few times already. HIPAA-compliance involves programmatic and systematic changes in the way things are done. Ideally, someone would set up the back-end so that features like electronic security and data retrieval are handled without the people on the front-end having to worry about it too much.
    My advice: learn how serious HIPAA-compliance is and translate that to the upper-level management. Maybe do a little research on what other entities are doing to achieve HIPAA-compliance. Take a look at HCFA, for instance, as a beginning. You need to make those people understand that HIPAA-compliance is a big deal, and their waiting this long to begin to get compliant spells doom. All of the employees are going to have to change their methodology, and a change like that can only come from the top.

    --
    Where the wind blows, the tumbleweed goes.
  135. watch it, d00d...(I'm serious!) by alizard · · Score: 2
    DISCLAIMER: IANAL... and I think you need your own legal counsel RIGHT NOW!

    You're an Oxygen Transfill Technician and you're ALSO the HIPAA Compliance Officer?

    Are you being given authority (as the guy said, "FOLLOW THESE RULES OR FIND ANOTHER INDUSTRY TO WORK IN!") and budget for consultants, including legal and software and clerical assistance to help you get your company up to speed on this? Have you gotten a pay raise? Are you now at VP level at your company?

    If not, you might as well get used to an unofficial job title of "Company Fall Guy"... they have no intention of getting into compliance until they are forced to. I suggest you document your activities CAREFULLY (start with your initial assignment... names, dates, places) in the likely event that you're going to wind up in court... with the company blaming YOU for incompetence.

    And start putting out resumes NOW for another gig in the field of Oxygen Transfill Technician; you need another job a lot closer to your training and experience. The real skill set that fits your assignment is a combination of law and system administration... the minimum set would be a telecommunications lawyer who understands the underlying technology, or at least enough of it to work with an IT pro to figure out what this really means to your organization... or an IT pro with IMMEDIATE access to HIPAA-qualified legal counsel.

    Your immediate responsibility to yourself is to get some legal advice... which I suspect strongly will be along the lines I suggested.

    There is some very good advice on compliance and technology here, but if you don't have authority and budget, get your ass out of there... you probably ought to get out of there even if you do, because if anything goes wrong, you will be blamed.

  136. PGP not good for newbies by 0x0d0a · · Score: 2

    Much as I hate to say it, PGP is not a good choice if you're (a) a company with deep pockets doing business-related stuff, and (b) have lots of people that aren't interested in understanding what's going on.

    The good parts of PGP are anonymity and zero cost. Both of these points are much less valuable in a business setting.

    The bad: the only good UI I've seen for PGP is mutt+gpg, where unknown keys are automatically fetched, defaults are set, the password is cached for a short period of time, verification is automatically done... Outlook's PGP interface is lame. Also, a lot of users seem to not get the whole "web of trust" concept, and tend to break it by trusting everyone.

  137. Boiling the Ocean by salesgeek · · Score: 1

    Getting end users to comply with HIPAA is tough because getting the average person to understand HIPAA isn't easy. Getting people to actually do the things they'll have to do is going to be about as easy as boiling the ocean. Something about old dogs, new tricks...

    --
    -- $G
  138. HIPAA promotes ignorance? by Anonymous Coward · · Score: 0

    If they're all about MS, then they probably don't use win98 anymore (the last version of windows I used). I'll work for you, I don't care to learn any more proprietary stuff.
    I'll screw around with my linux box all day, and pretend to be busy whenever it detects management presence.

  139. Ohh ohh ohh by DJPenguin · · Score: 1

    How do I do my job? Please help!

  140. Word and not PDF/TXT/HTML by Anonymous Coward · · Score: 0

    They posted it in word because that is what they use in the office. If the final version looks good printed, they will post it on the web the way that it looks on their computer, and if you try to change it (convert it to text/pdf/html), and change the formatting in ANY way, there will be hell to pay before and after all the forms and level of red tape you have to get.

  141. Covered Entities. by Anonymous Coward · · Score: 0

    Are you sure you really, really need to be HIPAA compliant? Last time I checked HIPAA is only relevant to payers, providers, and clearinghouses as "covered entities". Also it's only relevant to individually identifiable health information (IIHI). Now as a medical device manufacturer you already know about FDA regs and compliance, but I'm not too sure where HIPAA comes in with your company. Any of your customers that are covered entities should have a "business associate" agreement with you in order to protect any IIHI, but that's up to the covered entity.

    Of course that's the letter of the law/reg. You might have decided to be "HIPAA compliant" because of market pressures since you are a vendor to entities that have to be compliant.

  142. Seeded? - Yes it is - read the FAQ by Anonymous Coward · · Score: 0

    Can we avoid boring questions that have been answered many times in many places for example:
    http://www.channel4.com/science/microsites/S/scrapheap/show/FAQ.html

    to quote:
    Is the scrapheap 'seeded' with appropriate materials?
    Almost everything that is used in the programme is general scrap. But in order for us to be able to set a wide variety of challenges, we sometimes have to place something specific on the site. We always make sure that there are the materials to build at least two different solutions to the challenges we have set.

  143. Re:Don't Panic!!! HIPAAA is BS by eam · · Score: 1

    A perfect example of why HIPAA won't work. I don't mind that the slashdot editors got it wrong, but here is someone who is "in charge of tons of HIPAAA stuff" and he doesn't know that it is "HIPAA" not "HIPAAA".

  144. Reality check, please. by budalite · · Score: 2

    A few items that are of note here:
    1. The HIPAA mandates have been in place for about 3 years. The final date for compliance has been similarly known by all who need to be aware and compliant with HIPAA. There are no excuses.
    2. For those who don't know what HIPAA is, it essentially mandates that anyone who handles personal medical information must insure the confidentiality of that personal medical information, ESPECIALLY when it is placed on-line or when it is sent anywhere electronically. As in YOUR RIGHTS ONLINE sort of personal confidentiality. As in securing personal data so it won't be viewed, handled, or sold by unauthorized people. This is not a trivial issue.
    3. Just as I have no patience with companies that collect, mishandle, and/or sell my personal data, I have little patience for people or companies who, having known about this for over 3 YEARS, have done nothing to get into compliance with the securing of patient data. Your medical data.

    Would you like your medical information passed around like any old text file or even sold to the highest bidder, like your credit card info has been? It's happening and HIPAA is meant to stop it. I think this is a good thing.

    Thank you.

  145. simple solution by misterhaan · · Score: 1

    if you're really worried about HIPAA, don't use computers! as far as i know, it only applies to electronic information, but then again, i work at a healthcare SOFTWARE company, so most of the worries are on our customers. we don't actually have to be HIPAA compliant, but customers wouldn't want to buy our software if it didn't help them to be.

    --

    track7.org has all kinds of interesting stuff!

  146. But think of the children! by bill_mcgonigle · · Score: 1

    Wow, now you've made me enthusiastic about voting Democrat, dude. I just calls 'em like I sees 'em. Really, though, a Universal ID would probably save a few lives a year - preventing adverse events (medication allergies, etc.) on ER patients, etc. I once worked up a cryptographic protocol that ran like DNS whereby records could be non-centralized and a web of trust would allow proper retrieval. But then I found out that the thought leaders were behind the universal ID primarily for cost savings, not for the patients, and liberties be damned. The Universal ID isn't the only way to solve these problems either. There are certain costs to liberty, and this may be one of them. You know, the world would be a much safer place if everybody was in jail. Some people like to back off of that extreme until enough people are happy, others like to back off the other extreme until enough people are happy. And there we have American politics.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  147. HIPAA vs. Patriot Act by ken_i_m · · Score: 1

    I was at a security conference a couple of weeks ago and this subject came up. One of the attendees there is the CIO for a backbone provider who has been looking at these two edicts from Congress.

    The problem? They conflict. And not just a little.

    I have not had time to read these acts in full. Thus I am unable to offer specific details. The 40k feet view is that the Patriot Act requires user identification and burdensome record keeping that in detail is intended to make it extremely easy to determine who, what, when, where.

    HIPAA on the other hand is almost the exact opposite.

    A lot of time and effort went into the crafting of HIPAA. On the other hand, the Patriot Act was a kneejerk approval of a very focused special interest group's agenda. An agenda that they have been forcing before Congress every year for many years and were soundly shot down every year.

    What the hell is it with the naming of the nasty ones that get passed by Congress? The "Patriot Act" guts all the ideals that the United States was founded on.

    I better stop here before I start on rant mode.

    I think, therefore, ken_i_m

  148. Re:Don't Panic!!! HIPAAA is BS by MaxQuordlepleen · · Score: 1

    isn't that more an example of why slashdot doesn't work ;)

  149. Re:Bureaucratic filth by chialea · · Score: 2

    Latanya Sweeney at CMU is working on a notion called k-anonymity. Should be another paper coming out sometime, from what I hear. Anyways, "completely" anonymous doesn't really mean that in a lot of cases. They've had great success identifying people by linking different sets of information. But in any case, I doubt that the regs right now do anything useful anyways. Hopefully they'll get changed if something provably good comes up.

    Lea
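The linkage problem this comment refers to can be measured rather than argued about. The following is an added example (not from the thread, not Sweeney's code): it computes the k of a constructed set of "de-identified" records over the classic quasi-identifiers (ZIP, birth date, sex), shows how many records a constructed public roster would pin down uniquely, and walks a generalization ladder until a target k is reached. All records, names and ZIP codes are constructed.

```python
"""k-anonymity check for a de-identified record set (added example).

The records and the public roster below are constructed sample data;
the quasi-identifiers (ZIP, birth date, sex) are the ones the linkage
argument is usually made with.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    zip_code: str
    birth_date: str   # YYYY-MM-DD
    sex: str
    diagnosis: str    # the sensitive attribute the release is meant to protect


# Constructed "de-identified" release: names removed, everything else kept.
RECORDS = [
    Record("02138", "1965-07-21", "F", "hypertension"),
    Record("02138", "1965-07-21", "F", "diabetes"),
    Record("02139", "1965-03-02", "M", "asthma"),
    Record("02139", "1971-11-15", "M", "asthma"),
    Record("02140", "1965-08-09", "F", "hypertension"),
    Record("02141", "1965-01-30", "M", "flu"),
    Record("02138", "1965-09-17", "F", "flu"),
    Record("02142", "1971-05-05", "M", "diabetes"),
]

# Constructed public roster (name, ZIP, birth date, sex), e.g. a voter list.
ROSTER = [
    ("Voter A", "02139", "1965-03-02", "M"),
    ("Voter B", "02138", "1965-07-21", "F"),
    ("Voter C", "02142", "1971-05-05", "M"),
]


def quasi_id(r, zip_digits=5, date_granularity="day"):
    """Quasi-identifier tuple under a given generalization of ZIP and date."""
    width = {"day": 10, "month": 7, "year": 4}[date_granularity]
    return (r.zip_code[:zip_digits], r.birth_date[:width], r.sex)


def anonymity_k(records, **gen):
    """k = size of the smallest equivalence class; k == 1 means some record is unique."""
    return min(Counter(quasi_id(r, **gen) for r in records).values())


def unique_records(records, **gen):
    """Records whose quasi-identifier is shared with no other record."""
    counts = Counter(quasi_id(r, **gen) for r in records)
    return [r for r in records if counts[quasi_id(r, **gen)] == 1]


def reidentifiable(records, roster, **gen):
    """Roster entries that match exactly one released record: the linkage risk.

    Returns (name, diagnosis) pairs, i.e. what a release at this
    generalization level would give away to anyone holding the roster.
    """
    by_qid = defaultdict(list)
    for r in records:
        by_qid[quasi_id(r, **gen)].append(r)
    hits = []
    for name, zip_code, dob, sex in roster:
        probe = quasi_id(Record(zip_code, dob, sex, ""), **gen)
        matches = by_qid.get(probe, [])
        if len(matches) == 1:
            hits.append((name, matches[0].diagnosis))
    return hits


def generalize_until(records, k_min):
    """Coarsen ZIP and date step by step; return the first level reaching k_min, or None."""
    ladder = [(5, "day"), (5, "month"), (3, "month"), (3, "year"), (2, "year")]
    for zip_digits, gran in ladder:
        if anonymity_k(records, zip_digits=zip_digits, date_granularity=gran) >= k_min:
            return {"zip_digits": zip_digits, "date_granularity": gran}
    return None


if __name__ == "__main__":
    print("k at full precision:", anonymity_k(RECORDS))
    print("unique at full precision:", len(unique_records(RECORDS)))
    print("re-identified at full precision:", reidentifiable(RECORDS, ROSTER))
    level = generalize_until(RECORDS, 2)
    print("first level with k >= 2:", level)
    print("re-identified at that level:", reidentifiable(RECORDS, ROSTER, **level))
```

Note that the ladder stops at a 2-digit ZIP; with this small set no level reaches k = 3, which is the usual finding: generalization alone cannot rescue a release whose equivalence classes are tiny.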

  150. Re:Risks of automatic Windows updates, and HIPAA l by SuiteSisterMary · · Score: 2

    If the computer controlling your brain electrodes is networked in any way, other than one way send to a monitoring station, I'd say that they NEED to send more voltage through said nodes.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  151. Re:Don't Panic!!! HIPAAA is BS by eam · · Score: 1

    I guess it's an example of both ;-)

  152. Why not try this? by NastyGnat · · Score: 1

    Our HR director is scared to death of these new HIPAA Rules. Main thing that worries him is that we are going to overlook something and that it will come down on him.

    We've spoken with our "insurance managers" and since we are a small group (less than $5 Mil/yr) we have that extended deadline to be in full compliance. Still, we were asked to find a simple and convenient way to encrypt email.

    What I ended up using, even though our provider isn't ready for it yet, is a little tool called GPGRelay. This tool allows you to use GPG transparently, independently of the email client. It might be easier to use a server based product to do this, but then you'd have to have some way for the server to authenticate the sender without a password being sent plain text across the network.

    Anyhow, that's what we'll probably do unless our provider makes us do otherwise.

    Hope this Helps...

    --
    -- this space for rent --
  153. HIPAAA by MeBadMagic · · Score: 1

    We recently were asked to develop an infrastructure to facilitate the sharing of patient demographics among a large group of practitioners. To be HIPAA compliant we designed an intelligent, web based infrastructure that would act like a data warehouse except the data wasn't actually centrally stored. What we did was to use HL7 to communicate with each practice's separate system regardless of what practice management software they had and what version. We were able to learn what each system did and what it expected and required both the practice that was making the information available as well as the practice that was requesting it to sign off on the transaction. This itself didn't necessarily make us HIPAA compliant; however, it put the responsibility on the users of the infrastructure to be HIPAA compliant. Unfortunately, they have not moved forward to implement this design because we didn't have previous medical or HIPAA experience. Makes you wonder what they want. I mean do they want computer/networking people to design the infrastructure or their doctors? To sum up an answer for you, giving your staff tools that require or force the user to follow procedure is one of the best ways in my opinion to ensure compliance. -- Sounds like a programmer! hehehe B-)

    --
    A friend will come and bail you out of jail, a true friend will be sitting next to you saying, "damn that was fun!"
  154. Databases? What about online pharmacies then? by BlueUnderwear · · Score: 2

    If databases really are so scary to HIPAA, then how can these "cheap Viagra" online pharmacies get away with it? These e-commerce sites are often backed by databases which hold the data that customers type into the online forms used to grant or deny the prescription. These forms include medical details such as allergies, past surgeries, various medical conditions such as Herpes, misc cardiovascular problems, etc.

    --
    Say no to software patents.
  155. CORRECTION Re:IT ISN'T AS HARD AS IT LOOKS! by leftism11 · · Score: 1

    One correction--I don't have a magical list of URLs that will provide you with any HIPAA secrets.

    The two I have already listed serve as my sole sources of HIPAA information. Nearly every other site that I have read either has unreliable info or is out of date.

    Start with a thorough reading of the regs and I think you will find that you only need to scour the web to find others in your specific industry to help you tackle some detailed issues that you will run into.

  156. Netilla? by Anonymous Coward · · Score: 0

    Is anyone using Netilla to give remote access to users in a HIPAA environment?

    http://www.netilla.com/

  157. No government funding? Careful what you wish for! by ccmay · · Score: 1
    Since you don't like government interference in your business, I hope that your health care firm will give up access to funding in the form of Medicare, Medicaid, NIH research funds, etc. It would be terrible if you were to behave hypocritically by taking lots of government money and then turn around and complain about government regulations.

    It's attitudes like this that ensure that physicians will continue to flee from Medicare. Their reimbursements become more paltry every year, and with the unfunded mandates of HIPAA compliance piled on top, it will soon be impossible for many physicians to see Medicare patients and still remain in business. And that's without even considering the effect of the spiraling cost of malpractice insurance.

    From 2001 to 2004, payments will fall by 17%. That doesn't sound too awful until you realize that a lot of doctors' offices run on a 25% or 30% profit margin. Depending on how many Medicare/Medicaid patients your doctor sees (and for some it is virtually 100%), a 17% Medicare cut can trim your doctor's take-home pay by more than 50%.

    There are already a lot of doctors who have decided to go cash-only. You pay 100% of the bill at the receptionist's desk, and you take your own bill to your insurance company and fight them for reimbursement. They refuse Medicare patients altogether and thereby stay free of Federal regulation. This is a worrisome development in my opinion, and further unfunded mandates like HIPAA will only worsen the trend.

    -ccm

    --
    Too much Law; not enough Order.
  158. CMHC Systems by Anonymous Coward · · Score: 0

    One company I know who is actively trying to get people up to speed on HIPAA as well as get the product they sell compliant is CMHC Systems.
    http://www.cmhcmis.com/
    They have a few links on HIPAA on the main page.

  159. A little warning. by geekoid · · Score: 2

    I have been in the Financial, Banking, and logistics industries. In ALL those industries, I have seen many government mandates, and they all seem like how you present HIPAA. At first. Then one day the government says "It's final, no more extensions." When you complain they pull out a stack of paper and say "You've been given many extensions, now get in line. Oh, by the way, since you filed for extensions, we no longer have the appropriate confidence in your compliance; please prove to us you're compliant, you have 15 days."

    Then the government releases some document, in some Journal, that says "how happy they are the following companies are compliant." If you are a medium or larger sized company, and you are not on their compliance list, you will lose a lot of money because you can bet your ass the people who buy your product and sell you products, and conduct "high level business" with your company read that list, and they will go away.

    So you see, the government knows how to get compliance without "compliance police". I have seen banks have a severe decline in stock value just for not being on the preliminary list of compliance for some new regulations.

    OTOH, maybe business in the medical world is that radically different, but I doubt it.

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  160. Shut up, you! by geekoid · · Score: 2

    I get paid 150 an hour to get my customers compliant 'cause it needs to be done, real fast.

    Just like I got paid 150 an hour to build web pages, and 150 an hour to "fix" the Y2K thing.

    So I'll really get 150 an hour for the next 2 years, minimum. Daddy's gettin' a new 'Vette!

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect