Don't be obtuse. The name John F. Kennedy was used to illustrate a point, you know an example.
The point of having a fake record would be that it wouldn't have NULL values for the fields. It would appear as a normal record. The fact that it shows up on legitimate searches isn't a problem, and would be a legitimate task for someone in Quality Control or someone involved in reporting to the State or Federal Databases. It all boils down to "need to know." If you are looking in a patient's record and you have no need to know (not treating, billing, etc.) you are in violation of HIPAA. The whole point of the honeytoken is to discover someone that is possibly engaging in an unauthorized activity. Could it be a mistake? It sure could, and little would happen after it was investigated. If the same person kept making these mistakes, or made a number of them in a short period of time, then it would be time for some training and/or HR procedures (including termination for repeat offenders).
Each HIPAA violation is a 100.00 fine. Pretty cheap until an entire database is compromised. A local hospital in my area had a temp nurse that also owned her own business. She queried the database for names and SSNs. Once she had them she billed Medicaid for services her business never performed. The cost to taxpayers was in the millions. A few honeytokens may have tipped the hospital off before the feds knocked on the door.
This was pre April 2003 so the HIPAA privacy rule wasn't in force; had it been, that hospital would have had a for sale sign out front.
Sorry, had I known you had a high security clearance I would have made the assumption you knew everything. A clearance is not a measure of knowledge, it is a measure of risk or trust.
Someone with a "high security clearance" should understand the concept of "need to know." If you are a clinician and you access data on a patient without authorization that is a violation of the HIPAA privacy rule. If Doris sees an error on her patient then by all means report it, fix it...whatever. If Doris isn't caring for a bogus entry in a database, she has no authority to query that record. Doris accessing a patient entry in a database which she has no authorization for, violates the HIPAA privacy rule, as in against the Federal Regulation.
Put very simply no clinician can access data on a patient without one of 2 things:
1) Permission by the patient (or representative)
2) Permission by the (previously authorized) attending clinician, such as a doctor seeking consultation with his peer.
This entire article is about using false entries as a way to catch would-be HIPAA rule violations and/or violators.
With a fake record there would be no attending physician or nurse, so how would the fake person die from an overdose? In the case of a real patient the attending healthcare worker would have the minimum access necessary to the patient's records. This is the concept of least privilege... enough to do the job and no more. It is very apparent you have never been in a healthcare information systems / security setting.
This is a very legitimate action, especially in the post-HIPAA world of privacy/security.
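As an added illustration (not part of the original comments): a small Python check over a constructed audit log that flags reads of decoy patient records and reads outside a user's need-to-know roster, treating a lone hit as something to investigate and a burst of hits in a short window as grounds for escalation. The honeytoken IDs, the authorization roster, the roles and the log lines are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: decoy patient records that look real but have no care team
HONEYTOKEN_IDS = {"P-90017", "P-90042"}

# Constructed need-to-know roster: patient id -> staff with a treatment/billing reason
AUTHORIZED = {
    "P-10001": {"dr_smith", "rn_doris", "billing_ann"},
    "P-10002": {"dr_lee", "rn_doris"},
}

# Roles whose job legitimately touches every record (QC, state/federal reporting)
QC_ROLES = {"qc", "reporting"}

# Constructed audit log: timestamp user role patient_id action
AUDIT_LOG = """\
2003-05-01T08:02:11 rn_doris nurse P-10001 view
2003-05-01T08:05:40 rn_doris nurse P-90017 view
2003-05-01T08:06:02 rn_doris nurse P-10002 view
2003-05-01T09:14:55 temp_nurse nurse P-10001 view
2003-05-01T09:15:10 temp_nurse nurse P-90017 view
2003-05-01T09:15:31 temp_nurse nurse P-90042 view
2003-05-01T09:16:05 temp_nurse nurse P-10002 view
2003-05-01T11:30:00 qc_bob qc P-90017 view
"""


def parse_log(text):
    """Turn the whitespace-separated log lines into (time, user, role, patient, action)."""
    events = []
    for line in text.splitlines():
        ts, user, role, pid, action = line.split()
        events.append((datetime.fromisoformat(ts), user, role, pid, action))
    return events


def classify(events, window=timedelta(minutes=10), repeat_threshold=2):
    """Per-user verdict: 'investigate' for a lone hit, 'escalate' for a burst inside `window`."""
    hits = defaultdict(list)
    for ts, user, role, pid, _action in events:
        if role in QC_ROLES:
            continue  # whole-database review is their job, not a violation
        if pid in HONEYTOKEN_IDS or user not in AUTHORIZED.get(pid, set()):
            hits[user].append(ts)
    verdicts = {}
    for user, times in hits.items():
        times.sort()
        burst = max(sum(1 for t in times if s <= t < s + window) for s in times)
        verdicts[user] = "escalate" if burst >= repeat_threshold else "investigate"
    return verdicts
```

Running `classify(parse_log(AUDIT_LOG))` singles out the temp nurse's four hits inside ten minutes while Doris's single decoy read is only queued for a look.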
Before slamming someone about a statement they make, you should see if the facts presented are plausible. In this case nearly 20 years of Windows experience has a ring of truth to it.
Windows 1.0 was released as a concept in 1983; it wasn't a released product until 1985. For those with math challenges, 2003-1985 is 18 years.... or nearly 20.
Windows 1 was pretty crappy but it was a windowed environment.