The individual is not covered under HIPAA, only entities. And since the security piece is not in effect, I do not see where the institution is reportable under HIPAA either; even if the security piece were in place. The laws of the state as noted cover this matter. I certainly would not make any inference that this situation falls under HIPAA in that it ends up potentially broadening covered entities' responsibility and potential liability. In fact, we had an employee steal face sheets and other PHI from a facility in retaliation for their termination. Although there was no selling of the information stolen, we reported this incident to OCR and they declined to get involved and so stated that it was not a HIPAA violation. Obviously this case goes far beyond that one.
Here is an interesting article from the Houston Chronicle this morning. I have been in touch with the reporter as well as the D.A.'s office regarding this matter. The D.A. is relying on us to assist them in interpreting HIPAA law and how it pertains to the hospital worker(s) that stole the patient records, the hospital that had the patient records stolen, the company that knew the records that they bought were in fact stolen records and the attorneys that purchased the stolen records.

Happy reading!

James Holler
HIPAA Connection
713.927.2390
All you can do is document the current capabilities of the system in place, and when and if they are planning on adding the features that you are concerned about in future upgrades. I would then add this to the risk analysis and figure out what the risk of not having these security features in place would cost your organization monetarily, as well as in standing within the community, should the EPHI be compromised in some way.

Oftentimes you will find that the risk does not outweigh the cost; other times risk will outweigh the cost, and if you have documentation to support that claim, it is much easier for administration to accept financial responsibility for changing out a system that is HIPAA compliant... I know... there is no such thing! :o)

Documentation is the key, and once you have done all that, you have met the intent of the rule.

Cathy Skinkis
St. Mary's Hospital
Green Bay, WI
To anyone that can help,

I would like to know how other hospitals are handling the security of their clinical computer equipment. Our main HIS was recently updated before the April deadline to accommodate the HIPAA regs (ability to mark patients confidential, individual log-ins, audit trail, etc.), but from the looks of things, nothing has been done to our clinical computer monitoring systems. We use GE computer systems for our MRI, CAT scan, and Nuclear Medicine departments; the system has a password upon entry into the system, but not individual log-ins. It is not possible to tell who did what. We recently had problems with someone "messing" with our Nuclear Medicine computer, so we installed locks on all the doors and secured the room (which is always supposed to be manned, but of course it isn't!). I have a call in to the Chief Privacy Officer at GE; he hasn't returned it yet.

We also use a cardiac monitoring system by Phillips (Agilent Technologies). It is Internet based; docs can get into the system (they each have their own log-in) and monitor the cardiac activity of the patients in ICU, CCU, telemetry and ER. My problem with this is that any doc can see any patient, not just their own. Isn't that a no-no? They can't edit or make changes, just view.

Does anyone have any specific references for this? Any help would be appreciated. Thanks.

Cecelia Sheridan, HIPAA Privacy/Security Officer
Southampton Hospital
240 Meeting House La
Southampton, NY 11968
(631) 726-8576
[EMAIL PROTECTED]
CONFIDENTIAL COMMUNICATION
THIS TRANSMISSION IS INTENDED ONLY FOR THE INDIVIDUAL OR ENTITY TO WHICH IT IS ADDRESSED AND CONTAINS INFORMATION THAT IS CONFIDENTIAL. IF YOU HAVE RECEIVED THIS COMMUNICATION IN ERROR, PLEASE DESTROY THE EMAILED MATERIAL AND CONTACT THE SENDER IMMEDIATELY AT SOUTHAMPTON HOSPITAL (631) 726-8576. THANK YOU.
---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.

You are currently subscribed to wedi-security as: [EMAIL PROTECTED]
To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED]
If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org