    ProjectSend

    IT Discussion | Tags: storage, projectsend
    157 Posts 9 Posters 81.1k Views
    • scottalanmiller

      From hhs.gov

      Basic Principle. A major purpose of the Privacy Rule is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by covered entities. A covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing.

      • scottalanmiller

        Required Disclosures. A covered entity must disclose protected health information in only two situations: (a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action.

        • scottalanmiller

          And notice that IT is not even considered a business associate:

          Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. Business associate functions or activities on behalf of a covered entity include claims processing, data analysis, utilization review, and billing. Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.

          • scottalanmiller

            Access and Uses. For internal uses, a covered entity must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.

            • scottalanmiller

              I would say that ANY access by IT (or facilities, or janitorial or decorating) staff is a very clear violation of the intent of the law.

              • scottalanmiller

                Let's think of it in another way.... would you be happy having this conversation with a judge:

                "Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."

                and...

                "No, I was not directly told to access this data or to secure the network in this manner."

                • scottalanmiller

                  If you were asked the questions that led to those answers, would you feel that the access and potential disclosure of that data was allowed or justified? In the first case, I think HIPAA is violated. In the second, I fear that the "corporate veil" would be pierced and it might become a personal liability rather than a corporate one.

                  • Dashrender @scottalanmiller

                    @scottalanmiller said:

                    Let's think of it in another way.... would you be happy having this conversation with a judge:

                    "Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."

                    and...

                    "No, I was not directly told to access this data or to secure the network in this manner."

                    Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.

                    • scottalanmiller @Dashrender

                      @Dashrender said:

                      @scottalanmiller said:

                      Let's think of it in another way.... would you be happy having this conversation with a judge:

                      "Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."

                      and...

                      "No, I was not directly told to access this data or to secure the network in this manner."

                      Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.

                      So you feel that the privacy of HIPAA data is okay to breach if the reason is for protecting YOUR network? I don't believe that a judge would see that in a kind light. Protecting your network, protecting any network, is not something that health data is allowed to be used for.

                      • scottalanmiller

                        As someone with health data out there, it worries me that people who are entrusted to protect it probably routinely feel their own security needs would justify the theft and misappropriation of my data for their own, personal uses, which is not just wrong on its own, but puts my data at greater risk as it would then be stored and used outside of HIPAA regulated systems. No one would be looking for that data to be stored with network records, for example.

                        • Dashrender @scottalanmiller

                          @scottalanmiller said:

                          @Dashrender said:

                          @scottalanmiller said:

                          Let's think of it in another way.... would you be happy having this conversation with a judge:

                          "Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."

                          and...

                          "No, I was not directly told to access this data or to secure the network in this manner."

                          Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.

                          So you feel that the privacy of HIPAA data is okay to breach if the reason is for protecting YOUR network? I don't believe that a judge would see that in a kind light. Protecting your network, protecting any network, is not something that health data is allowed to be used for.

                          The difference is that I don't consider it a breach. I work for the company that has the data. If said company feels that it's within my job duties to access that data, then I'm allowed to do so. Period.

                          You were trying to compare IT to a Business Associate (BA) but internal IT is not a BA because it's internal, and therefore falls under the normal coverage of the Covered Entity itself, not a BA.

                          • Dashrender @scottalanmiller

                            @scottalanmiller said:

                            As someone with health data out there, it worries me that people who are entrusted to protect it probably routinely feel their own security needs would justify the theft and misappropriation of my data for their own, personal uses, which is not just wrong on its own, but puts my data at greater risk as it would then be stored and used outside of HIPAA regulated systems. No one would be looking for that data to be stored with network records, for example.

                            That was one heck of a leap. Why would you assume for even one second that I would pull the actual data out of the HIPAA controlled system? If the IPs and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it? Perhaps I could make an external document stating that I made a phone call regarding this information, again something I would never do at this company, but that external data could only refer to, say, a chart number, but no name or phone number.

                            • scottalanmiller @Dashrender

                              @Dashrender said:

                              The difference is that I don't consider it a breach. I work for the company that has the data. If said company feels that it's within my job duties to access that data, then I'm allowed to do so. Period.

                              That's completely not true. That is anything but a "period." That would simply make managers culpable too. That would constitute data theft no matter who in that company decided to do so.

                              • scottalanmiller @Dashrender

                                @Dashrender said:

                                You were trying to compare IT to a Business Associate (BA) but internal IT is not a BA because it's internal, and therefore falls under the normal coverage of the Covered Entity itself, not a BA.

                                Are you sure? Because they mentioned external entities separately.

                                • scottalanmiller @Dashrender

                                  @Dashrender said:

                                  That was one heck of a leap. Why would you assume for even one second that I would pull the actual data out of the HIPAA controlled system?

                                  Because you said that you would use mine (a client's) personally identifiable data that ties me to the facility and provisioning for your own purposes. Only going by what you stated.

                                  • scottalanmiller @Dashrender

                                    @Dashrender said:

                                    If the IPs and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it?

                                    Because it goes to you; you, being IT and not being part of the health care delivery system, are the breach yourself. You are personally the system outside of the HIPAA control. The point of HIPAA is to restrict who gets access to my records to the people who need it in order to deliver my healthcare; you are not one of those people.

                                    • scottalanmiller @Dashrender

                                      @Dashrender said:

                                      Perhaps I could make an external document stating that I made a phone call regarding this information, again something I would never do at this company, but that external data could only refer to, say, a chart number, but no name or phone number.

                                      But the point is that the breach has already happened. And not to protect your systems either, because it isn't your data being protected. That's a fundamental thing to consider. None of this, in any way, is to protect you.

                                      • Dashrender @scottalanmiller

                                        @scottalanmiller said:

                                        @Dashrender said:

                                        If the IPs and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it?

                                        Because it goes to you; you, being IT and not being part of the health care delivery system, are the breach yourself. You are personally the system outside of the HIPAA control. The point of HIPAA is to restrict who gets access to my records to the people who need it in order to deliver my healthcare; you are not one of those people.

                                        You implied the healthcare part of this. Not sure that's actually there. The Covered Entity decides who does and who doesn't get access to the HPI.

                                        • Dashrender

                                          You are basically saying that a Covered Entity can't decide that they want to do this, and do it... and I'd like to know why you feel that way?

                                          Also, why do you feel that puts you at more risk?

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            You implied the healthcare part of this. Not sure that's actually there. The Covered Entity decides who does and who doesn't get access to the HPI.

                                            Is that true? The covered entity gets unlimited choice in that matter? Having worked in hospitals doing HIPAA work consulting, that was very much not true by our and their belief. I've never seen anything in the HIPAA regulations that suggested that a covered entity had any such say.

                                            Page 4 of 8