Comments on: HIPAA Training Observations

By: Pete’s Hot, HIPAA’s Not? | RiskAnalys.is

Pete’s Hot, HIPAA’s Not? | RiskAnalys.is — Thu, 13 Sep 2007 13:20:22 +0000

[...] information we do have “leaked” looks like a high level review of documentation, and dentists trolling Infosec blogs mocking the whole HIPAA thing because of their risk [...]

By: Mike Milkhe

Mike Milkhe — Tue, 12 Jun 2007 15:37:08 +0000

Complying with HIPAA regulation can help complying with many other regulations and standards. A crosswalk between different regulations poster from Symantec is a very useful tool. This poster is crosswalk between: ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada) http://www.compliancehome.com/symantec/

By: Security Ripcord » Blog Archive » SRP 03032007 - Policy Scope Creep

Security Ripcord » Blog Archive » SRP 03032007 - Policy Scope Creep — Sun, 04 Mar 2007 07:28:55 +0000

[...] Security Ripcord Blog Post – HIPAA Training Observations – http://www.cutawaysecurity.com/blog/archives/112 [...]

By: Michael Ehart

Michael Ehart — Fri, 02 Mar 2007 20:28:48 +0000

“In all of history, how many paper charts would you guess have been exposed to thieves? Thousands? Here is how well HIPAA has done: In the last 14 months, 100 million electronic health records have been fumbled.”

Electronic health records being fumbled is not caused by HIPAA— it is caused by poor practices in handling information, which will continue as long as we fail to turn back the clock and return to those halcyon days of paper only records in every sphere of endevour— shoot, while we are at it, lets just go back to clay tablets, as information theft is far more difficult if each patient record weighs 4 ounces per page.
We could do this with banking, too! No more easily stolen and tapped ATM cards! If all we had were passbooks and cash, identity theft would be so much more difficult. In fact, let’s return to barter— then if you want to steal from me, you will have to be able to tuck my oxen under your coat.

I agree that Bush’s gutting of HIPAA and the current administration’s reluctance to enforce what remains is a problem, but as far as it being a full-employment program for the worthless infosec parasites like us, try typing in a job seach at Monster with a key word of HIPAA. Not much, and not high-paying. There are many real factors causing medical costs to be ridiculously high, but HIPAA compliance is not one of them.

By: Michael Ehart

Michael Ehart — Fri, 02 Mar 2007 17:39:01 +0000

Glad to see that HIPAA training is starting to be a little less alarmist in nature— back in the earliest days most trainings were given by lawyers, and scared the living daylights out of folks. You are certainly correct, there is not much about HIPAA that defies common sense, and many of the standards in a perfect world would be best practice even without the regulation.
HIPAA was pretty much written to be technology independant— combining the latest infomation security technology with the guidelines should be small trouble for most Covered Entities, except for the lamentable tendancy of most businesses to think of security only after there has been some sort of breach. This absense of a critical component of protection from the mindspace of management leads to many other problems, not just regulatory incidents.

Michael Ehart
CISSP, MCSA, CHA, CHP, Certified HIPAA Security Specialist
Comply With Me— a HIPAA Forum

By: Darrell Pruitt DDS

Darrell Pruitt DDS — Fri, 02 Mar 2007 15:53:24 +0000

Dear Cutaway:
A lot of smart people have worked long hours perfecting the HIPAA rules, both when they were passed a decade or so ago and ever since. Unfortunately, those working the hardest were clever people employed by the insurance industry. HIPAA is about portability, not privacy. As for the word �accountability�? That is a waste of English. Virtually nobody has ever been prosecuted for a violation.

In 2003 the act was quietly amended by the Bush administration to make it more insurance friendly, totally disregarding Americans� privacy. The amendment made HIPAA an expensive farce, but it assured employment of a lot of people like you, whose salaries are tacked onto already high medical bills. I guess it is more like a capitalists� WPA project in that respect.

Did they teach you that the forms one signs in a doctor�s office are meaningless? One cannot prevent the insurer from sharing patient information with over 600,000 business entities, which can include bankers, bosses (if self insured), and virtually anyone else who is interested enough to pay for the data. Yes, you heard me correctly. The insurers are planning for profits from selling personal information. Did your instructor cover that as well? (Source: patientprivacyrights.com)

Your concern that HIPAA only concerns electronic records and not paper records is absurd. In all of history, how many paper charts would you guess have been exposed to thieves? Thousands? Here is how well HIPAA has done: In the last 14 months, 100 million electronic health records have been fumbled. That equals one-third of the nation.

So you and your instructors are worried about the security of paper records. What is the caliber of an instructor who lies to students? Darrell Pruitt DDS