Archive for April, 2006

In the News…Potential HIPAA Violations?

Saturday, April 22nd, 2006

Today the Palm Springs, CA Desert Sun reported that a medical marijuana dispensary has to turn over client names, and discussed whether this is a violation of HIPAA.  The key to that answer is whether such an organization is considered a covered entity.  Of course, other privacy laws could very well be violated as well; however, for health-related information the focus sometimes goes automatically to HIPAA…which makes sense, but could be the least effective route to take with regard to privacy rights.

"Palm Desert medical marijuana dispensary is being required to turn clients’ names over to authorities, and client advocates say that violates their privacy rights.  Palm Desert city attorney David Erwin said the deal between the city and the CannaHelp dispensary on El Paseo, is merely meant to ensure that the dispensary is obeying state law.  The agreement, negotiated by Erwin and James Warner of San Diego, a lawyer for the CannaHelp dispensary, requires the dispensary to turn over clients’ names and state ID card numbers to the Riverside County Sheriff’s Department.  Calls to Warner on Friday from The Desert Sun were not immediately returned.  Under the agreement, finalized and made public this week, CannaHelp is allowed to sell medical marijuana only to users with a state medical-marijuana ID card.

The Desert Sun obtained a copy of the March 31 agreement signed on April 10 through the city clerk’s office.  The dispensary must also provide the sheriff’s department with weekly sales records, including clients’ names and ID numbers, and allow officers to review sales records at the dispensary every other week.  And that, said Lanny Swerdlow of Palm Springs, head of the Marijuana Anti-Prohibition Project, a patient support group, is a violation of the federal Health Insurance Portability and Accountability Act – HIPAA – which ensures the confidentiality of patients’ medical records. Under the law, patient records can be released if the patient signs a waiver.  "The dispensary should be viewed as a health care provider; all health care providers are bound by HIPAA," Swerdlow said. "I can’t imagine any patient in their right mind wanting their name to be released to the sheriff’s office."

But Erwin said the state and federal laws do not apply to the dispensary because it is not a medical facility and its customers are not patients.  "We’re getting nothing about the individual or anything else," he said. "We are getting information to see if they are complying with the Compassionate Use Act of California.""

It’s not considered a covered entity?  What is a "medical marijuana dispensary"?  Every article I could find referenced the people who got their legal marijuana there as "patients" getting their doctor prescriptions.  It appears from a state of California website that the folks going to these dispensaries are considered patients.  Would these dispensaries be considered a type of pharmacy then…dispensing what seems to be considered a drug in similar ways?  That’s probably the sticky wicket in this case.

"Passed by ballot initiative in 1996, that act, better known as Proposition 215, legalized medical marijuana for individuals with a doctor’s letter of recommendation. Senate Bill 420, passed in 2003, provided guidelines for implementing the law and required counties to set up offices to help issue the state IDs, which are supposed to be voluntary.  Mike Lerner of La Quinta, a CannaHelp client, said he had not applied for an ID yet, but if he had, he would not mind the sheriff’s office getting his name and ID number.  "You’re putting your name on the county register when you sign up. It’s a matter of public record," he said.

Room for compromise?  At the dispensary, owner Stacy Hochanadel said he would comply with the agreement but was still uncomfortable about turning over clients’ names.  "I’m trying to figure out if giving them just the ID numbers would be good enough to see if they’re verified," he said. "I don’t want to be sued for divulging confidential client information.""

I don’t know…would this be a case of the state of California law preempting HIPAA? 

"Palm Desert Mayor Jim Ferguson indicated Friday there might be room for compromise.  "(The agreement) should probably (be limited to) the ID number," he said. "I am not of the mind to collect information on individuals and turn it over to law enforcement. We honestly are trying to do the right thing."  But Erwin said that without clients’ names, "the agreement is not very effective. All you get is a number. What are we going to do with a number?" 

Conflicts of law

The question of exactly which laws do and don’t apply to the dispensary is further complicated by the conflict between California and federal law.  Using, growing or selling marijuana is illegal under federal law, and the U.S. Supreme Court ruled in June in Raich v. Gonzales that federal law takes precedence over state medical marijuana laws like California’s.  Alan Zamansky of the California Office for HIPAA Implementation said that means medical marijuana users are not covered by federal privacy protections.  And he said SB420 allows the city "to adopt and enforce regulations and laws relative to (the dispensary). The conditions that they made would appear to be helping to enforce that by ensuring only appropriate people would be able (to buy medical marijuana).""

Well…this is interesting…a precedent has been established…that HIPAA should preempt the state law?

"On the other side of the argument, Peter Warren, spokesman for the California Medical Association, notes that the California Supreme Court ruled in 2004 that doctors’ records relating to a patient’s use of medical marijuana are confidential.  And, he said, that protection could extend to dispensary records, like ID card numbers or the doctors’ letters of recommendation required to get them.  "One can presume under Proposition 215, something that authorizes (medical marijuana use) in a legal circumstance for a medically approved use is a medical record," he said."

This is a very good point…if a doctor has to prescribe it to get it from a licensed dispensary, then that would certainly seem to fall under HIPAA TPO (treatment, payment and health care operations)…and the accompanying HIPAA PHI protections.

"Another state Supreme Court decision, People v. Mower, in 2002, ruled that state officials have to treat medical marijuana the same as any other doctor-recommended drug, said Kenneth Michael White, a legal adviser for the Marijuana Anti-Prohibition Project, Swerdlow’s group.  "We’re talking about people’s medicine," White said. "You don’t usually have to waive medical privacy to get your medicine at a pharmacy."

Patients come first

Hochanadel said he will be posting notices at the dispensary advising clients that their names may be given to the sheriff’s department.  He is also concerned that sheriff’s officials could turn the biweekly reviews of his sales record into fishing expeditions.  "Am I going to have to justify every person? I have no idea who’s coming into my store, what their educational background is in medicine; it’s up in the air," he said. 

Representatives from the Riverside County Sheriff’s Department did not return calls seeking comment Friday.  Ryan Michaels, a former client at CannaHelp, said he had decided to find other sources for the medical marijuana he uses for his arthritis.  "My decision is to go to a different collective. I can’t be associated with that situation," he said. "When I look at medical marijuana, (dispensaries) come second, patients come first. You protect the patient.""

Hmm…does seem like HIPAA should protect this information, though, doesn’t it?

Reasons for Throwing Away Evidence…People Say the Darnedest Things!

Friday, April 21st, 2006

Here in the Des Moines, Iowa area there has been a scandal going on, with three executives of a non-profit agency collectively being paid $1.8 million in the last 18 months.  It was reported today that the day after one of these executives resigned because of the investigation, her secretary was found at the office at 4:30am "throwing away" boxes of papers from the executive’s office.

The secretary, Rieck, was quoted as writing: "I was unable to sleep well that night and I awoke early.  I proceeded to get up and go into work as I knew my cubicle needed to be organized and the boxes of old files reviewed."

Sure!  A restless, sleepless night makes a lot of people get up, get ready, and go into work 4 hours early, doesn’t it?

Well…scandals certainly seem to motivate people to clean house, don’t they?  Shades of Enron pop into mind.

Even if the secretary did not throw away anything involved with the investigation (remember, innocent until proven guilty), it just goes to show how investigations seem to be great motivators to carefully dispose of potentially sensitive or incriminating papers…and how otherwise, without that motivation, sensitive personal information, such as credit card information from a beauty supply store, gets tossed into the closest alley dumpster.

Looks like they need to learn about shredders…perhaps at an interesting site, All about Paper Shredders?  Just something I stumbled across…

Thief Steals Credit Card Information from Dumpster and Buys Computer; Remember the Disposal Rule

Thursday, April 20th, 2006

Today the Edmonton Sun reported that:

"A crook used stolen credit card information to buy a laptop computer after an Edmonton company dumped 2,606 credit and debit card sales receipts in an unlocked dumpster, says the Information and Privacy Commissioner’s office. Monarch Beauty Supply came to the attention of Information and Privacy Commissioner Frank Work last September after Edmonton city cops advised that someone had turned over documents containing personal information from the Monarch Beauty Supply store in west Edmonton. The documents included the store’s daily financial records along with customer credit and debit sales receipts containing customers’ names, credit card numbers, expiry dates, customers’ signatures and debit card numbers. The receipts were for transactions over a two-year period. Work investigated and found that Monarch Beauty Supply had contravened the Personal Information Protection Act by dumping the sensitive information in the unlocked dumpster."

I’ve seen multiple organizations that have invested huge amounts of financial and human resources to protect their networks, and then have non-existent security over the data and computers they dispose of…many doing similar things, such as dumping large amounts of papers with confidential information into open dumpsters.  This incident happened in Canada, but these types of situations happen all the time in the U.S., and other countries, as well. 

I don’t think a lot of U.S. organizations, especially small- and medium-sized businesses, are aware of the Disposal Rule that is part of the U.S. Fair and Accurate Credit Transactions Act (FACTA).  The Disposal Rule went into effect on June 1, 2005.  The FTC provides a guidance document about how to comply with this rule.

Do you need to comply with the Disposal Rule?  The FTC says:

"The Disposal Rule applies to people and both large and small organizations that use consumer reports. Among those who must comply with the Rule are:

Consumer reporting companies
Government agencies
Mortgage brokers
Automobile dealers
Attorneys or private investigators
Debt collectors
Individuals who obtain a credit report on prospective nannies, contractors, or tenants
Entities that maintain information in consumer reports as part of their role as service providers to other organizations covered by the Rule."

Compliance Q&A: Myths, mistakes and management advice

Wednesday, April 19th, 2006

I recently spoke with Jenny Wiseman at TechTarget about some common compliance myths.  The story, "Compliance Q&A: Myths, mistakes and management advice," was published today.

Check it out and let me know what you think…especially if you think I left out something critical during my discussion.

U.S. FTC Today Announced They Will Follow the OECD Recommendations for Combatting Spam

Wednesday, April 19th, 2006

Today the FTC issued a press release indicating the U.S. will join with the other 29 OECD member countries to cooperate in combatting spam. 

If only the U.S. Congress would use the OECD privacy principles to establish one comprehensive data protection (privacy) law applicable to all industries and organizations!

The press release included the following:

"The FTC has joined its foreign partners in calling for stepped up cross-border law enforcement cooperation and increased public/private sector cooperation to combat spam. The Organization for Economic Cooperation and Development (OECD) issued recommendations in this area today. The OECD is an international forum of 30 countries, including the United States, established to promote economic growth, trade, and development.  Spam is a vehicle for deception, for spreading viruses and spyware, and for inducing consumers to provide confidential information that can later be used to commit identity theft. Spam poses unique challenges for law enforcement in that senders can send their messages from anywhere in the world to anyone in the world, thus making spam an international problem that must be addressed through international cooperation. The OECD’s specific recommendations to address these challenges include the following:

Government enforcement agencies should have the necessary authority to take action against spammers located in their territory or against foreign spammers who target consumers in their territory."

This will be interesting to see put to the test.  Considering the proliferation of spam, it should be a long wait.

"Government enforcement agencies should have the ability to share information with foreign law enforcement officials in appropriate cases."

I wonder how far this information-sharing will go with regard to the data collected for investigations?  There are certainly some data protection laws that will conflict with this recommendation.

"Government enforcement agencies should have the ability to provide investigative assistance to foreign authorities in appropriate cases, particularly in obtaining information or locating or identifying people."

Again, it will be a test to see this recommendation put to action with regard to "locating or identifying people."

"Government enforcement agencies should partner with industry and consumer groups to educate users and promote information sharing."

It would be great to have some high-quality awareness and training materials; the government has already created several good training materials that businesses can use as part of their awareness and training efforts.

"Government enforcement agencies should cooperate with the private sector to facilitate the location and identification of spammers."

I will look forward to seeing what these outreach efforts will be.

"Countries should cooperate in international enforcement efforts; efforts to reduce the incidence of inaccurate information about holders of domain names; and efforts to make the Internet more secure.
The FTC has implemented many of the OECD recommendations. For example, it has engaged in aggressive law enforcement against international spammers; worked with an international network of spam enforcement authorities; partnered with the private sector on consumer education; and encouraged the private sector to implement domain-level authentication systems. In addition, the FTC has suggested that Congress enact legislation called the US SAFE WEB Act that would give the FTC new tools to cooperate with foreign counterparts in fighting spam and other types of cross-border fraud."

I think a big problem is that the private sector is often not aware of the efforts of government offices, such as the FTC, to partner on education.

Great Resource Links from Schmidt Testimony to the House Small Business Committee

Tuesday, April 18th, 2006

Howard Schmidt provided "The State of Small Business Security in a Cyber Economy" testimony to the House Small Business Committee on March 16.  He provided some great links to resources that can benefit not only small businesses, but really any size of business.  An excerpt of the testimony containing many of these links follows:

"B. Awareness and Training

1. There is a real need for SMBs to understand that threats against IT systems are not just directed against large companies and large enterprises.  There is a real need to provide the SMBs with a clear understanding that criminal activity is often directed at them as well.  Knowing that you are a potential target is important to understand how to keep from becoming a victim.

2. The Treasury Department has released a DVD called “Identity Theft: Outsmarting the Crooks” that is available to a wide audience including SMBs.  The FTC, USPS, USSS, Army CID as well as other private sector groups worked to create this DVD.

3. The FTC has long been a leader in providing awareness and continues to lead in this role.  In addition to the multiple efforts in which they partner with other public and private entities, they have created a web site in concert with the Department of Commerce, Department of Homeland Security, USPS and the SEC.  This web site provides a wealth of information that is vital to understanding cyber security and helps SMBs understand the threats that they and their customers face.

4. The National Cyber Security Alliance, formed in 2003 as a private-public partnership, has a dedicated section to help SMBs learn about cyber security, data recovery and reporting of cyber crimes.

5. The Multi-State ISAC, under the leadership of Will Pelgrin, from Governor Pataki’s office, has worked with the states to provide the awareness and training so states can pass this information on to their businesses and consumers in their jurisdictions.

6. US-CERT, with the Department of Homeland Security, provides free resources that allow businesses of all sizes to receive alerts and best practices free of charge.

7. The National Cyber Security Partnership, led by the US Chamber of Commerce, TechNet, Business Software Alliance and the Information Technology Association of America (ITAA), formed in a true private-public partnership, created task forces to provide awareness to SMBs.

8. The Industry Security Alliance created a SMB “Common Sense Guide” to Cyber Security.  This has been distributed through many organizations including US-CERT, the US Chamber of Commerce as well as a number of other web sites."

New Privacy Director At the TSA

Monday, April 17th, 2006

The Transportation Security Administration (TSA) today announced that Peter Pietra has been named the agency’s director of privacy policy and compliance.  He is currently TSA’s assistant chief counsel for information law.

"The Homeland Security Department agency said in a press release that Pietra’s appointment, along with expanded staffing of TSA’s privacy office, showed its commitment to privacy protection. "Peter’s appointment extends the privacy functions he currently serves and is expected to build a strong privacy program within the agency," said Kip Hawley, TSA administrator. "That knowledge, along with the close working relationship he has established with the DHS Privacy Office, makes him well suited for this new post." TSA said the pending launch of the Transportation Worker Identification Credential, Registered Traveler and Secure Flight programs highlight the increased workload and need for improved public communication about privacy policies. All three programs involve the use of personal information to conduct background checks needed to approve transportation workers and travelers for speedy transit of checkpoints or access to sensitive facilities. Pietra earned an undergraduate degree from the University of Pennsylvania and was a field artillery officer in the Army. He graduated from Temple University’s law school. He practiced law in the private sector and as an attorney for the Coast Guard before joining TSA’s Chief Counsel Office in 2003."

It appears from the org chart posted on the TSA site that R. Gunderson is, or was, the Chief Privacy Officer…in the Acquisition Department.

Health Information On Computer Stolen From Vancouver Office

Sunday, April 16th, 2006

Today The Chilliwack Progress reported that a computer, with a disk inside it, was stolen in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.  The disk contained confidential information about Fraser Health Authority (FHA) employees and their use of counselling services.

"Fraser Health Authority (FHA) employees have been warned that some of them who used an ultra-confidential counselling service may have had their privacy breached as a result of a theft of a computer.  The computer with a disk inside it went missing in March from the Vancouver office of the Employee and Family Assistance Program (EFAP) run by the Vancouver Coastal Health Authority.  The disk contained the names, birth dates, contact information and referral reasons for thousands of Lower Mainland health workers who sought help for intensely personal problems.  The service offers help with relationship counselling, drug or alcohol addictions, sexuality questions, abuse, loss and grief, and stress or emotional traumas – among other issues.  "People who use the EFAP program are often going through a crisis of some kind," said Hospital Employees’ Union spokesman Mike Old. "The theft of that information is of great concern to the union and its members."  Fraser Health Authority spokesman Paul Harris said the authority doesn’t know how many of its employees are affected.  "Because it’s a confidential service we have no idea who has used it," he said.  Old said the HEU is troubled that health authority employees weren’t notified of the theft until April 6 – 10 days after it happened.  The notification from EFAP indicated the data had some degree of encryption and might not be readily viewable.  "We have no reason to believe that the individual who stole the equipment is even aware or has any plans to use the information," it says.  EFAP says it is reviewing its security measures.  B.C.’s Information and Privacy Commissioner is investigating the theft and monitoring the response."

I wonder what "some degree of encryption" means?  Since it then goes on to say "and might not be readily viewable" I wonder if this really means the data was scrambled if viewed as a raw data file, but actually viewable through the software it is used with?
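The distinction behind that question can be shown concretely.  The following is an added example written for this post, not code from the article or from EFAP: it builds two versions of a "disk" holding constructed sample records of the kind described.  In scheme A the key is baked into the application (a hypothetical EMBEDDED_KEY), so the file looks scrambled in a hex editor but anyone holding the disk and a copy of the program reads it as easily as the program does.  In scheme B the key is derived from a passphrase that is never written to disk, so a thief can only guess, and each guess costs real work.  Only the standard library is used; the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a demonstration construction chosen to keep the example dependency-free, not a replacement for AES-GCM from a vetted library.

```python
"""Added example (not from the original post): what "some degree of encryption"
can mean on a stolen disk.  Scheme A hides the key in the software; scheme B
derives it from a passphrase that never touches the disk.  All records, names
and the passphrase below are constructed for the example."""
import hashlib
import hmac
import json
import secrets

# Constructed sample records of the kind the article describes.
RECORDS = [
    {"name": "A. Example", "dob": "1970-01-01", "referral": "stress"},
    {"name": "B. Sample", "dob": "1982-05-17", "referral": "grief"},
]

# Scheme A: hypothetical key shipped inside every copy of the application.
EMBEDDED_KEY = b"efap-app-secret-v1"

NONCE_LEN, SALT_LEN, TAG_LEN = 16, 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for the keystream and for the tag.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based keystream (demonstration only).
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag: wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    # Slow derivation so that every guess costs the thief real work.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def write_disk_scheme_a(records) -> bytes:
    """Looks scrambled as a raw file, but the key is in the software."""
    return encrypt(EMBEDDED_KEY, json.dumps(records).encode())


def write_disk_scheme_b(records, passphrase: str) -> bytes:
    """Only the salt is on disk; the key exists while the passphrase is entered."""
    salt = secrets.token_bytes(SALT_LEN)
    return salt + encrypt(passphrase_key(passphrase, salt), json.dumps(records).encode())


def thief_reads_scheme_a(disk: bytes):
    # The thief has the disk and the program, so EMBEDDED_KEY is theirs too.
    return json.loads(decrypt(EMBEDDED_KEY, disk))


def thief_reads_scheme_b(disk: bytes, guesses):
    # Without the passphrase only guessing remains; wrong guesses fail the tag check.
    salt, blob = disk[:SALT_LEN], disk[SALT_LEN:]
    for guess in guesses:
        try:
            return json.loads(decrypt(passphrase_key(guess, salt), blob))
        except ValueError:
            continue
    return None


def owner_reads_scheme_b(disk: bytes, passphrase: str):
    return thief_reads_scheme_b(disk, [passphrase])


if __name__ == "__main__":
    disk_a = write_disk_scheme_a(RECORDS)
    disk_b = write_disk_scheme_b(RECORDS, "moose-harbour-1957")
    print("scheme A, thief:", thief_reads_scheme_a(disk_a))
    print("scheme B, thief:", thief_reads_scheme_b(disk_b, ["password", "123456"]))
    print("scheme B, owner:", owner_reads_scheme_b(disk_b, "moose-harbour-1957"))
```

Both disks are equally unreadable in a raw dump, which is what a notification letter tends to describe.  The difference that matters to the affected employees is only whether the key travelled with the stolen hardware.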

It will be interesting to see what actions the British Columbia Information and Privacy Commissioner takes.  Would this be a possible violation of PIPEDA?

Notification Delayed Months after SSNs and birthdates of 40,000 stolen in Hawaii

Friday, April 14th, 2006

The Honolulu Star Bulletin reported today:

"Records containing the names, Social Security numbers and birth dates of more than 40,000 individuals were illegally reproduced at a copying business sometime before January while they were waiting to be put onto a compact disc for the state.  State Attorney General Mark Bennett said federal authorities notified his office of the theft in January but asked that the information be withheld while an unrelated drug investigation was ongoing."

This illustrates one of the concerns with the loopholes in existing and proposed breach notification laws: they allow law enforcement to delay notification after a theft of personal information that can easily be used for identity theft and fraud, without making law enforcement accountable for the harm that comes to the affected individuals in the meantime.

The information was withheld because of "an unrelated" drug investigation?  Someone, or perhaps several people, had 40,000 people’s SSNs and birthdates, and law enforcement thought it was okay that they be kept in the dark because of the remote chance that an unrelated drug investigation may somehow be involved? 

Accountability to law enforcement should be written in with these loopholes.  Perhaps then it would not be such a seemingly flippant decision for law enforcement to restrict notification if they were responsible for fixing all the messes that resulted from the crimes that occurred with the stolen data during that wait time when the corresponding people were kept in the dark.

""We are taking this issue very seriously and strongly advise those affected … to obtain and review their credit reports," state Attorney General Mark Bennett said yesterday in a news release. "Social Security numbers and other personal information can be used by thieves to obtain credit cards, to open fraudulent bank accounts, to mortgage property and purchase automobiles.""

They understand the risks, and yet they waited over four months to notify the individuals?  And now, they are advising them to obtain and review their credit reports?  They should at least be offering to pay for credit monitoring services for these people.  Again, organizations and law enforcement need to be more directly accountable for what happens to stolen personal data when they choose to delay notification.

"The records from the Voluntary Employees Benefit Association of Hawaii were set to be copied at NewTech Imaging in Honolulu when they were apparently illegally reproduced by one or more people, said Bennett’s special assistant, Dana Viola."

This is another surprising risk that was taken; highly confidential data was taken to a local public copy store and left to be reproduced?  Why was such a decision made to leave highly sensitive data in the hands of an untrusted third party, in what appears to be a neighborhood copy store, where the public mills about?

"She could not say when the records were taken, but Bennett believes it was after February 2005.  Federal investigators learned in January that the records had been stolen, Bennett said. Police later found the data on a computer that had been confiscated as part of an investigation into drugs.  Russell Okata, HGEA’s executive director, said the state is to blame for the theft because officials failed to "adequately protect the records" of the union’s members."

The sensitive data should never have been taken to a public store and dropped off for duplication in the first place.  Organizations who collect and maintain sensitive data must be responsible for it at all times, especially when they choose to entrust it to other organizations, for whatever reasons, and they need to be accountable when bad things occur as a result of those decisions.

Since This is Health Information Privacy and Security Week…

Thursday, April 13th, 2006

Last week I posted that this was Health Information Privacy and Security Week.  Seems fitting that I should put a few resources out in observance of the week, doesn’t it?  🙂
