Archive for the ‘Uncategorized’ Category

A true first test of HIPAA?

Tuesday, March 21st, 2006

There was an interesting story this weekend about how the Ohio Supreme Court ruled that the Ohio law guaranteeing people access to government records outranks HIPAA.  This ruling was reported to be "the nation’s first ruling weighing a state’s open-records law against provisions of the federal Health Insurance Portability and Accountability Act."  Basically a newspaper wanted to view lead-paint citations issued by the local health department.  "The Cincinnati Health Department denied access to 10 years’ worth of lead-paint citations, saying they contained children’s private health information because they listed the addresses of homes with lead hazards."

But is it really a test of HIPAA?  The first question would be, is the local health department a Covered Entity under HIPAA?  Well, does it fall under the definition of a healthcare provider?  Hmm… well, they are not listed as a healthcare provider on The Health Improvement Collaborative of Greater Cincinnati site.  Are they a healthcare insurer?  Not listed in that section, either.  Are they a clearinghouse?  Well, it is doubtful.

They are, however, listed within the "Public Sector" section.  Let’s check out the Cincinnati Health Department website using the link provided… oops!  An invalid URL.  Gee, looks like it should be a .gov site…

Okay…let’s see, where is the website for the Cincinnati Health Department?  Ahh…here it is, a .gov URL, which makes sense.  So, does it indicate that it is a healthcare provider, insurer/payer or clearinghouse?  Appears to be a provider; according to the website, "The Cincinnati Health Department provides many services to the community such as medical and dental care; inspections required under Cincinnati Municipal Code, Ohio Revised Code, and Board of Health Regulations; health education; litter and weed control; and maintaining birth and death records. The Department also investigates communicable disease outbreaks and is a partner in the regional medical response system for responding to medical emergencies in Cincinnati and the surrounding communities."

Now we need to determine whether the Department, as a provider, furnishes, bills or receives payment for healthcare, and transmits health information electronically in connection with a HIPAA standard transaction (the things necessary to be a CE).  Upon a quick skim it appears they probably do, but I cannot verify this.

Let’s assume they are a CE then.

Next question to ask is, what information was in the records?  Lead paint citations and the associated addresses.  Well, addresses ("geographic subdivisions smaller than a state") are one of the 18 identifiers the HIPAA regs list in the Privacy Rule’s Safe Harbor de-identification standard; health information that carries any of them is individually identifiable, and in a CE’s hands that is what makes it PHI.
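
As an added example (not from the post, the court, or any agency), here is the Safe Harbor reasoning applied to a constructed lead-paint citation record: every field is dropped unless it is on an allowlist, ZIP codes are cut to three digits (or "000" for sparsely populated ZIP-3 areas), and dates are reduced to the year, with ages over 89 collapsed into one bucket. The field names, the records, the release date and the ZIP-3 population figures are assumptions made for the example.

```python
"""Added example: the HIPAA Privacy Rule's Safe Harbor de-identification
standard (45 CFR 164.514(b)(2)) applied to a citation record before release.
The field names, the records and the ZIP-3 population figures are constructed
for this example; they are not the Cincinnati records discussed in the post."""
from datetime import date

# Constructed ZIP-3 populations (not census data). Safe Harbor keeps the first
# three ZIP digits only when the combined ZIP-3 area has more than 20,000
# people; otherwise the prefix is replaced with "000".
ZIP3_POPULATION = {"452": 600_000, "457": 18_000}

# Deny by default: a field survives only if it is listed below. Names, street,
# city, county, phone numbers, SSNs and the other identifier categories are
# never listed, so they are dropped without having to be enumerated.
PASS_THROUGH = frozenset({"state", "hazard", "violation_code"})
ZIP_FIELDS = frozenset({"zip"})
DATE_FIELDS = frozenset({"inspection_date", "child_dob", "owner_dob"})  # year only
DOB_FIELDS = frozenset({"child_dob", "owner_dob"})                      # also derive age

AS_OF = date(2006, 3, 21)  # constructed release date used to compute ages


def generalize_zip(zip_code, populations=ZIP3_POPULATION):
    """Three-digit ZIP prefix, or '000' when the ZIP-3 area is too small."""
    zip3 = zip_code[:3]
    return zip3 if populations.get(zip3, 0) > 20_000 else "000"


def age_on(dob, today):
    """Whole years of age; Safe Harbor collapses every age over 89 into '90+'."""
    years = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return "90+" if years > 89 else years


def deidentify(record, today=AS_OF, populations=ZIP3_POPULATION):
    """Return a copy of record with the Safe Harbor identifier categories
    removed or generalized. Unknown fields are treated as identifiers."""
    out = {}
    for field, value in record.items():
        if field in PASS_THROUGH:
            out[field] = value
        elif field in ZIP_FIELDS:
            out[field + "3"] = generalize_zip(value, populations)
        elif field in DATE_FIELDS:
            out[field + "_year"] = value.year  # month and day are dropped
            if field in DOB_FIELDS:
                out[field.replace("_dob", "_age")] = age_on(value, today)
        # every other field is an identifier, or unknown, and is dropped
    return out


# Constructed citation records. The street address is exactly the field the
# post says counts as an identifier ("geographic subdivisions smaller than a state").
CITATION = {
    "owner_name": "J. Doe",
    "street": "123 Elm St",
    "city": "Cincinnati",
    "state": "OH",
    "zip": "45202",
    "inspection_date": date(2004, 3, 15),
    "child_dob": date(2001, 8, 9),
    "hazard": "deteriorated paint, interior window sills",
    "violation_code": "LP-3",
}

# Small ZIP-3 area and an owner over 89: both generalize to the coarse bucket.
CITATION_RURAL = {
    "owner_name": "R. Roe",
    "owner_dob": date(1912, 5, 2),
    "state": "OH",
    "zip": "45701",
    "violation_code": "LP-1",
}

if __name__ == "__main__":
    print(deidentify(CITATION))
    print(deidentify(CITATION_RURAL))
```

Two caveats a practitioner would add: Safe Harbor is only partly mechanical, because the rule also requires that the releasing entity have no actual knowledge that what remains could identify someone; and the free-text `hazard` field passes through untouched here, which is only safe if inspectors never type a name or a street into it. Free text should be reviewed, not allowlisted blindly.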

An interesting passage from the Dispatch report:  "Justice Terrence O’Donnell wrote, however, that city citations contained no medical information, nor did they list names, ages or any other personal information. And even if they had, O’Donnell wrote, HIPAA doesn’t shield information that other laws require to be made available. "The Ohio Public Records Law requires disclosure of these reports and HIPAA does not supersede state disclosure requirements," he wrote."

Okay…very interesting!!  This judge says HIPAA does NOT supersede state disclosure requirements.  However, the HIPAA regs say that HIPAA preempts contrary state law unless the state law is more stringent (more protective of the individual’s privacy).  But then…wait…there are also exceptions to preemption!

Bear with me.  There is a Privacy Rule state preemption exception category called "public health and vital statistics" that allows providers to report diseases or injuries, child abuse, births, or deaths, or those that authorize public health surveillance, or public health investigation or intervention.  Ahhh…perhaps this is the loophole. 

So, apparently if this information can be reported as part of public health surveillance or investigation, then it goes into the state government records, to which the public is then guaranteed access?  Perhaps.  Ask your lawyer for his or her interpretation; you’ll probably get 20 different opinions if you ask 20 different lawyers.

Aye yi yi…wouldn’t it be nice to have just one all-encompassing federal privacy law that covered all industries and personal information equally?  (That’s another blog posting…sometime in the near future.) 

Cases like these in Ohio certainly do not help to clarify compliance activities, and they really don’t set any precedents, only stir the pot of confusion.

Even information security pros don’t use encryption

Sunday, March 19th, 2006

If you couldn’t tell by now, I am an almost ardent proponent of encryption.   It is an effective safeguard, and is easier to use and stronger than ever.  It always amazes me when even information security vendors and pros who promote encryption do not use it themselves.  I read with interest the article about how the vendors at the recent CeBIT tradeshow, promoting the use of Wi-Fi honeypots, overwhelmingly did *NOT* use encryption…55%!  Too bad encryption is still so underutilized even by security professionals…how long will it continue to be the Rodney Dangerfield of information security technologies?

The lost/stolen laptop saga continues…Ernst & Young adds to the list of incidents

Thursday, March 16th, 2006

The Register reported yesterday more stolen laptops; this time an Ernst & Young employee had a laptop containing personal information for IBM’s current and past employees stolen from his/her car.  Traits similar to other laptops that have been lost or stolen:  1)  The laptop was stolen from the E&Y employee’s car; 2) The data, including SSNs, birthdates and other personal information easily used for fraud and identity theft, was NOT encrypted.

This event apparently happened in January, but the IBM employees whose personal information was on the laptop were not notified until March.

There have been other E&Y laptops with personal information stolen and lost in the past.

When will companies learn to 1) Train personnel on acceptable physical security for mobile computing devices, and enforce policies addressing such requirements; and 2) Encrypt data on mobile computing devices?

New HIPAA FAQ posted by the OCR

Wednesday, March 15th, 2006

The Office for Civil Rights (OCR), the agency responsible for HIPAA Privacy Rule compliance and support, has just posted a new FAQ addressing the question, "May a health plan disclose protected health information to a person who calls on the beneficiary’s behalf?"  If you are responsible for HIPAA compliance, or just curious, I encourage you to monitor the OCR site for the many interesting and useful messages they post regarding HIPAA issues.

Companies Increasingly Complying with Sarbanes-Oxley That Are Not Required To Comply

Wednesday, March 15th, 2006

A newly released study by Foley & Lardner shows private organizations are increasingly adopting Sarbanes-Oxley standards even though they are not legally required to do so.  I learned over the past year or so that three of my colleagues who are responsible for information security or privacy at large private organizations have also been adopting the standards as a demonstration of due diligence following best practices.  They all indicated their board members and/or executives had encouraged…actually required…this so that the leaders themselves would be protected in the event fraud occurred within their organizations. 

So, the trend is there, and it really demonstrates that executive leaders must be motivated to drive information governance (security, privacy and compliance) actions, and then actively support them to get them effectively implemented.

Some of the findings listed within the article include:

"Among the findings:
  — 86% of survey respondents felt that SOX and other corporate governance
     reform requirements have impacted their organizations, consistent with
     the 87% who responded in this manner in 2005.
  — Private organizations continue to self-impose corporate governance
     standards, but are also strongly influenced by their boards and outside
     auditors.
  — Private companies tend to adopt the least expensive reforms, as opposed
     to more costly initiatives such as Section 404 audits of internal
     financial controls.
  — 84% of private organizations responding to the survey felt that
     corporate governance reform is "about right," an increase in comparison
     to 2005, when 78% responded in this manner.
  — Private organizations responding to our survey estimated an average
     annual price tag of $105,000 for corporate governance procedures,
     representing an estimated increase of approximately 26% over their
     estimated costs prior to the enactment of the Sarbanes-Oxley Act."

It will be interesting to see how this trend impacts compliance budgets, along with information security and privacy budgets, as time goes on.

Some more laptops stolen…

Monday, March 13th, 2006

Yes, I’m still keeping an eye out on those stolen and lost mobile computing devices!  🙂

I’m compiling a list of stolen and lost mobile computing devices…I’ll post it here occasionally as I add to it.

"A thief made off with two laptop computers after breaking into the campaign headquarters of Oakland mayoral candidate Ignacio De La Fuente, officials said today."    "De La Fuente said today that he did not believe the laptops contained any sensitive information." 

Geesh…wonder how many companies and organizations will start claiming there was no sensitive information on the laptops they lose or have stolen?  After all, in California, they would have to notify impacted individuals under SB 1386.  Considering this was a campaign center…collecting donations and names, addresses, etc. of constituents…it is odd there would not be personal information on the laptops used there.  Hmm…

    • "Two newly bought laptop computers were reported stolen recently in Sunrise.
      A 43-year-old resident of Argentina paid $1,495 for a Toshiba laptop at Circuit City and drove directly to BrandsMart U.S.A., 12801 W. Sunrise Blvd., in the Sawgrass Mills mall. Between 3 and 4 p.m. Feb. 24, someone smashed a window and stole the laptop from his 2006 Dodge van.
    • In another theft four days earlier, an employee at Sam’s Club, 13550 W. Sunrise Blvd., heard a crash and saw a man reaching into the rear driver’s-side window of Salvadore LoPresti’s 1997 Dodge Caravan. The man pulled out a box and left in a gold Ford Crown Victoria.
      LoPresti filed a police report at 2:32 p.m. Feb. 20. He said he had bought a Hewlett-Packard Pavilion laptop for $800 at Circuit City in Pembroke Pines before driving directly to Sam’s Club.
      He said he hid the laptop under the back seat and covered it with a printed advertising section."

Well, the good thing is there was probably no sensitive information on new laptops (unless they had been returned and information still lingered.)  However, this points to the fact that laptops are prime targets for theft.

BTW, another thing to tell employees…print ads are not appropriate safeguards!

Hacked bank used to host phishing sites

Monday, March 13th, 2006

Yes, the story of the bank in China that was being used to host a phishing site to spoof messages and collect personal information from customers of a different bank, as well as eBay customers, made it all over the news today. 

Such an ironic situation; exploiting the security weaknesses of one bank’s network infrastructure to host a site to exploit the vulnerabilities of another bank’s (and eBay’s) customers.  What is discouraging with regard to security diligence is that the exploit was reported by a customer receiving one of the phishing messages, and not (at least as reported) noticed by the bank itself being used as the host.  In fact, some reports implied the bank may still not be aware of the exploit, but that is hard to believe…or is it? 

Just imagine how many organizations are currently being exploited…and possibly have been for years…because they do no activity logging, vulnerability checks, or audits of their systems on a regular basis.  There have already been many reported instances of the computer systems of several organizations being used as repositories for warez, illegal music and CDs, and porn stockpiles.  Folks, part of an effective regulatory compliance program is establishing safeguards to prevent such situations from happening, and the logging and log review that will catch them when prevention fails.
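
The check this paragraph is asking for, as an added example that is not from the post or from any bank involved: a script that reads a web server’s access log and flags directories that are serving content successfully but are not in the site’s own inventory. The log format is the standard Apache/nginx combined format; the host name, site map, client addresses, paths and log lines are constructed for the example.

```python
"""Added example: spot unexpected content being served from a web host by
reading its access log. The site inventory, host name, client addresses,
paths and log lines below are constructed; none come from a real incident."""
import re
from collections import defaultdict

# Combined log format. The field layout is the standard one; values are made up.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed inventory of the top-level paths this site is supposed to serve.
# Anything served successfully outside this set is content nobody deployed.
KNOWN_TOP_LEVEL = frozenset({"/", "/index.html", "/online-banking", "/static", "/about"})

# Constructed log: normal traffic, a phishing page under a hidden directory
# reached from two webmail clients (GET the form, then POST credentials), and
# a scanner probing for a path that does not exist.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2006:09:14:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2006:09:14:03 +0800] "GET /static/logo.png HTTP/1.1" 200 812 "http://bank.example/" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2006:09:20:11 +0800] "POST /online-banking/login HTTP/1.1" 302 0 "http://bank.example/online-banking/" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2006:11:02:44 +0800] "GET /.tmp/ebay/signin.php HTTP/1.1" 200 3320 "http://webmail.example.net/read?msg=41" "Mozilla/4.0"
198.51.100.7 - - [12/Mar/2006:11:03:10 +0800] "POST /.tmp/ebay/signin.php HTTP/1.1" 200 210 "http://bank.example/.tmp/ebay/signin.php" "Mozilla/4.0"
203.0.113.21 - - [12/Mar/2006:11:15:27 +0800] "GET /.tmp/ebay/signin.php HTTP/1.1" 200 3320 "http://webmail.example.org/inbox" "Mozilla/4.0"
203.0.113.21 - - [12/Mar/2006:11:16:02 +0800] "POST /.tmp/ebay/signin.php HTTP/1.1" 200 210 "http://bank.example/.tmp/ebay/signin.php" "Mozilla/4.0"
192.0.2.33 - - [12/Mar/2006:12:40:00 +0800] "GET /wp-login.php HTTP/1.1" 404 169 "-" "python-requests"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def top_level(path):
    """'/.tmp/ebay/signin.php' -> '/.tmp'; '/' and '/index.html' stay as they are."""
    path = path.split("?", 1)[0]
    parts = path.split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def find_unexpected_hosting(log_text, known=KNOWN_TOP_LEVEL):
    """Summarize successful requests to top-level directories not in the inventory.

    Returns {directory: {"hits", "posts", "clients", "referers"}}. A POST to a
    path nobody deployed is the strongest signal: a form is collecting input."""
    summary = defaultdict(lambda: {"hits": 0, "posts": 0, "clients": set(), "referers": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 400:
            continue  # a 404 is scanner noise, not content this host is serving
        top = top_level(rec["path"])
        if top in known:
            continue
        s = summary[top]
        s["hits"] += 1
        s["clients"].add(rec["ip"])
        if rec["method"] == "POST":
            s["posts"] += 1
        if rec["referer"] != "-":
            s["referers"].add(rec["referer"])
    return dict(summary)


if __name__ == "__main__":
    for top, s in find_unexpected_hosting(SAMPLE_LOG).items():
        print("%s hits=%d posts=%d clients=%d" % (top, s["hits"], s["posts"], len(s["clients"])))
```

Run it daily against the rotated log; the part that has to be maintained is the inventory of paths the site legitimately serves, which is exactly the knowledge a compromised host’s owner is missing when a customer, not the bank, is the one who notices. Webmail referers on the flagged directory tell you how victims are arriving, and the distinct client list is the start of the notification list.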

Study supports the need for a good, ethical privacy program

Friday, March 10th, 2006

Today’s report about the recent privacy survey jointly done by Carlson Marketing Canada and Ponemon Institute supports what most privacy proponents have been saying…that a good, strong, ethical privacy program will have a positive business impact.  It is nice to have some formal studies to provide to business leaders to support the theory and make it more likely to become an accepted leading business practice. 

Especially supportive of good compliance and privacy programs is the finding that companies who took a more personal touch, notifying individuals impacted by breaches directly by phone instead of by postal mail or email, had less of a negative business impact than businesses that took the easiest, least expensive means of notification.  I would imagine that this would also mean that the businesses who spent more time and resources on person-to-person phone contacts for the notifications actually saved more by less lost business…but then, that would probably take another study to verify, wouldn’t it?  🙂

Ethics, and clear personal concern for impacted individuals, should be an important component of any privacy and compliance program; your customers will recognize these characteristics.  You don’t want to be perceived as a privacy and ethics Grinch.

Wonder how often this type of laptop loss occurs?

Wednesday, March 8th, 2006

Okay, I don’t mean to be beating a dead horse, but I find these lost and stolen laptop instances increasingly interesting…

An interesting blurb on the BYU News Net today.

"A Hewlett-Packard laptop computer belonging to a Helaman Halls resident went missing in a delivery mix up March 2. UPS delivered the package to the Helaman Halls front desk; the package, however, bore the name of the student’s father. When front desk employees couldn’t find the name in their computer system, they returned the package to the UPS employee. UPS now cannot locate the laptop, police said."

Odd that this was classified by the police as a theft.  How often do you suppose laptops get lost in similar ways?  What kind of information is on them?  Who ends up seeing it?

More patient information compromised from yet two more laptop thefts…and news of two other laptops stolen in 2005

Tuesday, March 7th, 2006

"Fool me once, shame on you…fool me twice, shame on me…"

The same organization, Providence Health System, which had a laptop containing patient information stolen from an employee’s car in January (see my January 27 blog posting), has experienced laptop thefts not just once more, but twice more…each from cars AGAIN!   "The stolen laptops were being used by home care and hospice nurses to chart records on the patients they visit each day."  On February 27 and March 3 laptops were stolen from the cars of the home care nurses; one as the worker ran into a store quickly and left the laptop in the car, and the other was stolen from the worker’s car while the worker was visiting a home patient.

I wrote about the unwise practice of using Lexus laptop lockers in the March Computer Security Institute Alert newsletter.

"Many patients are backing a class-action lawsuit against Providence. So far, none of the stolen records appears to have been exploited by criminals."  Smart thieves will likely wait to do much obvious mischief with the stolen information.  There is also the possibility that the information is being used in unsavory ways that won’t show up in a credit monitoring report…privacy is about more than just identity theft.  And, of course, perhaps the thieves will sell the laptops on eBay to make a little extra pocket money…hmm…something to keep an eye out for.

Two laptops containing clear text patient information were also stolen from Providence last year; the company indicates they are taking a "deeper" look at those thefts.

After the January incident involving information about 365,000 patients, Providence indicated they had paid up to $9 million for credit monitoring…after pressure from the impacted individuals.

"Since the thefts…the company has begun adding encryption to home-care practitioners’ laptops to lock out unauthorized users."  This was done after the thefts this week.

I’m sure the encryption solution cost much less than $9 million. 

With all these reported incidents of stolen laptops, thieves are probably on the lookout more than ever for vulnerable laptops and other mobile computing devices.  I hope this is a bellwether for companies to start encrypting data on these devices as a matter of standard business practice and due care.
