Sunday, September 29, 2013

Out of all the homework I did this week, I was very intrigued by the various different types of policies. If I had to nail down a good policy type, I'd say the issue specific type. First, they describe the technology that is discussed in the policies and they mention what problems could arise that would necessitate the need for the policy.

Could these types of policies leave gaps? Possibly. I can recall a story about a hospital that had identity theft of patient information. The perps would view patient information in the course of their routine work but then would use it to open fake accounts. The institution could not have foreseen that employees would steal patient information. So, in a situation like this would an issue policy forbidding the unauthorized access of information be applicable?

Not really because they had to see the patient's social security number. A new policy would need to be created to mention that any illegal use of patient information would be prosecuted.

Unfortunately, the mentality of our society dictates the need to craft a policy for any type of foreseeable problem.

Sunday, September 22, 2013

This week's class gave me a chance to research things like disaster recovery and business continuity plans. I had never researched or read about either topic prior to this week.

So, what did I learn?

I learned that some people use these terms as synonyms for each other. In actuality, a business could have a continuity plan but not necessarily have a disaster recovery plan.

I also learned that some people did not have recovery plans until major catastrophes happened like hurricanes or terrorist attacks.

I think it definitely makes sense for any business to have both of these plans, but does this create paranoia? I don't think so, because we have evidence that the unexpected does happen.

As information security professionals, we will need to prepare individuals in a way that demonstrates a proactive approach instead of a reactive one.

If we can manage to exude confidence in being prepared, we should be able to obtain buy-in for both disaster recovery and business continuity plans.

Monday, September 9, 2013

Lower Insurance Premiums or Higher Security Violations: Employee Wellness Reduction Programs

Every September, everyone in my department is up in arms about choosing next year's medical benefits. We work for a healthcare company and are often surprised by the high cost of healthcare.

So, a few years ago, a program was started to reduce yearly premiums. Each fall, employees are asked to go to a provider and have the following information collected:

- BMI (body mass index)
- Weight
- Height
- Blood Pressure
- CBC (all basic laboratory bloodwork)

If an employee and spouse/domestic partner complete these studies, they can have reductions in their monthly premium costs. I am the only one in my department who refuses to do it. (Of course, my coworkers think I'm crazy and independently wealthy.)

However, I have a valid reason for not participating in this. I do not know anything about the people who maintain this information.

As a woman, my BMI (along with weight) and basic bloodwork can reveal a LOT of personal information about me and I do not know who has this information or what happens to it after I'm given a discount.

I was reading a post on the privacyrights.org site about California laws regarding this subject. Basically, there are a few gaps in the law pertaining to the vendors maintaining the information. This did not help my paranoia about this subject, as I'm pretty sure other states may also have some of these gaps.

For me, the biggest problem I have is who's using this information after my employer determines, "Well, Dorian Harris eats too many of the free donuts"?

Who's seeing and/or using my BMI? Or after open enrollment, then what? Where's it stored?

It is bad enough that healthcare providers sometimes do a lousy job of securing information that we have to give them but someone wants me to voluntarily submit my information to an unknown source?

Maybe my concern is completely unfounded, maybe I'm overreacting, or maybe I'm justified.

I'm sure the day will come when I am mandated to participate in this employee reduction program... Until then I'll keep paying the higher price financially and lower the risk for security issues.

Friday, September 6, 2013

A proper introduction ...

I realized at 3:00 a.m. this morning that I did not properly introduce myself or my intention for this blog.

My name is Dorian and I have a very personal interest in privacy issues, especially as they relate to medical care. I worked as a Medical Billing Manager for years. I reported what I believed was an inappropriate billing action by a colleague. Two months later, the Legal department where I worked offered me a position as an auditor (I had other qualifications which also made me a candidate).

While I worked as a Compliance Auditor and HIPAA Auditor, I was privy to violations in medical facilities around our city. During my tenure at a particular facility, my son suffered an injury that left him paralyzed from his chest down at age 17. The injury was featured in our local papers and news.

When I returned to work, I was greeted by a former colleague who stated, "I was really concerned about your son, so I looked at his scans and x-rays. I'm sorry about what's happened." I was livid. "You violated his privacy," I quipped, and stormed out.

After I cooled off, I thought about something... People do foolish things sometimes. In fact, sometimes they think they are doing good, especially when it relates to issues of medical care. Medical privacy has to be respected and honored by everyone - patients, physicians, nurses, ancillary staff, etc.

My long winded story really sums up to this - people need to be informed about what they can and cannot do as it relates to medical information. It only takes one time.

I plan on using this blog as a means to discuss medical privacy issues, violations and education, as I've come to learn over the past 7 years.

Thursday, September 5, 2013

I recently went to a new physician's office. I'm probably a front desk worker's worst nightmare. For three and a half years I worked for a hospital and physician group corporate compliance office as a compliance auditor and a HIPAA auditor. I routinely emptied trash cans, sat in waiting rooms or walked by nurses' stations documenting numerous HIPAA violations. Needless to say, whenever I enter a physician's office, I have an even higher level of anxiety regarding privacy because I know what can go wrong. I have to be honest: when I read about medical privacy or HIPAA or ePHI standards, I start to sweat. The reality of the situation is that despite the best efforts from our government, individuals overall do not yet fully grasp the imminent danger facing us through careless actions in a medical setting. Computer screens left unattended, openly displaying lab results, x-rays or, worse, electronic progress notes. Ah! Medical privacy? Does anyone really care about our medical privacy?