[ Wednesday, August 28, 2002 ]


I got an e-mail today from Dean Peters:

Dear Mr. Drummond,

Please forgive my intrusion, but your site was referred to me
by 'Ernie the Attorney'. As you may be aware, on July 30, 2002,
Microsoft released a needed security fix with their Service Pack 3
(SP3) for Windows 2000 (Win2k). However, to install the SP3, one is
required to agree to a rather intrusive End User License Agreement
(EULA) - which essentially gives them permission to your operating
system's internals.

Now my question is, does this jeopardize HIPAA compliant sites, placing
them in the following catch-22? If such a secure/compliant site is
compelled to update Win2k because of known security issues, are they
not also invalidating their compliance by giving permission to a third
party to come in, unsupervised, over the net and snoop?

I posted this question on my blog, but would LOVE to hear what a
professional such as yourself has to say about such a crazy legal

Dean Peters

My response:

Call me jaded, but I generally expect crazy legal conundrums (conundra?) to outnumber straightforward or simple solutions.

First, I'm not considered a techie by anyone but my wife, who not only couldn't program a VCR, but has a hard time with the microwave. However, I think I might be able to lend a little insight. A few specific questions/observations first: I'd suspect the original Win2k program came with an EULA that gave Microsoft the same sort of unconscionable intrusion rights. I also suspect that there are not a whole lot of other (reasonable) options or alternatives to Win2k or some other Microsoft product, other than going to a paper-only system. I'd also note that this is much more a "security" issue than a "privacy" issue (and really isn't a transactions and code sets issue at all). Keep in mind that the final security regs aren't out yet, so anything having to do with security is subject to revision if the final regs look goofy (which they undoubtedly will). Finally, when you refer to "sites" I assume you mean databases/computer systems/networks/etc. rather than websites.

Under the administrative requirements of the privacy regs (45 CFR 164.530(c)), covered entities are required to maintain technical safeguards to protect the privacy of PHI. Failing to apply the SP3 patch would seem to be a failure to meet that requirement, since there would be a hole in the technology that would allow someone to breach the privacy. However, the implementation requirements for meeting that standard state that the covered entity must "reasonably safeguard protected health information from any intentional or unintentional use or disclosure" in violation of the HIPAA regs. That leads to the key question: what's reasonable? If there's really no other way to keep Microsoft out of your computer, then taking all other precautions and allowing this one breach would probably not be a HIPAA violation. What's the likelihood that Microsoft will access PHI on your system and improperly use or disclose it? And if the trade-off is that the SP3 will give you greater protection against hackers (who might target your site because they know the PHI will be useful to them) at the cost of less protection against Microsoft (who will have the same rights against most of the universe and will be much less likely to target you particularly), then wouldn't you meet the reasonableness standard?

When the security regs come out, we pretty much expect the reasonableness standard to apply to everything there as well. While there may be some more specific issues raised by the security regs, I'd expect the answer will be the same.

Let me know if you disagree.

Or if you know of any other goofy problems like this. Hopefully not Microsoft-specific, or you'll get me talking about why the DOJ's antitrust case against Microsoft was the right thing to do.

Jeff [4:38 PM]
