[ Wednesday, August 28, 2002 ]


I got an e-mail today from Dean Peters:

Dear Mr. Drummond,

Please forgive my intrusion, but your site was referred to me
by 'Ernie the Attorney'. As you may be aware, on July 30, 2002,
Microsoft released a needed security fix with their Service Pack 3
(SP3) for Windows 2000 (Win2k). However, to install the SP3, one is
required to agree to a rather intrusive End User License Agreement
(EULA) - which essentially gives them permission to access your operating
system's internals.

Now my question is, does this jeopardize HIPAA-compliant sites, placing
them in the following catch-22? If such a secure/compliant site is
compelled to update Win2k because of known security issues, are they
not also invalidating their compliance by giving permission to a third
party to come in, unsupervised, over the net and snoop?

I posted this question on my blog, but would LOVE to hear what a
professional such as yourself has to say about such a crazy legal

Dean Peters

My response:

Call me jaded, but I generally expect crazy legal conundrums (conundra?) to outnumber straightforward or simple solutions.

First, I'm not considered a techie by anyone but my wife, who not only couldn't program a VCR, but has a hard time with the microwave. However, I think I might be able to lend a little insight. A few specific questions/observations first: I'd suspect the original Win2k program came with an EULA that gave Microsoft the same sort of unconscionable intrusion rights. I also suspect that there are not a whole lot of other (reasonable) options or alternatives to Win2k or some other Microsoft product, other than going to a paper-only system. Next, I'd note that this is much more a "security" issue than a "privacy" issue (and really isn't a transactions and code sets issue at all). Keep in mind that the final security regs aren't out yet, so anything having to do with security is subject to revision if the final regs look goofy (which they undoubtedly will). Finally, when you refer to "sites" I assume you mean databases/computer systems/networks/etc. rather than websites.

Under the administrative requirements of the privacy regs (45 CFR 164.530(c)), covered entities are required to maintain technical safeguards to protect the privacy of PHI. Failing to apply the SP3 patch would seem to be a failure to meet that requirement, since there would be a known hole in the technology that would allow someone to breach the privacy. However, the implementation requirements for meeting that standard state that the covered entity must "reasonably safeguard protected health information from any intentional or unintentional use or disclosure" in violation of the HIPAA regs. That leads to the key question: what's reasonable? If there's really no other way to keep Microsoft out of your computer, then taking all other precautions and allowing this one breach would probably not be a HIPAA violation. What's the likelihood that Microsoft will access PHI on your system and improperly use or disclose it? And if the trade-off is that the SP3 will give you greater protection against hackers (who might target your site because they know the PHI will be useful to them) at the cost of less protection against Microsoft (which will have the same rights against most of the universe and will be much less likely to target you particularly), then wouldn't you meet the reasonableness standard?

When the security regs come out, we pretty much expect the reasonableness standard to apply to everything there as well. While there may be some more specific issues raised by the security regs, I'd expect the answer will be the same.

Let me know if you disagree.

Or if you know of any other goofy problems like this. Hopefully not Microsoft-specific, or you'll get me talking about why the DOJ's antitrust case against Microsoft was the right thing to do.

Jeff [4:38 PM]

[ Tuesday, August 27, 2002 ]


One other thing: I posted below that the Houston, Texas lawsuit (Congressman Ron Paul, a doctor, was a party to the suit) against HHS to prevent enforcement of HIPAA was thrown out. Now I find out that the South Carolina case has been decided in the government's favor at the district court level. One of the more interesting things about the South Carolina case is that the plaintiffs argued that HHS overstepped its statutory authority and began drafting laws, as distinguished from regulations. The U.S. District Court ruled that you could glean enough legislative intent out of Congress' actions in passing HIPAA to justify the long, broad reach of the HIPAA regs. The South Carolina medical society that brought the suit has apparently decided to appeal.

Jeff [2:27 PM]


HIPAAdvisory, one of the excellent news services on HIPAA matters, remarked today that AHA news is reporting that CMS has announced (following all this?) that fewer than 3% of all Covered Entities have filed for the extension. As my 9-year-old daughter would say, "What's the matter with you people?"

You need to get the extension.

There's no reason not to get one.

It's fast, it's easy, and there are no wrong answers.

Just do it.

Jeff [2:21 PM]

[ Monday, August 26, 2002 ]


Something interesting recently crossed my desk: the latest Technology and Emerging Business Update from Jackson Walker's tech law group. In it, my good friend Collin Hayes has an article on the European Union's Directive on Data Protection. The "Directive" (dontcha just love Euroweenie-speak?) is the EU's comprehensive rule on the privacy of personal information, sort of Gramm-Leach-Bliley meets HIPAA. Actually, GLB was at least in part a response to the Directive, which restricts the ability of European companies to deal with companies in other countries unless those countries have similarly restrictive laws or the companies they deal with agree to the EU level of privacy.

If you regularly deal with EU citizens' personal information, or if you handle information in one of the EU countries, you need to make sure you comply with the Directive. Questions? Ask Collin at chayes@jw.com.

UPDATE: Collin's piece isn't up on the jwtechlaw website yet, but when I went to look at it and put a link in the post above, I came across something from my partner John Koepke on other electronic records and privacy issues. It's worth a look too, although even further removed from HIPAA than the Directive.

Jeff [9:43 AM]

[ Wednesday, August 21, 2002 ]


There's an interesting case recently decided in Massachusetts that determined that a computer/internet service company that was hired by pharmaceutical companies to assist visitors to the companies' websites could access personal information from the computers of the visitors. The case is similar to the In re DoubleClick Inc. Privacy Litigation case, where the marketing company can access that information from the internet visitors if the website owner agrees to allow the marketing company to do so. The plaintiffs styled the case as a wiretap by the marketing company, interfering with the communications between the visitors and the drug companies who owned the website. However, the judge ruled that, even though the drug companies didn't give the marketing company specific rights to access the visitors' information and "tap" into the communications between the visitors and the host companies, the host companies did agree to the software package provided by the marketing company, and part of that software was the ability and capacity to access this information.

Bottom line: if you're communicating with another person or entity on the web, assume that you have no privacy. You can prevent a lot of this by disabling "cookies" in your browser, but then you have to re-enter your passwords every time, and some sites won't let you view them without allowing cookies.

Jeff [11:42 AM]

[ Monday, August 12, 2002 ]


And here's the fact sheet.

Jeff [10:19 AM]


Here's the press release on the final revisions.

Jeff [10:19 AM]


The Proposed Changes to the Privacy Rule become final. The proposed changes to the Privacy Rule have been finalized. Well, sort of. They will be when the revisions are published on Wednesday in the Federal Register. I haven't had time to review them yet, but I think they look pretty much like they did back in April when they were first proposed. The requirement for a consent has been removed, but providers must give patients a copy of their Notice of Privacy Practices ("NOPP") as soon as possible and try to get the patients to sign an acknowledgement.

Is this as bad as the Georgetown Privacy Nazis think it is? Not really. Under the original final rule, a provider could refuse to treat a patient if the patient refused to sign a consent. So, the consent itself was a contract of adhesion; the doctor could put whatever he wanted in the consent and the patient was stuck with a take-it-or-leave-it deal. Now, the doctor must provide the NOPP which says what he is going to do with the information; if the patient doesn't like what he sees, he can go elsewhere. What's the difference?

The big question: will Kennedy demagogue this? He threatened to do so during the Senate hearings on these proposed revisions.

Jeff [10:14 AM]
