First HIPAA fine enforced

The news release speaks for itself:

The U.S. Department of Health & Human Services (HHS) has entered into a Resolution Agreement with Seattle-based Providence Health & Services (Providence) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. In the agreement, Providence agrees to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

Ouch. This follows a recent warning by the Department of Justice that HIPAA is now being taken seriously and will be enforced.

The incidents giving rise to the agreement involved two entities within the Providence health system, Providence Home and Community Services and Providence Hospice and Home Care. On several occasions between September 2005 and March 2006, backup tapes, optical disks, and laptops, all containing unencrypted electronic protected health information, were removed from the Providence premises and were left unattended. The media and laptops were subsequently lost or stolen, compromising the protected health information of over 386,000 patients. HHS received over 30 complaints about the stolen tapes and disks, submitted after Providence, pursuant to state notification laws, informed patients of the theft. Providence also reported the stolen media to HHS. OCR and CMS together focused their investigations on Providence’s failure to implement policies and procedures to safeguard this information.

Note the role breach notification played in the account above: the complaints that reached HHS were filed only after Providence, as required by state notification law, told patients about the theft.

American Shoppers Easily Duped

Blame the victim? Unfair market? Legitimate fraud? But seriously, studies continue to show that American shoppers are highly susceptible to simple tricks:

Shoppers do crazy things. And retailers bank on it.

Several studies reveal how Americans shop in irrational ways, and increasingly scientists are figuring out how easily we can be duped. Retailers in turn use these tricks to get inside our heads, encouraging window shoppers to become real shoppers, driving purchases of sales items regardless of real value, and helping buyers feel good about the things they walk out with … often for no good reason.

I find the “retailers bank on it” phrase a bit cold-hearted. Now that we have motive out of the way, tell me the difference between a retailer and an underground economy site.

Compliance and nine-sixteenths of one second

I am always asked about interpretation of rules and regulations related to information security. Hopefully someone will bring up the “wardrobe malfunction” example in discussion soon, so I can point to the recent court ruling. This seems like a fair interpretation to me:

“The Commission’s determination that CBS’s broadcast of a nine-sixteenths of one second glimpse of a bare female breast was actionably indecent evidenced the agency’s departure from its prior policy,” the court found. “Its orders constituted the announcement of a policy change — that fleeting images would no longer be excluded from the scope of actionable indecency.”

And people think it is hard to figure out what constitutes virtual system security compliance…

Privacy Showdown at Vermont Library

The AP has reported on the controversy over the police search of public computers at a Vermont library:

[Children’s Librarian] Flint was firm in her confrontation with the police.

“The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’” said Flint, 56. “He did say he didn’t need any paper. I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’”

Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.

“If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong,” he said.

The conflict stems from the urgency of an investigation to find a missing child colliding with the fact that the police attempted to seize and search public systems without a warrant or any other independent authorization. On the one hand it is easy to see the need to expedite a search for information; on the other it is hard to imagine why there was any delay in obtaining a warrant.