Information Security


HIPAA privacy records and guidelines: How to achieve compliance

Readers respond to the December 2006 column "HIPAA-ocricy": why shared logins and lax password practices undermine both compliance and the integrity of the medical record, and how to engage physicians in managing data security risk.

HIPAA Bridgework
While we may argue the dental status of HIPAA ("HIPAA-ocricy," December 2006), good security practices in a health care environment equate to good business practices.

Yes, HIPAA can be overbearing, but it can be used as a guideline for what is expected in an environment expected to be secure, if not by federal law, then at least by the patient community.

To have a chief physician boast that his doctors don't believe in password security, that one doctor logs in for all the others, is unbelievable in this litigious society. Without password security, anybody who has access to the computer workstation--doctor, nurse, housekeeper or visitor--has the ability to change patient information in a medical chart without detection or tracking.

This does not make for good medicine or good business. What happens when an untoward medical outcome brings an investigation? Are you going to take the witness stand and say: "It might be my diagnosis, but maybe someone changed it. Someone might have altered the meds, I don't know. I cannot vouch for this medical record which has my signature."

It may be human nature to rebel against strong password policies, but some sort of access control has to be used to prevent unauthorized access. Sloppy HIPAA compliance probably means sloppy security all around.

What other corporate data besides patient information is readily available to prying eyes? I hope my doctor doesn't work this way--nor my bank, nor my DMV.

Roy Gottlieb
Information Security Liaison,
Kingsboro Psychiatric Center, Brooklyn, NY

Treating Risk
There really are two holes in HIPAA: the lack of incentives--pro or con--to comply, and the lack of a plausible minimal technical standard for hardened networks. But, I would like to talk about the part of HIPAA that works.

Your doctors are telling you the blunt truth and that is a healthy thing. Medical professionals swim in risk like fish; they can smell an under-baked risk profile a mile away. Further, they may even QA your risk case by deliberate defiance, just to see what happens in a low-risk situation. Meeting your medical professionals where they live can cut off useless measures and inspire effective action.

Suggestions for the first hole:

  • Make the connection between patient privacy and data security. Most medical records are also useful for identity theft against their patients. More laws than HIPAA are in play here.
  • Make the connection between public service and fault tolerance. Robust information system designs enable them to provide medical help--rain or shine.
  • Make the connection between liability control and computer forensics. Unique IDs and traceable data events can provide defensive court records.
  • Make the connection between preventative health and data security reviews of new medical systems. Medical professionals know about the payoff of prevention.

Trouble spots from the second HIPAA hole:

  • No one has yet defined the HIPAA equivalent of the credit card industry standards for hardened data systems.
  • The acceptable risk profile of doctors is much higher than data privacy normally can tolerate.
  • The subcontractor status of doctors makes the fluid flow of data in PDAs a network with a mobile perimeter. The doctor-in-Starbucks scenario is very challenging.

I wish I had better news for you. But, if you keep connecting with the built-in risk management of medical professionals, they will hear you better than you know.

But, for now, it must be understood that data security risks fit more into business risk than medical risk. And doctors sometimes will accept bankruptcy as secondary to the noble cause of saving lives.

Don Turnblade

Send your e-mails to

Article 10 of 18
