Welcome to LinuxMedNews

  Followup on HIPAA and Microsoft EULA
HIPAA Posted by Jubal on Friday April 18, 2003 @ 09:34 AM
from the was it just hype? dept.
Some of you will recall the previous discussion on HIPAA vs. the Microsoft EULA (the claim that MS having the right to silently modify system files breached HIPAA) (article). Now that the 14th April deadline for HIPAA implementation has passed, I am curious to hear how seriously this issue has been considered in the US. Has this issue had any real implications, or was it just talk?




    Re: Followup on HIPAA and Microsoft EULA
    by will ross on Friday April 18, 2003 @ 03:19 PM
    my short answer is that it was just talk, with a low signal to noise ratio. brian livingston's original infoworld article relied upon a couple of common misconceptions about HIPAA, and the discussion on slashdot veered even farther away from useful information (though as usual in any /. discussion about msft it had its spirited moments).

    first misconception: HIPAA rules about protected health information (PHI) mandate privacy safeguards, but that doesn't mean no one else can see PHI, it just means that an auditable chain of trust needs to be established and monitored. the simple solution is that facilities which store PHI need to have a business associate contract with anyone with access to PHI. as the obvious front door to PHI, healthcare software providers circulated their boilerplate versions of these contracts to their customers earlier this year. obviously there are many back doors to PHI, such as anyone with r00t access to any device with PHI. technically each health care facility needs a business associate contract with every one of these external back door PHI nodes. i have not heard any *serious* discussions about business associate contracts with system software vendors such as microsoft, but it seems to be a fairly trivial side issue to me.

    second misconception: HIPAA compliance inspectors are not exactly coming soon to our local health care facilities. i have no doubt that this nascent enforcement arm of the bureaucracy may some day be funded and begin functioning and at some point even further in the future may actually address the issue of r00t access to devices with PHI, but like all discussions about security, privacy and technology, i think in the end social vulnerabilities far outweigh any technical or contractual issues. but to your original question, yes ultimately the issue of r00t access to devices with PHI may be addressed by formal HIPAA enforcement functionaries. i wouldn't rule it out.

    btw, i think we could make a great prank next april first by announcing the repeal of HIPAA! :-)
    • Re: Followup on HIPAA and Microsoft EULA
      by Pat Evans on Friday April 18, 2003 @ 06:57 PM
      Actually, I told someone I think JCAHO will probably wind up being the inspection arm of the process, at least for any Healthcare Organization seeking accreditation. NCQA may serve a similar role. After all, JCAHO checks an organization's compliance with policies, and every organization will need to have policies that meet HIPAA requirements. The best one I ever heard re: JCAHO was: just throw out the policy book. Only 1 gig on the inspection, and no violation for policies you didn't have and couldn't comply with anyway. Pat

    All trademarks and copyrights on this page are owned by their respective companies. Comments are owned by the Poster. The Rest ©2000-2006 Ignacio Valdes, MD, MS.