ProjectSend
-
@scottalanmiller said:
@Dashrender said:
@scottalanmiller said:
Let's think of it in another way.... would you be happy having this conversation with a judge:
"Your honor, I accessed private healthcare data because I felt that I could use that information for the purpose of securing a network that I was managing."
and...
"No, I was not directly told to access this data or to secure the network in this manner."
Yes I would, on the assumption that it was part of my purview to protect my network to my own levels. I.E. I am the one who decides what is and isn't needed to protect my network.
So you feel that the privacy of HIPAA data is okay to breach if the reason is for protecting YOUR network? I don't believe that a judge would see that in a kind light. Protecting your network, protecting any network, is not something that health data is allowed to be used for.
The difference is that I don't consider it a breach. I work for the company that has the data. If said company feels that it's within my job duties to access that data, then I'm allowed to do so. Period.
You were trying to compare IT to a Business Associate (BA) but internal IT is not a BA because it's internal, and therefore falls under the normal coverage of the Covered Entity itself, not a BA.
-
@scottalanmiller said:
As someone with health data out there, it worries me that people who are entrusted to protect it probably routinely feel their their own security needs would justify the theft and misappropriation of my data for their own, personal uses which is not just wrong on its own, but puts my data at greater risk as it would then be being stored and used outside of HIPAA regulated systems. No one would be looking for that data to be being stored with network records, for example.
That was one heck of a leap. Why would you assume for even one second that I would pull the actual data out of the HIPAA controlled system? If the IP's and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it? Perhaps I could make an external document stating that I made a phone call regarding this information, again something I would never do at this company, but that external data could only refer to say a chart number, but no name or phone number.
-
@Dashrender said:
The difference is that I don't consider it a breach. I work for the company that has the data. If said company feels that it's within my job duties to access that data, then I'm allowed to do so. Period.
That's completely not true. That is anything but a "period." That would simply make managers culpable too. That will would constitute data theft no matter who in that company decided to do so.
-
@Dashrender said:
You were trying to compare IT to a Business Associate (BA) but internal IT is not a BA because it's internal, and therefore falls under the normal coverage of the Covered Entity itself, not a BA.
Are you sure because the mentioned external entities separately.
-
@Dashrender said:
That was one heck of a leap. Why would you assume for even one second that I would pull the actual data out of the HIPAA controlled system?
Because you said that you would use mine (a client's) personally identifiable data that ties me to the facility and provisioning for your own purposes. Only going by what you stated.
-
@Dashrender said:
If the IP's and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it?
Because it goes to you, you being IT and not being part of the health care delivery system are the breach yourself. You are personally the system outside of the HIPAA control. The point of HIPAA is to restrict who gets access to my records to the people who need it in order to deliver my healthcare, you are not one of those people.
-
@Dashrender said:
Perhaps I could make an external document stating that I made a phone call regarding this information, again something I would never do at this company, but that external data could only refer to say a chart number, but no name or phone number.
But the point is that the breach has already happened. And not to protect your systems either, because it isn't your data being protected. That's a fundamental thing to consider. None of this, in any way, is to protect you.
-
@scottalanmiller said:
@Dashrender said:
If the IP's and the phone numbers and the logon IDs are all inside the HIPAA controlled system, why would I need to leave it?
Because it goes to you, you being IT and not being part of the health care delivery system are the breach yourself. You are personally the system outside of the HIPAA control. The point of HIPAA is to restrict who gets access to my records to the people who need it in order to deliver my healthcare, you are not one of those people.
you implied the healthcare part of this. Not sure that's actually there. The Covered Entity decides who does and who doesn't get access to the HPI.
-
You are basically saying that a Covered Entity can't decide that they want to do this, and do it... and I'd like to know why you feel that way?
Also, why do you feel that puts you at more risk?
-
@Dashrender said:
you implied the healthcare part of this. Not sure that's actually there. The Covered Entity decides who does and who doesn't get access to the HPI.
Is that true? The covered entity gets unlimited choice in that matter? Having worked in hospitals doing HIPAA work consulting, that was very much not true by our and their belief. I've never seen anything in the HIPAA regulations that suggested that a covered entity had any such say.
-
@Dashrender said:
You are basically saying that a Covered Entity can't decide that they want to do this, and do it... and I'd like to know why you feel that way?
I feel this way because it is my understanding of the law and the only way that the law makes sense. Why would ANY unnecessary use or unauthorized use of my private data be allowed when we are talking about a law specifically to stop the unnecessary and unauthorized use of that data?
-
@Dashrender said:
Also, why do you feel that puts you at more risk?
What is the risk that HIPAA is to protect against? Unnecessary people getting access to my data.
What has happened? Exactly that.
-
@scottalanmiller said:
@Dashrender said:
You are basically saying that a Covered Entity can't decide that they want to do this, and do it... and I'd like to know why you feel that way?
I feel this way because it is my understanding of the law and the only way that the law makes sense. Why would ANY unnecessary use or unauthorized use of my private data be allowed when we are talking about a law specifically to stop the unnecessary and unauthorized use of that data?
Just because you consider it unnecessary does not mean others don't. You consider this entire approach pointless boarding on meaningless, I simply don't agree.
Again, and I'll continue to state this, I would never do as @dafyre suggested and call patients based on an IP seeming to be coming from a bad location.
-
@Dashrender said:
Just because you consider it unnecessary does not mean others don't. You consider this entire approach pointless boarding on meaningless, I simply don't agree.
But... is it your call at all? It's not your data. Why would you have an association with the data at all?
-
@Dashrender said:
Again, and I'll continue to state this, I would never do as @dafyre suggested and call patients based on an IP seeming to be coming from a bad location.
So how would you use it, then?
-
And more importantly.... why?
-
@Dashrender said:
Again, and I'll continue to state this, I would never do as @dafyre suggested and call patients based on an IP seeming to be coming from a bad location.
I never suggested I'd be calling patients. Only employees of the company that I work for.
-
@dafyre said:
@Dashrender said:
Again, and I'll continue to state this, I would never do as @dafyre suggested and call patients based on an IP seeming to be coming from a bad location.
I never suggested I'd be calling patients. Only employees of the company that I work for.
My mistake.
-
@Dashrender 8-) --
But this is one of the reasons that IT can be such a complicated field. You get ten different people talking about the same thing, you get three rabbit holes, 2 topics, and a whole mess of confusion, lol.
-
Agreed.
When it comes to direct patient access, I probably wouldn't care where they access it from, and if I could skip all tracking of that I might consider it. That said who's to blame if a patients account is accessed using their credentials and the account holder didn't authorize it? The Covered Entity (CE)?