MemorableURL.com

Did you see the recent story about the Canadian Imperial Bank of Commerce losing a file that includes the confidential details of 470,000 current and former clients of Talvest Mutual Funds? This is not that unusual but it reminded me of one of my favorite non-compliance stories... 

Since 2001 CIBC have been sending faxes containing confidential information to a scap yard in West Virginia. 

http://www.theglobeandmail.com/servlet/story/RTGAM.20041126.wxcibc1126/BNStory/Business/

Feel free to read the entire story but pay special attention to these 2 gems...

[the owner] said that in an effort to get the bank to [stop sending the faxes], he telephoned some of the CIBC customers in 2002 to inform them that the bank was transmitting their personal and financial information to him.

"They were not real happy. When we started reading off the information that we had — your social security number, your bank account number, your telephone number, all the information — they were real unhappy about it," [the owner] said.

and...

But after CIBC told him that it was not responsible for the deluge, [the owner] said, he started saving the faxed documents in order to prove his point.

The sensitive information now sits in a locked file cabinet in a building, guarded by his junkyard rottweiler.

It was a busy day at Blog Central today. I was peppered with quite a few people asking my opinion. It is quite flattering really - thanks!

Anyway. One question I was asked today was what I though the most important factors  were to consider when keeping records efficiently in a medical practice. Rather than answering it in isolation I said that I'd post my response here for all to see.

I belive that the management of records in a medical practice is similar in many ways to managing any business record but there are some key differences which must be taken in to consideration.

The similarities come from the fact that a medical center has ‘formal records’ in the same way as any other business. These records include tax information, personnel records, real estate records, etc. There are legal and corporate rules that determine how long these records must be kept and whether they can be altered. Companies must also make provision for this information to be ‘discovered’ should the courts order the organization to produce specific information.

One of the key differences that medical offices have is that they store patient’s medical records. Medical records are provisioned under a specific set of laws that protect the data, these records are commonly referred to as Private Health Information (PHI) and are protected in the US by a regulation called the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA as a regulation is over 10 years old and it sets out specific responsibilities to ensure that the privacy of the PHI is maintained as well as ensuring that the information is protected from destruction for a given length of time.

In order to consider the two most important factors, first consider two of the key phrases in the HIPAA regulation. (Note that a ‘covered entity’ in this context is the medical office)

1) A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

2) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use.

Dealing with the first issue basically says that you must store electronic copies of medical records in a secure repository. This repository must be able to guarantee who can access the information and be able to prove who accessed it and when. Without a robust and secure system to store your content you will not be able to show that you are protecting records to the standards set by HIPAA.

The second issue was trickier until recently. It suggests that a medical institution needs to ensure that people do not see medical records ‘accidentally’ or even see parts of a medical record that they did not need access to. If someone is doing blood work for you then they do not necessarily need to see your entire medical history – just the parts that are relevant. We now have systems which can limit access to records on a page-level basis. This capability is enforced by Information Rights Management and gives the system the ability to grant access to any part of a document and also audit which parts have been accessed, by whom and when.

My book is almost ready to publish so I wanted to start to share some excerpts from it. The book starts with an overview of  what compliance is and why you should be interested in it. Here's a section copied from the introduction of the book. I'll be publishing more thoughts and more ideas that I discuss in the book as well as a summary of the sections over the next few weeks.

The book should be available on Amazon, B&N, Books a million and my own site within a couple of months. If you have any questions, queries or comments then please contact me at:

comments@nevertalkwhenyoucannod.com

Imagine a dark and sinister area deep in the bowels of a building; an area that most people did not even know existed. Inhabited by people with strange powers to find things that mere mortals could not even imagine.

Visitors to this strange, murky world slip bundles of paper through a slot in the wall, eager hands grasp at the papers and hide them in folders. Folders labeled with strange, colorful hieroglyphics. The folders are carefully placed in special boxes and stored lovingly on to shelves. The visitors are left wondering if they will ever see their precious papers again but feel strangely confident that the inhabitants of this dank, shadowy underground world will care for their charges and ensure their protection until they are doomed to a carefully staged and monitored destruction.

What am I describing? A view in to Area 54, a chapter from Harry Potter VIII, a plot from a lost Star Trek episode? [1]

No, this is the vision that people have of the typical records management office, medical records store or drawing office in a company. We have all been there, every company has somewhere where critical business information is stored.

Depending on the size of the storage location it might have been the basement of the office building or in some cases a massive, custom-built warehouse. This location was where you took critical business documents when they needed to be stored as records. The idea was that the people who worked in the records centers were tasked with understanding the appropriate regulations and then protecting your records for the prescribed length of time. They also tracked who had the copies of the records and ensured that they were returned when they were no longer being used.

Is this model flawed? Absolutely not – consider the prerequisites for developing a compliance system for managing business records – you need people who understand the compliance standards, a process to ensure adherence to them and technology to manage the process. The people who run these data centers are typically extremely professional and dedicated to their task. They battle internal and external politics and do their absolute best to ensure that the company is in compliance to records retention, public health information protection, or whatsoever the requirement is.

The problem is that things are changing in the world of compliance. As you know, the amount of data, the number of systems and the number of regulations are all increasing so rapidly that the current ‘silo the data to protect the data’ approach cannot scale to meet our requirements.

The future is upon us and we had better drag compliance kicking and screaming out of the bowels of the building…don’t worry, I am not going to start trying to write science fantasy again but you get the idea – we need to embrace the brave new world, understand how to remain compliant and also reap the benefits that technology can bring us.

When you’ve finished reading my book you should have a good feel for what’s available, what’s realistic and what’s to come. Hopefully you’ll also get some aid navigating the maze of solutions too.

Good luck – I’ve seen the future and it really is bright!

[1] Having read these paragraphs I hope you’ll appreciate why I am writing a book on compliance not a science fantasy novel!