Google admits to reading your emails, claims you should expect it.
Quoting Janx (post 6172858):

They're considered part of the staff and thus covered under the NDA and BLA you should have with them.

My company is a middleware and IT company for other medical and insurance handling businesses. I apologize if this sounds like a commercial. I won't tell you where I work, and you've never heard of us anyway. But this may give some perspective from the medical/insurance/legal business, as we have clients in these areas and this is what we do.

Under HIPAA we have to have NDAs and Business Level Agreements to secure the data and have the other party agree that we secured the data. It's a two-way street, so as the client audits us, we audit them, and since we sit in the middle between them and their clients, we audit their client and they audit us. The audit intensity varies, and the bar is lower for smaller businesses (though certain minimal expectations are there).

Generally speaking, any office staff who has a need has authorization to read your file (as a patient). So the doctor, the billing department, the med assistant, the scheduling department: they all get to open your file because they have a need to see info from it to do their job.

Ideally, they'd only be authorized to see your file WHILE you're in the time frame of needing work done, and they'd see as little as possible.

However, that tends to be less practical than logging their access and detecting if they make unusual accesses. It is surprisingly more complicated to enable/disable rights for individual employees who sometimes have a need than it is to let the main office staff see what they want, when they want, because if they were going to screw you, they'd do it in the window they have anyway.

Generally speaking, they're OK.

Now when that office contracts out to an EDI clearing house or something, audits have to happen and contracts get signed. In EDI, there's encryption going on and it's all fairly secure.

The sloppy area is when the office emails files to doctors because doctors can't be bothered to learn the system, or when insurance people email files because they don't use the web portal.

Within your company, Exchange is secure. I can email Patient XYZ to you if we're both employees, and hackers aren't getting it; HIPAA isn't mad. If I email that file to your Gmail account, as this thread indicates, there are problems.

Technically, to include a third party in the transaction requires a BLA under HIPAA. The third party is liable for securing that data, and if they don't KNOW that you're putting Protected Health Information (PHI) on them, how can they comply with HIPAA?

On top of that, email from my server to your server is not secure unless there's a pre-established encryption between us (TLS, forget what it stands for).

We have TLS set up with some specific clients, but our general approach is NEVER send patient data via email. Our products include web portals for logging in to see your authorized patient data/files, and emails that contain links to our web portal. We never send any PHI in our automated emails.

On top of that, Exchange 2010 and above has enforcement rules for preventing a user from sending an email that contains PHI, because it looks for the patterns of it (like a social security number).

We're a small company; a breach means somebody gets the data we hold, and we pay for notifications for the affected people, and we pay a million dollar fine to the Department of Health. That's what any of these businesses face. For us, we're scared to death of the HIPAA monster.
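The access-logging approach Janx describes (log who opens which record and look for unusual access, rather than toggling per-employee rights for every episode of care), shown as an added example. This is not code from the post or from any product; the episode table, the log lines, the 30-day billing tail and the spike thresholds are all constructed assumptions for illustration.

```python
"""Added example: spot unusual patient-record accesses from an access log.

Not code from the forum post or any product.  The episode table, the log
lines, the 30-day billing tail and the spike thresholds are constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed episodes of care: patient -> list of (start, end) windows in
# which staff have a legitimate reason to open the record.
EPISODES = {
    "P100": [(datetime(2013, 8, 1), datetime(2013, 8, 20))],
    "P200": [(datetime(2013, 8, 5), datetime(2013, 8, 6))],
    "P300": [],  # no episode on file at all
    "P400": [(datetime(2013, 8, 9), datetime(2013, 8, 12))],
}

# Assumption: billing works the visit after the fact, so that role gets a
# tail beyond the episode; every other role is expected inside the window.
ROLE_TAIL = {"billing": timedelta(days=30)}

# Constructed access-log lines: timestamp user role patient action
ACCESS_LOG = """\
2013-08-07T09:02:11 dr_lee physician P100 open
2013-08-07T09:05:40 billing1 billing P100 open
2013-08-07T09:09:00 billing1 billing P200 open
2013-08-08T10:12:03 sched2 scheduling P100 open
2013-08-09T10:12:03 sched2 scheduling P400 open
2013-08-10T13:41:58 sched2 scheduling P300 open
2013-08-10T13:42:30 sched2 scheduling P100 open
2013-08-10T13:43:02 sched2 scheduling P200 open
2013-08-10T13:43:40 sched2 scheduling P400 open
"""


def parse_log(text):
    """Turn the space-separated log into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        ts, user, role, patient, action = line.split()
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return entries


def in_episode(patient, ts, tail):
    """True if ts falls inside any episode window for patient (plus tail)."""
    return any(start <= ts <= end + tail
               for start, end in EPISODES.get(patient, []))


def find_unusual(entries, spike_factor=3, spike_floor=3):
    """Return (user, day, rule, detail) tuples for two rules:

    no_active_episode: the record was opened with no episode in progress
    volume_spike:      a user touched far more distinct patients in a day
                       than on their other days (and at least spike_floor)
    """
    findings = []

    for e in entries:
        tail = ROLE_TAIL.get(e["role"], timedelta(0))
        if not in_episode(e["patient"], e["ts"], tail):
            findings.append((e["user"], e["ts"].date().isoformat(),
                             "no_active_episode", e["patient"]))

    per_day = defaultdict(lambda: defaultdict(set))
    for e in entries:
        per_day[e["user"]][e["ts"].date()].add(e["patient"])

    for user, days in per_day.items():
        counts = {day: len(patients) for day, patients in days.items()}
        for day, n in counts.items():
            others = [c for d, c in counts.items() if d != day]
            baseline = median(others) if others else 0
            if n >= spike_floor and n > spike_factor * baseline:
                findings.append((user, day.isoformat(), "volume_spike",
                                 f"{n} patients vs median {baseline}"))
    return findings


if __name__ == "__main__":
    for finding in find_unusual(parse_log(ACCESS_LOG)):
        print(*finding)
```

Run against the constructed log, this flags sched2 twice on 2013-08-10 for opening records with no active episode (P300, and P200 whose episode closed on the 6th) and once for touching four distinct patients in a day against a median of one, while billing1's late look at P200 passes because of the billing tail. The point is the one Janx makes: the staff keep their access, and the review is done on the log afterwards.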
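An added illustration of the pattern-based outbound check Janx mentions (a mail server looking for something like a social security number before a message leaves the organisation). This is not Exchange's rule engine and not code from the post; the internal domain, the sample messages and the SSN plausibility rules are assumptions for the example.

```python
"""Added example: pattern check on outbound mail for Social Security
Numbers, the kind of rule the post says Exchange applies.

Not Exchange's engine and not code from the post.  The internal domain,
the sample messages and the SSN plausibility rules are assumptions.
"""
import re
from email.utils import getaddresses

# Assumption: mail to these domains stays inside the organisation.
INTERNAL_DOMAINS = {"example-clinic.test"}

# 3-2-4 digits with one consistent separator (dash, space or none) and no
# digit immediately before or after, so 10-digit phone numbers don't match.
# A bare 9-digit run still matches; that is an accepted false positive.
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues to cut obvious false positives."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return the SSN-like strings in text that pass the plausibility test."""
    return [m.group(0) for m in SSN_RE.finditer(text)
            if plausible_ssn(m.group(1), m.group(3), m.group(4))]


def external_recipients(to_header):
    """Addresses in a To/Cc header whose domain is not internal."""
    addrs = [addr for _, addr in getaddresses([to_header])]
    return [a for a in addrs
            if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def evaluate(to_header, body):
    """('reject', reason) when SSN-like data would leave the organisation,
    ('allow', '') otherwise.  Internal-only mail is left alone, matching
    the post's point that mail staying inside Exchange is not the problem."""
    ssns = find_ssns(body)
    ext = external_recipients(to_header)
    if ssns and ext:
        return ("reject",
                f"{len(ssns)} SSN-like value(s) addressed to {', '.join(ext)}")
    return ("allow", "")


# Constructed sample messages: (To header, body).
SAMPLES = [
    ("dr.lee@example-clinic.test",
     "Patient XYZ, SSN 219-09-9999, needs the claim re-filed."),
    ("dr.lee@gmail.com",
     "Patient XYZ, SSN 219-09-9999, needs the claim re-filed."),
    ("vendor@supplier.example",
     "Invoice 000-12-3456, order 123-45-0000, call 555-123-4567."),
]

if __name__ == "__main__":
    for to, body in SAMPLES:
        print(to, "->", *evaluate(to, body))
```

The first sample (same SSN, internal recipient) is allowed, the second (same body, a Gmail address) is rejected, and the third is allowed because an area of 000, a serial of 0000 and a 10-digit phone number all fail the plausibility or boundary rules. A real deployment would add more PHI patterns and a quarantine rather than a hard reject, but the shape of the check is the same.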