Is Win2k + SP3 HIPAA Compliant?

Posted by Cliff
from the EULAs-vs-government-regulations dept.
Chris asks: "Our company deals with medical records in a peripheral sort of way (as they pertain to student loans), and due to new laws we are required to be HIPAA compliant by April. After reading the discussion on here about the new EULA for Win2k SP3, I had a disturbing thought. As far as I can tell, if you use Windows 2000 then you're going to be out of compliance whatever you do. If you install the patch, then theoretically Microsoft could access those medical records (possibly by accident) without 'due cause or need' in the process of updating your machine. If you don't patch your system then you'll fail the security requirements of the law." If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?
  • by danheskett (178529)
    If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

    Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

    Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

    This question has to be some type of joke, right?

    • Additional thoughts:

      Use a firewall to block all traffic into and out of your network, and make the machines inside use proxy servers (for http) and relays (for smtp) to access the internet. In other words, disallow all traffic that is not explicitly permitted. Log what goes through the proxies and relays, and log attempts at initiation of direct outgoing traffic.
      • We are placing secondary firewalls between the servers and the desktops. We have found that most servers have extra ports open; even if you turn them off, something will get them turned on again, like a patch "fixing" a break.

        By isolating the servers from the rest of the network, we are able to control the port issues both ways, so ODBC and Remote Job Submits can be sent. The app is all green-screen based.

        Having the second firewall also prevents the servers "getting out" on the internet, because we removed the default route from the firewalls, so they do not know where the gateway to the internet is.
      • So, you thought desktop/application firewalls were safe? Think again. [grc.com]

        Although MS engineers are not really well-known for implementing clever and working solutions, I fear that they might have come up with a similar or even more advanced technique of establishing a "stealth" connection.

        A corporate firewall/packet filter with some sort of IDS enabled and all MS IPs blocked _might_ work if used in conjunction with an application firewall on each individual machine. On the other hand it might trade in too much flexibility for security. If the individual machine depends on http availability you're pretty much lost. You can piggyback/tunnel basically anything through that. Disabling IE and using Netscape might put a hold to that.

        But there ain't no verification of that unless someone can produce the w2k sources... And if someone does MS will have a patch ready and automatically deployed in RECORD time...
    • by Kristoffor (562485) on Wednesday August 28, 2002 @08:32AM (#4155429)
      Well I cannot speak for the author of the question but I can tell you that *I* was very intrigued when I saw this question. As an IT professional in a healthcare related field I am bombarded by questions re: HIPAA compliance. The HIPAA regs are in such disarray and so unclear that many people in the industry are anxiously waiting for the moment the regs are cleared up and complete so we can "sprint towards compliance".
    • by sphealey (2855) on Wednesday August 28, 2002 @08:41AM (#4155465)
      Running a Windows OS connected to the Internet without a firewall would constitute a violation of the "due cause" clause, with or without SP3.

      Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

      Have to disagree with your police work a bit there.

      The problem is not the service pack or the auto-downloader, which can be disabled. The problem is with the EULA itself, where Microsoft reserves for itself the right to access your system at any time. Installing the service pack off-line still requires acceptance of the EULA.

      sPh

      • "Access to the system" is a broad term... there are many ways to access a system and stay within HIPAA guidelines.
      • by Anonymous Coward on Wednesday August 28, 2002 @09:11AM (#4155613)
        I agree completely. It's the legal issues (not the "probable" or "possible" intrusion).

        At our company, we have NDA agreements like you've never seen before. We host legal documents for Law firms that are engaged in battle.

        No one. And I mean, NO ONE (other than the law firm), is allowed to see the documents that we host.

        The EULA that Microsoft has attached is in absolutely direct violation of our agreements with our clients.

        Ergo, we haven't installed SP3 and doubt that we will.
        • by Anonymous Coward
          Good, then all your boxes will belong to me, and I'll read all of your Word docs and put them up on Slashdot.
        • by dbrutus (71639)
          Since this effectively cripples your ability to maintain a secure box, when are you going to start migrating off MS in order to maintain your NDAs?
      • True. With MS sooner or later you will have to do a security update (or be stuck with an insecure system), and chances are that there will be a EULA that will conflict with your company's (privacy) policy. I'm currently working on a database project which will contain very privacy-sensitive (medical) data. We chose postgresql (not to start a mysql vs. pg flamewar, but pg was the more suitable for our purposes) because it's open, and thus safer. We would never trust this data to be stored in a database made by a company that will possibly break into the data. Of course, MS (and Oracle and the rest) will say that they would never do such a thing, but that's beside the point. Once I agree to the EULA they have the _right_ to do it. And even if the current EULA looks OK, there is no guarantee that future ones will be OK.
        • because it's open, and thus safer.

          be warned, this is not a universal truth

        • Liar.

          You claim:

          Once I agree to the EULA they have the _right_ to do it.

          That is untrue. Read the EULA snip:

          * If you choose to utilize the update features within the OS Product or OS Components, it is necessary to use certain computer system, hardware, and software information to implement the features. By using these features, you explicitly authorize Microsoft or its designated agent to access and utilize the necessary information for updating purposes. Microsoft may use this information solely to improve our products or to provide customized services or technologies to you. Microsoft may disclose this information to others, but not in a form that personally identifies you.

          Please tell the world what you based your quoted statement on.

          Please explain it. Yes it could change in the future, yes MS could present a new EULA next week. But so could *anyone* who sells software (including all that GPL software you love! ohh no!). You claim they can come in at anytime and do anything, which is false. You give them permission if and only if you use the auto-update features.

          That's the bottom line.
          • It's the next clause that's bad:

            * The OS Product or OS Components contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that Microsoft may automatically check the version of the OS Product and/or its components that you are utilizing and may provide upgrades or fixes to the OS Product that will be automatically downloaded to your computer.
      • Well, shoot, the US courts have ruled that consumers are allowed to make copies of analog media for personal use, but that hasn't stopped the industry from putting Macrovision on the video tapes to try to stop us.

        Let's turn the tables on them this time.

    • by NumberSyx (130129) on Wednesday August 28, 2002 @08:52AM (#4155514) Journal

      Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

      This is not a technical issue; disabling Auto-Update is trivial. This is a legal issue. The real problem is that by agreeing to the EULA they are giving a third party, who has no due cause, access to their system. Whether or not Microsoft ever actually accesses their system is not the point; the point is they have given consent and Microsoft could in theory demand access at any time, say for example to check for unlicensed copies of software. I suggest you get a lawyer who can sort this out for you. It is also possible, however unlikely, that a good lawyer could negotiate a different EULA with Microsoft.

    • by volpe (58112) on Wednesday August 28, 2002 @08:54AM (#4155522)
      ... if your own operating system is tunnelling through http to make requests from Microsoft's server to download patches without your knowledge?
      (Unless, of course, you want to cut off MS's websites from your browsers as well.)

      Note that disabling auto-updating is a technical solution that assumes that MS won't ignore that setting for any updates that it considers to be "really critical", either to your security, or to MS's business needs.
      • How do you know they aren't doing it already? Closed source backdoors are evil! OMG all my boxes are belong to Microsoft! If you are an administrator and your boxes are doing something without your knowledge you should be looking for a job. Just because you don't know how to solve a problem doesn't mean it isn't a solved problem. Firewalls that restrict outbound access, proxies, HIDS: your problem is not a problem.

        As others have stated, the technical part of this is a non-issue. The only question is the legal one. IANAL, but if you are HIPAA compliant you can't legally agree to Microsoft's EULA. Since I seriously doubt that MS is going to sue you for breach when you don't give them unfettered access, I think that is a non-issue as well.
    • by yasth (203461)
      A firewall does not prevent the possibility of MS getting access by other means. If it is an agreed-to part of the EULA, then they can take such steps as needed to effect the clauses. I would also be worried about the no-cause software audits that some MS volume plans have. I mean, obviously if you have a search warrant then you have to let them in, even if they might incidentally find some records, but lowering the standard needed to perform an audit might have legal implications. I would ask your in-house counsel about both the EULA and the licensing agreements.

      IANAL, and even if I was this would not be legal advice.
    • by rseuhs (322520)
      Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.

      Microsoft has the right to ignore all settings for auto-updating whenever they want.

      Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

      • by Zocalo (252965) on Wednesday August 28, 2002 @09:14AM (#4155628) Homepage
        Of course they can (and will) bundle the DRM-stuff with the next service packs anyway, so sooner or later they will get DRM into all Windows machines.

        Ah, but they are preventing users of pirated activation codes and Warez copies of XP from accessing the Windows Update site aren't they? Wouldn't that also preclude gaining access to the DRM "upgrade"?

        All of a sudden that Windows XP .ISO and keygen I spotted on P2P seems a lot more appealing... ;)

    • by Anonymous Coward
      The user doesn't have an issue with Auto-update. The problem is with the EULA.
      The problem is with the EULA.
      The problem is with the EULA.

      They have to be compliant with a law that says their system is not accessible to third parties.
      The EULA allows a third party access to the system.
      This is the issue the user has. Why oh why can't you comprehend this?

      Furthermore, Slashdot is not purely a "technical forum".

      Furthermore, disable auto-updating and do it manually and the problem is solved, moot, and done.
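The thread above describes the egress policy most of the replies converge on: desktops reach the Internet only through an HTTP proxy and an SMTP relay, servers sit behind a second firewall with no route out, everything not explicitly permitted is denied, and direct outbound attempts are logged. The following is an added example, not code from the original thread, that models that policy as a first-match rule list and evaluates constructed connection attempts against it. Addresses, ports, hostnames and timestamps are assumptions chosen for illustration.

```python
"""Default-deny egress policy with logging of direct outbound attempts.

Added example, not code from the original thread. Models the policy the
comments describe (desktops via proxy/relay only, servers with no route out,
deny and log everything else) and evaluates constructed traffic against it.
Addresses, ports and timestamps are assumptions for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # destination port, None = any
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Attempt:
    ts: str
    src: str
    dst: str
    dport: int


# Assumed addressing: desktops 10.1.0.0/16, servers 10.2.0.0/16,
# HTTP proxy 10.0.0.10:3128, SMTP relay 10.0.0.25:25. Servers get no allow
# rule towards anything outside their segment, which is the "no default
# route" effect of the second firewall in the thread.
RULES: List[Rule] = [
    Rule("desktop-to-proxy",   "10.1.0.0/16", "10.0.0.10/32", 3128, "allow"),
    Rule("desktop-to-relay",   "10.1.0.0/16", "10.0.0.25/32", 25,   "allow"),
    Rule("desktop-to-servers", "10.1.0.0/16", "10.2.0.0/16",  None, "allow"),
    Rule("default-deny",       "0.0.0.0/0",   "0.0.0.0/0",    None, "deny"),
]


def matches(rule: Rule, attempt: Attempt) -> bool:
    return (ip_address(attempt.src) in ip_network(rule.src)
            and ip_address(attempt.dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == attempt.dport))


def policy_is_default_deny(rules: List[Rule]) -> bool:
    """True if the last rule is a catch-all deny, i.e. anything not
    explicitly permitted is dropped."""
    if not rules:
        return False
    last = rules[-1]
    return (last.action == "deny" and last.dport is None
            and ip_network(last.src).prefixlen == 0
            and ip_network(last.dst).prefixlen == 0)


def evaluate(attempt: Attempt, rules: List[Rule] = RULES) -> Rule:
    """First-match evaluation; with a default-deny tail every attempt matches."""
    for rule in rules:
        if matches(rule, attempt):
            return rule
    raise ValueError("rule set has no catch-all; refusing to guess")


def audit(attempts: List[Attempt], rules: List[Rule] = RULES) -> List[str]:
    """Log lines for every denied attempt: these are the direct outbound
    initiations the thread says to watch for."""
    if not policy_is_default_deny(rules):
        raise ValueError("rule set is not default-deny")
    log = []
    for a in attempts:
        rule = evaluate(a, rules)
        if rule.action == "deny":
            log.append(f"{a.ts} DENY {a.src} -> {a.dst}:{a.dport} rule={rule.name}")
    return log


# Constructed sample traffic (not real captures); 203.0.113.10 is a
# documentation address standing in for any Internet host.
SAMPLE_ATTEMPTS = [
    Attempt("2002-08-28T08:32:00", "10.1.5.7", "10.0.0.10", 3128),   # desktop via proxy
    Attempt("2002-08-28T08:32:05", "10.1.5.7", "10.0.0.25", 25),     # desktop via relay
    Attempt("2002-08-28T08:32:09", "10.1.5.7", "10.2.0.5", 1433),    # desktop ODBC to server
    Attempt("2002-08-28T08:33:00", "10.1.5.7", "203.0.113.10", 80),  # desktop straight to Internet
    Attempt("2002-08-28T08:33:30", "10.2.0.5", "203.0.113.10", 80),  # server trying to get out
    Attempt("2002-08-28T08:34:00", "10.2.0.5", "10.0.0.10", 3128),   # server via proxy: no rule
]


if __name__ == "__main__":
    for line in audit(SAMPLE_ATTEMPTS):
        print(line)
```

The audit refuses to run against a rule set that does not end in a catch-all deny, which is the property the thread is really arguing for: a machine that wants to bypass the proxy, whether it is a user, malware, or an update agent, shows up as a DENY line rather than silently succeeding.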
  • by TimeTrav (460837) on Wednesday August 28, 2002 @08:27AM (#4155406)
    HIPAA extensions are being granted to anyone who fills out a form requesting one. One of the reasons you can give for requesting one is "awaiting clarification of standards".

    This is one of those standards that has yet to be clearly defined.
  • by edgrale (216858) on Wednesday August 28, 2002 @08:30AM (#4155416)
    If you have a network with Windows 2000 workstations you do not want them to independently access, download and install the patches from Microsoft.

    Instead you have a server running SUS, aka Software Update Services [microsoft.com]. It solves the problem of Microsoft accessing your workstations as you deploy the fixes from a central server of your choosing. This is what Microsoft recommends us to use; I spoke a few weeks ago with the Product Manager for the Finnish division and he recommended this.
    • by spudnic (32107) on Wednesday August 28, 2002 @09:09AM (#4155602)
      From the FAQ:

      Q. Does SUS support Service Packs?
      A. No, it is not possible to use SUS to deploy Service Packs.

      • It has been my experience that one should do a clean install when a new service pack has been released. Integrate it with the original media and install.

        This way you rule out any weird things happening that a hotfix might have caused. And besides, we are talking about hotfixes here. That's what 'Automatic Update' was designed to install, granted it can be used to apply service packs as well.
      • by jeffy210 (214759) on Wednesday August 28, 2002 @11:29AM (#4156530)
        Q. Does SUS support Service Packs?
        A. No, it is not possible to use SUS to deploy Service Packs.


        Yes, but that's not the point of SUS, if you wish to deploy a service pack to a windows 2000 domain, you push it out via an Active Directory published package.

        On a side note, I have realized a lot of people here don't realize the amount of control an administrator has with Active Directory. I suggest some of you read up on that.
        • Yes, but that's not the point of SUS, if you wish to deploy a service pack to a windows 2000 domain, you push it out via an Active Directory published package.

          Yeah, you're supposed to use AD to install all the great hotfix MSI's that Microsoft provides.

          What? You mean they don't actually provide .msi format hotfixes? So, essentially, if I want to actually USE the feature the way they're advertising it, I need to repackage the hotfix or manually create a .zap [microsoft.com] file to make it work?

          I guess there's no real rush. I mean, hey, how much can security possibly matter?
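The SUS approach in the thread above only helps if every client is actually configured to use the internal server (or has Automatic Updates switched off) rather than contacting Microsoft on its own. The Automatic Updates client reads its policy from the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (WUServer, WUStatusServer) and ...\WindowsUpdate\AU (NoAutoUpdate, UseWUServer, AUOptions), which is what a Group Policy pointing clients at SUS writes. The following is an added example, not code from the original thread or from Microsoft: it parses a regedit export of those keys and reports whether the client would still talk to Microsoft directly. Both exports are constructed samples, and the SUS host name is an assumption.

```python
"""Check a Windows 2000 client's Automatic Updates policy from a regedit export.

Added example, not code from the original thread or from Microsoft. Parses
the WindowsUpdate policy keys and reports whether the client would contact
Microsoft on its own. The exports and the SUS host name are constructed.
"""
import re
from typing import Dict, List, Set
from urllib.parse import urlparse

WU_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')
_STRING = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for REGEDIT4 / 'Windows Registry Editor' exports:
    returns {key path: {value name: int or str}}. String values are taken
    verbatim (no unescaping), which is enough for URLs without backslashes."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _DWORD.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = _STRING.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def check_update_policy(reg: Dict[str, Dict[str, object]],
                        approved_sus_hosts: Set[str]) -> List[str]:
    """Return findings; an empty list means the client will not contact
    Microsoft on its own. Acceptable states: Automatic Updates switched off
    (patches applied by hand), or AU enabled but redirected to an approved
    internal SUS server for both downloads and status reporting."""
    wu = reg.get(WU_KEY, {})
    au = reg.get(AU_KEY, {})
    findings: List[str] = []
    if au.get("NoAutoUpdate") == 1:
        return findings
    if au.get("UseWUServer") != 1:
        findings.append("Automatic Updates is on and UseWUServer is not 1: "
                        "client will talk to Microsoft directly")
    for name in ("WUServer", "WUStatusServer"):
        url = wu.get(name)
        if not isinstance(url, str) or not url:
            findings.append(f"{name} is not set")
            continue
        host = urlparse(url).hostname
        if host not in approved_sus_hosts:
            findings.append(f"{name} points at an unapproved host: {url}")
    return findings


# Constructed export: AU enabled with default settings, nothing redirected.
WEAK_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"AUOptions"=dword:00000004
"""

# Constructed export: AU enabled but pointed at an internal SUS server.
CORRECTED_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://sus.corp.internal"
"WUStatusServer"="http://sus.corp.internal"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000000
"UseWUServer"=dword:00000001
"AUOptions"=dword:00000004
"""

APPROVED = {"sus.corp.internal"}  # assumed internal SUS host


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("corrected", CORRECTED_EXPORT)):
        print(label, check_update_policy(parse_reg(export), APPROVED) or ["ok"])
```

Run this over exports collected from the fleet (reg.exe or regedit /e on each client) and anything with findings is a machine that would still reach Microsoft directly; the status-server check matters because a client that downloads from SUS but reports status to Microsoft is still initiating outbound traffic to a third party.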

  • HIPAA Compliance (Score:4, Insightful)

    by mosch (204) on Wednesday August 28, 2002 @08:31AM (#4155422) Homepage
    If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

    Besides, would you really want to take legal advice from a group of people who are known to mistake duct tape and baling wire for building materials?

    • Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.

      Normally I would agree wholeheartedly with this statement. However, I have already seen a comment from a person who is going through the same thing and had a bang-up answer that made sense. I have seen a lot of crap, but I don't think that the author is intending on using Slashdot in court ("Your honor, but L0053c4nn0n on Slashdot said it was right!") but simply not wanting to duplicate steps that others have already taken.

    • by sphealey (2855) on Wednesday August 28, 2002 @08:52AM (#4155515)
      If you want an answer, you're going to need to hire a lawyer. Asking Slashdot will certainly give you a wide variety of unfounded opinions, and baseless conclusions, but it won't actually be useful. At all.
      In the long run, you are of course correct. This issue will need to be resolved by the hospital's CIO and Legal Dept.

      However, when seeking assistance from a lawyer (or any similar professional) it is best to have a basic understanding of what is going on, and what you need, before you set up a meeting. You will get a lot more accomplished that way.

      Similarly, lawyers aren't born knowing everything (even though they try to foster that impression!). If your hospital's legal dept. primarily handles malpractice and billing cases, and you bring an intellectual property / EULA problem to them, they are also going to have to do some research to get up to speed. Being able to provide background helps here too.

      sPh

    • by Greyfox (87712)
      You mean having watched every episode of "Ally McBeal" doesn't make me a leading legal expert? Damn it!
  • by C0vardeAn0nim0 (232451) on Wednesday August 28, 2002 @08:32AM (#4155428) Journal
    is the head title of this article [theregister.co.uk] in The Reg [theregister.co.uk].

    basically it teaches how to deactivate this backdoor M$ is installing in every win2k box.

    now, the original submitter could really consider an alternative.

    if U don't like free (as in freedom) open source tools, why not a Solaris box with Oracle to keep the data ? Or an AIX with DB2 ? or PostgreSQL ?

    do you REALLY need win2k ????
    • Well, for starters, Solaris boxes are rather expensive; the person asking the question may not be able to authorize that kind of purchase even if he wanted to. I believe he was looking for either a software fix, or a cheaper hardware one that would still allow him to use his current setup. I'd suggest a firewall, and disabling the autoinstallers.
    • Cripes man, have you ever seen the cost of a Unix oracle installation??

      Why did SQL6/7/2000 ever get a foot hold? Look at the prices.

      Yes, indeed medical should have the money to buy this stuff, but a lot of places are on the verge and can't spend this kind of money.

      #2 - Install your sp3 and disable the auto-update. Sometimes I think slashdot puts this kind of crap up as one large troll. Not that microsoft is a saint, or even a normal sinner, but 2 wrongs don't make a right. The stance that you leave out a little information to try to make a point is bias. Every day slashdot slips down the slippery slope and it is starting to get ugly.

    • basicaly it teaches how to deactivate this backdoor M$ is installing in every win2k box.

      Not to be a conspiracy theorist, but that only deactivates the "well known" update service. Once you have SP3 on your machine, you have agreed to the EULA, allowing Microsoft to throw anything, anyway, anytime onto YOUR machine. Once they have the right (that you just agreed to to get the bugfixes), the barn door is open to any way Microsoft can get files onto your machine. Known to you, or not.
      • PS: Could a lawyer please explain how that is not a protection racket?
  • by Kefaa (76147) on Wednesday August 28, 2002 @08:46AM (#4155482)
    HIPAA is like any other oversight group and only it can decide this is "okay" or a "violation". However, since logic cannot be guaranteed to rule, you cannot guess which. Have your company, preferably through your legal counsel, submit a binding request for clarification.

    Be certain your lawyer understands he should ask for an exemption until this is clarified. (This will prevent them from sitting on it for two years and then you getting in trouble later.)

    Later when HIPAA says it is okay to do "X" and you find MS (or anyone with such an EULA) has absorbed records, your company is in the clear. Do not presume you can later claim a technical solution that was "just as good as..."

    This is an issue for your lawyer(s) to resolve, not Slashdot.
    • HIPAA isn't an oversight group. It's a law.

      Say it with me now: Health Insurance Portability and Accountability Act.

      • Beat me like a rented mule!

        You are correct (but you knew that). In my haste I typed HIPAA instead of HCFA. In thinking it over however, I seem to recall the GAO got involved some time back and that caused responsibility for enforcement to the States. If so, getting an answer especially if his company is multi-state will be real fun. (Unless they have Federal oversight somewhere)

  • by motardo (74082) on Wednesday August 28, 2002 @08:48AM (#4155495)
    http://www.openhealth.org/ [openhealth.org]


    http://www.euspirit.org/ [euspirit.org]

  • Read the EULA. (Score:3, Insightful)

    by rjh (40933) <rjh@sixdemonbag.org> on Wednesday August 28, 2002 @08:49AM (#4155497)
    Really. It'll clarify things right up. Dollars to donuts there's a clause in there, probably called "Severability" or something to that effect, which states that "if any clause in this EULA is found to be in violation of the law, then it is null and void with all the other clauses still in effect."

    Contracts aren't allowed to violate the law. A contract to kill someone isn't legally binding, because murder is illegal. If Microsoft wants to claim they get remote access at will to your boxes, then you get to say "neener neener neener, no you don't, under HIPAA I'm forbidden from allowing you that access".

    The proper Microsoft response? "Oh. Well, we're sorry about that. All the other clauses of the EULA stick, though."

    So go ahead, get Windows SP3, and then figure out some way to disable remote-root.

    Oh, and one more thing--

    FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

    (Sorry, just had to get that knee-jerk reaction out of my system.)
    • One might argue that a EULA is more binding because someone agreed to it actively, instead of a law which one basically accepts passively. Oftentimes the laws may have been passed before you were even born, so there's not much realistically you can do, but you have every option of clicking 'accept' or 'do not accept' when the LA comes up.

      Problem is, most companies don't accept the agreement themselves. A contractor installs stuff on their machines for them, clicks 'OK' 50 times, and leaves. Much like if we actually had to *pay* taxes, instead of most people having them withheld, if most people actually READ the LA with most software, there'd be a minor revolution.
    • On a proprietary system ?

      Do you honestly believe that you can do this ?

      I mean, sure there's some "disable remote r00t" clickety-click somewhere - as long as you cannot verify what the OS actually does about it, it means squat. Nobody promised you it would also disable the "remote w00t r00t", or the "hidden remote secret root", or the ...

      There is one perfect solution: Keep proprietary OS machines off the network. Galvanic separation - no cable (and no antennas!) - works 100%

      There is a less than perfect solution: Filter off all machines from vendor-X using products from vendor-Y. Make all machines from vendor-X resistant to attacks from the vendor-Y machines. Oh, and be damn sure that the two vendors are not affiliated, and are not controlled by the same government.

      Sort of limits your options...

      Unless you choose products where you can verify their operation. Note, this does not necessarily mean proof-reading the entire source: if the source is publicly available, the vendor is facing a mutual risk - *if* a backdoor is discovered he loses credibility and goes out of business, *because* there are alternative vendors available. Free Software is very clever in many ways that are not immediately obvious.

      • There is a less than perfect solution: Filter off all machines from vendor-X using products from vendor-Y. Make all machines from vendor-X resistant to attacks from the vendor-Y machines. Oh, and be damn sure that the two vendors are not affiliated, and are not controlled by the same government.


        This won't work. MS is slap happy about RPC over HTTP. They can even do it through a caching proxy. That means any firewall that allows web traffic won't prevent access to their Windows software on your machine. But even if you took the medical records completely off the internet this is a legal problem, not a technical one. You gave them access; they might demand physical access if you don't give them electronic access. I don't see it happening, but legally, in any state where EULAs apply, they can.

        The only solution here is to get MS to sign a supplementary agreement that is satisfactory for HIPAA, or for the congress critters to pass a law forbidding overbroad hacking clauses in contracts, forcing Microsoft to rewrite their EULA for everyone.

        I still think the best thing to do is deny copyright protection to any work distributed with license. Sort of a patent vs. trade secret distinction, instead you get a choice between copyright or contract.
    • But it isn't illegal for Microsoft to have a clause in their contract saying they can view systems, it may be illegal for the hospital to use the Microsoft software with that clause. That's very different to the contract violating law.
    • OK... Like many of you, I was skeptical that this was an issue at all. How realistic is it, in this MS-paranoid forum, that you're really granting MS access to your system "at any time"? The Ask Slashdot sounded like FUD-baiting. But then, someone made the intelligent point that whether or not MS has real access to private data, the fact that the EULA may cause you to AGREE to give them some sort of access may violate HIPAA.

      Well, fight FUD with facts I say, so I downloaded SP3 and here's the actual supplemental EULA. Note bulleted point #3... it does not begin with the same "If you choose..." qualifier as point #2. I'll leave it to the legal scholars and armchair lawyers to talmudically wrangle over what sort of privacy violation is inherent in allowing "OS product" version checking and update installation. I know nothing about HIPAA.

      And as for the "Severability" clause the parent post refers to... Not there. So, I've never been clear, do I get Dollars or Donuts for winning the bet? :) (OK, granted, the Win2K EULA, which is a superordinate parent of the SP3 EULA, may include such a clause...)

      Long-ass EULA follows:

      SUPPLEMENTAL END USER LICENSE AGREEMENT FOR
      MICROSOFT SOFTWARE

      IMPORTANT: READ CAREFULLY - These Microsoft
      Corporation ("Microsoft") operating system components,
      including any "online" or electronic documentation
      ("OS Components") are subject to the terms and
      conditions of the agreement under which you have
      licensed the applicable Microsoft operating system
      product described below (each an "End User License
      Agreement" or "EULA") and the terms and conditions of
      this Supplemental EULA.
      BY INSTALLING, COPYING OR OTHERWISE USING THE
      OS COMPONENTS, YOU AGREE TO BE BOUND BY THE
      TERMS AND CONDITIONS OF THE APPLICABLE OS
      PRODUCT EULA AND THIS SUPPLEMENTAL EULA. IF
      YOU DO NOT AGREE TO THESE TERMS AND
      CONDITIONS, DO NOT INSTALL, COPY OR USE THE
      OS COMPONENTS.

      NOTE: IF YOU DO NOT HAVE A VALID EULA FOR
      MICROSOFT WINDOWS 2000 PROFESSIONAL, WINDOWS
      2000 SERVER, WINDOWS 2000 ADVANCED SERVER, OR
      WINDOWS 2000 DATACENTER SERVER (each an "OS
      Product"), YOU ARE NOT AUTHORIZED TO INSTALL,
      COPY OR OTHERWISE USE THE OS COMPONENTS AND
      YOU HAVE NO RIGHTS UNDER THIS
      SUPPLEMENTAL EULA.

      Capitalized terms used in this Supplemental EULA and not
      otherwise defined herein shall have the meanings assigned
      to them in the applicable OS Product EULA.

      General. The OS Components are provided to you by
      Microsoft to update, supplement, or replace existing
      functionality of the applicable OS Product. Microsoft
      grants you a license to use the OS Components under the
      same terms and conditions of the OS Product EULA for the
      applicable OS Product (which are hereby incorporated by
      reference except as otherwise set forth below) and the
      terms and conditions set forth in this Supplemental EULA,
      provided that you comply with all such terms and conditions.
      To the extent that any terms in this Supplemental EULA
      conflict with terms in the applicable OS Product EULA, the
      terms of this Supplemental EULA control solely with respect
      to the OS Components.

      Additional Rights and Limitations.

      * With respect to the OS Components only, if the licensor of the
      applicable OS Product was an entity other than Microsoft,
      then for the purposes of this Supplemental EULA Microsoft
      will be the licensor with respect to such OS Components in
      lieu of the "Manufacturer" or other entity and support, if
      any, for such OS Components shall not be provided by
      Manufacturer. With respect to the existing functionality
      contained in the applicable OS Product which is not updated,
      supplemented, or replaced by the OS Components, the EULA
      for the OS Product shall remain in full force and effect as to
      that OS Product.

      * If you choose to utilize the update features within the OS
      Product or OS Components, it is necessary to use certain
      computer system, hardware, and software information to
      implement the features. By using these features, you
      explicitly authorize Microsoft or its designated agent to
      access and utilize the necessary information for updating
      purposes. Microsoft may use this information solely to
      improve our products or to provide customized services or
      technologies to you. Microsoft may disclose this
      information to others, but not in a form that personally
      identifies you.

      * The OS Product or OS Components contain components that
      enable and facilitate the use of certain Internet-based
      services. You acknowledge and agree that Microsoft may
      automatically check the version of the OS Product and/or its
      components that you are utilizing and may provide upgrades
      or fixes to the OS Product that will be automatically
      downloaded to your computer.

      * If you have multiple validly licensed copies of the applicable
      OS Product(s), you may reproduce, install and use one copy
      of the OS Components as part of such applicable OS Product
      (s) on all of your computers running validly licensed copies
      of the OS Product(s) provided that you use such additional
      copies of the OS Components in accordance with the terms
      and conditions above. Microsoft, its subsidiaries and/or
      suppliers retain all right, title and interest in and to the
      OS Components. All rights not expressly granted are
      reserved by Microsoft, its subsidiaries and/or suppliers.

      IF THE APPLICABLE OS PRODUCT WAS LICENSED TO
      YOU BY MICROSOFT OR ANY OF ITS WHOLLY OWNED
      SUBSIDIARIES, THE LIMITED WARRANTY (IF ANY)
      INCLUDED IN THE APPLICABLE OS PRODUCT EULA
      APPLIES TO THE OS COMPONENTS PROVIDED THE OS
      COMPONENTS HAVE BEEN LICENSED BY YOU WITHIN
      THE TERM OF THE LIMITED WARRANTY IN THE
      APPLICABLE OS PRODUCT EULA. HOWEVER, THIS
      SUPPLEMENTAL EULA DOES NOT EXTEND THE TIME
      PERIOD FOR WHICH THE LIMITED WARRANTY
      IS PROVIDED.

      IF THE APPLICABLE OS PRODUCT WAS LICENSED TO
      YOU BY AN ENTITY OTHER THAN MICROSOFT OR ANY
      OF ITS WHOLLY OWNED SUBSIDIARIES, MICROSOFT
      DISCLAIMS ALL WARRANTIES WITH RESPECT TO THE
      OS COMPONENTS AS FOLLOWS:

      DISCLAIMER OF WARRANTIES. TO THE MAXIMUM
      EXTENT PERMITTED BY APPLICABLE LAW, MICROSOFT
      AND ITS SUPPLIERS PROVIDE TO YOU THE OS
      COMPONENTS, AND ANY (IF ANY) SUPPORT SERVICES
      RELATED TO THE OS COMPONENTS ("SUPPORT
      SERVICES") AS IS AND WITH ALL FAULTS; AND
      MICROSOFT AND ITS SUPPLIERS HEREBY DISCLAIM
      WITH RESPECT TO THE OS COMPONENTS AND
      SUPPORT SERVICES ALL WARRANTIES AND
      CONDITIONS, WHETHER EXPRESS, IMPLIED OR
      STATUTORY, INCLUDING, BUT NOT LIMITED TO,
      ANY (IF ANY) WARRANTIES OR CONDITIONS OF OR
      RELATED TO: TITLE, NON-INFRINGEMENT,
      MERCHANTABILITY, FITNESS FOR A PARTICULAR
      PURPOSE, LACK OF VIRUSES, ACCURACY OR
      COMPLETENESS OF RESPONSES, RESULTS, LACK OF
      NEGLIGENCE OR LACK OF WORKMANLIKE EFFORT,
      QUIET ENJOYMENT, QUIET POSSESSION, AND
      CORRESPONDENCE TO DESCRIPTION. THE ENTIRE
      RISK ARISING OUT OF USE OR PERFORMANCE OF
      THE OS COMPONENTS AND ANY SUPPORT SERVICES
      REMAINS WITH YOU.

      EXCLUSION OF INCIDENTAL, CONSEQUENTIAL AND
      CERTAIN OTHER DAMAGES. TO THE MAXIMUM EXTENT
      PERMITTED BY APPLICABLE LAW, IN NO EVENT
      SHALL MICROSOFT OR ITS SUPPLIERS BE LIABLE
      FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
      CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING,
      BUT NOT LIMITED TO, DAMAGES FOR: LOSS OF
      PROFITS, LOSS OF CONFIDENTIAL OR OTHER
      INFORMATION, BUSINESS INTERRUPTION, PERSONAL
      INJURY, LOSS OF PRIVACY, FAILURE TO MEET ANY
      DUTY (INCLUDING OF GOOD FAITH OR OF
      REASONABLE CARE), NEGLIGENCE, AND ANY OTHER
      PECUNIARY OR OTHER LOSS WHATSOEVER) ARISING
      OUT OF OR IN ANY WAY RELATED TO THE USE OF OR
      INABILITY TO USE THE OS COMPONENTS OR THE
      SUPPORT SERVICES, OR THE PROVISION OF OR
      FAILURE TO PROVIDE SUPPORT SERVICES, OR
      OTHERWISE UNDER OR IN CONNECTION WITH ANY
      PROVISION OF THIS SUPPLEMENTAL EULA, EVEN IF
      MICROSOFT OR ANY SUPPLIER HAS BEEN ADVISED OF
      THE POSSIBILITY OF SUCH DAMAGES.

      LIMITATION OF LIABILITY AND REMEDIES.
      NOTWITHSTANDING ANY DAMAGES THAT YOU MIGHT
      INCUR FOR ANY REASON WHATSOEVER (INCLUDING,
      WITHOUT LIMITATION, ALL DAMAGES REFERENCED
      ABOVE AND ALL DIRECT OR GENERAL DAMAGES), THE
      ENTIRE LIABILITY OF MICROSOFT AND ANY OF ITS
      SUPPLIERS UNDER ANY PROVISION OF THIS
      SUPPLEMENTAL EULA AND YOUR EXCLUSIVE REMEDY
      FOR ALL OF THE FOREGOING SHALL BE LIMITED TO
      THE GREATER OF THE AMOUNT ACTUALLY PAID BY
      YOU FOR THE OS COMPONENTS OR U.S.$5.00. THE
      FOREGOING LIMITATIONS, EXCLUSIONS AND
      DISCLAIMERS SHALL APPLY TO THE MAXIMUM EXTENT
      PERMITTED BY APPLICABLE LAW, EVEN IF ANY
      REMEDY FAILS ITS ESSENTIAL PURPOSE.
    • Re:Read the EULA. (Score:4, Interesting)

      by Zeinfeld (263942) on Wednesday August 28, 2002 @11:19AM (#4156432) Homepage
      FOR THE LOVE OF GOD, TALK TO LEGAL COUNSEL. WHY THE FSCK ARE YOU ASKING LEGAL QUESTIONS ON `ASK SLASHDOT', ANYWAY?! DO WE LOOK LIKE HARVARD LAW GRADS?!

      Oh come on, we know why the question was put. It was a snarky little jibe whose only purpose was to claim that HIPAA prevented the use of Windows.

      It is kind of like a 'proof' that 1 = 2. We are not meant to agree with the conclusion, we are meant to admire the devious application of logic.

      It is quite obvious to anyone but a moron that MSFT is not going to enforce license agreements that prevent sale of their product for use regulated by HIPAA.

      It should also be obvious that the EULA term was written very broadly by a lawyer who was attempting to minimize the probability of a lawsuit if someone complained about auto-update or the like.

      And it should be completely obvious that Microsoft as a US corporation is obliged to comply with HIPAA. Microsoft is one of the few US companies that actually has a privacy policy and has agreed to be regulated under the EU privacy directive.

      The other fact to consider is that the Clinton era HIPAA act has since been gutted by the Bush administration, who have issued 'guidance' that essentially negates the whole act. Under the Bush guidelines you lose the right to opt out. Hospitals can refuse service if you don't waive all your rights to patient confidentiality, which they can do in small print. So while the act may require hospitals to install firewalls etc. etc., none of it will make any difference because the hospitals can now sell all your confidential data to the people you least want to have hold of it.

  • Remember this? (Score:3, Insightful)

    by Rogerborg (306625) on Wednesday August 28, 2002 @08:50AM (#4155501) Homepage

    "Nobody ever got sacked for buying IBM"

    If you're just worrying about covering your behind, extend to "Nobody ever got sacked for buying Microsoft" and then to "Nobody ever got sacked for clicking through default Microsoft licenses."

    I actually think that people should get sacked for doing this if they compromise their business for the sake of avoiding raising a thorny issue, but it's not going to happen in our lifetime.

  • by Brento (26177) <brento@brentoz a r . c om> on Wednesday August 28, 2002 @08:50AM (#4155505) Homepage
    As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.

    Having said that, if either of these two represents your biggest problems, then you're probably safe for a while. I don't understand what you're trying to accomplish by asking Slashdot - maybe you should try checking with your MS rep first to at least get the company line. MS is wild about HIPAA - they produce a lot of BizTalk stuff for hospital EDI needs.
    • As long as you're being anal-retentive, you should be aware that unencrypted instant-messaging protocols are frowned upon, because medical staff can circumvent all your hard work and simply send patient data back & forth over the IM.
      Indeed. Many Wall Street firms block IM protocols on both the Internet connection and internally due to privacy and recordkeeping regulations.

      sPh

    • Red herrings R us (Score:3, Insightful)

      by alext (29323)
      Breaking confidentiality via the actions of authorized staff is a different risk. The question is about the act of assigning external parties privileges that itself breaks confidentiality agreements.
  • Some clarification? (Score:2, Interesting)

    by dr_dank (472072)
    How exactly would medical records relate in any way, shape, or form to student loans?
    • How exactly would medical records relate in any way, shape, or form to student loans?

      The most obvious reason would be that if you have a physical disability (which requires medical documentation, even if it's something obvious, like, say, a missing limb), you are extremely limited in how much work you can do. Inability to work, for reasons of a physical disability, certainly affects the type of loan re-payment plan you're on.

      I'd venture to say there are also special loans/grants, or special terms for loans if you're physically or mentally challenged.

  • A few thoughts (Score:3, Informative)

    by jayhawk88 (160512) <jayhawk88@gmail.com> on Wednesday August 28, 2002 @08:58AM (#4155547)
    We're currently struggling with HIPAA where I work as well. I'm no expert, but a few things I'd look at:

    - Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one).

    - Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your LAN/WAN), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.
    • consider serving that information up on a web page via an IIS/SQL type of solution of some kind

      Cause we all know how secure *those* products are. :)

      I'm not sure if HIPAA guidelines provide for this sort of thing, though.

      That's the problem - I don't think *anybody* knows for certain at this stage. Things are too ambiguous (yes, I've read most of the regulations).
      • Yeah, I know. You should see some of the BS documents we wrote up for a couple of departments to put in grant proposals. Lots of fancy phrases like "...have a way to secure workstations (use Windows 2000/XP and show users how to lock their machines)", "...offer a secure networking environment (no one has keys to the comms closets but us)", "...offer secure servers for confidential information (we know how to map a drive to a server on a separate VLAN)".

        It's pretty funny actually. All these departments come to us in a panic about HIPAA, we give them these fancy documents and reassuring words, and then don't hear about it again for two months. Seems to me this HIPAA stuff (right now anyway) is more about making things look good on your grant proposals and whatnot.

        Oh, and it is possible to run a secure IIS server guys, if you know what you're doing.
    • We're currently struggling with HIPAA where I work as well. I'm no expert, but a few things I'd look at: - Your W2k workstations should not be exposed to the outside world. Firewall or NAT them (or both), and remove the WindowsUpdate icons from them and let your IT staff update them manually (or via pushed updates through your domain, if you have one). - Ideally, the server with your HIPAA stuff on it should be hidden from view as well. Dedicate a server to nothing but HIPAA file serving if you have to. If it's absolutely necessary to access the information from remote locations (i.e., ones outside your LAN/WAN), consider serving that information up on a web page via an IIS/SQL type of solution of some kind, but with those services running on another server. I'm not sure if HIPAA guidelines provide for this sort of thing, though.

      I agree with what you are saying, but I feel that these questions need to be asked. Well, they shouldn't need to be asked, because MS shouldn't be doing what they are doing, but I digress.

      I work for a very large company and we are implementing HIPAA into our software now. We do all kinds of software for hospitals. The reason I think that this issue needs to be brought up is because most people don't even think about the holes that MS creates. I asked a very similar question of our director of operations a while ago, and he said basically that if the hospitals don't have firewalls, then they have bigger problems. While this may be true, I still think it is good to ask the question, so that people are aware of the "Microsoft issue". The people who maintain the firewall need to know about the autoupdate, so that they can block it at the firewall. They need to know about these vulnerabilities, so they can plug them. I don't trust that they will be keeping up on these things. After all, who would have thought that the OS you run could create a huge gaping hole in your security and potentially hold you liable for violating federal regulations?
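
The two posts above recommend keeping PHI workstations from reaching the auto-update service directly and blocking it at the firewall. The following is an added example (not code from the thread or from any poster) of how a firewall admin could verify that control from egress logs: it flags PHI-segment machines that tried to reach an update host, and separates attempts the firewall denied (control holding) from ones it allowed (rule gap). The subnet, patch-server address, log format and log lines are constructed for the example.

```python
"""Egress audit for a PHI network segment.

Flags workstations that attempted to reach Windows Update hosts on their own
instead of being patched by IT staff. Added example; the network layout, the
log format and the sample lines below are constructed, not real data.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed layout: PHI workstations live in one subnet, and only the internal
# patch server (the machine IT staff push updates from) may contact update
# hosts directly. Every other host in the subnet should be denied and logged.
PHI_SEGMENT = ipaddress.ip_network("10.20.0.0/24")
PATCH_SERVER = ipaddress.ip_address("10.20.0.5")
UPDATE_HOST_SUFFIXES = ("windowsupdate.microsoft.com", "windowsupdate.com")

# Constructed firewall log format, one outbound connection attempt per line:
#   "<date> <time> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> host=<name>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) host=(?P<host>\S+)$"
)

# Constructed sample log. 192.0.2.0/24 is a documentation range, not a real server.
SAMPLE_LOG = """\
2002-08-28 08:50:01 ALLOW 10.20.0.5:1025 -> 192.0.2.10:80 host=windowsupdate.microsoft.com
2002-08-28 08:52:13 DENY 10.20.0.17:1043 -> 192.0.2.10:80 host=windowsupdate.microsoft.com
2002-08-28 08:52:14 DENY 10.20.0.17:1044 -> 192.0.2.10:80 host=windowsupdate.microsoft.com
2002-08-28 08:55:40 ALLOW 10.20.0.23:1099 -> 192.0.2.10:443 host=v4.windowsupdate.microsoft.com
2002-08-28 09:01:07 ALLOW 10.30.0.8:2001 -> 192.0.2.10:80 host=windowsupdate.microsoft.com
2002-08-28 09:03:00 ALLOW 10.20.0.17:1050 -> 192.0.2.44:80 host=www.example.org
this line is deliberately unparseable
"""


def is_update_host(host):
    """True if host is one of the update domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in UPDATE_HOST_SUFFIXES)


def audit_egress(log_text):
    """Return {src_ip: [(timestamp, action, host), ...]} for every PHI-segment
    machine other than the patch server that tried to reach an update host.
    DENY entries show the firewall rule is holding; ALLOW entries are gaps."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines (a real tool should count these)
        src = ipaddress.ip_address(m["src"])
        if src not in PHI_SEGMENT or src == PATCH_SERVER:
            continue  # outside the PHI segment, or the sanctioned patch server
        if not is_update_host(m["host"]):
            continue
        findings[str(src)].append((m["ts"], m["action"], m["host"]))
    return dict(findings)


def rule_gaps(findings):
    """Sorted list of PHI machines whose update traffic was actually allowed."""
    return sorted(ip for ip, events in findings.items()
                  if any(action == "ALLOW" for _, action, _ in events))


if __name__ == "__main__":
    result = audit_egress(SAMPLE_LOG)
    for ip, events in sorted(result.items()):
        for ts, action, host in events:
            print(f"{ts} {ip:<12} {action:<5} {host}")
    print("firewall rule gaps:", rule_gaps(result))
```

Attempts from 10.20.0.17 are denied as intended; 10.20.0.23 reached an update host over 443, which is the gap the firewall staff would need to close.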

  • by puto (533470) on Wednesday August 28, 2002 @09:04AM (#4155580) Homepage
    The Microsoft Healthcare Users Group. This is a group of vendors that sit together on a board that defines all standards for healthcare products that run on MS software. To be a member of this group or state that your software is compliant, they certify you.

    They strictly adhere to all governmental regulations for healthcare records including EDI and storing of sensitive medical records.

    The medical industry is a huge economic buyer in the hardware and software industry and MS based vendors have always been in strict compliance with government standards.

    1. Check to see if your software is HL7 (health care 7). HL7 is a protocol for formatting, transmitting and receiving data in a healthcare environment.

    2. Ask your vendor how they store the medical records; is it HL7 compliant? I think you guys have a homegrown product? If your product is home grown it doesn't apply to the governmental standard for handling medical data, and the EULA is the least of your worries.

    3. If the product is home grown: cover your ass.

    MSHUG is Microsoft centric but a good start for you.

    I did medical software for ten years and dealt with all these issues long ago. Your vendor should be able to point you in the right direction. BUT IF YOUR SOFTWARE CAME FROM A VAR, DON'T ASK HIM, CALL THE ACTUAL HOME COMPANY! The developers will give you more of a straight answer than the VAR.

    PUTO
  • by RobertNotBob (597987) on Wednesday August 28, 2002 @09:06AM (#4155588)
    I work in the healthcare industry and have been following this fairly closely. One alarming thing that I have seen in various discussions is the idea that simply disabling the feature has any effect on the situation.

    It does not.

    The root of the problem is the agreement that M$ CAN download software on your computer without prior notification. If you agree to that, it really makes no difference if you check a box that tells your machine not to do it. At any time, either pre-programmed or by an addition that you make, M$ can uncheck that box without letting you know. Think about it: if you sign a document that states I have the privilege to do something (whatever it is) and then you (outside of that document) simply tell me not to do it, am I legally bound not to do it? It is possible that not even using SUS (software update server) will mitigate this.

    Also, don't feel secure about non-W2K products either. Most (and soon all, I suspect) products M$ releases contain that same provision. If you have updated MediaPlayer (I believe it is one with the new verbiage) then you have already given consent for M$ to add software to your machine whenever they choose. NOT maybe, NOT sometime soon, NOT only if you have W2K, but right now on the box you are currently using. And although I don't have it right in front of me now, I'm pretty sure that MediaPlayer even specifically mentions that current features may be removed (playing MP3s) by the unannounced 'upgrades'.

    Although we are still evaluating this with our legal staff, it looks very possible that we will be purging M$ products from the vast majority of our network.

    oh, DARN ! ;)

    And for the record, I am not a lawyer. Don't take this as legal advice. Heck, I could be dead wrong. Localities and nationalities will obviously differ in their approaches.

  • by Dredd13 (14750) <dredd@megacity.org> on Wednesday August 28, 2002 @09:18AM (#4155649) Homepage
    To make matters worse, remember that as of 9/30, you can't GET Win2K, and the WinXP EULA (the only one you'll have available to you at that point) suffers the same legal issues.

    We're in the process of forwarding this off to our legal staff for review, but in IT, we're now giving serious consideration to a conversion to Macs on the desktop (which would still allow compatibility and ease of use while avoiding the problematic issues involved).

    • Oh, like Apple is so much better. People just don't get as hysterical and up-in-arms over what Apple does. Did you know that every single Mac ever built has a unique serial number that can be used to track you? Did you know that it's impossible to get any information out of the Apple web site without giving them your e-mail address and registering? Blah, blah, blah. Apple is almost as annoying as Microsoft. They just don't have the monopoly position to get away with as much as Microsoft.
    • If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

    Use Macs or Linux?

  • I'm in the middle of upgrading a pharmacy's computers to privacy "compliant" software that is supposed to be secure. One of the perks of the new software is the ability to use the internet for data transfers instead of 56Ghey. While talking to the tech support guy on all the details I'd need to know, I asked him whether the transfer was done VPN and what sort of encryption I'd need to setup. He got back to me a few minutes later and said there is NO VPN, NO ENCRYPTION done at all. This pharmacy deals with hundreds of patients a day and for each one, a stream of data is sent CLEAR TEXT across the internet. Makes you feel secure doesn't it?

  • Remember, Microsoft can always be trusted. Granting a third party uninhibited access to your system (for whatever purpose) is a security breach by any means. But come on, it's Microsoft. You trust them. Don't you?

    Disclaimer: The poster of this message is not implying that Microsoft is trustworthy. The poster of this message does not trust Microsoft. This was a joke. :)

  • If Win2k with SP3 is not HIPAA compliant (and I stress the if because no one has made a statement either way, yet) what can non-compliant Medical IT departments do?

    Simple: use Windows NT 4.0 with SP6a.

    And exactly why did you switch from it to begin with? What extremely important feature does Windows 2000 have that you absolutely needed?

    Upgrading because you can is never a good reason. Most of big corporate America is just now starting to roll out W2K servers, and they keep NT4 servers running because there is no reason to upgrade them. (Up until last month the very large multi-national corporation I work for had a policy that NO Windows 2000 servers were allowed on the network; anyone upgrading their servers to W2K would be fired without question.)

  • by brokeninside (34168) on Wednesday August 28, 2002 @10:03AM (#4155867)
    For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it.

    It seems to me that unacceptable changes to the EULA for a service pack might void the implied warranty of usability of Windows 2000. By releasing the service pack, they are admitting that Windows 2000 has problems. If I cannot get access to fixes for those problems without agreeing to a contract substantially different from that which governed my license for Windows 2000, I think that I might have a good basis for a lawsuit to get a court order that Microsoft supply fixes to their software under the terms of the original EULA.

    • "For the past several days, I've been wondering if a lawsuit against Microsoft over the EULA for W2K Service Pack 3 might not be viable. If I were more motivated, I might even talk to a lawyer about it. "

      You will need damages. You can't sue without showing damages.

      However, this HIPAA concern carries with it some dire implications. I wonder if it will actually get the attention of the appropriate people (let's say, a large hospital, preferably one that is either a very influential one, e.g., the Naval Hospital in Bethesda, which has the added benefit of being a governmental body, or say a big research institution; Johns Hopkins or Northwestern will do fine).

      If it occurs to the right people (the ones with the bread to make a real difference) that the current licensing is entirely incompatible with the laws that they must follow, and that the exposure to liability is huge (it only takes one malpractice suit to end a doctor's career), then we might someday hear about a secondary license that is granted for certain institutions by Microsoft.

      Unfortunately, I don't suppose many people are aware of this problem, so the phones at MS headquarters have not been ringing off the wall with attorneys who represent hospitals and physicians demanding satisfaction on this matter.

      I suspect that it will take a federal lawsuit against someone who has been caught with their pants down, and this will be but one of many incidents of noncompliance with various regulations raised in the case.

      The problem that many Slashdot posters don't seem to understand is that we're not talking about an "illegal contract", but rather that it might be technically illegal for a party to agree to a particular contract. This is only a problem if the party with the problematic contract will not negotiate, and is also only a problem if there is no alternative.

      In many cases, there is only one choice for an operating system. If it is illegal for physicians to use that one choice, then it may be too high-risk for a physician to use computer systems for certain tasks at all.

  • by Phoukka (83589) on Wednesday August 28, 2002 @10:20AM (#4155981)
    If your company is of any size whatsoever, you'll need more than just a lawyer who specializes in HIPAA compliance issues. You'll need to acquire the services of a HIPAA compliance and remediation consulting group. Our hospital is using Ernst & Young.

    It sounds like you have multiple areas to look at -- your data storage, your data transmission (you aren't just creating those medical records from thin air, are you?), your partner companies, and how you handle the Patient Identifying Health Information on the desktop. Not to mention that your company should have been preparing for this for QUITE some time now.

    First, you'll need to make sure that your data storage, transmission and handling (includes handing paper copies around), and desktop security are all compliant. Next you'll find that you are also responsible for making sure that any business partner companies are compliant. This task basically means getting your partner companies to sign "HIPAA Business Partner Agreement" contracts that means the partner company states that they are contractually obligated to handle any patient data of yours in a means that is also HIPAA compliant.

    Finally, and most important of all, you'll need to be able to document all of the above, in a form that the government inspectors can easily use to check your compliance. Yay.

    Get yer HIPAA-lovin' lawyers on the stick as fast as you can, and file for any extensions that may apply. You will need a complete inventory of any and all computing infrastructure (servers, workstations, network, and software) that touches identifying patient medical data. You will need to have this inventory so your CIO, lawyers, computer security experts and your HIPAA remediation consultants can check the compliance of everything on the list. Anything failing compliance, you'll need to fix or replace.

    One last thing: you are also responsible for making sure that the source of your medical data is asking permission to use that medical data, and is asking that permission in a way that is compliant.

    I hope this provides you with a decent starting point. Good luck, you have a hard task ahead of you.

  • Every time I ask Google about this it seems like I end up bouncing back and forth between the same three or four sites never quite finding what I'm after -- kinda like pr0n, but not as fun. So here goes...

    Does anyone know of any free/nonfree resources, documents or URLs that list the networking, server and policy encryption and configuration standards required for HIPAA compliance? Consider this from the point of view of a network administrator for a small health services company that buys all of its software from outside vendors (no internal development).

    Please don't answer http://hhs.gov. I know about those, and I'm hoping to find a summary or sorts, not the original regs. I'm also aware that the rules themselves are vague and unspecific, and may or may not specifically mention networking and servers hardware software and practices, so I'd appreciate that someone confirm that if it is the case.

  • Read the FAQ. (Score:3, Interesting)

    by small_dick (127697) on Wednesday August 28, 2002 @11:47AM (#4156674)
    You've got three years to deal with the issue until they start fining you (if your company has under $5 million in annual revenue).

    If over $5 million, you've still got two years to comply.

    Either way, the max fine for non-compliance is $25K/Year, and they don't even know how they're going to find you...

    I'm not saying you should slack on this, I'm just saying it's not a "huge,huge" crisis situation. Deal with basic, common sense security and do more research. You've got time to do this right.
  • Attorney's Take (Score:4, Informative)

    by quoz13 (604624) on Wednesday August 28, 2002 @12:06PM (#4156860)
    I'm an attorney who works with HIPAA. Here are some general observations about the EULA.

    Reasonable Assurances... The writer who states that the covered entity need only take reasonable precautions. What is or is not reasonable depends on too many factors. I happen to think that if you disable the feature, that action seems pretty reasonable. I for one, am not worried about the EULA. I'm more worried about things like password protection, access to the file room and the like.

    Illegal Contracts... As someone else correctly states, contracts that are contrary to law cannot be enforced (at least the illegal provision).

    Covered entities... Chris, who wrote the original message, may not need to worry about HIPAA. HIPAA covers mostly medical providers and insurance companies. It also covers self-insured companies and the like, but I don't think it covers loan applications. Of course, Chris could be a business associate of a covered entity.

    Business associates... A covered entity must obtain satisfactory assurances from its business associates (accountants, lawyers, billing companies) that the health information is protected. As someone correctly notes, that requires an agreement known as a business associate agreement/contract.

    As a side note, I've begun to draft an article about what HIPAA requires... the language in the law actually asks the covered entity to make sure that they have "satisfactory assurances" that the business associate safeguards personal health information ("PHI", although some call it "individually identifiable health information").
