Discussion: View Thread

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

Do you have an option to use a laptop, thumbdrives and vpn etc. provided by the client? That may be something to discuss directly with client IT engineers.   Do you need or have SOP's (standard operating procedures) in place in case a client wants to review your HIPAA procedures and complance? 

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

I have been working with PHI for decades from my consulting business and have observed significant increases in security requirements from both the client and their sources. If you can bring the data in-house, I recommend requesting de-identified records that still suit the analytical requirements of your client. Otherwise, I agree with Chris Barker's suggestion, let your client handle security requirements on their platform which you can use for the required analysis. 

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

I have been working with PHI for decades from my consulting business and have observed significant increases in security requirements from both the client and their sources. If you can bring the data in-house, I recommend requesting de-identified records that still suit the analytical requirements of your client. Otherwise, I agree with Chris Barker's suggestion, let your client handle security requirements on their platform which you can use for the required analysis. 

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

I have been working with PHI for decades from my consulting business and have observed significant increases in security requirements from both the client and their sources. If you can bring the data in-house, I recommend requesting de-identified records that still suit the analytical requirements of your client. Otherwise, I agree with Chris Barker's suggestion, let your client handle security requirements on their platform which you can use for the required analysis. 

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.

My most recent client, IBM, was tasked with providing national healthcare data (HCUP US) that was both public facing and for internal use only. The available public data was carefully de-identified, but even then there was concern  over the use of "vulnerability analysis or penetration testing" (from the data use agreement that users must complete). I was not involved in the process to de-identify the records, so I cannot comment on this.  To complicate the security issues further, each state that submits their data has specific data security requirements. To access the data for analysis I used an IBM laptop connected to the IBM secure network from my office. I also license the SAS product, but was not using it for this work.. For an other client I ran SAS on their system using their client's data, which satisfied their security agreement with the client.. For all this work I needed business specific security training. As any breech must be reported and documented, anyone  with access to the data must be certified as having been trained on procedure and process. It is a rigorous  process due to the potential  liabilities.

In my "conventional" employment, I work with a lot of protected health information (PHI). The computers I work with it on are part of various organizational IT systems, with the attendant firewalls, malware protection, etc. These are, of course, of variable effectiveness--we all read the news about data breaches and system intrusions in many places.

I take data privacy and digital security very seriously. Even behind those organizational defenses, I tend to use hardware-encrypted thumb drives (when one is necessary), whole-disk encryption where possible, public-key encryption, etc. Even have an air-gapped computer in one office.

If things go to plan, I'll potentially be working with PHI in my solo consulting business--on my own computer, probably from home. How have other solo consultants handled this?   Again, I try to be serious about this. I run Linux at home with whole-disc encryption, have a VPN, and measures similar to the above. The difference is that there is no "corporate" IT department to take the hit if things go awry.

And what is your approach to Business Associate Agreements" vis-a-vis HIPAA?

I plan to get a "cyber-insurance" policy, along with typical E&O.

Thanks for any insights.