Re: Electronic Storage of Class 1/ 2 Medical forms... "Best Practice"?

In article <1158193374.898958.187230@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
Junto wrote:
We have several ideas floating around that could potentially resolve
some administrative headaches regarding the Class 1/ 2 forms, but there
is a lot of well-founded concern regarding privacy and security of this
information. Some adults say that HIPPA regulations have to be
followed, but countering that, some say that HIPPA does not apply
because our Troop is not a healthcare organization.

You have to follow the rules but some HIPAA regulations are not applicable.

Couldn't find much on the Boy Scout side but the Girl Scouts had some

***
http://www.ilcrossroads.org/ThisMonth.jsp
Important Information Regarding Medical Consent!

Portions of the Health Insurance Portability Accountability Act
(HIPAA) now apply to nonprofit organizations. Volunteers and girls
received a Consent for Release Form in their Spring Registration
materials. Signing this form allows medical information to be passed
on to the appropriate family members and medical professionals to
facilitate the care of a sick or injured individual. Please list the
names of parents, grandparents, emergency contact, or anyone else who
might need access to medical information. (You do not need to list
your family physician. Medical personnel are automatically included
under HIPAA.)

Remember that all medical information is confidential and should be
treated as such. The girl and adult health history cards need to be
kept in a secure place, so that only volunteers or medical
professionals who need this information have access to it. If the
Consent for Release Form is not signed, then no medical information
can be given to outside medical professionals or family members of the
sick or injured. Please follow the law strictly and encourage all
members to sign the Consent for Release Form, so that they may receive
the best care possible.
***

What I'd like to know is if the BSA has a policy, specific
guidelines, or perhaps a "best practice" regarding what I'd like to
do. Specifically, we have several adult leaders who need to get to
the forms to have them on hand for various functions. We also want
to have adult backups without having to rely of the physical
transferring of the forms. This has proven to be more of a security
issue than it should be. The idea is to scan the forms and store
them as pdf files on the server that also has our website. The
website will not have posted links that will allow people to
navigate to the forms. The forms will be stored in a
password-protected directory. Browsing of the website, which
permits people to snoop, is turned off. What link that does exist
to a specific form will be in TroopMaster, access to which is also
password-protected. The last level of security is to encrypt the pdf
copy of the form so only specific individuals with digital IDs can
read/print them. Sounds like overkill to me, but I'm confident that
it will be as secure as most of the stuff at the NSA (National
Security Agency).

In summary, a person would have to be granted assess to TroopMaster to
get to the link. When the user clicks on the button/link to the form,
the user is taken to the server directory where the form is stored. He
is challenged for a username/password. If the user correctly enters
the username/password, he/she would not get access to the pdf file if a
digital ID on the form has not previously been established for that
person. That's about three levels of security.

I've looked at as much BSA info as available regarding medical
information, but I have yet to spot any reference to guidelines
regarding the electronic storage and access to that information. If
this bridge has been crossed before, I'd like to see a guideline or
best-practice, or somehow obtain a documented "non-objection" from
someone within BSA.

Can anyone in this group give me some direction on this?

You need to look at the security on the end computers as well as link
between. I would make sure the link is https (i.e., encrypted) not
http since otherwise someone sniffing might pull passwords and/or the
pdf document down. Is each person going to have a separate
username/password? That way if someone leaves you just have to
disable access for that one person. Are the passwords sufficiently
strong (e.g., no four letter passwords). Is the file for the
passwords on the web server outside the web space so there is no
chance of it being retrievable by a browser and sufficiently protected
so that random users on the server can't access it. Do not give
passwords via email (email is not secure).

I assume the web server is a secure machine but you might want to make
sure that the troop leaders' home machines are also secure. For
instance what type of access do the leader's kids have to the leader's
computer? Does he or she keep the computer up-to-date on patches and
firewalled? Will the computer's hard disks be properly wiped cleaned
or destroyed before leaving the leader's control?

One possibility is to encourage downloads to a password encrypted usb
memory stick and not to the computer's hard disks. The stick can be
removed from the computer when not needed and locked in a filing
cabinet and if stolen the data isn't easily accessible.


--
\----
|\* | Emma Pease Net Spinster
|_\/ Die Luft der Freiheit weht
.