Tuesday, September 11, 2012

Is your shipment “Hippocratic” about HIPAA? Mind Maps!


See if you fall into any of these sets:
  • You have (or want to have) medical insurance for yourself and for your near and dear ones.
  • Your medical health information is recorded somewhere. You may or may not know where and how.
  • You claim reimbursement for your medical bills.
  • You contact your physician and pharmacist over the web.
  • You regularly buy or enquire about medicines online using your insurance.
  • You firmly believe that your health details should not be shared with others, whether you know them or not.
  • You are uncomfortable when people from nowhere can look at your health details.
  • You are a researcher at a drug company, or an employer handling the ergonomics of your employees.
  • You work in advertising, marketing or promotion; or you have received a call from an unknown "customer service" asking for the health details of you, your family, your friends, etc.
  • Oh, and you use technology to seek medical help as well.
  • So you use web apps, mobile apps, chat and the like to reach out for medical assistance and help?
  • OK, wait: you are also in the business of writing software applications for medical, pharmacy, insurance, or data-analytics / data-warehouse use, etc., each of which is a place where health information is collected?
  • Your health details are outsourced (medical transcription) to be written up, typed and sent back. Does this operation involve software and hardware that you sell? Do you know all the people involved along this chain, and where they are?
Did you or your customer pay money for any of these? Have you ever felt that your health information is private and protected? Have you glimpsed that your health details are well secured? If yes, you have just ignored the obvious daily happenings around you.

There are other factors too that leave a person's ePHI (electronic protected health information) unsecured and no longer private or protected. HIPAA covers them under the Privacy Rule and the Security Rule. The two rules complement each other, and neither can be neglected.

For example, most companies' internal web apps that maintain employee details will also collect health information, because most employees enter those details to get the benefits of the health plans offered there. I have noticed that the health details are neither protected nor kept private; most of the time they are open. Then what about the software apps that are written specifically to handle health data? That is neglected most of the time too.

See the instances below of how a few have been sued for violating HIPAA compliance. Multimillion-dollar penalties for breaching the compliance!

  • CVS Caremark Corporation - here and here.
  • Virginia Prescription Drug Monitoring web app - here.
  • Kaiser fined $250,000 - here.
  • Palmetto General Hospital case - here.
  • Alaska Dept. of Health and Social Services penalized $1.7 million - here.
  • Farrah Fawcett, the lady with the lovely smile, fought over the disclosure of her protected health data (anal cancer) - here.
*Note: These URLs showed the details at the time of publishing this post and were not broken.


Today's software intruders concentrate on cracking humans rather than the software and/or hardware, as that makes the job quicker and easier. Hence protecting health data outside the software app arena is also mandatory. So the question you have now is: why this post, and what is it talking about?

Effective testing includes tests of the environment (which includes the users as well). So how can I have those covered in my test coverage and test results? Shouldn't I know what the sections in the HIPAA Privacy and Security Rules say?

I have come up with mind maps for the HIPAA Privacy Rule (HPR) and the HIPAA Security Rule (HSR) to learn what they ask for. These mind maps have more text than a word or two in each node. The reason is that most of us do not know, or cannot make out, what a rule or section says. Here are the mind maps for HPR and HSR.

Each mind map spells out many more measures to be taken care of apart from implementing software that adheres to HIPAA. Connect any node to any other node and find ideas to test.


Are you "Hippocratic" about HIPAA in your shipment?


**Note: Don't rely on these mind maps as *complete* or legal data. They are built as heuristics for doing better testing. I don't like killing the creativity and thinking ability of a tester, hence I don't share one-liner test ideas from these mind maps. Instead I'm sharing these resourceful mind maps for free, for non-commercial purposes. Make use of them to the extent that they help you.