Employment form

kathrynm · #1 11-05-2007, 07:13 PM

Hello Naval; I have done a new form, but cannot get it to work. Could you please review this form and tell what I have done incorrectly.
www.southeasternservicegroup.com/employment.html
Thank You
Kathryn

Andy128 · #2 11-05-2007, 08:25 PM

Check your form parameters. It appears that a majority of the fields, to include the submit botton, are outside the form.

If you find that this is the case- I am afraid that you will have to start from scratch. Delete all fields and make sure to stretch the form parameters so that all your fields will fit inside the form. The start building the form again paying close attention to the form parameters. If in your building you find that you are comming close to the end of the form, stop and stretch it down and then continue to place fields on it.

Sorry to be the bearer of bad news. I really do not belive that, at this point, you can simply stretch the form parameters to encompass all the fields as they have not been set to the form.

The only way to ensure that it will work would be to start over.

Andy

I

Karen Mac · #3 11-05-2007, 09:22 PM

For this kind of form you need ssl as you are collecting private personal information relevant to a persons identity. You might do better to create this is a word document or a pdf document and have them download it and fax it in. You cannot have ssl and have this form post to email. email is NOT protected for the conveyence of this type of information. As a HEALTHCare Provider you are also in violation of the HEPA Acts with it unsecured. I wont even get into the state statutes for providing health services and background checks for Correctional Facilities and what their requirements for protecting privacy online are.

Karen

kathrynm · #4 11-05-2007, 09:56 PM

thanks all for the information. I will check the barriers with the form and re-do it. Karen, we are not a healthcare provider such as Blue Cross or any other provider like that. What we do is provide nurses and doctors to the Correctional industry. We have a process of hiring and do all background checks etc... in compliance with state and federal laws.
I hope we have cleared this up, but if you still think we are in violation of any laws, just let me know and we will do the research.
Thanks, Kathrynm
www.southeasternservicegroup.com

Andy128 · #5 11-05-2007, 10:34 PM

Karen was just giving food for thought in that many correctional facilities have strict privacy policies with regard to their employees and inmates. You are collecting information pre-employment and not with regard to any health info of inmates or employees and as such would not violate HIPA.

I do agree with Karen though. If I am filling out a form that has such personal info as my drivers license etc.... I will not do so unless it is a secure connection- encrypted. I think Karen's suggestion of providing a word doc or pdf that the user could fill out and then fax might get you more participation. A ssl certificate for your site runs about $100/year.

Cheers-
Andy

navaldesign · #6 11-05-2007, 11:33 PM

Hehe... Good Idea, for the next version of ABVFP... Encryption using the Public key method, so that emails content is encrypted.

Thank you ladies and gentlemen!!!

Andy128 · #7 11-06-2007, 12:22 AM

Naval- always thinking. Hello my friend. Keep up the good work.

Andy

Karen Mac · #8 11-06-2007, 02:07 AM

Yes, youre correct that you personally arent the health care provider, but you provide the services, therefore, HIPA applies or (HEPA) whichever it is, as you are providing third party information and its you that has the contract with the actual practitioner and the state who houses the PATIENT. So not only can you not divulge patient info, you cant provide provider info either and leave it open to the internet. Thats what i was pointing out. ICANN i believe also covers internet law and specifics about the kind of information you can gather UNPROTECTED without encryption and that would include your online application. If you collect it without encryption and some gang members family had access to your info and got a fix on a nurse and or doctor who may or may not have access to their interest, theyd have a good place to start finding out WHO Does work there and all their personal info and using it. Not to mention the identity thieves, youve given them background history, employment dates drivers license numbers and the whole 9 yards, residence and its just one jump to family members as well.

I was simply giving you food for thought while collecting the info. You cant collect it even with an ssl unless it goes to a database or file on the server and then you run a script to generate the report.

Even if Naval develops a public encryption for email, I WOULDNT USE it to divulge personal info unless it was an INHOUSE server never reaching the internet.

Thus the suggestion to pdf or word doc it and have it faxed in.

Karen

Andy128 · #9 11-06-2007, 03:27 AM

Karen-
Respectfully- I disagree. And actually it is HIPAA (Health Insurance Portability and Accountability Act of 1996). I specifically deals with "patient" information. This does not apply to pre-employment information and credentials for same. Infact, the privacy rule specifically relates to "individually identifiable health information".

Don't get me wrong- you and I are in agreement as to the method she is using is un-secure. And, the prisons she deals with may take issue with the un-secure gathering if info. But HIPAA does not apply here.

Also, I must ask. You stated that you cannot gather such personal info via a form and transmit to email but ONLY to a database. That statement implies that there is some law or rule that regulates information gathering. Is there such a rule or law, because I am unaware of any?

Also- encryption is encryption be it sent to a database or an email.

Andy

Karen Mac · #10 11-06-2007, 05:48 AM

Yes Check ICANN for internet law, and email is not safe encrypted or not, I dont have time now to find it. I said it has to be a database or a file on the server in some format. Email servers are not secure because they are public and even encrypted, dont run a dedicated ip, so the encryption keys are much less.

Theres a law newer than the 1996 one, that deals with all health care related information, not just patient, but under what circumstances and who may or may not treat patients or have access to patients information. Not encrypting employment files, might jeapordize who provides services when, times of their employment and makes public record of who worked where when and might have access or knowledge of these patient records.

You can collect information per se, but collecting unencrypted is what gets you into trouble, and ALL websites should have a privacy policy even for delivering cookies and collecting ip addresses under ICANN. So collecting personal identifying information without encryption yes, is illegal, and if your email or database is hacked, and you didnt do everything you could to protect it, you are liable legally, and civally for tort, damages etc.

Karen

Karen Mac · #11 11-06-2007, 05:59 AM

Heres the updated SECURITY section of HIPPA as found on wikipedia
http://en.wikipedia.org/wiki/Health_..._Security_Rule

Quote:

The Security Rule
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for “small plans.” The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Heath Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows:

Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act
- Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
- The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
- Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function.
- The procedures must address access authorization, establishment, modification, and termination.
- Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
- Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
- A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
- Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
- Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.

Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
- Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
- Access to equipment containing health information should be carefully controlled and monitored.
- Access to hardware and software must be limited to properly authorized individuals.
- Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
- Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
- If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.

Karen Mac · #12 11-06-2007, 06:14 AM

Heres wikipedia on personal identifying information and a list of the laws and resources:

http://en.wikipedia.org/wiki/Persona...le_information

Karen

navaldesign · #13 11-06-2007, 06:58 AM

Quote:

Originally Posted by Karen Mac

Even if Naval develops a public encryption for email, I WOULDNT USE it to divulge personal info unless it was an INHOUSE server never reaching the internet.
Karen

???

Encryption through a Public Key is 100% safe. It uses the same 128 bit encryption that ssl uses. The key is only known to the the form owner, so the content can NOT be decrypted by anyone else. Once the mail arrives to the desktop, he can decrypt and read it.

The alternative, as i have always suggested, would be to simply store the info in a database, and view this info through a ssl connection.

Karen Mac · #14 11-06-2007, 08:54 AM

LOL.. are you going to EMAIL them the codes? You can harvest emails off a server for 7 years forensically, and how many people who are employed will be handling this key? And how many places will it be written down, or how many computers accessing the internet will have it stored on them and then be hacked by some download or email virus. You can TELL me all day long that encrypted email is 100% safe and im STILL not buying into it. Ive seen too many college and school servers hacked and supposedly inhouse secure and should have been secure but the wrong email was downloaded or the codes were left out a disgruntled student or employee gave out their access codes etc etc.

Yes servers get hacked, stores get hacked, but email gets harvested alot more often, encrypted or not. Ive even watched hackers access a persons COMPUTER thru the internet after they gave them an infected file. Granted encrypted email makes it tougher, but it wouldnt be my choice of security, or my choice of protection given that id be liable for some pretty pertinent info.

Karen

navaldesign · #15 11-06-2007, 12:27 PM

I believe that we are confusing issues.

Issue nr 1: can an email be encrypted so that it can travel through a normal Internet connection ? Answer: yes. No one will ever be able to decrypt the mail unless he has the key.

Issue nr 2: Can a key be stolen ? answer : Yes, as everything else. But this is not different from theft of the database or CP password / username. So, from this point of view, the security level of an encrypted email is the same as the ssl connection and whatever other security measures one can take.

It is up to the company to establish those internal procedures / methods to protect the data once they have been transfered.

I am NOT dealing here with the legal aspect, i only deal with the technical one. From this point of view, the security level between viewing the email content as stored in a database, through a ssl connection, and recieving an encrypted email, is the same.

To add more, a public key encrypted email can also be encrypted with a 256 or even 1024 bit key, making far more safer than a ssl connection-

Andy128 · #16 11-06-2007, 01:10 PM

Karen-

Well- we're going to have to simply disagree on this one.

Yes- HIPAA does extend to vendors in as much as how they handle, and disemenate "patient" personal and health information. What she is gathering is no where near "patient" information and at this point has nothing to do what so ever with any prison "patient".

I still maintain that HIPAA pertains to "patient" personal and health related information. It does not reach as far as a pre-employment process.

As to the list of other resources that you gave- I looked each one up. Not one regulates or stipulates "encryption" of gathered personal information over the internet. They speak to the regulation of purchacing and sale of personal info (like mailing lists) or in the case of the Wireless 411 Privacy Act where it prohibits cell phone companies from giving out or publishing your cell phone number with out consent first. Or in the case of the Online Privacy Protection Act in California. This simply states that a website must post its privacy policy on its website.

One day I hope that there is a standard for data gathering and transfer.

For now it is left up to self policing and companies often put inplace policies and procedures to help limit their liability in the event sensitive info is intercepted or stolen. These companies often require encryption and proof of secure storage and often lists of personal who have access to such info. But that is on the company side and not by law as yet.

Bottom line of which we both agree on- gathering personal information via a form should be done in a secure manner to protect it from being intercepted or stolen.

Andy