Employment form



kathrynm
11-05-2007, 06:13 PM
Hello Naval, I have made a new form, but cannot get it to work. Could you please review this form and tell me what I have done incorrectly.
http://www.southeasternservicegroup.com/employment.html
Thank You
Kathryn

Andy128
11-05-2007, 07:25 PM
Check your form parameters. It appears that a majority of the fields, to include the submit button, are outside the form.

If you find that this is the case- I am afraid that you will have to start from scratch. Delete all fields and make sure to stretch the form parameters so that all your fields will fit inside the form. Then start building the form again paying close attention to the form parameters. If in your building you find that you are coming close to the end of the form, stop and stretch it down and then continue to place fields on it.

Sorry to be the bearer of bad news. I really do not believe that, at this point, you can simply stretch the form parameters to encompass all the fields as they have not been set to the form.

The only way to ensure that it will work would be to start over.

Andy


Karen Mac
11-05-2007, 08:22 PM
For this kind of form you need SSL as you are collecting private personal information relevant to a person's identity. You might do better to create this as a Word document or a PDF document and have them download it and fax it in. You cannot have SSL and have this form post to email. Email is NOT protected for the conveyance of this type of information. As a HEALTHCare Provider you are also in violation of the HEPA Acts with it unsecured. I won't even get into the state statutes for providing health services and background checks for Correctional Facilities and what their requirements for protecting privacy online are.

Karen

kathrynm
11-05-2007, 08:56 PM
thanks all for the information. I will check the barriers with the form and re-do it. Karen, we are not a healthcare provider such as Blue Cross or any other provider like that. What we do is provide nurses and doctors to the Correctional industry. We have a process of hiring and do all background checks etc... in compliance with state and federal laws.
I hope we have cleared this up, but if you still think we are in violation of any laws, just let me know and we will do the research.
Thanks, Kathrynm
www.southeasternservicegroup.com

Andy128
11-05-2007, 09:34 PM
Karen was just giving food for thought in that many correctional facilities have strict privacy policies with regard to their employees and inmates. You are collecting information pre-employment and not with regard to any health info of inmates or employees and as such would not violate HIPA.

I do agree with Karen though. If I am filling out a form that has such personal info as my drivers license etc.... I will not do so unless it is a secure connection- encrypted. I think Karen's suggestion of providing a Word doc or pdf that the user could fill out and then fax might get you more participation. An SSL certificate for your site runs about $100/year.

Cheers-
Andy

navaldesign
11-05-2007, 10:33 PM
Hehe... Good Idea, for the next version of ABVFP... Encryption using the Public key method, so that the email's content is encrypted.

Thank you ladies and gentlemen!!!

Andy128
11-05-2007, 11:22 PM
Naval- always thinking. Hello my friend. Keep up the good work.

Andy

Karen Mac
11-06-2007, 01:07 AM
Yes, you're correct that you personally aren't the health care provider, but you provide the services, therefore, HIPA applies or (HEPA) whichever it is, as you are providing third party information and it's you that has the contract with the actual practitioner and the state who houses the PATIENT. So not only can you not divulge patient info, you can't provide provider info either and leave it open to the internet. That's what I was pointing out. ICANN I believe also covers internet law and specifics about the kind of information you can gather UNPROTECTED without encryption and that would include your online application. If you collect it without encryption and some gang member's family had access to your info and got a fix on a nurse and or doctor who may or may not have access to their interest, they'd have a good place to start finding out WHO does work there and all their personal info and using it. Not to mention the identity thieves, you've given them background history, employment dates, drivers license numbers and the whole 9 yards, residence and it's just one jump to family members as well.

I was simply giving you food for thought while collecting the info. You can't collect it even with an SSL unless it goes to a database or file on the server and then you run a script to generate the report.

Even if Naval develops a public encryption for email, I WOULDN'T USE it to divulge personal info unless it was an INHOUSE server never reaching the internet.

Thus the suggestion to pdf or word doc it and have it faxed in.

Karen

Andy128
11-06-2007, 02:27 AM
Karen-
Respectfully- I disagree. And actually it is HIPAA (Health Insurance Portability and Accountability Act of 1996). It specifically deals with "patient" information. This does not apply to pre-employment information and credentials for same. In fact, the privacy rule specifically relates to "individually identifiable health information".

Don't get me wrong- you and I are in agreement that the method she is using is un-secure. And, the prisons she deals with may take issue with the un-secure gathering of info. But HIPAA does not apply here.

Also, I must ask. You stated that you cannot gather such personal info via a form and transmit to email but ONLY to a database. That statement implies that there is some law or rule that regulates information gathering. Is there such a rule or law, because I am unaware of any?

Also- encryption is encryption be it sent to a database or an email.

Andy

Karen Mac
11-06-2007, 04:48 AM
Yes Check ICANN for internet law, and email is not safe encrypted or not, I don't have time now to find it. I said it has to be a database or a file on the server in some format. Email servers are not secure because they are public and even encrypted, don't run a dedicated IP, so the encryption keys are much less.

There's a law newer than the 1996 one, that deals with all health care related information, not just patient, but under what circumstances and who may or may not treat patients or have access to patients' information. Not encrypting employment files might jeopardize who provides services when, times of their employment and makes public record of who worked where when and might have access or knowledge of these patient records.

You can collect information per se, but collecting unencrypted is what gets you into trouble, and ALL websites should have a privacy policy even for delivering cookies and collecting IP addresses under ICANN. So collecting personal identifying information without encryption yes, is illegal, and if your email or database is hacked, and you didn't do everything you could to protect it, you are liable legally, and civilly for tort, damages etc.

Karen

Karen Mac
11-06-2007, 04:59 AM
Here's the updated SECURITY section of HIPPA as found on wikipedia
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#The_Security_Rule



The Security Rule
The Final Rule on Security Standards was issued on February 20, 2003. It took effect on April 21, 2003 with a compliance date of April 21, 2005 for most covered entities and April 21, 2006 for "small plans." The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information (PHI) including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications. The standards and specifications are as follows:

Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the act
Covered entities (entities that must comply with HIPAA requirements) must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures.
The policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls.
Procedures should clearly identify employees or classes of employees who will have access to electronic protected health information (EPHI). Access to EPHI must be restricted to only those employees who have a need for it to complete their job function.
The procedures must address access authorization, establishment, modification, and termination.
Entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions.
Covered entities that out-source some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. Companies typically gain this assurance through clauses in the contracts stating that the vendor will meet the same data protection requirements that apply to the covered entity. Care must be taken to determine if the vendor further out-sources any data handling functions to other vendors and monitor whether appropriate contracts and controls are in place.
A contingency plan should be in place for responding to emergencies. Covered entities are responsible for backing up their data and having disaster recovery procedures in place. The plan should document data priority and failure analysis, testing activities, and change control procedures.
Internal audits play a key role in HIPAA compliance by reviewing operations with the goal of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits. Audits should be both routine and event-based.
Procedures should document instructions for addressing and responding to security breaches that are identified either during the audit or the normal course of operations.


Physical Safeguards - controlling physical access to protect against inappropriate access to protected data
Controls must govern the introduction and removal of hardware and software from the network. (When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.)
Access to equipment containing health information should be carefully controlled and monitored.
Access to hardware and software must be limited to properly authorized individuals.
Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
Policies are required to address proper workstation use. Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
If the covered entities utilize contractors or agents, they too must be fully trained on their physical access responsibilities.

Karen Mac
11-06-2007, 05:14 AM
Here's wikipedia on personal identifying information and a list of the laws and resources:

http://en.wikipedia.org/wiki/Personally_identifiable_information

Karen

navaldesign
11-06-2007, 05:58 AM
Even if Naval develops a public encryption for email, I WOULDN'T USE it to divulge personal info unless it was an INHOUSE server never reaching the internet.
Karen

???

Encryption through a Public Key is 100% safe. It uses the same 128 bit encryption that SSL uses. The key is only known to the form owner, so the content can NOT be decrypted by anyone else. Once the mail arrives to the desktop, he can decrypt and read it.

The alternative, as i have always suggested, would be to simply store the info in a database, and view this info through a ssl connection.

Karen Mac
11-06-2007, 07:54 AM
LOL.. are you going to EMAIL them the codes? You can harvest emails off a server for 7 years forensically, and how many people who are employed will be handling this key? And how many places will it be written down, or how many computers accessing the internet will have it stored on them and then be hacked by some download or email virus. You can TELL me all day long that encrypted email is 100% safe and I'm STILL not buying into it. I've seen too many college and school servers hacked and supposedly in-house secure and should have been secure but the wrong email was downloaded or the codes were left out, a disgruntled student or employee gave out their access codes etc etc.

Yes servers get hacked, stores get hacked, but email gets harvested a lot more often, encrypted or not. I've even watched hackers access a person's COMPUTER through the internet after they gave them an infected file. Granted encrypted email makes it tougher, but it wouldn't be my choice of security, or my choice of protection given that I'd be liable for some pretty pertinent info.

Karen

navaldesign
11-06-2007, 11:27 AM
I believe that we are confusing issues.

Issue nr 1: can an email be encrypted so that it can travel through a normal Internet connection ? Answer: yes. No one will ever be able to decrypt the mail unless he has the key.

Issue nr 2: Can a key be stolen ? answer : Yes, as everything else. But this is not different from theft of the database or CP password / username. So, from this point of view, the security level of an encrypted email is the same as the ssl connection and whatever other security measures one can take.

It is up to the company to establish those internal procedures / methods to protect the data once they have been transfered.

I am NOT dealing here with the legal aspect, I only deal with the technical one. From this point of view, the security level between viewing the email content as stored in a database, through an SSL connection, and receiving an encrypted email, is the same.

To add more, a public key encrypted email can also be encrypted with a 256 or even 1024 bit key, making it far safer than an SSL connection.
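The public-key scheme Naval sketches above (only the form owner holds the key that opens the mail) is in practice built as a hybrid: a fresh symmetric key encrypts the submission, and the owner's public key wraps that key so that only the matching private key, kept on the owner's desktop, can recover it. What follows is an added example written for this page, not code from ABVFP or from any poster here, in Go rather than PHP because its standard library carries RSA-OAEP and AES-GCM and runs offline. The Envelope layout, the formLabel name and the sample form fields are assumptions, and the submitted values are constructed, not real applicant data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
)

// formLabel (assumed name) is bound into the key wrap and the GCM associated
// data, so an envelope sealed for this form cannot be replayed as another.
const formLabel = "employment-application-v1"

// Envelope is the mail-safe body the form script would send (assumed layout, not ABVFP's).
type Envelope struct {
	WrappedKey string // per-submission AES key, RSA-OAEP wrapped to the owner's public key
	Nonce      string // GCM nonce
	Ciphertext string // authenticated ciphertext of the submission
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSubmission runs on the web server, which holds only the public key, so a
// compromised server or mail relay has nothing that decrypts past submissions.
func SealSubmission(pub *rsa.PublicKey, submission []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 key for every submission
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// GCM authenticates the ciphertext, so any change in transit is detected.
	ct := gcm.Seal(nil, nonce, submission, []byte(formLabel))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(formLabel))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: b64(wrapped), Nonce: b64(nonce), Ciphertext: b64(ct)}, nil
}

// OpenSubmission runs on the owner's desktop, the only place the private key lives.
func OpenSubmission(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	var parts [3][]byte
	for i, s := range []string{env.WrappedKey, env.Nonce, env.Ciphertext} {
		b, err := base64.StdEncoding.DecodeString(s)
		if err != nil {
			return nil, err
		}
		parts[i] = b
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, parts[0], []byte(formLabel))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, parts[1], parts[2], []byte(formLabel)) // fails on any modification
}

func check(err error) {
	if err != nil {
		log.Fatal(err)
	}
}

func main() {
	// Key pair made once on the owner's machine; only the public half goes to the web server.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	form := []byte("name=Jane Applicant&dl_number=D1234567") // constructed sample
	env, err := SealSubmission(&priv.PublicKey, form)
	check(err)
	fmt.Println("what a mail relay sees:", env.Ciphertext)
	got, err := OpenSubmission(priv, env)
	check(err)
	fmt.Printf("owner reads: %s\n", got)
}
```

Run it with go run; the printed mail body is base64 of ciphertext only. Two points the thread argues over are visible in the code: the server-side script never has the private key, so harvesting the mailbox or the server yields only wrapped envelopes, and GCM plus OAEP reject a modified or mis-keyed envelope with an error instead of returning garbage. What the code cannot do is protect the private key once it sits on a desktop, which is the part of Karen's objection that remains a procedural matter.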

Andy128
11-06-2007, 12:10 PM
Karen-

Well- we're going to have to simply disagree on this one.

Yes- HIPAA does extend to vendors in as much as how they handle, and disseminate "patient" personal and health information. What she is gathering is nowhere near "patient" information and at this point has nothing to do whatsoever with any prison "patient".

I still maintain that HIPAA pertains to "patient" personal and health related information. It does not reach as far as a pre-employment process.

As to the list of other resources that you gave- I looked each one up. Not one regulates or stipulates "encryption" of gathered personal information over the internet. They speak to the regulation of purchasing and sale of personal info (like mailing lists) or in the case of the Wireless 411 Privacy Act where it prohibits cell phone companies from giving out or publishing your cell phone number without consent first. Or in the case of the Online Privacy Protection Act in California. This simply states that a website must post its privacy policy on its website.

One day I hope that there is a standard for data gathering and transfer.

For now it is left up to self policing and companies often put in place policies and procedures to help limit their liability in the event sensitive info is intercepted or stolen. These companies often require encryption and proof of secure storage and often lists of personnel who have access to such info. But that is on the company side and not by law as yet.

Bottom line of which we both agree on- gathering personal information via a form should be done in a secure manner to protect it from being intercepted or stolen.

Andy

kathrynm
11-06-2007, 12:28 PM
well I have read all the points of view. I want you to realize that we presently have a pdf file on the site to gather this information. We felt that the form would be an easier way to have the potential employee communicate with us. Let's say they don't have a fax machine. The fact that we have the ability to produce this form on our sites is fantastic. I wonder what's the difference with our contact us form versus this employment application form. I realize that this form has much more personal information, but the contact forms out there gather up a lot of personal information as well. Naval, I think you have a challenge ahead regarding this. As for now, we will look into the SSL certificate and decide if this is in compliance with state and federal laws. Until then we will only offer the pdf file method.
Again thank you, and I look forward to any more points of view here.
Kathryn

Vasili
11-06-2007, 08:26 PM
As for now, we will look into the SSL certificate and decide if this is in compliance with state and federal laws. Until then we will only offer the pdf file method. Again thank you, and I look forward to any more points of view here. Kathryn

The technology exists to safely and securely transmit personal data via email as General Naval mentions (without the use of an SSL even), and is permissible as long as you act in compliance with the Federal provisions regarding the handling of personal information (Privacy Act of 1988: http://www.privacy.gov.au/publications/ipps.html) and verification of identity (methods, personal certifiability :: Patriot Act sec. 326: http://www.epic.org/privacy/terrorism/hr3162.html).

Both of these Acts require even private sector businesses to have a detailed written Policy that complies to these two (and additional) specific laws, and to appoint a Compliance Officer who is made responsible for proper implementation and monitoring of the compliance. There is no gray area --- all businesses must comply, and the processes are in black and white.

The issues mentioned here were regarding:

1) Technology : The technology exists and performs exactly as Naval describes (there is no need to overcomplicate things), and things like SSL and burdensome add-ons are not necessary to utilize available technology if paired with compliant procedures.

2) Practice: Despite the recitation of various laws and Acts inappropriately, the fact remains that there are indeed compliance issues all businesses must address specifically as mentioned above. (ICANN has no bearing on this discussion, nor does Healthcare stipulations.) It is all a matter of procedure --- the weakest link in the whole chain is the handling of data once un-encrypted (delivered) and how it is distributed, stored, used, and archived. Karen's recollections only point out the very real challenge all Compliance Officers must contend with.

Naval is correct in suggesting a simple encryption utility as he described, which must be supported by a cognizant Compliance Policy as mentioned above to assure proper processing of information according to current law.
The performance of those duties is what is being confused as stipulation, and should be paid attention to and presented to Users, clients, applicants, and associates accordingly.

It is obvious that many well-intentioned suggestions may lead to improper business practices if the business person does not do their due diligence to understand the requirements, laws, regulations, and best business practices that they uniquely face. Resources to search for issues and topics of law include US Small Business Administration, OSHA, US Chamber of Commerce, US Commercial Code, Patriot Act, Privacy Act of 1988, COPPA, CANSpam Act, and other State or local administrations.

Andy128
11-06-2007, 09:43 PM
Vasili,
The Privacy Act of 1988 you cited, from what I can gather, pertains to Australia. And having looked at the Patriot Act- I cannot find the section that pertains to the collection of pre-employment information via a form on the internet.

Yes- there are laws that pertain to what the company can do and cannot do with the information -once in their posession. But the crux of this debate began with the form, it's content and the avenue by which it is transmitted back to the company.

Not trying to beat a dead horse, but there is an instance here that this form violates some law and no one has specified that law- chapter and verse yet.

Your BV friend-

Andy

Vasili
11-06-2007, 10:55 PM
Vasili,
The Privacy Act of 1988 you cited, from what I can gather, pertains to Australia. And having looked at the Patriot Act- I cannot find the section that pertains to the collection of pre-employment information via a form on the internet.

Yes- there are laws that pertain to what the company can do and cannot do with the information -once in their possession. But the crux of this debate began with the form, its content and the avenue by which it is transmitted back to the company.

Not trying to beat a dead horse, but there is an instance here that this form violates some law and no one has specified that law- chapter and verse yet.

Your BV friend-

Andy

No, it does not.
Our Privacy Acts govern yet today (google to prove it....same base law with amendments out the yin-yang), and the introduction to the Patriot Act specifically mentions the instructions for private sector to adopt and implement provisions as detailed which were originally penned for financial institutions and DOJ procedures (premise to enforce).

With regard to what you perceive as a violation of some sort regarding Employment Applications (this is US Labor Law, and State Code), there is none, other than possible unenforceability of verification of identity.....all acts require physical submission of valid ID to certify genuineness of the information being submitted (this is a procedural issue, for to be personally certifiable, it is understood that it must be done in person, and that the ID can be evaluated or "proved".....taking a full-blown app online is not recommended by me whatsoever, as there are too many areas of personal liability left open).

For comparable addressing of this issue, examine the processes, technologies, and even the disclaimers during an online credit application procedural form.....it may indeed be a secure site (SSL), most definitely involves encryption (gateway, scripting), and deals with the same type of information as would be at issue in an Employment App, correct?? The same applies to whatever personal information is collected or communicated online, and is really only a matter of degree of protection employed to minimize degrees of risk to both parties.

You need to realize that Federal Laws are purposely written rather general and sometimes vague so that the burden of implementation is not confined: they want you to adopt and adapt according to your particular operational structure.

A good example is OSHA and how the Materials Safety Act morphed into a "Safety & Environmental Management Program" ..... now it is required by all businesses (under additional State auspices) not just for those who handle hazardous materials, and it covers everything from those materials to Fire Drill, emotional trauma, etc.

I disagree with your statement about the original topic of the thread ("musings" aside, I clearly see the issues): I see that there was a discussion about personal feelings regarding how information is processed (with inappropriate citations of Policy) and total confrontation of available technology. That is why I broke it down the way I did, and gave examples of precedence. Usually, each State expands the provisions and under different agencies.....everything from The Fair Credit Reporting Act (which also stipulates Privacy, ID, and collections issues, and which also apply to more than financial institutions or "banks") to the US Commercial Code have specific methods of implementation and enforcement detailed. THAT is why I mentioned the resources for each to discover their own applications development.

I am not a lawyer, and I do not make this stuff up......nor am I willing to do what I consider "other people's work" for them, believing that most learn best by doing for themselves.
I know how much effort it has been to create, compile, implement, and maintain Policies for each of my businesses, and how each industry poses its own challenges. And, unfortunately, I am also aware of how many people in business have no clue as to how they are supposed to operate....

BUT....it does seem that I offered an incorrect link: (try these) The Privacy Act of 1974 (Amended): http://www.usdoj.gov/oip/privstat.htm and Dept. Homeland Security The Privacy Office: http://www.dhs.gov/xabout/structure/editorial_0338.shtm

Vasili
11-07-2007, 05:00 AM
>> LOL >> And, another starting point for the long-read of the week: http://www.ibls.com/internet_law_news_portal_region.aspx?s=United%20States&id=1&t=Online+Security