
+1 on raising the ethical point. I get SO mad when I discover regular old ecommerce businesses treating their customers so poorly that they want to HIDE as much as possible about even minor security breaches...it's just flat out morally repugnant to betray the customer's trust like that, and there's no inalienable right to run a business at all...

And that's really just relating to the risk of damaging someone's credit & hassles of dealing with Identity Theft if payment info is compromised....But when you start talking about PHI and stuff like mental health issues or info about poorly understood medical conditions is being disclosed that could potentially ruin a person's entire career or destroy families / social interactions for the rest of their lives, it just goes so far beyond the pale of moral repugnance that I don't even have the words to describe it...

Since the OP got flagged, I can't comment any more on the thread and it's probably a moot point anyways, but I thought I'd at least add a few more links for anyone interested in seeing what DHS HAS been able to do re: enforcement...

- https://www.hcca-info.org/Portals/0/PDFs/Resources/Conferenc...

- https://www.propublica.org/article/small-scale-violations-of...


Let's just say that it exists in a Quantum state of simultaneously being both of those things...a Schrödinger's Regulation, if you will...

I've been on all sides of the HIPAA space since it was enacted.

I've worked for firms who either offered health insurance to their employees or accepted insurance payments for products they sold. My mother is a Therapist with a sole practitioner private practice and I've been working with her to get her compliance house in order as she prepares to retire and sell her practice. I've also worked as a consultant with Software, Insurance, Tech Hardware, and other firms across the spectrum of covered entities and business associates and what I can tell you definitively is that:

Your boss is pretty much correct... RIGHT up until the point when you have a security incident, get compromised in some manner, and disclose PHI.

Of course, the bizarre thing is that if you're REALLY large (like Anthem Insurance large) and disclose hundreds of thousands or dozens of millions you will probably NOT be put out of business by DHS, even though the law indicates you should be fined up to $1 million per disclosed patient record assuming it was a flagrant effort of non-compliance. The reason?

I guess it's Too Big To Fail - there's simply no alternate mechanism in the current insurance marketplace to absorb that many insured without some seriously destructive economic dislocation. Smaller firms, and let's face it - nearly everyone else is smaller, don't get off as easy. DHS has begun increasing enforcement actions, especially for firms who fail to follow notification provisions after a breach.

They appear to be increasingly eager to make examples out of the smaller fish in what one assumes is an attempt to goad the bigger fish into more disciplined action.

And even if you avoid the criminal provisions (yes, some have and more will continue to be sentenced to actual jail time for their involvement in failing to adequately protect PHI), it appears that the market is beginning to correct the imbalances of economic power as more and more class action lawsuits are being filed against the firms who survive the DHS HIPAA post-mortem - http://www.beneschlaw.com/Lessons-Learned-from-the-Anthem-Cy...

It seems that all those disclosure requirements that are the first things required after a breach (especially if you want to avoid more stringent penalties after your post-breach audit) are producing mountains of evidence that class action trial attorneys just adore digging into...

I've personally gone back and forth in different roles / situations on how much I let the higher-ups' paranoia or lackadaisical approach to HIPAA affect me. In the end, if I'm worried they're not taking it seriously enough, I provide a written document for them to sign outlining any concerns I have and documenting when I raised them. I ask that they sign it and, further, agree to explicitly acknowledge in the document that they will take the risk of any potential jail sentences and fines that come from activities that wind up piercing the corporate veil of liability protection, and specifically relieve me of any and all liability for any economic impact that may come to damage the company later should my concerns prove well founded and the worst case scenario happens.

They'll either get scared straight and do the right thing, or they'll laugh it off, and at least then, if I want to stick around, I can do so knowing that I've done everything that I could for the time being to inform the stakeholders at the firm and protect myself. But really, if it gets THAT bad, I'm probably not going to feel comfortable trusting my economic well-being to people who would make such horrible decisions...


Getting a 404 error as of now...anyone else notice this also?


I moved here only about 7 weeks ago and the challenge I've discovered is more about deciding WHICH of the 3-4 awesome meetups that happen every day or the 2-3 conferences scheduled each week I want to attend.

I'd recommend going to meetup.com and setting your location to SF. My profile of interests matches yours and I found around 300+ groups with regular meetups that were fun.

Note: there are also lots of conferences that are held here, but those usually require not-insignificant entry fees (they're normally paid for by your employer) and there isn't a single resource that easily lists all conferences available in the area. I'd start with the meetups since they're usually free and usually take place after normal working hours.


Generally there are two approaches:

1) Hourly (most common) - determine what the standard rate is per hour for this kind of work in your area, then charge that, making an allowance (read: discount) for your level of skill. This may or may not be done using a "fixed price" estimate, meaning you will charge for X number of hours no matter how long it actually takes you. I'm not in your area, but my guess is that the fair market value of these services is probably in the $75-$150 range, depending on your level of expertise.

2) Value - determine the fair market value of the final output to the client and base your rate upon that estimate. This is more difficult and prone to be influenced by factors you may not be aware of (i.e., if this person's relative implemented the site for free, they may attach an unreasonable expectation of value to the proposed change).

As I have progressed in my freelancing career I have found that one of the first sets of questions I always ask after having the client explain a request to me is:

1. What is your budget? Making them start off the conversation about cost helps set expectations and allows me to immediately reject the request if their expectations are out of line with both the fair market value and my other active projects.

2. What is your timetable? When a client needs a request done quickly and I have to reschedule already planned work to accommodate their request, I charge a premium for a rush job. This is analogous to the way such requests are handled in other media segments like print, video, and audio production.


I really like your last 2 points. I also think having them start off the money conversation is a good idea, so you don't undercut yourself by thinking they may not take you if you charge too much. The last point is also great as it gives them the option to possibly earn you more money.

Thanks for commenting beejhuff


http://www.bitium.com - can't speak highly enough about them. $200 / month, unlimited web apps, passwords, users, integration with any SSO or SAML system as "authentication system of record" and an unlimited number of others...plus MFA via several options (Authy and Google authentication), strict password requirement capabilities, though they use a reasonable default. Ability to change all to random values that no one who uses them can see if you choose, multiple domain support...the ability to request access to your clients' passwords and let THEM manage when it's revoked really ups both our tech and marketing teams


Looks good, but is there any way to manage credentials from the perspective of a small startup that can't afford paid services like Bitium?


I would suggest CloudFlare: https://www.cloudflare.com/plans

Their free plan offers lightning fast DNS (fastest I've ever seen) as well as a CDN. Love these guys!


When I wrote HFT bots for trading futures contracts a while back, I used Trading Technologies.

Their systems power something like 80% of all electronic futures orders and they have by far the best overall system I've ever tested. This includes the entire stack from networking to low level code.

It's Windows only (.NET) but incredibly powerful. Starting prices when I was using it were about 1500-2000 per month, so it's not really designed for people wanting to dabble, but they have the lowest latency I've ever seen in both pricing data and order routing, so if you're serious about trading futures there really isn't any alternative.


Thanks - I would like to start slow and then eventually upgrade to a more expensive service, as I am very new to the field. Two questions:

1) Have you ever had any experience with E*TRADE?

2) It would be awesome if you could point me to some resources/books about HFT

EDIT: The pricing seems to be $1,200/month now. https://www.tradingtechnologies.com/en/products/pricing/


80% of all electronic futures orders and they are .NET? Call me skeptical (being that I've worked in the industry and still do for a very large player), but I can't believe you can get a Windows stack down to remotely the level of low latency you can get with a Linux stack. I find that statement so woefully wrong on so many different levels it makes me almost want to cry


@SEJeff Exactly what I just wanted to post! I think SEJeff agrees with me when I say that people in that business have no mercy; be prepared and learn yourself before accepting raw advice. Question what we say too.

.NET and low-level code... well, only if they have an FPGA cluster running the .NET code through a specialized compiler like http://www.mono-project.com/Mono_LLVM and then run some commercial optimizers to tune the assembly. Even then, the risk of malfunction due to "undefined behaviour" is too high to take the risk. You're better off with just Ada, Fortran, C or C++ backends.

This is just to illustrate how ridiculous a .NET ultra-low latency trading system sounds.


I'm a Turducken aficionado. In my home town of Lafayette, LA, deep in the heart of Cajun Country, it has become something of a masterpiece of both engineering and culinary art.

I have endeavored on a few occasions to prepare one from scratch, but these days I find it much easier to head over to www.cajungrocer.com to have a fully deboned and stuffed Turducken delivered ready for cooking.

Traditionally my family cooks a fried Turkey for our Thanksgiving meal, but we occasionally opt for the Turducken instead. Either way, it's a pretty simple way to feed an entire extended family on a single dish.

The Turduckens you get from www.cajungrocer.com are actually prepared by Hebert's Meats (from Maurice, LA) and, unlike the Wikipedia article, have intermediary layers of stuffing consisting of Jambalaya and Shrimp and Crawfish étouffée.

You don't have to be born and raised a Cajun to appreciate them, but it may help to have some Cajuns on hand if you want to finish one of these delights. That, or an NFL football team (one fact the Wikipedia article gets correct is that these are gargantuan preparations, usually starting at 40-50 lbs).

Bon Appetit!


I thought it was a pretty solid introduction video, did anyone else watch it?

