► The National Institute of Standards and Technology (NIST) has issued procedures for testing information technology systems used for storing and processing electronic health records. The set of 45 test procedures is designed to ensure that electronic health records work across systems developed by different vendors. The procedures evaluate issues such as the level of encryption and whether access is limited to authorized users only.
► A federal appeals court has ruled that a contract security firm did not discriminate against an applicant who wore dreadlocks as part of his Rastafarian religion. A manager with Wackenhut, Clarence McCuller, interviewed Lord Osunfarian Xodus for a security guard position. McCuller immediately told Xodus that dreadlocks were against company grooming policy and that they would have to be cut before Xodus could begin working for the company. McCuller also told Xodus that he could wear dreadlocks for positions in a shipping warehouse but that none of those jobs were open at the time. Xodus told McCuller that cutting his hair was “against his belief.” Xodus then left the interview. Xodus sued Wackenhut for religious discrimination. Wackenhut claimed that McCuller did not know that dreadlocks had religious significance. The court ruled in favor of Wackenhut, noting that Xodus had a duty to clearly state that cutting his hair was against his religious beliefs. In the written opinion of the case, the court noted that “Xodus claims that his use of the word ‘belief’ and the dreadlocks themselves sufficed to notify McCuller of the religious nature of his hairstyle. But unlike race or sex, a person’s religion is not always readily apparent.”
► The U.S. Department of Health and Human Services (HHS) has withdrawn its final rule on breach notification for healthcare data. The rule provided healthcare providers and insurance companies with the appropriate steps to take if private health information were stolen or improperly disclosed. HHS received more than 120 comments on the rule. Many of the comments were critical of the provision that healthcare providers and insurers provide notification of a data security breach only if they felt there was a “significant risk” of harm. Commenters felt that this gave too much discretion to those who were charged with protecting the data in the first place. The agency did not announce when a new final rule would be issued. In the meantime, the interim final rule issued in September 2009 remains in effect.