In testing a new blog, I'm down to making it work in IE6. I haven't done much testing in IE6 for a while and have forgotten how incredible obtuse it can be. So far I've only worked with CSS issues (javascript is next) and it's making me tear my hair out (which is hard since it's cut very short).

I really we wish we could all refuse to support this abomination any more, but for some reason it still commands 20% or so of the market. I installed a neat little app on my windows XP partition (on my MBP) called Multiple IE which at least lets me test IE6 (and actually older versions but who cares).

I'm thinking of using something from Save The Developers or doing it myself to tell me people to please upgrade to a reasonable browser (even IE7 is better). If I get really pissed during the testing I may simple refuse to show the site at all in IE6. Some people have already resorted to this. For a technology blog like this one (with 70% non-IE readers) it's not a big issue; for a more general blog it might not be as acceptable.

The more sites refuse to display in IE6 the more likely people might upgrade (assuming they can). Sadly there are a lot of companies who still use IE6 as their only acceptable browser and target its quirks and non-standard features without regard to anything else.

So to cop a slogan from President Gerald Ford,

WIN!

Whip IE6 Now!

My Tags: browsers css

When I started Mac programming in 1985, all I needed was K&R C, a 680000 assembly language manual and the three loose-leaf binders of Inside Macintosh. For those who started in Pascal all you needed was in the binders.

Just this year I have worked in Java, PHP, Javascript, Objective-C (iPhone) and Ruby; evaluated systems from GridGain, Terracotta and GigaSpaces; learned and wrote an API for Edifec's HIPAA Validation engine and the various X12 formats. Plus the usual frameworks like Prototype, Spring, etc and HTML/CSS for all the web projects. How can anyone remember all of the details of so many different things?

Of course you can't; unless you are a freak of nature a brain can only hold so many details in its working memory. These days it's imperative that you learn to work with lots of online (and offline if you still like books) reference material. I call it "just in time information" - all you have to remember is where the information is stored, and have a clear understanding of how to absorb, learn and apply the information to your problem.

And then you forget it again. That's not Alzheimer's, it's the only way to work today without becoming narrowly specialized. In 1985 I could remember virtually everything I needed during a day's coding. Today, I continuously juggle references to supplant the working knowledge I have from my current project. Switching from language to language and framework to framework it's tough sometimes to keep things straight so even language syntax is sometimes a mystery ("do I need semicolons here?").

Today you can actually do this kind of mental juggling, since virtually all documents are online or searchable, unlike the early days of paper and books. Brains are not really all that well designed for multitasking, but with the aid of easy to find information, you can manage it. The basics of programming are the root knowledge and (mostly) are applicable to every kind of coding task.

Sadly being this type of multi-environment coder is not very conducive to job interviews, where often people who focus on only a few technologies expect you to have the precise memorization that they have. I'm sorry, I can't remember the home interface of an EJB2.X Entity bean that I haven't touched in years.

It's hard to convince people that your knowledge is merely an extension of the documentation, with added experience from years of switching from technology to technology. I'm only a master of what I worked on this week. Something I haven't looked at in a couple years is a distant memory; yet given the requirement to learn it again it takes almost no time to remaster. Learning something completely new isn't hard either since I have so much experience learning something new and delivering projects in it. Of course it's a tough sell; people find specialists easier to identify.

The future is only going to get more complicated; if you read about programming technology, the amount of development and invention is ever increasing. Just pick a Javascript/Ajax web framework for example. There are hundreds to choose from. How do you evaluate them? How do you learn more than one and switch back and forth (or start a new job with a different choice)? The only way to really survive the modern programming world is to learn to be flexible and refuse to over-specialize unless you work in a stable job where nothing ever changes (and these do still exist).

The only alternatives are to memorize as little as possible and extend your brain with references; or wait until one can plug in memory chips into your brain.

My Tags: programming development essay

MAMP is best helper for coding PHP apps on OS X I've found since Textmate.

The abbreviation MAMP stands for: Macintosh, Apache, Mysql and PHP and it installs as a simple OS X application (drag folder into /Applications). Once you run it it starts up a local Apache and MySQL and shows a simple control panel which you can use to administer them. A full PHP stack is also included (either 4 or 5).

I was using the local Apache and PHP but this is actually much easier to work with, you can change configurations easily, making working with multiple sites much quicker. Although I don't use MySQL at this point (SQLite works for the small sites I am doing) I imagine it's a big help there too.

There is a pro version as well with many more features for managing testing and deployment of larger sites. It also supports external viewing of different sites for folks who want to let others see their progress. Base MAMP is not for serving to the public.

Sure you can do it yourself locally but this makes it totally painless.

My Tags: php macosx

HIPAA (Health Insurance Portability and Accountability Act of 1996) is a big law which covers a whole host of things in the realm of healthcare in the U.S. Although the phase-in of its many parts are almost complete, the changes are still rippling across the country. Why a topic for this blog? I recently worked at a healthcare company and got to learn a whole lot of about it and its impact on privacy, security and IT.

Why Should I Care?

If you are alive in the U.S. HIPAA affects you. Most people have very little idea of what it is and what those affects (both public and behind the scenes) are, so I thought I would share what I learned.

HIPAA Overview

HIPAA has a number of sections, divided into two Titles (I) Health Care Access, Portability, and Renewability and (II) Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform. Title II is further broken up into a number of rules (1) Privacy (2) Transactions (3) Security (4) NPI and (5) Enforcement.

Generally (I) and (II,1) are what the general public sees. Everywhere you go you need to give permission for people to look at and access your healthcare information; and finally you can take your healthcare coverage with you when you switch jobs (provided you follow the rules) and not be denied coverage. At my local pharmacy for example you can't stand in line direct behind someone picking up a prescription (so you can't see what they are getting).

Privacy

The key term for this type of private healthcare information is called "PHI", which means Protected Healthcare Information, and is relatively well defined. This type of data is anything relating to your health care and any information which might tie you to your healthcare (even such details as phone numbers or your geographical information, and certainly stuff like your SS number). Access to this type of information is restricted to those (1) you give explicit permission to (2) or those who have implicit access, name entities like Insurance companies and clearinghouses (more on those later). Even with either permission, there are many rules on where and how and how much access is enough and what must be done to protect it.

If it sounds onerous, you are right, it's supposed to be. It's your personal information of a nature you really don't want anyone to casually have access it. Before HIPAA, all of your medical and personal information could be accessed by anyone anywhere in any fashion without any real consequence. The wild, wild west of the 1850's had more law that this.

Electronic Information

The law however goes way beyond simple portability and privacy: the other major part of this was to standardize how medical information was transmitted and shared electronically. Before HIPAA everyone was free to describe health care information in any way they felt like; filing a claim with an insurance company was an exercise in futility as every one had different forms, different codes and even then you were lucky it didn't change without any notice. Electronic (EDI) claims were basically a joke unless the doctor or hospital limited coverage to very few plans.

HIPAA provides (1) a standardized set of transactions for different uses (2) a defined (and continuously updated) set of codes to define virtually anything in a consistent way (like a diagnosis or test or explanation). The upshot of all this is that a healthcare Provider can now file and interact with a Payer either directly or more generally, via a Clearing House) electronically and mostly be assured of success in the transaction.

One further addition that only recently became required (for the most part) is NPI, the National Provider Identifier, which uniquely identifies all entities using electronic communications. Think of it as an IP address for healthcare. Note that the NPI defines the entity, there may still be additional identifiers such as a DEA number for a drug prescriber.

Security

You might think, I don't care really, I just go to the doctor and get well, and get irritated by all those blasted forms I have to fill out giving permission. That's where the other parts of HIPAA affect you, even though you don't see them. It's called the Security rule (and its brother, the Enforcement rule).

An electronic healthcare claim (I was working on the validation engine at a clearinghouse) is a wealth of personal information, highly suitable for (1) identify theft (2) blackmail (3) job loss (4) fraud and (5) mischief. Being a standardized coded chunk of information (generally in the X12 EDI format) in plain text it can be ripe for criminal usage. Protecting it during processing, storage and transmission is crucial otherwise there is nothing keeping it from becoming your worst nightmare. The Security rule covers a number of safeguards which must be followed to (hopefully) ensure that these nuggets of gold don't become someone's idea of a profit center. The rule covers (1) Administrative (2) Physical and (3) Technical safeguards, basically having procedures to protect the data from various forms of theft or attack.

Remember there are both explicit and implicit access to this data. Generally you give explicit permission to healthcare Providers (like your doctor or dentist), but Covered Entities (as they are official known under HIPAA) such as clearinghouses and insurance companies are granted implicit permission. Imagine if everyone who touched a healthcare claim had to obtain a consent form; the whole electronic system would collapse. So the law allows these folks to handle your PHI with the big requirement that they must follow all of the Security rule or face the Enforcement rule.

Insurance companies and HMOs are people everyone knows (and generally dislike as well). Clearing houses are not something most people even know about. Since HIPAA made electronic claims and other transactions available, most of this traffic is handled by thousands of these entities (from huge to one person places) who act as the intermediaries between the Providers and the Payers. Think of them as routers. Often a claim will move from a provider through multiple clearing houses before finally winding up at a Payer; then responses (such as rejections or notices of payment) flow the opposite way. The whole system is like a HipaaNet!

Enforcement

So what keeps your information safe? It's the Enforcement rule and is both really scary and really wimpy at the same time.

Generally each HIPAA violation can get an individual violating the basic rules a $100 fine up to $25,000 which doesn't sound all that bad. However the real teeth is knowingly violating the more serious rules which are considered a criminal felony, which can result in a year in jail and $50,000 fines for each violation. The documents I have read discussing how this applies seems to show that the government, if it cannot determine a precise number of violations, will use statistical calculations to come up with a number (e.g. you knowingly allowed someone to steal an unknown amount PHI from claims in your database with no audit trail, you processed 1M claims last year, we'll pick some percentage and thats the violation). Violations in a Covered Entity are supposed to be the higher penalties since they have the highest need to protect the information, and the penalties would fall to the corporate officers if no individuals can be found to blame.

For any healthcare provider, payer or clearinghouse, the penalties are pretty scary, and in the worst (and not unlikely) case a business-ender if convicted. So far it seems that the Provider community, which is generally liable for the lesser fines, has gone out of their way to be careful. So far very few prosecutions have actually happened, and that's the sad part, as there are no actual requirements for specific audits, and the government office responsible for enforcing HIPAA (CMS, the horribly named Centers For Medicare and Medicaid Services) will only investigate if a formal complaint is received. Violations of the privacy portion are handled by yet another agency (Office for Civil Rights).

Thus your HIPAA healthcare privacy and the security is tightly controlled yet loosely enforced. Are you at risk? Probably, at least until some major violators are prosecuted and publicly whipped. Like so many things in security (and even personal things like backing up your hard drive) nothing much happens until something really bad happens. Ask TJX about security and bad publicity.

HIPAA is a massive but generally well written law which was badly needed; it has made healthcare privacy, portability and transactability possible and public. How effective it is remains to be seen.

In a following post, I want to cover what a health care claim technically looks like.

My Tags: law it hipaa

In my current project at home I had need to build a plain text report (for an email) which will be temporarily saved in a database in its final form.

Naturally I wanted to use PHP5 to generate the report layout since it is after all a templating system. It turns out to be quite easy to do.

// define data here, referenced in the report
if(ob_start())
{
  include_once 'inc/registrationreport.php';
  $str=ob_get_contents();
  ob_end_clean();
}

// in in the report, lines like:

Name:         <?= $reg_firstname ?> <?= $reg_lastname ?>

Birthdate:    <?= $reg_birthdate ?>

Easy as pie. The only odd thing was making sure I wound up with the right linebreaks I had to add blank lines after the data references. You also have to make sure that the ob_end_clean() is properly balanced with the ob_start() or interesting things begin to happen.

Yes, I know that the short form is deprecated.

My Tags: php