To the Editor:

“A Problem-Oriented Approach to the HIPAA Security Standards” [July/August 2001, page 37] was a welcome change from the usual drone of self-serving hysteria from management consultants about the upcoming regulations. I would add two observations.

First, there’s an element of “let’s pretend” in discussions involving the privacy of online medical information. It is well known that competent hackers (several exist in every high school) can, with the aid of readily available software, hack into virtually any database, anywhere.

Second, even the most determined cyberthief can’t hack into my paper records. Furthermore, the small size of my office staff, all long-term employees, obviates most other concerns.

Is there a lesson here?