News

Baltimore Bead Society – Intellectual Property Presentation

On March 13, 2012, I presented a primer on intellectual property to the membership of the Baltimore Bead Society.  Below you will find the presentation file embedded as a quick time movie.

IP Overview (for online) medium

The membership had a number of questions about intellectual property issues, particularly the controversial “Hon” trademark dispute.  Look for additional postings later on some of those questions and issues.

Comparing Meaningful Use Stage 1 and Stage 2

The following two tables compare the Stage 1 and Stage 2 meaningful use criteria under the Meaningful Use proposed/interim regulations that were issued last month.  These tables illustrate some of the changes to the existing criteria, and also the changes in the metrics for the measures (generally increasing the compliance rate required to continue to qualify for the incentive payments).

Table 1 – Core Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

Eligible Providers must meet all of the Core Criteria to Qualify for the Incentives.  Stage 1 had 15; Stage 2 has 17.  Stage 1 meaningful use Core Criteria are found in section 495.6(d) for eligible providers.  Stage 2 meaningful use Core Criteria are found in section 495.6(j) for eligible providers.

Core Criteria for EPSubsections (d), (j) Stage 1 Metric Stage 2 Metric
§ 495.6(j)(1) – provider use of CPOE for medication, lab, and radiology orders [§ 495.6(d)(1)] 30% of orders 60% of orders
§ 495.6(d)(2) – drug-drug and drug-allergy checking Enabled during period N/A
§ 495.6(d)(3) – maintain up to date problem list 80% of patients N/A
§ 495.6(j)(2) electronic prescriptions [§ 495.6(d)(4)] 40% of Rx 65% of Rx
§ 495.6(d)(5) – active medication list 80% of patients N/A
§ 495.6(d)(6) – active allergy list 80% of patients N/A
§ 495.6 (j)(3) demographics [§ 495.6(d)(7)]50% of patients with encounters 80% of patients with encounters
§ 495.6 (j)(4) vital signs [§ 495.6(d)(8)]50% of patients with encounters 80% of patients with encounters
§ 495.6 (j)(5) smoking status [§ 495.6(d)(9)]50% of patients with encounters 80% of patients with encounters
§ 495.6(d)(10) – reporting clinical measures to CMS or State Successful testing N/A
§ 495.6 (j)(6) decision support [§ 495.6(d)(11)] Implement 1 decision support intervention Implement 5 decision support interventions
§ 495.6 (j)(7) lab results as structured data [§ 495.6(e)(2)] Was Menu in Stage 1; 40% of all lab results 55% of all lab results
§ 495.6 (j)(8) patient lists by specific condition for QI [§ 495.6(e)(3)] Was Menu in Stage 1; at least 1 list At least 1 list
§ 495.6 (j)(9) patient reminders [§ 495.6(e)(4)] Was Menu in Stage 1; 20% of patients sent during period 10% of patients seen in last 2 years receive a reminder
§ 495.6 (j)(10) patient electronic access of health information [§ 495.6(e)(5)] Was Menu in Stage 1; 10% of patients receive timely access 50% of patients receive timely access
§ 495.6 (j)(11) clinical summaries at patient visit [§ 495.6(d)(13)] 50% receive summary from office visit 50% receive summary from office visit
§ 495.6 (j)(12) patient education resources [§ 495.6(e)(6)] Was Menu in Stage 1; 10% of patients receive ed. resources 10% of all office visits
§ 495.6 (j)(13) medication reconciliation for transition of care [§ 495.6(e)(7)] Was Menu in Stage 1; 50% of transitions have recon 65% of transitions of care have medication recon
§ 495.6 (j)(14) patients transitioned to another provider’s care have care summary prepared by provider [§ 495.6(e)(8)] Was Menu in Stage 1; 50% of transitions have recon 65% of transitions of care have patient summary
§ 495.6 (j)(15) capability to submit electronic data to immunization registry [§ 495.6(e)(9)] Was Menu in Stage 1; perform 1 test to registry Ongoing submission of data to registry during CY
§ 495.6 (j)(16) security risk assessments under HIPAA security regulations [§ 495.6(d)(15)] Conduct security assessment Conduct security assessment
§ 495.6 (j)(17) use electronic messaging to communicate with patients N/A 10% of patients seen during period received secure message from provider
[§ 495.6(d)(14)] – capability to exchange key clinical information among care providers and patients One test of exchange N/A
[§ 495.6(d)(12)] 50% of patients receive timely access 50% in 3 days on patient request N/A

 

Table 2 – Menu Criteria Under Stage 1 and Stage 2 Meaningful Use Comparison

In Stage 1, EP had to meet 5 out of 10 Menu Criteria to qualify.  In Stage 2, EP must meet 3 out of the 5 Menu Criteria to qualify.  Stage 1 meaningful use Menu Criteria are found in section 495.6(e) for eligible providers.  Stage 2 meaningful use Menu Criteria are found in section 495.6(k) for eligible providers.

Menu Criteria for EPSubjections (e), (k) Stage 1 Metric Stage 2 Metric
§ 495.6(k)(1) – access to imaging results in EHR N/A 40% of imaging results in HER
§ 495.6(k) (2) patient family health history in structured data N/A 20% of all patients seen
§ 495.6(k) (3) capability to submit syndromic surveillance data to public health agency [§ 495.6(e)(10)] Was Menu in Stage 1; perform 1 test to registry Successful ongoing submission of data for period
§ 495.6(k) (4) capability to identify and report cancer cases to State cancer registry N/A Successful ongoing submission of data for period
§ 495.6(k) (5) capability to report other specialized registry (other than cancer) to specialized registry N/A Successful ongoing submission of data for period
[§ 495.6(e)(1)] – implement drug formulary checking Enable functionality N/A
[§ 495.6(e)(2)] – lab results as structured data 40% of lab results are structured data Moved to Core
[§ 495.6(e)(3)] – generate lists by specific conditions 1 reporting list Moved to Core
[§ 495.6(e)(4)] – send reminders to patients for follow-up care 20% of patients Moved to Core
[§ 495.6(e)(5)] – Provide patients with timely access to health information 10% of patients have electronic access Moved to Core
[§ 495.6(e)(6)] – Use EHR for patient education 10% of patients Moved to Core
[§ 495.6(e)(7)] – Incoming transition of care to EP medication reconciliation 50% of patients have medication recon Moved to Core
[§ 495.6(e)(8)] – Outgoing transition of care from EP care record summary 50% of patients have care summary Moved to Core
[§ 495.6(e)(9)] – immunization registry 1 certified test Moved to Core

Maryland EHR Incentives

I’m willing to bet you didn’t know about Maryland’s best kept EHR incentives secret: namely, six private insurers will pay up to $15,000 each to each Maryland practice that implements an EHR before 2014.  Here are some details about the program and where you can find further information about it.

There are six insurers that participate in this incentives program: Aetna, CareFirst, Cigna, Coventry, Kaiser Permanente, and United Healthcare.  Each insurer will pay up to $15,000 in two parts to participating providers.  Half the incentive is calculated based on the total number of Maryland patients either assigned to the practice as a PCP, or at $8 per member for each Maryland insured seen by the practice in the last 24 months.  So, if in two years, you treat 938 members of one of the six insurers, you can maximize the first part of the incentive payment.  The other half of the incentive is based on your ability to meet one of the following three criteria: (a) sign up with a state MSO, (b) demonstrate advanced use of your EHR, or (c) participate in a quality improvement initiative with the insurer.

To obtain the incentive payments, you first file an Incentive Application with the appropriate private insurer prior to December 21, 2014.  The insurer will then acknowledge your application.  Then, six months after the application, you submit a Payment Application to the insurer, who will adjudicate the claim in 60 days and make your incentive payment.  These incentives are per practice (rather than by individual physician or provider), however, these are in addition to any federal incentive payments your practice may qualify to receive from CMS under the Medicare or Medicaid programs through the HiTech Meaningful Use incentives.

You can read more about this on the MHCC web site here.

iPhone Call Log For Follow-up

An increasing number of attorneys, including me, use an iPhone in their practice.  As a practicing attorney, I’ve been looking for some kind of application that could permit me to track and follow-up on phone calls made or received.  Without such an application, it is a manual effort to review calls made and either document or otherwise follow-up on the issue that generated the phone call.  In my research, I had found an application that performed the “simple” task of taking calls from the call log of the iPhone and importing them into a designated calendar in iCal on my Macbook.  However, at one of the last major releases of the iOS, this application stopped working (probably because the call log database on the phone was upgraded to a later version of SQL Lite).

So, I endeavored to cook up a way to accomplish a simple-enough process to get at the call log on my iPhone and import the data to a web application.  Here is basically how this works:

  1. Backup your iPhone to your laptop using iTunes.  This creates a set of backup files that are stored locally.
  2. Using the free iPhone Backup Extractor, extract the iOS backup files to a particular location on your laptop’s hard drive.  Within this directory, /IOS Files/Library/Callhistory, is a SQL Lite version 3 database called call_history.db.  This database is presently not encrypted (unlike, apparently your SMS history).
  3. Using the application I wrote, import your call_log history into a pre-installed MySQL database.  In addition, my import process will also import my address book entries (used to match up calls with people that are known to me) from my Mac Address Book database (another SQL Lite version 3 database that is stored on your laptop).

Once this process is complete, I have a recent list (the most recent 100 calls, including missed calls) of people that I have talked to or missed.  This data is presented in a php-based web application.  The status of each entry can be changed to reflect whether I need to do something, or whether the issue is closed or otherwise resolved.  I also have links to a reverse phone lookup site to check numbers that I don’t recognize in my call log.  Resolved calls drop off of the list so only calls that require follow-up or have just been imported appear on the home page.

Because the phone call log only keeps the last 100 calls, I worked on importing call data from my AT&T phone bill into the database based on the .csv file export that AT&T provides.  I was able to import the last 12 months of calls into my application (though the process is a manual one to process the invoice data points so that they can be imported).

I’ve written some rudimentary reporting to track time and number of calls per month.  I plan to work on some additional features as time permits.  Do you think this would be helpful to your practice?  Let me know in the comments.  Thanks.

Meaningful Use Stage 2 Regulations Released

The Meaningful Use Stage 2 proposed rule has been released earlier this week.  You can download a copy of the full 455 page regulation here: MU Stage 2 Proposed Rule.  For those keeping score at home, there are three stages of “meaningful use” as that term is defined in section 495.6 of the regulations.  Stage 1 set certain Core (required) and Menu (pick from the list to implement) Criteria, and established minimum compliance metrics for a “eligible professional” to qualify for the federal incentives.  The original regulations that defined “meaningful use” indicated that there would be future changes to the definition in two more stages.  We initially expected Stage 2 to be defined for compliance in 2013.  However, the regulations have pushed out compliance for Stage 2 to 2014.  This article will take a look at what’s been proposed for Stage 2.

First off, there are more “Core” or required Criteria in Stage 2.  Stage 1 had a total of 15 Core Criteria, some of which any certified electronic health record would have to meet (such as collecting certain demographic and vital signs data for patients seen in the office).  In addition, there were several Core criteria that, when originally published, no one had yet defined how you might actually comply.  For example, there is a Core Criteria in Stage 1 where providers were required to submit certain quality data to either CMS or their State Medicaid program.  But, no one had indicated when the regulations were published what data, exactly, or how this data was to be provided.  The metric in Stage 1 was merely the ability to submit a test file.

Stage 2 has 17 total Core Criteria.  In several cases, CMS has proposed to terminate a prior Stage 1 Core item entirely in Stage 2.  And in a number of cases, Criteria that were previously on the “Menu” in Stage 1 are now incorporated as Stage 2 Core Criteria.  For example, structured lab data, patient lists by specific condition for use in a quality improvement initiative, patient reminders, patient access to electronic health information, patient education resources, medication reconciliation for transition of care, care summary for patients transitioned to another provider, and data submission to an immunization registry were all Menu Criteria in Stage 1 and are now Core Criteria in Stage 2.

Also, where a Stage 1 Criteria was kept, the minimum compliance percentage has increased, in some cases substantially, in Stage 2.  For example, where a 50% compliance rate was sufficient for Stage 1 for collecting patient smoking status, in Stage 2, the compliance rate minimum is 80%.  In Stage 1, a single decision support rule needed to be implemented for compliance.  In Stage 2, five such rules must be implemented.

As for the Menu Criteria, Stage 1 required that you implement 5 of the 10 on the list as an eligible provider.  In total, therefore, a provider had a total of 20 Criteria that had to be met to achieve meaningful use.  In Stage 2, there are only 5 menu criteria, and the provider must meet at least three.  So the total number of required criteria is no different, but providers have fewer menu criteria to choose to comply with.  In addition, the Menu Criteria in Stage 2 include three interfaces with specific state or public health registries, and the remaining two involve access to imaging results in the EHR and storing family health history in a structured data format.  You may be able to waive out of some of these if there isn’t a way in your state to submit surveillance or other registry data electronically.  However, if you elect to implement one of these interfaces, the compliance requirement under Stage 2 is full year data submission to the registry (not just submitting a test file).  If you plan on doing one of these, start early to make sure you can get to the compliance target by 2014.

Overall, Stage 2 appears to “up the game” for providers who wish to continue to receive incentive payments in out years of the program.  The Stage 2 rules that were published this week are interim rules.  The public has 60 days to submit comments.  After that, CMS will ultimately publish a final rule, taking into account comments made during the comment period.  While it is possible that CMS may back down on some of these measures, providers should get plan to comply with much of this Rule.  Talk with your EHR vendor, consultant, MSO or other service providers to analyze and plan for compliance.

Living in the Cloud(s)

I wrote about cloud computing in an earlier post and discussed some of the general pros and cons involved with the idea.  For attorneys, doctors and other professionals that are regulated, cloud computing creates some new wrinkles.  For attorneys, protecting the confidences of clients is an ethical obligation.  The unauthorized disclosure of client secrets can lead an attorney to disciplinary action and disbarment.  For physicians and other health care providers, federal laws on the privacy of patient information put providers at risk for substantial fines for inappropriately disclosing patient health information (or otherwise not complying with HIPAA’s privacy and security rules).  Using the cloud for applications that might have such confidential information adds a layer of uncertainty for the practitioner.

On the other hand, cloud computing is coming to a practice near you whether you like it or not.  For example, an increasing number of attorney practice management systems are cloud-based, such as Clio.  Legal research tools like FastCase, LexisNexis, Westlaw and Google Scholar are all cloud-based systems (in the sense that the information being searched is not stored on your local network but in internet-based database repositories that you access through your web browser).  And a growing number of email providers, including Google Apps for Business, Mailstreet.com, and others have been providing cloud-based email solutions for custom domain names.

State bar ethics groups and the ABA have been working on ethics opinions about these cloud-based systems.  North Carolina’s Bar had initially proposed a restrictive rule on the use of cloud computing systems by attorneys in the state.  The NC Bar had suggested that the use of web-based systems like directlaw.com (which allows clients to complete a questionnaire online for specific legal documents which are reviewed by an attorney before becoming final) represented a violation of the state’s ethics rules.  However, the NC Bar later revised its opinion and indicated that cloud computing solutions can be acceptable, so long as the attorney takes reasonable steps to minimize the inadvertent disclosure of confidential information.  “Reasonable,” a favorite word of attorneys for generations, has the virtue and vice of being subject to interpretation.  However, given the pace of change of technology, a bright line rule that favors one system over another faces prompt obsolescence.

In the context of the NC Bar 2011 Formal Opinion 6, for software as a service providers, ethics considerations include: (a) what’s in the contract between the vendor and the lawyer as to confidentiality, (b) how the attorney will be able to retrieve data from the provider should it go out of business or the parties terminate the SAAS contract, (c) an understanding of the security policy and practices of the vendor, (d) the steps the vendor takes to protect its network, such as firewalls, antivirus software, encryption and intrusion detection, and (e) the SAAS vendor’s backup and recovery plan.

Can you penetrate past the marketing of a vendor to truly understand its security practices?  For example, Google does not even disclose the total number of physical servers it uses to provide you those instant search results (though you can learn where its data centers are – there is even one in Finland as of the writing of this article – here).  And, in spite of Google’s security vigilance, Google and the applications it provides have periodic outages and hack attacks, such as the Aurora attack on gmail that became known in 2010.  Other data centers and service providers may be less transparent concerning these security issues.  In some cases, the opacity is a security strategy.  Just as the garrison of a castle wouldn’t advertise its weak spots, cloud providers aren’t likely to admit to security problems until either after the breach is plugged, or the breach is irreparable.

What’s your alternative?  For you Luddites, perhaps paper and pencil can’t be hacked, but good luck if you have a fire, or a disgruntled employee dumps your files in a local dumpster for all to see one weekend.  For those of you that want computer system in your practice, can you maintain these systems in-house in a cost-effective manner?  Do you have the resources to keep up with the software and hardware upgrades, service contracts, backup & recovery tests, and security features to reasonably protect your data?  How does that stack with professional-grade data centers?  Are you SAS-70 or SAS-16 compliant?  Do you know how data you access is encrypted?  In functional terms, do you really exercise more effective control over your security risks if you have IT people as employees rather than a data center under a reasonable commercial contract?

There are a lot of considerations.  And the best part?  They keep changing!

Don’t Be Fooled (Domain Name Registration)

One of my clients forwarded to me an email he received regarding the renewal of his domain name.  The email had the appearance of an invoice for the renewal.  The problem?  The invoice was not from my client’s domain name registrar, but from a vendor that wants my client to transfer his domain away from his existing registrar.

How Does This Work?

If you have a web site, your web site has a registered domain name.  That name (ending with a .com, .net, or another .something) has to be registered with an authorized domain name registrar, like Network Solutions or GoDaddy.  There is an international body, ICANN, that is responsible for approving registrars for the “top level domain names.”  ICANN acts as a coordinator to make sure that a particular domain name is controlled by one responsible registrar, who is the host for translating the domain name into an IP address, which your computer needs to find each internet site that you are trying to reach.  Without such a coordination, the internet would likely stop functioning in that you would be unable to consistently find a web site when you went to visit it.

Underneath the covers, each time you go to visit a web site, your computer asks what the IP (internet protocol) address the domain name you’ve asked for translate to.  For example, my domain, faithatlaw.com, has an IP address of 63.147.127.12.  My computer finds this IP address by asking a domain name server close to it (usually on the same local area network as my computer).  This local domain name server, in turn, asks itself whether it is an “authoritative” server for the domain name, and if not, asks a domain name server above it who is the authoritative server to tell it what the IP address for this domain name is.  Most DNS servers have a list programmed into them of “root hint” or upstream servers to ask when the local server does not know.  Ultimately, (and usually within a few seconds, which is kind of incredible, given that there are billions of computers on the worldwide internet), the local domain name server finds the address and tells my computer, 63.147.127.12.  My computer, in turn, uses this information to point my web browser to where I was trying to go.

This architecture only works if there is one authoritative domain name server out on the internet.  If there were many authoritative servers, each might have a different IP address for the same name, which would mean my question of where to go might be answered differently each time I asked it.  Talk about mass confusion.  So, if you own a domain, you registered it with a registrar.  You pay a fee to have a registration.  Usually you need to pay this fee annually.

The Problem

The problem is that for many business owners, the registration is handled by a web developer, or was done years ago (because you can purchase a web site registration for several years at a time).  It is easy, then, to forget about who you registered with when it comes time to renew your domain name.  And then, it is even easier to be fooled into sending your credit card information to “Domain Services” (the originator of the spam that spurred this posting).  One way to solve this is to setup your domain names to automatically renew with your current registrar.  You can also determine who is your current registrar by performing a “WhoIs” query on your domain name.  You can use this information to determine when your domain name is due to renew.

Be careful – the internet is a wild place.  This is but one way to get into trouble!

Lion Migration from IIS, A Novel

For the new year, we decided to take the plunge and migrate from our old friend, Windows server 2003 with IIS 6 over to Apple’s Lion Server on a shiny new Mac Mini with 8 GB of RAM and a quad processor.  The conversion from Microsoft’s to Apple’s server operating system is not too bad, though much is different between the two systems.  This article discusses some issues and resources for reference for those that are new to Lion.

MySQL

So, first off, we host web sites using IIS 6.  Some of our sites utilize WordPress, which means that we use a back-end mySQL database, and we also run php.  Neither of these applications were originally written for Windows, so both run ok there, but with issues over time.  Lion, of course, underneath is really a flavor of Unix.  This makes mySQL and php happy.  And, the nice people at Apple even have pre-loaded php onto Lion server for you.  However, you will need to install mySQL on your Lion box ahead of time for this conversion.  Here is a link to downloads for mySQL.  Here is also a very good walkthrough of installing and verifying your php, Apache, and mySQL installations.

Also note that with mySQL that there are three separate installation packages that you have to run – the main one is called mysql-5.5.19-osx10.6-x86_64.pkg (yes you want the 64 bit version of this application, not that crappy 32 bit thing you were running on your sad Windows server), but you also need to run the MySQL.prefpane and MySQLStartupItem.pkg so that you can get to this in the Preferences Pane and have it set to automatically run when you reboot).

Remote Access

Oh, but wait.  You might be wondering how you get into your Lion box in the first place to do all of this stuff.  For Windows people, we are used to the whole Remote Desktop thing (or if you are truly desperate, breaking out that spare monitor, mouse and keyboard and plugging them into your shiny new server).  Don’t worry: Apple has some tools for the sysadmin’s remote access.  If you are using, perish the thought, a Mac workstation or laptop, you can use Screen Sharing.  To connect for the first time, you authenticate to the Lion server with a blank user name, and the password is the Mac Mini’s hardware serial number.  From there, you will walk through the initial setup steps (like giving your box a network name, and the like).  Apple also shows you the other couple of options here (because, no, you are not the only person to want to access your box remotely).

The Server and Server Admin Apps

Ok, so now you have you setup the box and have installed mySQL, php and your Apache server.  In case you don’t know where Apache is (because you like to click a play button in the services applet in Windows), there is an application in Lion aptly called, “Server.”  Within that is a big “on/off” button for the web server that you can click to get Apache running.  By the by, there is a more sophisticated set of server tools called “Server Admin” that all the cool kids have downloaded to their Lion server.  (Click here to download that).  You can also do this stuff at the command line in the application called “Terminal” which is in the Utilities group of Applications.  I won’t get into the command line in this article, though there are a number of good references out there if you like that kind of thing (and sometimes, that is the best way to do something!).

Setting Up the Web Root Location

So you now have some setup choices to make, like where you are going to put your web site directories for the web sites you want to host on your Lion.  I’d say put them somewhere isolated, perhaps in their own little folder in the root where you have a way to limit access.  In Lion’s world, this will be a location where “Everyone” will have access, because, you know, the world wide web can come to your little box and see the contents.  I’d guess that putting all this stuff in the middle of your server’s system files would be a bad idea.  If you bought a server with two harddrives, and you aren’t going to mirror the one to the other, you might use the other disk to locate your web files.  Or you could create a partition from the free space and isolate your web files from the rest of the server’s files. Do what you need to do here.

Local DNS for Dev

Once you get things setup, you can then copy your files from your production IIS server over to their new location on the Lion server.  By default, Lion is running DNS for the .home domain (the equivalent of the .dom domain in Windows – local only).  However, you can’t configure DNS with the “Server” application.  Instead, you need “Server Admin” (aren’t you glad you already downloaded this and installed it?  Oh, you didn’t do that yet.  Well, come on.)  DNS lives there (or you can do your unix command line voodoo if you are in to that sort of thing).  The home domain is configured and your server is in it.  If this server is an internet DNS server, you could configure this server to run DNS for an internet domain here.  However, if you want to test your migrated web sites (why would anyone test anything before putting it into production?), you can configure your names here.

Setting up your Web Pages

Once you have done this, you can then declare your new sites in the “Server” application in the Web application.  You add a domain at a time (like test1.home, test2.home, or something lame like that), and tell the web service the location of the files for each site.  You’ll note that the service doesn’t ask you what the default document is for your web site; I think it is assuming that the default page is index.htm (or index.php if you are running php).  If you have a funny named default page, you will probably have to edit httpd.conf to modify the line for DirectoryIndex as follows (or you can just rename your page to index.php/index.htm.  I know, I know, that is too much effort):

#see below, replacing the text in square brackets 
#with your unusual default page
DirectoryIndex [yourcrazyindexpagename].[crazyextension]

Now, you are going to chuckle a bit at this point once you have added your multiple domains into DNS and you configure your multiple web sites, because Lion only will serve up one.  I don’t know why Lion ships this way.  But there is a solution.  Edit httpd.conf and add some entries for multiple domains as noted in the article.  You can also alias subdomains if you want, like http://www.  The downside to this is that if you have to change IP addresses later, you will need to edit internet DNS, add these addresses to your Lion server’s network settings, and then come back here and edit httpd.conf.  And for some reason with Lion, Apple has taken away a GUI configuration for Apache for advanced things like this.  Maybe someone out on the interweb will write one for those of us that are sad and don’t like trying to change these oddly named text files in the System directory.  Also, even more sadly I note that the Snow Leopard version actually had a GUI to do this and Apple took it away from us sysadmins.  I now wander alone in the desert, cast out by Apple.

Ok, I’m out of cheese so I will stop whining.  Needless to say, Apple has its problems too.  If they had everything figured out, we wouldn’t know what to do with ourselves and would probably not have a fabulous  job in IT.

FTP

By the by, you might want to configure ftp access to your web server.  Here is an article to do that.  (If you are going to allow ftp access, this is yet another reason to isolate your web files from the rest of your server files).  FTP access might be helpful if you are going to upload and download files from the web server periodically, and you can stop and start the service if you want to further limit access.  Probably best to also not use root as the user to access files by ftp (or just post your social security number, date of birth, license number, bank account numbers, and all your passwords to all of your accounts to the internet – you know, whatever).

Setting up new MySQL Databases

So, just a few more things to do in order to get your web sites up and running.  If you are using WordPress, you will want to export the tables in your production mySQL database to your new Lion mySQL database.  Ahead of this, you can get ready by creating blank databases on the Lion mySQL server with the same names as in production.  This can be done by logging into mySQL from Terminal, and running the commands:

create database [databasename];
grant all privileges on [databasename].* to
"[webusername]"@"localhost" identified by "[password]";
flush privileges;

In addition, if you have already copied the web files to your Apache server, and configured Apache to serve up these pages, you should be able to run the initial WordPress setup on your Lion box (won’t impact production), and you should be able to get into the wp-admin section and check out your plugins and themes to make sure they are good before importing your data into your mySQL database.  This will create blank tables with the default data of a default WP install – these will all get overwritten in the next step below.

Export/Import MySQL Database Tables

Happily, mySQL for Windows comes with an application you can use to export your database into a single .sql file that you can then execute in mySQL to import the tables and their data.  In Windows, the program is called “mysqldump.exe” and it is installed in Program FilesMySQLMySQL Server 5.0bin.  You run this program at the dos prompt.  With the proper syntax, it will create a .sql file where you tell it to, which you can then use to import all of your data and tables into your fresh mySQL install on Lion.  Here is an article on the syntax for using this function.

Once you have your .sql file for your database, and you have copied it to your Lion server, you can use mysqlimport from within the Terminal application in order to import these tables and data into the appropriate shell database you have for your WP site.  I’ve found that this process works better than using the Export/import features within WP admin, particularly if your site has custom tables for a particular widget or plugin.  My site, for example, had a customized menu that didn’t work in the new site until I just exported all of the data and tables and imported into the Lion install.  You can also simply execute a command at Terminal to process the .sql file that is created by exporting using mysqldump that looks like this:

mysql -u root -pYourPasswordHere NameOfYourDatabase <
/locationofyourMySqlExportFile.sql

Once you run that command, mysql will import and overwrite whatever is in the shell database that you have on your new mysql server.  Of course, if you have anything in there that you want, it will be overwritten.

So that’s it.  Ha ha.  This is not a thing you do in a half an hour, even for an experienced sysadmin.  But this is a perfectly reliable way of hosting web sites.  Lion’s not bad, mostly because you are just running Apache, php and mySQL, all of which work pretty well and have been around for quite a while.  But Lion is cute and cuddly.  For the most part, as long as you avoid those fangs, claws, and don’t get squished under the command line.  Happy computing!

Spam Spam Spam Spam Spam Spam Baked Beans and Spam

“18” year old virgins have recently found online resellers of non-prescription viagra for Magic Jack users that want cheap ski vacations that need health insurance, iPads and Dyson vacuum cleaners at rock bottom, knock off prices!  And all of these thousands of emails have been sent to my account online so that I can help a gentleman from Nigeria move $55 million in money from an African bank account into the U.S. and I can charge a humble $5 million fee to help.  I just need to send my social security number, credit card numbers, street address, and a sample of my signature to a person I’ve never met by email, deposit the bogus cashier’s check in my trust account, and then immediately write a check off the account the next day, well before the bogus check is returned by the collecting bank.

I feel as though I have ended up in the 21st century Monty Python skit about the restaurant that only seems to have “spam” on the menu.  I hear this problem continues, with more than 70% of all email amounting to spam, according to a 2011 article from Symantec (though there was a time that more than 90% of email was spam, so there has been some improvement since those dark days in 2009).  Progress has been made with some service providers that have waged a counter war against spam.  Gmail, for example, group-sources and marks messages as spam based on all messages identified by users as spam across the gmail platform.  This is a surprisingly effective strategy.  My experience has been that there are few false positives.

Previously, email systems were implemented that would check if a message was sent from a known, blacklisted IP address based on a series of independently maintained blacklist databases on the internet.  There have also been other improvements in the background, including the use of special DNS entries, and email gateways that pre-filter messages before reaching the mail server (Symantec had a product it had acquired from Brightmail; Google Apps includes a single-domain license for Postini, which is also generally effective at cutting down spam).  Spam messages often include phishing links, virus-laden email attachments, and other nefarious attacks on users.  Reducing spam makes sense for service providers that are paying, ultimately, for the bandwidth and storage space to process and deliver this junk to users.  We clearly have a way to go to reduce this problem for users.  Until then, if you need male enhancement medicine, are missing out on a $1,000 transfer to your bank account, want to help a political refugee move his family fortune to the U.S., need a usurious student loan, or want to work from home – I’m your guy!

Entertainment Contracts for Businesses

Entertainment businesses operate like many other business enterprises: ultimately, the business must make a profit in order to survive.  One way to help sustain and protect an entertainment business is to document the business relationships through written entertainment contracts between parties that participate in the providing of services to clients.

Ownership Contracts
For example, if several people are business owners, having a written agreement between those owners is an essential ingredient to the business’ success.  Such an agreement will vary based on the business entity, but generally, the agreement should describe each owner’s ownership interest, how management decisions are made, how owners join and depart from the organization, and how the business finances will be managed.

The forms of these agreements will vary based on the kind of business.  If the entity is unincorporated and there are two or more owners (“partners”) who share in the profit or loss of the business, the entity is likely a general partnership and would be governed by a partnership agreement (and, in its absence, state law for partnerships).  If the entity is an incorporated limited liability company, the owners (“members”) would typically enter into a membership agreement.  If the entity is a corporation, the owners (“shareholders”) would enter into a shareholders agreement.  The absence of such written agreements can make things much more expensive later should disputes arise among the owners.

Agency Contracts
For entertainment businesses that act as a booking agent for performers, having a written agency agreement with the performer is an important document.  This contract would clarify the procedures for scheduling and booking performances, might determine whether the agent is exclusive for the performer, what geographic area the agent would book the performers within, how the agent is compensated, among other considerations.

Performer Contracts
Also important to an entertainment business are the individual performers that work for the entertainment business.  Whether or not these performers are employees or independent contractors is an important distinction with substantial legal and tax implications for the business.  Employers understand that an independent contractor can potentially be less expensive than a full time employee because employers can avoid paying certain payroll taxes for independent contractors (shifting the tax burden to the contractor).  However, if the business mistakenly determines a staff member to be an independent contractor, the business may quickly face some very costly back taxes and penalties.

Independent Contractor vs. Employee
Determining whether a performer is an independent contractor or employee is highly fact specific.  There are a series of factors that are used to determine this distinction; these factors may vary by state and by the regulating entity.  However, at its roots, an employee is a person over whom the employer controls both the results of the work performed, and the methods and tools to achieve the result.  According to IRS Publication 1779, the IRS looks at three basic areas to determine if a staff person is an employee or independent contractor: (a) behavioral control, (b) financial control, and (c) the relationship of the parties.

Generally, the more control the business exercises over how the job is done (not just what results are expected), the more the staff person is likely to be viewed as an employee.  With regards to financial control, if the staff person can incur a profit or loss from his/her activities, you have a significant investment in the work that you do, and/or you pay your own business expenses, you are more likely to be viewed as an independent contractor.  And on the relationship of the parties, if the business pays benefits for you (like health insurance, pensions, and paid time off), and there is no written agreement between the parties, the IRS is more likely to view you as an employee.[1]  Independent contractors typically are able to work for several businesses providing similar services within their field.

In Maryland, the Department of Labor and Licensing also considers whether the business retains the right to discharge the staff member, and whether the business provides the tools, materials and the place to work for the staff member.  Typically, the independent contractor would have his/her own tools and materials, and would work from his/her own office or location.  DLLR also indicates that independent contractors are usually in a business that is different from the hiring business; professionals like lawyers, dentists, and public accountants are commonly independent contractors in business for themselves.

There may be other factors to consider besides the ones noted above.  In the entertainment business, musicians are may be independent contractors because they (a) have their own tools (e.g., instruments), (b) they may work for more than one business or band, (c) they typically have a fair amount of time and money invested in their education and equipment to be musicians, (d) the business they work for tends to exercise control over the result (the performance), rather than the specific methods of how the work is performed, and (e) typically organizations that schedule or coordinate performances are in a different business from the performers.  In some cases, performers take a percentage of ticket sales, and won’t get paid if either no one shows up for the event or if the event is canceled.  In those cases, a performer is more likely to be viewed as an independent contractor.

However, there are also factors that might tend to make a performer an employee: (a) benefits for the performer like paid sick or vacation time or health insurance, (b) the exercise of control by the busiess over practice times and location and how a particular musical piece is performed, and (c) the lack of a written agreement between the parties, suggesting that the business may terminate the relationship at will with the performer, without further obligation.

If you aren’t sure if the performer is an independent contractor or employee, you can request that the IRS provide a private letter ruling through filing Form SS-8.  An attorney in your state may also be able to advise you on the state-specific factors and your circumstances.

Other Contracts
There may be other relationships for an entertainment business (such as licensing and royalty agreements for the licensing of copyrighted works, contracts with merchandise distributors, record label and publisher agreements, venue agreements, just to mention a few).  The more that can be documented, the more likely it is that you will get paid and the less likely it is that parties will have disputes.

Documenting relationships in the form of formal, written agreements at the beginning of the relationship can help save headaches and costly mistakes down the road.  Consulting with an experienced attorney can help you to craft effective and binding agreements.


[1] In close cases, the written agreement may determine that the staff person is an independent contractor.