Archive for the ‘BA and Vendor Management’ Category
Tuesday, April 25th, 2017
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.
CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.
This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
Overview:
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed
- CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
- CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
- The Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf
Tags:business associate, HIPAA, HIPAA sanction
Posted in BA, BA and Vendor Management, HIPAA | No Comments »
Saturday, October 3rd, 2015
Businesses must be aware of risks with outsourcing to other countries activities involving personal information. Over the past couple of months I’ve heard over a dozen organizations express their opinion that if they hire organizations outside the U.S. to do work for them, then those organizations are not bound by U.S. laws. Most were from small to midsized organizations and startups. But it was somewhat surprising to hear also hear this sentiment from an organization with multiple locations and thousands of employees. This has been an incorrect belief of far too many organizations for decades.
I’ve also had clients in other countries ask about the need to comply with U.S. laws, such as for HIPAA compliance, when they provide services for U.S individuals and/or businesses. Many believe they do not need to. (more…)
Tags:BA management, data protection, data protection law, Dell, due diligence, Information Security, IT compliance, policies and procedures, power more, powermore, privacy, privacy professor, privacyprof, Rebecca Herold, risk management, vendor management, vendor risks
Posted in BA and Vendor Management, Information Security, Privacy and Compliance | No Comments »
Thursday, May 21st, 2015
Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices? (more…)
Tags:business associate, contractor, Dell, Information Security, outsourcing, policies, powermore, privacy, privacy professor, privacyprof, procedures, Rebecca Herold, risk management, risks, toprank, vendor management
Posted in BA and Vendor Management | No Comments »
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, due diligence, HIPAA, HITECH, IBM, incidental, Information Security, information security policy, infosec, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, training, vendor, vendor contract, vendor oversight
Posted in BA and Vendor Management, Information Security | No Comments »
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Friday, July 12th, 2013
Someone recently commented that I write a lot of blog posts based on my work and what my clients, students and others I meet at conferences and training classes have said or done. Well, that’s because such interactions often create some very good teaching moments that many others could benefit from! And so, yes, now I have another such experience to share. One of my new Compliance Helper clients recently told me, “I still don’t know what I need to do for HIPAA/HITECH compliance that is not covered under the compliance activities of my business clients. How can I do anything more beyond what they are already doing?” (more…)
Tags:awareness, BA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, non-compliance, personal information, personal information identifier, personal information item, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, sensitive personal information, social network, SPI, surveillance, systems security, training
Posted in BA, BA and Vendor Management, CE, HIPAA, HITECH | 1 Comment »
Friday, May 31st, 2013
Last week one of my Compliance Helper clients that is a health insurance company asked me the following question (slightly modified to protect their identity):
For the past two years, we have tried to get business associate (BA) Agreements from some of our BAs. They will not (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customer service, data protection, e-mail, electronic mail, email, employees, employment, exception management, facebook, FINRA, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, insider threat, insider trading, IT security, job applicants, messaging, midmarket, monitoring, non-compliance, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, Red Flags, risk, risk assessment, risk management, security, sensitive personal information, social media, social network, SPI, surveillance, systems security, training, twitter, walk through
Posted in BA, BA and Vendor Management | No Comments »
Wednesday, May 29th, 2013
I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that (more…)
Tags:audit, awareness, BAs, breach, business associates, CEs, compliance, covered entities, customer service, data protection, employees, employment, exception management, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, midmarket, monitoring, non-compliance, OCR, Omnibus Rule, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social network, SPI, subcontractors, surveillance, systems security, third parties, training, vendor management, vendors, walk through
Posted in BA, BA and Vendor Management, HIPAA | No Comments »
Wednesday, March 27th, 2013
Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).
Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, exception management, HIPAA, hiring, HITECH, HR, human resources, Information Security, information technology, infosec, IT security, job applicants, laws, liability, messaging, midmarket, non-compliance, Omnibus Rule, patients, personal information, personally identifiable information, personnel, PII, policies, policy exception, policy management, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, vendor management, vendor oversight, walk through
Posted in BA, BA and Vendor Management, CE, HIPAA, HITECH, Information Security, Laws & Regulations | 1 Comment »
