Archive for the ‘BA’ Category

You Need to Actually Do What Your Policies Say!

Friday, December 21st, 2012

This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool.  Grrr!! There are (more…)

Back to the Future Security Basics: Security through Obscurity Still Does Not Work

Tuesday, April 17th, 2012

Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.

As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)

Is A W-2 PHI?

Monday, February 27th, 2012

“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”

First the full question: (more…)

Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?

Saturday, December 10th, 2011

On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)

HIPAA/HITECH Compliance Is All or Nothing

Tuesday, August 16th, 2011

I’m seeing growing numbers of  business associates, particularly those who do technology-based services, expressing the belief that they don’t need to worry about complying with most of HIPAA.  I wrote a guest blog post for Credant about this misguided thinking that was published today.  I welcome your feedback!

KPMG HIPAA Auditor Caused a Data Breach

Tuesday, August 9th, 2011

A KPMG auditor caused a breach for New Jersey hospitals because he or she lost an unencrypted flash drive containing over 4,500 patient records. (more…)

10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance

Sunday, June 19th, 2011

I’m giving a free webinar sponsored by Sophos this coming Wednesday, June 22: “10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance.”   Here is more information about it: (more…)

Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)

Thursday, June 2nd, 2011

My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD  NPRM).  I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there.  Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)

Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM

Tuesday, May 31st, 2011

On Friday, May 27, 2011, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM).  I’m still going through it but here are my preliminary thoughts… (more…)

Physician Learns A Hard PHI Lesson

Tuesday, April 19th, 2011

News broke  yesterday about a physician in Rhode Island, at the Westerly Hospital, who was sanctioned for posting protected health information (PHI) on her Facebook page: (more…)