Those of you who work for healthcare providers… (more…)
Archive for the ‘CE’ Category
SHORT Survey For HIPAA Compliance Activity Benchmarking
Thursday, August 18th, 2011HIPAA/HITECH Compliance Is All or Nothing
Tuesday, August 16th, 2011I’m seeing growing numbers of business associates, particularly those who do technology-based services, expressing the belief that they don’t need to worry about complying with most of HIPAA. I wrote a guest blog post for Credant about this misguided thinking that was published today. I welcome your feedback!
KPMG HIPAA Auditor Caused a Data Breach
Tuesday, August 9th, 2011A KPMG auditor caused a breach for New Jersey hospitals because he or she lost an unencrypted flash drive containing over 4,500 patient records. (more…)
UCLA Health System Pays $865K to Settle Celebrity Privacy HIPAA Violations
Friday, July 8th, 2011Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance
Sunday, June 19th, 2011I’m giving a free webinar sponsored by Sophos this coming Wednesday, June 22: “10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance.” Here is more information about it: (more…)
Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)
Thursday, June 2nd, 2011My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)
Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM
Tuesday, May 31st, 2011On Friday, May 27, 2011, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM). I’m still going through it but here are my preliminary thoughts… (more…)
HIPAA: It is About the Information!
Friday, February 4th, 2011NOTE: This is a repost for those that have browsers that could not open the original. Hopefully this will fix the problem!
Over the years I’ve had a lot of organizations ask me about whether HIPAA applies to faxes, copy machines, and other types of specific technologies. It is very important that covered entities (CEs), business associates (BAs) and their subcontractors understand that HIPAA applies to protecting the information! It doesn’t matter what the conduit is for how the information is transmitted, or where it is stored or accessed from. The important point is that protected health information (PHI), in all forms, must be protected. The Security Rule applies to only electronic data, but the Privacy Rule and HITECH apply to all forms of PHI. Okay; let’s keep this in mind when considering the following question I got earlier this week from a HIPAA business associate… (more…)