Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)
Archive for the ‘HIPAA’ Category
Implementing a Data De-Identification Framework
Wednesday, November 21st, 2012ISMS Certification Does Not Equal Regulatory Compliance
Wednesday, October 31st, 2012Last week I got the following question:
“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”
This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)
Lack of Basic Security Practices Results in $1.7 Million Sanction
Wednesday, June 27th, 2012July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)
Back to the Future Security Basics: Security through Obscurity Still Does Not Work
Tuesday, April 17th, 2012Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Is A W-2 PHI?
Monday, February 27th, 2012“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”
First the full question: (more…)
Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?
Saturday, December 10th, 2011On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)
Another HIPAA Proposed Rule: Patients’ Access to Test Reports
Wednesday, September 14th, 2011Yesterday the HHS proposed rules that would give patients (and their authorized representatives) direct access to their own laboratory test result reports… (more…)
Auditing Patient Records Survey Results
Saturday, September 10th, 2011There are no specific requirements that the Department of Health and Human Services provide with regards to how often to perform patient records audits (understandably so, since it should be based upon an organization’s own risk environment), and so many healthcare providers wonder what others are doing, or what is “standard” practice. So, to help determine this, from mid- to late-August (two weeks) I posted a very short, completely unscientific, survey specifically to get a feel for what some other hospitals and clinics are doing with regard to auditing patient records access and disclosures, as required by HIPAA. Here are the results… (more…)
Request for Your Participation – SHORT Survey #2: Workstation Timeouts and Lost SSO Badges
Friday, September 2nd, 2011I’ve posted the 2nd in a series of SHORT and ANONYMOUS surveys to determine important HIPAA/HITECH compliance activities at hospitals and clinics. However, for this topic it would be good to have all types of organizations/industries participating… (more…)
SHORT Survey For HIPAA Compliance Activity Benchmarking
Thursday, August 18th, 2011Those of you who work for healthcare providers… (more…)