Archive for the ‘Laws & Regulations’ Category

« Older Entries
Newer Entries »

Disposal Dummies Cause Privacy Problems

Thursday, May 31st, 2012

A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy.  They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place.  I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle; from creation and collection, to deletion and disposal.  They were on board with everything I was describing until we got to (more…)

Tags:, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted in Laws & Regulations | 5 Comments »

Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?

Saturday, December 10th, 2011

On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)

Tags:, , , , , , , , , , , , , , , , , ,
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | 6 Comments »

Another HIPAA Proposed Rule: Patients’ Access to Test Reports

Wednesday, September 14th, 2011

Yesterday the HHS proposed rules that would give patients (and their authorized representatives) direct access to their own laboratory test result reports… (more…)

Posted in CE, HIPAA, HITECH, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »

HIPAA/HITECH Compliance Is All or Nothing

Tuesday, August 16th, 2011

I’m seeing growing numbers of  business associates, particularly those who do technology-based services, expressing the belief that they don’t need to worry about complying with most of HIPAA.  I wrote a guest blog post for Credant about this misguided thinking that was published today.  I welcome your feedback!

Tags:,
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy | No Comments »

KPMG HIPAA Auditor Caused a Data Breach

Tuesday, August 9th, 2011

A KPMG auditor caused a breach for New Jersey hospitals because he or she lost an unencrypted flash drive containing over 4,500 patient records. (more…)

Tags:,
Posted in BA, CE, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | 1 Comment »

UCLA Health System Pays $865K to Settle Celebrity Privacy HIPAA Violations

Friday, July 8th, 2011

Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list.  In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information.  And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)

Tags:, , , , , , , , , , , , , , , , , , ,
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »

10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance

Sunday, June 19th, 2011

I’m giving a free webinar sponsored by Sophos this coming Wednesday, June 22: “10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance.”   Here is more information about it: (more…)

Tags:, , , , , , , , , , , , , , ,
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, mobile computing, privacy, Privacy and Compliance | 1 Comment »

Don’t Let School Break Be A Privacy Break-In!

Friday, June 3rd, 2011

A couple of days ago I published my monthly Privacy Professor Tips message, “Summer Break-in.”  I provide these tips free to anyone who wants to sign up for it on my web site and fills out one of the boxes that says, (more…)

Tags:, , , , , , , , , , , , , , , ,
Posted in Information Security, Laws & Regulations, privacy, Privacy and Compliance, Training & awareness | No Comments »

Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)

Thursday, June 2nd, 2011

My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD  NPRM).  I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there.  Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)

Tags:, , , , , , , , , , , , , , , , , , , ,
Posted in BA, CE, healthcare, HIPAA, HITECH, Laws & Regulations, Privacy and Compliance | 1 Comment »

Preliminary Thoughts about the HIPAA Accounting of Disclosures NPRM

Tuesday, May 31st, 2011

On Friday, May 27, 2011, the Department of Health and Human Services (HHS) published the HIPAA Privacy Rule Accounting of Disclosures under the Health Information Technology for Economic and Clinical Health Act Notice of Proposed Rule Making (NPRM).  I’m still going through it but here are my preliminary thoughts… (more…)

Tags:, , , , , , , , , , , , , , ,
Posted in BA, CE, HIPAA, HITECH, Laws & Regulations, privacy, Privacy and Compliance | 10 Comments »

« Older Entries
Newer Entries »