Archive for the ‘Privacy and Compliance’ Category

New HHS Guidance States HIPAA Does Not Apply To PHRs

Sunday, December 28th, 2008

I hope you are all having a wonderful holiday season! I hadn’t planned to take the past few days off from blogging, but something like the flu (probably the flu) hit me like a bag of bricks on Christmas day and I’ve been curled in a fetal position in my bed for the past few days. Oddly enough while laying there feeling like my bones were all slowly dissolving (and thinking about the types of body braces you’d need to create to deal with something like that!) I was also thinking about how silly it was for the Health Insurance Portability and Accountability Act (HIPAA; and any industry-specific data protection law) to define that the only organization’s that would legally need to safeguard protected health information (PHI) are the narrowly defined covered entities (CEs); healthcare providers, healthcare insurers and healthcare clearinghouses.

(more…)

Santa Sees All; But Puts The U.S. On Naughty List For Poor Privacy Practices…?

Wednesday, December 24th, 2008

Here’s a great article for Christmas Eve that covers a wide range of surveillance tools and techniques that are increasingly used by governments, law enforcement, employers, suspicious spouses, etc, etc, etc…

(more…)

FEMA Records Of 16,000 Katrina Victims Posted Online

Tuesday, December 23rd, 2008

How did the following happen…there are many options…insider threat? Poor IT storage controls? Poor applications development controls? Perhaps using real personally identifiable information (PII) for test purposes? Hacker break-in? Through an outsourced company with access to the PII, but who also had poor controls? There are so many possibilities…

(more…)

Information Security & Privacy Training Should NOT Be Optional

Monday, December 22nd, 2008

Over the past couple of weeks I’ve heard three different information security and privacy officers talk about making information security and privacy training within their organizations optional…not required…for personnel who have access to information assets and personally identifiable information (PII). Leaving training to the discretion of employees is very risky!

(more…)

HHS’s New Privacy & Security Framework Based Upon The OECD Privacy Principles

Friday, December 19th, 2008

Earlier this week, the Department of Health and Human Services issued a framework, “Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information December 15, 2008” for protecting patient privacy and securing medical records, in particular online protected health information (PHI) records.

(more…)

Effective & Unique Information Security and Privacy Training & Fun Stuff

Thursday, December 18th, 2008

One of my areas of expertise, and a great passion of mine, is information security, privacy and compliance training and awareness activities. No organization will have a successful information security or privacy program without having effective training and ongoing awareness communications. Humans are the most vulnerable, as well as most valuable, component of an information security program. You MUST communicate to your personnel what they need to do to effectively safeguard information…such knowledge is not innate!
One of the most measurably and visibly effective training events I have ever done over the past couple of decades is having employee teams or departments throughout the organization compete with each other to identify the most information security and privacy risks…

(more…)

FTC Publishes Report On SSNs and Identity Theft

Wednesday, December 17th, 2008

Today the U.S. Federal Trade Commission (FTC) released a new report about social security numbers (SSNs), identity theft, and recommended 5 ways to help prevend having SSNs being used for identity theft…

(more…)

Blackberry Disposal Lessons From McCain & Palin

Tuesday, December 16th, 2008

Another real-life example to show the importance of having effective policies and procedures in place for not only information disposal, but also for the disposal of computers and storage media…

(more…)

Example Of Why Business Leaders MUST Ensure Third Party Security

Monday, December 15th, 2008

Below is a good example of why organizations need to do third party (vendor, outsourcers, business partners, etc.) information security and privacy program reviews. A very important sentence to show your business leaders who don’t think they need to ensure third party security is, “The lender made the data vulnerable, the complaint alleges, by allowing a third-party home seller to access the data without taking reasonable steps to protect it.”

(more…)

ED and HHS Gives Guidance for HIPAA and FERPA Relationship

Friday, December 12th, 2008

I saw some interesting news from the OS OCR Privacy List listserve. If you are with an education institution or a healthcare covered entity, take some time to read the new guidance about the relationship between FERPA and HIPAA

(more…)