There is a topic that has been coming up, over and over and over again over the past 12 years, that I’ve never seen addressed in other publications. What does your organization do with all the personal information you collect from job applicants? Consider a real situation I encountered around ten years ago. (more…)
Archive for the ‘Privacy and Compliance’ Category
Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?
Saturday, December 10th, 2011On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)
Another HIPAA Proposed Rule: Patients’ Access to Test Reports
Wednesday, September 14th, 2011Yesterday the HHS proposed rules that would give patients (and their authorized representatives) direct access to their own laboratory test result reports… (more…)
Auditing Patient Records Survey Results
Saturday, September 10th, 2011There are no specific requirements that the Department of Health and Human Services provide with regards to how often to perform patient records audits (understandably so, since it should be based upon an organization’s own risk environment), and so many healthcare providers wonder what others are doing, or what is “standard” practice. So, to help determine this, from mid- to late-August (two weeks) I posted a very short, completely unscientific, survey specifically to get a feel for what some other hospitals and clinics are doing with regard to auditing patient records access and disclosures, as required by HIPAA. Here are the results… (more…)
SHORT Survey For HIPAA Compliance Activity Benchmarking
Thursday, August 18th, 2011Those of you who work for healthcare providers… (more…)
KPMG HIPAA Auditor Caused a Data Breach
Tuesday, August 9th, 2011A KPMG auditor caused a breach for New Jersey hospitals because he or she lost an unencrypted flash drive containing over 4,500 patient records. (more…)
UCLA Health System Pays $865K to Settle Celebrity Privacy HIPAA Violations
Friday, July 8th, 2011Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance
Sunday, June 19th, 2011I’m giving a free webinar sponsored by Sophos this coming Wednesday, June 22: “10 Risk-Reducing Actions for Mobile HIPAA/HITECH Compliance.” Here is more information about it: (more…)
Don’t Let School Break Be A Privacy Break-In!
Friday, June 3rd, 2011A couple of days ago I published my monthly Privacy Professor Tips message, “Summer Break-in.” I provide these tips free to anyone who wants to sign up for it on my web site and fills out one of the boxes that says, (more…)
Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)
Thursday, June 2nd, 2011My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)