March 8th, 2011
I participate in the Focus network and tried to answer the following question from “Caty” on their discussion board:
“How can compliance automation help secure my organization’s IT infrastructure?” Please describe the benefits of compliance automation and discuss how it can be used to secure an organization’s IT infrastructure.
However, after trying to submit my response in around half a dozen ways, I was told my answer was too long. Instead of shaving off some of my content, I decided to post here to my blog, and then point to here from there. Perhaps my other blog readers will be interested in my thoughts on this topic as well.
So, here is my answer…
Tags: compliance, HIPAA, HITECH, Information Security, privacy, Rebecca Herold, risk assessment, risk management
February 12th, 2011
I recently engaged in an interesting discussion with Rafal Los about the erosion of privacy as it relates to the Internet in general, and social media sites specifically. I think my readers will find some useful points and insights within our conversation, especially considering the often perceived adversarial relationship between anonymity and privacy. I welcome your feedback!
So here we go…
Tags: anonymity, Digital, EULA, facebook, Identity, internet, privacy, privacy professor, rafal los, Rebecca Herold, social media
February 4th, 2011
NOTE: This is a repost for those that have browsers that could not open the original. Hopefully this will fix the problem!
Over the years I’ve had a lot of organizations ask me about whether HIPAA applies to faxes, copy machines, and other types of specific technologies. It is very important that covered entities (CEs), business associates (BAs) and their subcontractors understand that HIPAA applies to protecting the information! It doesn’t matter what the conduit is for how the information is transmitted, or where it is stored or accessed from. The important point is that protected health information (PHI), in all forms, must be protected. The Security Rule applies only to electronic data, but the Privacy Rule and HITECH apply to all forms of PHI. Okay; let’s keep this in mind when considering the following question I got earlier this week from a HIPAA business associate…
Tags: Compliance Helper, fax, Rebecca Herold, risk management
February 2nd, 2011
I’ve been getting a lot more questions about HIPAA and HITECH lately from folks I’ve never met, but who have concerns about the security and privacy of their health information (“protected health information” or “PHI” as referenced within HIPAA/HITECH), businesses that are trying to understand how to protect PHI according to the regulatory requirements, and a growing number who express frustration with the unsecure ways in which clients, customers, patients and business partners are sharing information with them. There just are not enough hours in the day to answer them all, but I decided I’d start sharing some of the questions, and my corresponding answers, that seem to be topics that a wide range of readers may be interested in.
I was recently contacted by someone who had a question about a recent HIPAA complaint against Rowan Regional Medical Center…
Tags: awareness, healthcare, HHS, HIPAA, HITECH, hospital, Information Security, insider threat, OCR, PHI, privacy, Rebecca Herold, Rowan Regional Medical Center, training
January 4th, 2011
On December 20, 2010, the U.S. federal government published “Part II: Regulatory Information Service Center: Introduction to The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions.” If you are a healthcare Covered Entity (CE), Business Associate (BA) or BA subcontractor, as defined under HIPAA and HITECH, this should be of interest to you. Why? Because within it is the long-awaited Department of Health and Human Services (HHS) timeline for when they would publish the final rule of the Notice of Proposed Rule Making (NPRM) that came out in July, 2010. The date? Well…
Tags: ARRA, BA, CE, compliance, healthcare, HIPAA, HITECH, Information Security, NPRM, privacy, Rebecca Herold
December 20th, 2010
Looking ahead to what will happen in the coming year is always an interesting exercise. Just like within a great novel, foreshadowing occurs every day in our lives to drop the hints of things that are likely to come. The trick is to separate out the valuable hints from the extraneous breadcrumbs that are dropped by dozens of other inconsequential sources that mislead us and cause us to fail in our predictions. We shall see at the end of the year how close I am with the following predictions…
Tags: compliance, GLBA, HIPAA, HITECH, Information Security, meaningful use, PIA, privacy, privacy impact assessment, privacy training, risk assessments, security training, smart meter, Smart Grid
November 23rd, 2010
I love marketing and sales folks. Our businesses would be lost (well, at least have less revenues) without them! I’ve worked with many different sales and marketing folks throughout the past couple of decades, and I appreciate their enthusiasm and creativity to find ways in which they can help their organizations make more revenue.
Tags: consent, facebook, laws, marketing, Opt-in, privacy, Rebecca Herold, sales, social media, spam
October 3rd, 2010
As demonstrated over and over again over the past several years, mobile computing devices and storage media present a huge risk to business and personal information. Because of the portability of these devices, organizations are basically entrusting the security of the information stored upon them into the hands of the people using them. It is vital that an effective mobile computing device and storage media security and privacy management program is in place.
A mobile computing device and storage media security and privacy management program should be able to answer the following questions…
Tags: awareness and training, compliance, Information Security, mobile computing, mobile security, privacy, Rebecca Herold, security, security training, wireless
November 28th, 2009
Sorry to be so tardy in getting a blog post out. As many of you know I’ve been working with the NIST Smart Grid Privacy Subgroup since late June. The work done for this group is through time volunteered by all involved.
As a quick recap, I led the privacy impact assessment (PIA) for the consumer-to-utility portion of the planned smart grid during the late June to late August/early September time frame. On Friday, 11/20, I provided an update on our NIST group’s activities during the Gridwise Alliance phone conference; perhaps some of you were on that call?
Here are some links showing information about our NIST Smart Grid privacy group’s work:
Tags: awareness and training, Information Security, IT compliance, IT training, NIST, personally identifiable information, PIA, PII, policies and procedures, privacy impact assessment, privacy law, privacy training, security training, Smart Grid, Smart Meter, SmartGrid