Posts Tagged ‘breach response’

How Physical Harm Impacts Can Drive Huge HIPAA Penalties

Wednesday, February 20th, 2013

Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)

Is Frictionless Sharing Like Digital Privacy Cancer?

Thursday, May 17th, 2012

I was recently speaking with a friend on the phone, and she said, “I just had the most embarrassing thing happen!  I had one of my Facebook friends send me a text teasing me about reading a rather sleazy article on TMZ. I did not know what she was talking about! So, I went to my Facebook page, and sure enough, down the timeline there was an article I had only briefly gone to the previous day after clicking a headline about moms on Google news and landed on a page; I quickly got off of when I saw it. I was so embarrassed to see that my brief visit to the page had been posted on my Facebook page! I don’t even go to TMZ on purpose, why is Facebook suddenly tattling on me when it accidentally went there?” (more…)

Big Brother Likes Big Data – Balancing Privacy with Innovation

Wednesday, May 2nd, 2012

My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target!  Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”

Me, “That’s pretty incredible, isn’t it?  Companies are able to discover things like that about people more than ever before through analyzing what is called ‘Big Data’.”

Son, “That’s really creepy. I think you should (more…)

Back to the Future Security Basics: Security through Obscurity Still Does Not Work

Tuesday, April 17th, 2012

Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.

As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)

Privacy For The Deceased

Wednesday, September 30th, 2009

Late last month I posted, “HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element” and since then I’ve had around half a dozen or so folks ask me to write about privacy for the deceased…

(more…)

What Happens To Privacy During Pandemics?

Monday, September 14th, 2009

I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the plans.

(more…)

Is Encryption Enough to Achieve Privacy?

Thursday, September 10th, 2009

Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy. Here is the information about the event…

(more…)

HITECH Impacts Over 734,178 “Small Business” HIPAA Covered Entities

Wednesday, September 9th, 2009

The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: “Breach Notification for Unsecured Protected Health Information; Interim Final Rule” (Breach Notice Rule) has been written about a lot. But much of what is written overlooks some of the very interesting prologue within that document that is very important to consider to frame the context within which the regulation was written…

(more…)

HITECH Act Virtual ToC

Friday, September 4th, 2009

This was another very busy week, and I didn’t have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email…

(more…)

HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced

Monday, August 31st, 2009

The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all healthcare covered entities (CEs) and business associates (BAs). The FTC rule covers all personal health record (PHR) vendors and their service providers…

(more…)