Posts Tagged ‘business associate’
Tuesday, April 25th, 2017
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced a Health Insurance Portability and Accountability Act of 1996 (HIPAA) settlement against a Business Associate (BA), CardioNet. This penalty was based on the impermissible disclosure of unsecured electronic protected health information (ePHI) that was a result of not understanding HIPAA requirements.
CardioNet has agreed to settle potential noncompliance with the HIPAA Privacy and Security Rules by paying $2.5 million and implementing a corrective action plan.
This settlement is the first involving a wireless health services provider. CardioNet provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
Overview:
In January 2012, CardioNet reported to the HHS Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. OCR’s investigation into the impermissible disclosure revealed
- CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
- CardioNet’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented.
- The Pennsylvania –based organization was unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices.
See the Resolution Agreement on the OCR website at https://www.hhs.gov/sites/default/files/cardionet-ra-cap.pdf
Tags:business associate, HIPAA, HIPAA sanction
Posted in BA, BA and Vendor Management, HIPAA | No Comments »
Thursday, May 21st, 2015
Do you know how well your vendors, business associates, contracted third parties (who I will collectively call “contractors”) are protecting the information with which you’ve entrusted them to perform some sort of business activity? You need to know.
Late last year, a study of breaches in the retail industry revealed 33 percent of them were from third party vendor access vulnerabilities. The largest healthcare breach in 2014 was from a business associate (the contractor of a hospital system) and involved the records of 4.5 million patients.
The list of breaches caused by contractors throughout all industries could fill a large book. The damage that your third parties can cause to your business can be significant. Do you know the risks that your contractors and other third parties bring to your organization? Or, will your contractors take down your business because of their poor security and privacy practices? (more…)
Tags:business associate, contractor, Dell, Information Security, outsourcing, policies, powermore, privacy, privacy professor, privacyprof, procedures, Rebecca Herold, risk management, risks, toprank, vendor management
Posted in BA and Vendor Management | No Comments »
Saturday, February 1st, 2014
I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, compliance, covered entity, data protection, disclosure, due diligence, Google Glass, IBM, incidental, Information Security, information security policy, infosec, iWatch, midmarket, mobile device, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, third party, training, vendor, vendor contract, vendor oversight, wearable device, wireless
Posted in Information Security, mobile computing | No Comments »
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, due diligence, HIPAA, HITECH, IBM, incidental, Information Security, information security policy, infosec, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, training, vendor, vendor contract, vendor oversight
Posted in BA and Vendor Management, Information Security | No Comments »
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Wednesday, November 20th, 2013
One of the things I love about helping all my Compliance Helper (CH) clients with their information security and privacy compliance activities is that they often ask questions that most other small and mid-size organizations also have. So, I then have a great opportunity to share advice! One of my recent conversations dealt with the challenges my mid-size client was having in trying to appropriately customize the data and records retention policy and procedure I provide through the CH service to fit his organization’s unique type of business associate service, while also meet compliance with the HIPAA retention requirements. The paraphrased questions below started our conversation after I advised that there are many types of documents that must be retained for at least 6 years to meet compliance: (more…)
Tags:21 CFR Part 11, awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data management, data protection, data retention, GLBA, HIPAA, HITECH, IBM, information management, information retention, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, retain, retention, risk assessment, risk management, security, SSA, systems security, training, USA PATRIOT Act
Posted in HIPAA, Laws & Regulations | No Comments »
Monday, October 28th, 2013
“What’s the minimum shred size?”
Recently I got a great question from one of my Compliance Helper clients:
“This may seem like a silly question, but is there any type of HIPAA compliance requirements for shredder types? For example, minimum shred size?”
Not a silly question at all! Of the organizations that shred their paper documents (there are still way too many that don’t), a large portion of them are not shredding their documents to a point that they are actually doing so effectively. Here are some points and tips (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, disposal, dispose, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, reassemble, Rebecca Herold, risk assessment, risk management, security, shred, shredder, systems security, training, unshred
Posted in Information Security | No Comments »
Tuesday, October 22nd, 2013
Compliance, like much of life, takes ongoing effort
Okay, folks. Time for a reality check for what data protection compliance involves.
You know what’s often tedious and hard? Well, a lot of things in life. (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, systems security, training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
Thursday, September 26th, 2013
I’ve received numerous questions from various news outlets, clients and colleagues since the published revelation that the NSA was getting the assistance of encryption vendors to decrypt messages throughout a very wide range of activities. A lot of folks are now throwing their hands in the air, claiming that encryption is now no longer effective, and planning to use something completely different. Hmm…wait! Don’t throw out the encryption baby with the unsafe practices bathwater yet. Encryption is still an effective, and necessary, information security control to use. The following are (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, encrypt, encryption, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, NIST, non-compliance, NSA, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, RSA, security, social network, surveillance, systems security, training
Posted in government, Information Security | No Comments »
Friday, August 30th, 2013
Over the past week a few reporters who were following up on a recent breach of 9 million patient records for stories they were writing asked me basically the same question amongst all their others, “What are the barriers that stop healthcare organizations from encrypting their devices?” One of the resulting stories, by Marianne McGee, has been posted at HealthCareInfosecurity. During my work with a wide range of small to large organizations, in a wide range of industries, I’ve found there are some common reasons why encryption is not implemented. Here are the top four I’ve run across. (more…)
Tags:awareness, BA, BAA, breach, business associate, CE, compliance, covered entity, data protection, encrypt, encryption, HIPAA, HITECH, IBM, Information Security, information technology, infosec, IT security, midmarket, monitoring, non-compliance, Omnibus, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, risk assessment, risk management, security, social network, surveillance, systems security, training
Posted in HIPAA, Information Security | No Comments »
