Posts Tagged ‘HHS’
Saturday, November 29th, 2014
It is that time of the year again…time for prognostications about the year ahead!
I was asked to provide a few predictions for 2015. Based upon not only what I’ve seen in 2014, but also foreshadowing from the past two-three decades, here are some realistic possibilities. (more…)
Tags:2015 predictions, big data, big data analytics, breaches, Dell, FDA, FTC, HHS, HITECH, Information Security, information security risks, infosec, Internet of Things, IoT, personal health recordsHIPAA, personal information, PHR, policies, privacy, privacy breach, privacy information, privacy professor, privacy risks, privacyprof, procedures, Rebecca Herold, risks, sensitive information, sensitive personal data, training
Posted in Cybersecurity, privacy | No Comments »
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Monday, June 17th, 2013
“We Can’t Afford Security and Privacy!”
Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.
Him: “I wish (more…)
Tags:audit, awareness, BAs, breach, budget, business associates, CEs, compliance, covered entities, customer service, data protection, employees, employment, exception management, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, midmarket, monitoring, non-compliance, OCR, Omnibus Rule, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social network, SPI, subcontractors, surveillance, systems security, third parties, training, vendor management, vendors, walk through
Posted in HIPAA, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Wednesday, May 29th, 2013
I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that (more…)
Tags:audit, awareness, BAs, breach, business associates, CEs, compliance, covered entities, customer service, data protection, employees, employment, exception management, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, midmarket, monitoring, non-compliance, OCR, Omnibus Rule, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social network, SPI, subcontractors, surveillance, systems security, third parties, training, vendor management, vendors, walk through
Posted in BA, BA and Vendor Management, HIPAA | No Comments »
Thursday, January 24th, 2013
The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013. Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.
Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements. Let me explain… (more…)
Tags:BA, BA Agreement, business associate, compliance, Compliance Helper, covered entity, federal register, Final Rule, healthcare, herold, HHS, HIPAA, HITECH, Information Security, Mega Rule, OCR, privacy, privacy professor, Rebecca Herold, security
Posted in BA, CE, HIPAA, HITECH | No Comments »
Wednesday, November 21st, 2012
Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)
Tags:anonymization, anonymized, audit, awareness, BAs, breach, CEs, compliance, customers, data protection, de-identificaiton framework, de-identification, de-identify, e-mail, electronic mail, email, employees, employment, Herold de-identification, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, PbD, personal information, personally identifiable information, personnel, PHI, PII, policies, privacy, privacy breach, Privacy by Design, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, privacy, Uncategorized | No Comments »
Wednesday, October 31st, 2012
Last week I got the following question:
“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”
This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)
Tags:27001, 27002, audit, awareness, breach, certification, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, ISMS, ISO27001, ISO27002, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, HITECH, Laws & Regulations | No Comments »
Wednesday, June 27th, 2012
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)
Tags:Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training
Posted in government, healthcare, HIPAA, HITECH | No Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Thursday, June 2nd, 2011
My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)
Tags:access report, accounting of disclosures, BA, business associates, CE, Compliance Helper, covered entities, designated record set, DRS, herold, HHS, HIPAA, HITECH, Information Security, NCHICA, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule
Posted in BA, CE, healthcare, HIPAA, HITECH, Laws & Regulations, Privacy and Compliance | 1 Comment »