Posts Tagged ‘HHS’

4 Privacy Predictions for 2015

Saturday, November 29th, 2014

It is that time of the year again…time for prognostications about the year ahead!

I was asked to provide a few predictions for 2015. Based upon not only what I’ve seen in 2014, but also foreshadowing from the past two-three decades, here are some realistic possibilities.  (more…)

If it was Intentional it is *NOT* Incidental

Wednesday, December 11th, 2013

In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)

Don’t Be Penny Wise and Privacy Foolish

Monday, June 17th, 2013

“We Can’t Afford Security and Privacy!”

Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.

Him: “I wish (more…)

I See Business Associates…Do You See Yours?

Wednesday, May 29th, 2013

I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that (more…)

Should You Rush to Execute a BA Agreement Today? Probably Not

Thursday, January 24th, 2013

The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013.  Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.

Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements.  Let me explain… (more…)

Implementing a Data De-Identification Framework

Wednesday, November 21st, 2012

Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities.  The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)

ISMS Certification Does Not Equal Regulatory Compliance

Wednesday, October 31st, 2012

Last week I got the following question:

“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements?  Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”

This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)

Lack of Basic Security Practices Results in $1.7 Million Sanction

Wednesday, June 27th, 2012

July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.

Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)

UCLA Health System Pays $865K to Settle Celebrity Privacy HIPAA Violations

Friday, July 8th, 2011

Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list.  In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information.  And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)

Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)

Thursday, June 2nd, 2011

My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD  NPRM).  I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there.  Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)