“We Can’t Afford Security and Privacy!”

Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.

Him: “I wish (more…)

Last week one of my Compliance Helper clients that is a health insurance company asked me the following question (slightly modified to protect their identity):

For the past two years, we have tried to get business associate (BA) Agreements from some of our BAs. They will not (more…)

I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that (more…)

A new data breach research report is out, and it is a good read.  This is the annual Experian/Ponemon Institute “Is Your Company Ready for a Big Data Breach?” report.  I want to focus on one of the findings in that report; that most organizations are not willing to assist those affected by a breach of their personal information. (more…)

Allowing Wall Street privacy law exemption is crazy! Why, you ask? Why, I’m happy to explain. In March, 2012, I wrote “6 Good Reasons NOT To Ask for Facebook Passwords“.  Since that time legislation prohibiting employers from requiring access to their employees’ protected areas of their social media accounts has been introduced or is pending in at least 35 states. Three states–Arkansas, New Mexico and (more…)

Locate it to protect it

I love speaking with folks about privacy, information security and compliance.  I am sincerely interested in hearing about their challenges, and then also identifying common challenges amongst them all.  We can then get to solutions. 

One of the consistently common challenges I’ve heard from privacy and security folks in the past several months is trying to (more…)

Don’t tell me it depends! Well, sorry, but…
I’ve been involved in several interesting discussions (some with lawyers, some with security folks, some with privacy folks, and a few of the folks wearing all three hats) about the liability of organizations that outsource business processing. Since January 17 I’ve also been working on a wide range of documentation changes to reflect the recently released 563 page tome that is the Final HIPAA Omnibus Rule. A significant part of the documentation and writing involves discussion of the increased liability a covered entity (CE) now has for the bad practices and mistakes made by their business associates (BAs).

Organizations want a clear cut answer to “how liable” they are for the actions of their outsourced entities. One CISO at a conference demanded, “Just tell me; are we going to be held responsible for the actions of our business associates or not? Just (more…)

Over the past few months I’ve been in increasingly more discussions, online and at in-person group meetings, about information security policies and exceptions; often more like venting sessions. A common theme is that the information security folks were complaining about how their companies’ managers are granting exceptions to their information security policies, or that they are always getting (more…)

Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)

Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located.  One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)