Posts Tagged ‘OCR’
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Monday, June 17th, 2013
“We Can’t Afford Security and Privacy!”
Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs for information security and privacy not only for compliance reasons, but also to mitigate risks to the business. He seemed a bit short with me when he approached.
Him: “I wish (more…)
Tags:audit, awareness, BAs, breach, budget, business associates, CEs, compliance, covered entities, customer service, data protection, employees, employment, exception management, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, midmarket, monitoring, non-compliance, OCR, Omnibus Rule, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social network, SPI, subcontractors, surveillance, systems security, third parties, training, vendor management, vendors, walk through
Posted in HIPAA, Information Security, Laws & Regulations, Privacy and Compliance | No Comments »
Wednesday, May 29th, 2013
I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see business associates.” A big problem is that (more…)
Tags:audit, awareness, BAs, breach, business associates, CEs, compliance, covered entities, customer service, data protection, employees, employment, exception management, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, midmarket, monitoring, non-compliance, OCR, Omnibus Rule, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy practice, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social network, SPI, subcontractors, surveillance, systems security, third parties, training, vendor management, vendors, walk through
Posted in BA, BA and Vendor Management, HIPAA | No Comments »
Thursday, January 24th, 2013
The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013. Currently the version available (https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf) is “pre-publication” version.
Over the past week I’ve had numerous CEs and BAs contacting me, frantic to change their BA Agreements to “avoid complying with the Mega Rule for another year!” Wait, folks. You are misunderstanding; this is a very specific extension that only applies to the BA Agreements. Let me explain… (more…)
Tags:BA, BA Agreement, business associate, compliance, Compliance Helper, covered entity, federal register, Final Rule, healthcare, herold, HHS, HIPAA, HITECH, Information Security, Mega Rule, OCR, privacy, privacy professor, Rebecca Herold, security
Posted in BA, CE, HIPAA, HITECH | No Comments »
Wednesday, November 21st, 2012
Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)
Tags:anonymization, anonymized, audit, awareness, BAs, breach, CEs, compliance, customers, data protection, de-identificaiton framework, de-identification, de-identify, e-mail, electronic mail, email, employees, employment, Herold de-identification, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, PbD, personal information, personally identifiable information, personnel, PHI, PII, policies, privacy, privacy breach, Privacy by Design, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, privacy, Uncategorized | No Comments »
Wednesday, October 31st, 2012
Last week I got the following question:
“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”
This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)
Tags:27001, 27002, audit, awareness, breach, certification, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, ISMS, ISO27001, ISO27002, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, HITECH, Laws & Regulations | No Comments »
Wednesday, June 27th, 2012
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.
Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)
Tags:Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training
Posted in government, healthcare, HIPAA, HITECH | No Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Wednesday, February 2nd, 2011
I’ve been getting a lot more questions about HIPAA and HITECH lately from folks I’ve never met, but who have concerns about the security and privacy of their health information (“protected health information” or “PHI” as referenced within HIPAA/HITECH), businesses that are trying to understand how to protect PHI according to the regulatory requirements, and a growing number who express frustration with the unsecure ways in which clients, customers, patients and business partners are sharing information with them. There just are not enough hours in the day to answer them all, but I decided I’d start sharing some of the questions, and my corresponding answers, that seem to be topics that a wide range of readers may be interested in.
I was recently contacted by someone who had a question about a recent HIPAA complaint against Rowan Regional Medical Center (more…)
Tags:awareness, healthcare, HHS, HIPAA, HITECH, hospital, Information Security, insider threat, OCR, PHI, privacy, Rebecca Herold, Rowan Regional Medical Center, training
Posted in healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance, Privacy Incidents, Training & awareness | 2 Comments »
Sunday, December 28th, 2008
I hope you are all having a wonderful holiday season! I hadn’t planned to take the past few days off from blogging, but something like the flu (probably the flu) hit me like a bag of bricks on Christmas day and I’ve been curled in a fetal position in my bed for the past few days. Oddly enough while laying there feeling like my bones were all slowly dissolving (and thinking about the types of body braces you’d need to create to deal with something like that!) I was also thinking about how silly it was for the Health Insurance Portability and Accountability Act (HIPAA; and any industry-specific data protection law) to define that the only organization’s that would legally need to safeguard protected health information (PHI) are the narrowly defined covered entities (CEs); healthcare providers, healthcare insurers and healthcare clearinghouses.
(more…)
Tags:awareness and training, Google Health, Healtvault, HHS, HIPAA, Information Security, IT compliance, IT training, MedicAlert, OCR, patient privacy, PHI, PHR, policies and procedures, privacy training, risk management, security training
Posted in Laws & Regulations, Privacy and Compliance | No Comments »
