Posts Tagged ‘personally identifiable information’
Wednesday, February 20th, 2013
Are you a covered entity (CE) or business associate (BA) as defined by HIPAA? There are literally millions of organizations in the U.S. that fall under these definitions, and possibly additional millions of BAs outside of the U.S. providing services to U.S.-based CEs. The impact is significant, and truly world-wide. If you are a CE or BA, did you know that your information security and privacy activities, or lack thereof, could cause physical harm to patients and insureds, and that you can receive significant penalties under the new HIPAA rules based upon those impacts? (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, breach harm, breach response, business associate, compliance, contracted workers, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, outsource, oversight, patients, personal information, personally identifiable information, personnel, physical harm, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA, CE, HIPAA, HITECH | No Comments »
Sunday, February 3rd, 2013
Over the years when working with a wide range of organizations, helping them to identify where all forms of their business information (including customer, client, patient and employee information) is located. One of the key activities is identifying and documenting all business associates, service providers, business partners, and all other types of outsourced entities that possess or have other types of access to this information. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, contracted workers, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, outsource, oversight, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA | No Comments »
Thursday, January 24th, 2013
A Tale of Two Viewpoints
When I was responsible for information security and privacy at a large financial and healthcare organization throughout the 1990’s I had literally hundreds of business partner organizations to which we outsourced various types of activities that required some type of access to our client and customer information. Add to that several hundred agents and, scarier still because they were not exclusively selling our products, brokers, and you can probably imagine the angst I felt when thinking about the ways in which all those other organizations were putting our information at risk. The contracts with them had a very brief requirement to “provide appropriate security controls” for the information, but that did not alleviate my worries. But, since at that time there were no data protection regulations in effect, the lawyers said this simple clause was enough. And then one of the outsourced entities had an incident resulting from lack of controls which allowed a hacker to enter our network. (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data protection, due diligence, e-mail, electronic mail, email, employees, employment, Final Rule, HIPAA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, Mega Rule, messaging, midmarket, non-compliance, Obmnibus, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, right to audit, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in Information Security, Laws & Regulations | No Comments »
Friday, December 21st, 2012
This week I spoke with a small (~25 employees) organization (a business associate providing services to healthcare providers) that contacted me looking for help; they had purchased a whiz-bang “HIPAA compliance GRC” solution that included with everything else information security policies, but they couldn’t make any sense of the policies they were given or how they related to the rest of the expensive GRC tool. Grrr!! There are (more…)
Tags:audit, audits, awareness, BA, breach, business associate, business partner, CE, compliance, covered entity, customers, data protection, e-mail, electronic mail, email, employees, employment, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, procedures, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, walk through
Posted in BA, CE, HIPAA, Information Security | 1 Comment »
Monday, December 17th, 2012
There have been a lot online posts and talk lately about risk management and the “proper” or “acceptable” way to do risk assessments. It seems that the overwhelming talk, though, is only about the right and wrong way to do a risk assessment whenever considering a risk management program. Certainly, using the best risk assessment method to fit your business environment is very important; one size, and one method, does not fit all! However, there are so many more activities necessary within a risk management program than just occasionally doing a risk assessment. Regulatory agencies are (more…)
Tags:audit, awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter, walk through
Posted in Information Security | 2 Comments »
Thursday, November 29th, 2012
Are you faking it online? Or faking it at work? While faking it certainly has its benefits in both places, I want to touch upon a couple of concerns I have with using fake identities. (more…)
Tags:awareness, breach, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, fake IDs, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, social media, social networking, SPI, systems security, test data, training, twitter
Posted in Social Media | 2 Comments »
Wednesday, November 21st, 2012
Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)
Tags:anonymization, anonymized, audit, awareness, BAs, breach, CEs, compliance, customers, data protection, de-identificaiton framework, de-identification, de-identify, e-mail, electronic mail, email, employees, employment, Herold de-identification, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, PbD, personal information, personally identifiable information, personnel, PHI, PII, policies, privacy, privacy breach, Privacy by Design, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, privacy, Uncategorized | No Comments »
Wednesday, October 31st, 2012
Last week I got the following question:
“By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are not required to meet ISO 27001 standards?”
This is not the first time I’ve gotten this question, and others similar. As new technology businesses, cloud services and other businesses are popping up to provide services to large regulated organizations, start-ups are increasingly looking for a way to differentiate themselves from their competitors, and also prove that they have not only effective security controls in place, but that they also (more…)
Tags:27001, 27002, audit, awareness, breach, certification, compliance, customers, data protection, e-mail, electronic mail, email, employees, employment, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, ISMS, ISO27001, ISO27002, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, HITECH, Laws & Regulations | No Comments »
Monday, October 22nd, 2012
Last week one of my Facebook friends started a “friends only” discussion on his wall. It was a very interesting discussion, and one of his friends took the discussion, pretty much verbatim, and posted within a “public” (as in meant for the world to see) popular blog site. So the information on the Facebook page, where around 250 – 300 people could see the posts were now in a location where the bazillion (possibly a bit fewer) blog readers could see all the posts and the full names of those who made them. This is not the first time a situation like this has occurred. A lot of the information posted on people’s social media pages are really tempting to take and use as examples, or for business activities such as for marketing and promotions. However, doing so could get you into some personal and/or legal hot water. As organizations and individuals consider taking information they find on social media sites, they need to consider the reasons why doing so may not be a good idea after all.
Reason #1: It will (more…)
Tags:awareness, breach, compliance, copyright, Creepshots, customers, data protection, e-mail, electronic mail, email, employees, employment, facebook, Gawker, hiring, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, LinkedIn, messaging, Michael Brutsch, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, Reddit, reputation, risk, security, sensitive personal information, social media, social network, SPI, systems security, training, twitter, Violentacrez
Posted in Social Media | 2 Comments »
Tuesday, October 2nd, 2012
Okay, I just finished the 3rd conversation in just the past two weeks alone with an organization that is using Social Security Numbers (SSNs) as their primary form of customer and/or employee identification. I’ve written about this topic numerous times over the past 15 years. Seriously; all businesses out there doing this, please make a plan to stop doing this! Why? Here are three good reasons. (more…)
Tags:awareness, breach, compliance, customers, e-mail, electronic mail, email, employees, employment, hiring, HR, human resources, IBM, ID theft, identifiers, identity theft, IDs, Information Security, information technology, infosec, IT security, job applicants, messaging, midmarket, non-compliance, patients, personal information, personally identifiable information, personnel, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, security, sensitive personal information, social security number, SPI, SSN, systems security, training
Posted in Information Security, Laws & Regulations | 1 Comment »