PHI Archives - Page 3 of 6 -

Posts Tagged ‘PHI’

Good Intentions Often Lead to Bad Privacy Results

Monday, April 29th, 2013

Allowing Wall Street privacy law exemption is crazy! Why, you ask? Why, I’m happy to explain. In March, 2012, I wrote “6 Good Reasons NOT To Ask for Facebook Passwords“. Since that time legislation prohibiting employers from requiring access to their employees’ protected areas of their social media accounts has been introduced or is pending in at least 35 states. Three states–Arkansas, New Mexico and (more…)

Tags:audit, awareness, breach, compliance, data protection, e-mail, electronic mail, email, employees, employment, exception management, facebook, FINRA, hiring, HR, human resources, IBM, Information Security, information technology, infosec, insider threat, insider trading, IT security, job applicants, messaging, midmarket, monitoring, non-compliance, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy laws, privacy professor, privacyprof, Rebecca Herold, Red Flags, risk, risk assessment, risk management, security, sensitive personal information, social media, social network, SPI, surveillance, systems security, training, twitter, walk through
Posted in Laws & Regulations, privacy | No Comments »

The PHI PII Egg Hunt

Saturday, March 30th, 2013

Locate it to protect it

I love speaking with folks about privacy, information security and compliance. I am sincerely interested in hearing about their challenges, and then also identifying common challenges amongst them all. We can then get to solutions.

One of the consistently common challenges I’ve heard from privacy and security folks in the past several months is trying to (more…)

Tags:audit, awareness, BA, BA Agreement, BA contract, breach, business associate, compliance, customers, data inventory, data protection, e-mail, electronic mail, email, employees, employment, exception management, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, liability, messaging, midmarket, non-compliance, Omnibus Rule, patients, personal information, personally identifiable information, personnel, PHI, PII, policies, policy exception, policy management, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk, risk assessment, risk management, security, sensitive personal information, SPI, systems security, training, vendor management, vendor oversight, walk through
Posted in Information Security, PHI | 1 Comment »

Implementing a Data De-Identification Framework

Wednesday, November 21st, 2012

Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it “de-identifying,” personal information. Healthcare organizations see benefits for improving healthcare. Their business associates (BAs) see benefits in the ways in which they can minimize the controls around such data. Of course marketing organizations salivate at the prospects of doing advanced analysis with such data to discover new trends and marketing possibilities. The government wants to use it for investigations. Historians want to use it for, yes, marking historical events. And the list (more…)

Tags:anonymization, anonymized, audit, awareness, BAs, breach, CEs, compliance, customers, data protection, de-identificaiton framework, de-identification, de-identify, e-mail, electronic mail, email, employees, employment, Herold de-identification, HHS, HIPAA, hiring, HITECH, HR, human resources, IBM, Information Security, information technology, infosec, IT security, job applicants, laws, messaging, midmarket, non-compliance, OCR, patients, PbD, personal information, personally identifiable information, personnel, PHI, PII, policies, privacy, privacy breach, Privacy by Design, privacy professor, privacyprof, Rebecca Herold, reputation, risk, security, sensitive personal information, SPI, systems security, training
Posted in HIPAA, privacy, Uncategorized | No Comments »

Lack of Basic Security Practices Results in $1.7 Million Sanction

Wednesday, June 27th, 2012

July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here.

Here is a significant sanction, just applied, that all organizations, of all sizes, need to take notice of. Even if you are not in the healthcare industry, this case points out the elements of an information security and privacy program, and the supporting safeguards, which will be used as a model of standard practices to by all types of regulatory oversight agencies. (more…)

Tags:Alaska, audit, awareness, breach, compliance, fine, HHS, HIPAA, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, OCR, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, Rebecca Herold, risk assessment, sanction, security, sensitive personal information, SPI, systems security, training
Posted in government, healthcare, HIPAA, HITECH | No Comments »

Back to the Future Security Basics: Security through Obscurity Still Does Not Work

Tuesday, April 17th, 2012

Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.

As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)

Tags:audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »

6 Good Reasons to De-Identify Data

Friday, March 30th, 2012

De-identification is a great privacy tool for all types of businesses, of all sizes. If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data. Even though it sounds complicated there are many good methods you can use to accomplish de-identification. And the great thing is, (more…)

Tags:anonymous, breach, compliance, de-identified data, de-identify, employment practice, encryption, IBM, Keywords: personal information, midmarket, non-compliance, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, re-identification, re-identify, Rebecca Herold, security, sensitive personal information, SPI
Posted in privacy | 2 Comments »

Encryption: Myths and Must Knows

Friday, March 2nd, 2012

I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information. And, I also want to stop seeing stories reappear about such an incident, such as the stolen NASA laptop with the clear text Space Station control codes that was stolen last year, but is making the headlines yet again today. NASA is a large enough, and tech savvy enough, organization to know better! However, there are many organizations that simply don’t understand what a valuable information security tool encryption is. I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information. Over the past year I’ve heard way too many of them make remarks such as… (more…)

Tags:BA, business associate, CE, covered entity, encrypt, encryption, HIPAA, HITECH, IBM, medium business, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, small business, SMB, W-2, W2
Posted in Information Security | 1 Comment »

Is A W-2 PHI?

Monday, February 27th, 2012

“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”

First the full question: (more…)

Tags:BA, business associate, CE, covered entity, HIPAA, HITECH, IBM, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, W-2, W2
Posted in BA, CE, HIPAA, HITECH | No Comments »

Make Privacy One of Your 2012 Resolutions

Tuesday, January 3rd, 2012

Happy New Year! I hope your year is starting out great. Have you made it to day 3 without breaking any of your resolutions? How about adding one more… (more…)

Tags:awareness, compliance, education, HIPAA, Information Security, personal information, PHI, PII, privacy, privacyprof, Rebecca Herold, training
Posted in privacy, Training & awareness | No Comments »

Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?

Saturday, December 10th, 2011

On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)

Tags:BA, Baltimore, business associate, cardiologist, CE, compliance, covered entity, HIPAA, HITECH, hospital, Information Security, lawyer, malpractice, PHI, privacy, privacy breach, Rebecca Herold, St. Joseph, subpoena
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | 6 Comments »

Posts Tagged ‘PHI’

The PHI PII Egg Hunt

Implementing a Data De-Identification Framework

Lack of Basic Security Practices Results in $1.7 Million Sanction

Back to the Future Security Basics: Security through Obscurity Still Does Not Work

6 Good Reasons to De-Identify Data

Encryption: Myths and Must Knows

Is A W-2 PHI?

Make Privacy One of Your 2012 Resolutions

Do Subpoenas Trump HIPAA and/or Trample Security Of PHI?

Search Privacyguidance

Categories

Archives

Blogroll

Meta

Syndicate