Posts Tagged ‘privacy breach’
Tuesday, April 17th, 2012
Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Tags:audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »
Friday, March 30th, 2012
De-identification is a great privacy tool for all types of businesses, of all sizes. If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data. Even though it sounds complicated, there are many good methods you can use to accomplish de-identification. And the great thing is, (more…)
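As an added illustration of the kind of method the post refers to (example code written for this page, not code from the original post or its author), the block below de-identifies a small set of constructed, fictional patient records before they are handed to a test or research environment. It applies HIPAA Safe Harbor-style generalization (drop names and SSNs, keep only the birth year, truncate ZIP codes to three digits, report ages over 89 as "90+"), replaces the patient ID with a keyed HMAC pseudonym so records for the same person still link together, and then shows the caveat a practitioner should care about: an unkeyed hash of a low-entropy identifier such as an SSN is not a pseudonym, because anyone who can enumerate the input space can reverse it. The `LOW_POPULATION_ZIP3` set, the reference year 2012 and the sample records are assumptions made for the example.

```python
"""De-identification example: Safe Harbor-style generalization plus keyed
pseudonymization, with a demonstration of why an unkeyed hash fails.
Added example; not from the original post. All data below is constructed."""
import hashlib
import hmac
import secrets

# Constructed, fictional sample records (not from any real system).
SAMPLE_RECORDS = [
    {"patient_id": "P001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1920-04-02", "zip": "02138", "diagnosis": "I10"},
    {"patient_id": "P001", "name": "Alice Example", "ssn": "123-45-6789",
     "dob": "1920-04-02", "zip": "02138", "diagnosis": "E11"},
    {"patient_id": "P002", "name": "Bob Example", "ssn": "987-65-4321",
     "dob": "1985-12-30", "zip": "03601", "diagnosis": "J45"},
]

# Safe Harbor requires 3-digit ZIP prefixes covering fewer than 20,000
# people to be reported as 000. The real list comes from Census data;
# this set is a placeholder assumption for the example.
LOW_POPULATION_ZIP3 = {"036"}

DIRECT_IDENTIFIERS = ("name", "ssn", "patient_id")


def generalize(record, reference_year=2012):
    """Strip direct identifiers and coarsen the quasi-identifiers."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    birth_year = int(record["dob"][:4])
    age = reference_year - birth_year
    if age > 89:
        # Ages over 89 (and any date element revealing them) are aggregated.
        out["birth_year"] = None
        out["age_group"] = "90+"
    else:
        out["birth_year"] = birth_year
        decade = age // 10 * 10
        out["age_group"] = f"{decade}-{decade + 9}"
    del out["dob"]
    zip3 = record["zip"][:3]
    out["zip3"] = "000" if zip3 in LOW_POPULATION_ZIP3 else zip3
    del out["zip"]
    return out


def pseudonymize(identifier, key):
    """Keyed, deterministic token: same input -> same token, but without
    the key an outsider cannot recompute or enumerate it."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def deidentify(records, key, reference_year=2012):
    """Full pipeline: generalize each record and attach a pseudonymous ID."""
    result = []
    for rec in records:
        out = generalize(rec, reference_year)
        out["pseudo_id"] = pseudonymize(rec["patient_id"], key)
        result.append(out)
    return result


def unkeyed_token(ssn):
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(ssn.encode()).hexdigest()


def recover_ssn(token, known_prefix):
    """Re-identify a token by brute force, assuming the attacker already
    knows the first five SSN digits and only has to try 10,000 serials.
    Succeeds against unkeyed_token(); fails against pseudonymize()."""
    for serial in range(10_000):
        candidate = f"{known_prefix}-{serial:04d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep this with the covered entity
    for row in deidentify(SAMPLE_RECORDS, key):
        print(row)
    print("unkeyed hash recovered:",
          recover_ssn(unkeyed_token("123-45-6789"), "123-45"))
    print("keyed pseudonym recovered:",
          recover_ssn(pseudonymize("123-45-6789", key), "123-45"))
```

Two things to keep in mind when using this pattern: the HMAC key re-identifies everyone, so it must stay with the data owner and never be shipped alongside the de-identified set; and generalization only removes the listed identifiers, so rare combinations of diagnosis, three-digit ZIP and age group can still single out an individual in a small population, which is why the expert-determination route or a k-anonymity check is often needed on top of Safe Harbor.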
Tags:anonymous, breach, compliance, de-identified data, de-identify, employment practice, encryption, IBM, personal information, midmarket, non-compliance, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, re-identification, re-identify, Rebecca Herold, security, sensitive personal information, SPI
Posted in privacy | 2 Comments »
Saturday, December 10th, 2011
On October 10, 2011, there was a report in the Baltimore Sun, “Law firm loses hard drive with patient records: Attorneys represent St. Joseph cardiologist sued for malpractice.” I posted about the report to one of the LinkedIn groups I participate in, pointing out that this is yet one more example of (more…)
Tags:BA, Baltimore, business associate, cardiologist, CE, compliance, covered entity, HIPAA, HITECH, hospital, Information Security, lawyer, malpractice, PHI, privacy, privacy breach, Rebecca Herold, St. Joseph, subpoena
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | 6 Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, compounded by providing the information to reporters, who then published it. And, judging by the required corrective actions that go beyond the fine, it is likely that the policies, procedures, training, awareness, and access logging processes were lacking as well. (more…)
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Wednesday, September 30th, 2009
Late last month I posted, “HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element” and since then I’ve had around half a dozen folks ask me to write about privacy for the deceased…
(more…)
Tags:awareness and training, breach notice, breach response, deceased, HIPAA, HITECH, Information Security, IT compliance, IT training, personally identifiable information, PIA, PII, policies and procedures, privacy breach, privacy impact assessment, privacy training, security training
Posted in Privacy and Compliance | No Comments »
Wednesday, July 1st, 2009
Tags:awareness and training, identity fraud, identity theft, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy breach, privacy training, risk management, security training
Posted in Privacy Incidents | No Comments »
Monday, April 6th, 2009
Once more, here is an example of how carelessness and/or a mistake leads to a privacy breach…
(more…)
Tags:awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy awareness, privacy breach, privacy training, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance, Privacy Incidents | No Comments »
Tuesday, March 31st, 2009
Upon reading and researching HIPAA and the impact of the HITECH Act upon it, which basically broadens its applicability and adds new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee as the likelihood that, after a very frustratingly slow start (by several years!) of HIPAA enforcement, increasingly more HIPAA sanctions will be imposed in the coming months and years.
SearchCompliance printed my article in three parts in their Compliance Tips section…
(more…)
Tags:awareness and training, convictions, HIPAA, HITECH Act, Information Security, IT compliance, IT training, policies and procedures, privacy awareness, privacy breach, privacy training, risk management, sanctions, security awareness, security training
Posted in Laws & Regulations, Non-compliance Sanctions Examples, Privacy and Compliance | No Comments »
Thursday, March 26th, 2009
I first realized the need for information security and legal compliance areas to closely collaborate on converging issues in the mid-1990s while establishing the information security and privacy requirements for one of the first online banks. Over the past 5+ years I’ve been actively evangelizing through my 2-day classes, conference and meeting speeches, and many articles and other publications about the need for information security, privacy and legal compliance areas to collaborate, and pointing out the areas where these responsibilities converge.
(more…)
Tags:awareness and training, Information Security, information security and privacy convergence, IT compliance, IT training, laptop theft, policies and procedures, privacy awareness, privacy breach, privacy training, risk management, security awareness, security training
Posted in Information Security, Privacy and Compliance | No Comments »