Posts Tagged ‘privacy rule’
Saturday, January 3rd, 2015
Yesterday I read a news story about how a woman, Mrs. Anita Chanko, saw an episode of the Dr. Oz show “NY Med” that included video of her husband, who had died 16 months earlier, in the hospital receiving care after being hit by a truck while crossing the street. She did not know that such a video even existed.
The picture was blurred, but the woman knew it was her recently deceased husband because she recognized his voice when he spoke, the conversation topic, the hospital where the care was occurring, along with other visual indicators. She heard her husband ask about his wife; her. She then watched his last moments of life, and then his death on television. (more…)
Tags:ABC, Chanko, Dr. Oz., HIPAA, HITECH, Information Security, infosec, medical devices, NewYork-Presbyterian Hospital, NY Med, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule
Posted in HIPAA, PHI, Privacy and Compliance | No Comments »
Thursday, December 18th, 2014
Once or twice a week I get a question from an organization that is considered to be a healthcare covered entity (CE) or business associate (BA) under HIPAA (a U.S. regulation) asking about the types of information that is considered to be protected health information (PHI). Last week a medical devices manufacturer, that is also a BA, asked about this. I think it is a good time to post about this topic again.
If information can be (more…)
Tags:HIPAA, HITECH, Information Security, infosec, medical devices, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule
Posted in HIPAA, PHI | No Comments »
Friday, March 2nd, 2012
I am looking forward to the day when we can look at the news headlines and not see some report about a lost or stolen computing device or storage device that contained unencrypted personal information and/or other sensitive information. And, I also want to stop seeing stories reappear about such an incident, such as the stolen NASA laptop with the clear text Space Station control codes that was stolen last year, but is making the headlines yet again today. NASA is a large enough, and tech savvy enough, organization to know better! However, there are many organizations that simply don’t understand what a valuable information security tool encryption is. I work with many small to medium sized businesses (SMBs), all of which have legal obligations (such as through HIPAA and HITECH, along with contractual requirements) to protect sensitive information, such as personal information. Over the past year I’ve heard way too many of them make remarks such as… (more…)
Tags:BA, business associate, CE, covered entity, encrypt, encryption, HIPAA, HITECH, IBM, medium business, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, small business, SMB, W-2, W2
Posted in Information Security | 1 Comment »
Monday, February 27th, 2012
“Is a W-2 form protected health information?” is a simple question with a complex answer that begins (I know, to the nail-biting chagrin of many), “It depends…”
First the full question: (more…)
Tags:BA, business associate, CE, covered entity, HIPAA, HITECH, IBM, midmarket, PHI, privacy, privacy professor, privacy rule, privacyprof, protected health information, Rebecca Herold, safeguards, security, security rule, W-2, W2
Posted in BA, CE, HIPAA, HITECH | No Comments »
Friday, July 8th, 2011
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the information to reporters, who then published the information. And, it is likely based upon the required actions that go beyond the fine, that the policies, procedures, training, awareness, and access logging processes was lacking as well. (more…)
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, OCR, privacy, privacy breach, privacy rule, sanctions, security, security rule, UCLA
Posted in CE, healthcare, HIPAA, HITECH, Information Security, Laws & Regulations, Non-compliance Sanctions Examples, privacy, Privacy and Compliance, Privacy Incidents | 4 Comments »
Thursday, June 2nd, 2011
My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog comments. When trying to understand regulations, and how to put them into practice within an organization, I’ve found it is best to break them down into bite-sized chunks, starting from the basics and building from there. Today I want to spend a little time looking at what makes up a “designated record set,” or DRS, since the access report requirement is specific to accesses to DRS’s… (more…)
Tags:access report, accounting of disclosures, BA, business associates, CE, Compliance Helper, covered entities, designated record set, DRS, herold, HHS, HIPAA, HITECH, Information Security, NCHICA, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule
Posted in BA, CE, healthcare, HIPAA, HITECH, Laws & Regulations, Privacy and Compliance | 1 Comment »
Tuesday, May 31st, 2011
Tags:accounting of disclosures, BA, business associates, CE, covered entities, herold, HHS, HIPAA, HITECH, Information Security, notice of proposed rule making, NPRM, privacy, privacy rule, security, security rule
Posted in BA, CE, HIPAA, HITECH, Laws & Regulations, privacy, Privacy and Compliance | 10 Comments »
Friday, February 4th, 2011
Over the years I’ve had a lot of organizations ask me about whether HIPAA applies to faxes, copy machines, and other types of specific technologies. It is very important that covered entities (CEs), business associates (BAs) and their subcontractors understand that HIPAA applies to protecting the information! It doesn’t matter what the conduit is for how the information is transmitted, or where it is stored or accessed from. The important point is that protected health information (PHI), in all forms, must be protected. The Security Rule applies to only electronic data, but the Privacy Rule and HITECH apply to all forms of PHI. Okay; let’s keep this in mind when considering the following question I got earlier this week from a HIPAA business associate… (more…)
Tags:Compliance Helper, fax, privacy rule, Rebecca Herold, security rule
Posted in BA, HIPAA, HITECH, Information Security, Laws & Regulations, privacy, Privacy and Compliance | 5 Comments »
Tuesday, June 16th, 2009
Today the FTC issued a consent order against mortgage lender James B. Nutter & Company for GLBA Privacy Rule and Safeguards Rule violations resulting from having an inadequte information security program and safeguards. The requirements will result in, among other actions, 20 years of ongoing activities by James B. Nutter & Company; much more costly than it would have been to have established appropriate information security safeguards to begin with…
(more…)
Tags:awareness and training, GLBA, Gramm Leach Bliley Act, Information Security, IT compliance, IT training, policies and procedures, privacy rule, privacy training, risk management, Safeguards Rule, security training
Posted in Information Security, Laws & Regulations, Non-compliance Sanctions Examples, Privacy and Compliance | No Comments »
Thursday, February 19th, 2009
The 2nd ever to date HIPAA sanction has been handed down by the Department of Health and Human Services (HHS)…
(more…)
Tags:awareness and training, CVS, HIPAA, HIPAA sanction, Information Security, IT compliance, IT training, policies and procedures, privacy rule, privacy training, risk management, security rule, security training
Posted in Information Security, Laws & Regulations, Non-compliance Sanctions Examples, Privacy and Compliance | No Comments »