Posts Tagged ‘protected health information’
Saturday, January 3rd, 2015
Yesterday I read a news story about how a woman, Mrs. Anita Chanko, saw an episode of the Dr. Oz show “NY Med” that included video of her husband, who had died 16 months earlier, in the hospital receiving care after being hit by a truck while crossing the street. She did not know that such a video even existed.
The picture was blurred, but the woman knew it was her recently deceased husband because she recognized his voice when he spoke, the conversation topic, the hospital where the care was occurring, along with other visual indicators. She heard her husband ask about his wife; her. She then watched his last moments of life, and then his death on television. (more…)
Tags:ABC, Chanko, Dr. Oz., HIPAA, HITECH, Information Security, infosec, medical devices, NewYork-Presbyterian Hospital, NY Med, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule
Posted in HIPAA, PHI, Privacy and Compliance | No Comments »
Thursday, December 18th, 2014
Once or twice a week I get a question from an organization that is considered to be a healthcare covered entity (CE) or business associate (BA) under HIPAA (a U.S. regulation) asking about the types of information that is considered to be protected health information (PHI). Last week a medical devices manufacturer, that is also a BA, asked about this. I think it is a good time to post about this topic again.
If information can be (more…)
Tags:HIPAA, HITECH, Information Security, infosec, medical devices, patient information, personal information, PHI, privacy, privacy professor, privacy risks, privacy rule, privacyprof, protected health information, Rebecca Herold, security rule
Posted in HIPAA, PHI | No Comments »
Saturday, February 1st, 2014
I first started working on truly easily mobile computing device (not counting the first programmable pocket calculator, or the luggable computers that could not be hidden in your pocket) security in the workplace when the IT folks in my company at the time started bringing Psion devices to meetings somewhere around 1992 – 1993. They presented some serious information security risks to the company. If the information security risks were considered to be significant 20 years ago, now the new additional information security and privacy risks are comparatively staggering.
Where is it?
Probably the number one risk back then was the tendency to lose or misplace the device. It seemed like these little gadgets would be forgotten the moment they were laid down, despite how highly prized they were by their owners. Mobile computing devices today (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, compliance, covered entity, data protection, disclosure, due diligence, Google Glass, IBM, incidental, Information Security, information security policy, infosec, iWatch, midmarket, mobile device, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, third party, training, vendor, vendor contract, vendor oversight, wearable device, wireless
Posted in Information Security, mobile computing | No Comments »
Friday, December 27th, 2013
Here’s a statement I’ve answered over 100 times (seriously!) in the past few years.
“We’ve outsourced that IT activity, so we don’t we don’t need a policy for it.”
The one word reply to this statement is, (more…)
Tags:audit, awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, due diligence, HIPAA, HITECH, IBM, incidental, Information Security, information security policy, infosec, midmarket, non-compliance, outsourcing, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy policy, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, security procedure, subcontractor, training, vendor, vendor contract, vendor oversight
Posted in BA and Vendor Management, Information Security | No Comments »
Wednesday, December 11th, 2013
In the past week I got the third question in a one month time-frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same question in a month, then it is something worth writing about; why are so many (well, a handful) of the same questions occurring in such a short period of time? Is some vendor out there spreading horribly bad advice? Let’s consider the topic… (more…)
Tags:awareness, BA, BA Agreement, BA contract, BAA, business associate, CE, compliance, covered entity, data protection, disclosure, HHS, HIPAA, HITECH, IBM, incidental, Information Security, infosec, midmarket, non-compliance, OCR, personal information, personal information identifier, personal information item, PHI, PII, policies, privacy, privacy laws, privacy professor, privacyprof, protected health information, Rebecca Herold, risk assessment, risk management, security, subcontractor, training
Posted in BA, BA and Vendor Management, HIPAA, Privacy and Compliance | No Comments »
Thursday, May 31st, 2012
A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy. They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place. I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle; from creation and collection, to deletion and disposal. They were on board with everything I was describing until we got to (more…)
Tags:big data, breach, compliance, data analytics, data mining, degauss, disposal, disposal rule, facebook, FACTA, frictionless sharing, IBM, Information Security, information technology, infosec, IT security, midmarket, Netflix, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, SB 3159, security, Senate Bill 3159, sensitive personal information, shred, SPI, systems security, trash
Posted in Laws & Regulations | 5 Comments »
Thursday, May 17th, 2012
I was recently speaking with a friend on the phone, and she said, “I just had the most embarrassing thing happen! I had one of my Facebook friends send me a text teasing me about reading a rather sleazy article on TMZ. I did not know what she was talking about! So, I went to my Facebook page, and sure enough, down the timeline there was an article I had only briefly gone to the previous day after clicking a headline about moms on Google news and landed on a page; I quickly got off of when I saw it. I was so embarrassed to see that my brief visit to the page had been posted on my Facebook page! I don’t even go to TMZ on purpose, why is Facebook suddenly tattling on me when it accidentally went there?” (more…)
Tags:audit, big data, breach, breach response, change controls, compliance, DailyMotion, data analytics, data mining, encryption, facebook, foursquare, frictionless sharing, gartner, IBM, Information Security, information technology, infosec, IT security, Keywords: personal information, Metacafe, midmarket, Netflix, non-compliance, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, Socialcam, SPI, spotify, systems security, Viddy, Washington post, WPO, Zuckerberg
Posted in Miscellaneous | 2 Comments »
Wednesday, May 2nd, 2012
My 12-year-old son said to me yesterday after getting home from school, “Hey, Mommy, did you know that Wal-Mart can tell when you’re pregnant? And so can Target! Even before anyone else knows! They got a girl in trouble when they sent her dad coupons for baby stuff and congratulated her!”
Me, “That’s pretty incredible, isn’t it? Companies are able to discover things like that about people more than ever before through analyzing what is called ‘Big Data’.”
Son, “That’s really creepy. I think you should (more…)
Tags:audit, big data, breach, breach response, change controls, compliance, data analytics, data mining, encryption, IBM, Information Security, information technology, infosec, IT security, midmarket, non-compliance, personal information, personally identifiable information, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Target, Wal-Mart
Posted in privacy | 1 Comment »
Tuesday, April 17th, 2012
Last week I provided Howard Anderson at HealthInfosecurity.com with some of my thoughts about the recent Utah Department of Health breach of the files of 900,000 individuals, and counting. He included some of my thoughts in his blog post, along with thoughts from others. I wanted to provide my full reply here, along with some expanded thoughts.
As background, for those of you who may not have heard of this hack yet, in a nutshell: (more…)
Tags:audit, breach, breach response, change controls, compliance, DTS, encryption, IBM, Information Security, information technology, infosec, IT security, Medicaid, midmarket, non-compliance, personal information, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, Rebecca Herold, security, security engineering, sensitive personal information, SPI, systems security, Utah
Posted in BA, CE, healthcare, HIPAA, HITECH, Information Security, Privacy Incidents | No Comments »
Friday, March 30th, 2012
De-identification is a great privacy tool for all types of businesses, of all sizes. If you have personal data that you want to use for research, marketing, testing applications, statistical trending or some other legitimate purpose, but you don’t need to know the specific individuals involved in order to meet your goals, then you should consider de-identifying the personal data. Even though it sounds complicated there are many good methods you can use to accomplish de-identification. And the great thing is, (more…)
Tags:anonymous, breach, compliance, de-identified data, de-identify, employment practice, encryption, IBM, Keywords: personal information, midmarket, non-compliance, personally identifiable information, PHI, PII, policies, privacy, privacy breach, privacy professor, privacyprof, protected health information, re-identification, re-identify, Rebecca Herold, security, sensitive personal information, SPI
Posted in privacy | 2 Comments »