Designated Record Sets: Know What They Are! (AD NPRM Discussion #1)
My last blog post provided a preliminary overview of the Accounting of Disclosures Notice of Proposed Rulemaking (AD NPRM). I got a lot of questions as a result directly, in addition to the blog...
UCLA Health System Pays $865K to Settle Celebrity Privacy HIPAA Violations
Here’s yet another HIPAA violations penalty to add to what seems to be a quickly growing list. In this case it was a violation of the minimum necessary access principle, in addition to providing the...
Lack of Basic Security Practices Results in $1.7 Million Sanction
July 4 Update to Original Post: See additional recent statements from the OCR and the Alaska DHSS about this case here. Here is a significant sanction, just applied, that all organizations, of all...
ISMS Certification Does Not Equal Regulatory Compliance
Last week I got the following question: “By becoming ISO 27001 certified does that automatically mean we comply with HIPAA and HITECH requirements? Are there any requirements of HIPAA/HITECH that are...
Implementing a Data De-Identification Framework
Growing numbers of organizations are trying to figure out the benefits of anonymizing, or as HIPAA (the only regulation that provides specific legal requirements for such actions) puts it...
Should You Rush to Execute a BA Agreement Today? Probably Not
The final HIPAA “mega rule” is going to be officially published on the Federal Register tomorrow, January 25, 2013. Currently the version available...
I See Business Associates…Do You See Yours?
I’m getting a lot of déjà vu vibes lately with the old-ish Bruce Willis movie with the catch phrase “I see dead people.” (Remember that?) Only my twist on this phrase for the past few years is, “I see...
Don’t Be Penny Wise and Privacy Foolish
“We Can’t Afford Security and Privacy!” Recently I was speaking to a healthcare executive (a hospital Chief Financial Officer) at a conference where I had talked in one of the sessions about the needs...
If it was Intentional it is *NOT* Incidental
In the past week I got the third question in a one-month time frame about the same topic. My unwritten, loosely followed rule is that if three different organizations ask me pretty much the same...
4 Privacy Predictions for 2015
It is that time of the year again…time for prognostications about the year ahead! I was asked to provide a few predictions for 2015. Based upon not only what I’ve seen in 2014, but also foreshadowing...