Entries from Realtime Community | IT Compliance tagged with 'HIPAA'


HIPAA And Surveillance In Hospitals

Over the years there have been many...too many...instances where doctors have performed the wrong types of surgeries on patients, and even the wrong surgeries on completely wrong patients......

CEs and BAs: Be HIPAA/HITECH Compliant Or Pay A Hefty Penalty

The HHS released the HITECH Act Enforcement Interim Final Rule today......

6 Critical Factors for Effective Information Security & Privacy Policies

I've been feeling bad about not posting to my blog as often as I have historically......

Who Are Your Business Associates?

Since just before HIPAA went actively into effect I've done a lot of HIPAA compliance work for covered entities (CEs). In the past few years I've done around 200 business associate (BA) information security and program reviews for just one...

HIPAA/HITECH Etc. Retention: Does Your Reality = Your Requirements?

Last month I had the great pleasure of being a guest on Scott Draughon and Anyck Turgeon's MyTechnologyLawyer.com radio show for a segment entitled, "Is encryption enough to achieve privacy?" I was pleasantly surprised to see a large number of...

Proposed HIPAA Privacy Rule Change Explicitly Makes Genetic Info PHI

An important element of data protection compliance is knowing, identifying and inventorying the applicable information......

Privacy For The Deceased

Late last month I posted, "HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element" and since then I've had around half a dozen or so folks ask me to write about privacy for the...

What Happens To Privacy During Pandemics?

I am talking to increasing numbers of privacy and information security pros who are concerned about not only getting their pandemic plans in place, but also wanting to know what kinds of privacy issues need to be addressed within the...

Is Encryption Enough to Achieve Privacy?

Of course the answer is no. But there are many reasons! Tune in this afternoon at 4:00pm Pacific time to hear Anyck Turgeon, Scott Draughon and me discuss this topic and talk about encryption laws and the impacts to privacy....

HITECH Impacts Over 734,178 "Small Business" HIPAA Covered Entities

The Department of Health and Human Services (HHS) 45 CFR Parts 160 and 164: "Breach Notification for Unsecured Protected Health Information; Interim Final Rule" (Breach Notice Rule) has been written about a lot. But much of what is written overlooks...

HITECH Act Virtual ToC

This was another very busy week, and I didn't have a chance to post as much as I would have liked. Part of what kept me busy was an unusually increased amount of email......

HHS & FTC Breach Notice Rules: First Time NIST Standards Specifically Referenced

The Department of Health and Human Services (HHS) issued their interim final rule for breach notification standards on August 19. The Federal Trade Commission (FTC) issued their final rule of breach notification standards on August 17. The HHS rule covers all...

Fired Because Photo of Surgery Room Was A "HIPAA Violation"

I received a very interesting question yesterday, and I wanted to share it and my response here because it is a great HIPAA topic to discuss that I have not seen written about before. I've removed the identifying information, and...

8,918 HIPAA Violation Investigations Have Required Corrective Actions

Here are some important websites to bookmark for you to reference when you need help...beyond what I have on my blog and at my website :)...if you are a US Health Insurance Portability and Accountability Act (HIPAA) Covered Entity (CE)...

HIPAA/HITECH Breach Notice Rule: Applies To PHI of Deceased Individuals + Training A Key Element

After a few days unable to make time to post to the blog, or technical difficulties preventing me when I did make time, I'm happy to resume my posting! Today I want to offer a few thoughts about the breach...

You Need These Things When You Get HIPAA Audited!

I get a bit irritated when I see a vendor touting their "compliance solution" products as making organizations "HIPAA Compliant" or "PCI DSS Compliant" or whatever your regulation of choice happens to be, and then, upon inspection of their products,...

OCR Adding To Staff For Increased HIPAA Compliance Enforcement Activities

Monday the HHS announced they were moving responsibility for both HIPAA Security Rule and Privacy Rule under the OCR. That same day they also announced they were expanding the HIPAA "privacy enforcement team." (Scroll down on this page to see...

HIPAA Enforcement Will Improve With OCR Responsible for Both Privacy Rule & Security Rule

Today the US Department of Health and Human Services (HHS) announced that the OCR will now be responsible for both the HIPAA Privacy Rule and the Security Rule. Perhaps this is an indicator of more enforcement to come. As a...

(Lack Of) Encryption Is A Basis For Notification Under The HITECH Act

This week one of my tweeps asked me the following: "What's your interpretation of encryption obligations for PHI data-at-rest under HITECH? Many parties are sweating this now." Great question!...

HITECH Act: Breach Notification Is Necessary Based Upon Items Used In De-Identification

Continuing along the discussion of the HITECH Act this week, I want to consider a couple of questions I recently discussed with a CISO at a healthcare insurer about when breach notification is necessary......

Is This A Breach Under The HITECH Act Definition?

This week I want to take a closer look at some of the issues and requirements within the HITECH Act, which dramatically expands the reach and requirements under the U.S. Health Insurance Portability and Accountability Act (HIPAA)......

New MO Breach Notice Law: Encryption Safe Harbor? Yes. Encryption Def Good? No!

On July 9, 2009 the Missouri governor signed House Bill No. 62 into law, and it included section 407.1500, which is the requirement for giving privacy breach notice. Since I'm focusing this week on encryption laws, I want to take...

Has Massachusetts Encryption Law Stopped Its Evolution?

This week I want to take a look at encryption laws. Only a few short years ago no law or regulation really had explicit encryption requirements. HIPAA, passed in 1996 with effective compliance deadline requirements in 2003 (Privacy Rule) and...

What is PII? How About "Publicly Available" Info?

There is much debate about what specific types of items should be considered as personally identifiable information (PII). A common topic of debate is: if information can be found publicly, does that mean it is not PII?...

What is PII? How About Groups Of Otherwise Non-PII?

I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......

What is PII? How About IP Addresses?

This week I want to look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such......

Healthcare Worker Gets 1 Year In Prison For Posting HIV Victim's Medical Records On Internet

Today a report discussed how a healthcare worker obtained medical information about a patient with HIV that was then posted on the Internet......

HIPAA, HITECH Act and Disposal Problems

Here's yet another incident that provides very good lessons that could be incorporated into information security and privacy training sessions as a case study, particularly for HIPAA compliance as well as secure disposal training......

HITECH Act does *NOT* make HIPAA, or HIPAA advice, "obsolete"!

A couple of weeks ago I was surprised and concerned by a statement made in one of my many listservs by a lawyer commenting on HIPAA books and past advice given for HIPAA compliance......

Podcast: HITECH Act adds new compliance requirements, penalties

Last week I had the pleasure of speaking with Alexander B. Howard at SearchCompliance.com for a 26-minute podcast......

HIPAA & HITECH Act Sanctions & Penalties

Today I had the great pleasure and opportunity to do a podcast with Alexander Howard over at TechTarget discussing HIPAA and the HITECH Act......

Breach Notices, Securing PHI & PHR Vendor Responsibilities Under HIPAA/HITECH Act

Last Friday the US Department of Health and Human Services (HHS) released, at the last possible moment to meet their deadline, their interim final regulations to require covered entities (CEs) under the Health Insurance Portability and Accountability Act (HIPAA) and...

HIPAA Requirements Changes & Business Associates Impacts From HITECH Act

Last week I engaged in a very interesting tweetversation with David Mortman about when the U.S. Department of Health and Human Services (HHS) needs to get their guidance documents and rules published for the various HITECH Act requirements......

HIPAA Sanctions and Convictions Will Increase with HITECH Act & New Administration

Upon reading and researching HIPAA and the impact of the HITECH Act upon it, basically broadening its applicability as well as adding new requirements for privacy breach notifications, I recently was compelled to write an article about what I foresee...

Most Laws Are Flawed, But It Is Up To Us To Make Them Better & Make Them Work

Rafal Los makes some very good points in his post "Analysis of the Stimulus Bill and Healthcare Privacy" from a few days ago. I started writing all my thoughts as a comment to him, but then decided it would work...

HIPAA & Calling Out Full Names In Waiting Rooms

Over the years I have done several interviews for articles about HIPAA compliance. I recently did an interview for an HCPro article, "Physician offices: Tackle a different set of privacy training challenges." (Sorry, this is not publicly posted to my...

HIPAA Violations: Nurses Allegedly Post X-Ray Photos To Facebook

Okay, here's a perfect real incident to use for a case study to argue and discuss whether or not this is a HIPAA violation!...

Report on Healthcare Provider HIPAA Progress

Here's an interesting report from URAC about healthcare providers and HIPAA compliance progress......

2ND HIPAA Sanction: CVS Must Pay $2.25 Million And Improve Info Sec Practices For Improper Disposal

The second-ever HIPAA sanction to date has been handed down by the Department of Health and Human Services (HHS)......

President Obama Wants Better Cybersecurity!

I was very happy to see that President Obama kept his Blackberry, and is using it with super good security controls. I am even happier to see that he wants to make sure the U.S. has strong cybersecurity in place;...

FYI: New Website for Health Information Privacy

I just got this email notification from the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) yesterday......

Patient Privacy in Peril: EHRs, HITECH Act and $20B Handouts

On February 2 Allscripts released a report, "The 2009 Economic Stimulus Plan and the Electronic Health Record: Opportunities and Challenges for U.S. Medical Groups; A Survey of 1,800 Healthcare Professionals" (NOTE: Registration is required, but it's free.) A few excerpts...

HIPAA Company-Applied Sanction: Hospital Employee Fired For Snooping Through 431 Patient Files

I thought it would be a good follow-up to my post from Saturday to point out a recent instance for how HIPAA covered entities (CEs) are applying their own organizational sanctions against personnel who violate their information security and privacy...

Another HIPAA Felony Conviction; 8 To Date

Yesterday a lawyer asked me if there had been any more HIPAA sanctions or convictions from the list I posted a few months ago in August. I hadn't seen any, but I thought I'd do a bit of checking since...

New Report Finds HIPAA Privacy Rule Is Ineffective As Written

Today the Institute of Medicine (IOM) released a report, "Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research"......

HIPAA Violation: Medical Clinic Leaves Box With PHI On Public Dumpster

This summer I had planned to do a dumpster-diving project with my sons, but then the Iowa floods postponed those plans. However, after reading the following I'm motivated to plan to do this in the spring after basketball and G&T...

New HHS Guidance States HIPAA Does Not Apply To PHRs

I hope you are all having a wonderful holiday season! I hadn't planned to take the past few days off from blogging, but something like the flu (probably the flu) hit me like a bag of bricks on Christmas day...

HHS's New Privacy & Security Framework Based Upon The OECD Privacy Principles

Earlier this week, the Department of Health and Human Services issued a framework, "Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information December 15, 2008" for protecting patient privacy and securing medical records, in particular online...

ED and HHS Give Guidance for HIPAA and FERPA Relationship

I saw some interesting news from the OS OCR Privacy List listserv. If you are with an education institution or a healthcare covered entity, take some time to read the new guidance about the relationship between FERPA and HIPAA......

HIPAA Violation: Healthcare Worker Writes About Patients On MySpace

What was this worker for a healthcare provider thinking...didn't/doesn't the provider provide any kind of information security or privacy training or awareness communications...?...

CMS Gets Heat Over Not Actively Enforcing HIPAA

To date the Centers for Medicare and Medicaid Services (CMS) has not actively pursued HIPAA Security Rule compliance. Instead they have depended upon complaints to drive their investigations. However, as this article nicely points out, depending upon patients and healthcare...

Example Of How Many Healthcare Providers Do Not Understand HIPAA

HIPAA is misunderstood by many personnel who work for healthcare providers; probably because they do not receive effective or good training about HIPAA. Here is a good example of how healthcare providers inappropriately withhold information in the name of HIPAA......

Audit Shows That After 5 Years CMS *STILL* Has No Documented Procedures For Ensuring HIPAA compliance

This week the Department of Health and Human Services (HHS) Office of Inspector General (OIG) released a very interesting assessment of how well, and how effectively, the Centers for Medicare & Medicaid Services (CMS) was performing their Health Insurance Portability...

HIPAA Compliance During Emergencies and Disasters

Yesterday the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) posted a new HIPAA frequently asked question (FAQ) to their site; a great question that many organizations do not even consider until after the fact......

New HHS Guides For HIPAA Privacy Rule

Did you see that the Department of Health and Human Services (HHS) released some new guidance documents for the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule compliance activities on September 17? I need to go through them more thoroughly,...

Insider Threat Examples & 7th HIPAA Criminal Conviction

Yesterday I read about the 7th criminal conviction and sentencing that has been given under HIPAA, "Woman gets 14 months in ID theft case."...

Insider Threat Examples: HIPAA Violations Go UnPenalized In Iowa

When I got my Sunday Des Moines Register out of the orange box across the road this morning, the front page headline leaped out at me, "Medical privacy law fails to stop snooping." In one of the incidents described, a...

First HIPAA Sanction Applied! $100,000 + Required Actions

My jaw almost dropped early this morning when I saw the press release from the HHS yesterday, "HHS, Providence Health & Services Agree on Corrective Action Plan to Protect Health Information." Is it about time the HHS actually enforced HIPAA?...

HIPAA Humor: Dumb Robber

Here's a story that gave me a bit of a chuckle, "Note leads police to robbery arrest"......

Business Leader Primer for Effective Information Disposal

I've been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security...

More On The HHS HIPAA Compliance Activities

Today I communicated with Sue Marquette Poremba at SC Magazine for an article she published this afternoon, "Proliferating HIPAA complaints and medical record breaches." She had seen my blog posting from yesterday, "HIPAA Complaints And Associated Resolutions Since 2003," and...

HIPAA Complaints And Associated Resolutions Since 2003

The U.S. Health Insurance Portability and Accountability Act (HIPAA) has required compliance from covered entities (CEs) since 2003. The Department of Health and Human Services (HHS) is the Federal agency with regulatory oversight for compliance; with the Office of Civil...

A Couple Of Little Known HIPAA Facts

Last week I was contacted by Corey Goodman, a reporter for HCPro, about a story he is doing that sounds like it will be quite interesting! He is collecting examples and anecdotes about "little known HIPAA facts" and asked me...

Do We REALLY Need Doctors To Do Consultations Via Email?

A few months ago I had some lively back-and-forth blog postings with a doctor who used email and instant messaging (IM) a lot in his practice; here, here and here. Today my good friend Alec forwarded me another interesting news...

Revisiting Online Medical Information Storage Houses Points To Consistent Need For *1* Federal Privacy Law

Last fall I blogged about Microsoft's HealthVault, "Why Would You Trust Microsoft To Store Your Sensitive Health Information?" It didn't take long before Google got in on the game. Today an interesting story ran in the New York Times, "Warning...

One Word Makes A World Of Difference...To Auditors and To Practitioners

I want to continue the discussion I started yesterday. Is there a difference between "log management" and a "log management system"?...

Misquotes and Misinformation on PCI DSS Log Management

I always invite feedback and comments about my articles and books. I like to know what people have found useful as well as hear how I can improve upon my writing and see if there is any more information I...

Risks & Compliance: Giving Personnel Access to Their Own, And Coworkers', Records is Generally a Bad Idea

I get several questions from folks about various information security, privacy and compliance issues. I answer all I can. Most of them are great, thought-provoking questions that help to spawn a nice discussion! I recently got a very good and...

HIPAA *HAS* Impacted Healthcare Providers...Despite Lack Of Enforcement

I have written many times about how the U.S. Department of Health and Human Services (HHS) has severely weakened the planned privacy and security goals of the Health Insurance Portability and Accountability Act (HIPAA) to require healthcare covered entities (CEs)...

3rd HIPAA Criminal Indictment; Another Insider Job

On February 15, Leslie A. Howell, from Oklahoma City, OK, was indicted for violating the Health Insurance Portability and Accountability Act (HIPAA) of 1996 as part of an identity theft scheme....

Will Bad News Come in 3's For Health Net?

In the past several days Health Net made the news...in ways they would rather not have... First this on 2/22:...

New HIPAA Security Information on the CMS website

I just got a notice from the U.S. Department of Health and Human Services (HHS)... New HIPAA Security Information on the CMS website...

Blog Info OK'd To Use To Make Medical Insurance Coverage Decision

Hopefully most people know by now that whatever you post on the Internet is not private, and that basically anyone can read it. Hopefully most people know by now that it is a growing trend for employers to use information...

A Stolen Health Insurer's Laptop With PII Is Not Necessarily A HIPAA Violation

While scanning the news blurb summaries today, the statement "This is a violation of HIPAA." caught my eye. Hmm...let's see what this is about... This statement was actually within the reader comments to the story, "Blue Cross reports theft of...

CMS Announces Plans To Actively Audit Hospitals For HIPAA Compliance

The U.S. Centers for Medicare and Medicaid Services (CMS) announced last week that they plan to audit 10 - 20 hospitals for HIPAA compliance in the next 9 months according to a Government Health IT article....

CMS Hires A Fox To Guard The HIPAA Henhouse

I just read a very interesting article, "CMS' HIPAA watchdog presents potential conflict" that made me go Hmmm!! The genesis of the article is that the Centers for Medicare and Medicaid Services (CMS), the agency that is responsible for the...

Responding To Customers Asking About Your Company's Use of SSNs

For the past 10 years I have been driving the same, reliable, non-troublesome car. It still looks good enough (I don't really worry about driving an "it" kind of car). However, it is getting a bit rattly, and my friends...

Supporting Compliance With ITIL

Organizations have faced legal and regulatory requirements for literally decades. However, IT compliance is relatively young. U.S. healthcare organizations reacted with alarm over the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The U.S. financial organizations...

7 More Reasons Why Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is...Part 2

As a continuation of my blog posting from Monday, here are 7 additional reasons to add to the previous 4 for why sending cleartext instant messages (IMs) and email is not secure:...

Sending Cleartext IM and Email Is *NOT* Secure Even If Your Doc Says It Is...Part 1

I got some interesting comments and questions, and lots of good direct feedback, about my blog post on sending cleartext patient information last week, "HIPAA: Beware Doctors Who Claim They Don't Have To Follow Safeguard and Privacy Requirements" so I...

HIPAA: Beware Doctors Who Claim They Don't Have To Follow Safeguard and Privacy Requirements

My good friend Alec recently made me aware of a very interesting blog post made by a physician (thanks Alec!) that is frankly quite troubling....

Email Security and Privacy: NY Hospital Retention Ruling Points Out Importance of Policies and Awareness

On October 17, 2007, there was a very interesting ruling regarding a doctor's email communications sent to an attorney and the associated attorney privilege. In the matter of Scott v Beth Israel Med. Ctr. Inc. the New York Supreme Court...

HIPAA, The Insider Threat & Prison Time

It seems there are more and more stories related to patient privacy and HIPAA popping up lately. Today another story caught my eye related to them....

Another Hospital Suspends Staff For Violating HIPAA Requirements

A couple of weeks ago I blogged about the Ivinson Memorial Hospital applying sanctions to their staff for violating HIPAA requirements. They have set a good example...another hospital has also applied sanctions...suspending 27 of their staff members for violating HIPAA...

A Hospital Actively Enforcing HIPAA Requirements!

It is great to see a story published about a hospital, actually any type of organization that is a covered entity (CE), that is actively and seriously trying to be in compliance with HIPAA requirements....

The First Ever HIPAA Audit: Where's The Report? Does It Have Beef?

Gosh, I just had a flashback to the "Where's the Beef" commercial from years ago... :) The U.S. Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule went into effect in April, 2001, and gave covered entities (CEs) two years...

HIPAA & 4 Lessons From an Insider Threat Example: Former Healthcare IT Manager Hacks Into System and Deletes PHI

There are so many ways in which bad things can happen with the authorized access personnel and business partners have to sensitive data, personally identifiable information (PII), and business systems. Many times the bad things that happen are a result...

Confusing Folks: PHR, PHI, PII, NPPI, and Dozens of Other Acronyms...It's Still All Personal Information

I really enjoy reading survey results. I can't help myself. Whether the surveys are well-done, sloppy, long, short, statistically accurate or obviously statistically invalid, I still find them interesting. Especially when they cover what the general public and non-IT/non-infosec person...

HIPAA Violation in Divorce Proceeding?

During a divorce case in Illinois, K.S. Kim claimed a hospital violated HIPAA by sending her health records to her ex-husband's attorney....

Laws, Standards, Mapping, and HIPAA

Today is the last day of Norwich University's Masters programs residency week; this afternoon is graduation. It has been a great week...I have loved chatting with the students and faculty, and I've compiled a page full of topics I want...

Medical Identity Theft and Bill Requiring Criminal Background Checks In LTC Facilities

I have had relatives very close to me who, because of degenerative diseases and medical problems, have had to go to long term care (LTC) facilities. I always worried about the care they were receiving when I was not around....

HIPAA: More Changes and Initiatives by HHS

I've been reading so much about HIPAA lately; no enforcement actions yet, but a lot of changes, proposals and initiatives. Two more I read about recently:...

HIPAA: Advisory Workgroup Proposes PHI Security and Privacy Requirements Should Apply to All Organizations

The Department of Health and Human Services (HHS) has a Confidentiality, Privacy, and Security Workgroup, also known as the American Health Information Community, that is made up of practitioners, IT folks, lawyers and other leaders outside of the government who...

Admitted HIPAA Noncompliance at UPMC: Penalties Must Be Applied to Make Laws Effective

On April 13 the Pittsburgh Tribune-Review reported that the University of Pittsburgh Medical Center (UPMC) admitted to using the records of 80 patients, including names and Social Security numbers, for a presentation they made at a 2002 symposium, in violation...

HIPAA Security Rule and Privacy Rule Enforcement Reportedly Going To Be Pursued In 2007

Something that has bothered me, and many others, for a very long time is how there have been absolutely no enforcement actions for the Health Insurance Portability and Accountability Act (HIPAA) privacy rule or security rule since they went into...

Punitive Actions Pursued Against Professor in Japan Who Had PII About 8,800 on Disk That Was Stolen

The differences throughout the world in how personally identifiable information (PII) privacy breaches are penalized are always interesting to me. Today it was reported that the...

HIPAA: Privacy and the Press

An interesting editorial ran this past Sunday in the Mason City, Iowa Globe Gazette about HIPAA, "The Price of Privacy: HIPAA has far-ranging implications." The title intrigued me. Yes, indeed there will be far-ranging implications to effectively start handling protected...

Privacy Breach: Johns Hopkins University Lost Personal Information on 135,000 Individuals

There now seem to be so many privacy breaches that it is hard to choose which one to discuss... Last Wednesday, 2/7, Johns Hopkins University reported personal information on 135,000 employees and patients on nine backup tapes were missing that...

HIPAA: Congressional and GAO Reports Say HHS Needs To Make Changes To Protect Patient Privacy

According to a congressional testimony report posted February 1, "Private Health Records: Privacy Implications of the Federal Government's Health Information Technology Initiative," the Department of Health and Human Services (HHS) needs to do more to address privacy and security concerns...