Minimize Risk: Healthcare’s Need to Address the Unknown Unknowns

Government agencies – state and federal – have spent the past several months trying to get healthcare’s attention about cybersecurity and simple steps that organizations can take to reduce their risk of ransomware (aka minimize risk). “There are known knowns; there are things we know we know. We also know there are known unknowns; that … Read more

What Does the California Assembly’s Course Correction Mean for CCPA?

Well, remember the issues around what the “HIPAA exemption” in the California Consumer Privacy Act (CCPA) really applied to? We wrote about it here all the way back in May 2019. Turns out our impression was correct – so correct that California just passed a law to correct it! Here’s the skinny: On September 5, … Read more

Telework & Telehealth: How Can We Work Securely During a Pandemic?

Remember that brief moment when we thought the COVID-19 business impact was lifting? It was a nice thought, but we were wrong. We’re firmly in the midst of the pandemic with alleviation an ever-moving target. What does this mean for businesses, especially covered entities (CE) and business associates (BA)? Telework and telehealth present security risks, … Read more

Video Hijacking Have You Worried? Try these 5 Steps from the FBI

Healthcare organizations report that video hijacking, or teleconference hijacking, is on the rise as telehealth appointments replace typical in-person ones during the COVID-19 crisis. The FBI has received multiple reports of conferences being disrupted by pornographic images, hate images and threatening language. Yet another reason that, even though OCR has indicated it will not … Read more

Consumers in the Regulatory Driver’s Seat: Protecting Personal Data Privacy

Consumers on the warpath to protect personal data privacy are making strides in state houses. For instance, here’s an update on Oregon’s Senate Bill 703 on the sale of health information. If you use Big Data at all, you’ve probably been following this Bill. It’s basically saying that anyone selling personal health information, even when thoroughly de-identified, would … Read more

Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule

Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago. One of the sessions I attended was focused on what’s happening at OCR these days. The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP. I … Read more

How to lose data & money: The cost of unmitigated risk

The OCR announcement of a $4.3 million price tag on MD Anderson Cancer Center for noncompliance highlights the cost of unmitigated risk. A 2006 security risk analysis showing that a lack of encryption posed a PHI security threat prompted the Center to develop policies for portable device encryption. Smart. But then an OCR breach investigation … Read more

Doctors, have you heard? MACRA changes how you’ll be paid.

In MACRA (the Medicare Access and CHIP Reauthorization Act), it looks as though CMS is taking HIPAA compliance to the next level. The agency makes the security risk analysis a linchpin in one of the primary MIPS measures. MIPS, the new Merit-based Incentive Payment System, incentivizes performance in quality, improvement activities and advancing care information. If clinicians … Read more