Audit Log Monitoring: Tiresome But Oh-So-Necessary

Audit log monitoring is probably one of the most unsexy, uninteresting activities a healthcare organization or business associate has to do.  But neglect it at the risk of your solid bottom line and reputation. Last time we talked about how you can get into legal (and costly) hot water with badly aligned policies and procedures … Read more

Healthcare Organizations: What can get you into [costly] hot water?

For healthcare organizations and the businesses that support them, regulation and legislation too often turn into lawsuits and settlements. What’s happening to get you into trouble in the first place? How can you avoid the serious costs they bring – to the bottom line and to reputation? Here’s what Julia and I often see from … Read more

What Does the California Assembly’s Course Correction Mean for the CCPA?

Well, remember the issues around what the “HIPAA exemption” in the California Consumer Privacy Act (CCPA) really applied to?  We wrote about it here all the way back in May 2019. Turns out our impression was correct – so correct that California just passed a law to correct it! Here’s the skinny: On September 5, … Read more

Attention Business Associates! New OCR Announcement re PHI during COVID-19 Relates to You

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that, effective immediately, it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the … Read more

When It’s OK to Share: OCR’s Novel Coronavirus Disease (COVID-19) Limited Waiver

Novel Coronavirus, aka COVID-19, is on track to stretch our healthcare system to the breaking point, and our healthcare providers along with it. In effect as of March 15, 2020, the OCR published a Limited Waiver of HIPAA Sanctions and Penalties that, during this National Emergency, could give care providers one less source of anxiety … Read more

Business Associate or Conduit? Why a BAA likely applies to you.

Ever run into a vendor who claims to be a conduit versus a business associate (BA)? It happens all too often, in my experience. Here’s the problem: the conduit exception is a narrow one. If you’re storing PHI data, even encrypted PHI where you don’t have the encryption key, you’re a BA. Sign the Business … Read more

Should you trust Alexa with your health information?

By now you’ve likely heard that Amazon is moving into the HIPAA space with Alexa.  In conjunction with their partners, they’re launching what Amazon calls “HIPAA compliant” apps.  If only it were that easy to create a HIPAA-covered app, or as Amazon calls it, a skill.  As with Amazon Web Services (AWS), it’s ultimately up … Read more

How to Harden Laptops, Tablets & Smartphones to Protect PHI

When your goal is to protect PHI on laptops and mobile devices, keep in mind that information security is only as strong as its weakest link. Lenient information security standards sharply increase the risk to sensitive healthcare data. They can also place you out of compliance with the HIPAA Security Rule. On top of that, the … Read more

Word of Warning: join.me Does Not Sign Business Associate Agreements

A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the … Read more

Privacy and Security Training: Less hype, less myth, more HIPAA realities.

I’m often taken aback by some of the marketing material I receive from privacy and security training vendors.  This is clearly a “buyer beware” moment.  Reviewing a training vendor’s material can give you some insight into their credibility, particularly if you’re already somewhat knowledgeable about the material that needs to be covered in … Read more