How Do You Weigh Vendor Risk Exposure?

vendor risk exposure risk management

When it comes to vendor risk exposure and its management, you need to know how to implement a proper program that aligns with HIPAA compliance. Because whether you’re talking Cloud Service Providers or others, a solid vendor risk management program is key to potentially how well your organization can avoid a serious PHI security incident. … Read more

What the End of PHE Means to Telehealth Services

telehealth services after PHE

Hello everyone!  The White House just announced that the COVID-19 Public Health Emergency (PHE) will end on May 11, 2023. This directly affects how telehealth services can be delivered. If you haven’t blocked out all memories of Spring 2020, you may recall that the Office for Civil Rights issued a Notice of Enforcement Discretion on … Read more

Security in a Remote Access World, Revisited

It’s time to circle back to the topic of remote access.  Earlier I provided you a checklist to send to your remote working employees to assess workspace and workstation security. With new portable devices and web apps that support working from home, including transmitting large amounts of data with minimum resources, I feel it’s important … Read more

What’s the California Assembly’s Course Correction mean to CCPA?

CCPA Course Correction HIPAA Exemption

Well, remember the issues around what the “HIPAA exemption” in the California Consumer Privacy Act (CCPA) really applied to?  We wrote about it here all the way back in May 2019. Turns out our impression was correct – so correct that California just passed a law to correct it! Here’s the skinny: On September 5, … Read more

Telework & Telehealth: How Can We Work Securely During a Pandemic?

how to telework telehealth securely

Remember that brief moment when we thought the COVID-19 business impact was lifting? It was a nice thought, but we were wrong. We’re firmly in the midst of the pandemic with alleviation an ever-moving target. What does this mean for businesses, especially covered entities (CE) and business associates (BA)? Telework and telehealth present security risks, … Read more

Video Hijacking Have You Worried? Try these 5 Steps from the FBI

video hijacking fbi advice apgar

The healthcare industry reports that video hijacking, or teleconference hijacking, emergence on the rise as telehealth appointments replace typical in-person ones during the COVID-19 crisis. The FBI has received multiple reports of conferences being disrupted by pornographic images, hate images and threatening language. Yet another reason that, even though OCR has indicated it will not … Read more

Attention Business Associates! New OCR Announcement re PHI during COVID-19 Relates to You

Business Associates HIPAA National Emergency

On April 2, 2020, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced that effective immediately, it will exercise its enforcement discretion and will not impose penalties for violations of certain provisions of the HIPAA Privacy Rule against health care providers or their business associates for the … Read more

Are All Ransomware Attacks Breaches?

ransomware-breach or incident only

It’s one of those questions that never goes away.  The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after ransomware attacks, the safe harbor still applies when it comes to breaches.  If your PHI data was encrypted prior to the ransomware attack that encrypted (aka “held for ransom”) it, you … Read more

Business Associate or Conduit? Why a BAA likely applies to you.

BAA protect PHI

Ever run into a vendor who claims to be a conduit versus a business associate (BA)? It happens all too often, in my experience. Here’s the problem: the conduit exception is a narrow one. If you’re storing PHI data, even encrypted PHI where you don’t have the encryption key, you’re a BA. Sign the Business … Read more

The CCPA and the Iffy Territory of the “HIPAA exemption”

CCPA HIPAA exemption

A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to … Read more