Return from Remote Work: How do you secure remotely used data & devices?

As things ease up, and slowly people return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CE) and business associates (BA) went through when everyone who was non-essential was required to go to remote work, but … Read more

Are All Ransomware Attacks Breaches?

It’s one of those questions that never goes away. The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after a ransomware attack, the breach safe harbor can still apply. If your PHI data was already encrypted prior to the ransomware attack that encrypted (aka “held for ransom”) it, you … Read more

Data Privacy & Security: 2018 Reflections & the Year Ahead

It’s been a tumultuous 2018 for data privacy and information security. New regulations here and abroad show that data privacy will continue to be a hot topic as we move into 2019. We’re seeing that OCR’s investigations and penalties aren’t limited to large entities or to large breaches. Expect that to continue. Over 60 organizations … Read more

How can you avoid the costly price tag of unauthorized ePHI access?

We’re talking millions. Take a look at the largest HIPAA-violation related fines of 2017. Companies like dialysis-giant Fresenius, Memorial Healthcare Systems, and 21st Century Oncology (21CO), which operates 143 centers nationwide, have been fined millions thanks to unauthorized access (21CO has filed for Chapter 11 bankruptcy). In 21CO’s case, the access was through a vulnerable … Read more

Who has access to PHI? Should they?

That was the title of an early January eblast to our subscribers where we talked about insider risk and audit controls. Then OCR sends out an email about a recent $5.5 million settlement with Memorial Healthcare Systems (MHS) about PHI being “impermissibly accessed” and “impermissibly disclosed” to doctors’ staff. The email serves as an expensive … Read more

Employees & ePHI: Who has access to your healthcare data?

The risk is real. With all of the attention on external threats to ePHI, like ransomware and cyberattacks, healthcare organizations and their digital health vendors may be distracted from the threat of insider risk. Yet according to a recent HHS OCR newsletter, “insider threat is becoming one of the largest threats to organizations and some cyberattacks may … Read more

Migrating to a Cloud Service: Is your BAA in place?

In a recent LinkedIn discussion between colleagues in our HIPAA Survival Guide group, a member posed an interesting question that probably doesn’t usually garner much attention in the general scheme of things when upgrading technology: If a company is a HIPAA Covered Entity and is migrating to Microsoft Office 365 (which is a cloud-based solution) … Read more

Never mind Big Brother, OCR is watching! HIPAA Enforcement Developments

It was a busy 2014 for the Office for Civil Rights (OCR). OCR entered into several resolution agreements and corrective action plans last year. Pay attention to the enforcement trend, covered entities (CE) and business associates (BA)! No matter how large or small, OCR is taking aim at CEs, and likely soon BAs, when it … Read more