HIPAA Summit Award & A Note of Thanks
HIPAA Summit Distinguished Service Award to Chris Apgar, CISSP, C-CISO, posthumously.
PHI
Return from Remote Work: How do you secure remotely used data & devices?
As things ease up, and slowly people return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CE) and business associates (BA) went through when everyone who was non-essential was required to go to remote work, but … Read more
Are All Ransomware Attacks Breaches?
It’s one of those questions that never goes away. The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after ransomware attacks, the safe harbor still applies when it comes to breaches. If your PHI data was encrypted prior to the ransomware attack that encrypted (aka “held for ransom”) it, you … Read more
The CCPA and the Iffy Territory of the “HIPAA exemption”
A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to … Read more
Word of Warning: join.me Does Not Sign Business Associate Agreements
A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the … Read more
Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule
Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago. One of the sessions I attended was focused on what’s happening at OCR these days. The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP. I … Read more
What can you charge a patient for a copy of their PHI?
While conducting a workshop focused on privacy, the question came up about what covered entities and business associates supporting covered entities can charge for an electronic copy of a patient’s designated record set (aka PHI). My answer to the audience was partially correct and partially wrong. The following is an excerpt from the preamble to … Read more
Medical Data Blackmail: Another Face of Data Breaches in the Digital Age
The interview and subsequent articles about Charlie Sheen’s disclosure of being the intended victim of medical data blackmail stirred dynamic discussions among my privacy and security colleagues. It’s one more example of how, as our healthcare information continues to be digitized, there are more opportunities for data breaches to occur without an expert hacker’s involvement. What … Read more
OCR News: Single-location Pharmacy Pinged with Penalty & Corrective Action Plan
Remember a few years ago we wrote about When it Comes to HIPAA Violations, Size Doesn’t Matter? Then it was a small specialty physician practice in Arizona that was hit with a penalty – now it’s a Denver pharmacy, Cornell Prescription Pharmacy. A well-known single-location pharmacy serving the greater Denver metropolitan area, they’re being pinged … Read more
Facebook – The Health Care Privacy Time Bomb
A reporter asked me not that long ago how frequently health care providers post patient health information (PHI) that would permit a reasonable person to identify the patient (even without a name included). I hear rumors of such now and again, and I’ve had my share of clients panic over something posted by an employee. … Read more
