Return from Remote Work: How do you secure remotely used data & devices?

return from remote work

As things ease up, and slowly people return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CE) and business associates (BA) went through when everyone who was non-essential was required to go to remote work, but … Read more

Are All Ransomware Attacks Breaches?

ransomware-breach or incident only

It’s one of those questions that never goes away.  The answer is, “Maybe” and very definitely, “Not always.” Contrary to popular belief, even after ransomware attacks, the safe harbor still applies when it comes to breaches.  If your PHI data was encrypted prior to the ransomware attack that encrypted (aka “held for ransom”) it, you … Read more

The CCPA and the Iffy Territory of the “HIPAA exemption”

CCPA HIPAA exemption

A brief recap: The California Consumer Privacy Act (CCPA) aims to give California consumers greater control over their personal information by imposing certain obligations on entities covered by the law. The CCPA takes effect January 1, 2020. And as we said in an earlier blog article, you don’t have to be a California-based business to … Read more

Word of Warning: join.me Does Not Sign Business Associate Agreements

Vendors HIPAA BAA

A few days ago, after making multiple attempts on behalf of a client to verify and clarify how join.me supports HIPAA compliance, specifically participating in Business Associate Agreements, I found that they do not. In fact, they do not consider themselves subject to HIPAA regulations, regardless of the possibility of PHI being stored on the … Read more

Privacy & Security Forum Update: OCR Activity, Audit Protocols, Ransomware & the HIPAA Security Rule

Julia and I had the pleasure of attending the 2018 Privacy & Security Forum a couple of weeks ago.  One of the sessions I attended was focused on what’s happening at OCR these days.  The speaker was Roger Severino, Director of OCR, and the moderator was Adam Greene, partner at Davis Wright Tremaine, LLP.  I … Read more

What can you charge a patient for a copy of their PHI?

While conducting a workshop focused on privacy, the question came up about what covered entities and business associates supporting covered entities can charge for an electronic copy of a patient’s designated record set (aka PHI).  My answer to the audience was partially correct and partially wrong.  The following is an excerpt from the preamble to … Read more

Medical Data Blackmail: Another Face of Data Breaches in the Digital Age

The interview and subsequent articles about Charlie Sheen’s disclosure of being the intended victim of medical data blackmail stirred dynamic discussions among my privacy and security colleagues. It’s one more example of how, as our healthcare information continues to be digitized, there are more opportunities for data breaches to occur without an expert hacker’s involvement. What … Read more

OCR News: Single-location Pharmacy Pinged with Penalty & Corrective Action Plan

Remember a few years ago we wrote about When it Comes to HIPAA Violations, Size Doesn’t Matter? Then it was a small specialty physician practice in Arizona that was hit with a penalty – now it’s a Denver pharmacy, Cornell Prescription Pharmacy. A well-known single-location pharmacy serving the greater Denver metropolitan area, they’re being pinged … Read more

Facebook – The Health Care Privacy Time Bomb

A reporter asked me not that long ago how frequently health care providers post patient health information (PHI) that would permit a reasonable person to identify the patient (even without a name included). I hear rumors of such now and again, and I’ve had my share of clients panic over something posted by an employee. … Read more