In today’s data-driven world, organizations handle vast amounts of sensitive information daily. Data compliance and robust governance are crucial for maintaining data integrity, confidentiality, and availability while avoiding the pitfalls of a privacy breach or noncompliance. This article discusses what it means to implement data governance policies for data compliance across several different (privacy-centric) frameworks. …
The Kaiser Data Breach and the Importance of HIPAA for Vendor Relationships
Unfortunately, HIPAA data breaches are increasingly common. Kaiser Permanente, one of the largest healthcare insurance providers in the U.S., recently reported a massive exposure of millions of patient records (Protected Health Information, or PHI). This unfortunate event also serves as a learning moment for companies who may not understand how to avoid such unintended consequences. …
The OCR HIPAA Report and Proper Breach Requirements
HIPAA is a core cybersecurity framework for patients and healthcare providers in the U.S. Unfortunately, a new report from the OCR shows an increase in significant events and a lack of resources to follow up on critical compliance issues. We’re covering some of this report and the underlying HIPAA requirements reflected in it.
Endpoint Security and Modern Compliance
With all the focus on network security, SaaS compliance, and big data protection, it’s sometimes very easy to forget that the most vulnerable parts of any given system are often those tied to the user. These devices (endpoints) are where these users do most of their work and where a lack of security best practices …
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers …
Understanding the Difference Between HIPAA and HITRUST
Within the world of healthcare compliance and information security, there’s been increasing confusion around some terms and organizations. We’ve heard a bit about some of this confusion, specifically around HITRUST and HIPAA. Both are connected to the preservation of health information, yet they fulfill separate functions and are founded on differing principles. This article clarifies …
HIPAA and the Use of Online Tracking for Marketing Purposes
Due to some recent actions against online medical providers like BetterHealth and GoodRX, the Department of Health and Human Services has released a new warning for covered entities regarding the tracking methods they use on their websites. While web tracking has become a typical technology for most businesses, it’s not a cut-and-dried proposition for healthcare …
HIPAA and Internal Security Controls
In June 2023, the U.S. Department of Health and Human Services (HHS) reached an agreement with Yakima Valley Memorial Hospital over a significant breach of privacy and security rules. Specifically, HHS found that several security guards had inappropriately accessed the private records of up to 419 patients. This settlement demonstrated administrative and internal security …
HIPAA, Security Incidents, and Reportable Events
In the interconnected world of digital health information, safeguarding Protected Health Information is paramount. Healthcare providers must legally follow the Health Insurance Portability and Accountability Act (HIPAA) to protect patient privacy and maintain trust, and this compliance includes understanding what it means to identify and deal with security incidents. Among these, the concepts of security …
What Does the HIPAA Security Rule Say About Mobile Computing?
With modern computing increasingly moving into a mobile paradigm of remote workers, laptops, and smart devices, the threat to security in various industries is only increasing. Nowhere is this more true than in healthcare, where HIPAA breaches related to mobile devices are becoming more common. This article will discuss the HIPAA Security Rule, how it …
What Are the Proposed Rule Changes to HIPAA Coming in 2023?
In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information. This article will discuss this rule change and why it …
Maintaining HIPAA Compliance with IoT Devices
In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these …
Protected Health Information, File Sharing and Email
Protecting patient information is a crucial and necessary part of healthcare… but so is communicating effectively with patients. Considering that email continues to be the most common form of electronic communication, it stands to reason that providers meet patients where they are. However, HIPAA regulations have rather strict requirements for protecting PHI, and plain email …
What Are the Penalties for HIPAA Violations?
In October of 2015, the Excellus Health Plan suffered what was the largest HIPAA data breach of the year, with some 9.5 million patient records compromised. An investigation concluded in January 2021, stating that Excellus had five critical violations of HIPAA, including a failure to conduct risk analysis, implement sufficient network security measures and enact …
OMG USB! Physical Media and Protecting PHI
Imagine this scenario: you’ve received some test results from some procedure. Those results are to be moved between institutions because you have doctors in different departments of a healthcare system. Normally, we’d think that these institutions would electronically transmit these results through some secure channel… but then you see that your doctor has your results, …
What is NIST 800-66?
Securing protected health information (PHI) is one of the paramount cybersecurity concerns of many organizations, both inside and outside the healthcare industry. This information, if released to unauthorized parties, could lead to significant personal harm to patients that organizations must avoid at all costs. The Health Insurance Portability and Accountability Act (HIPAA) governs the protection …
What Are Health Industry Cybersecurity Practices (HICP)?
Any organization in the healthcare industry knows that cybersecurity is a critical component of doing business. So much so, in fact, that any enterprise handling protected health information (PHI) must implement and maintain strict cybersecurity and privacy controls to protect patient data from unauthorized disclosure. However, understanding that HIPAA is a requirement for operation doesn’t …
The HIPAA Security Rule and Risk Management
The Health Insurance Portability and Accountability Act (HIPAA) is one of the more complex regulations in the U.S., due in no small part to the complicated and open-ended nature of the law. What should companies do? In this case, covered organizations are turning to risk-based assessments to help them support their security approaches. Here, we …
Survival Guidance! FedRAMP and FISMA Resource for Assessing the Security Controls in Federal Information Systems and Organizations
Survival Guidance! MichaelPeters.org and LazarusAlliance.com are making our auditor’s resource for assessing the security controls in federal information systems and organizations free. This is a resource based on the NIST 800-53A framework that you may freely use to conduct your organization’s FedRAMP, HIPAA or best-practice-based security audits. Your results are private and the output …
Survival Guidance! Resource for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
HIPAA Survival Guidance! MichaelPeters.org and LazarusAlliance.com are making our auditor’s resource for implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule free. This is a resource you may freely use to conduct your organization’s HIPAA security audits. Your results are private and the output is sent to you without charge. It’s just on …
Expanding Security Breach Notification Requirements in California
A new amendment to California’s security breach notification law will raise the stakes for businesses required to give notice of a data security breach affecting California residents. California Senate Bill 24 (“SB 24”), signed by Governor Brown on August 31, 2011, imposes detailed new requirements for the content of security breach notices. Significantly, SB 24 …