
Regulatory Compliance (Page 2)

HIPAA is Most Troublesome Compliance Regulation

2011-04-19
By: Awareity
On: April 19, 2011
In: *Connecting the Dots Blog*, Health Care, Regulatory Compliance

A recent survey revealed that HIPAA is the most challenging regulation to businesses today. Lessons Learned: Regulatory requirements are updated regularly… Hackers, risks, threats, etc. are constantly changing. Staying up-to-date and within compliance is challenging, but critical. Organizations must ensure all employees (and third-parties) understand their responsibilities to protect sensitive information.

State Attorneys Generals Trained to File Federal Civil Lawsuits

2011-04-19
By: Awareity
On: April 19, 2011
In: *Connecting the Dots Blog*, Health Care, Information Privacy, Information Security, Regulatory Compliance

OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations. Lessons Learned: HHS and OCR are serious about Privacy and Security in Health Care. Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change. Health care organizations will need to conduct internal audits and assessments rather than waiting for the OCR or AGs to arrive. All employees and business associates must understand how to safely handle patient information and maintain a culture…

#4 Health Net Breach Exposes 1.9 Million Records

2011-04-19
By: Awareity
On: April 19, 2011
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

Health Net exposed as many as 1.9 million customer records in a breach after its IT vendor misplaced nine server drives. This is the second breach in two years for Health Net; in the earlier one, a portable hard drive containing medical and financial information on 1.5 million customers disappeared from a facility in Connecticut. Lessons Learned: Technology is not the problem. People are the weak link and the solution. Devices are often lost and misplaced due to People not being aware of or not being accountable for the policies and procedures that have been put in place by the organization responsible for protecting customer information. Organizations must…

OCR Tightens Requirements and Increases Financial Penalties

2011-04-18
By: Awareity
On: April 18, 2011
In: *Connecting the Dots Blog*, Information Privacy, Regulatory Compliance

The HHS Office for Civil Rights plans to use powers authorized under the HITECH Act to tighten up privacy requirements, as well as exponentially increase the penalties for HIPAA privacy and security violations. Lessons Learned: Organizations will need to ensure they are meeting all requirements and documenting actions under the HIPAA/HITECH Act and maintain a high level of CYA – compliance year around! All employees (and third-parties) must be aware of and accountable for their individual requirements as a single data breach or violation can cost an organization up to $50,000… which is much more expensive and costly than new compliance and risk platforms…

OCR Requests More Funding for HIPAA Enforcement

2011-04-18
By: Awareity
On: April 18, 2011
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level. 76 percent of the new funds will be for increased enforcement of health information privacy and security rules. Lessons Learned: Increased enforcement of existing and new regulatory requirements is on the way. Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH or are you willing to take your chances? Based on numerous other lessons learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner rather than later makes…

First HIPAA Civil Fine $4.3M

2011-04-18
By: Awareity
On: April 18, 2011
In: *Connecting the Dots Blog*, Health Care, Regulatory Compliance

Cignet Health is facing a $4.3 M civil penalty after violating the HIPAA Privacy Rule and failing to cooperate with HHS’s subsequent probe. This is the first civil money penalty for a violation of HIPAA. Lessons Learned: The Feds mean business and there will be more fines and lawsuits and more embarrassing headlines for health care organizations that do not take compliance, risk assessments and incident management seriously. Is your organization meeting all HIPAA/HITECH compliance requirements? Do you have the necessary documentation in place to provide HHS with information in the event of an audit? Does your documentation help your organization demonstrate all appropriate…

Compliance and Ongoing Audits Save Money…

2011-03-11
By: Awareity
On: March 11, 2011
In: *Connecting the Dots Blog*, Regulatory Compliance

A new study by the Ponemon Institute shows organizations that perform internal audits spent less per capita on compliance than those that didn’t perform internal audits. Larry Ponemon is chairman of the Ponemon Institute and he commented: “I believe that the reason why internal audits reduce compliance cost is that they help prioritize the organization’s overall compliance efforts. This leads to greater efficiency in managing the total compliance burden. In other words, companies that do not conduct audits appear to be less efficient in their ongoing program management of data protection and privacy efforts.” From my experiences and from lessons learned I agree that…

Preventing Online Fraud – Assumptions Versus Awareness

2011-02-22
By: Awareity
On: February 22, 2011
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

I recently came across an interview on BankInfoSecurity entitled, “Banks Must Assume Customers Will Compromise Themselves”. In this interview, Tom Oscherwitz, chief privacy officer and vice president of government affairs for ID Analytics, discussed why online security measures are failing due to basic authentication techniques. With the use of current social networking sites, such as Facebook, customers are often revealing all the information fraudsters need to figure out their log-in credentials. Many experts (and vendors) are recommending banks increase their security measures and implement expensive fraud detection technology solutions and measures. Unfortunately, this is merely reacting to a symptom rather than preventing the problem.

Same Should Different Day!

2011-02-02
By: Awareity
On: February 2, 2011
In: *Connecting the Dots Blog*, Campus Safety, Regulatory Compliance

I wrote a couple of blogs in December 2010 about the importance of solving bullying problems and about the importance of awareness, accountability and measurability in solving problems. The underlying message in each of those 2010 blogs was to point out the need to SOLVE problems rather than just talking about what SHOULD be done. So in honor of Groundhog Day and the movie Groundhog Day, today is the perfect day to shed some light (or shade) on the dreaded “should all over yourself syndrome”. And for you Tony Robbins fans, you may have heard Tony tell us all to: “Stop shoulding all over yourself”. So…

Bullying Prevention (or Procrastination) Plans?

2011-01-12
By: Awareity
On: January 12, 2011
In: *Connecting the Dots Blog*, Incident Reporting, Legal, Regulatory Compliance, School Safety

Under a law signed by Governor Patrick in May 2010, all Massachusetts schools had a December 31, 2010 deadline for filing comprehensive bullying prevention and intervention plans. On November 10, only 3 of the 394 school communities had responded. On December 31, it was reported early in the day that 355 had submitted their plans, but right before the deadline, a flood of plans came in, resulting in 99 percent compliance (only six schools failed to meet the deadline). I believe 99% compliance is an outstanding result; however, I do have a few questions: Were the plans submitted comprehensive? Did the schools take the…
