By:
On:
In: *Connecting the Dots Blog*, Campus Safety, Emergency Management, Incident Reporting, Legal, Regulatory Compliance, Risk Management, School Safety

  The U.S. Department of Education released the Handbook for Campus Safety and Security Reporting providing step-by-step procedures, examples, and references for higher education institutions to follow in meeting campus safety and security requirements. Lessons Learned:  College and University administrators are overwhelmed with responsibilities for HEOA, FERPA, HIPAA, Clery Act, OCR ‘Dear Colleague’ Letters, and much more and therefore guidance from the Federal Government can be helpful.  It is critical for School Administrators to utilize resources and develop comprehensive campus safety programs and create a culture of compliance and preparedness that is ongoing.  Traditional methodologies are clearly not working based on new handbooks, new regulationsRead More →

By:
On:
In: *Connecting the Dots Blog*, Health Care, Regulatory Compliance

  A recent survey revealed that HIPAA is the most challenging regulation to businesses today. Lessons Learned: Regulatory requirements are updated regularly…Hackers, risks, threats, etc. are constantly changing. Staying up-to-date and within compliance is challenging, but critical.  Organizations must ensure all employees (and third-parties) understand their responsibilities to protect sensitive information.Read More →

By:
On:
In: *Connecting the Dots Blog*, Health Care, Information Privacy, Information Security, Regulatory Compliance

  OCR is offering HIPAA Enforcement Training to help State Attorneys General enforce the HIPAA Privacy and Security Rules and file federal civil lawsuits for HIPAA violations. Lessons Learned:  HHS and OCR are serious about Privacy and Security in Health Care.   Policies and procedures play a critical role in an organization’s culture of privacy and security and need to be updated as requirements, risks, regulations, etc. change.  Health care organizations will need to conduct internal audits and assessments rather than waiting for the OCR or AGs to arrive.  All employees and business associates must understand how to safely handle patient information and maintain a cultureRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Regulatory Compliance

  The HHS Office for Civil Rights plans to use powers authorized under the HITECH Act to tighten up privacy requirements, as well as exponentially increase the penalties for HIPAA privacy and security violations. Lessons Learned:  Organizations will need to ensure they are meeting all requirements and documenting actions under the HIPAA/HITECH Act and maintain a a high level of CYA – compliance year around!  All employees (and third-parties) must be aware of and accountable for their individual requirements as a single data breach or violation can cost an organization up to $50,000…which is much more expensive and costly than new compliance and risk platformsRead More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

  The HHS Office for Civil Rights is asking for $46.7 million in funding, an increase of $5.6 million over the current level.  76 percent of the new funds will be for increased enforcement of health information privacy and security rules. Lessons Learned:  Increased enforcement of existing and new regulatory requirements are on the way.  Is your organization prepared and meeting all compliance requirements for HIPAA/HITECH or are you willing to take your chances?  Based on numerous other lessons learned stories in this blog (search the Lessons Learned Blog for your sector or other keywords), getting your compliance program in shape sooner than later makesRead More →

By:
On:
In: *Connecting the Dots Blog*, Health Care, Regulatory Compliance

  Cignet Health is facing a $4.3 M civil penalty after violating the HIPAA Privacy Rule and failing to cooperative with HHS’s subsequent probe.  This is the first civil money penalty for a violation of HIPAA. Lessons Learned: The Feds mean business and there will be more fines and lawsuits and more embarrassing headlines for health care organizations that do not take compliance, risk assessments and incident management seriously.  Is your organization meeting all HIPAA/HITECH compliance requirements?  Do you have the necessary documentation in place to provide HHS with information in the event of an audit? Does your documentation help your organization demonstrate all appropriateRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Information Security, Regulatory Compliance

  Did everyone see this ultimate lesson regarding lessons learned but not implemented? Remember back in February 2009 when the Federal Trade Commission (FTC) issued a settlement against CVS Caremark?  According to the settlement, CVS Caremark violated the HIPAA privacy rule and the FTC Act when some of its stores improperly disposed of prescription information and pill bottles that had patient information on them.  The settlement resulted in a $2.25 million fine and they must ensure their security program meets the standards of the settlement [including ongoing audits] for the next 20 years. Now roll the clock ahead to July 2010 and another pharmacy chainRead More →

By:
On:
In: *Connecting the Dots Blog*, Human Resources, Incident Reporting, Information Privacy, Information Security, Risk Management

  Recently, Awareity’s CEO, Rick Shaw, was asked to present at the Infotec conference in Omaha.   During his presentation, “The Truths (and Myths) About Assessments, Planning and Implementing”, Rick discussed the three-legged stool each organization is sitting on, and the importance of all three legs (Assessments, Planning/Developing and Implementing). Most organizations understand the importance of assessments and planning, but where many fail to deliver is in the implementation phase.   As we have seen with numerous headlines and lessons learned, a failure to implement can lead to expensive fines, lawsuits, breaches and losses.  Rick used a case study for CVS Caremark.   Due to employees carelessly tossingRead More →

By:
On:
In: *Connecting the Dots Blog*, Incident Reporting, Information Privacy, Regulatory Compliance

If you were busy getting your costume ready for Halloween, you might have missed the news release from HHS on October 30, 2009.  This news release should be taken seriously by all covered entities and organizational leaders that have responsibilities for protected health information (PHI) The news release announces that HHS has issued an interim final rule to strengthen its enforcement of the rules within HIPAA to conform to the HIPAA enforcement regulations made by the HITECH Act. As you may remember, the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act (ARRA)Read More →

By:
On:
In: *Connecting the Dots Blog*, Information Privacy, Information Security, Regulatory Compliance

Health and Human Services (HHS) issued new regulations this week requiring healthcare providers, health plans and other entities covered by HIPAA (Health Insurance Portability and Accountability Act) to notify patients if their electronic health information has been breached. The regulations were developed by HHS Office of Civil Rights (OCR) and require healthcare providers and other HIPAA covered entities to promptly notify people, the HHS and the media in breaches that affect more than 500 people. Earlier this week, HHS announced that they delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights (OCR). Any lessons learnedRead More →