After the 2013 HIPAA Omnibus Rule went into effect, there was a delay while the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) brought its audit program in line with the new requirements. Based on last month’s announcement in the Federal Register, it seems they are about ready to start auditing organizations again. I suppose most healthcare covered entities and business associates don’t read the Federal Register regularly, so here are the pertinent details. OCR is planning an information collection (survey) effort targeting 1,200 covered entities (typically health plans, health care clearinghouses, and health care providers) as well as business associates. The announced goal of the survey is: to determine suitability for the Office for[…]

While the headlines are dominated by tales of recent breaches at Target, Neiman Marcus, and others, those businesses will survive. What about smaller companies? It turns out that just last year, two separate title and escrow companies had to shut their doors after suffering cyber attacks. Leaked emails from a small regional bank resulted in the successful theft of money from a client. And thieves are using the access that small accounting and financial management firms have to individual and corporate bank accounts to steal hundreds of thousands of dollars. What do these incidents all have in common? They all involve financial industry firms. And the firms are all relatively small. Most of them neglected to provide even the minimum viable security[…]

“What can it hurt for us to perform our own security self-assessment?” is a question that many organizations ask themselves. After all, they have competent IT staff, and the staff must know something about information security to keep things running. So, why doesn’t it make sense to do your own self-assessment? Familiarity. The first reason to seek an outsider to do a security assessment is that they lack familiarity with your organization. Just as you gloss over misspellings and mistakes in your own writing, you can gloss over assessment topics because you believe that you’re already familiar with them. Sometimes an outside assessment reveals that the folks in a department are doing things differently than you expect. An unbiased third party can help[…]

One of the things that caught my eye in PwC’s most recent report, The Global State of Information Security® Survey 2014, was the information shared about the importance of evaluating the security of third parties. As data proliferates and is shared among more partners, suppliers, contractors, and customers, it is increasingly critical that businesses understand the risks associated with sharing data with third parties. What’s more, organizations should ensure that third parties meet or beat their own requirements for data security. This is a refrain I have been using for years, having presented on it at the 2009 Drug Information Association Annual Meeting in San Diego as well as the 2010 Pharma Outsourcing Congress in Munich. Unfortunately, the[…]

This article describes the HIPAA contingency planning and security incident response requirements. The relevant subsections of the HIPAA Security Rule (45 CFR §164.308) are §164.308(a)(6) and §164.308(a)(7). HIPAA contingency planning is a term used broadly to cover security incident response procedures and contingency planning for emergency situations that may compromise protected health information. HIPAA contingency planning is one of the administrative safeguards that a covered entity must employ. The audit requirements for HIPAA contingency planning are covered in a separate post. HIPAA Security Incident Procedures. “Implement policies and procedures to address security incidents.” [§164.308(a)(6)] A covered entity is required to be able to identify, respond to, and mitigate security incidents in a timely and reasonable fashion. The procedure for responding to security incidents should be[…]

This article describes the HIPAA workforce security requirements for restricting access to protected health information. The relevant subsection of the HIPAA Security Rule is §164.308(a)(3). Section 164.308 of the Security Rule (45 CFR Part 164) describes the required administrative safeguards for covered entities. This article explores §164.308(a)(3), which deals with ensuring that workforce members have appropriate (yet limited) access to protected health information. HIPAA Workforce Security. “Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.” [§164.308(a)(3)] This[…]