Do you really need security to attest to meaningful use?

by Doug Pollack

CMS (the Centers for Medicare & Medicaid Services) has begun auditing participants in the federally funded electronic health record (EHR) incentive payment program that makes funding available to hospitals and other healthcare organizations who can demonstrate meaningful use of certified EHR systems.  And while one of the meaningful use criteria is that the organization carry out a HIPAA security risk analysis, the initial audits have found that one of the two most common adverse findings is non-compliance with the requirement to conduct a security risk analysis.


Lesson Learned by OCR Privacy & Security Audits

by Doug Pollack

Right on the heels of a terrific inaugural workshop meeting for the PHI Protection Network (PPN) last week in Boston, I wanted to take a moment to revisit some of the key findings presented by representatives of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) at the IAPP Global Summit the prior week. The results that they presented were incredibly detailed, and highlighted just how far healthcare organizations still have to go in order to comply with HIPAA/HITECH privacy, security and breach notification provisions. This is especially important now that the Final Omnibus Rule has been published and the clock is ticking down on the timeframe for compliance.


Is the Juice Worth the Squeeze?

by Doug Pollack

HHS/OCR Commissioner Leon Rodriguez presented his views on the state of healthcare privacy, security and data breach notification at the IAPP Global Privacy Summit last week in Washington, D.C. The title of this post is based on a question put to him by a neighbor as to whether the efforts in Rulemaking and enforcement actions by OCR (the squeeze) yield the positive outcomes and benefits (the juice) that the agency is trying to bring about.


Top of the Charts in Cloud Risk: Data Breaches

by Doug Pollack

The Cloud Security Alliance (CSA) this week, as part of the RSA 2013 Conference, released its “Notorious Nine”. This is a list of the top threats associated with cloud computing.  At the top of the charts for 2013 – data breaches. With data breaches going to the top of this list, now is probably a great time to ask yourself the question: When should I consider placing personal privacy information from my customers and others in the cloud?


New HIPAA Rules: Is Your Organization Ready?

by Doug Pollack

As most of you are already aware at this point, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published the Final HIPAA Omnibus Rule in the Federal Register last month on January 25, 2013. So the question I think many of you should be asking is, "So what does this mean for me and my organization?"


HIPAA Omnibus Final Rule Brings Sweeping Changes

by Doug Pollack

I was asked recently by HITECH Answers to address some questions about the recently published HIPAA Omnibus Rule, which addresses privacy, security and breach notification issues for HIPAA covered entities and business associates. The rules have been characterized as bringing "sweeping changes" in these areas. I think certainly that there are numerous areas within the Final Rules that will require the careful attention of all members of the healthcare ecosystem. Without a doubt, now that the Final Rules have been issued, the breadth and intensity of investigations and enforcement actions by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) are only likely to increase, exposing healthcare organizations and their business partners to greater risks. Learn more about the Rules and their implications at the upcoming webinar: HIPAA Final Rules: What you need to know and do. Speakers include Adam Greene, Partner at Davis Wright Tremaine. Previously, Adam was a regulator at the U.S. Department of Health and Human Services, where he played a fundamental role in administering and enforcing the HIPAA rules.


Health Information Privacy in Our Brave New World

by Doug Pollack

The challenges to maintaining privacy of confidential patient data continue to grow as more and more of this information is going into new electronic systems as mandated by government regulations. The recent article titled "Heart Gadgets Test Privacy-Law Limits" (Marcus and Weaver, Wall Street Journal, November 28, 2012) highlights the controversial collection of medical data from devices that are embedded or attached to patients to monitor various types of activity. This data, interestingly, does not fall within the control of HIPAA regulations that, among other things, dictate the rights that patients have to access their medical records and data. Given this circumstance, this also opens up the potential that commercial interests can "monetize" data that they collect from patients via medical devices. Given such trends, it is timely that the Ponemon Institute is releasing its 3rd Annual Benchmark Study on Patient Privacy and Data Security later this week, on December 6, 2012. To learn more about the patient privacy landscape and this soon-to-be-released study, consider attending a webinar hosted by the American Hospital Association (AHA) titled "Are Emerging Technologies Putting Your Patient Data at Risk?".


Open Letter to Governor Haley About South Carolina DOR Data Breach

by Doug Pollack

Most of your citizens are now very aware of the data breach that was perpetrated by cybercriminals against a database at your S.C. Department of Revenue that was discovered last month (October, 2012). The cyber attack appears to have led to the acquisition by criminals of private information including social security numbers, debit and credit card numbers, and even bank account information on some 3.6 million of your citizens (CarolinaLive.com, Tax returns of 3.6 million SC residents are hacked, October 26, 2012). In responding to this breach, you've chosen Experian as a key partner for "taking care" of your citizens. I question whether you could have done better. 


Is Beazley Breach Response a Good Fit for Healthcare?

by Doug Pollack

I was fortunate enough just recently to sit on a Cyber Liability Panel at ASHRM in Washington, D.C., moderated by Mary Anne Hilliard, president of ASHRM. The panel included representatives from two insurance firms that provide cyber insurance, Paul Bantick from Beazley and Kim Holmes from Chubb, as well as an insurance broker that specializes in cyber coverage, Joe Depaul from AJG Risk Management, as well as myself. The panel discussion was very engaging and high energy. All of us are very involved in working with organizations to address data breach risks and incidents. And while there was a shared view as to the current environment, and its associated risks, there was some divergence among the panel as to how best to address these risks, specifically and especially for healthcare organizations.


Tips for Making Patient Privacy Part of a Healthcare Organization’s DNA

by Doug Pollack

A recent educational event in New York City sponsored by the American Hospital Association (AHA) brought together privacy and compliance experts in healthcare to discuss the challenges and opportunities for creating a culture of patient privacy within these organizations. While one might assume that there is a widespread focus on privacy within healthcare organizations, given the nature of patient medical information, it is probably more likely that in most organizations the urgency around medical need for access to patient information typically trumps any concerns over privacy. Because of this, the panel of experts that were brought together by AHA put together a document that includes "Five Tips to make Patient Privacy Part of your Organizational DNA".
