Breach Notification Laws: An Evolving Mine Field

by Mahmood Sher-jan

In 2012 a number of states, including Connecticut, Texas and Vermont, made changes to their breach laws. The most noteworthy was Texas' House Bill 300, which amended the state's existing data breach law effective September 1, 2012, requiring covered entities in Texas to notify affected individuals regardless of their state of residency. This is groundbreaking because it is the first time that a state has expanded the reach of its obligations beyond its own borders, basically saying that the obligations of a breached entity that does business in the state do not stop at the state's borders but follow the affected patients wherever they may reside.


Patient Identity Infection—A Multi-Faceted Risk Facing Patients

by Mahmood Sher-jan

At ID Experts we have been helping identity theft victims and patients protect and restore their identities for over a decade. It is our mission after all. It shapes our company culture and values. We know very well that identity theft and medical identity theft are growing problems. So what are the risks to patients’ identity in the healthcare setting and how do we protect against these risks? We know intuitively that prevention is the best medicine but how can we truly prevent a problem with so many root causes—some intentional but most unintentional?


ID Experts RADAR 2.5: Final Rules Ready

by Mahmood Sher-jan

Today we announced the availability of the latest release, ID Experts RADAR 2.5, our HIPAA and state data breach risk assessment and incident management software. The timing of this release coincides with the recent publication of the HIPAA Final Breach Notification Rule as part of the HIPAA Omnibus rule. I want to congratulate my team and our clients, including hospitals, health plans and insurance carriers, who have contributed significantly to this release through their participation in our beta testing and feedback process.


HHS’ Sensible Compromise on the Controversial Harm Threshold

by Mahmood Sher-jan

The HIPAA Final Rule is finally here, which means the end of uncertainty about the future of the controversial “risk of harm” assessment introduced by the Interim Final Rule (IFR). Now it is time to analyze the Final Rule and get on with the preparations for compliance. The focus of this analysis is on the implications for covered entities and business associates of the change to the definition of “breach.” The definition removed the controversial “risk of harm” language without compromising the spirit of the HITECH Act, which is to mitigate harm to individuals. This article will cover: 


South Carolina Data Breach Slam Fest – Tough Talk But Little Comfort

by Mahmood Sher-jan

The governor of South Carolina wants the hacker(s) that got away with sensitive information on millions of the state's residents slammed against the wall! You can bet that the three quarters of the state's residents whose unencrypted Social Security numbers were stolen would like to do the same. The bad news is that it looks like the attack came from a foreign country, so no slamming is in the cards. Unlike the governor, I suspect that the residents also would like to slam those responsible for protecting their highly sensitive data as more information gets out about the lack of basic safeguards that could've significantly reduced the risk of harm to those affected. I say the chance of finding someone to slam here is better


The Rise of Incident Response Planning

by Mahmood Sher-jan

Lately we have seen a strong uptick in requests for incident response planning and testing. What is driving this trend and why now? Maybe the better question is to ask why it took so long given the growing number of data breach incidents among large and small healthcare organizations? I can only speculate about the drivers for the sudden surge in focus on this issue, which has long been a requirement under the HIPAA Security Rule and was further codified through the burden of proof requirements under the HITECH Breach Notification interim final rule (IFR).


The Risk Posed by Unauthorized PHI & PII Disclosure is Contextual

by Mahmood Sher-jan

The data elements that the HIPAA data breach notification rule and state breach laws have designated as PHI or PII vary from mundane and publicly available items like name and mailing address to more private information such as account numbers and medical record numbers. When PHI or PII is hacked, one of the factors that determine the level of risk to the individuals affected is the sensitivity of the PHI or PII involved. For example, Social Security numbers, full account numbers and PINs are treated as high risk. It is very easy to dismiss any significant risk of harm with unauthorized disclosures of PHI/PII that include only names, email addresses, partial account numbers (last 4 digits) and mailing addresses, since it is believed that this information can be assembled from publicly available sources and does not pose a significant risk of harm.


What Do HIEs and Cracked Windshields Have in Common?

by Mahmood Sher-jan

If you are a patient, like most, you are probably assuming that your protected health information (PHI) is well "protected" by those who are custodians of the data. You also may think that the data is yours and you control its primary and secondary use. I hate to be the bearer of alarming news but both of these assumptions may be faulty. The topic of "who owns patient data in EHRs" was extensively explored in a great blog post by Doug Pollack of ID Experts, which has already generated well over 100 comments on the HIMSS LinkedIn group alone. I encourage anyone interested in the topic to check it out.


ID Experts RADAR Wins Best Privacy Technologies of 2012 Award

by Mahmood Sher-jan

Today I had the honor of accepting the Best Technologies of 2012 Award on behalf of my entire ID Experts RADAR team. This was the recognition of our success in creating an intuitive and simple-to-use solution that addresses a very complex problem of compliance with HIPAA / HITECH and state data breach laws for the healthcare industry. RADAR's growing adoption by covered entities and now this acknowledgement by the Health Privacy Summit is a testament to the value of RADAR as the right privacy incident management (PIM) tool that properly balances regulatory compliance and patient protection.


Does HIPAA Require Forensics Investigation?

by Mahmood Sher-jan

HealthcareIT News recently interviewed me for an article, "5 Reasons to Use Forensics," about the reasons for using digital forensics as an investigation tool when an electronic incident is discovered. There's a mystery about the term computer forensics, since to many non-geeks forensics can be hard to grasp.
