Archive | February, 2012

HIPAA Security Risk Analysis Tips – What’s a Threat Again?

The HHS / OCR final guidance on completing a HIPAA Security Risk Analysis is based on NIST Special Publication 800-30, which covers the subject of Risk Management. As the guidance states, “Organizations must identify and document reasonably anticipated threats to ePHI.” Here’s today’s big tip – Better know what a threat is!

Reconsidering Communication Series: why effectively communicating value drives security success

Effectively communicating the value of security must contend with the realization that value varies with the audience, and that the terms selected often have multiple meanings. Success requires the ability to understand and consistently convey key points and outcomes while adapting each message to the audience, with the appropriate examples and logic, in a design suited to the desired outcomes.

HIPAA Security Risk Analysis Tips – Risk, Threats and Vulnerabilities, Oh My

To say there is some debate among the experts in the security community surrounding the definitions of Risk, Threats and Vulnerabilities is a slight understatement. Prestigious organizations such as ISO, IEC, NIST and ENISA seem to disagree, and the Information Security industry also offers various definitions. Here’s today’s big tip – Adopt YOUR standard set of definitions and stick with them.

State of Illinois – Chief Privacy Officer – Testimonial

I have participated in several educational programs sponsored by Clearwater Compliance. Most recently, I have participated in two HIPAA HITECH Blue Ribbon Panel webinars concerning HIPAA compliance.

I can’t thank you enough for allowing the HIPAA community to participate in these webinars free of charge. I work for a state agency and have no budget for training, and it’s a godsend to have high quality training available from experts in the HIPAA field. Thank you so much for your willingness to support HIPAA education.

What is the Chain of Trust? HITECH Implications for Business Associates and Subcontractors

The deadline for HIPAA Security Rule compliance for Covered Entities (CEs) was April 2005! For Business Associates (BAs), the date was February 2010, when, thanks to the HITECH Act, they became statutorily obligated to comply with the HIPAA Security Rule. The Notice of Proposed Rulemaking (NPRM) published in the Federal Register on July 14, 2010, entitled “Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under HITECH,” proposes that subcontractors be included in the definition of Business Associates.

HIPAA Security Risk Analysis Tips – How to Get Started

I admit that I have become so steeped in HIPAA subject matter in general, and in the process of completing a HIPAA Security Risk Analysis in particular, that I forgot that many organizations are just starting out. This post is aimed at getting back to basics. Here’s today’s big tip – Get a quick baseline education.

HIPAA Security Reminder – Do Not Abuse Your Information System Privileges

All of your workforce members must be mindful of their responsibilities when given access to information “assets” such as hardware, software, storage media, etc. Such access is a privilege and should only be used for legitimate, job-related activity. The recent Resolution Agreement between UCLA Health System and OCR is a clear example of what follows from abuse of information system privileges. Learn more about what you and your company should be doing.
