Nicole Lewis, iHealthBeat, Thursday, November 12, 2015
As health care organizations increasingly share patient data with public health entities and use patients' information for big data analytics and precision medicine initiatives, the consensus is that de-identification will become a more important tool for health care researchers and academics to minimize privacy risk.
Robin Hattersley Gray, Campus Safety Magazine, Saturday, October 03, 2015
It seems like practically every U.S. police department is buying or considering the adoption of body-worn cameras, but are they appropriate for hospitals? If so, how should they be deployed? HIPAA compliance is just one of several challenges associated with this type of technology. Training and policies are some others.
Tracy Mitrano, Inside Higher Ed, Tuesday, September 22, 2015
Review the Business Associate Agreement (BAA), because they vary from vendor to vendor; not all BAAs are alike. Some fully meet the legal requirements needed to protect the institution, others much less so. It is critical to test the veracity of the statements and commitments made in a BAA against third-party audits, for example a successful ISO audit that includes the ISO/IEC 27018 controls, which is a decent proxy for the HIPAA Privacy Rule and Security Rule requirements. Careful attention to the quality of these documents will lower institutional risk and raise the bar among vendors, and it continues the ongoing process of harmonizing standards in cloud computing contracts. Make sure your legal counsel has reviewed the BAA, has been in contact with the leading attorneys who set the bar for appropriate terms, or has consulted the NACUA or ACE documents designed for this purpose.
By Daniel Solove, LinkedIn, Wednesday, September 02, 2015
For so many healthcare providers, HIPAA is a source of great aggravation. It's difficult. It's boring. It seems to consist of a lot of inconvenient and costly requirements. I believe that these attitudes about HIPAA are due to a failure to educate healthcare professionals about the reasons why HIPAA matters. HIPAA is not about doing all sorts of needless things for their own sake. It is about protecting patients.
Paul Lannon, Holland & Knight, Wednesday, September 02, 2015
When is it legal and proper for higher education institutions to use student medical records other than for a student's healthcare? In answering that question, institutions have to balance students' privacy interests, including federal rights under the Family Educational Rights and Privacy Act (FERPA), against legitimate institutional needs. Finding the right balance is not always easy, as highlighted by recent well-publicized cases. Too much access may facilitate misuse or discourage students from seeking campus-based medical services, while too little access may deprive an institution of information important to satisfying a legal obligation or responding effectively to a health or safety emergency.
Mahesh Kalva and Andrew Underhill, GCN, Wednesday, August 05, 2015
Health care IT departments are building private cloud networks and functioning as brokers, offering a private option, but also allowing business managers to choose a range of commodity and hybrid models through the providers with which the internal IT groups already work. When initiating use of a private cloud in health care, a few key steps vital to success include performing ample research, developing a solid risk management policy and ensuring that the ends justify the means from a business perspective.
AG Strategy Group, Monday, June 15, 2015
More employers are considering whether to encourage or even require employees to use wearables to reduce workplace injuries, lower workers' comp claims and even lower health care benefit costs. But they should take note: any potential exposure to workers' private health information could subject employers to rules under the Health Insurance Portability and Accountability Act (HIPAA). Wearables such as Google Glass, smart safety helmets and any number of sensor-enabled devices can identify hazardous conditions on worksites such as toxic chemical fumes or equipment under excessive pressure. Employers are also looking into clothing that carries embedded biosensors, actuators and gyroscopes to follow movement, heart rate, stress level, fatigue and countless other metrics, all of it connected wirelessly to mobile devices and computers. But can the use of such devices expose employers to claims of HIPAA violations? What kind of due diligence will they need to do in order to ensure that their use of wearables can't come back to haunt them later? Julie Anderson, a principal at AG Strategy Group in Washington, D.C., said this is a murky area, as policy always lags behind the development and use of technology. HIPAA was passed in 1996, but the Privacy Rule governing health care data was not finalized by HHS until 2000, with compliance required from 2003, and the Security Rule's compliance deadline did not arrive until 2005, nine years after the statute. Those rules were updated in 2013. "It's a complex set of issues, and it can take that long for policymakers to react to what's happening in the marketplace, particularly regarding how health care entities are using technology and handling the data they collect," Anderson said.
AG Strategy Group, Thursday, May 14, 2015
With the development of wearable technologies such as the Nike FuelBand, Fitbit and Apple Watch, consumers suddenly have more options to monitor their fitness performance than ever before. But the way these devices capture data poses serious privacy and security issues for individually identifiable health information, and those issues must be addressed.
AG Strategy Group, Monday, April 27, 2015
A new international privacy standard for cloud providers — ISO 27018 — brings an effective means to better protect health data. The privacy standard mirrors some of HIPAA’s tenets while providing an all-important third-party audit mechanism.
AG Strategy Group, Wednesday, April 22, 2015
A 2013 update to HIPAA's privacy standards put greater restrictions on profit-making uses of PHI but did not go far enough. Beyond that update, cloud providers have the option of adopting stronger voluntary privacy standards. Released in August 2014, the ISO/IEC code of practice (known formally as ISO/IEC 27018) sets out how providers of public cloud services should handle personally identifiable information. Though there is some overlap with HIPAA, the ISO/IEC code of practice draws several important distinctions: