HIPAA

Security Basics (Part Three) THE DIFFERENCE BETWEEN INFORMATION SECURITY AND DATA PROTECTION

Posted by Thomas Davon on

People often use the term data protection interchangeably with information security; however, they are not the same. Information security and data protection were established by different Acts. The Data Protection Act (DPA), which established the data protection rules, to a large extent also included information security in its list of 8 principles of data protection. The principles of data protection: Personal data shall be processed fairly and within the law. Personal data can only be held for specific and lawful purposes. Personal data shall be adequate, relevant and not excessive in relation to the purpose or...



Security Basics (Part Two) INFORMATION SECURITY IDENTIFIERS

Posted by Thomas Davon on

In information security, the Stanford Data Classification Guidelines are used to classify information as having no risk at all, a low risk, or a high risk. The guidelines highlight health information as having a high risk. According to the guidelines, Protected Health Information (PHI) is High-Risk Data which must be protected against any form of risk. According to the guidelines, PHI is any information relating to the past, present or future of an individual that can be used to identify the individual. Such information must be treated with the utmost privacy. It...



Security Basics (Part One)

Posted by Thomas Davon on

SOME CORE AREAS OF INFORMATION SECURITY Information security has been a major issue in recent times. The use and disclosure of information in such a way that the information does not cause any harm to the persons concerned is very important. There are different areas of information security; these include: Access: This is the ability to use, manipulate, modify, or affect another subject or object. Information access is only granted to those considered authorized users. Any user who accesses information without authorization is considered a hacker, and such an act is a violation of the information security laws. ...



Why you have to have a Risk Management Program (Part Two) fifty-six thousand reasons

Posted by Thomas Davon on

On April twenty-fourth Dignity Health allowed approximately fifty-six thousand patient records to be compromised by their subcontractor Healthgrades. On May thirty-first Dignity Health reported the breach to the Office of Civil Rights (OCR) under HHS as required by HIPAA, given the breach was over five hundred records. Surely it will be found that, due to a lack of proper vendor oversight and a lack of Risk Management, a sorting error in an email list caused the breach. In a press release Dignity Health said “Dignity Health and Healthgrades investigated and corrected the problem and the companies are putting appropriate steps...



Why you have to have a Risk Management Program (Part One) 2.2 million reasons

Posted by Thomas Davon on

Risk Management is a mandatory part of the HIPAA HITECH law that Congress put into place to protect the data of patients and their identity. Below is the exact language from the Government Publishing Office (GPO). “§ 164.308 Administrative safeguards. (1)(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” I can hear you now: so what if I don’t want to maintain a Risk Management Program? What is the Government really going to do to me? Well, that depends...
