After a data breach, everything you have done, everything you have discovered, and everything you have reported must be documented.
In Part One of a planned series of articles on Incident Response best practices, we start by discussing who is required to report a security incident to regulatory authorities, government agencies, or consumers/patients.
Future HIPAA compliance audits could result in more costly enforcement action. But being prepared is about more than a possible audit.
When your sales team and account managers can speak to your company’s compliance efforts and data security, prospects are reassured that your organization values security as much as they do.
When your organization runs into a new sort of vendor or contractor, you may wonder if the expectations of a BA apply. To protect your organization and your patients’ data, don’t guess; be sure.
If your organization has been operating under a BAA that was grandfathered in, your final deadline is now just a few weeks away.
You know that security training is a key component of compliance. Making the necessary training a regular and effective part of the organization’s procedures can be difficult for any organization.
We often see costly breaches caused by stolen laptops or equipment. There are usually simple steps the organization could have taken to increase physical on-site security to prevent the loss of data and resulting fines.
Should You Wait for HHS to Come Calling? In February, Health and Human Services’ Office for Civil Rights (HHS OCR) announced the return of the HIPAA audit program conducted in 2012. Best to be prepared.
Recently, Google announced that it would be willing to sign HIPAA Business Associate agreements (BAA) for organizations required to have such agreements for compliance.