With the advent of technology and globalization, the movement of personal data has become a “business need” when it comes to data sharing between entities and countries. Technology has allowed business entities to transform their business models into international ones more easily than ever before. And because data sharing has become a “need” to ensure success for these entities, the personal data that is processed becomes valuable not only to the person the data belongs to and the business that uses it, but also to many individuals and organizations that want this data for their own, often unlawful, purposes.
As a Security and Privacy Professional with a legal background, my focus is on understanding domestic regulations like HIPAA/HITECH and comparing these to international regulations like the EU’s Data Protection Directive. My experience includes reading, dissecting, and comparing complicated laws and regulations and the management of compliance assessment projects. Therefore, I am excited about this opportunity to share information regarding the importance and sensitivity of protected healthcare information (PHI), potential consequences of a data breach, and the impact of HIPAA/HITECH rules.
Covered Entities and Business Associates must adhere to the HIPAA/HITECH rules domestically. The controls that these entities must implement are not there merely to “comply” with HIPAA/HITECH, but more importantly to prevent a data breach and protect the PHI that these entities rely on to survive as a business. This data is sensitive in nature and must be protected from the moment the entity receives it to the moment it leaves their complete control. With Business Associates drawing much scrutiny over the last few years, they, along with Covered Entities, must do their due diligence to ensure that any other party (Business Associate) they work with in connection with this PHI is also implementing the same controls in an effort to safeguard this data.
I will be writing a series of blog posts that will explore this theme by identifying key topics that are intertwined with, and connect to, Covered Entities and Business Associates who share this sensitive data when conducting business together. Specifically, each post in the series will address one of the following six questions:
- Who needs PHI to conduct business?
- Who is interested in obtaining PHI?
- What PHI and sensitive data lies outside of the scope of HIPAA/HITECH?
- Who are the key players enforcing the PHI requirements?
- When and how often are breaches against Covered Entities and Business Associates occurring?
- Why should PHI be protected and who is enforcing these protections?
- What is the solution to preventing breaches instead of reacting to them?
This blog series will be published twice a month starting the week of January 4th and will run until we attend the HIMSS 2016 Convention beginning on February 29th. Please feel free to sign up to receive email notifications when each post in the series is published. I look forward to sharing my thoughts with the Security and Privacy community.
If you have any questions regarding the healthcare information requirements or other information security needs, please contact us at firstname.lastname@example.org.
Maria Sanchez is a Privacy and Security Professional at CompliancePoint working with Covered Entities and Business Associates in a variety of industries. She is committed to guiding customers through effective assessments covering the Security, Privacy, and Breach Rules from HIPAA/HITECH. Maria has a B.A. in Political Science and Sociology from Georgia State University and a J.D. from Florida Coastal School of Law. As an attorney, Maria concentrated her studies in international and comparative law. As a Privacy and Security Professional, Maria has earned her Healthcare Information Security and Privacy Practitioner (HCISPP) certification and Certified Information Privacy Professional for the US and Europe (CIPP/US and CIPP/EU) certifications.