Posts

Showing posts with the label sensitive personal data

Health Information Technology for Economic and Clinical Health (HITECH)

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 is often discussed together with the HIPAA Security Rule, because it strengthened that rule and extended its requirements directly to business associates. The purpose of the Security Rule is to ensure the confidentiality, integrity and availability (CIA) of all electronic Protected Health Information (PHI) that a Covered Entity (CE) or Business Associate (BA) creates, receives, maintains or transmits. To achieve this, the CE or BA must implement administrative, physical and technical safeguards. An example of a physical safeguard is a lock on a door. An example of an administrative safeguard is a Privacy Officer assigning role-based access to PHI, so that only employees involved in a patient's care can access that patient's PHI. Technical safeguards include hardened server configurations and the encryption of PHI in transit and at rest. Further, HITECH requires CEs to provide notice to individuals IF there is an unauthorized disclosure of that PHI and there is a risk of harm that exposure o

Sample Privacy Risk Assessment Example and Explanation

Privacy impact assessments (PIAs) are a tool that can be used to identify and reduce privacy risks. A PIA can reduce the risk of harm to individuals by preventing the misuse of their personal information. PIAs are an integral part of taking a privacy by design (PbD) approach, and they are used to design more efficient and effective processes for handling personal data. The use of PIAs is not something new; the process has been used by a number of companies, entities and governments for over forty years. The PIA was created by the United States Office of Technology Assessment. The U.S. Office of Management and Budget (OMB) publishes guidance on the implementation of the privacy provisions of the E-Government Act of 2002 by Federal Agencies, including when to conduct a PIA. Under GDPR, where they are called data protection impact assessments (DPIAs, Article 35), PIAs have become a centerpiece and are mandatory in certain situations. A PIA must be completed if a company is doing one of the following: Data controller or the data processor o

Approaching Risk Assessments

a. A privacy risk assessment is a tool used to assess the impact and risks to the privacy of personally identifiable information (PII) stored, used and exchanged by information systems.

b. Risk analysis involves conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of personally identifiable information held by the organization.

c. The risk analysis process usually involves: reviewing existing policies, identifying any issues or gaps, assessing the likelihood of a breach, developing ways to mitigate risks, and monitoring the results of the assessment and plan development. This is how I envision approaching risk assessments.

d. For example, health care providers are required to conduct risk assessments under HIPAA and to attest to the meaningful use criteria for EHR systems under HITECH. These providers must also provide documentation of this process if audited by DHHS.