My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. 
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

Do you often feel that, despite best efforts to circle the wagons, your information security team is fighting a losing battle with broken-down tools? Even though information security budgets have increased in the last couple of years—likely in response to the very visible increase in high-profile data breaches—discretionary budget dollars are scarce. I recently heard the poker term “dead money” used to describe that large portion of every IT budget that has been committed long before it is received, much like the money we all must dedicate to mortgages, utilities, food, and transportation. Thus, for every $100 of total IT spend, we may be left with just $0.60 for new baubles and geegaws, as my grandmother used to say.
Continue Reading Broke, bothered, and beleaguered

So, your organization has committed to Information Governance, and you’ve been tasked with making it a reality. Now what?

You’ll need a framework on which to build your program, a platform that will help you bridge across siloed functions (IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, Operations…) and siloed perspectives (privacy, data security, records & information management, litigation discovery…). You’ll also need to come to grips with three persistent barriers to operationalizing Information Governance:
Continue Reading The internal control platform for information governance