Social media and healthcare privacy laws: 10 tips to avoid a PHIA violation or getting fired (part 2 of 2)

This is the second Pers J RP podcast episode, and the second part of a two-part series on using healthcare social media without violating patient privacy or getting fired. If you want to learn more about healthcare social media, check out the first episode in this series, published on 31 Aug 2014, or Healthcare social media and you!, published on 13 Feb 2012.


Podcast script for…

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act) is a 1996 US federal law that, among other things, sets rules for patient privacy. If you’re attending UOP and reading this, Dr. Uchizono probably just announced the certification requirement for your PharmO class, huh? If you’re not attending UOP and reading this, feel free to keep reading anyway!

HIPAA protects patients from being identified through their health information. Note that I say identified, and not named, because you can identify patients without naming them. You can identify people pretty easily, actually, just by describing their appearance, their situation, or their habits; add a date, a ZIP code, or a room number and the circle of possible people gets very small.

The rule-of-thumb which I’ve been told (I volunteer at the UCI Medical Center) is, “tell information only if it helps the listener do their job”. If you find out information which could help a physician make a diagnosis or help a nurse care for a patient, then by all means tell. But there is a difference between informing a caregiver and gossiping. You don’t need to tell the receptionist or your friends about patients, do you? Telling them won’t help them do their jobs, or help the patient in any way. So let’s keep quiet there.
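Because a post can identify a patient without naming them, a useful habit is to screen anything you are about to post (or any free-text field you are about to export) against the identifiers that HIPAA’s Safe Harbor de-identification method (45 CFR 164.514(b)(2)) says must be removed: dates more specific than the year, ages over 89, ZIP codes beyond the first three digits, phone numbers, e-mail addresses, medical record numbers and the like. The Python script below is an added example written for this page, not code from the podcast or from UOP; the sample posts are constructed, and the regexes and the “MRN 1234567” format are assumptions chosen for illustration.

```python
import re

# Machine-checkable subset of the 18 Safe Harbor identifiers. Names, photos
# and free-text descriptions of a person are NOT catchable this way.
# The exact regexes and the "MRN <digits>" format are assumptions for
# this example, not a standard.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    # Full numeric date; Safe Harbor lets only the year survive.
    "date": re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b"),
    # 5-digit ZIP (optional +4); only the first three digits may remain.
    # (Safe Harbor also requires prefixes covering <= 20,000 people to
    # become 000; that population lookup is not done here.)
    "zip": re.compile(r"\b(\d{5})(?:-\d{4})?\b"),
    # Ages over 89 must be collapsed into a single "90 or older" bucket.
    "age": re.compile(r"\b(\d{1,3})[- ]year[- ]old\b", re.IGNORECASE),
}


def _generalize_age(m):
    """Keep ages 89 and under; replace anything older with one bucket."""
    return "90-or-older" if int(m.group(1)) > 89 else m.group(0)


def find_identifiers(text):
    """Return (kind, matched_text) pairs for every identifier found."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            if kind == "age" and int(m.group(1)) <= 89:
                continue  # an age of 89 or less is allowed as-is
            findings.append((kind, m.group(0)))
    return findings


def redact(text):
    """Apply the Safe Harbor removals/generalisations, most specific first."""
    out = PATTERNS["ssn"].sub("[SSN]", text)
    out = PATTERNS["phone"].sub("[PHONE]", out)
    out = PATTERNS["email"].sub("[EMAIL]", out)
    out = PATTERNS["ipv4"].sub("[IP]", out)
    out = PATTERNS["mrn"].sub("[MRN]", out)
    out = PATTERNS["date"].sub(lambda m: m.group(3), out)            # year only
    out = PATTERNS["zip"].sub(lambda m: m.group(1)[:3] + "XX", out)  # 3-digit prefix
    out = PATTERNS["age"].sub(_generalize_age, out)
    return out


# Constructed sample posts (no real people). Post 0 is the careless status
# update the page warns about; post 1 has no direct identifiers but is
# still identifying to anyone who knows the ward.
SAMPLE_POSTS = [
    "Crazy shift! 92-year-old from 90210 came in on 03/14/2014, MRN 4471983, "
    "family kept calling from 555-123-4567. Look him up: jdoe@example.com",
    "Had a patient today with that huge snake tattoo on his neck, you'd know him.",
]


def report(posts):
    """Return (post_index, findings) for every post that has identifiers."""
    results = []
    for i, post in enumerate(posts):
        found = find_identifiers(post)
        if found:
            results.append((i, found))
    return results


if __name__ == "__main__":
    for i, found in report(SAMPLE_POSTS):
        print(f"post {i}: {len(found)} identifier(s): {found}")
        print("  redacted:", redact(SAMPLE_POSTS[i]))
```

The scanner only catches direct identifiers that have a fixed shape. It passes the second sample post clean, even though “the guy with the snake tattoo” is exactly the kind of description the paragraph above warns about, and no regex will rescue you from that. Treat a clean scan as necessary, not sufficient.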

If you want to get really specific, the law has two parts that matter here: a Privacy Rule and a Security Rule. The Privacy Rule is what I explained above. It applies to “covered entities” (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and limits how they may use and disclose protected health information, whether it is spoken, written on paper, or stored in a computer. The Security Rule sets standards for protecting the electronic form of that information (e-PHI), so you know your information is safely stored once it has been collected. Together, the two rules set the standards for how health information is handled and protected.

Pre-pharmacy students at UOP, you will be required to be HIPAA-certified for your PharmO class. Dr. Uchizono will explain everything you need to know, so don’t worry. The test will be listed online, and it will be very, very reasonable (it’s just common sense!). Once you pass, you will be certified for one full year, and you can renew it again if you want.



Item Description From The National Archives:

Senate Roll Call for the Health Insurance Portability and Accountability Act, August 2, 1996 

As Chairman of the Senate Committee on Labor and Human Resources, Senator Kennedy became the voice of support in the Senate in favor of health insurance coverage for Americans who change or lose their job. Senator Kennedy and Senator Nancy Kassebaum [R-KS] introduced the Senate version of a bill which eventually resulted in the Health Insurance Portability and Accountability Act (HIPAA). This roll call shows the unanimous vote in favor of passing HIPAA and is a testament to Kennedy’s legislative influence in the Senate.

RG 46, Records of the U.S. Senate

HIPAA was signed into public law by President Bill Clinton 18 years ago this month on August 21, 1996. To learn more about HIPAA’s legislative history and to view the full bill text and all roll call votes, visit

Today, HIPAA is better known for its Privacy Rule, which governs how certain health information belonging to a patient may be used and disclosed. You can learn more about its statutes and regulations by visiting the U.S. Dept. of Health and Human Services website.

New Federal Regulations Define Scope of Health Care Operations

By Abe Martinez

The term “health care operations” represents a vast breadth of duties. Key tasks in this field include hiring and retaining critical personnel, managing daily business, planning long-range strategies, and developing facilities. In addition, those professionals who take on the responsibility of a hospital or hospital system’s operations also carry responsibility for regulatory compliance that encompasses privacy laws and the rules inherent in the Health Insurance Portability and Accountability Act (HIPAA).

“Health care operations have always encompassed a wide range of duties,” said Abe Martinez, whose long career in Texas health care includes roles as the Chief Executive Officer of the Cedar Park Regional Medical Center, Laredo Medical Center, and Southeast Baptist Hospital in San Antonio. “Patient care and patient privacy, including security that protects personal information on paper and on servers, remain vitally important considerations for the industry.”

According to a new federal definition that went into effect in 2009, health care operations focus on such undertakings as quality assessment aimed at improving clinical activities. Such evaluations prove invaluable in correcting issues related to care, customer service, and time and resource management. In addition, health care operations require managers to develop protocols that guide case management, communication with doctors and other providers, contact with insurance organizations, and coordination of care. According to the federal definition, all of these protocols should, where possible, aim at better patient care and reduced costs.

Health care operations also comprise reviews of certifications and qualifications of medical personnel by the facility’s management team. Most hospitals utilize a peer review board made up of key medical staff as well as members of the executive staff to ensure that all employees or partners who practice medicine or care for patients are competent to serve in their assigned capacity. This process also involves education programs for medical students, nursing students, and other trainees to gain experience and knowledge that will promote their capabilities.

How to Set up Server-to-Server Sharing in ownCloud 7 on Linux


The Future is Binary –  Most of the buzz around The Cloud is devoted to commercial services such as Google’s online apps, Amazon’s cloud services, and tablets and smartphones that are shortchanged on storage because they want to suck you into commercial cloud services. While commercial cloud services can be…

Social media and healthcare privacy laws: 10 tips to avoid a PHIA violation or getting fired (part 1 of 2)

This is the first-ever Pers J RP podcast episode, and the first part of a two-part series on using healthcare social media without violating patient privacy or getting fired. If you want to read more about healthcare social media, check out Healthcare social media and you!, published on 13 Feb 2012.


A podcast episode! I didn’t think I’d ever make one of those. Feel free to leave a…

Office for Civil Rights (OCR) to Begin Phase 2 of HIPAA Audit Program

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) will soon begin a second phase of audits (Phase 2 Audits) of compliance with Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy, security and breach notification standards (HIPAA Standards) as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Unlike…

New Post has been published on Kernel | IT Security & Applications

Compliance and Pentesting

One of the subjects I get asked about time and time again is which compliance standards apply to a given industry and how securing data fits into them.  It’s pretty important to know which compliance standards affect you and why!  So, here is a quick list of some of the compliance regulations that center on information security:

FISMA (Federal Information Security Management Act) of 2002

FISMA requires federal agencies to develop, document, and implement agency-wide programs that provide information security for the information and systems supporting their operations and assets.  The same obligations extend to government contractors and other third parties that handle that information on an agency’s behalf.

Many of the standards and guidelines for hardening and securing systems come from NIST (for example the SP 800-53 security controls and the configuration checklists in the National Checklist Program) and are publicly available for most major operating systems.  FISMA sets up a framework that agencies and their contractors need to follow to be in compliance, and Kernel can help!

HIPAA (Health Insurance Portability & Accountability Act)

HIPAA was created to protect health information through security safeguards while still giving access to the parties that need it, such as healthcare providers, insurance companies, etc.  The information HIPAA protects is called PHI (protected health information); the electronic form of it, e-PHI, is what the HIPAA ‘Security Rule’ covers.  Specifically, the Security Rule requires the following from anyone that uses, stores, or maintains e-PHI:

  1. Ensure the confidentiality, integrity, and availability (CIA) of all e-PHI they create, receive, maintain, or transmit.
  2. Identify and protect against reasonably anticipated threats to the security or integrity of that e-PHI.
  3. Protect against reasonably anticipated impermissible uses or disclosures of it.
  4. Ensure compliance by their workforce.

Some of the pluses for the pentest industry are:

  • A risk analysis (an accurate and thorough assessment of the risks to e-PHI) is required, and it is an ongoing obligation rather than a one-time exercise.
  • The risk analysis must be revisited after any significant change to systems or the network, such as upgrades, replacements, or new installations.

PCI-DSS (Payment Card Industry Data Security Standard)

PCI has become a pretty well-known standard in the news thanks to breaches like the recent one at Target (and others!).  It is a standard the major card brands (Visa, Mastercard, American Express, Discover, and JCB) created jointly, through the PCI Security Standards Council, to protect cardholder data.  Believe it or not, PCI DSS applies to anyone that stores, processes, or transmits cardholder data, from a gas station with a card-swiping terminal to, well… Target-sized companies!

PCI-DSS sets forth six control objectives (covering twelve numbered requirements):

  1. Build & Maintain a Secure Network
  2. Protect Cardholder Data
  3. Maintain a Vulnerability Management Program
  4. Implement strong access control measures
  5. Regularly monitor & test networks
  6. Maintain an Information Security Policy

There are also some requirements that many companies aren’t aware of:

  1. Penetration Testing (Requirement 11.3) – A pen test must be performed at least ONCE annually and any time there is a significant change or upgrade to the network or systems.
  2. Code Review or Application Firewall (Requirement 6.6) – Public-facing web applications must either go through a proper application security review (manual or automated) or sit behind a web application firewall, to head off attacks such as SQL injection, XSS, etc.
  3. Wireless Security – Cardholder data sent over wireless networks must be protected with strong encryption, and the environment must be checked at least quarterly for rogue wireless access points (Requirement 11.1).

The biggest thing to note is that the card brands, acting through your acquiring bank, can impose some pretty hefty fines if you claim to be PCI compliant but aren’t … say, a breach happens.  The amounts vary by brand, merchant level, and the circumstances of the breach; a commonly quoted figure for SMBs is $15,000 per incident, and the fine is assessed per incident, not per stolen card record.  Fines are also only part of the bill: the breached merchant typically pays for the forensic investigation and card reissuance as well, and can lose the right to accept cards at all.  Of course, getting compliant isn’t always the easiest task and Kernel can help!

In Summary…

Of course, these are only a few of the standards that affect certain industries.  There are others like GLBA, SOX, etc. that affect other industries as well.  Securing data is incredibly important regardless of the industry your company is in because, like it or not, your company can easily be on the hook if a data breach happens, so be prepared and reach out to Kernel for the assistance you need to be as secure as possible in this ever-so-dangerous world of threats!

Government’s New Mobile Code of Conduct: PIIs Get Noticed

You know those short notices that pop up right before you install a mobile app? That’s the splash screen that provides some information about what functions are being accessed and, in general terms, what information is being collected from users. After…

Personally Identifiable Information Hides in Dark Data

To my mind, HIPAA has the most sophisticated view of PII of all the US laws on the books. Its working definition encompasses vanilla identifiers: social security and credit card numbers, and all the other usual suspects. With the additional words…
