Chris Apgar, CISSP

CEO & President

Portland, Oregon

Total Contributions 93
Jan 10, 2018 - What's Wrong With This Picture
Jul 11, 2016 - The Audit Letters Have Been Sent!
Jun 30, 2016 - Business associates beware - OCR is watching!
Jun 22, 2016 - If you say you're compliant, are you really?
Jun 22, 2016 - If You Say You're Certified, Are You Really?
Jun 13, 2016 - The push for HITRUST certification needs work
May 12, 2016 - The Policy on Policies
May 6, 2016 - OCR Audit News - What will be included in desk audits
Apr 22, 2016 - Things not to post on the Internet
Apr 5, 2016 - Upcoming HIPAA Audits - My thoughts for the day
Apr 1, 2016 - New audit protocol coming!
Apr 1, 2016 - New OCR audit protocol likely to be available next week
Mar 22, 2016 - Undocumented Texas Woman Arrested - HIPAA Violation?
Mar 22, 2016 - They're here!
Mar 9, 2016 - Training - Review before you buy
Feb 12, 2016 - OCR offers new guidance for mobile app developers
Jan 25, 2016 - 21st Century Cures Act and HIPAA
Sep 23, 2015 - My Personal Breach Experience: How did I get there?
Sep 23, 2015 - Yes people are your biggest risk!
Jul 23, 2015 - PCI DSS Ups the Encryption Anti
Jul 23, 2015 - Is it PHI?
Jun 24, 2015 - Was it a reportable breach?
Apr 2, 2015 - Predictions for healthcare information security - too little, too late.
Apr 2, 2015 - HIPAA Demystified Out-take 2: Test Your Incident Response Plan
Feb 3, 2015 - I've seen a lot of discussions related to BAAs over the past year or so. There are many things to consider but I would recommend starting with your regulating body - OCR.
Feb 3, 2015 - The OCR breach reporting form has changed!
Jan 3, 2015 - Are you addressing your BAs' compliance?
Jun 28, 2016 - I concur Alan. Good points. HIPAA, especially the security rule, isn't rocket science. What is...
Jun 27, 2016 - As a follow up, I had an off list exchange with the vendor and the...
Jun 23, 2016 - A correction to Alan's initial post - BAs are not required by rule to appoint...
Jun 20, 2016 - This is a bit outdated. The audit protocols were posted in March. The number of...
Jun 13, 2016 - Justin, Two of the board members are from two of the largest health plans in...
Jun 13, 2016 - HITRUST continued... I'm also a fan of examining more than just HIPAA compliance. That would...
May 18, 2016 - I agree Owen. To put it in context, I had already spent three hours on...
May 11, 2016 - As far as data at rest goes, if you're attesting to Meaningful Use Stage 2,...
Apr 27, 2016 - In this case no patient authorization was obtained and the information was posted on a...
Apr 25, 2016 - I think you might want to take a look at 45 CFR 164.510(b). Parents are...
Apr 23, 2016 - What I would recommend is taking a look at the SOC 2 audit. That covers...
Apr 6, 2016 - The rest of my post - In the area of security, the audit protocol for...
Mar 24, 2016 - Great points Keith....
Mar 23, 2016 - In this case the suspect social security card was not the basis for contacting law...
Mar 23, 2016 - As an aside Jeff there was no indication that tax dollars were spent to treat...
Oct 28, 2015 - Beware of snake oil providers! :) Alison has a good point....
Oct 27, 2015 - There is this wonderful clause in HIPAA that states yes access to the record may...
Oct 23, 2015 - Harold, I agree. There is likely some validity to the statement but there are all...
Oct 23, 2015 - First my HITRUST rant... Stating that Fitbit should become HITRUST certified is no different than...
Sep 23, 2015 - It is a bit worrisome. It may have been from an outsourced test or lab...
Sep 23, 2015 - This isn't necessarily true. There are laws that permit law enforcement to access PHI for...
Sep 23, 2015 - Deborah, You're speaking to the choir when it comes to PDMPs. :) I opposed the...
Sep 23, 2015 - If the data sold by the pharmacies is not de-identified, patient authorization is required prior...
Sep 23, 2015 - I think Allison is correct. Even if Fitbit was interested in sharing PII (not PHI)...
Jul 24, 2015 - Unfortunately I'm not all that surprised. I've worked with a few counties when it comes...
Jul 24, 2015 - Saundra, I think David's post was more for the vendors out there than directed to...
Jul 23, 2015 - My source is a well known law firm and here's the link to the blog...
Jul 23, 2015 - And even spell check doesn't check wrong words spelled correctly... :) It should be Ante...
Jul 23, 2015 - It is PHI - all of the data sets. As has already been noted the...
Jul 23, 2015 - Yes, there is a business associate relationship between the CE and the vendor. As to...
Jul 23, 2015 - Also, it is PHI because it is associated with a CE by name. What if...
Jul 23, 2015 - I'll use a different example. Say this was a privacy care provider. You wouldn't necessarily...
Jun 24, 2015 - It was not necessarily a violation of HIPAA. See 45 CFR 164.512(j). If the covered...
Jun 24, 2015 - Also refer to the cite I previously referenced....
Jun 24, 2015 - Allison, Here's a bit more of the story. An employee noticed that her email password...
Jun 24, 2015 - This was a health care provider but the provider/clinic did not provide services that would...
Jun 24, 2015 - Let's look at the PHI that could have been breached. Two email addresses like "happy25@gmail.com"...
Jun 24, 2015 - I don't agree Gerald. I do feel safe if the full name was leaked as...
Jun 24, 2015 - If the name was associated with a provider where diagnosis could be determined, I agree...
Jun 24, 2015 - I agree. If it's an identifier included in the privacy rule and it's associated with...
Jun 24, 2015 - I think my point is the name is PHI. If it's breached and it's not...
Jun 24, 2015 - I agree with that Bruce. Any unauthorized disclosures are an issue when it comes to...
Apr 2, 2015 - Alison, I agree - creating an incident response plan is an inexpensive proposition. Unfortunately what...
Apr 2, 2015 - If a file contains only name and address and it's associated with a clinic, it's...
Mar 2, 2015 - I would say that if you're contracting with another CE or a CE with a...
Mar 2, 2015 - If it's the 800 pound gorilla and is the only game in town, it may...
Mar 2, 2015 - David, I don't agree all vendors who are BAs are willing to sign a BA....
Mar 2, 2015 - Dave, I also look at a BAA as a legal term defined in 45 CFR...
Feb 3, 2015 - Yigal, As a security professional I fully agree. Risk analyses and risk assessments are not...
Feb 3, 2015 - Owen, I concur with the importance of a carefully executed bi-lateral BAA. I also believe...
Feb 3, 2015 - Tina, I agree to the point that it's important no matter where you start in...
Feb 3, 2015 - I've seen some BAAs that weren't canned and were custom crafted that I wouldn't sign...
Feb 3, 2015 - I would say CEs and BAs have had ten years to figure this out, large...
Feb 3, 2015 - Yes. It all goes into OCR's database. :)...
Feb 3, 2015 - One of my clients was reporting a breach to OCR and let me know of...
Feb 3, 2015 - First, BAs should have privacy policies. All BAs are required to adhere to the use...
Feb 3, 2015 - I would advise, though, that HIPAA be spelled HIPAA and not HIPPA. :)...
Feb 3, 2015 - David, As far as the official HHS logo, I fully agree and as David Feinberg...
Feb 3, 2015 - Barry, There's no requirement that BAs or CEs state they're HIPAA compliant on their websites....
Jan 3, 2015 - The only thing I would note (back to one of Andy's points). You want to...
Jan 3, 2015 - I would like to refocus the discussion. My initial points were CEs need to get...
Jan 3, 2015 - PS - I concur the SOC 2 is not the end all be all. There...
Jan 3, 2015 - Owen, A contract means nothing if there is no real due diligence on the part...
Jan 3, 2015 - Just to add an important point. For those of us who are consultants and also...
Jan 3, 2015 - My two cents... :) My point about CEs having their own houses in order is...
Jan 3, 2015 - Laura, When it comes to comparing health care providers and BAs, I agree - BAs...