HIPAA Violation Costs Retailer $2.25 Million

An investigation by a TV station found that CVS pharmacies had disposed of prescription labels and old prescription bottles containing patient health information in unsecured dumpsters outside their stores across the country.

The U.S. Department of Health and Human Services Office for Civil Rights and the Federal Trade Commission charged CVS with failing to implement adequate policies and procedures to reasonably and appropriately safeguard protected health information during disposal.

CVS agreed to a $2.25 million settlement with the U.S. Department of Health and Human Services.  Under the FTC consent order, CVS must “establish, implement, and maintain a comprehensive information security program” and obtain an independent third-party audit of that program every two years for the next 20 years.

Jordan Lawrence’s Privacy Management gives you deep insight into where personal and sensitive information resides.  Privacy Management shows how information moves across the enterprise and outside the organization, and how it is disposed of.  Knowing this may save you $2 million.


Analyze Your Risks

The federal government has been vigorously enforcing the HIPAA Security Rule.  It recently released draft guidance on the risk analysis requirement in the HIPAA Security Rule.

The guidance calls for identifying where electronic protected health information is stored, received, maintained or transmitted.  The risk analysis should be periodically reviewed and updated.

With GRIP™ Privacy Management Services, creating and maintaining a Personal Data Inventory has never been easier or more accurate.  In just 30 days, an inventory of all your structured and unstructured data containing privacy-related information can be developed.  GRIP™ provides detailed data maps and reports showing which departments, media, applications, vendors and record types contain personally identifiable information (PII).

Privacy Management Services uses automation, benchmarking and best-practice standards to identify and highlight areas of immediate concern.


“Free” Personally Identifiable Information (PII)

A Hartford, Connecticut woman got more than she bargained for when she stopped to pick up a cabinet that had a “free” sign on it.  She brought it home and inside discovered documents containing names and Social Security numbers, death benefits, and medical records with hospital admissions and medication histories of Aetna policyholders.

According to Aetna, someone made a “serious human error”.  The fact is that 88% of breaches are caused by insider negligence.  To reduce human error and properly safeguard records containing personally identifiable information (PII), you need to know where those records exist.  That requires an inventory of which records contain PII, what media they reside on, who has access to them, and how they are maintained and disposed of.  Jordan Lawrence’s Privacy Management lets you proactively identify where human error and process breakdowns can occur within your organization.


Are You Identifying All The Players In Your Litigation Hold Notices?

Judge Shira Scheindlin has entered an order amending her recent opinion in Pension Comm. Univ. of Montreal Pension Plan v. Bank of Am. Secs., LLC.  The amended opinion finds it negligent to fail to “obtain records from all those employees who had any involvement with the issues raised in the litigations or anticipated litigation, as opposed to just the key players.”

When litigation arises, an organization must issue and enforce a hold notice quickly and accurately to avoid sanctions.  Hold Management Services lets you filter and search notice recipients by attributes such as job classification or business area, so you can identify every employee who had any involvement.  You can then deliver those hold notices through a secure, closed communication channel that verifies compliance every time.


Are You Compliant with the Massachusetts Privacy Law?

The Massachusetts privacy law, which took effect March 1, 2010, is not a concern only for Massachusetts businesses: any company that retains personally identifiable information (PII) about a Massachusetts resident must comply.

Compliance requires creating an inventory of all paper and electronic records and media that contain PII, performing regular risk assessments to identify threats and vulnerabilities that could lead to a breach, and maintaining a written security policy.

Most companies struggle to develop a data inventory, which is the foundation of any privacy program, and with the costs of the typical spreadsheet-based approach: the staff hours and the disruption to the business.  With Privacy Management Services you can create a personal data inventory in 30 days and keep it updated at minimal cost.
