In today’s episode we do a quick recap of the PriSec Boot Camp and discuss the recent FTC case involving GoodRx. The PriSec Boot Camp was a lot of fun, and Donna’s Bourbon and Breaches was a hit with everyone!
In this episode:
Quick Recap – Ep 399
Today’s Episode is brought to you by:
Kardon
and
HIPAA for MSPs with Security First IT
Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.
Great idea! Share Help Me With HIPAA with one person this week!
Learn about offerings from the Kardon Club
and HIPAA for MSPs!
Thanks to our donors. We appreciate your support!
If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com
Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA
If you see a timestamp on the left side, you can click it to go directly to that part of the audio. Get the best of both worlds by moving from the show notes to the audio and back!
Quick Recap
[03:58] GoodRx FTC case
Lots of discussion about the GoodRx case at the HIPAA Summit
- GoodRx shared information for advertising and sent drug coupons based on the data it collected about patient demographics and medication use
- The FTC says GoodRx violated all three of its jurisdictional areas:
- Unfair practices that could cause harm to consumers, with consumers unable to prevent it themselves
- Deceptive practices, because GoodRx never said it would disclose the medication information to anyone else and implied it was protecting patient privacy when it knew it was not
- Failure to notify anyone about health data breaches as required under the FTC Health Breach Notification Rule. The unfair and deceptive disclosures above were themselves the breaches that should have been reported to individuals, the media and the FTC
- Everyone sees this as an important case for health data protections that border on HIPAA but do not fall directly under HIPAA
- The settlement with GoodRx is extensive:
- GoodRx is banned from using health data for advertising ever again
- $1.5M civil penalty
- The IAPP president who led the roundtable mentioned that the penalty seemed like an afterthought; it was small compared to what you would normally see
- The cost of implementing the other requirements will far exceed that amount, which makes up for it
- Get consent before sharing patient information
- Collect as little data as necessary and delete it as soon as possible, based on a publicly available data retention policy
- Ask third parties to delete information in the same manner when it has been shared with them
- Implement a formal data privacy program
As for the Boot Camp itself: first off, it was a lot of hard work, but it was fun!
- We reviewed an OCR investigation letter which always opens people’s eyes to see that they don’t know what they don’t know.
- Our review of managing the supply chain in healthcare, and the things to worry about in contracts and vetting, was quite eye opening for both covered entities and business associates. You need to have a valid contract (the wording is important) because if that is not right the whole contract is invalid. Plus, if you are involved in an investigation, one of the first things OCR will ask is to see your BAA.
- Business associates are a much bigger risk than you realize. Vetting them is important.
- Lisa from HHS 405(d) was there to talk about all of the HICP (Health Industry Cybersecurity Practices) resources that are FREELY available, the new tools coming out soon, etc.
- Alison from OCR answered attendee questions about investigations, what OCR is looking for, etc.
- We discussed recognized security practices and how to document what you are doing. OCR is now including questions about recognized security practices in their investigation letters.
- [24:59] The tabletop exercise was also eye opening. We picked a few attendees with various titles in their organizations and had them work through a cyber attack scenario, making decisions as the situation unfolded and the investigation produced results little by little. Even though it was a training scenario, the stress and tension were still real. We got a lot of good feedback from that exercise.
- Other topics covered included:
- What to look for, and what is being asked of entities involved in mergers and acquisitions, when it comes to HIPAA
- Answering cyber policy questions, and what happens if you aren’t truthful (or certain) or can’t prove you are doing what you claim
- Training your entire workforce on policies and procedures, the basics of HIPAA and security awareness topics… and not just once a year
- Documentation, documentation, documentation…
And most importantly for Donna, Bourbon and Breaches was a hit! Donna paired three bourbons with three breach stories. Everyone loved it.
Thanks again to the partners that joined us for the PriSec Boot Camp: ComplyAssistant, SPHER, Black Talon Security and Security Metrics!
Remember to follow us and share us on your favorite social media site. Rate us on your podcasting app; we need your help to keep spreading the word. As always, send in your questions and ideas!
HIPAA is not about compliance,
it’s about patient care.™
Special thanks to our sponsors Security First IT and Kardon.