This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors and that are complaint with GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.
Vendors must also comply with the GDPR.
This post is a reprise of a post I wrote many years ago that has remained popular. I thought I’d repost it now, during exam grading season, to help professors who want to learn the science and art of grading exams.
It’s that time of year again. Students have taken their finals, and now it is time to grade them. It is something professors have been looking forward to all semester. Exactness in grading is a well-honed skill, taking considerable expertise and years of practice to master. The purpose of this post is to serve as a guide to young professors about how to perfect their grading skills and as a way for students to learn the mysterious science of how their grades are determined.
This cartoon is about snooping, one of the most common HIPAA violations. HIPAA prohibits accessing information that people don’t need to do their jobs. It can be easy to look at electronic medical records, and people who snoop in this way might not perceive it as wrong. But the cartoon invites people to imagine how creepy the snooping would appear if it were occurring right in front of patients. Computers remove the interpersonal dynamic, making it harder for people to fully appreciate the wrongfulness of their conduct.
Though the high-profile, celebrity snooping incidents garner all the media attention, smaller cases affecting everyday individuals make up the bulk of the cases and legal activity. A large number of inappropriate access claims involve people checking on protected health information (PHI) about family and friends. Snooping is not intended maliciously. Often a concerned staff member will access the patient records of a family member or acquaintance out of worry or concern. In one case, a nurse in New York was fired for disclosing a patient’s medical history to warn a family member who was romantically involved with the patient of the patient’s STD.
This cartoon depicts the way many people perceive HIPAA training. But it doesn’t have to be this way. When most people hear HIPAA training they prepare themselves to slog through a boring lecture filled with tedious legalese. Many have been subjected to hours of training that is overly technical, not useful for their jobs and not even close to being memorable. I designed my HIPAA training to be different. I believe that training should be fun and engaging. It should have personality. I avoid the wordy and needless filler material and focus on the key concrete things that people must know and do.
Here’s a cartoon on HIPAA and social media use to jump start your week. You can’t think enough about HIPAA these days. HIPAA audits are back, and OCR is having a vigorous enforcement year this year, something I plan to post about soon.