Privacy

A 480-person consulting firm operating almost entirely in the cloud, with teams regularly handling client data, is also preparing to expand into federal, healthcare, and payment card markets. Across twelve NIST CSF 2.0 controls, nine were rated as severe. That number makes more sense in context. The workforce is mostly remote and many engagements require direct access to client systems and data. Each new market also brings its own set of compliance requirements, including FISMA, HIPAA, and PCI DSS. ...

I was given a HIPAA compliance policy manual and asked to review it, propose revisions, and explain my reasoning. The manual belonged to NAIPTA, the Northern Arizona Intergovernmental Public Transportation Authority and was adopted in April 2017. While it demonstrates a solid foundational commitment to HIPAA compliance, it is now approaching nearly a decade old. It was last updated April 19, 2017. Almost eight years have passed, during which the HHS Office for Civil Rights has issued updated guidance, the 2013 Omnibus Rule has been in full effect, and proposed modifications to the HIPAA Privacy Rule were introduced in 2021. None of that was reflected in this manual. ...

A court case about a patient’s roommate ended up teaching me more about privacy than I expected. The case was Rogers v. NYU Hospitals Center. A hospital released the name of a patient’s roommate and someone questioned whether this violated HIPAA. The name came up during a legal proceeding and the patient argued it should have been protected. The court disagreed, noting that the name alone did not reveal any medical diagnosis or treatment. A wide range of rehabilitative services were offered at Rusk Institute of Rehabilitation Medicine, so knowing someone was there didn’t tell you anything about their condition. A name by itself wasn’t protected health information in this situation. ...

Imagine you’re working with a 400-person global consulting firm that operates across healthcare, financial services, and government. AI is everywhere: custom models trained on proprietary client data, RAG systems pulling from internal documents, AI-assisted hiring, automated contract review, and predictive analytics delivered straight to the C-suite. Now someone asks you to figure out where the risks are. Not in theory, but in practice. Which systems could cause the most damage if something goes wrong? What framework do you apply? And how do you build a governance plan that actually fits a firm this size without over-engineering it? ...

My interest in privacy didn’t start with some big “aha” moment. It just kind of grew over time. I’ve been working as a frontend engineer for the past few years, mostly focused on accessibility compliance. My background in systems engineering and human factors shapes how I think about technology. I naturally look at it through the lens of how people actually experience it — does it help them, or does it subtly get in their way? This perspective started to shape how I thought about privacy too. I began to see that principles like consent, transparency, and control were just as important as usability. ...