NORTH CAROLINA COMMUNITY CARE INC. Privacy Policy Manual


Contents
Privacy Policy
Privacy Official Policy
Privacy Safeguards Policy
Workforce Policy
Business Associates Policy
Privacy Complaints Policy
Privacy Incidents Policy
Breach Notification Policy
De-Identification and Limited Data Set Policy
Legal Occurrences Policy
Research Policy
Use and Disclosure Policy
Sanctions Policy
Figure 1 Fax Cover Sheet
Figure 2 Visitor Control Log
Figure 3 Pledge of Confidentiality
Figure 4 Confidentiality Agreement
Figure 5 Privacy Incident Form
Figure 6 Incident Response
Figure 7 Incident Log
Figure 8 Disclosure Log

Privacy Policies
NC COMMUNITY CARE NETWORKS, INC. POLICIES AND PROCEDURES MANUAL
Approval Date: 12/10/12   Effective Date: 12/11/12   Revision History: 5/11/12

Purpose
This Policy Manual has been developed for Community Care of North Carolina (CCNC) to provide policies that allow for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and the HITECH Act.

Roles and Responsibilities
The CCNC Privacy Officer provides oversight for the use and disclosure of health information and serves as the primary point of contact for privacy-related issues within the organization.

Policy
1. CCNC will develop and implement policies to protect the privacy of protected health information (PHI) that is created, received, and maintained during its regular course of business.
2. Policies will be reasonably designed to comply with state and federal laws, taking into account the scope of each requirement and the nature of the activities undertaken that relate to PHI. The HIPAA Privacy Rule will be the primary resource for these privacy policies. Policies, procedures, and privacy documentation required by the HIPAA Privacy Rule will be maintained in writing.
3. Policies will address the essential administrative privacy requirements so that CCNC uses and discloses PHI in a confidential and secure manner.
4. All policies will be located in the CCNC HIPAA Privacy Policy and Procedure Manual, which will be maintained by the Privacy Officer and placed in a folder available to all staff on the CCNC N Drive.
5. Policies and procedures will be modified as necessary. Policy revisions shall be documented, and the documentation maintained for at least six years.

Enforcement, Auditing, and Reporting
1. Any workforce member found to have violated the policies herein may be subject to corrective action, up to and including termination of employment.

Privacy Official
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/29/12

Purpose
CCNC is committed to safeguarding the confidentiality of protected health information (PHI) to ensure that any patient information created, received, or maintained by the organization is used or disclosed only in accordance with federal and state regulations. This policy addresses the HIPAA Privacy Rule requirement to designate a Privacy Officer who serves as the primary point of contact for privacy-related issues at CCNC.

Roles and Responsibilities
CCNC will ensure that a Privacy Officer maintains the development and implementation of policies and procedures that conform to the privacy regulations and other state and federal laws that protect patient information.

Policy
The CCNC Privacy Officer provides oversight for the use and disclosure of health information and serves as the primary point of contact for privacy-related issues within the organization. CCNC is a business associate of the Division of Medical Assistance (DMA). As such, CCNC is required to have a Privacy Officer in place to ensure that the exchange of health information is permissible under its contractual agreements and federal and state requirements. The responsibilities of the Privacy Officer are:
1. Develop policies and procedures for implementing the HIPAA Privacy Rule requirements.
2. Maintain current knowledge of applicable federal and state privacy laws and accreditation standards.
3. Monitor emerging privacy technologies so that the organization is positioned to adapt to and comply with them.
4. Establish and recognize best practices for managing the privacy of health information.
5. Serve as a liaison to DMA/DHHS or CCNC Network staff, as necessary.
6. Perform an initial and an annual information privacy risk assessment and conduct related ongoing compliance monitoring activities in coordination with applicable directives.
7. Document and report findings as required.
8. Ensure that a mechanism is in place within CCNC for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization's privacy policies and procedures, in coordination and collaboration with legal counsel when necessary.
9. In collaboration with the Security Officer, institute a mechanism to audit access to PHI, within the scope of organizational policy and as required by law, and allow qualified individuals to review or receive a report on such activity as needed.
10. Oversee, direct, and ensure delivery of initial privacy training and orientation to all employees, volunteers, contractors, business associates, and other appropriate third parties, and record the results in accordance with the organization's training documentation requirements.
11. Create a process to ensure that annual refresher training is conducted in order to maintain workforce awareness and to introduce any changes to privacy policies.
12. Initiate, facilitate, and promote activities to foster information privacy awareness within the organization and related entities.
13. Serve as the advocate for the confidentiality and privacy of health information.
14. Understand the content of health information in its clinical and business context.
15. Understand the decision-making processes throughout the organization that rely on health information.
16. Identify and monitor the flow of information within the organization and throughout the local healthcare networks.
17. Review all system-related information security plans throughout the organization's network to ensure alignment between security and privacy practices, and act as a liaison to the information systems department.
18. Collaborate with information systems staff and healthcare professionals to ensure that appropriate security measures are in place to safeguard PHI.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Privacy Safeguards
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To establish privacy safeguards that protect protected health information (PHI) from unauthorized use or disclosure and further protect it from tampering, loss, alteration, or damage. Many of the safeguards necessary to protect electronic data containing PHI are included in the Security Policies.

Roles and Responsibilities
The CCNC Privacy Officer will implement appropriate administrative, physical, and technical safeguards to avoid unauthorized use or disclosure of PHI.

Policy
CCNC will put into place appropriate administrative, physical, and technical procedures that safeguard PHI that is generated, received, and/or maintained at CCNC.

Administrative Safeguards
1. Minimum Necessary. Workforce members must make every effort to reasonably limit uses or disclosures of PHI to the minimum necessary to accomplish the intended purpose of the use (internal to the organization) or disclosure (external to the organization). Workforce members will be identified by their role and the level of access to PHI needed to carry out their job function. Categories or levels of access will be defined, and workforce members will have access to PHI only at the level necessary to perform their job function. All levels of access will be documented based on job function. Workforce members should review requests for information on an individual, case-by-case basis to determine the types and amounts of information that constitute the minimum necessary in each instance. If a request is not a routine use or disclosure of PHI, the workforce member should consult the Privacy Officer for guidance before using or disclosing the information.
2. Mail. Before PHI is disclosed for any purpose, workforce members must ensure that the disclosure is prudent and that the following requirements have been considered:
a. The recipient has been verified;
b. The disclosure is permitted for treatment, payment, or healthcare operations;
c. The disclosure is authorized by the patient;
d. The disclosure does not violate a communications or use-and-disclosure restriction that the patient has requested and the agency has granted; or
e. The disclosure is required or permitted by law.
Hard copy or electronic media for distribution outside of CCNC will be either hand delivered or sent using the United States Postal Service, a courier service, or another delivery service such as FedEx.
3. Fax. All outgoing faxes must be accompanied by the CCNC-approved Fax Cover Sheet (Figure 1). Incoming faxes that contain confidential health information are to be removed from the machine promptly to prevent unintentional exposure of confidential information. The Fax Cover Sheet template must also contain the following, which must be filled in:
a. Sender's name, mailing address, email address, telephone number, and fax number;
b. Recipient's name, telephone number, and fax number;
c. Number of pages being transmitted, including the cover sheet;
d. Instructions for verification of fax receipt (pre-printed on the sheet).
4. Email. Workforce members will not transmit emails containing PHI to persons within CCNC, to business associates, or to other covered entities (e.g., health plans, health care providers). If it is essential for the efficiency of business operations to send PHI via email, one of the following requirements must be met:
a. The email has a password-protected 7-Zip attachment (see Security Policy);
b. The email has been sent via secure messaging with the encrypted mobile device requirement, or via CMIS messaging; or
c. The document has been shared via a CCNC secure folder (I or N drive) or IC ShareFile.
Passwords will not be inserted into email messages or other forms of electronic communication without proper encryption. Passwords for attachments will be provided to recipients by phone.
In the event of a misdirected email with a file attachment that contains individually identifiable health information, the recipient must be contacted immediately and asked to delete the email and attachment. Misdirected emails are considered accidental disclosures and must be accounted for with an Incident Report.
5. Oral Communication/Phone. Workforce members are responsible for conducting all conversations regarding patient information in a location and manner that prevents them from being overheard by others (e.g., in a private office, in a soft voice). Workforce members should not disclose PHI on incoming phone calls unless they can confirm the identity of the caller through voice recognition or by calling back to validate the number and the person calling.

Physical Safeguards
1. Workstation. Workforce members will ensure that PHI is secured when staff are not available to monitor the area by:
a. Locking material in a file cabinet;
b. Removing the information from sight and placing it in a desk drawer;
c. Clearing information from the computer screen when it is not actually being used;
d. Locking the workstation (Ctrl + Alt + Delete) when leaving the office, even for a brief period;
e. Turning off the computer when not in use;
f. Relocating the workstation or repositioning the monitor so that only the authorized user can view it;
g. Taking precautions to prevent conversations regarding patient information from being overheard by others; and
h. Ensuring that confidential information is reasonably protected to prevent inadvertent disclosure; this may include placing a cover sheet over records sitting on a desk or positioning a patient's information so that the confidential information is not visible.
2. Visitor Access Control. The receptionist will ensure that all visitors sign in on the Visitor Sign-in Sheet (Figure 2) and receive a visitor badge when entering the building. Where there is no receptionist, hosts will direct visitors to sign in at the reception desk to obtain a visitor badge. All visitors will sign the Pledge of Confidentiality form (Figure 3) prior to participating in activities that expose sensitive information. See the Human Resources Policy on Visitor Control.
3. Disposal of PHI. Workforce members are responsible for ensuring that all confidential information in paper format that is ready for disposal is placed in the locked shred bins or immediately shredded in the office.

Technical Safeguards (see Security Policies)
1. Passwords. Workforce members are responsible for protecting their passwords and should never reveal them to anyone, including a supervisor, family member, or co-worker. In special cases where a user is required to divulge his/her personal password, such as for system support, the user must immediately change the password afterward.
a. Passwords should never be included in email messages or unencrypted files;
b. Passwords should never be stored in a location readily accessible to others (e.g., a desk drawer, a note on the computer, under the keyboard).
2. Mobile Devices. Workforce members should recognize that there are security risks associated with using mobile devices. Sharing confidential information using text, email, or other modes of data transmission on a mobile device should be avoided unless such communication methods are encrypted in accordance with CCNC Security Policies. Video and camera functions on mobile devices should never be used in areas where patient information is visible.
3. Thumb Drives. Workforce members must ensure that any equipment or device that stores or displays data, connects to another system, or transfers data is protected from unauthorized access to health information. IronKey flash drives are provided by the IT department for transferring sensitive information.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Workforce
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To ensure that all workforce members make reasonable efforts to protect PHI from intentional or unintentional use or disclosure in violation of policies.

Roles and Responsibilities
The CCNC Privacy Officer will ensure that all workforce members are aware of the reasonable efforts required to protect PHI from intentional or unintentional use or disclosure in violation of policies and/or procedures.

Policy
CCNC will put into place appropriate privacy awareness, training, and mitigation of unsecured breaches.

Confidentiality Statement
1. All workforce members and contractors will sign a Confidentiality Agreement (Figure 4) acknowledging their understanding of CCNC privacy policies and procedures and the consequences of any violation. This Agreement will be signed before a new employee or contractor is given access to CCNC systems and equipment. The CCNC Privacy Officer maintains copies of all Confidentiality Agreements. These agreements must be retained for at least as long as the individual is an active member of the workforce.

HIPAA Training
1. The Privacy Officer will ensure that all members of the workforce and extended workforce are trained on basic HIPAA privacy policies and procedures. Basic privacy training must include awareness of the vulnerabilities of the health information in CCNC's possession and of the procedures that must be followed to protect that information, as necessary for each individual to carry out his/her required job functions, including the possible consequences of violating privacy policies or procedures. New employees and contractors should complete the training within 30 days of employment. In the event that substantial changes are made to privacy policies or procedures, the Privacy Officer is responsible for training workforce members on the new policies/procedures within a reasonable period of time. The Privacy Officer will maintain documentation of all training for at least six years from the last date of the individual's active participation as a member of the workforce. The training log documents:
a. Training material,
b. Name and title of each staff member trained,
c. Date of training/refresher, and
d. Type of training (e.g., basic privacy, name of specific policy/procedure).

Employee Status Changes
1. CCNC will ensure that all records of workforce members are updated promptly after a change in status. The following departments will update records as needed:
a. Human Resources
b. Managers and supervisors
c. System Administrators
d. Information Technology

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Business Associates
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To ensure that all individuals or organizations who perform specific functions, activities, or services for Community Care of North Carolina (CCNC) that involve the sharing of protected health information are appropriately identified as business associates according to the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and to further ensure that agreements are developed to support such contractual relationships, as appropriate.

Roles and Responsibilities
CCNC will identify persons or entities that provide specific functions, activities, or services that involve the use, creation, or disclosure of PHI.

Policy
CCNC will review all contractors to determine whether the contractor will be acting in the role of a Business Associate. External contract organizations will be required to sign a Business Associate agreement. Information that may be shared with any business associate is limited to that which is necessary to perform the duties/tasks identified in the business associate agreement. CCNC will train contractors acting in the role of employees on CCNC HIPAA Privacy and Security policies and procedures. CCNC will not train external contract organizations. CCNC will maintain Business Associate agreements for six years from the date of contract termination.

Privacy Complaints
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To ensure that all complaints relating to patient confidentiality are investigated within a reasonable timeframe.

Roles and Responsibilities
The CCNC Privacy Officer shall facilitate a process for patients to file a complaint regarding CCNC's privacy policies or CCNC's handling of PHI.

Policy
CCNC will investigate all complaints relating to breaches of confidentiality within one business day after a complaint is received. Patients or their legal representatives may file formal complaints with CCNC or with the Secretary of Health and Human Services if they believe their privacy rights have been violated. CCNC will not intimidate, threaten, coerce, discriminate against, or take any other form of retaliatory action against any patient filing a complaint or inquiring about how to file a complaint. CCNC may not require patients to waive their right to file a complaint as a condition of participating in any program.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Privacy Incident
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To establish requirements for reporting, documenting, and investigating a known or suspected action or adverse event resulting from unauthorized use or disclosure of PHI.

Roles and Responsibilities
Workforce members should report to the Privacy Officer any event or circumstance that is believed to be an inappropriate use or disclosure of a patient's PHI. The Privacy Officer investigates a suspected privacy incident, attempts to resolve it, and works to prevent future occurrences.

Policy
CCNC's Privacy Officer immediately investigates and attempts to resolve all reported suspected privacy incidents in which the PHI of a patient has not been used or disclosed in accordance with CCNC's privacy policies. The Privacy Officer completes the Privacy and Security Incident Report Form (Figure 5) when a privacy or security incident is suspected of being a breach. This form documents the privacy incident and the attempted resolution, ensuring that the incident has been remediated. Each incident will be evaluated to determine whether additional workforce training is needed.

Unintentional/Inadvertent Disclosure
1. Unintentional access to PHI by a workforce member or a person acting under the authority of the Covered Entity or Business Associate, if made in good faith and within the scope of authority, and where the information is not further used or disclosed in violation of the Privacy Rule, is considered an inadvertent disclosure and an exception to the notification requirements. Likewise, a disclosure by a person authorized to access PHI at a covered entity or business associate to another person authorized to access PHI at the same covered entity or business associate, where the information received is not further used or disclosed in violation of the Privacy Rule, is considered an inadvertent disclosure and is not a breach under the Act. The following are exceptions to the definition of a breach:
a. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a Covered Entity (CE) or Business Associate (BA), if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule. An example is PHI left on the copy machine that is picked up by someone who should not have access to PHI, who sees who printed the material and hands it to the intended recipient. No malice or ill intent was involved.
b. Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, where the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under the Privacy Rule.
c. A disclosure of PHI where the CE or BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Incident Response
The Privacy Officer will recommend sanctions for confirmed violations to Department Management, considering the following factors:
1. The facts of the investigation:
a. The nature of the violation,
b. The severity of the violation,
c. Whether the violation was intentional or unintentional, and
d. Whether the violation indicates a pattern or practice of improper use or disclosure of private data.
2. Earlier precedents set;
3. Any approved sanction guidelines established.
CCNC documents and retains documentation of privacy incidents. The record is in no way considered part of a patient's record and is intended only to track the types of incidents that are occurring and the sanctions being applied for each type of incident. All incidents are documented on the Incident Response Form (Figure 6), to be signed by the individual and the official. This form is maintained on file and logged in the incident database. Incidents that are suspected breaches shall have their risk determined on the Privacy and Security Incident Report and documented in the Privacy and Security Incident Log (Figure 7).

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Breach Notification
COMMUNITY CARE OF NORTH CAROLINA POLICIES AND PROCEDURES MANUAL
Eff. Date: 12/11/12   Rev. History: 5/28/12

Purpose
To provide guidance for implementation of the American Recovery and Reinvestment Act (ARRA)/Health Information Technology for Economic and Clinical Health Act (HITECH or the Act). In addition, this policy provides direction on the breach notification requirements that the Act places on covered entities when unauthorized access, acquisition, use, and/or disclosure of an organization's protected health information (PHI) occurs. The Office for Civil Rights (OCR) is responsible for the enforcement of both the HIPAA Privacy Rule and the HIPAA Security Rule.

Roles and Responsibilities
The CCNC Privacy Officer will ensure that breaches of unsecured PHI are investigated and properly reported.

Policy
CCNC's Privacy Officer immediately investigates and attempts to resolve all reported suspected privacy incidents in which the PHI of a patient has not been used or disclosed in accordance with CCNC's privacy policies. The Privacy Officer completes the Privacy Incident Form when a privacy incident is suspected or has been reported. This form documents the privacy incident and the attempted resolution, ensuring that the incident has been remediated. Each incident will be evaluated to determine whether additional workforce training is needed.

Breach Notification Rule
1. Upon the discovery of a breach of unsecured PHI (see definitions), Covered Entities are required to notify each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed as a result of the breach. Business associates of a covered entity are required to notify the covered entity of the discovery of a breach or potential breach of unsecured PHI.
2. Unsecured PHI. PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary. The specified methods are:
a. Electronic PHI has been encrypted as specified in the HIPAA Security Rule by the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key, and that confidential process or key has not been breached. To avoid a breach of the confidential process or key, decryption keys should be stored on a device or at a location separate from the data they are used to encrypt or decrypt. The following encryption processes meet this standard:
i. Valid encryption processes for data at rest (i.e., data that resides in databases, file systems, and other structured storage systems) are those consistent with the NIST Special Publication Guide to Storage Encryption Technologies for End User Devices.
ii. Valid encryption processes for data in motion (i.e., data that is moving through a network, including wireless transmission) are those that comply, as appropriate, with the NIST Special Publications Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations; Guide to IPsec VPNs; or Guide to SSL VPNs, and may include others that are Federal Information Processing Standards (FIPS) validated.
b. The media on which the PHI is stored or recorded has been destroyed in one of the following ways:
i. Paper, film, or other hard copy media have been shredded or destroyed such that the PHI cannot be read or otherwise reconstructed. Redaction is specifically excluded as a means of data destruction.
ii. Electronic media have been cleared, purged, or destroyed consistent with the NIST Special Publication Guidelines for Media Sanitization, such that the PHI cannot be retrieved.
3. Breach. A breach of PHI occurs when an acquisition, access, use, or disclosure of PHI that is not permitted under HIPAA occurs and poses a significant risk of financial, reputational, or other harm to the individual.
4. Breach Notifications. Once a breach has been discovered, a Breach Investigation Team (broadly defined as the Privacy and Security Officers, but which may include additional personnel as needed) will initiate the breach investigation outlined in the procedures for this policy.
5. Providing Information to DMA. As a Business Associate of DMA, CCNC is required to report certain data elements to DMA so that DMA may notify the patients affected by a breach. The risk assessment page of the Privacy Incident Form will be used for reporting to DMA.
6. Providing Information to Other Payors. As a sub-business associate of other payors, CCNC is required to report certain data elements to the covered entity so that the covered entity may notify the patients affected by a breach. CCNC must be prepared to give the covered entity the information it needs to fulfill its obligation to notify patients involved in a breach.

Examples of Breaches of Unsecured Protected Health Information
1. A stolen or lost laptop or lost flash drive containing unsecured PHI that is not encrypted per policy.
2. A misdirected email listing drug-seeking patients sent to an external group list, where the information in the email is not encrypted using 7-Zip as required by policy.

3. A lost flash drive containing a database of patients participating in a disease management and compliance study. This was a personal flash drive, not a company-issued one, so it was not encrypted or secured in any manner.
4. An individual accessing the health record of a divorced spouse for information to be used in a custody hearing.
5. Workforce members accessing the electronic health record for information on friends or family members out of curiosity, without a business-related purpose.
6. A misdirected fax of patient records sent to a local grocery store instead of the requesting provider's fax. (This is why you verify the fax number before you send any documentation and verify that it was received after it was faxed.)
7. Intentional, non-work-related access by a staff member to a neighbor's information.

Sanctions Enforced by Federal Law
Violation Category                Each Violation       All such violations of an identical type in a calendar year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect, Corrected        $10,000 - $50,000    $1,500,000
Willful Neglect, Not Corrected    $50,000              $1,500,000

North Carolina Identity Theft Protection Act (NCITPA). In addition to the HITECH breach requirements, the NCITPA requires that any business that owns or licenses personal information of residents of North Carolina, or any business that conducts business in North Carolina and owns or licenses personal information in any form (whether computerized, paper, or otherwise), provide notice to the affected person that there has been a security breach following discovery or notification of the breach. Examples of identifiers under this Act include:
a. Social Security Numbers or Employer Identification Numbers (EINs),
b. Driver's license, state ID card, or passport numbers,
c. Checking and savings account numbers,
d. Credit and debit card numbers,
e. PIN codes,
f. Electronic identification numbers, electronic mail names or addresses,
g. Digital signatures,
h. Biometric data, fingerprints,
i. Passwords,
j. Parent's legal surname prior to marriage.
In addition, the business must notify, without unreasonable delay, the Consumer Protection Division of the Attorney General's Office of the nature of the breach, the number of consumers affected by the breach, the steps taken to investigate the breach, the steps taken to prevent a similar breach in the future, and information regarding the timing, distribution, and content of the notice. Notice to individuals must include a description of the following:
a. The incident in general terms;
b. The type of personal information subject to the breach;
c. The general acts of the business to protect the information from further breaches;
d. A telephone number that a person may call for further information;
e. Advice that directs the person to remain vigilant in reviewing account statements and monitoring free credit reports;
f. A telephone number for the business providing the notice;
g. Toll-free numbers and addresses for the national credit reporting agencies; and
h. Toll-free numbers, addresses, and web site addresses for the Federal Trade Commission and the North Carolina Attorney General's Office, along with a statement that individuals can learn about preventing identity theft from these sources.
Submit the notice to the North Carolina Consumer Protection Division of the Attorney General using the form found at the following link.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

De-Identification and Limited Data Sets
COMMUNITY CARE OF NORTH CAROLINA   Eff. Date: 12/11/12
POLICIES AND PROCEDURES MANUAL   Rev. History: 5/28/12

Purpose
The purpose of this policy is to define methods by which CCNC may remove specific elements from health information so that the resulting information will not be considered protected health information. HIPAA defines the data elements allowed in de-identified data and in limited data sets.

Roles and Responsibilities
The CCNC Privacy Officer will determine if the desired data set meets the intended purposes of the use and disclosure as permitted by federal and/or state laws.

Policy
CCNC will de-identify health information whenever protected health information is not necessary to accomplish the intended purpose for the use or disclosure of health information, or when use or disclosure of protected health information is not permitted by federal or state laws. CCNC will determine if a limited data set would meet the intended purpose of the use or disclosure. When a limited data set is deemed appropriate, CCNC will enter into a data use agreement with the recipient of the information. When information cannot be de-identified or included in a limited data set, CCNC will ensure that disclosure of the health information is permitted by law and is in accordance with CCNC Privacy Policies.

Individual Identifiers
1. For the purposes of Privacy Policies, the following elements are considered individual identifiers if they apply to patients or to relatives, guardians, employers, or household members of patients. If the elements below are associated with health information, the information becomes protected health information that must be protected from improper use or disclosure:
a. Names,
b. All geographic subdivisions smaller than a State, including street address, city, county, precinct, ZIP Code, and their equivalent geocodes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census, the geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people; the initial three digits of a ZIP Code for all such geographic units containing 20,000 or fewer people are changed to 000,
c. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older,
d. Telephone numbers,
e. Fax numbers,
f. Electronic mail addresses,
g. Social Security Numbers,
h. Medical record numbers,
i. Health plan beneficiary numbers,
j. Account numbers,
k. Certificate/license numbers,
l. Vehicle identifiers and serial numbers, including license plate numbers,
m. Device identifiers and serial numbers,
n. Web Universal Resource Locators (URLs),
o. Internet Protocol (IP) address numbers,
p. Biometric identifiers, including finger and voice prints,
q. Full face photographic images and any comparable images,
r. Any other unique identifying number, characteristic, or code that can be re-identified.

2. De-Identified. Protected health information is considered de-identified when the elements that could identify an individual have been removed and there is no reasonable basis to believe that the information may be used, with or without other available information, to identify an individual. De-identified health information may be used and shared as necessary in the performance of work, unless federal or state laws otherwise restrict the information. Health information that has been considered de-identified does not meet the de-identification criteria if a code or other means of record identification designed to enable the coded or otherwise de-identified information to be re-identified is disclosed with it.

Limited Data Set
1. When a limited data set is deemed appropriate for a use or disclosure, CCNC will enter into a data use agreement with the recipient of the information, unless state or federal law permits the use or disclosure, which negates the need for such an agreement. When a limited data set is used or disclosed with an appropriate data use agreement executed, an authorization is not required for the use or disclosure of the limited data set, and limited data sets do not need to be included in an accounting of disclosures.
To qualify as a limited data set, only the following identifiers for patients may remain associated with the health information:
a. State, county, city or town, ZIP Code,
b. Birth date, admission date, discharge date, date of death,
c. Age, and/or
d. A unique identifying number, characteristic, or code, exclusive of identifiers such as Social Security Numbers, account numbers, medical record numbers, health plan beneficiary numbers, etc.

2. Re-Identification. A code or other means of identification may be assigned to allow information that has been de-identified to be re-identified within CCNC, provided that:
a. The code or other means of identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual (examples of disallowed codes would be codes containing a Social Security Number or health plan beneficiary number);
b. CCNC does not use or disclose the code (or other means of identification) for any purpose other than that originally intended; and CCNC does not disclose any method that can be used to re-identify information that has been de-identified.

3. Data Use Agreement. CCNC will enter into a data use agreement with the limited data set recipient. The data use agreement must contain the following:
a. A requirement to use or disclose such information only for the purposes of research, public health, or health care operation activities,
b. Specifications regarding who can use or receive the limited data set,
c. Specifications of the permitted uses and disclosures,
d. A stipulation that the recipient will not use or disclose the limited data set for any purposes other than those specified in the data use agreement or as otherwise required by law,
e. Adequate assurances that the recipient will use appropriate safeguards to prevent the use or disclosure of the limited data set for any purposes other than those specified in the data use agreement. These assurances may be addressed through language similar to that provided in the DHHS Data Use Agreement,
f. A commitment by the recipient to report to DMA any use or disclosure of the information not provided for by the data use agreement of which it becomes aware,
g. Assurance that any agent, including a subcontractor, to whom the recipient provides the limited data set agrees to the same restrictions and conditions that apply to the limited data set recipient with respect to such information, and
h. A commitment by the recipient that it will not re-identify the information or contact any of the individuals whose data is being disclosed.

4. The Minimum Necessary Rule. The minimum necessary rule applies to limited data sets; therefore, only the data elements that are necessary to perform the purpose(s) specified in the data use agreement should be included in the limited data set released to the recipient.

When use or disclosure of protected health information is necessary for public health, research, or health care operation activities, and federal or state laws do not permit disclosure of protected health information for the particular instance of use, workforce members must determine if a de-identified or limited data set would meet the intended purpose of the use or disclosure. When information cannot be de-identified, workforce members will use a limited data set, if possible, instead of disclosing protected health information. Workforce members will ensure that a Data Use Agreement has been signed prior to using or disclosing a limited data set.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.
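As an added example (not part of the CCNC manual), the following Python applies the safe-harbor identifier rules, the limited data set definition and the minimum necessary rule described above to a constructed patient record; the field names, sample values and the ZIP3 population table are assumptions made for illustration.

```python
"""Safe-harbor de-identification and limited data set rules from the policy
above, applied to a constructed patient record. Added example, not CCNC's code;
field names, sample values and the ZIP3 population table are assumptions."""
from datetime import date
import secrets

# Direct identifiers (items a and d through r): removed from both a
# de-identified record and a limited data set.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
}
# Dates (item c) a limited data set may keep in full; safe harbor keeps the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}
# Geography below state level (item b) that safe harbor strips entirely.
SUB_STATE_GEOGRAPHY = {"street_address", "city", "county"}


def zip3_for_safe_harbor(zip_code, zip3_population):
    """Item b: keep the first three ZIP digits only if the area they cover has
    more than 20,000 people (per the Census figures supplied); else 000."""
    prefix = zip_code[:3]
    return prefix if zip3_population.get(prefix, 0) > 20000 else "000"


def age_on(birth_iso, as_of_iso):
    """Whole years between two ISO-formatted dates."""
    b, a = date.fromisoformat(birth_iso), date.fromisoformat(as_of_iso)
    return a.year - b.year - ((a.month, a.day) < (b.month, b.day))


def de_identify(record, as_of_iso, zip3_population, code_map=None):
    """Produce a safe-harbor de-identified record. If code_map is given, a
    random re-identification code is assigned (Re-Identification, item 2):
    it is not derived from the individual's data, and the code-to-MRN map is
    kept by CCNC, never released with the record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in SUB_STATE_GEOGRAPHY:
            continue
        if field == "zip":
            out["zip3"] = zip3_for_safe_harbor(value, zip3_population)
        elif field in DATE_FIELDS:
            out[field + "_year"] = int(value[:4])
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], as_of_iso)
        if age > 89:
            # Item c: ages over 89, and any date element that would reveal such
            # an age, collapse into the single category "90 or older".
            out["age"] = "90 or older"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    if code_map is not None:
        code = secrets.token_hex(8)
        code_map[code] = record.get("mrn")
        out["code"] = code
    return out


def limited_data_set(record):
    """Limited data set (items a through d): direct identifiers and street
    address removed; city, county, ZIP, full dates and age may remain."""
    return {f: v for f, v in record.items()
            if f not in DIRECT_IDENTIFIERS and f != "street_address"}


def minimum_necessary(data_set, permitted_fields):
    """Item 4: release only the elements the data use agreement specifies."""
    return {f: v for f, v in data_set.items() if f in permitted_fields}


# Constructed sample record and constructed ZIP3 populations; real use would
# take populations from current Census data.
ZIP3_POPULATION = {"276": 650000, "036": 15000}
SAMPLE = {
    "name": "Jane Example", "ssn": "000-00-0000", "mrn": "MRN-12345",
    "phone": "919-555-0100", "email": "jane@example.com",
    "street_address": "1 Example St", "city": "Raleigh", "county": "Wake",
    "state": "NC", "zip": "27601",
    "birth_date": "1920-05-02", "admission_date": "2012-03-04",
    "diagnosis": "Type 2 diabetes",
}

if __name__ == "__main__":
    codes = {}
    print(de_identify(SAMPLE, "2012-12-11", ZIP3_POPULATION, codes))
    print(minimum_necessary(limited_data_set(SAMPLE),
                            {"zip", "admission_date", "diagnosis"}))
```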

Legal Occurrences
COMMUNITY CARE OF NORTH CAROLINA   Eff. Date: 12/11/12
POLICIES AND PROCEDURES MANUAL   Rev. History: 5/28/12

Purpose
This policy establishes requirements for disclosing protected health information when responding to judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates.

Roles and Responsibilities
Disclosures of protected health information (PHI) will be made only where required by law. Any request for data received by an employee should be sent to the CCNC Privacy Officer for disposition.

Policy
Requests for disclosing protected health information, including for judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates, will be referred to the CCNC Privacy Officer.

Required by Law
1. The CCNC Privacy Officer will use or disclose protected health information as required by law where a federal, state, tribal, or local law compels CCNC to make a use or disclosure.
2. Preemption of North Carolina Law. The CCNC Privacy Officer will review North Carolina and federal laws to determine if any provision is contrary to a requirement of the HIPAA or HITECH Privacy and Security Rules.
a. If the state law relating to the privacy of protected health information is more stringent than a privacy regulation, state law shall not be preempted, because it provides greater privacy protections.
3. Disclosures Requiring Authorization. The following types of disclosure require CCNC to obtain written authorization from the patient or the patient's personal representative, unless there is a court order:
a. Judicial or administrative proceeding requests;
b. Subpoenas;
c. Law enforcement officials;
d. Warrants.

4. Disclosures Not Requiring Authorization. The following types of disclosure may be made without authorization:
a. Court orders;
b. Health oversight: auditing, licensing, corrective action;
c. Responding to law enforcement officials regarding crimes.
5. Accounting of Disclosures. CCNC will maintain a record of each disclosure for legal occurrences using the Disclosure Log (Figure 8).
6. Reporting. CCNC will report requests for legal disclosures of Medicaid recipients' information to the DMA Privacy Official.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Research
COMMUNITY CARE OF NORTH CAROLINA   Eff. Date: 12/11/12
POLICIES AND PROCEDURES MANUAL   Rev. History: 5/28/12

Purpose
To describe how protected health information must be protected when it is accessed, used, or disclosed for research purposes.

Roles and Responsibilities
The CCNC Director of Evaluation will provide guidance on requests for data for evaluating a CCNC program for research and/or publication.

Policy
Requests for Medicaid data for research or evaluation will be referred to the CCNC Director of Evaluation to determine the needs and the options among available resources. The HIPAA Privacy Rule establishes the conditions under which protected health information may be used or disclosed by covered health care components and their internal business associates for research purposes. Research is defined in the Privacy Rule as a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalized knowledge. The HIPAA definition of research also applies to the development of research repositories and research databases. Workforce members working with data for research purposes will follow the policy De-Identification and Limited Data Sets.

Standard Operating Procedures
Procedures associated with this policy can be found in the document titled Privacy Operating Procedures.

Use and Disclosures
COMMUNITY CARE OF NORTH CAROLINA   Eff. Date: 12/11/12
POLICIES AND PROCEDURES MANUAL   Rev. History: 5/28/12

DISCLOSING DATA OBTAINED FROM THE INFORMATICS CENTER

PURPOSE: To provide a secure process for the disclosure of data accessed from the Informatics Center ("Data") and converted into any other electronic or non-electronic format, to parties that have not entered into a System Access Agreement, and to ensure that recipients are aware of their responsibilities regarding use and disclosure of Data.

POLICY: Any organization, provider, or other entity that has executed a System Access Agreement (hereinafter, a "Disclosing Entity") may disclose Data if:
a. Disclosure of Data is permitted under applicable state and federal law;
b. Disclosure of Data is:
i. To the individual who is the subject of the Data or to such individual's personal representative, as that term is defined under 45 C.F.R (g);
ii. For purposes of treatment, quality assessment and improvement activities, or coordination of appropriate and effective patient care, treatment, or habilitation; or
iii. Otherwise required under applicable state or federal law with respect to the Disclosing Entity; and
c. The Disclosing Entity obtains the individual's written authorization to disclose such Data if required under applicable state or federal law.

PROCEDURE
1. Requests for Data. A Disclosing Entity may disclose Data in response to a request from an agency, entity, or provider (a "Requesting Entity") for purposes of patient care or care coordination, in accordance with the following procedures.
a. The Requesting Entity must submit a signed Request for Data from the Community Care of North Carolina, Inc. Informatics Center (a "Request Form").
b. The Request Form must be accompanied by a list of the individuals who are the subject of the requested Data. Multiple patients may be identified. The list of patients shall not include any Protected Health Information and shall be sent as an attachment with the Request Form.
c. Upon receiving the signed Request Form, the Disclosing Entity may disclose the Data.
d. The Disclosing Entity shall ensure secure transmission via encrypted email or fax.

e. Each Disclosing Entity shall have its own internal process for ensuring that a record of each disclosure transaction is maintained for each patient.
2. Disclosures Initiated by Disclosing Entity. A Disclosing Entity may initiate a disclosure of Data to an agency, entity, or provider that has not entered into a System Access Agreement (a "Receiving Entity"), in accordance with the following procedures.
a. The Disclosing Entity shall provide notice of the Receiving Entity's responsibilities regarding use and disclosure of Data. The Disclosing Entity may use the Notice to Accompany Informatics Center Data Disclosures form provided by CCNC.
b. The Disclosing Entity shall verify that the Receiving Entity provides care, treatment, habilitation, or rehabilitation to the individual or individuals who are the subject of the Data.
c. The Disclosing Entity shall ensure secure transmission via encrypted email or fax.
d. Each Disclosing Entity shall have its own internal process for ensuring that a record of each disclosure transaction is maintained for each patient.

Use and Disclosures (Sensitive Information)
COMMUNITY CARE OF NORTH CAROLINA   Eff. Date: 12/11/12
POLICIES AND PROCEDURES MANUAL   Rev. History: 5/28/12

Purpose
This policy establishes requirements for the use of protected health information when obtaining, documenting, and disclosing behavioral health and substance abuse information that is subject to federal and state law.

Roles and Responsibilities
CCNC shall enforce the requirements on the use and disclosure of sensitive information for all users of the Informatics Center.

Policy
CCNC shall provide a process for handling Protected Health Information on patients that references behavioral health or substance abuse, which may be subject to federal and state laws that have more restrictions than HIPAA.

Behavioral Health Definitions under NCGS 122C:
Facility: Any person at one location whose primary purpose is to provide services for the care, treatment, habilitation, or rehabilitation of the mentally ill, the developmentally disabled, or substance abusers.

N.C. General Statutes Chapter 122C provides exceptions for CCNC effective January 1. Specifically, 122C-52(b) permits a HIPAA covered entity or business associate that receives confidential information disclosed pursuant to Chapter 122C to use and disclose such information as permitted or required under HIPAA.

Data obtained from the Informatics Center may be disclosed without patient consent if:
1. The disclosure is permitted under HIPAA, and
2. The disclosure is permitted under the applicable System Access Agreement.
See the Data Disclosure Policy.


More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance

HIPAA-G04 Limited Data Set and Data Use Agreement Guidance HIPAA-G04 Limited Data Set and Data Use Agreement Guidance GUIDANCE CONTENTS Scope Reason for the Guidance Guidance Statement Definitions ADDITIONAL DETAILS Additional Contacts Web Address Forms Related

More information

University of Cincinnati Limited HIPAA Glossary

University of Cincinnati Limited HIPAA Glossary University of Cincinnati Limited HIPAA Glossary ephi System A system that creates accesses, transmits or receives: 1) primary source ephi, 2) ephi critical for treatment, payment or health care operations

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014 GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY HIPAA Policies and Procedures 06/30/2014 Glenn County Health and Human Services Agency HIPAA Policies and Procedures TABLE OF CONTENTS HIPAA Policy Number

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which became law in February of this

More information

Patient Privacy and HIPAA/HITECH

Patient Privacy and HIPAA/HITECH Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,

More information

G REATER H OUSTON H EALTHCONNECT. HIPAA/HITECH Privacy Compliance Manual

G REATER H OUSTON H EALTHCONNECT. HIPAA/HITECH Privacy Compliance Manual G REATER H OUSTON H EALTHCONNECT HIPAA/HITECH Privacy Compliance Manual Adopted by the Board of Directors on December 14, 2011and amended on September 12, 2012 and February 27, 2013 TABLE OF CONTENTS Page

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

How To Notify Of A Security Breach In Health Care Records

How To Notify Of A Security Breach In Health Care Records CHART YOUR HIPAA COURSE... HHS ISSUES SECURITY BREACH NOTIFICATION RULES PUBLISHED IN FEDERAL REGISTER 8/24/09 EFFECTIVE 9/23/09 The Department of Health and Human Services ( HHS ) has issued interim final

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014

HIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014 HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1

HIPAA Data Use Agreement Policy R&G Template Updated for Omnibus Rule HIPAA DATE USE AGREEMENT 1 HIPAA DATE USE AGREEMENT 1 This Data Use Agreement (the "Agreement") is effective as of (the "Agreement Effective Date") by and between ("Covered Entity") and ("Data User"). RECITALS WHEREAS, Covered Entity

More information

HIPAA-Compliant Research Access to PHI

HIPAA-Compliant Research Access to PHI HIPAA-Compliant Research Access to PHI HIPAA permits the access, disclosure and use of PHI from a HIPAA Covered Entity s or HIPAA Covered Unit s treatment, payment or health care operations records for

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

HIPAA Privacy & Security Rules

HIPAA Privacy & Security Rules HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to

More information

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Name of Policy: Policy Number: Department: Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Approving Officer: Interim

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual Updated 9/17/13 1 Overview As of April 14, 2003, the State of Connecticut Department of Social Services (DSS) is

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION

BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

Health Insurance Portability and Accountability Policy 1.8.4

Health Insurance Portability and Accountability Policy 1.8.4 Health Insurance Portability and Accountability Policy 1.8.4 Appendix C Uses and Disclosures of PHI Procedures This Appendix covers procedures related to Uses and Disclosures of PHI. Disclosures to Law

More information

DEPARTMENT: POLICY DESCRIPTION: HealthTrust Ethics and Compliance. PHI: Managing Protected Health Information

DEPARTMENT: POLICY DESCRIPTION: HealthTrust Ethics and Compliance. PHI: Managing Protected Health Information PAGE: 1 of 15 SCOPE: All departments within HealthTrust Purchasing Group, L.P. ( HealthTrust LP ); Invivolink LLC; and to the extent applicable, direct and indirect subsidiaries or affiliates of HealthTrust

More information

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA? 6/28/2012

HIPAA PRIVACY DIRECTIONS. HIPAA Privacy/Security Personal Privacy. What is HIPAA? 6/28/2012 DIRECTIONS HIPAA Privacy/Security Personal Privacy Catholic Charities On-line Training July 2012 1. Read through entire online training presentation 2. Close the presentation and click on Online Trainings

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

POLICY AND PROCEDURE MANUAL

POLICY AND PROCEDURE MANUAL Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

HIPAA Compliance. 2013 Annual Mandatory Education

HIPAA Compliance. 2013 Annual Mandatory Education HIPAA Compliance 2013 Annual Mandatory Education What is HIPAA? Health Insurance Portability and Accountability Act Federal Law enacted in 1996 that mandates adoption of Privacy protections for health

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

VENDOR / CONTRACTOR. Privacy Basics

VENDOR / CONTRACTOR. Privacy Basics VENDOR / CONTRACTOR Privacy Basics Introduction Premera s mission is to provide our customers with peace of mind about their healthcare. This requires that everyone who works with or for Premera (the Company

More information

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule

Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information