HIPAA Compliance: Are you prepared for the new regulatory changes?


Baker Tilly and CARIS Innovation, Inc.
April 30, 2013
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Your Presenters

Dan Steiner, Manager (MBA, CPA, CFE, ARM)
> Dan Steiner is a Manager in the Risk Services Group
> Specializes in enterprise risk management, internal controls, risk transfer solutions, HIPAA compliance, Service Organization Control (SOC) reporting, crisis management, and business continuity

Your Presenters

Christine Duprey, VP and Co-Owner
> Chris has over 19 years of health care experience
> Has spent the past six years consulting many organizations in the public and private sector through their HIPAA initiatives in assessment, planning and execution
> Performed business analysis for hospital practices to streamline business processes, increasing efficiency and raising employee awareness to eliminate waste within their processes

Your Presenters

Megan Blaser, Consultant
> Has a Master's of Arts and Education in Adult Education and Training
> Helps companies with their compliance initiatives by conducting risk assessments
> Provides the necessary education and training for companies to successfully implement their compliance plans

Agenda
> HIPAA Regulation Integration and Relationship
> HIPAA Omnibus Final Rule Modification Impacts to Privacy, Security, Breach and Enforcement
  » Business Associate Responsibilities
  » Satisfactory Assurances
  » Breach Notification (Final Rule)
  » Civil Monetary Penalties
> Unsecured PHI
> Security and Privacy Rule Overview
> Compliance Readiness
> Next Steps
> Appendix

A Brief History of HIPAA
> HIPAA: Health Insurance Portability and Accountability Act (1996)
> Privacy (2000)
> Security (2003)
> Electronic Data Interchange
> Genetic Information Nondiscrimination Act, GINA (2008)
> American Recovery and Reinvestment Act, ARRA (2009): Division A, Appropriations Provisions; Title XIII, Health Information Technology; Improved Privacy and Security Provisions
> Patient Protection and Affordable Care Act
> HIPAA Final Omnibus Rules published January 25, 2013 (effective March 26, 2013, compliance required by September 23, 2013)

Modifications

Privacy
> Modifies the notice of privacy practices
> Modifies the individual authorization
> Enables access to decedent information
> Sets limitations on use and disclosure of PHI for marketing and fundraising
> Modifies Privacy to incorporate GINA Act requirements
> Expands individual rights
> Business Associates are directly liable

Security
> Business Associates are directly liable
> Modifies Security regulations to include business associate requirements of ARRA

Breach Notification
> Final rule on Breach Notification

Enforcement
> Increased and tiered Civil Money Penalties
> Adopts HITECH Act enhancements to the Enforcement Rule addressing willful neglect

Business Associates
> Business Associate: a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate.
> Examples of Business Associates include:
  » Third Party Administrators
  » Patient Safety Organizations (new)
  » Print and Mail Services
  » IT Troubleshooting and Support
  » Shredding and Disposal
  » Data Management Companies

Business Associate Requirement Changes
> 1996: Covered entity must obtain written assurances (Business Associate Agreement); monitoring not required
> ARRA deems the Business Associate just as responsible for the execution of the Business Associate Agreement and applies Civil Monetary Penalties to BAs
> Business Associates are responsible for obtaining a BAA with their subcontractors, and may need to provide or obtain satisfactory assurances that they or their subcontractors are compliant

Business Associate Agreement
Compliance due date: September 23, 2013 or September 23, 2014?

Where are you?
> Have all Business Associates been identified?
  » Are the Business Associate Agreements updated and executed since 2009?
> Have you identified situations when you are the Business Associate to others?
  » Are the Business Associate Agreements updated and executed since 2009?
> What work is left?
  » Updating and re-execution of ALL Business Associate Agreements by 9/23/2013
  » Agreements executed by January 25, 2013 will have until 9/23/2014 to complete these BAAs

Polling Question
> Have you identified the relationships where you are the business associate and others are a business associate to you?
  A. Yes
  B. No
  C. Somewhat
  D. Not sure

Satisfactory Assurances
> Organizations will need to determine the level of satisfactory assurances they will need to feel comfortable that compliance is met. Direction has not been provided as to the level of satisfactory assurances; Business Associates will need to consider:
  » Subcontractors
  » Implementation
  » Oversight
> Expectations from Covered Entities by September 23, 2013

Breach Notification
The Final Rule was published on January 25, 2013, to be effective on March 23, 2013, with compliance required by September 23, 2013.
> In 1996, HIPAA did not require notification when patient PHI was inappropriately disclosed; covered entities may have chosen to include notification as part of the mitigation process.
> In 2009, ARRA/HITECH does require notification of certain breaches of unsecured PHI to the following:
  » Individuals
  » Department of Health and Human Services (HHS)
  » Media
> On January 25, 2013, the Final Breach Notification Rule was published, requiring an entity to assess the probability that the protected health information has been or may be further compromised, based on a risk assessment.

Risk Factors to Consider for Breach Notification
(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
(2) The unauthorized person who used the protected health information or to whom the disclosure was made
(3) Whether the protected health information was actually acquired or viewed
(4) The extent to which the risk to the protected health information has been mitigated

Application of Provisions and Penalties to Covered Entities
> CE responsible for BA, and subject to fines and penalties.
> HITECH/ARRA penalties introduced by increasing the fines and levels of penalties.
> Omnibus Rule: CE and BA responsible for compliance and satisfactory assurances. Final modification enhanced civil monetary penalties.

Example: How will fines be assessed?
> Company X was in violation and was fined according to the tiered description.
> Company X was in violation; Company X will be evaluated to determine the degree of the penalties.

Penalty Considerations
> Nature and extent of the violation
> Nature and extent of the harm resulting from the violation
> History of prior compliance with the administrative simplification provisions, including violations by the covered entity or business associate, consideration of which may include but is not limited to:
  » Financial condition of the covered entity or business associate
  » Such other matters as justice may require

Unsecured PHI
> Unsecured PHI means PHI that is not secured through the use of a technology or methodology specified by the Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements under HITECH/ARRA; Request for Information

Compromising PHI Data
> Data in Motion: data that is moving through a network, including wireless transmission
> Data at Rest: data that resides in databases, file systems, and other structured storage methods
> Data in Use: data in the process of being created, retrieved, updated, or deleted
> Data Disposed: discarded paper records or recycled electronic media

Have you implemented?
> Encryption: recommendations for the industry encryption standards to meet the definition of secured PHI
> Destruction: recommendations for the industry destruction standards to meet the definition of secured PHI
> Storage: recommendations for the industry storage of electronic media to meet the definition of secured PHI

Polling Question
> Based on our discussion, are you comfortable that your organization is adequately protecting PHI?
  A. Yes
  B. No
  C. Still not sure

Security Rules
> Applicability
> Definitions
> Security Standards: General Rules
> Administrative Safeguards
> Physical Safeguards
> Technical Safeguards
> Organizational Requirements
> Policies and Procedures and Documentation Requirements
> Compliance Dates for the Initial Implementation of the Security Standards
Standards in bold represent the requirements applicable to the Business Associate via the ARRA

Have you completed necessary tasks?
> Has the Security Risk Assessment been performed?
  » Have the risks, threats and vulnerabilities been identified?
  » Have controls been implemented to mitigate the risks identified?
> Has access to systems, workstations and programs been assessed?
  » Have appropriate authorization and supervision of access been implemented?
  » Have workforce members been identified?
> Have the Contingency Plans been developed and updated? Do they include:
  » Back-up plans, disaster recovery, emergency mode of operation plans
> Has the Security Awareness Training been completed?
  » Security Reminders
  » Protection from Malicious Software
  » Log-in Monitoring
  » Password Management

Privacy Rules: Uses and Disclosures
> Applicability
> Definitions
> Uses and Disclosures of PHI: General Rules
> Uses and Disclosures: Organizational Requirements
> Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations
> Uses and Disclosures for which an Authorization is Required
> Uses and Disclosures Requiring an Opportunity to Agree or to Object
> Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object, is Not Required
> Other Requirements Relating to Uses and Disclosures of PHI

Privacy Rules: Patient Rights
> Notice of Privacy Practices for PHI
> Rights to Request Privacy Protection for PHI
> Access of Individuals to PHI
> Amendment of PHI
> Accounting of Disclosures of PHI
> Administrative Requirements
> Transition Provisions
> Compliance Dates for Initial Implementation of Privacy Standards

COMPLIANCE READINESS
Are you a Compliant Entity?

Required Tasks: Performing the PHI Trail (Privacy)
"HIPAA has been around for 10 years; lack of these basic tasks is willful neglect." (OCR speaker)
Conduct the Gap Assessment to:
> Create the PHI trail for information created, received, accessed, modified, stored, transmitted, or destroyed
> Analyze uses and disclosures throughout the organization
> Identify gaps in policies, procedures and current processes
> Identify and execute BAAs with Business Associates
Create Necessary Documents:
> Notice of Privacy Practices
> Authorization for the Release and Disclosure of PHI
> Policies and Procedures for each Privacy requirement, standard and implementation specification
> Create minimum necessary rules
> Perform annual training and education
> Create final compliance documentation
Perform an Annual Assessment to mitigate risks of non-compliance, ensure policy reflects practice, and ensure employees are educated

Required Tasks: Performing the e-PHI Trail (Security)
Conduct the Security Risk Assessment to:
> Analyze electronic use and disclosure of e-PHI
> Determine mechanisms utilized to create, transmit, store and/or destroy information
> Review current access authorizations and supervision
> Review contingency plans
> Assess risks, threats and vulnerabilities
Create Necessary Documents:
> Document compliance assessment findings
> Identify implementation and remediation tasks
> Policies and Procedures for each Privacy requirement, standard and implementation specification
> Create final assessment documentation
Complete Remediation Tasks:
> Perform annual Security Awareness and Training
> Perform system control tests
> Implement remediation controls
> Implement secure transmissions
> Implement physical facility security

Compliance Planning
How would the exposure and risk to your company's reputation affect your business if there was a breach or penalty for non-compliance?
> Build a compliance plan that ensures compliance can be maintained
> Daily observance and enforcement of the Privacy and Security regulations is the best means of maintaining compliance
> Annual activities should include:
  » Compliance review and assessments
  » Training for Privacy and Security Awareness
  » Security risk assessments
  » Contingency planning and testing
  » Policy and procedure review and modification
  » Control remediation and implementation
> The budget process should include dollars for daily observance and enforcement, annual assessments and remediation tasks
> New Products or Services
  » Keep compliance on the front end and avoid costly mistakes in product development
  » Test the compliance components to ensure they meet the requirements for securing PHI

Polling Question
> Do you feel confident that if the OCR were to audit your company today, you would not be left with a fine or penalty?
  A. Yes
  B. No
  C. Not sure

Next Steps
> Make a plan for compliance
> Assess the Business Associate relationships
> Update all existing Business Associate Agreements
> Obtain signatures from all parties
> Complete necessary requirements, standards and implementation specifications
> Train all workforce members and management
> Develop or modify all Policies and Procedures
> Determine the satisfactory assurances required from your subcontractors
> Make a plan to budget for and maintain compliance

Contact Information
> Christine Duprey, Co-Owner/Partner, CARIS Innovation, Inc. (920) (office) (920) (mobile)
> Megan Blaser, Consultant, CARIS Innovation, Inc. (920) (office) (920) (mobile)
> Dan Steiner, Manager, Baker Tilly (920) (office) (608) (mobile)

APPENDIX A: Security Regulations
Implementation specifications below are marked (R) for required and (A) for addressable.

Administrative Safeguards
> (1) Standard: Security Management Practices. Implement policies and procedures to prevent, detect, contain and correct security violations.
  Implementation Specifications: Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)
> (2) Standard: Assigned Security Responsibility

Administrative Safeguards
> (3) Standard: Workforce Security. Implement policies and procedures to provide the workforce with the access they need and prevent workforce members from accessing information they do not need.
  Implementation Specifications: Authorization and/or Supervision (A); Workforce Clearance Procedures (A); Termination Procedures (A)

Administrative Safeguards
> (4) Standard: Information Access Management. Implement policies and procedures to provide access to PHI in accordance with Privacy.
  Implementation Specifications: Isolating Health Care Clearinghouse Functions (R); Access Authorization (A)

Administrative Safeguards
> (5) Standard: Security Awareness and Training. Implement a security awareness and training program for all workforce members.
  Implementation Specifications: Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Administrative Safeguards
> (6) Standard: Security Incident Procedures. Implement policies and procedures to address security incidents.
  Implementation Specifications: Response and Reporting (R)
> (7) Standard: Contingency Plan. Establish and implement as needed policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI.
  Implementation Specifications: Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedures (A); Applications and Data Criticality Analysis (A)

Administrative Safeguards
> (8) Standard: Evaluation. Perform a periodic technical and non-technical evaluation.
> Standard: Business Associate Contracts and Other Arrangements. Applicability of the Business Associate Agreement to the covered entity and those entities they do business with.
  Implementation Specification: Written Contract or Other Arrangement (R)

Physical Safeguards
> (1) Standard: Facility Access Controls. Implement policies and procedures that limit physical access to the electronic systems that contain information, and to the facilities in which they are housed, while ensuring authorized access is allowed.
  Implementation Specifications: Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Physical Safeguards
> Standard: Workstation Use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
> Standard: Workstation Security

Physical Safeguards
> Standard: Device and Media Controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
  Implementation Specifications: Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards
> Standard: Access Control. Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights under the Administrative Safeguards.
  Implementation Specifications: Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Technical Safeguards
> Standard: Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  Implementation Specifications: Mechanism to Authenticate ePHI (A)
> Standard: Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

Technical Safeguards
> Standard: Transmission Security. Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
  Implementation Specifications: Integrity Controls (A); Encryption (A)

Organizational Requirements
> Standard: Business Associate Contracts or Other Arrangements. Contracts between the covered entity and the business associates.
  Implementation Specifications: Business Associate Agreements (R)
> Standard: Requirements for Group Health Plans. Ensuring plan documents are updated appropriately.
  Implementation Specifications: Amend Plan Documents (R)

Policies and Procedures and Documentation Requirements
> Standard: Policies and Procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of Security.
> Standard: Documentation. Maintain the policies and procedures implemented to comply with Security in written (electronic) form; and, if an action, activity or assessment is required by this subpart to be documented, maintain a written (electronic) record of the action, activity, or assessment.
  Implementation Specifications: Time Limit, 6 years (R); Availability (R); Updates (R)

APPENDIX B: Privacy Regulations

Uses and Disclosures of PHI: General Rules
> (a) Standard. A covered entity or business associate may not use or disclose PHI, except as permitted or required by Privacy or by Compliance and Enforcement of part 160 of the General Administrative Requirements
> (b) Standard. Minimum Necessary
> (c) Standard. Uses and Disclosures of PHI Subject to an Agreed-Upon Restriction
> (d) Standard. Uses and Disclosures of De-Identified PHI
> (e) Standard. Disclosures to Business Associates
> (f) Standard. Deceased Individuals
> (g) Standard. Personal Representatives
> (h) Standard. Confidential Communications
> (i) Standard. Uses and Disclosures Consistent with Notice
> (j) Standard. Disclosures by Whistleblowers and Workforce Member Crime Victims

Uses and Disclosures: Organizational Requirements
> (e)(1) Standard. Business Associate Contracts
  » (e)(2) Implementation Specifications: Business Associate Contracts
  » (e)(3) Implementation Specifications: Other Arrangements
  » (e)(4) Implementation Specifications: Other Requirements for Contracts and Other Arrangements
> (f)(1) Standard. Requirements for Group Health Plans
  » (f)(2) Implementation Specifications: Requirements for Plan Documents
  » (f)(3) Implementation Specifications: Uses and Disclosures
> (g)(1) Standard. Requirements for a Covered Entity with Multiple Covered Functions

Consent for Uses or Disclosures to Carry Out Treatment, Payment or Health Care Operations
> (a) Standard. Permitted Uses and Disclosures
> (b) Standard. Consent for Uses and Disclosures Permitted
  » (c) Implementation Specifications: Treatment, Payment or Health Care Operations

Uses and Disclosures for which an Authorization is Required
> (a) Standard. Authorizations for Uses and Disclosures
  » (b) Implementation Specifications: General Requirements
  » (c) Implementation Specifications: Core Elements and Requirements

Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object
> (a) Standard. Uses and Disclosures for Facility Directories
> (b) Standard. Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes

Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object, is Not Required
> (a) Standard. Uses and Disclosures Required by Law
> (b) Standard. Uses and Disclosures for Public Health Activities
> (c) Standard. Disclosures about Victims of Abuse, Neglect, or Domestic Violence
> (d) Standard. Uses and Disclosures for Health Oversight Activities
> (e) Standard. Disclosures for Judicial and Administrative Proceedings
> (f) Standard. Disclosures for Law Enforcement Purposes
> (g) Standard. Uses and Disclosures About Decedents
> (h) Standard. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes
> (i) Standard. Uses and Disclosures for Research Purposes
> (j) Standard. Uses and Disclosures to Avert a Serious Threat to Health or Safety
> (k) Standard. Uses and Disclosures for Specialized Government Functions
> (l) Standard. Disclosures for Workers' Compensation

Other Requirements Relating to Uses and Disclosures of PHI
> (a) Standard. De-identification of PHI
  » (b) Implementation Specifications: Requirements for De-Identification of PHI
  » (c) Implementation Specifications: Re-identification
> (d)(1) Standard. Minimum Necessary Requirements
  » (d)(2) Implementation Specifications: Minimum Necessary Uses of PHI
  » (d)(3) Implementation Specifications: Minimum Necessary Disclosures of PHI
  » (d)(4) Implementation Specifications: Minimum Necessary Requests for PHI
  » (d)(5) Implementation Specifications: Other Content Requirement
> (e)(1) Standard. Limited Data Set
  » (e)(2) Implementation Specifications: Limited Data Set
  » (e)(3) Implementation Specifications: Permitted Purposes for Uses and Disclosures
  » (e)(4) Implementation Specifications: Data Use Agreement
> (f)(1) Standard. Uses and Disclosures for Fundraising
  » (f)(2) Implementation Specifications: Fundraising Requirements
> (g)(1) Standard. Uses and Disclosures for Underwriting and Related Purposes
> (h)(1) Standard. Verification Requirements
  » (h)(2) Implementation Specifications: Verification

Notice of Privacy Practices for PHI
> (a) Standard. Notice of Privacy Practices
  » (b) Implementation Specifications: Content of Notice
  » (c) Implementation Specifications: Provision of Notice
  » (d) Implementation Specifications: Joint Notice by Separate Covered Entities
  » (e) Implementation Specifications: Documentation

Rights to Request Privacy Protection for PHI
> (a)(1) Standard. Right of an Individual to Request Restriction of Uses and Disclosures
  » (a)(2) Implementation Specifications: Terminating a Restriction
> (b)(1) Standard. Confidential Communications Requirements
  » (b)(2) Implementation Specifications: Conditions of Providing Confidential Communications

Access of Individuals to PHI
> (a) Standard. Access to PHI
  » (b) Implementation Specifications: Requests for Access and Timely Action
  » (c) Implementation Specifications: Provision of Access
  » (d) Implementation Specifications: Denial of Access
  » (e) Implementation Specifications: Documentation

Amendment of PHI
> (a) Standard. Right to Amend
  » (b) Implementation Specifications: Requests for Amendment and Timely Action
  » (c) Implementation Specifications: Accepting the Amendment
  » (d) Implementation Specifications: Denying the Amendment
  » (e) Implementation Specifications: Actions on Notices of Amendment
  » (f) Implementation Specifications: Documentation

Accounting of Disclosures of PHI
> (a) Standard. Right to an Accounting of Disclosures of PHI
  » (b) Implementation Specifications: Content of the Accounting
  » (c) Implementation Specifications: Provision of the Accounting
  » (d) Implementation Specifications: Documentation

Administrative Requirements
> (a)(1) Standard. Personnel Designations
  » (a)(2) Implementation Specifications: Personnel Designations
> (b)(1) Standard. Training
  » (b)(2) Implementation Specifications: Training
> (c)(1) Standard. Safeguards
  » (c)(2)(i) Implementation Specifications: Safeguards
> (d)(1) Standard. Complaints to the Covered Entity
  » (d)(2) Implementation Specifications: Documentation of Complaints
> (e)(1) Standard. Sanctions
  » (e)(2) Implementation Specifications: Documentation
> (f) Standard. Mitigation
> (g) Standard. Refraining from Intimidating or Retaliatory Acts
> (h) Standard. Waiver of Rights
> (i)(1) Standard. Policies and Procedures
> (i)(2) Standard. Changes to Policies or Procedures
  » (i)(3) Implementation Specifications: Changes in Law
  » (i)(4) Implementation Specifications: Changes to Privacy Practices Stated in the Notice
  » (i)(5) Implementation Specifications: Changes to Other Policies or Procedures
> (j)(1) Standard. Documentation
  » (j)(2) Implementation Specifications: Retention Period
> (k) Standard. Group Health Plan

Transition Provisions
> (a) Standard. Effect of Prior Authorizations
  » (b) Implementation Specifications: Effect of Prior Authorization for Purposes Other Than Research
  » (c) Implementation Specifications: Effect of Prior Permission for Research
> (d) Standard. Effect of Prior Contracts or Other Arrangements with Business Associates
  » (e) Implementation Specifications: Deemed Compliance

Questions?
Dan Steiner, Christine Duprey, Megan Blaser

Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party. Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address the specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.


INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

OCR HIPAA AUDIT PROTOCOL PUBLISHED APRIL 2016

OCR HIPAA AUDIT PROTOCOL PUBLISHED APRIL 2016 OCR HIPAA AUDIT PROTOCOL PUBLISHED APRIL 2016 Please note: This chart is for informational purposes only and does not constitute legal advice or opinions regarding any specific facts relating to HIPAA.

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Presented by: Gina L. Campanella, JD, MHA Rules that Control Privacy A collection of laws and regulations including:

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Amended January 23, 2014 This HIPAA compliance manual was prepared for the

More information

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE

Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION ELKIN & ASSOCIATES, LLC HIPAA Privacy Policy and Procedures INTRODUCTION The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict a Covered Entity

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES I acknowledge that I have been provided a copy of Fiorillo Cosmetic and General Dentistry s Notice of Privacy Practices, which has an effective

More information

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview IBM Internet Security Systems The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview Health Insurance Portability and Accountability Act

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask

More information

HomeCare Rehab and Nursing, LLC (HCRN) (DBA - Baker Rehab Group) Notice of Privacy Practice

HomeCare Rehab and Nursing, LLC (HCRN) (DBA - Baker Rehab Group) Notice of Privacy Practice HomeCare Rehab and Nursing, LLC (HCRN) (DBA - Baker Rehab Group) Notice of Privacy Practice THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

Understanding changes to the Trust Services Principles for SOC 2 reporting

Understanding changes to the Trust Services Principles for SOC 2 reporting Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Understanding changes to the Trust Services Principles for SOC 2 reporting

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

Dr. Adam Apfelblat 5140 Highland Road Waterford 48327 Phone: (248)618-3467 Fax: (248)618-3515

Dr. Adam Apfelblat 5140 Highland Road Waterford 48327 Phone: (248)618-3467 Fax: (248)618-3515 Dr. Adam Apfelblat 5140 Highland Road Waterford 48327 HIPAA NOTICE OF PRIVACY PRACTICES PLEASE REVIEW THIS NOTICE CAREFULLY. IT DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information