Iowa Health Information Network (IHIN) Security Incident Response Plan


I. Scope

This plan identifies the responsible parties and the action steps to be taken in response to Security Incidents. IHIN Security Policy 9: Notification, Investigation and Mitigation requires both the Iowa Department of Public Health (the "Department") and all Participants in the IHIN to investigate, respond to and report known or suspected Security Incidents related to the IHIN, in compliance with applicable federal and state law, the Participation Agreement signed by all Participants, and the IHIN Privacy Policies and Security Policies. Security Policy 9 describes in general terms the responsibilities of Participants and the Department with respect to Security Incidents.

II. Definitions

Capitalized terms not defined here shall have the meanings ascribed to them in the IHIN Privacy Policies and Security Policies.

Breach includes, for purposes of this Plan, breach as defined in the HIPAA Privacy Rule (see Appendix A).

Personally identifiable information or PII means information about an individual maintained by an organization, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Protected Health Information or PHI means protected health information as defined in 45 C.F.R. that is created or received by a Participant.

Security Incident is the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information available through the IHIN, or interference with IHIN operations, including attempted and successful privacy Breaches.

III. Incident Response Process

A. IHIN Incident Response Team

Final Workgroup Review 1 09/2013

The IHIN Incident Response Team includes Department staff, a representative from the IHIN vendor, and representatives from the e-health Privacy and Security Workgroup recommended by the Workgroup. The composition of the Incident Response Team may vary depending on the nature of the Security Incident under investigation. The Incident Response Team composition for each Security Incident under investigation will be approved by the Executive Director of the IHIN. Appendix B contains additional details regarding the composition and role of the Response Team.

The Incident Response Team will convene when activated by the Department's IHIN Privacy and Security Officer. The Incident Response Team will support the IHIN Privacy and Security Officer by providing technical expertise and accessing resources with respect to investigation, mitigation, and other necessary responses, and will consult with legal counsel as necessary.

B. Report or Discovery of Security Incident

This phase of the plan begins with the awareness that a Security Incident has occurred.

1. Any person may submit a complaint or concern about a Security Incident to the IHIN Privacy and Security Officer or the IHIN security hotline. Once the Department discovers or is made aware of a Security Incident, the IHIN Privacy and Security Officer will open an incident ticket using the Incident Form (Appendix C), which will include a brief description of the basis of the discovered or reported Security Incident. This standardized form will be used to compile information, categorize the Security Incident, and document all steps in the discovery process and stages of the Security Incident, through mitigation and resolution. Complete and consistent documentation of all discovered and reported Security Incidents will support accurate record-keeping, demonstrate due diligence, and support mitigation and reporting activities.

2. The IHIN Privacy and Security Officer and the IHIN Project Manager at the Department will confer regarding the circumstances of the Security Incident, and will seek information as needed from the IHIN vendor to assess immediate risks to Participants and/or the IHIN.

3. The IHIN Privacy and Security Officer will notify the Incident Response Team of discovered or reported Security Incidents. Depending upon the nature or severity of the Security Incident, the IHIN Privacy and Security Officer will activate the Incident Response Team.

C. Identifying the Origin of the Security Incident

A key step in the discovery process is identifying the origination point of the Security Incident. The two basic sources are: i) Security Incidents originating from a Participant and impacting the IHIN and/or other Participants; and ii) Security Incidents originating from the IHIN that may or may not also have an impact on Participant(s). Identifying the origin of the Security Incident will determine the parties' roles in the response. This process is described in more detail in the Security Incident Process Flow in Figure 1.

1. If the Security Incident originates with a Participant and impacts the IHIN and/or other Participants, the Participant will lead the investigation with support from the Department. The Department may also have a role in mitigation activities. Note that if it is later determined that the IHIN was not at risk, the Participant will become solely responsible for all actions.

2. If the Security Incident originates with the IHIN and may involve one or more Participants, the Department will lead the investigation with support from the involved Participants.

3. Without undue delay, but in any event no more than eight (8) business days following the report or discovery of a possible Security Incident, the Department will contact the entities suspected to be involved in and impacted by the Security Incident.

D. Determining the Type and Magnitude of the Security Incident

The process flow for determining the type and magnitude of the Security Incident appears in the process flow figure.

1. Determine the category of Security Incident. More than one of these categories may apply in complex incidents.

Category 1: Lost or stolen equipment, inappropriate information disposal, insider threats, and other events not covered in Categories 2-6.
Category 2: Denial of Service (DoS) attacks; malicious network activity; port or vulnerability scans; and other types of network attacks.
Category 3: Virus; worm; spyware; bot/botnet; Trojan/backdoor; smartphone malware; and similar types of malware events.
Category 4: Inappropriate website; website defacement; unapproved software; unapproved hardware; and similar types of hardware, software and website events.
Category 5: Social engineering; phishing; blackmail; and similar types of human-target events.
Category 6: Event involves, or probably involves, PHI or some other type of PII.

2. Determine the magnitude by identifying the systems and technology impacted by the Security Incident. This will guide the immediate mitigation activities.

a. IHIN network/server - IHIN hardware
b. IHIN software or application
c. IHIN databases
d. Participant systems or technology not connected to the IHIN
e. Other

3. Ascertain who within the source organization was responsible for the Security Incident.

4. Establish who received or accessed the disclosed information:
a. Was the recipient a covered entity or BA?
b. Was it an Authorized User of a Participant?
c. Was it an unauthorized member of a Participant's workforce (or an ex-employee)?
d. Was it the IHIN vendor?
e. Was it the Department?
f. Was it someone from outside the Department or the IHIN Participants?

The following questions (5-7) apply only to Category 6 incidents, i.e., those that involve PHI or PII.

5. Determine what type(s) of data were released:
a. PII (name, SSN, DL#, Medicaid or Student ID #, health information?)
b. PHI (of any kind)
c. Genetic information, HIV, SA, MH?

6. Determine the severity of the Security Incident and the probability that PII or PHI was compromised.
a. Were data unsecured or unencrypted? If encrypted, assess the likelihood of re-identification (nature of the recipient).
b. Was the PII or PHI actually viewed or used? If so, by whom (risk of malice)?
c. Was the risk mitigated to the extent practicable? (e.g., assurances that the recipient returned or destroyed the information)
d. Were there any mitigating circumstances that should be considered? (The objective is to help determine the reason for the violation: for example, inadvertent, acting in good faith, or the recipient could not reasonably have retained the data.)
i. Did the recipient inadvertently or unknowingly obtain restricted information?
ii. Was information accessed due to causes other than willful neglect?
iii. Was the violation willful or deliberate (vs. accidental or inadvertent), but corrected in a timely manner?
iv. Was the violation due to willful neglect and not corrected in a timely manner?
v. Were 500 or more people affected?

7. Did the Security Incident trigger a reporting requirement?

8. The Incident Form guides the Incident Response Team through this fact-finding process (see Appendix C for the sample form). The incident assessment will be documented in the Incident Form, even if it is determined that no breach occurred.

Figure 1. Security Incident Process Flow (figure not reproduced in this transcription)

IV. Determine Necessary Actions

A. Mitigation Activities

Specific mitigation activities will vary depending on the category and circumstances of each Security Incident and cannot be prescribed prior to investigation. All available options will be considered as the need arises. Immediate mitigation activities focus on containment of the Security Incident and communication between all parties involved. The immediate (containment) and communication steps by category are:

Category 6 - PHI/PII
Immediate (containment):
1. Determine which Category (1-5) led to the breach of PHI/PII
2. Mitigation activities will be dependent on that category
Communication:
1. Participant/Xerox notifies the IHIN Privacy and Security Officer/Project Manager of the Category 6 Incident
2. Privacy and Security Officer notifies the Executive Director and the Attorney General's Office of the Category 6 Breach
3. Incident Response Team is notified as appropriate
4. Participants are notified as appropriate
5. OCR guidelines for notifications are utilized as appropriate

Category 5 - Human event
Immediate (containment):
1. Suspend affected user accounts
2. Determine if there are infected devices and act accordingly
3. Assess impact to stakeholders and remediate
Communication:
1. Participant/Xerox notifies the Privacy and Security Officer of the Category 5 incident
2. Privacy and Security Officer notifies the Xerox onboarding specialist of the user account name to suspend the account/reset passwords
3. Department notifies the Incident Response Team as appropriate
4. Department notifies other involved Participants as appropriate

Category 4 - Website event (clinical portal)
Immediate (containment):
1. Determine depth and type of intrusion
2. Isolate any infected devices
3. Take appropriate countermeasures to stop the attack
4. Assess impact, if any, to the system and remediate
Communication:
1. Xerox becomes aware of the event
2. Xerox notifies the Project Manager/Privacy and Security Officer
3. Department notifies Participants as appropriate

Category 3 - Malware
Immediate (containment):
1. Identify infected devices (IHIN and/or Participant)
2. Isolate infected devices
3. Assess impact to stakeholders and remediate
Communication:
1. Xerox becomes aware of the malware incident
2. Xerox notifies the Project Manager/Privacy and Security Officer
3. Department notifies Participants as appropriate

Category 2 - Network attack
Immediate (containment):
1. Determine the network access points attacked and the depth of intrusion
2. Take appropriate countermeasures to stop the attack
3. Assess impact, if any, to the system and remediate
Communication:
1. Xerox becomes aware of the successful network attack
2. Xerox notifies the Privacy and Security Officer/Project Manager
3. Department notifies Participants as appropriate

Category 1 - Lost or stolen equipment or media
Immediate (containment):
1. Identify what has been lost or stolen
2. Determine what information or system access may be available via the lost/stolen device and take appropriate actions
3. Disable the user account if an individual device with IHIN access is involved or an individual is accessing inappropriately
4. Department will provide support to the Participant to investigate and remediate
Communication:
1. Participant/Xerox notifies the IHIN Privacy and Security Officer/Project Manager of lost/stolen equipment with IHIN access, or of access to the IHIN for an unapproved purpose
2. If required, the Department will notify the Xerox onboarding specialist of the user account to suspend/reset password

B. Involve Others in Response, as Needed

The Incident Response Team will determine whether a forensic response and/or a law enforcement response is necessary.

1. Forensics Response: The Department will work with IHIN vendors and other state government IT resources (e.g., the Iowa Department of Administrative Services) as needed to coordinate the forensics action steps. In particular, the Department will assist with the following:
a. Identifying possible sources of forensic data.
b. Acquiring the forensic data:
i. Developing a plan to acquire forensic data
ii. Coordinating with the forensics team to acquire the forensic data
iii. Securing/confiscating applicable equipment
iv. Securing/confiscating applicable software
v. Securing/confiscating applicable system logs
vi. Securing/confiscating applicable data
vii. Verifying the integrity of the forensic data

2. Law Enforcement Response: If the investigation into the Security Incident suggests possible criminal activity, the Department will work with legal resources (e.g., the Iowa Attorney General's Office) as needed to facilitate the legal response. In particular, the Department will assist with the following:
a. Providing documentation regarding the Security Incident.
b. Facilitating acquisition of necessary evidence.
c. Contacting appropriate stakeholders (or supplying contact information as requested) to respond to law enforcement needs.

C. Corrective Action

Under the terms of the Participation Agreement, the Department may suspend or terminate a Participant's access to the IHIN to protect the security, integrity, and availability of the IHIN to other users.

V. Reporting and Communication

The IHIN Privacy and Security Officer will be responsible for documenting all processes and findings (or obtaining and archiving this information). The Incident Response Team will be involved in making the necessary determinations and recommendations to the Department, which will determine the necessary reporting and communications. The IHIN Privacy and Security Officer will help coordinate communication with those involved in the investigation.

A. Documentation and Reports

1. The Incident Form will facilitate a uniform investigation and documentation effort for all Security Incidents, even if the investigation concludes that no Security Incident occurred.

2. The Department will use discretion consistent with applicable law when sharing information with employees, Participants, law enforcement, vendors, business partners, the media, etc.

3. The Department will notify law enforcement as required, based on the advice of legal counsel.

4. The IHIN Privacy and Security Officer will create a confidential document [1] summarizing the Security Incident that will include information such as, but not limited to:

[1] This document, which shall include the forms, documents, and data comprising the investigative file, will be Confidential Records pursuant to the Iowa Health Information Network Security Policies and Iowa Code 22.7(50) (2013).

a. High-level description of the Security Incident and its scope
b. Impact on the IHIN
c. Actions taken to prevent further occurrences
d. Recommendations for further action

This report will be reviewed by the Incident Response Team, who will have an opportunity to provide feedback.

5. At each meeting of the e-health Executive Committee and Advisory Council, the Privacy and Security Officer will provide a high-level description of any confirmed Security Incidents and Breaches that may have occurred since the Council's last meeting. The description will include the number and severity levels of Security Incidents and a high-level description of the Department's actions taken in response to them. Such information may be presented orally rather than in writing.

B. Communication

1. The Participant will notify individuals when their PHI is breached, as required by law, and will provide the IHIN Privacy and Security Officer with findings and any actions taken in response to the investigation.

2. If there has been a confirmed Breach caused by a failure in the IHIN, the Department will determine whether reporting of a PHI Breach to HHS is required and, if so, whether the magnitude of the breach requires reporting to HHS within 60 days of discovery (in cases of 500 or more affected individuals) or within 60 days of the end of the year. If Breach notification is required, the Department will work with legal counsel to determine the specific legal obligations and the content and timeline for notification.

3. If during the investigation of a Security Incident a breach of an applicable data breach law protecting personally identifiable information (e.g., social security number, mother's maiden name, biometric records) is discovered, the party having responsibility under the law shall comply with the law's reporting requirements.

Appendix A

HIPAA Breach Definition (45 C.F.R.)

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

1. Breach excludes:
a. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
b. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
c. A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

2. Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
a. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
b. The unauthorized person who used the protected health information or to whom the disclosure was made;
c. Whether the protected health information was actually acquired or viewed; and
d. The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law.

Appendix B

Incident Response Team

The IHIN Incident Response Team is convened as needed to contain, investigate, and prevent future Security Incidents.

1. Team Composition. The Department, in consultation with the Privacy and Security Workgroup, will determine the skill sets necessary for effective incident response. The qualifications needed and the size of the team may vary by incident; therefore a core team will be identified, along with as-needed team members. Members of the Incident Response Team should be available on short notice to quickly address needs. Members should be familiar with the IHIN, including its objectives and the general network design. Team members are expected to share their knowledge and expertise, and to help develop recommendations and action items related to Security Incident response. The IHIN Privacy and Security Officer will serve as the Security Incident lead for all Security Incidents, and will coordinate all activities for the Incident Response Team.

2. Responsibilities of the Incident Response Team include:
a. Collect and/or review the incident documentation and event reports
b. Verify facts
c. Maintain data integrity -- maintain baselines of normal activity to use for comparison
d. Start forensic analysis: how, what, and why did this happen?
e. Keep detailed logs
f. Develop and record a hypothesis regarding the cause of the Security Incident:
i. How does the evidence support/contradict it?
ii. What evidence was discovered, and how was the hypothesis tested?
iii. What important interactions took place?

3. Documentation. The IHIN Privacy and Security Officer will be responsible for maintaining all evidence, logs, and data associated with the Security Incident, as well as preserving an Audit Trail. The IHIN Privacy and Security Officer will use care to avoid dissemination of confidential information in sharing reports and documents associated with the Security Incident. All documentation associated with a breach will be retained for a period of not less than seven years. All forms and documents associated with a Security Incident are Confidential Records pursuant to the Iowa Health Information Network Security Policies and Iowa Code 22.7(50).

4. Contact Information. The Department will create and distribute an Incident Response Phone List that is updated at least quarterly. The list will include each member's name, role on the Incident Response Team, work/cell/home phone numbers, and address. For each Team member outside the Department, there will be an alternate or backup contact person.

Incident Response Team Phone List

Last Updated: ________

Role                        Name    Work Phone    Home Phone    Cell Phone
IDPH P&S Officer
IDPH IT Project Manager
PIO
Forensics Expert
DAS ICA Rep
Xerox Rep

Names appearing in the transcribed list: Sarah Brooks, Tracy Donner, Polly Carver-Kim (the role-to-name alignment did not survive transcription).

Workgroup and Participant volunteer members (and alternates, in case of conflict of interest):
e-health P&S WG rep (not from a Participant already having team membership)
Alternate
Privacy Officer from Participant
Alternate
Security Officer from Participant
Alternate

Appendix C

Incident Form (Insert Excel Workbook)


More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

BUSINESS ASSOCIATE AGREEMENT Tribal Contract

BUSINESS ASSOCIATE AGREEMENT Tribal Contract DEPARTMENT OF HEALTH SERVICES Division of Enterprise Services F-00714 (08/2013) STATE OF WISCONSIN BUSINESS ASSOCIATE AGREEMENT Tribal Contract This Business Associate Agreement is made between the Wisconsin

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations

HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations Health Care Litigation Webinar Series March 22, 2012 Spence Pryor Paula Stannard Jason Popp 1 HIPAA/HITECH

More information

Breach Notification Decision Process 1/1/2014

Breach Notification Decision Process 1/1/2014 WEDI Strategic National Implementation Process (SNIP) Privacy and Security Workgroup Breach Risk Assessment Issue Brief Breach Notification Decision Process 1/1/2014 Workgroup for Electronic Data Interchange

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

FACT SHEET: Ransomware and HIPAA

FACT SHEET: Ransomware and HIPAA FACT SHEET: Ransomware and HIPAA A recent U.S. Government interagency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS

SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS Reference Purpose Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 United States Code 1320d et seq.;

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Table of Contents INTRODUCTION AND PURPOSE 1

Table of Contents INTRODUCTION AND PURPOSE 1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda

4/9/2015. One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification. Agenda One Year After the HIPAA Omnibus Rule: Lessons Learned in Breach Notification Adam H. Greene, JD, MPH Partner Davis Wright Tremaine HCCA Compliance Institute April 22, 2015 Doug Pollack Chief Strategy

More information

Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches)

Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches) Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches) Presented by: Allyson Jones Labban, Esq. 300 N. Greene Street, Ste. 1400 Greensboro, NC 27401 T: 336.378.5200 E: allyson.labban@smithmoorelaw.com

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 12 I. Policy The Health Information Technology for Economic and Clinical Health Act ( HITECH ) regulations contain requirements for notifying individuals in the event of a breach of their unsecured

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;

Page 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared; Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

Policies and Procedures POLICY: Breach Notification and Mitigation Policy Policy #21 Effective Date: November 7, 2013

Policies and Procedures POLICY: Breach Notification and Mitigation Policy Policy #21 Effective Date: November 7, 2013 Policies and Procedures POLICY: Breach Notification and Mitigation Policy Policy #21 Effective Date: November 7, 2013 Purpose: HIPAA, HITECH, the Illinois Personal Information Protection Act ( PIPA ),

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

BUSINESS ASSOCIATE AGREEMENT. Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and

BUSINESS ASSOCIATE AGREEMENT. Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and BUSINESS ASSOCIATE AGREEMENT Emory University and/or Emory Healthcare, Inc. ( Emory ) ( Covered Entity ) and Associate ) ( Business This Business Associate Agreement (this Agreement ) effective as of (the

More information

Sample Business Associate Agreement Provisions

Sample Business Associate Agreement Provisions Sample Business Associate Agreement Provisions Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions. Definitions Catch-all

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 9/3/14 Gerald Jud E. DeLoss Disclaimer 2 o This presentation and its materials are for informational purposes only and not for the purpose

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings:

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings: HITECH/HIPAA Breach Notification Regulations This summary was prepared by the New Jersey Department of Human Services Privacy Officer on February 24, 2010 for distribution at the Division of Addiction

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Your Agency Just Had a Privacy Breach Now What?

Your Agency Just Had a Privacy Breach Now What? 1 Your Agency Just Had a Privacy Breach Now What? Kathleen Claffie U.S. Customs and Border Protection What is a Breach The loss of control, compromise, unauthorized disclosure, unauthorized acquisition,

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

HIPAA Update Focus on Breach Prevention

HIPAA Update Focus on Breach Prevention HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9

University of Colorado at Denver and Health Sciences Center HIPAA Policy. Policy: 9.2 Latest Revision: 04/17/2005 Security Incidents Page: 1 of 9 Security Incidents Page: 1 of 9 I. Purpose, Reference, and Responsibility A. Purpose The purpose of this policy is to define a security incident and to provide the procedures for notification, investigation,

More information

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN. 1250 Siskiyou Boulevard Ashland OR 97520 AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN 1250 Siskiyou Boulevard Ashland OR 97520 Revision History Revision Change Date 1.0 Initial Incident Response Plan 8/28/2013 Official copies

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

HIPAA POLICY REGARDING BUSINESS ASSOCIATES

HIPAA POLICY REGARDING BUSINESS ASSOCIATES HIPAA POLICY REGARDING BUSINESS ASSOCIATES SCOPE OF POLICY: What Units Are Covered by this Policy?: This policy applies to the following units of Emory University: School of Medicine; School of Nursing;

More information