Much like Arthur Dent in the opening scene of The Hitchhiker's Guide to the Galaxy (HHGTTG), you're experiencing the impact of new legislation that's infringing on your comfort zone. It's vague, but it comes with hefty fines if not followed to the blurry letter, and those fines can run as high as $1.5 million. In fact, six of the 10 settlements announced by the U.S. Department of Health and Human Services (HHS) have exceeded $1 million. [i]

Don't panic. To help you through this transition, we've developed this guide. Think of it as your towel: if you have this, you can make it through anything. This guide provides an easy-to-read overview of the HIPAA/HITECH basics and points you to further resources for your journey into HIPAA compliance. If you're a HHGTTG fan, you're going to like this. And even if you're not, you'll learn some valuable lessons about life, the universe and everything as it relates to the HIPAA regulations that now apply to you.

What's the story?

The Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009, and the HIPAA Omnibus Final Rule that HHS issued in 2013 to implement it, extend HIPAA obligations directly to the business associates of health care companies, which includes the technology solution providers that service them.

How does this impact you?

1. You must now comply with certain HIPAA requirements.
2. You can be audited for HIPAA compliance at any time.
3. You can be fined up to $1.5 million per year for failing to comply.

Use the high-level overview in this guide to familiarize yourself with the requirements, which went into full effect on September 23, 2013.

Important notice: This resource was not written by lawyers. It is not legal advice, so please do not use it that way. It is intended as an overview written in everyday language. If you need legal advice about HIPAA/HITECH compliance, please consult an experienced attorney.

No warranties: This ebook is provided as a convenience. Much of its content is adapted from the HIPAA Administrative Simplification Regulation Text issued by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), March 2013. You are encouraged to visit the OCR website for clarification and for updates. LabTech Software makes no representations or warranties of any kind, express or implied, regarding the accuracy, completeness, reliability or suitability of this guide and the information it contains, or as to the availability of the ebook. LabTech Software and its affiliates disclaim any and all liability for injuries or damages that may arise from relying on the information contained in this guide or from the unavailability of the ebook.
1 Why IT Service Providers Must Be HIPAA/HITECH Compliant

"Business Associates account for approximately 22.7% of all reported major breaches." [ii] Melamedia LLC

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to provide for the protection and confidential handling of protected health information (PHI). The intent was to ensure that anyone who had access to or control of PHI would meet certain requirements and duties for auditing and compliance.

The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed by Congress in 2009 and expands on the original HIPAA standards. The most recent requirements, known as the HIPAA/HITECH Omnibus Final Rule, clarify the regulations and extend direct liability for protecting PHI beyond covered entities (those that generate or directly process PHI as part of their regular business activities) to Business Associates.

Who is considered a Business Associate (BA)?

A BA is any person or organization that creates, receives, maintains or transmits PHI on behalf of a covered entity, or that provides a service to a covered entity that involves access to PHI. Under the Omnibus Final Rule, a subcontractor that creates, receives, maintains or transmits PHI on behalf of a BA is itself a BA. IT service providers and managed service providers (MSPs) are BAs because they perform functions on behalf of a covered entity that may require access to, or result in accidental or inadvertent exposure to, PHI.

It's All About Access

Even if you aren't made aware that you have potential access to PHI, or that you are storing it, you are still subject to the BA requirements for that PHI. If you have access to a covered entity's IT infrastructure, whether you use it or not, whether it's part of your function or not, whether it's part of your contracted services or not, you are considered a BA and must comply with the regulations.

The regulatory requirements descend all the way down the chain to any and all entities that have access to the data, which means any of your subcontractors who may potentially or inadvertently be exposed are also BAs. Off-site storage, hosted email, spam filtering and archiving providers all fit this bill, as do many others.

Your Responsibilities

Under the HIPAA/HITECH Omnibus Final Rule, BAs are directly responsible for complying with certain HIPAA requirements. Specifically, BAs must comply with the following HIPAA subparts:

- Security Standards for the Protection of Electronic Protected Health Information
- Certain sections of Privacy of Individually Identifiable Health Information
- Certain sections of Notification of Breach of Unsecured Protected Health Information

For the remainder of this ebook, these are referred to as the Security Rule, the Privacy Rule and the Breach Notification Rule. The requirements of each are outlined in the coming chapters.
2 The Security Rule: General Requirements

The Security Rule applies to PHI in electronic form. Its purpose is to make certain that anyone who has access to electronic protected health information (ePHI) will:

1. Ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits.
2. Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
3. Protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required by the Privacy Rule.
4. Ensure compliance by its workforce.

To accomplish this, the Security Rule outlines specific safeguards and requirements that must be addressed by covered entities, BAs and any subcontractor of either that has, or may be exposed to, ePHI. The requirements are divided into four categories:

1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
4. Policies and Procedures and Documentation Requirements

Each category includes specific standards that must be met, along with implementation specifications describing how each standard should be implemented.

Some implementation specifications are required and others are addressable. Addressable does not mean optional. For an addressable specification, you must assess whether it is a reasonable and appropriate safeguard in your particular environment. If it is, you must implement it. If it is not, you must document why, and implement an equivalent alternative measure if that is reasonable and appropriate.

The Security Rule also includes a flexibility factor: you may use any security measures you choose, so long as they allow you to reasonably and appropriately meet the standards and implementation specifications. In deciding which security measures to use, you may take the following factors into account:

- The size, complexity and capabilities of your business
- Your technical infrastructure, and the security capabilities of your hardware and software
- The cost of security measures
- The probability and criticality of potential risks to ePHI

These factors must be considered as a whole. Cost alone is not an acceptable reason for not implementing a standard or implementation specification.
3 The Security Rule: Administrative Safeguards

The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's [business associate's] workforce in relation to the protection of that information." [iii]

There are eight technical standards and one business standard that you must meet under the Administrative Safeguards section of the Security Rule.

"About 76% of network intrusions involve weak credentials." [iv] InformationWeek

Technical Standards

1. Security Management Process
Implement policies and procedures to prevent, detect, contain and correct security violations.
Required Implementation Specifications
A. Risk Analysis: Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.
B. Risk Management: Implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
C. Sanction Policy: Apply appropriate sanctions against employees who fail to comply with your security policies and procedures.
D. Information System Activity Review: Implement procedures to regularly review records of information system activity, such as audit logs, access reports and security incident tracking reports, to determine whether any ePHI was used or disclosed in an inappropriate manner.

2. Assigned Security Responsibility
Identify the security official within your business who is responsible for the development and implementation of the required policies and procedures.

3. Workforce Security
Implement policies and procedures to ensure that all employees have appropriate access to ePHI, and to prevent employees who should not have access from obtaining it.
Addressable Implementation Specifications
A. Authorization and/or Supervision: Implement procedures for the authorization and/or supervision of employees who work with ePHI or who work in locations where ePHI could be accessed.
B. Workforce Clearance Procedure: Implement procedures to determine whether an employee's access to ePHI is appropriate.
C. Termination Procedures: Implement procedures for terminating access to ePHI when employment ends or when an employee no longer needs access to ePHI.

4. Information Access Management
Implement policies and procedures for authorizing access to ePHI.
Required Implementation Specifications
A. Isolating Health Care Clearinghouse Functions: If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect its ePHI from unauthorized access by the larger organization.
Addressable Implementation Specifications
A. Access Authorization: Implement policies and procedures for granting access to ePHI, for example through access to a workstation, transaction, program, process or other mechanism.
B. Access Establishment and Modification: Implement policies and procedures that establish, document, review and modify a user's right of access to a workstation, transaction, program or process, based on your access authorization policies.

5. Security Awareness and Training
Implement a security awareness and training program for all members of your workforce, including management.
Addressable Implementation Specifications
A. Security Reminders: Provide periodic security updates to all members of your workforce.
B. Protection From Malicious Software: Implement procedures for guarding against, detecting and reporting malicious software, including training employees on their role in protecting against it.
C. Log-in Monitoring: Implement procedures for monitoring log-in attempts and reporting discrepancies.
D. Password Management: Implement procedures for creating, changing and safeguarding passwords.

6. Security Incident Procedures
Implement policies and procedures to address security incidents. A security incident is defined as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system." [iii]
Required Implementation Specifications
A. Response and Reporting: Identify and respond to suspected or known security incidents, mitigate the harmful effects of known security incidents to the extent practicable, and document security incidents and their outcomes.

7. Contingency Plan
Establish policies and procedures for responding to an emergency or other occurrence (such as fire, vandalism, system failure or natural disaster) that could damage systems containing ePHI, and implement them as needed.
Required Implementation Specifications
A. Data Backup Plan: Establish and implement procedures to create and maintain retrievable exact copies of ePHI.
B. Disaster Recovery Plan: Establish procedures to restore any loss of data, and implement them as needed.
C. Emergency Mode Operation Plan: Establish procedures that allow critical business processes to continue, while protecting the security of ePHI, during emergency mode operation, and implement them as needed.
Addressable Implementation Specifications
A. Testing and Revision Procedures: Implement procedures for periodic testing and revision of contingency plans.
B. Applications and Data Criticality Analysis: Assess the relative criticality of specific applications and data, and develop a prioritized list of the applications and information systems that must be restored first or must be available at all times.

8. Evaluation
Perform a periodic technical and nontechnical evaluation, based initially on the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of ePHI, that establishes the extent to which your security policies and procedures meet the requirements of the Security Rule.

Business Standards

1. Business Associate Contracts and Other Arrangements
You may permit a subcontractor to create, receive, maintain or transmit ePHI on your behalf only if you obtain satisfactory assurances that the subcontractor will appropriately safeguard the information.
Required Implementation Specifications
A. Written Contract or Other Arrangement: Satisfactory assurances must be documented in a written agreement that meets the applicable HIPAA requirements. BA contract requirements are outlined in Chapter 9 of this ebook.

Need assistance with your Risk Analysis? The National Institute of Standards and Technology (NIST) has published a Guide for Conducting Risk Assessments (NIST SP 800-30) that can help.
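The Information System Activity Review and Log-in Monitoring specifications above ask for procedures rather than a particular product, but in practice the review is a script run over your audit logs. What follows is an added example, not code from this guide or from any LabTech product: it parses a few constructed audit-log lines in an assumed pipe-delimited format and reports (a) accounts that hit five failed logins within five minutes and (b) ePHI reads by users outside an assumed clearance list or outside assumed business hours. The log format, user names, thresholds, business hours and the PHI_AUTHORISED list are all assumptions made for the example.

```python
"""Added example: a minimal Information System Activity Review over audit logs.

Two Administrative Safeguards are implemented as literal checks:
  * Log-in Monitoring  - accounts with repeated failed logins in a short window
  * Activity Review    - ePHI record reads by users not on the clearance list,
                         or outside the covered entity's business hours
Everything below the docstring (log format, names, thresholds) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed format: ISO timestamp|event|user|detail
SAMPLE_LOG = """\
2013-09-23T08:55:10|LOGIN_FAIL|jdoe|src=10.0.4.21
2013-09-23T08:55:14|LOGIN_FAIL|jdoe|src=10.0.4.21
2013-09-23T08:55:19|LOGIN_FAIL|jdoe|src=10.0.4.21
2013-09-23T08:55:25|LOGIN_FAIL|jdoe|src=10.0.4.21
2013-09-23T08:55:31|LOGIN_FAIL|jdoe|src=10.0.4.21
2013-09-23T09:02:00|LOGIN_OK|jdoe|src=10.0.4.21
2013-09-23T09:10:44|PHI_READ|jdoe|record=PT-1042
2013-09-23T11:30:02|PHI_READ|msmith|record=PT-1042
2013-09-23T22:41:07|PHI_READ|jdoe|record=PT-2210
2013-09-23T12:05:00|PHI_READ|tech01|record=PT-0007
2013-09-23T13:00:00|LOGIN_FAIL|msmith|src=10.0.4.30
"""

# Assumed workforce clearance list: only these users may read ePHI.
PHI_AUTHORISED = {"jdoe", "msmith"}
BUSINESS_HOURS = (7, 19)            # assumed: 07:00-19:00 local time
FAIL_THRESHOLD = 5                  # assumed: 5 failures ...
FAIL_WINDOW = timedelta(minutes=5)  # ... within any 5-minute window


def parse_log(text):
    """Parse pipe-delimited lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: do not let it abort the whole review
        ts, event, user, detail = parts
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Users with >= threshold LOGIN_FAIL events inside a sliding time window."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["user"]].append(e["ts"])
    flagged = set()
    for user, times in fails.items():   # times are already sorted
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def improper_phi_access(events, authorised=PHI_AUTHORISED, hours=BUSINESS_HOURS):
    """(user, record, reason) for PHI_READ events that warrant follow-up."""
    findings = []
    for e in events:
        if e["event"] != "PHI_READ":
            continue
        record = e["detail"].split("=", 1)[-1]
        if e["user"] not in authorised:
            findings.append((e["user"], record, "not authorised for ePHI"))
        elif not (hours[0] <= e["ts"].hour < hours[1]):
            findings.append((e["user"], record, "outside business hours"))
    return findings


def review(text):
    """Run both checks and return the findings for documentation/sanction follow-up."""
    events = parse_log(text)
    return {"login_bursts": failed_login_bursts(events),
            "phi_findings": improper_phi_access(events)}


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(name, result)
```

Both checks return data rather than printing it so the review can be written to the incident-tracking record the Security Incident Procedures standard expects; a real deployment would read the RMM or EHR audit export instead of SAMPLE_LOG and tune the window and hours per covered entity.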
4 The Security Rule: Physical Safeguards

The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's [business associate's] electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." [v]

There are four standards that must be met under the Physical Safeguards section of the Security Rule.

"80% of data breaches would have been stopped or forced to change tactics if a suitable replacement for passwords (such as multifactor authentication) had been used." [iv] InformationWeek

1. Facility Access Controls
Implement policies and procedures to limit physical access to your electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed.
Addressable Implementation Specifications
A. Contingency Operations: Establish procedures that allow facility access in support of restoring lost data under your disaster recovery plan and emergency mode operations plan, and implement them as needed.
B. Facility Security Plan: Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering and theft.
C. Access Control and Validation Procedures: Implement procedures to control and validate a person's access to facilities based on their role or function, including visitor control and control of access to software programs for testing and revision.
D. Maintenance Records: Implement policies and procedures to document repairs and modifications to the physical components of a facility that relate to security, such as hardware, walls, doors and locks.

2. Workstation Use
Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.

3. Workstation Security
Implement physical safeguards for all workstations that access ePHI to restrict access to authorized users.

4. Device and Media Controls
Implement policies and procedures that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility.
Required Implementation Specifications
A. Disposal: Implement policies and procedures for the final disposal of ePHI and/or the hardware or electronic media on which it is stored, so that the ePHI is unusable or inaccessible.
B. Media Re-use: Implement procedures to remove ePHI from electronic media before the media are made available for re-use.
Addressable Implementation Specifications
A. Accountability: Maintain a record of the movements of hardware and electronic media and of any person responsible for them.
B. Data Backup and Storage: Create a retrievable, exact copy of ePHI, when needed, before moving equipment.
5 The Security Rule: Technical Safeguards

The Security Rule defines technical safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." [vi]

There are five standards that must be met under the Technical Safeguards section of the Security Rule.

1. Access Control
Implement technical policies and procedures for electronic information systems that maintain ePHI, so that access is allowed only to those persons or software programs that have been granted access rights under your Administrative Safeguards.
Required Implementation Specifications
A. Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
B. Emergency Access Procedure: Establish procedures for obtaining necessary ePHI during an emergency, and implement them as needed.
Addressable Implementation Specifications
A. Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined period of inactivity.
B. Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI.

2. Audit Controls
Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

3. Integrity
Implement policies and procedures to protect ePHI from improper alteration or destruction.
Addressable Implementation Specifications
A. Mechanism to Authenticate ePHI: Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

4. Person or Entity Authentication
Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.

5. Transmission Security
Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
Addressable Implementation Specifications
A. Integrity Controls: Implement security measures to ensure that transmitted ePHI is not improperly modified without detection.
B. Encryption: Implement a mechanism to encrypt ePHI in transit whenever deemed appropriate.
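The Integrity standard's "Mechanism to Authenticate ePHI" specification is, in practice, a keyed integrity tag stored with each record and checked on every read. Below is an added example of such a mechanism, not code from this guide or from any LabTech product, using HMAC-SHA256 from the Python standard library over a canonical JSON serialization of the record. The record fields, the in-memory key and the envelope layout are assumptions; the key would normally live in a KMS or HSM rather than beside the data. An HMAC provides integrity and authenticity only, so the Encryption specifications under Access Control and Transmission Security still apply to the data itself.

```python
"""Added example: integrity mechanism for stored ePHI records (HMAC-SHA256).

Each record is stored in an envelope with a tag computed over a canonical JSON
serialisation under a key that is kept outside the record store. On read the
tag is recomputed and compared in constant time; any change to a field, or to
the tag, is reported as an integrity failure instead of being silently accepted.
Fields, key handling and envelope layout are assumptions for this example.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record: dict) -> bytes:
    """Deterministic serialisation: key order or whitespace must never change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Return the stored envelope: the record plus its HMAC-SHA256 tag (hex)."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """True only if the stored tag matches the stored record under this key."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(expected, envelope["tag"])


def open_record(envelope: dict, key: bytes) -> dict:
    """Application read path: refuse to hand back ePHI that fails authentication."""
    if not verify(envelope, key):
        raise ValueError("ePHI integrity check failed: record altered or wrong key")
    return envelope["record"]


def demo():
    """Walk through the cases a practitioner should expect the mechanism to handle."""
    key = secrets.token_bytes(32)        # assumed: fetched from a KMS/HSM in practice
    record = {"patient_id": "PT-1042", "dob": "1970-01-01",
              "diagnosis_code": "E11.9"}  # constructed sample ePHI
    stored = seal(record, key)

    untouched_ok = verify(stored, key)

    # A field is altered after the fact (attacker, buggy migration or bit flip).
    tampered = {"record": dict(stored["record"], diagnosis_code="Z00.0"),
                "tag": stored["tag"]}
    alteration_detected = not verify(tampered, key)

    # Same content with keys in a different order must still verify
    # (that is what canonicalisation buys you).
    reordered = {"record": dict(reversed(list(stored["record"].items()))),
                 "tag": stored["tag"]}
    reorder_ok = verify(reordered, key)

    # A tag computed under some other key must not validate.
    wrong_key_rejected = not verify(stored, secrets.token_bytes(32))

    return untouched_ok, alteration_detected, reorder_ok, wrong_key_rejected


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

Storing the tag alongside the record is fine because an attacker who can rewrite both still lacks the key; what must be kept separate is the key itself, and its custody and rotation belong in the same documentation the Security Rule already requires for your other security measures.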
6 The Security Rule: Policies and Procedures and Documentation Requirements

There are two standards that must be met under the Policies and Procedures and Documentation section of the Security Rule.

1. Policies and Procedures
Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule, taking into account the flexibility factors outlined in Chapter 2 of this ebook. Policies and procedures may be changed at any time, provided the changes are documented and implemented in accordance with the Security Rule.

2. Documentation
Maintain the policies and procedures implemented to comply with the Security Rule in written form. If an action, activity or assessment is required to be documented, maintain a written record of it. Written records may be kept in electronic form.
Required Implementation Specifications
A. Time Limit: Retain the required documentation for six (6) years from the date of its creation or the date when it was last in effect, whichever is later.
B. Availability: Make documentation available to the persons responsible for implementing the procedures to which it pertains.
C. Updates: Review your documentation periodically and update it as needed in response to environmental or operational changes affecting the security of ePHI.
8 Breach Notification Rule

Under HIPAA, a breach is the acquisition, access, use or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. A breach does not include:

- Any unintentional acquisition, access or use of PHI by a workforce member or person acting under the authority of a BA, if it was made in good faith and within the scope of authority and does not result in further use or disclosure that is not permitted.
- Any inadvertent disclosure by a person who is authorized to access PHI to another person authorized to access PHI within the same organization, provided the information received is not further used or disclosed in a manner that is not permitted.
- A disclosure of PHI where the BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information.

Except as provided above, any acquisition, access, use or disclosure of PHI that is not permitted is presumed to be a breach unless you can demonstrate that there is a low probability that the PHI has been compromised, based on a risk assessment of at least the following factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. The extent to which the risk to the PHI has been mitigated

"26,898,943 patients were affected by major breaches (data breaches involving more than 500 patients) year-to-date through September 17." [ii] Melamedia LLC

Breach Notification Requirements of Business Associates

Unsecured PHI is PHI that has not been rendered unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology specified by HHS. Following the discovery of a breach of unsecured PHI, a BA must notify the covered entity without unreasonable delay, and in no case later than 60 calendar days after the breach is discovered. A breach is treated as discovered as of the first day on which it is known, or by exercising reasonable diligence would have been known, to any employee, officer or other agent of the BA.

The notification must include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed to have been, accessed, acquired, used or disclosed during the breach. The BA must also provide the covered entity with any other information the covered entity needs for its own notifications, at the time of the notification or as the information becomes available, including:

- A brief description of what happened, including the date of the breach and the date it was discovered.
- A description of the types of unsecured PHI involved, such as full name, social security number, date of birth, home address, account number, diagnosis, disability code or other types of information.
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what you are doing to investigate the breach, to mitigate harm to individuals and to protect against further breaches.
- Contact procedures for affected individuals to ask questions or learn additional information, which must include a toll-free telephone number, an email address, website or postal address.

Be sure to document all of the above. In the event of an impermissible use or disclosure, you have the burden of demonstrating that all required notifications were made, or that the use or disclosure did not constitute a breach.
9 Business Associate Agreements

A BA must have a BA agreement in place with every covered entity it does business with, as well as with every subcontractor that does work on its behalf and may have access to PHI. A BA agreement must meet the following requirements:

1. Establish the permitted and required uses and disclosures of PHI by the BA. The contract may not authorize the BA to use or further disclose the information in a manner that would violate HIPAA requirements, except that:
- The contract may permit the BA to use and disclose PHI for the proper management and administration of the BA.
- The contract may permit the BA to provide data aggregation services relating to the health care operations of the covered entity.

2. Provide that the BA will:
- Not use or further disclose the information other than as permitted by the agreement or as required by law.
- Use appropriate safeguards, and comply with the Security Rule with respect to ePHI, to prevent any use or disclosure of the information not permitted by the agreement.
- Report to the covered entity any use or disclosure of the information not permitted by the agreement, including breaches of unsecured PHI.
- Ensure that any subcontractors that create, receive, maintain or transmit PHI on behalf of the BA agree to the same restrictions and conditions that apply to the BA with respect to that PHI.
- Make PHI available in accordance with an individual's right of access to inspect and obtain a copy of their own PHI.
- Make PHI available for amendment, and incorporate any amendments, in accordance with an individual's right to have a covered entity amend PHI or a record about the individual in a designated record set.
- Make available the information required to provide an accounting of disclosures, in accordance with an individual's right to receive an accounting of disclosures of PHI made in the six years prior to the date of the request.
- To the extent the BA carries out a covered entity's obligations under the Privacy Rule, comply with the requirements that apply to the covered entity in the performance of those obligations.
- Make its internal practices, books and records relating to the use and disclosure of PHI received from, or created or received on behalf of, the covered entity available to HHS for purposes of determining the covered entity's compliance.
- At termination of the contract, if feasible, return or destroy all PHI received from, or created or received on behalf of, the covered entity that the BA still maintains in any form, and retain no copies. If return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction infeasible.

3. Authorize termination of the contract if it is determined that the material terms of the contract have been violated.

Note that a BA is not in compliance if it knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor's obligations under the contract, unless the BA took reasonable steps to cure the breach or end the violation and, if those steps were unsuccessful, terminated the contract if feasible.
10 Additional Responsibilities of Business Associates

In addition to meeting the requirements of the Security Rule, the Privacy Rule and the Breach Notification Rule, BAs must also:

1. Provide Records and Compliance Reports
Keep all of your compliance records, including documentation, and submit them, in such time and manner and containing such information as the Secretary of HHS or another HHS agent determines necessary, to enable HHS to ascertain whether you have complied or are complying with the applicable requirements.

2. Cooperate with Compliance Investigations and Compliance Reviews
Cooperate with HHS if it undertakes an investigation or compliance review of your policies, procedures or practices to determine whether you are complying with the applicable requirements.

3. Permit Access to Information
Permit HHS access during normal business hours to your facilities, books, records, accounts and other sources of information, including PHI, that are pertinent to ascertaining compliance with the applicable requirements. If HHS determines that exigent circumstances exist, such as when documents may be hidden or destroyed, you must permit access at any time and without notice. If any information required of you is in the exclusive possession of another agency, institution or person that fails or refuses to furnish it, you must certify this and set out the efforts you have made to obtain the information.
11 Penalties for Non-compliance

A BA is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the BA, including a workforce member or subcontractor, acting within the scope of the agency.

Monetary Penalties

The penalty tiers depend on the BA's level of culpability. Each tier is capped at $1.5 million per calendar year for identical violations:

1. You were unaware of the violation and, by exercising reasonable diligence, could not have known: $100 to $50,000 per violation, not to exceed $1.5 million per year.
2. The violation was due to reasonable cause and not to willful neglect: $1,000 to $50,000 per violation, not to exceed $1.5 million per year.
3. The violation was due to willful neglect but was corrected within 30 days of the date you knew, or by exercising reasonable diligence would have known, of it: $10,000 to $50,000 per violation, not to exceed $1.5 million per year.
4. The violation was due to willful neglect and was not corrected: $50,000 per violation, not to exceed $1.5 million per year.
Summary

Now that you've explored this guide, you're well on your way to meeting the requirements set forth in the HIPAA/HITECH Omnibus Final Rule. Keep this guide on hand, and start building out your strategy for bringing your team up to speed on HIPAA compliance. A little awareness can go a long way in helping you avoid hefty fines.

Your action items:

- Build and implement a HIPAA compliance plan
- Document all compliance methods (in case of an audit)
- Give HIPAA compliance training to all employees
- Drive accountability to compliance standards
- Always know where your HIPAA/HITECH compliance guide is

About LabTech Software

LabTech Software is the brainchild of a managed service provider (MSP) that struggled with the usual challenges and inefficiencies of a reactive IT maintenance and support model. LabTech, its flagship solution, was born of the urgent need to eliminate technician inefficiencies and the desire to provide preventive and proactive service. Developed with cutting-edge agent technology, LabTech is the only remote monitoring and management (RMM) platform created by system administrators for system administrators to automate your IT services and eliminate inefficiencies. For more information, please visit labtechsoftware.com. LabTech Software, George Road, Suite 200, Tampa, Florida.

References

[i] Mondaq. "United States: 5 Critical To-Do's Before The Next HIPAA Compliance Deadline." September 2013.
[ii] Health Information Privacy/Security Alert. "HIPAA & Breach Enforcement Statistics for October." Melamedia LLC.
[iii] HIPAA Security Series, Volume 2/Paper 2. "Security Standards: Administrative Safeguards." Department of Health & Human Services, March 2007.
[iv] "The 8 Most Common Causes of Data Breaches and How You Can Prevent Them." InformationWeek, May.
[v] HIPAA Security Series, Volume 2/Paper 3. "Security Standards: Physical Safeguards." Department of Health & Human Services, March 2007.
[vi] HIPAA Security Series, Volume 2/Paper 4. "Security Standards: Technical Safeguards." Department of Health & Human Services, March 2007.