HIPAA and Business Associates. Tempest in a Teapot or Perfect Storm?



Contents

Introduction
The Paragraph
The Page
The Detail
    The Dawning of the Digital Age
    Putting Dollars and Teeth in HIPAA
    HITECH Dollars
    HITECH Teeth
    HIPAA / HITECH Fine Structure
What to Do?
    Are You a Covered Entity?
    Are You a Business Associate?
    Storing Protected Health Information
Summary
    Elements of the Perfect Storm

Page 2 of 23

Introduction

The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, but its Privacy and Security Rules (and, later, the Breach Notification Rule) saw little enforcement. Several forces have combined in the past few years that will change how HIPAA impacts not only insurance companies, clearinghouses, and healthcare providers (all considered Covered Entities) but also Business Associates (those who have access to patient data in the performance of their contracted duties).

HealthCare Too specializes in HIPAA compliance through its medical-grade HIPAA Cloud Service, technology management, and consulting services. We are pleased to share our insights with you and are available to assist with your cloud hosting and HIPAA compliance needs.

This white paper is structured as four separate, stand-alone modules:

The Paragraph provides an ultra-high-level overview of the coming changes.
The Page gives a few more insights but avoids details and reference materials.
The Detail places tomorrow's changes in the context of HIPAA's history through a detailed analysis of various regulations, enforcement actions, technologies, and industry trends.
The Summary lists all the points made throughout this white paper in one easy-to-find location.

This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 United States License (CC BY-NC-ND 3.0 US).

The Paragraph

HIPAA became law in 1996, but there was no mechanism for enforcement of Privacy or Security until 2003, and not much happened even after those rules went into effect. The Health Information Technology for Economic and Clinical Health (HITECH) Act became law in 2009 and took effect in 2010, with a new fine structure of up to $1.5 million per calendar year for violations of an identical provision. There were more enforcement mechanisms for Privacy and Security, but Health and Human Services (HHS) used them sparingly with Covered Entities and did not use its HITECH powers against Business Associates at all. Starting in 2009, HHS worked on a HIPAA Final Rule that would give it the powers needed to regulate more fully the Covered Entities, Business Associates, and subcontractors who have access to patient data. In January 2013, HHS published this needed (and long-awaited) Final Rule. The Final Rule took effect March 26, 2013; Covered Entities, Business Associates, and subcontractors with access to patient data must be in compliance by September 23, 2013. As part of HITECH, HHS now has the authority to audit for HIPAA compliance, and it conducted 115 audits in 2012 that produced 979 audit findings and observations. All the elements of a HIPAA compliance perfect storm for Business Associates are in place.

The Page

The Health Insurance Portability and Accountability Act of 1996 has five major parts (or "titles") that address many aspects and implications for Americans moving among health insurance plans, such as guidance on pre-existing conditions, tax implications, group health plans, and many more. In order to reduce fraud, waste, and abuse, HIPAA included a section (Title II, Subtitle F) called Administrative Simplification. Health and Human Services (HHS) is responsible for Administrative Simplification, and from that legislative foundation HHS published a series of five rules to address concerns around patient data and to put in place standards that make healthcare transactions more efficient for electronic systems:

Privacy Rule (2000)
Security Rule (2003)
Transactions and Code Sets (2003)
Enforcement Rule (2006)
Unique Identifiers (2007)

Of these five rules, only the Privacy, Security, and Enforcement Rules focus on Protected Health Information (PHI), or patient data. However, these rules have been some of the least understood and least enforced parts of HIPAA.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the American Recovery and Reinvestment Act (ARRA) and went into effect in 2010. Designed to jump-start the US economy after the Great Recession, HITECH contained roughly $25 billion of investment and support for electronic health records. HITECH also contained much more aggressive enforcement provisions and much higher fines to protect and secure the health information that would be in those electronic health records. HHS did step up enforcement somewhat on insurers, clearinghouses, pharmacies, and providers; however, HHS purposefully left Business Associates off the enforcement radar until it could properly address Business Associates through a new Final Rule.

The HIPAA Final Rule was published January 25, 2013. It took effect March 26, 2013 and requires compliance by September 23, 2013 from Covered Entities, Business Associates, and the subcontractors who have access to Protected Health Information as part of their jobs. In addition to this much broader application, the Final Rule is more aggressive in protecting patient data through higher standards and higher fines (up to $1.5 million per calendar year for violations of an identical provision). Business Associates who are not already fully compliant in safeguarding Protected Health Information will soon find themselves at the mercy of a perfect storm.

The Detail

The Dawning of the Digital Age

In 1996 the Health Insurance Portability and Accountability Act (HIPAA) became law in order to address a challenge faced by many Americans: portability of insurance coverage for workers who changed jobs (e.g., pre-existing conditions, gaps in coverage). President Clinton and the US Congress also wanted to ensure that the growing exchange of electronic health information would benefit the US healthcare system through greater efficiency and better patient outcomes, but would not violate a patient's right to privacy regarding health matters or give rise to new forms of waste and mismanagement.

"To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information." (http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page)

To keep this in context in terms of the evolution of technology and e-commerce at the turn of the last century: Amazon.com went live as an online bookstore in 1995, and Google was incorporated a few years later. The late 1990s also saw the rise of online stock trading, which made it possible for individual investors to participate in trading that had been reserved for commissioned brokers. The US (and the world) could see more happening online and the potential benefits that could be applied to healthcare.

Fast forward to 2003: Amazon.com is branching out into markets beyond books, Google has practically become its own verb, and day trading across the globe has become commonplace. HHS, on the other hand, is only now adopting the Security Rule and the Transactions and Code Sets standards, and the Privacy Rule's compliance date is just arriving. The Information Superhighway had largely bypassed healthcare while many other industries raced along at full speed. Over a year later, the first prosecution under HIPAA came in November 2004, when Richard W. Gibson was convicted of using his access to Protected Health Information to steal patient data and use it to obtain credit cards.

(Source: The Seattle Times.)

In 2004, Facebook was founded by a group of Harvard students, and by October 24, 2007, Microsoft announced that it had purchased a 1.6% share of Facebook for $240 million, giving Facebook a total implied value of around $15 billion (https://en.wikipedia.org/wiki/facebook). In 2006, HHS announced the Enforcement Rule for HIPAA, and in 2007 came Unique Identifiers. Again HIPAA was generating much paper, and some arguably good ideas, but HIPAA and health information technology were moving at analog speed in a digital world. It was not for another four years, in 2008, that HHS implemented its first Corrective Action Plan, when Providence Health & Services agreed to an HHS Corrective Action Plan and to pay $100,000 (note: this was not a civil monetary penalty), stemming from the loss of backup media and laptops.

This was the first time HHS required a Resolution Agreement from a Covered Entity, more than a decade after HIPAA had been enacted and five years after compliance was required. With only a handful of high-profile cases, HIPAA was either an extraordinary success in the annals of compliance that did not require enforcement, or it simply did not have sufficient resources and mandate to enforce compliance. If our story stopped here, this would be a tempest in a teapot for both Covered Entities and Business Associates.

Putting Dollars and Teeth in HIPAA

In battling the Great Recession, the Obama Administration worked with Congress to pass the American Recovery and Reinvestment Act of 2009 (ARRA) [1]. Within the ARRA was the Health Information Technology for Economic and Clinical Health (HITECH) Act [2], which targeted increased spending for the US healthcare system. While many dollars flowed to different parts of healthcare from the ARRA, two parts of the HITECH Act are important here:

Roughly $25 billion for investments in and incentives for Health Information Technology
New enforcement for HIPAA

1 This should not be confused with the Affordable Care Act (or, by its correct name, the Patient Protection and Affordable Care Act) or "Obamacare".
2 We do not come up with the titles; we just report them.

HITECH Dollars

$25 billion in incentives would certainly lead to greater adoption of health information technology (HIT), as the CDC graphic on adoption of Electronic Medical Records (EMR), or Electronic Health Records (EHR), shows. (Graphic not reproduced in this transcription. Source: Hsiao CJ, Hing E. Use and characteristics of electronic health record systems among office-based physician practices: United States. NCHS data brief, no 111. Hyattsville, MD: National Center for Health Statistics.)

After a decade or more of limited progress for Security and Privacy in health information technology, this is the first element in our perfect storm for HIPAA and Business Associates: a substantive incentive from the Federal Government for HIT that spurred not only adoption but Meaningful Use [3] of HIT by providers and hospitals, which means greater and easier access to electronic Protected Health Information. There are many (many, many) articles that debate the effectiveness of Meaningful Use (or even of HIT), but there is little doubt that more providers and hospitals are using HIT and have received Meaningful Use payments. We should also note here that of the 15 Core Requirements for Stage One of Meaningful Use, compliance with the HIPAA Privacy and Security Rules is explicitly targeted in the criterion "Ensure Privacy and Security for Personal Health Information". In other words, an Eligible Provider or Eligible Hospital must demonstrate HIPAA compliance to receive Meaningful Use payments.

3 Meaningful Use is the term used by CMS that encapsulates the Core and Menu Requirements that an Eligible Provider or Eligible Hospital must demonstrate in order to collect incentive payments under HITECH.

HITECH Teeth

While HITECH offers billions of dollars in financial and other incentives for providers and hospitals to make greater use of electronic health records, a number of teeth have also been added through HITECH to enhance compliance with HIPAA.

Fines

When HIPAA was introduced in 1996 there were fines associated with non-compliance. However, the civil penalty structure was no more than $100 for each violation and not more than $25,000 for identical violations during a calendar year. Most Covered Entities had until April 2003 (and small providers until April 2004) to comply. As we saw in the preceding pages, there was very little enforcement activity and no large fines under the 1996 HIPAA. HITECH changed that. Under HITECH the fine structure changed considerably, from arguably a nuisance fine to the potential for millions of dollars. The annual cap applies to all violations of an identical provision within a calendar year.

HIPAA / HITECH Fine Structure

Violation Category                Per Violation        Per Calendar Year
Did Not Know                      $100 - $50,000       $1,500,000
Reasonable Cause                  $1,000 - $50,000     $1,500,000
Willful Neglect - Corrected       $10,000 - $50,000    $1,500,000
Willful Neglect - Not Corrected   $50,000              $1,500,000

While this fine structure was enacted in HITECH in 2009 and took effect in 2010, the Office for Civil Rights (OCR), charged with enforcing HIPAA / HITECH for HHS, has so far used it only sparingly, enough to demonstrate that compliance will be taken more seriously. On February 22, 2011, HHS imposed its first Civil Monetary Penalty (CMP), $4.3 million, on Cignet Health of Prince George's County, MD. The penalty stemmed from complaints from 41 patients who had been denied access to their medical records. That denial of access accounted for $1.3 million of the penalty. Cignet received an additional $3 million in penalties for its willful neglect in failing to cooperate with OCR's requests during the investigation.

The second element of the perfect storm for Business Associates and HIPAA was in place: a fine structure that was no longer for nuisance amounts but impactful, and directly linked to real compliance with OCR demands.

Audits

HITECH also provided for periodic audits by OCR to ensure that Covered Entities and Business Associates comply with HIPAA / HITECH:

"SEC. AUDITS. The Secretary shall provide for periodic audits to ensure that covered entities and business associates that are subject to the requirements of this subtitle and subparts C and E of part 164 of title 45, Code of Federal Regulations, as such provisions are in effect as of the date of enactment of this Act, comply with such requirements."

And OCR actually implemented a fairly robust round of audits in 2012: OCR developed a 169-point audit protocol [4] that was then used with 115 Covered Entities during 2012. OCR has spent a significant portion of 2013 developing a better understanding of the audit findings and observations. Two graphs from a July 13, 2013 OCR / WEDI webinar show the results:

4 The audit protocol is located on the HHS Office for Civil Rights website.

[The two OCR / WEDI webinar graphs of the 2012 audit findings and observations are not reproduced in this transcription.]

Of the 115 entities, 13 had no findings, leaving 979 audit findings and observations among the other 102 entities. Considering that Covered Entities have been aware of HIPAA since 1996 and directly accountable for compliance since at least 2004, this does not bode well for Business Associates, who had never been directly subject to HIPAA until this year. This is the third element in the perfect storm for HIPAA and Business Associates: there is a legal mandate for HHS to conduct audits ("shall provide for periodic audits", not "may provide for periodic audits"), and OCR has already compiled and executed a formalized audit program with 115 Covered Entities.

BAs Included

So finally we get to the Business Associate! For some this may come as a surprise and for others it is common knowledge: the reason for Business Associate Agreements (or Contracts) was that HHS had no jurisdiction over Business Associates [5]. OCR simply could not hold Business Associates directly accountable for HIPAA violations. This was (somewhat obliquely) referenced in a posting in the HHS Frequently Asked Questions. Since its passage in 1996, HIPAA had not applied directly to Business Associates. To work around this, HHS and OCR did the next best thing: ensure that Covered Entities had a contractual arrangement in place with Business Associates, the Business Associate Agreement (BAA). If the Covered Entity did not have a BAA in place, then the Covered Entity could be held in violation of HIPAA.

HITECH, on the other hand, did directly apply HIPAA provisions to Business Associates when it passed in 2009. However, HHS and OCR operated under an Interim Final Rule that did not directly apply to Business Associates until a Final Rule could be published. With the Final Rule (also called the Omnibus or Mega Rule) published in January 2013, HIPAA / HITECH (without question or apology) now applies directly to Business Associates. The following is an excerpt from the Omnibus Rule published in January 2013, explaining the change concerning Business Associates; the HealthCare Too translation follows each portion of the excerpt.

5 Kirk J. Nahra of Wiley Rein, LLP has particularly insightful analyses of the business associate and HIPAA.

Excerpt:

"2. Modifications to the HIPAA Security Rule in Subpart C

a. Business Associates

Proposed Rule

Before the HITECH Act, the Security Rule did not directly apply to business associates of covered entities. However, section of the HITECH Act provides that the Security Rule's administrative, physical, and technical safeguards requirements in , , and , as well as the Rule's policies and procedures and documentation requirements in , apply to business associates in the same manner as these requirements apply to covered entities, and that business associates are civilly and criminally liable for violations of these provisions. To implement section of the HITECH Act, we proposed to insert references in Subpart C to business associate following references to covered entity, as appropriate, to make clear that these provisions of the Security Rule also apply to business associates. In addition, we proposed additional changes to , , , , and of the Security Rule, as discussed below."

HealthCare Too Translation: HHS did not have jurisdiction over business associates to hold them directly accountable for the HIPAA Security Rule, even with HITECH, until the appropriate changes were made via the Final Rule (published January 25, 2013). Those changes have been made, and starting September 23, 2013 business associates are directly accountable for implementing and following the entire Security Rule.
This, however, should not be a problem, since business associates were supposed to implement Security Rule safeguards as part of the Business Associate Agreements they should have had in place for years. For those few Business Associates who have not implemented the appropriate safeguards, there is guidance on the HHS website, and it should not be that difficult.

Excerpt (continued):

"Overview of Public Comments

Some commenters argued that the time, implementation expense, transaction cost, and liability cost burdens on business associates and subcontractors to comply with the Security Rule, especially small and midsize entities, would be significant. Other commenters supported the direct application of the Security Rule to business associates and subcontractors.

Final Rule

We adopt the modifications to the Security Rule as proposed to implement the HITECH Act's provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See (a). Consequently, business associates and subcontractors should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance with the Security Rule requirements. Moreover, the requirements of the Security Rule were designed to be technology neutral and scalable to all different sizes of covered entities and business associates. Covered entities and business associates have the flexibility to choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. Thus, the costs of implementing the Security Rule for large, mid-sized, or small business associates will be proportional to their size and resources.

Notwithstanding the above, based on the comments, we acknowledge that some business associates, particularly the smaller or less sophisticated business associates that may have access to electronic protected health information for limited purposes, may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require. For these business associates, we include an estimate for compliance costs below in the regulatory impact analysis. We also refer these business associates to our educational papers and other guidance on compliance with the HIPAA Security Rule found at: These materials provide guidance on conducting risk analyses and implementing the other administrative safeguards required by the Security Rule, which may prove helpful to these business associates and facilitate their compliance efforts."

The fourth element of the perfect storm for Business Associates and HIPAA is now in place: Business Associates are directly liable for compliance with the HIPAA Security Rule. The HIPAA Omnibus Rule assumes that Business Associates are already in compliance, or will be with only modest changes, since they were already doing so historically through the requirements of their Business Associate Agreements.

Funding

One might think the preceding four elements would be enough to make a perfect storm for Business Associates and HIPAA. But wait, there is more. According to the Director of the Office for Civil Rights (the enforcement agency for HIPAA / HITECH):

"We've been slowly ramping up enforcement. It's worth noting that the HITECH Act permitted the Office for Civil Rights to retain the recoveries and utilize them for 2 purposes: fund more enforcement, which is what we've done with the proceeds until now, and to make restitution to the victims. We are now developing a formula for restitution." [6]

So HITECH allows OCR to use whatever it recovers in order to fund more enforcement. In a time of budget sequestration and cuts, OCR will increasingly be required to fund its own operations and will also need to help the victims of HIPAA breaches. This is a fifth element of the perfect storm for HIPAA and Business Associates: HITECH provides OCR with a mechanism for independence from sequestration and budget cuts in pursuit of its mission to protect patient data through enforcement of HIPAA.

Leon Rodriguez, Appointed Director September 13, 2011

On September 13, 2011, Leon Rodriguez became the Director of the HHS Office for Civil Rights (OCR) and, thereby, the chief enforcer of HIPAA / HITECH. Before taking over OCR, Mr. Rodriguez was with the Department of Justice in its Civil Rights Division. With a background as both a prosecutor and a healthcare litigator, Mr. Rodriguez is known for his phrase that "enforcement promotes compliance." HHS Secretary Kathleen Sebelius said of Mr. Rodriguez's appointment, "He will also spearhead the department's continued work to ensure great consumer confidence through strong and effective enforcement of the privacy and security of protected health information."

6 hitech-world-hipaa-violations-rise-according-director-ocr

Not two months later, Director Rodriguez testified before the Senate Judiciary Committee's Subcommittee on Privacy, Technology and the Law that "I am the first Director of the Office for Civil Rights to come to the Office with experience, extensive experience, both in law enforcement and as a healthcare provider lawyer, and it's my commitment to ramp up the enforcement of the Office." [7] 2012 saw the introduction of an OCR audit pilot program, an uptick in financial settlements with Covered Entities, and the HIPAA Omnibus release in January 2013 after several years of work.

The sixth element in the perfect storm for Business Associates and HIPAA is the appointment of Leon Rodriguez, a seasoned prosecutor and healthcare attorney, as Director of the Office for Civil Rights, who has testified before the Senate of his commitment to ramp up enforcement.

7 At 37:12 of the testimony.

Demand for Stolen Data

While much of HIPAA / HITECH has been focused for the past decade on compliance and enforcement among the "good guys" who run legitimate businesses, there has been a growing economic interest among the "bad guys" in that same protected health data:

"A thief downloading and stealing data can get $50 on the street for a medical identification number compared to just $1 for a Social Security number. For those receiving the medical ID number and using it to defraud a health care organization, the average payout is more than $20,000, according to Pam Dixon, executive director of the World Privacy Forum. 'Compare that to just $2,000 for the average payout for regular ID theft.'" [8]

Though many online businesses that started in the late 1990s or early 2000s (the same time as HIPAA and many health information technologies) have developed sophisticated security systems and invested heavily in properly managed data centers, many Covered Entities and Business Associates still rely on an unprotected server in the storage room of their office, a $7.95/month shared hosting account, a free Internet storage service, a hodgepodge of different cloud services that they have to maintain themselves, and itinerant IT help. In a December 25, 2012 article, The Washington Post pointed out how serious this vulnerability has become:

"As the health-care industry rushed onto the Internet in search of efficiencies and improved care in recent years, it has exposed a wide array of vulnerable hospital computers and medical devices to hacking, according to documents and interviews. Security researchers warn that intruders could exploit known gaps to steal patients' records for use in identity theft schemes and even launch disruptive attacks that could shut down critical hospital systems. A year-long examination of cybersecurity by The Washington Post has found that health care is among the most vulnerable industries in the country, in part because it lags behind in addressing known problems. 'I have never seen an industry with more gaping security holes,' said Avi Rubin, a computer scientist and technical director of the Information Security Institute at Johns Hopkins University. 'If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.'" [9]

8 Protected Health Information (PHI): High Value to Hackers: Medical Facilities at Risk.
9 O'Harrow, Robert, Jr. "Health-care Sector Vulnerable to Hackers, Researchers Say." The Washington Post, 25 Dec. 2012. Web. Accessed 1 Aug. 2013. <www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/ e50-11e2-ae43-cf491b837f7b_print.html>

This brings us to the seventh, and final, element in the perfect storm for HIPAA and Business Associates: an increasing economic reward to hackers and others for healthcare data, against a backdrop of poorly understood practices and vulnerable systems.

What to Do?

The Final Rule went into effect March 26, 2013 and allowed 180 days for implementation. September 23, 2013 is the date by which Covered Entities and Business Associates (and any subcontractors who have access to Protected Health Information as part of their duties) must be in compliance. In the next few pages we clarify Covered Entity and Business Associate and also highlight a long-neglected function, data storage, and the Business Associate arrangement.

Are You a Covered Entity?

Though HIPAA has been around since 1996, HealthCare Too has found that many Covered Entities do not know they are Covered Entities, or believe that their HIPAA obligations begin and end with a Notice of Privacy Practices. Under HIPAA, a Covered Entity is:

(1) A health plan.
(2) A health care clearinghouse.
(3) A health care provider who transmits any health information in electronic form [10] in connection with a transaction covered by this subchapter.

A health care provider is not limited to the traditional notion of a medical doctor. The definition of health care provider in the Final Rule (CFR, Definitions) basically says that anyone who furnishes, bills, or is paid for health care in the normal course of business is a health care provider. That may still be a bit vague. Luckily, HIPAA also requires healthcare providers to register for a National Provider Identifier (NPI) to assist with administrative and financial transactions. The Health Care Provider Taxonomy Code Set offers very specific classifications for health care providers, with over 800 codes that give more definitive guidance on who is a health care provider. This taxonomy includes such professions as Non-emergency Medical Transport, Home Delivered Meals (332U00000X), Respite Care (385H00000X), Nursing Facility/Intermediate Care Facility (313M00000X), Speech-Language Pathologist (235Z00000X), and Massage Therapist.

10 Note: if someone conducts an electronic transaction on behalf of the provider, the provider is a Covered Entity. In this day and age, most providers will be Covered Entities.

Many Covered Entities who attend HealthCare Too presentations ask for a checklist to help them understand what needs to be done beyond a Notice of Privacy Practices. The Maryland Department of Health and Mental Hygiene has published a good checklist on its website, to which we often refer people: s/privacy_security_checklist.pdf. HealthCare Too associates have referred Covered Entities to this checklist because it addresses in some detail not only the various Security Rule safeguards (Administrative, Physical, and Technical), like many checklists, but also the Privacy Rule and the updates from HITECH. With the changes in the Final Rule, this checklist may also be useful to Business Associates.

Are You a Business Associate?

Given that the perfect storm has arrived for Business Associates and HIPAA compliance, it is imperative for both Covered Entities and Business Associates to understand who is a Business Associate. While Business Associates have not been directly covered by HIPAA until now, subcontractors have been even further off the radar. The Omnibus Rule defines subcontractor and requires a Business Associate Agreement between the Business Associate and the subcontractor. Of course, this means the subcontractor is now also a Business Associate, and so on down the chain if there are further subcontractors in the Protected Health Information trust chain. WEDI has produced a very useful decision tree to help identify a Business Associate. HealthCare Too has produced a simplified version of it; the original is located at Decision-Tree_V2.pdf.

More information

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse The Health Insurance Portability and Accountability Act of 1996

More information

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013

Cybersecurity for Meaningful Use. 2013 FRHA Annual Summit Setting the Health Care Table: Politics, Economics, Health November 20-22, 2013 Cybersecurity for Meaningful Use 2013 FRHA Annual Summit "Setting the Health Care Table: Politics, Economics, Health" November 20-22, 2013 Healthcare Sector Vulnerable to Hackers By Robert O Harrow Jr.,

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Healthcare Applications and HIPAA. BA590-IT Governance Final Term Project Prof. Mike Shaw

Healthcare Applications and HIPAA. BA590-IT Governance Final Term Project Prof. Mike Shaw Healthcare Applications and HIPAA BA590-IT Governance Final Term Project Prof. Mike Shaw Michael McIntosh 5/4/2007 Table of Contents 1. Abstract 3 2. Introduction 3 3. Section 1: HIPAA definition and history

More information