HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule
|
|
- Damian Barry Wilkinson
- 8 years ago
- Views:
Transcription
1 JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On January 17, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited Final HIPAA Omnibus Rule, encompassing its modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Director of HHS s Office for Civil Rights Leon Rodriguez said, The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented and that the changes enhance a patient s privacy rights and strengthen the ability of my office to vigorously enforce HIPAA. The modifications implemented by the Final Rule include: Expansion of the types of entities subject to the HIPAA Privacy Rule regulations to now include business associates, subcontractors of business associates (if the subcontractor routinely handles protected health information (PHI)), patient-safety organizations, health information exchange organizations (HIO), and e-prescribing gateways; Increases patients rights by allowing a decedent s family or close family friends to access the decedent s PHI, the ability to request an electronic copy of their medical records, the opportunity to provide authorization for use of their medical records for research purposes, and share their children s immunization records with schools; Restricts the use of PHI for marketing and fundraising activities; Prohibits the sale of PHI without patient authorization with certain exceptions; Increases the penalties for violations of HIPAA to a maximum of $1.5 million in one calendar year; Clarifies that genetic information qualifies as health information; Clarifies when a data breach must be reported to the Office for Civil Rights (OCR);
2 Alters the breach notification requirement so that unauthorized use or disclosure of PHI is presumed to be a reportable breach, unless the covered entity can conclude, through a documented assessment, that there is a low probability that the information has been compromised. Low probability is determined by: o Then nature, extent, and identifiers of the PHI involved, (such as it involved mental health treatment or substance abuse treatment records); o The unauthorized person who used the PHI or to whom the disclosure was made; o Whether the PHI actually was acquired or viewed; and o To the extent to which the risk to the PHI has been mitigated. Modifications to the HIPAA Privacy Rule The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires that covered entities institute safeguards that protect the privacy of protected health information (PHI), and requires that covered entities who engage business associates to handle PHI have contracts in place to ensure that the business associate also protects the PHI with the same security measures. The Final Rule now extends the scope of the Privacy Rule to business associates and subcontractors of business associates. Subcontractors include any entity or person to whom a business associate has delegated a function, activity, or service other than in the capacity of a member of the workforce of the business associate. Business associates must have business associate agreements with subcontractors who must then comply with the Privacy Rule and provide business associates with satisfactory assurances that it will implement appropriate safeguards for PHI. A business associate is defined as an entity that performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. The revisions add the following entities to the definition of a business associate: Patient Safety Organizations Health Information Organizations (HIO) E-Prescribing Gateways Vendors of Personal Health Records Any other person that provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI To clarify, the Final Rule explains that the determination of whether a person has routine access to PHI is fact specific and will be based on the nature of the services provided. If the entity is merely a conduit of the covered entity, then that access to PHI is not considered routine. Entities such as the U.S. Postal Service or other similar courier, and electronic equivalents such as Internet service providers are not considered entities with routine access under the Final Rule, and therefore, not a business associate. 2
3 Additionally, other exceptions to the business associate definition include a health care provider for treatment, plan sponsors, government agencies, and covered entities participating in an organized health care arrangement. The Final Rule also alters the definition of protected health information to not include the PHI of an individual who has been deceased for over 50 years. Further, the Final Rule amends the Privacy Rule to allow covered entities to disclose a decedent s PHI to family members, or other close family friends who were involved in that decedent s care or payment for care prior to death, unless such disclosure is inconsistent with the decedent s expressed preferences prior to death. Moreover, the Final Rule adds to patients rights by providing more access to their PHI. The new Privacy Rule permits patients to ask for an electronic copy of their medical records, and the covered entity must provide access in electronic form if it is readily producible. If the electronic records are not readily producible, then a readable electronic form, as agreed between the patient and the covered entity, will satisfy this new access requirement. This new requirement does not require that a covered entity purchase new software or systems to accommodate the patient s format request. The Final Rule also makes it easier for individuals to authorize the use of their information for research purposes by permitting combined and unconditioned authorizations for research as long as the authorization clearly allows the individual the ability to opt-in to the unconditioned research activities. Authorizations for research do not need to be study specific. Likewise, the Final Rule permits covered entities to share children s immunization records with schools when state or other laws require a school to have such information prior to admitting a student. Written authorization is no longer required, but covered entities will need to obtain oral agreement from a parent, guardian, or other person acting in loco parentis, or by the adult or emancipated minor. The Final Rule will also allow a patient who pays in cash to keep information about their treatment from their health plan if such a request is made to the covered entity. The definition of marketing now requires that there be patient authorization for all treatment and health care operations communications where the covered entity received financial remuneration for making the communications from a third party whose product or service is being marketed. The HIPAA Privacy Rule will treat all subsidized treatment communications as marketing communications. However, the Privacy Rule will continue to allow covered entities to use or disclose PHI without a patient authorization for refill or health care service information, for case management or care coordination, or to describe a health-related product. The Final Rule prohibits the use or disclosure of PHI for fundraising purposes and such must be included in the covered entity s Notice of Privacy Practices. The Rule specifies that each 3
4 fundraising communication must include an opt-out for the individual to elect not to receive further fundraising communications with no more than a minimal cost to the individual, but the covered entity may provide a method for opting back in. However, the Final Rule requires patient authorization for the sale of PHI. The Final Rule defines sale of protected health information as a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for protected health information. Remuneration may include non-financial benefits, but does not include payments received in the form of grants or research studies because any provision of the protected health information to the payer is a byproduct of the service being provided. Other exceptions include for public health purposes; for treatment and payment purposes; or for due diligence for the sale, transfer, merger, or consolidation of all or part of the covered entity. The Final Rule also prohibits health plans (except for issuers of long-term care policies) from using and disclosing genetic information for underwriting purposes, which includes determination of eligibility (including enrollment and continued eligibility) or benefits under the plan; the computation of premium or contribution amounts under the plan (including discounts, rebates, etc. for participating in a health risk assessment or a wellness program); and the application of any pre-existing condition exclusion under the plan. Modifications to the HIPAA Security Rule The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, protects electronic PHI and applies to covered entities. The Final Rule now requires all business associates to comply with the security standards set forth in the Security Rule. It also requires business associates to enter into contractual agreements with its subcontractors that have access to PHI that the subcontractor will appropriately safeguard the PHI. Business associates must implement policies and procedures and enter into contractual relationships with its subcontractors quickly if they have not done so in order to comply with the Final Rule. Significantly, the Final Rule states that covered entities and business associates will be in compliance with 45 CFR (b), (a), (e), and (e) if business associate agreements are in place by January 25, Accordingly, covered entities should immediately review vendor and subcontractor relationships to determine whether or not compliant business associate agreements are in place or need to be in place to meet the January 25, 2013, deadline. Finally, the Final Rule does not make a single change to the accounting of disclosures rule as previously proposed, no doubt in response to the many comments by covered entities that the proposed changes would be unduly burdensome. 4
5 Modifications to the Enforcement Rule The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C through E, establishes rules regarding enforcement processes, such as the establishment of an amount of the penalty for a violation. The Final Rule clarifies that the HHS Secretary will investigate any complaint where a preliminary review of the facts indicates a possible violation due to willful neglect and also conduct a compliance review with discretion to investigate any other complaints. HHS will increase cooperation with other law enforcement agencies to refer cases involving possible criminal HIPAA violations. The Final Rule increases the penalties for HIPAA violations, and increases the limit of penalties in one calendar year to $1.5 million based on the degree of knowledge: Did not know $100 $50,000 per violation Reasonable cause defined as circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated $1,000 $50,000 per violation Willful Neglect Corrected $10,000 $50,000 per violation Willful Neglect Not Corrected $50,000 per violation The factors for determining the amount of the civil penalty include: The nature of the claims and the circumstances under which they were presented, The degree of culpability, History of prior offenses, Financial condition of the person presenting the claims, and Such other matters as justice may require. Modifications to the Breach Notification Rule The Final Rule significantly modifies the definition of a breach of unsecured PHI, and clarifies covered entity s and business associates obligations with respect to notifying an individual of a breach. Previously, a breach was defined as: [T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information. 5
6 For purposes of this definition, compromises the security or privacy of the protected health information meant that the unauthorized use or disclosure posed a significant risk of financial, reputational, or other harm to the individual [emphasis added]. 1 Built into the definition was a requirement known as the significant harm standard, which required covered entities to determine whether the impermissible disclosure put the individual at a significant risk of harm. The significant harm standard was intended to ensure that consumers were not flooded with breach notifications for inconsequential events, which could potentially cause unnecessary anxiety and eventual apathy among consumers. The Final Rule removes the significant harm standard from the definition and replaces it with the following language: [A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors [emphasis added]: The nature and extent of the protected health information involved, including the types of identifiers, and the likelihood of re-identification; The unauthorized person who used the protected health information or to whom the disclosure was made; Whether the protected health information was actually acquired or viewed; and The extent to which the risk to the protected health information has been mitigated. 2 The Final Rule removed the significant harm standard due to its subjective nature, which, according to HHS, had the potential to lead to inconsistent interpretations and results. The four factor risk assessment set forth in the Final Rule focuses more objectively on the risk that the PHI was compromised, rather than on the subjective harm to the individual. Breach notification policies will need to be revised to reflect the four factors and other considerations from the Final Rule. The Final Rule also clarifies other aspects of the covered entity s responsibilities with respect to a breach, including: Encryption Safe Harbor: No breach notification is required if the PHI that is improperly disclosed is encrypted pursuant to Guidance Specifying the 1 45 CFR
7 Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals Day Timeframe for Notifying Individuals: The Final Rule clarifies that the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. Limited Data Set Exception Removed: Previously, a breach exception existed for an impermissible use or disclosure of PHI that qualified as a limited data set which excluded dates of birth and zip codes (both identifiers that may otherwise be included in a limited data set). This was a narrow exception based on the belief that it would be very difficult to re-identify a limited data set that excludes dates of birth and zip codes. The Final Rule removes this exception, and a Covered Entity or Business Associate must now perform a risk assessment following an impermissible use or disclosure of any limited data set. Breaches Treated as Discovered: Commentary to the Final Rule states that when determining whether a covered entity acted with reasonable diligence with respect to the discovery of a breach, covered entities and business associates may wish to observe the standards of practice of other covered entities and/or business associates under similar circumstances. Notification by Business Associate: Commentary to the Final Rule points out that the covered entity is ultimately responsible for providing individuals with notification of a breach, and the clock for notifying individuals of a breach begins upon knowledge of the incident, even if it is not yet clear whether the incident actually qualifies as a reportable breach. For more information on the revisions to the breach notification requirements, click here. Effective date of compliance The official publication of the new Rule will be released January 25, 2013, and will go into effect on March 26, 2013, with September 23, 2013 as the compliance deadline. HHS estimates that these new regulations will cost covered entities and business associates between $114 million and $225.4 million during the first year of implementation, and approximately $14.5 million each year thereafter FR
8 Compliance actions Here are some suggested compliance actions in response to the Final Rule: Identify subcontractors and vendors who have access to PHI to determine whether a business associate agreement is in place or needs to be implemented by January 25, 2013; Review and revise the Notice of Privacy Practices as applicable and post it on your website; Review and implement Privacy and Security Policies for compliance; Review, revise, and implement Breach Notification Compliance Program; Ensure compliance with the Genetic Information Discrimination Act in conjunction with HIPAA; and Ensure compliance with marketing and fundraising requirements. Nixon Peabody, LLP will be hosting a webinar on the Final Rule on February 5, 2013, at 2:00 p.m. (EST). You will receive a separate invitation to that event. If you have any questions concerning compliance with the HIPAA Privacy and Security Rule in the final HIPAA Omnibus Rule, or need assistance with compliance, please contact: Linn Foster Freedman, Privacy & Data Protection Group Leader and Chair of the HIPAA Compliance Team, at lfreedman@nixonpeabody.com or (401) Kathryn Sylvia at ksylvia@nixonpeabody.com or (401) Lindsay Maleson at lmaleson@nixonpeabody.com or (516) Brooke Lane at balane@nixonpeabody.com or (516)
Legislative & Regulatory Information
Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationHIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
More informationBusiness Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
More informationLong-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates
Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health
More informationHIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com
HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationNew HIPAA regulations require action. Are you in compliance?
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationData Breach, Electronic Health Records and Healthcare Reform
Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA
More informationCovered Entities and Business Associates: An Evolving Relationship
Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider
More informationHIPAA in an Omnibus World. Presented by
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors
Health Care ADVISORY July 16, 2010 HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors On July 8, 2010, the Office for Civil Rights (OCR) of the Department of
More informationDepartment of Health and Human Services. No. 17 January 25, 2013. Part II
Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationHHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationSUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS
Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020 Cleveland, OH
More informationHIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS
HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience
More informationBUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
More informationFinal Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.
AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationNew Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs
New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs Executive Summary After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office
More informationADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationHIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act
International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky
More informationSaaS. Business Associate Agreement
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationNCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
More informationOCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act
OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act February 20, 2013 Boston Brussels Chicago Düsseldorf Frankfurt Houston
More informationNew HIPAA Rules: A Guide for Radiology Providers
New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified
More informationEverett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationThe ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
More informationGLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014
GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY HIPAA Policies and Procedures 06/30/2014 Glenn County Health and Human Services Agency HIPAA Policies and Procedures TABLE OF CONTENTS HIPAA Policy Number
More informationHIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND
HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS
More informationHIPAA BREACH RESPONSE POLICY
http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting
More informationHIPAA In The Workplace. What Every Employee Should Know and Remember
HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
More informationHIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES
SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
More informationFirstCarolinaCare Insurance Company Business Associate Agreement
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
More informationHIPAA Compliance in 2013:
HIPAA Compliance in 2013: National Association for Home Care & Hospice March on Washington March 18, 2013 1 Marcia Augsburger Partner, DLA Piper, LLP (US) Firm HIPAA Officer and HIPAA Working Group Co-Chair
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationBreach Notification Policy
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
More informationH I P AA B U S I N E S S AS S O C I ATE AGREEMENT
H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).
More informationREPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
More informationJanuary 25, 2013. 1 P a g e
Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information
More informationHIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule
HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why
More informationBarnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule
HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA
More informationDisclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)
HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationHIPAA Privacy Breach Notification Regulations
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationUse & Disclosure of Protected Health Information by Business Associates
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationHIPAA NOTICE OF PRIVACY PRACTICES
HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Protected
More informationHIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013
HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
More informationwhat your business needs to do about the new HIPAA rules
what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationAdd a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.
HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationModel Business Associate Agreement
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
More informationBUSINESS ASSOCIATE ADDENDUM
BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate
More informationNACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010
NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA March 2010 Prepared By: Marisa Guevara and Marcie H. Zakheim Feldesman Tucker Leifer Fidell, LLP 2001
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationReproductive Medicine Associates of New Jersey, LLC
NOTICE OF PRIVACY PRACTICES Effective Date: September 20, 2013 Last Modified: May 12, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO
More informationCMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationGuidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance
More informationSCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
More informationBUSINESS ASSOCIATE AGREEMENT ( BAA )
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
More informationHIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update
HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist
More informationHIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help
HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationConnecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement
Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationBUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]
BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] Background By law, the HIPAA Privacy Rule applies only to covered entities health plans, health care clearinghouses, and certain
More informationThe Institute of Professional Practice, Inc. Business Associate Agreement
The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationTerms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationOFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)
Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract
More information