HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

Size: px
Start display at page:

Download "HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule"

Transcription

1 JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On January 17, 2013, the U.S. Department of Health and Human Services (HHS) published the long-awaited Final HIPAA Omnibus Rule, encompassing its modifications to the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. Director of HHS s Office for Civil Rights Leon Rodriguez said, The final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented and that the changes enhance a patient s privacy rights and strengthen the ability of my office to vigorously enforce HIPAA. The modifications implemented by the Final Rule include: Expansion of the types of entities subject to the HIPAA Privacy Rule regulations to now include business associates, subcontractors of business associates (if the subcontractor routinely handles protected health information (PHI)), patient-safety organizations, health information exchange organizations (HIO), and e-prescribing gateways; Increases patients rights by allowing a decedent s family or close family friends to access the decedent s PHI, the ability to request an electronic copy of their medical records, the opportunity to provide authorization for use of their medical records for research purposes, and share their children s immunization records with schools; Restricts the use of PHI for marketing and fundraising activities; Prohibits the sale of PHI without patient authorization with certain exceptions; Increases the penalties for violations of HIPAA to a maximum of $1.5 million in one calendar year; Clarifies that genetic information qualifies as health information; Clarifies when a data breach must be reported to the Office for Civil Rights (OCR);

2 Alters the breach notification requirement so that unauthorized use or disclosure of PHI is presumed to be a reportable breach, unless the covered entity can conclude, through a documented assessment, that there is a low probability that the information has been compromised. Low probability is determined by: o Then nature, extent, and identifiers of the PHI involved, (such as it involved mental health treatment or substance abuse treatment records); o The unauthorized person who used the PHI or to whom the disclosure was made; o Whether the PHI actually was acquired or viewed; and o To the extent to which the risk to the PHI has been mitigated. Modifications to the HIPAA Privacy Rule The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires that covered entities institute safeguards that protect the privacy of protected health information (PHI), and requires that covered entities who engage business associates to handle PHI have contracts in place to ensure that the business associate also protects the PHI with the same security measures. The Final Rule now extends the scope of the Privacy Rule to business associates and subcontractors of business associates. Subcontractors include any entity or person to whom a business associate has delegated a function, activity, or service other than in the capacity of a member of the workforce of the business associate. Business associates must have business associate agreements with subcontractors who must then comply with the Privacy Rule and provide business associates with satisfactory assurances that it will implement appropriate safeguards for PHI. A business associate is defined as an entity that performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of PHI. The revisions add the following entities to the definition of a business associate: Patient Safety Organizations Health Information Organizations (HIO) E-Prescribing Gateways Vendors of Personal Health Records Any other person that provides data transmission services with respect to PHI to a covered entity and that requires routine access to such PHI To clarify, the Final Rule explains that the determination of whether a person has routine access to PHI is fact specific and will be based on the nature of the services provided. If the entity is merely a conduit of the covered entity, then that access to PHI is not considered routine. Entities such as the U.S. Postal Service or other similar courier, and electronic equivalents such as Internet service providers are not considered entities with routine access under the Final Rule, and therefore, not a business associate. 2

3 Additionally, other exceptions to the business associate definition include a health care provider for treatment, plan sponsors, government agencies, and covered entities participating in an organized health care arrangement. The Final Rule also alters the definition of protected health information to not include the PHI of an individual who has been deceased for over 50 years. Further, the Final Rule amends the Privacy Rule to allow covered entities to disclose a decedent s PHI to family members, or other close family friends who were involved in that decedent s care or payment for care prior to death, unless such disclosure is inconsistent with the decedent s expressed preferences prior to death. Moreover, the Final Rule adds to patients rights by providing more access to their PHI. The new Privacy Rule permits patients to ask for an electronic copy of their medical records, and the covered entity must provide access in electronic form if it is readily producible. If the electronic records are not readily producible, then a readable electronic form, as agreed between the patient and the covered entity, will satisfy this new access requirement. This new requirement does not require that a covered entity purchase new software or systems to accommodate the patient s format request. The Final Rule also makes it easier for individuals to authorize the use of their information for research purposes by permitting combined and unconditioned authorizations for research as long as the authorization clearly allows the individual the ability to opt-in to the unconditioned research activities. Authorizations for research do not need to be study specific. Likewise, the Final Rule permits covered entities to share children s immunization records with schools when state or other laws require a school to have such information prior to admitting a student. Written authorization is no longer required, but covered entities will need to obtain oral agreement from a parent, guardian, or other person acting in loco parentis, or by the adult or emancipated minor. The Final Rule will also allow a patient who pays in cash to keep information about their treatment from their health plan if such a request is made to the covered entity. The definition of marketing now requires that there be patient authorization for all treatment and health care operations communications where the covered entity received financial remuneration for making the communications from a third party whose product or service is being marketed. The HIPAA Privacy Rule will treat all subsidized treatment communications as marketing communications. However, the Privacy Rule will continue to allow covered entities to use or disclose PHI without a patient authorization for refill or health care service information, for case management or care coordination, or to describe a health-related product. The Final Rule prohibits the use or disclosure of PHI for fundraising purposes and such must be included in the covered entity s Notice of Privacy Practices. The Rule specifies that each 3

4 fundraising communication must include an opt-out for the individual to elect not to receive further fundraising communications with no more than a minimal cost to the individual, but the covered entity may provide a method for opting back in. However, the Final Rule requires patient authorization for the sale of PHI. The Final Rule defines sale of protected health information as a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for protected health information. Remuneration may include non-financial benefits, but does not include payments received in the form of grants or research studies because any provision of the protected health information to the payer is a byproduct of the service being provided. Other exceptions include for public health purposes; for treatment and payment purposes; or for due diligence for the sale, transfer, merger, or consolidation of all or part of the covered entity. The Final Rule also prohibits health plans (except for issuers of long-term care policies) from using and disclosing genetic information for underwriting purposes, which includes determination of eligibility (including enrollment and continued eligibility) or benefits under the plan; the computation of premium or contribution amounts under the plan (including discounts, rebates, etc. for participating in a health risk assessment or a wellness program); and the application of any pre-existing condition exclusion under the plan. Modifications to the HIPAA Security Rule The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, protects electronic PHI and applies to covered entities. The Final Rule now requires all business associates to comply with the security standards set forth in the Security Rule. It also requires business associates to enter into contractual agreements with its subcontractors that have access to PHI that the subcontractor will appropriately safeguard the PHI. Business associates must implement policies and procedures and enter into contractual relationships with its subcontractors quickly if they have not done so in order to comply with the Final Rule. Significantly, the Final Rule states that covered entities and business associates will be in compliance with 45 CFR (b), (a), (e), and (e) if business associate agreements are in place by January 25, Accordingly, covered entities should immediately review vendor and subcontractor relationships to determine whether or not compliant business associate agreements are in place or need to be in place to meet the January 25, 2013, deadline. Finally, the Final Rule does not make a single change to the accounting of disclosures rule as previously proposed, no doubt in response to the many comments by covered entities that the proposed changes would be unduly burdensome. 4

5 Modifications to the Enforcement Rule The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C through E, establishes rules regarding enforcement processes, such as the establishment of an amount of the penalty for a violation. The Final Rule clarifies that the HHS Secretary will investigate any complaint where a preliminary review of the facts indicates a possible violation due to willful neglect and also conduct a compliance review with discretion to investigate any other complaints. HHS will increase cooperation with other law enforcement agencies to refer cases involving possible criminal HIPAA violations. The Final Rule increases the penalties for HIPAA violations, and increases the limit of penalties in one calendar year to $1.5 million based on the degree of knowledge: Did not know $100 $50,000 per violation Reasonable cause defined as circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated $1,000 $50,000 per violation Willful Neglect Corrected $10,000 $50,000 per violation Willful Neglect Not Corrected $50,000 per violation The factors for determining the amount of the civil penalty include: The nature of the claims and the circumstances under which they were presented, The degree of culpability, History of prior offenses, Financial condition of the person presenting the claims, and Such other matters as justice may require. Modifications to the Breach Notification Rule The Final Rule significantly modifies the definition of a breach of unsecured PHI, and clarifies covered entity s and business associates obligations with respect to notifying an individual of a breach. Previously, a breach was defined as: [T]he acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] which compromises the security or privacy of the protected health information. 5

6 For purposes of this definition, compromises the security or privacy of the protected health information meant that the unauthorized use or disclosure posed a significant risk of financial, reputational, or other harm to the individual [emphasis added]. 1 Built into the definition was a requirement known as the significant harm standard, which required covered entities to determine whether the impermissible disclosure put the individual at a significant risk of harm. The significant harm standard was intended to ensure that consumers were not flooded with breach notifications for inconsequential events, which could potentially cause unnecessary anxiety and eventual apathy among consumers. The Final Rule removes the significant harm standard from the definition and replaces it with the following language: [A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors [emphasis added]: The nature and extent of the protected health information involved, including the types of identifiers, and the likelihood of re-identification; The unauthorized person who used the protected health information or to whom the disclosure was made; Whether the protected health information was actually acquired or viewed; and The extent to which the risk to the protected health information has been mitigated. 2 The Final Rule removed the significant harm standard due to its subjective nature, which, according to HHS, had the potential to lead to inconsistent interpretations and results. The four factor risk assessment set forth in the Final Rule focuses more objectively on the risk that the PHI was compromised, rather than on the subjective harm to the individual. Breach notification policies will need to be revised to reflect the four factors and other considerations from the Final Rule. The Final Rule also clarifies other aspects of the covered entity s responsibilities with respect to a breach, including: Encryption Safe Harbor: No breach notification is required if the PHI that is improperly disclosed is encrypted pursuant to Guidance Specifying the 1 45 CFR

7 Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals Day Timeframe for Notifying Individuals: The Final Rule clarifies that the time period for breach notification begins when the incident is first known, not when the investigation of the incident is complete, even if it is initially unclear whether the incident constitutes a breach as defined in the rule. Limited Data Set Exception Removed: Previously, a breach exception existed for an impermissible use or disclosure of PHI that qualified as a limited data set which excluded dates of birth and zip codes (both identifiers that may otherwise be included in a limited data set). This was a narrow exception based on the belief that it would be very difficult to re-identify a limited data set that excludes dates of birth and zip codes. The Final Rule removes this exception, and a Covered Entity or Business Associate must now perform a risk assessment following an impermissible use or disclosure of any limited data set. Breaches Treated as Discovered: Commentary to the Final Rule states that when determining whether a covered entity acted with reasonable diligence with respect to the discovery of a breach, covered entities and business associates may wish to observe the standards of practice of other covered entities and/or business associates under similar circumstances. Notification by Business Associate: Commentary to the Final Rule points out that the covered entity is ultimately responsible for providing individuals with notification of a breach, and the clock for notifying individuals of a breach begins upon knowledge of the incident, even if it is not yet clear whether the incident actually qualifies as a reportable breach. For more information on the revisions to the breach notification requirements, click here. Effective date of compliance The official publication of the new Rule will be released January 25, 2013, and will go into effect on March 26, 2013, with September 23, 2013 as the compliance deadline. HHS estimates that these new regulations will cost covered entities and business associates between $114 million and $225.4 million during the first year of implementation, and approximately $14.5 million each year thereafter FR

8 Compliance actions Here are some suggested compliance actions in response to the Final Rule: Identify subcontractors and vendors who have access to PHI to determine whether a business associate agreement is in place or needs to be implemented by January 25, 2013; Review and revise the Notice of Privacy Practices as applicable and post it on your website; Review and implement Privacy and Security Policies for compliance; Review, revise, and implement Breach Notification Compliance Program; Ensure compliance with the Genetic Information Discrimination Act in conjunction with HIPAA; and Ensure compliance with marketing and fundraising requirements. Nixon Peabody, LLP will be hosting a webinar on the Final Rule on February 5, 2013, at 2:00 p.m. (EST). You will receive a separate invitation to that event. If you have any questions concerning compliance with the HIPAA Privacy and Security Rule in the final HIPAA Omnibus Rule, or need assistance with compliance, please contact: Linn Foster Freedman, Privacy & Data Protection Group Leader and Chair of the HIPAA Compliance Team, at lfreedman@nixonpeabody.com or (401) Kathryn Sylvia at ksylvia@nixonpeabody.com or (401) Lindsay Maleson at lmaleson@nixonpeabody.com or (516) Brooke Lane at balane@nixonpeabody.com or (516)

Legislative & Regulatory Information

Legislative & Regulatory Information Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

POLICY AND PROCEDURE MANUAL

POLICY AND PROCEDURE MANUAL Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Covered Entities and Business Associates: An Evolving Relationship

Covered Entities and Business Associates: An Evolving Relationship Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors Health Care ADVISORY July 16, 2010 HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors On July 8, 2010, the Office for Civil Rights (OCR) of the Department of

More information

Department of Health and Human Services. No. 17 January 25, 2013. Part II

Department of Health and Human Services. No. 17 January 25, 2013. Part II Vol. 78 Friday, No. 17 January 25, 2013 Part II Department of Health and Human Services Office of the Secretary 45 CFR Parts 160 and 164 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS

SUMMARY OF CHANGES HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020 Cleveland, OH

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs

New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs Executive Summary After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office

More information

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act February 20, 2013 Boston Brussels Chicago Düsseldorf Frankfurt Houston

More information

New HIPAA Rules: A Guide for Radiology Providers

New HIPAA Rules: A Guide for Radiology Providers New HIPAA Rules: A Guide for Radiology Providers Adrienne Dresevic, Esq and Clinton Mikel, Esq The credit earned from the Quick Credit TM test accompanying this article may be applied to the AHRA certified

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014 GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY HIPAA Policies and Procedures 06/30/2014 Glenn County Health and Human Services Agency HIPAA Policies and Procedures TABLE OF CONTENTS HIPAA Policy Number

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

HIPAA In The Workplace. What Every Employee Should Know and Remember

HIPAA In The Workplace. What Every Employee Should Know and Remember HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HIPAA Compliance in 2013:

HIPAA Compliance in 2013: HIPAA Compliance in 2013: National Association for Home Care & Hospice March on Washington March 18, 2013 1 Marcia Augsburger Partner, DLA Piper, LLP (US) Firm HIPAA Officer and HIPAA Working Group Co-Chair

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT

H I P AA B U S I N E S S AS S O C I ATE AGREEMENT H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

January 25, 2013. 1 P a g e

January 25, 2013. 1 P a g e Analysis of Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Protected

More information

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010 NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA March 2010 Prepared By: Marisa Guevara and Marcie H. Zakheim Feldesman Tucker Leifer Fidell, LLP 2001

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

Reproductive Medicine Associates of New Jersey, LLC

Reproductive Medicine Associates of New Jersey, LLC NOTICE OF PRIVACY PRACTICES Effective Date: September 20, 2013 Last Modified: May 12, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

BUSINESS ASSOCIATE AGREEMENT ( BAA )

BUSINESS ASSOCIATE AGREEMENT ( BAA ) BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor

More information

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] Background By law, the HIPAA Privacy Rule applies only to covered entities health plans, health care clearinghouses, and certain

More information

The Institute of Professional Practice, Inc. Business Associate Agreement

The Institute of Professional Practice, Inc. Business Associate Agreement The Institute of Professional Practice, Inc. Business Associate Agreement This Business Associate Agreement ( Agreement ) effective on (the Effective Date ) is entered into by and between The Institute

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information