The ReHabilitation Center Buffalo Street. Olean. NY

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760"

Transcription

1 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach notification as required under the Health Information Technology for Economic and Clinical Health (HITECH) Act and to extend notification requirements under HITECH to all business associates of The ReHabilitation Center. Additionally, it is The ReHabilitation Center s intent to protect the privacy and security of health information as required by federal HIPAA regulations and any other applicable NYS laws/regulations. If a breach of protected health information (PHI) occurs, The ReHabilitation Center is required to provide notification to certain individuals and entities pursuant to Subtitle D of the Health Information Technology for Economic and Clinical Health Act (HITECH) and any regulations promulgated under the act. This policy sets for the procedures The ReHabilitation Center will follow to assess known and potential breaches of PHI and to provide notification to affected individuals as necessary. Detailed Procedure(s): The ReHabilitation Center will investigate and document all reported or suspected breaches of PHI, and if necessary, notify the affected individuals, the Secretary of Health and Human Services, and in certain cases, the media, as required under HITECH. The ReHabilitation Center will amend its Business Associates Agreements to require that all business associates notify The ReHabilitation Center; without reasonable delay and as defined within each individual contract, but no later than 60 days from the date of discovery of any breach or suspected breach so that The ReHabilitation Center can investigate and fulfill its mandatory breach notification requirements; if necessary. Definitions: HITECH incorporates the definitions found in The ReHabilitation Center s HIPAA policy and procedure. Other terms are defined below. PHI (Protected Health Information): For the purposes of this policy, the term PHI means any program participant information, including very basic information such as their name or address, that (1) relates to the past, present, or future physical or mental health or condition of an individual, the provisions of health care to an individual, or the past, present or future payment for the provision of health care to an individual, and (2) either identifies the individual or could reasonable be used to identify the individual. BREACH: A breach is defined in the HITECH Act as the unauthorized acquisition, access, use or disclosure of unsecured protected health information in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI, except where the unauthorized person would not reasonably have been able to retain such information, or in the case where one of three exceptions apply.

2 The breach must also pose a significant risk of financial, reputational or other harm to the affected individual. The HITECH Act requires formal investigations of potential breaches. The ReHabilitation Center has 60 days from the date of discovery of the breach or potential breach to make notifications, if required. It is imperative that any member of The ReHabilitation Center workforce (as defined by HIPAA) or any business associate, who knows, believes or suspects that a breach of protected health information has occurred, reports the breach to the Privacy Officer immediately. After a potential breach is reported, The ReHabilitation Center will conduct a thorough investigation and document its conclusions. The purpose of the investigation is to determine whether the breach triggers mandatory notification under HITECH, and if so, what notifications are required. The agency s Privacy and Corporate Compliance Officer: Susan A. Cross General Manager for Quality Management ext 610 INVESTIGATION PROCEDURE: Any workforce member, who knows, believes or suspects that a breach of protected health information has occurred must report the breach to the Privacy Officer or designee immediately. After a potential breach is reported, the Privacy Officer will work with other staff and departments, including the HIPAA Security Officer, the information technology department, and in-house or outside legal counsel, if necessary, to determine if a breach requiring notification has occurred. As part of the investigation, the Privacy Officer will take all necessary steps to mitigate any known harm. The Privacy Officer/designee during and upon conclusion of the investigation, is responsible for documentation supporting the conclusion of the investigation. The details of the investigation will be documented in an investigation report that is kept on file by the Privacy Officer. Information regarding breaches or potential breaches; including internal/external reports of a breach, risk assessments as to possible harm, the investigation report, letters of notification to individuals, notice to media outlets, and the log of breaches to be reported to HHS, must be retained for a period of at least six (6) years. After a potential breach is reported, the Privacy Officer will conduct a thorough investigation to determine whether a breach of unsecured PHI requiring notification under HITECH has occurred. The ReHabilitation Center has 60 days from the date of discovery of the breach to make notifications, if required. If a breach under HITECH has occurred and notifications are required, the time period by which notifications must be sent to the affected individuals, HHS, and if necessary, the media is measured from when the breach is first discovered, not when the Privacy Officer completed his/her investigation into whether a breach has occurred. Not every report of a potential breach of PHI will result in the need to provide notification / or rises to the notification level of HITECH. Within the Privacy Officer s investigation, the following will be determined and documented in within:

3 (1) Determine whether there has been an impermissible acquisition, access, use, or disclosure of protected health information under the HIPAA Privacy Rule (2) Determine whether the PHI was secure or unsecure (3) Determine whether an exception applies (4) Determine whether the impermissible acquisition, access, use or disclosure compromises the security or privacy of the protected health information. Step 1: Determine whether there has been an impermissible acquisition, access, use or disclosure of PHI under the HIPAA privacy regulations. An impermissible acquisition, access, use or disclosure under the HIPAA Privacy Rule, is one in which one or more elements of the Privacy Rule have been violated. The ReHabilitation Center will investigate and determine what provision of the Privacy Rule has been violated. HITECH requires that PHI be limited, when possible, to a limited date set where direct identifiers of an individual have been de-identified. Where this is not possible or practical, then the HIPAA Privacy Regulations require a minimum necessary standard. The ReHabilitation Center s workforce and business associates are generally expected to limit their uses and disclosures of PHI to the minimum amount of information necessary to perform their duties for The ReHabilitation Center. If The ReHabilitation Center determines that the acquisition, access, use or disclosure was permissible under the Privacy Rule, no further investigation is required. If, however, The ReHabilitation Center determines that an impermissible acquisition, access, use or disclosure has occurred, the investigation proceeds to step #2 below. Step 2: Determine whether the PHI is secured PHI or unsecured PHI : The breach notification requirements under HITECH are required only when a breach occurs that is related to Unsecured PHI. PHI will only be considered secured when the PHI has been rendered unusable, unreadable or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the HHS secretary. HHS gui8dance on this issue states that PHI will not be considered secure unless it has either been (1) destroyed or (2) encrypted with specific standards approved by the National Institute of Standards and Technology (NIST). Following an approved method, a breach of secured PHI is exempt from mandatory breach notification. Unsecured PHI can potentially be used, read or deciphered either because there are not protections placed on it or because the protections are insufficient. The PHI has not been made unusable, unreadable or indecipherable to unauthorized individuals. While The Rehabilitation Center s use of firewalls, password protections/access controls and redacting meet the HIPAA Security Rule requirements, these methods do not adequately secure the PHI for HITECH purposes and they do not exempt The ReHabilitation Center from mandatory breach notification.

4 In most cases, The ReHabilitation Center s paper records containing PHI would be considered unsecured PHI and most of The ReHabilitation Center s electronic records would also be considered unsecure PHI. Impermissible use or disclosure of these records would trigger the notification requirements under HITECH. If the PHI in question is determined to be secured PHI, then The ReHabilitation Center does not need to make notifications. If the PHI is determined to be unsecured PHI, then the investigation proceeds to Step #3 below. Step #3: Determine whether the breach falls under one of the exceptions defined in HITECH The ReHabilitation Center may not have to make notifications if the breach falls under one of three exceptions defined in HITECH: EXCEPTIONS: 1) The acquisition, access, or use of PHI was made by a workforce member, in good faith and within the course and scope of employment, or other professional relationship, and it does not result in further disclosure or use not permitted under HIPAA; 2) There was an inadvertent disclosure by an authorized individual to another authorized individual at the same covered entity or business associate, and there was no further disclosure or use not permitted under HIPAA; and 3) There is a good faith belief that the unauthorized person to whom disclosure of PHI was made would not reasonable have been able to retain the information. If an exception applies, then The ReHabilitation Center will document its conclusions and end the investigation. If however, none of the exceptions apply to the impermissible acquisition, access, or use of PHI at hand, then the investigation, then a reportable breach has occurred, and The ReHabilitation Center will make the necessary notifications as required under HITECH. The investigation will subsequently proceed to Step #4. Step #4: Conduct a risk assessment to determine whether there is significant risk of financial, reputational or other harm to the individual. The guidance to HITECH adds a harm element to the definition of breach: a breach occurs when unsecured PHI is acquired, accessed, used or disclosed AND there is a significant risk of financial, reputational, or other harm to the individual. To determine whether there is significant risk of harm, The ReHabilitation Center is required to perform a fact-specific risk assessment. To access the likely risk of harm, The ReHabilitation Center will weight the following: 1. Who impermissibly used the information and to whom the information was impermissibly disclosed (there may be less risk if disclosed to another entity covered by HIPAA) 2. Whether any immediate steps have been taken to mitigate an impermissible use or disclosure 3. Whether the PHI disclosed was returned prior to being accessed 4. The type and amount of PHI involved in the disclosure 5. The risk of re-identification of PHI contained in a limited date set

5 Other considerations include: 1. The nature of the date elements breached and the context of the breach 2. The likelihood the information is accessible and usable. If the information can be easily used it would be high risk. If the information is encrypted the likelihood of use is significantly decreased. 3. The likelihood an unauthorized individual will know the value of the information and either use the information or sell it to others 4. The ability of The ReHabilitation Center to mitigate the risk of harm and whether The ReHabilitation Center was able to stop further disclosure and/or contain the breach. If The ReHabilitation Center concludes after its risk assessment that there was not a significant risk of harm, then no breach notification is required, and the investigation stops. However, the Privacy Officer is responsible for determining if an accounting of the breach must be made in the records of the individuals affected and for determining if the breach notification provisions of any other state or federal law apply. If the Privacy Officer concludes that a reportable breach has occurred, notification to the affected individuals, the Secretary of HHS and, if applicable, the media is required. NOTIFICATIONS: The ReHabilitation Center is required to provide notice to the affected individuals whose unsecured PHI has been, or is reasonably believed to have been acquired, accessed, used or disclosed as a result of the breach without unreasonable delay and no later than 60 calendar days from the date of discovery of the breach by either the business associate or workforce. The only exception to this is if law enforcement determines that a notification would impede a criminal investigation. Notification will be made as follows: 1) The ReHabilitation Center will notify the affected individual(s) via written first class mail. The ReHabilitation Center will continually update the affected individual(s) through the mail as more information becomes known. 2) If The ReHabilitation Center does not have updated address information on an affected individual, a substitute method of notification is acceptable. In cases where there are 10 or more individuals for whom there is insufficient or out-of-date contact information, then The ReHabilitation Center will make a conspicuous posting on its agency web site. 3) In an urgent case where there is reason to believe an imminent misuse of the unsecured PHI, The ReHabilitation Center will make telephone and notifications and follow up with mail notifications to the affected individual(s). 4) If the breach involves 500 or more individuals, The ReHabilitation Center will notify prominent media outlet serving the Western New Your area. 5) In addition to the above, in the event of a breach affecting over 500 persons, The ReHabilitation Center will immediately notify the Secretary of Health and Human Services. 6) On an ongoing basis, The ReHabilitation Center will log all breaches and submit the log annually to the Secretary of HHS. 7) The Secretary of HHS may post on the Department of Health and Human Services website any breaches of unsecured PHI involving more than 500 individuals.

6 Content of the Notification: 1) A brief description of what happened, including the dates of the breach and of its discovery. 2) A description of the types of unsecured PHI that were involved in the breach (I.e. full name, Social Security Number, date of birth, home address, account number, CPT code, diagnosis, treatment, etc.) 3) What steps the individuals should take to protect themselves from potential harm. 4) What The ReHabilitation Center is doing to investigate the breach, mitigate losses, and protect against further breaches. 5) Contact information at The ReHabilitation Center in the event the affected individual(s) want more information about the specific breach. 6) Any sanctions The ReHabilitation Center has imposed on any work force members involved in the breach Annual Report: Beginning January 1, 2011; The ReHabilitation Center will submit an annual breach notification report to the Secretary of Health and Human Services with information on any breaches of unsecured PHI involving less than 500 persons. All such reports must be submitted no later than 60 days after the end of the calendar year. Alternatively, The ReHabilitation Center may choose to file a report with the Secretary of HHS after the conclusion of each breach investigation rather than waiting until the end of the calendar year. Business Associates: Under HITECH, many privacy and security requirements under HIPAA and the penalties for non-compliance have been expressly extended to business associates. This means that a breach of business agreement s terms can subject the business associate to civil and criminal penalties. The ReHabilitation Center requires its business associates to notify The ReHabilitation Center within 48 hours of any known or suspected breaches of PHI so that The ReHabilitation Center may begin an investigation and meet its notification requirements within the 60 day period. The business associates notification must include the identity of each individual affected by the breach and any other information The ReHabilitation Center is required to include in it breach notification. Training: The ReHabilitation Center will train all members of the workforce on their respective responsibilities under HIPAA and HITECH on an annual basis and whenever there are any changes to the law. Workforce members will also be trained in how to identify and report breaches within the agency. The ReHabilitation Center will apply appropriate disciplinary action against members of its workforce who fail to comply with this policy and procedure. Disciplinary Action: The ReHabilitation Center will apply appropriate disciplinary action against members of its workforce who fail to comply with this policy and procedure up to and including termination. Any workforce member who knows or has reason to believe that another person has violated this policy is responsible for reporting the matter promptly to his/her supervisor or the Corporate Compliance Officer.

7 Check Applicable Corporation(s): CI ARC Foundation R&A J & D Category: Corporate Compliance Origination Date: October 2009 Revision Date(s): 11/10/10 sac; 6/1/11 sac; 8/15/11 sac;10/28/11sac; 5/14/13sac Responsible Staff: All agency staff Authored by: Susan A. Cross, General Manager of Quality Management & Corporate Compliance Officer

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

POLICY AND PROCEDURE MANUAL

POLICY AND PROCEDURE MANUAL Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL

More information

3.) The Breach Notification Rule (Part 164, Subpart D)

3.) The Breach Notification Rule (Part 164, Subpart D) 3.) The Breach Notification Rule (Part 164, Subpart D) 164.400 Applicability 164.402 Definitions (breach, unsecured protected health information) 164.404 Notification to individuals 164.406 Notification

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

QUEST, INC BREACH NOTIFICATION POLICY

QUEST, INC BREACH NOTIFICATION POLICY QUEST, INC BREACH NOTIFICATION POLICY Dev September 2012 Page Number I. Breach Notification Template HIPAA Breach Notification Policy Table of Contents 1 A. Generally 1 B. When a Breach is Considered to

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

LOUISIANA HEALTH CARE QUALITY FORUM

LOUISIANA HEALTH CARE QUALITY FORUM POLICY: Data Breach Notification and Investigation EFFECTIVE: 10-01-2011 DEPARTMENT: LHCQF; LaHIE REVISED: PURPOSE To facilitate compliance with the Health Information Technology for Economic and Clinical

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

What You Need to Know About the New HIPAA Breach Notification Rule 1

What You Need to Know About the New HIPAA Breach Notification Rule 1 What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches

More information

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that

More information

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings:

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings: HITECH/HIPAA Breach Notification Regulations This summary was prepared by the New Jersey Department of Human Services Privacy Officer on February 24, 2010 for distribution at the Division of Addiction

More information

POLICY NAME: NOTICE OF PRIVACY BREACHES

POLICY NAME: NOTICE OF PRIVACY BREACHES NOTE: This sample policy is drafted to comply with the HIPAA breach notification rules as amended January 2013. The user should review applicable laws and regulations and modify this sample policy as appropriate

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER**

NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER** NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER** This document was prepared to assist the typical physician practice in seeking to undertake reasonable measures to

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New Objective The objective of this policy is to provide guidance for breach notification by Georgia Regional Academic Community Health Information Exchange (hereafter referred to as GRAChIE) when unauthorized

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 12 I. Policy The Health Information Technology for Economic and Clinical Health Act ( HITECH ) regulations contain requirements for notifying individuals in the event of a breach of their unsecured

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

CHART YOUR HIPAA COURSE...

CHART YOUR HIPAA COURSE... CHART YOUR HIPAA COURSE... HHS ISSUES SECURITY BREACH NOTIFICATION RULES PUBLISHED IN FEDERAL REGISTER 8/24/09 EFFECTIVE 9/23/09 The Department of Health and Human Services ( HHS ) has issued interim final

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

Dates Revised: September 23, 2013; July 1, 2014; December 14, 2015

Dates Revised: September 23, 2013; July 1, 2014; December 14, 2015 Policy Level: Policy Title: Policy Number: Breach Notification PP-29 Superseded Policy(ies) or Entity Policy: N/A Date Established: March 17, 2010 Date Effective: December 14, 2015 Dates Revised: September

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel

More information

Checklist for HITECH Breach Readiness

Checklist for HITECH Breach Readiness Checklist for HITECH Breach Readiness Checklist for HITECH Breach Readiness Figure 1 describes a checklist that may be used to assess for breach preparedness for the organization. It is based on published

More information

BREACH MANAGEMENT & NOTIFICATION POLICY

BREACH MANAGEMENT & NOTIFICATION POLICY PURPOSE To ensure that the impermissible or unauthorized use or disclosure of an Individual s Protected Health Information (PHI) will be reported and Participants shall comply with the notification requirements

More information

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Name of Policy: Policy Number: Department: Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Approving Officer: Interim

More information

POLICY AUTHORITY Chancellor for Health Sciences and Dean of the School of Medicine

POLICY AUTHORITY Chancellor for Health Sciences and Dean of the School of Medicine Applies To: All HSC, UNMH, UNMCC, UNM-MG Responsible Department: Privacy Office Revised: New 10/2010 Policy Patient Age Group: ( ) N/A ( X) All Ages ( ) Newborns ( ) Pediatric ( ) Adult POLICY STATEMENT

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section

More information

LIVINGSTON COUNTY ADMINISTRATIVE PROCEDURE HIPAA-4. Breach Notification for Unsecured Protected Health Information

LIVINGSTON COUNTY ADMINISTRATIVE PROCEDURE HIPAA-4. Breach Notification for Unsecured Protected Health Information LIVINGSTON COUNTY ADMINISTRATIVE PROCEDURE HIPAA-4 SUBJECT: ORGANIZATION RESPONSIBLE: Breach Notification for Unsecured Protected Health Information Information Technology Security Manager Office of Information

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Information Privacy and Security Program. Title: EC.PS.01.02

Information Privacy and Security Program. Title: EC.PS.01.02 Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS

SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS SALT LAKE COUNTY COUNTYWIDE POLICY ON HIPAA BREACH NOTIFICATION REQUIREMENTS Reference Purpose Health Insurance Portability and Accountability Act of 1996 (HIPAA); 45 United States Code 1320d et seq.;

More information

HIPAA Breach Notification Policy

HIPAA Breach Notification Policy HIPAA Breach Notification Policy Purpose: To ensure compliance with applicable laws and regulations governing the privacy and security of protected health information, and to ensure that appropriate notice

More information

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 9/3/14 Gerald Jud E. DeLoss Disclaimer 2 o This presentation and its materials are for informational purposes only and not for the purpose

More information

Responding to HIPAA Breaches

Responding to HIPAA Breaches Responding to HIPAA Breaches 11/06/2015 by Kim Stanger HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC HIPAA Update Bob Radecki W.J. Flynn and Associates, LLC Background ARRA American Recovery and Reinvestment Act of 2009 HITECH Health Information Technology for Economic and Clinical Act (Title XII, Part

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

Section 2: HIPAA and the HITECH Act

Section 2: HIPAA and the HITECH Act Section 2: HIPAA and the HITECH Act 1 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Health Information Technology for Economic and Clinical Health Act ( HITECH ), part of the American Recovery and Reinvestment Act of 2009 ( ARRA ).

Health Information Technology for Economic and Clinical Health Act ( HITECH ), part of the American Recovery and Reinvestment Act of 2009 ( ARRA ). Client Advisory Health Care/Technology August 31, 2009 HHS Issues Security Breach Notice Rule On August 24, the Department of Health and Human Services ( HHS ) published its rule (the Rule ) implementing

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Breach Notification and Enforcement Update

Breach Notification and Enforcement Update Breach Notification and Enforcement Update Presented to the Seattle Western Pension & Benefits Council June 16, 2015 Sarah Brown Investigator U.S. Department of Health and Human Services Office for Civil

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014

HIPAA BREACH NOTIFICATION REQUIREMENTS. Heman A. Marshall, III July 25, 2014 1 HIPAA BREACH NOTIFICATION REQUIREMENTS Heman A. Marshall, III July 25, 2014 2 SCENARIO FOR VBA SUMMER MEETING The Medical Marijuana Growers Association (MMGA) Health Plan, which is a self-fund plan,

More information

HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY

HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY HIPAA PRIVACY RULE PAT-608: BREACH NOTIFICATION POLICY I. POLICY: USC 1 shall comply with breach notification requirements under federal and state laws, including the HIPAA privacy and security regulations

More information

organization's patient protected health information (PHI) occurs. as any other federal or state notification law.

organization's patient protected health information (PHI) occurs. as any other federal or state notification law. I. APPLICABILITY Entire organization and its business associate (BAs) and the BA's Subcontractors. II. PURPOSE To provide guidance for breach notification by covered entities and breaches by their business

More information

New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information

New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information GEORGE CHORIATIS In this article, the author discusses the new Health Insurance Portability and Accountability

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A.

Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A. Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A., UC Health 7093020v1 Examples from the News Review of HIPAA Breach Regulations

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com

HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST. David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com HITECH ACT UPDATE HIPAA BREACH NOTIFICATION RULE WEB CAST David G. Schoolcraft Ogden Murphy Wallace, PLLC dschoolcraft@omwlaw.com Presenters David Schoolcraft, Member, Ogden Murphy Wallace, PLLC Taya Briley,

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate Privacy, Data Security & Information Use September 16, 2010 Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate by John L. Nicholson and Meighan E. O'Reardon Effective

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HIPAA/HITECH Omnibus Final Rule - January 23, 2013

HIPAA/HITECH Omnibus Final Rule - January 23, 2013 HIPAA Omnibus Rule Please note: these slides are intended to provide an overview of general information, not an exhaustive review. No legal advice is being offered or intended. Do not rely on this information

More information

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010

NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA. March 2010 NACHC Issue Brief Changes to the Health Insurance Portability and Accountability Act Included in ARRA March 2010 Prepared By: Marisa Guevara and Marcie H. Zakheim Feldesman Tucker Leifer Fidell, LLP 2001

More information

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):

More information

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists ONCE MORE UNTO THE BREACH, DEAR FRIENDS, ONCE MORE Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third Avenue, 16th Floor, New York,

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

New HIPAA Rules and EHRs: ARRA & Breach Notification

New HIPAA Rules and EHRs: ARRA & Breach Notification New HIPAA Rules and EHRs: ARRA & Breach Notification Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com and Raj Goel Chief Technology Officer Brainlink

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which became law in February of this

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013

HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013 HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013 Presented by: Monica C. Hocum, Esq. and Leia C. Olsen, Esq. Agenda

More information

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon. Healthcare Practice Breach Notification Requirements Under HIPAA/HITECH Act and Consumer Identity Theft Protection Act August 2013 Anchorage Beijing New York Portland Seattle Washington, D.C. www.gsblaw.com

More information

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014

GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014 GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY HIPAA Policies and Procedures 06/30/2014 Glenn County Health and Human Services Agency HIPAA Policies and Procedures TABLE OF CONTENTS HIPAA Policy Number

More information

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Identity Theft Prevention and Security Breach Notification Policy. Purpose: Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.

Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr. Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million

More information