1 OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights
2 Disclosure These materials should not be considered legal advice. They are not intended to, nor do they, create an attorney-client relationship. The materials are general and may not apply to certain individual legal or factual circumstances. I have no relevant financial relationships or commercial interests to disclose.
3 Agenda 1) HIPAA Breaches How HIPAA Breaches Arise How to Respond to HIPAA Breaches 2) OCR HIPAA Breach Investigations Types of OCR Investigations What to Expect During an OCR Investigation How to Respond to OCR Investigations
4 How to Respond to a Potential HIPAA Breach: Overview and Best Practices
5 HIPAA Breach What is a reportable Breach under HIPAA? Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule unless there is low probability the PHI has been compromised based on a risk assessment. Breach presumed unless demonstrated otherwise. March 1, 2016, reporting deadline for calendar year 2015 small breaches (where < 500 individuals impacted). State Law Considerations.
6 Breach Investigation Best Practices Prompt investigations of possible breaches is critical. Work with health care legal counsel and IT experts. Document everything Rapid Response and Notification Two Tracks (critical) 1) Breach Response 2) Prepare for the investigation/get your house in order!
7 Breach Investigation Best Practices If you suspect a breach of computerized data: Do not delete, move, or alter files on affected system. Do not contact the suspected perpetrator. Do not attempt to conduct a forensic analysis.
8 Breach Investigation Best Practices Instead, if you suspect a breach: 1) Immediately notify health care legal counsel and IT experts to establish a plan of action for the investigation and analysis. 2) Secure the premises. 3) Isolate affected system to prevent further intrusion, data release, or damage. Take infected machines offline, but leave the power on. 4) Use telephone to communicate. Attackers may be capable of monitoring traffic. 5) Activate all auditing software, if not already activated. 6) IT experts should preserve all pertinent system logs (firewall, router, intrusion detection system, etc.). Files on the affected systems should never be deleted, moved, or altered in any way. 7) If files are damaged or altered, IT experts should create backup copies and store them in a secure location. 8) Identify systems that connect to the affected system and where the affected system resides within the network topology. Continued
9 Breach Investigation Best Practices Best practices continued 9) Identify the programs and processes that operate on the affected system(s), pre-identify the associated IP address, MAC address, Switch Port location, ports and services required, physical location of system(s), the OS, OS version, patch history, safe shut down process, and system administrator or backup. 10) Locate backup or cousin data, if any. 11) Take an inventory of missing items and their locations. 12) Review keycard and surveillance data for unusual activity. 13) Retain an external forensic IT expert to assist and to image the data. 14) Determine whether breach notification is required. (See next slide.) 15) If necessary, after consultation with health care legal counsel, notify affected patients and the appropriate law enforcement agenc(ies). a) Document all conversations with law enforcement, if any, and the steps taken to restore the integrity of the system. b) In the event the affected system is collected as evidence, make arrangements to provide for the continuity of services, i.e., prepare redundant system and obtain data back-ups. 16) After the investigation and notification (if necessary) are completed, conduct a post-investigation review of the events and make necessary adjustments to the technology and/or response procedure to reflect the lessons learned.
10 Breach Investigation Best Practices How to Determine if breach notification is required under HIPAA: 1) Determine whether the use or disclosure violates the Privacy Rule. If no, then no breach notification required. If yes, then continue to Step 2. 2) Determine whether the PHI was unsecured. If secured pursuant to HHS guidance (e.g., encryption or destruction), then no breach notification required. If not, then continue to Step 3. 3) Determine whether a breach notification exception applies. The three exceptions include: a) Unintentional acquisition, access, or use of PHI by a workforce member or person acting under authority. Made in good faith and within the scope of authority and does not result in further use or disclosure which violates the Privacy Rule. b) Inadvertent disclosures by a person who is authorized to access PHI to another person authorized to access PHI at the same entity. PHI not further used or disclosed in a manner that violates Privacy Rule. c) Disclosure of PHI where there is a good-faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. 4) Conduct and document an objective risk assessment to determine whether the violation compromised the PHI. (See next slide.)
11 Breach Investigation Best Practices HIPAA Risk Assessment: Any acquisition, access, use or disclosure of PHI in a manner violative of the Privacy Rule is presumed to be a breach. If a Privacy Rule violation has occurred, determine if breach notification is not required based on a reasonable, good-faith risk assessment that there is a low probability that the PHI has been compromised. Four factors to consider are: a) The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; b) The unauthorized person who used the PHI or to whom the disclosure was made; c) Whether the PHI was actually acquired or viewed; and d) The extent to which the risk to the PHI has been mitigated.
12 Breach Investigation Best Practices Do or don t do risk assessment? Make sure it is thorough, with a good-faith application of the law and reasonable conclusions. Log the unauthorized use or disclosure in the patient s disclosure tracking log Do a Security Incident Report (a)(6)(ii) Remember the 2 Tracks! Move to your gap analysis and IMPLEMENT Update Notice of Privacy Practices First thing OCR auditors will do is to go to the CE s website to see if the NPP is posted. OCR will look to see that the NPP is updated for the HIPAA Omnibus Rule. Update breach notification policies and physical and technical safeguards. Make sure to implement. Conduct and document employee training. Conduct and document risk assessment. Update BAAs and document satisfactory assurances from BAs. E.g., consultants, experts, shredding companies, document and cloud storage companies, etc.
13 OCR HIPAA Enforcement: Types of OCR Investigations and How to Respond
14 OCR HIPAA Enforcement The Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy & Security Rules. How does OCR enforce HIPAA? 1) Investigation of breaches and complaints filed with OCR. 2) HIPAA compliance reviews/audits. 3) Education and outreach to foster compliance.
15 OCR HIPAA Audits OCR completed the pilot audit program in The second round of OCR HIPAA audits were initially delayed last fall. Many expected the audits to occur this year, but there may be another delay. What you need to know about OCR audits: All CEs and BAs are eligible to be audited. Protocols not yet finalized for 2 nd round (Omnibus Rule updates). The objectives of the pilot program were to: (i) examine mechanisms for compliance; (ii) identify best practices; (iii) discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews; (iv) renew attention of CEs to health information privacy and security compliance activities. During the pilot program, the OCR: 1) Notified the CE in writing of the audit and asked for documentation of compliance efforts within 10 business days; 2) Conducted a site visit (provided days notice of site visit; site visits generally took business days); 3) Provided a draft final report to the CE, and the CE had 10 business days to review and provide written comments; and 4) Completed final audit report 30 days after receiving CEs comments.
16 OCR HIPAA Investigations See,
17 OCR Investigations: Step-By-Step 1) OCR receives a complaint, breach notice, et cetera E.g., complaints filed by patients or employees. 2) OCR conducts intake & review to determine if a possible Privacy or Security Rule violation occurred. 3) At any time, the OCR may refer the complaint to the DOJ if a possible criminal violation occurred. 4) If no Privacy or Security Rule violation, case is closed. 5) If there is a possible violation, then OCR will notify the complainant and the CE. (See next slides.) The CE will receive a letter from the OCR asking for specific information to be submitted for review. In some cases, the letter will not have any requests, but will instead list corrective actions for the CE to take. 6) Respond to OCR s information requests or compliance demands.
18 OCR Investigations: Sample Letter #1
19 OCR Investigations: Sample Letter #1
20 OCR Investigations: Sample Letter #1
21 OCR Investigations: Sample Letter #1
22 OCR Investigations: Sample Letter #1 Highlights from sample letter #1: OCR transaction number. Short description of the breach allegations in the complaint & potential HIPAA violations List of OCR s requests, including written responses and document requests (in this case, 15 separate requests), including: Response to allegations in complaint; Internal investigation documents; Breach risk assessment; Patient notification letter; CE s HIPAA policies and any HIPAA training; Any HIPAA risk analysis performed; Evidence of technical safeguards, including network scans, malicious software protection, network security devices, and data backup. Deadline to respond set at 20 days after receipt of letter. Name of the investigator in charge.
23 OCR Investigations: Sample Letter #2
24 OCR Investigations: Sample Letter #2
25 OCR Investigations: Sample Letter #2
26 OCR Investigations: Sample Letter #2 Highlights from sample letter #2: Includes much of the same information as sample letter #1 (i.e., OCR transaction number, short description of the allegations in the complaint, name of investigator in charge, etc.). However, instead of requiring the CE to respond to document requests and written questions, sample letter #2 lists corrective actions the CE must take to comply with HIPAA, including: Conduct an internal investigation of the allegations in complaint; Re-train workforce members involved in incident on Privacy Rule; Determine if sanctions against workforce members are appropriate; Mitigate harm to patients affected; Conduct HIPAA risk assessment; and Implement administrative, physical, and technical safeguards to prevent similar incidents. Sample letter #2 states that the case is closed as of the date of the letter and notifies the CE that OCR may conduct a compliance review in six months. In contrast, sample letter #1 kept the investigation open pending the CE s response (which essentially was a compliance review).
27 Best Practices for Response to OCR Get the response deadline in writing. E.g., notify the OCR investigator via of the date the CE received the letter and confirm the response deadline calculated from the date of receipt. Or, in the sample letter #2 scenario where no response is required, begin implementing the corrective actions immediately. Gap Analysis and Fixing. Forget the allegations, fix the ecosystem Overreact. Don t underreact. Show the OCR that the CE takes HIPAA compliance very seriously. Put your best foot forward. Even if not specifically requested by the OCR, make sure to state the ways in which the CE is HIPAA compliant and the corrective actions the CE has taken to become/remain HIPAA compliant. Focus on reputable compliance history and what CE has done correctly. LOTS OF DOCUMENTS Don t highlight, but don t hide from weaknesses. OCR wants to see that the CE is acting in good faith, learning, and taking corrective actions to ensure compliance. Highlight this when discussing your weaknesses. Focus on how you can and will improve and your ongoing compliance efforts. Highlight the CE s compliance barriers, but don t rely on this too heavily. E.g., small practice with few employees/resources doing the best it can.
28 Best Practices for Response to OCR Update Notice of Privacy Practices First thing OCR auditors will do is to go to the CE s website to see if the NPP is posted. OCR will look to see that the NPP is updated for the HIPAA Omnibus Rule. Update breach notification policies and physical and technical safeguards. Make sure to implement. Conduct and document employee training. Conduct and document risk assessment. Make sure it is thorough, with a good-faith application of the law and reasonable conclusions. Accounting of disclosures for purposes other than treatment, payment, and health care operations Update BAAs and document satisfactory assurances from BAs. E.g., consultants, experts, shredding companies, document and cloud storage companies, etc.
29 OCR Investigations: Step-By-Step, Cont 7) After receiving CE s response, OCR reviews evidence to determine if a violation occurred. If evidence indicates that CE was not in compliance, then OCR will attempt to resolve the case by obtaining: Voluntary compliance; Corrective action; and/or Resolution agreement. 8) Sometimes OCR will request additional information/evidence (e.g., follow-up questions/requests about whether the CE actually took the corrective actions it said it would take in its response). 9) If CE does not take action to resolve the matter that is satisfactory to OCR, then OCR may impose CMPs and CE may request an evidentiary hearing. 10) If OCR is satisfied with the CE s corrective actions, OCR will typically request a phone call to offer HIPAA technical assistance to the CE. This is usually an indication that OCR is closing the file. 11) Once investigation is closed, OCR will send a letter (see next slide). 12) CE should review its response to investigation and determine how it can improve for next time.
30 OCR Investigation Closure Letter
31 OCR Investigation Closure Letter
32 OCR Investigation Closure Letter
33 OCR Investigation Closure Letter Highlights from OCR closure letter: Letter addressed to the CE and the complainant. Outlines the evidence collected from CE and complainant. Focused on the mitigating and corrective actions taken by CE. CE conducted an internal investigation and quickly took steps to protect PHI compromised and to prevent similar incidents. CE terminated its relationship with BA involved in breach. CE updated its HIPAA policies, conducted employee training, and increased physical and technical safeguards. CE notified affected patients and offered one year of credit monitoring. CE gave assurances it would report breach to OCR within 60 days after end of year and document breach for accounting of disclosure purposes. Based on the corrective action measures taken by the covered entity, OCR deems that all matters raised by this complaint at the time it was filed have now been resolved through the voluntary compliance actions of the covered entity. Therefore, OCR is closing this case. OCR s determination only applies to issues raised in complaint.
34 Questions? Clinton Mikel, Esq. Partner The Health Law Partners, P.C. Southfield, Michigan (248)
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. email@example.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health
Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process
What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches
UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier firstname.lastname@example.org @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million
NOTE: This sample policy is drafted to comply with the HIPAA breach notification rules as amended January 2013. The user should review applicable laws and regulations and modify this sample policy as appropriate
Chris Bennington, Esq., INCompliance Consulting Shannon DeBra, Esq., Bricker & Eckler LLP Victoria Norton, R.N., J.D., M.B.A., UC Health 7093020v1 Examples from the News Review of HIPAA Breach Regulations
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
Responding to HIPAA Breaches 11/06/2015 by Kim Stanger HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results
Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
HIPAA Data Breaches: Managing Them Internally and in Response to Civil/Criminal Investigations Health Care Litigation Webinar Series March 22, 2012 Spence Pryor Paula Stannard Jason Popp 1 HIPAA/HITECH
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
Vendor Management Challenges and Solutions for HIPAA Compliance Jim Sandford Vice President, Coalfire Housekeeping You may submit questions throughout the webinar using the question area in the control
Brought to you by Cottingham & Butler for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.
Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the
HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
Objective The objective of this policy is to provide guidance for breach notification by Georgia Regional Academic Community Health Information Exchange (hereafter referred to as GRAChIE) when unauthorized
HIPAA Fundraising Fundamentals for Foundations WHA s 2013 Prescription for Success: A Workshop for Hospital Foundations August 13, 2013 Presented by: Monica C. Hocum, Esq. and Leia C. Olsen, Esq. Agenda
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
2015 User Conference HIPAA and Patient Safety: Why It Matters April 24, 2015 (GEN-AO1) Presented by: Susan J. Kressly, MD, FAAP Medical Director, Office Practicum General Session Learning Objectives Understand
Ready or Not: OCR s Second Round of HIPAA Audits Are Just Around the Corner OPRA 2015 Fall Conference November 4, 2015 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease LLP 614.464.8353 email@example.com
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
LIVINGSTON COUNTY ADMINISTRATIVE PROCEDURE HIPAA-4 SUBJECT: ORGANIZATION RESPONSIBLE: Breach Notification for Unsecured Protected Health Information Information Technology Security Manager Office of Information
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability
QUEST, INC BREACH NOTIFICATION POLICY Dev September 2012 Page Number I. Breach Notification Template HIPAA Breach Notification Policy Table of Contents 1 A. Generally 1 B. When a Breach is Considered to
HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
HIPAA Update Bob Radecki W.J. Flynn and Associates, LLC Background ARRA American Recovery and Reinvestment Act of 2009 HITECH Health Information Technology for Economic and Clinical Act (Title XII, Part
Anatomy of a Health Care Data Breach (a.k.a. Breaches, Breaches, and More Breaches) Presented by: Allyson Jones Labban, Esq. 300 N. Greene Street, Ste. 1400 Greensboro, NC 27401 T: 336.378.5200 E: firstname.lastname@example.org
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
How Does a HIPAA Violation Become a Privacy Breach? Karen Voiles, MBA, CHC, CHPC, CHRC Senior Managing Consultant, Compliance Agenda Differentiating between HIPAA violation and reportable breach Best practices
Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of
2010 HIPAA Security Environment Managing Risk in the HITECH Act World Prepared by Mark Lutes, Epstein Becker & Green, PC email@example.com; 202.861.1824 Robert Hudock, Epstein Becker & Green, PC firstname.lastname@example.org;
HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On