HIPAA and Medicare for Chiropractors


1 HIPAA and Medicare for Chiropractors

2 Disclaimer None of the CCS employees are healthcare attorneys. All advice given by CCS is for educational purposes only and should not be considered a legal opinion. The information that follows has been obtained from the Federal Register and other associated government documents. Now on with the show

3 Dr. Jeff Sandquist, Chiropractor and Consultant, Director of Program Development for CCS, Certified Chiropractic Professional Coder (CCPC), Certified Professional Compliance Officer (CPCO)


6 How Do We Cross the Chasm?

7 "The successful person has the habit of doing things failures don't like to do. They don't like doing them either necessarily. But their disliking is subordinated to the strength of their purpose." Albert Gray

8 What is HIPAA? https://www.youtube.com/watch?v=1yjqtn0on8g

9 HIPAA History: Objective: improve efficiency and effectiveness of health care by standardizing electronic exchange of administrative, financial and clinical data. Encompasses transaction standards, electronic signatures, unique identifiers (NPI), privacy, security, breach notification, coding, and more.

10 HIPAA History: Developed by the US Department of Health and Human Services (HHS) and enforced by the Office of Civil Rights (OCR). Health Insurance Portability and Accountability Act of 1996. HIPAA Administration Simplification in 2006 (HIPAA II) mandated national standards for electronic health care transactions, required national identifiers for providers (NPI number), and mandated security and privacy of health data.


12 HIPAA History Updated in 2009 with HITECH Act Finalized in 2013 with Omnibus Final Rule Original HIPAA law consisted of less than 20 pages HIPAA Omnibus Final Rule law consisted of over 500 pages NOT including HITECH Act!!!

13 HITECH Health Information Technology for Economic and Clinical Health Act Part of American Recovery and Reinvestment Act (ARRA) stimulus package of 2009 Focused on leveraging INFORMATION (technology) to achieve better health care outcomes

14 HITECH: Promoted adoption of EHR technology. Expanded existing Privacy and Security standards; BA subject to direct enforcement of Security and Privacy Rules. New breach notification requirements. Enhanced enforcement: increased penalties, proactive audits, etc. Gave HIPAA teeth.

15 Omnibus Final Rule: "The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

16 What Changed? "The changes in the final rulemaking provide the public with increased protection and control of personal health information." HHS News Release, January 17, 2013

17 What Changed? Finalized/implemented many changes from HITECH Act: Business Associate and subcontractor liability; Breach Notification requirements; Notice of Privacy Practices requirements; Increased penalties for noncompliance; Use and disclosure of Protected Health Information (PHI); Expanded individuals' rights.

18 New HIPAA Deadlines: Jan 25, 2013 Published in Federal Register; Mar 26, 2013 Effective Date; Sept 23, 2013 Compliance Date.

19 HIPAA Compliance Privacy Rule since 2003 Security Rule since 2005 HITECH Interim Rule 2009 Meaningful Use in 2011 (Security Risk Analysis) HIPAA Omnibus Final Rule September 23, 2013


21 Penalty Factors Nature and extent of violation Number affected, time period Nature and extent of harm resulting from violation History of prior noncompliance Financial condition of covered entity Other factors

22 HIPAA Compliance: HIPAA compliance is MANDATORY even if you do NOT utilize EHR. HIPAA laws do NOT fall under Obamacare (can't blame that). Can blame HIPAA (in part) for ICD-10.

23 HIPAA Compliance REQUIRED for all Covered Entities (YOU!) Been around but rarely enforced until NOW!

24 HIPAA Noncompliance: "...agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA)."

25 HIPAA Noncompliance: "The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ephi as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members."

26 HIPAA Noncompliance: "As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information." In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

27 ACTIVE Compliance PROCESS 8 HIPAA Compliance Elements

28 HIPAA Compliance Elements: 1. Develop and implement WRITTEN policies and procedures, including changes and updates as necessary (NPP, BAA, Use and Disclosure, Privacy and Security, etc.). 2. Designate a Privacy and Security Officer (Compliance Officer).

29 HIPAA Compliance Elements: 3. Workforce training for ALL employees: who, what, when (at least annually and ASAP when hired). 4. Maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI; Security Rule = ELECTRONIC PHI (ephi); perform a Risk Analysis and Risk Management (SRA Tool).

30 HIPAA Compliance Elements 5. Mitigate harmful effects of use or disclosure of PHI by staff or Business Associates in violation of policies and procedures; Breach, Sanctions, etc. 6. Privacy complaint procedures contained in Notice of Privacy Practices and identify how to and who to make complaints;

31 HIPAA Compliance Elements 7. NEVER retaliate against staff or patients for exercising their rights for assisting in an investigation or for opposing an act or practice that the person believes violates the Privacy Rule; and 8. Record retention of HIPAA related items for 6 YEARS after their effective date

32 Privacy Rule What is it? How to comply with it?

33 Privacy Rule: The HIPAA Privacy Rule provides federal protection for individually identifiable health information held by covered entities. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

34 Privacy Rule Portion of HIPAA law that pertains to interaction between patient and health care professionals and other entities Final ruling effective as of April, 2003

35 Protected Health Information (PHI): all individually identifiable health information that is held or transmitted by a covered entity or its business associates, in any form, whether electronic, paper, or oral.

36 Individually Identifiable Health Info: information, including demographic data, that relates to the individual's past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual (e.g., name, address, birth date, social security number).

37 PHI: Contains health information that identifies the individual, including but not limited to demographic information. Relates to the individual's health or the provision of, or payment for, health care.

38 PHI Excludes: Educational records covered by the Family Educational Rights and Privacy Act (FERPA); Employment records held by a covered entity in its role as an employer; Persons deceased for more than 50 years.

39 PHI De-Identification: Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members are REMOVED:

40 PHI De-Identification: Names; All geographic subdivisions smaller than state; All elements of dates (except year, unless 89 years old and over); Phone numbers; Fax numbers; Email addresses; Social security numbers; Medical record numbers; Health plan beneficiary numbers; Account numbers; Certificate/license numbers; Vehicle identifiers and serial numbers; Device numbers and serial numbers; Web Universal Resource Locators (URLs); Internet Protocol (IP) address numbers; Biometric identifiers (finger and voice prints); Full face photos and comparable images; Any other unique identifying number, characteristic, or code.
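As an added example (not code from the CCS deck), the following Python applies the Safe Harbor identifier list above to a constructed patient record: direct identifiers are dropped, geography is kept only at state level, dates are reduced to the year, and, following the wording of 45 CFR 164.514(b)(2)(i)(C), ages over 89 are collapsed into a single "90+" category with their dates removed. The field names and the sample record are assumptions made for illustration.

```python
import re
from datetime import date

# Fields removed outright: Safe Harbor offers no way to keep them in usable form.
# (The rule's 3-digit ZIP carve-out is deliberately not applied; ZIP is dropped.)
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date fields: reduced to the year, or removed entirely when the patient is over 89.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "visit_date", "death_date"}

# Identifiers that leak into free-text notes; each pattern is replaced by a label.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\bhttps?://\S+"), "[URL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]

# Constructed sample record with hypothetical field names; not real patient data.
SAMPLE = {
    "name": "Jane Example",
    "street_address": "12 Sample St",
    "city": "Springfield",
    "state": "OR",
    "zip": "97401",
    "dob": date(1958, 4, 9),
    "visit_date": date(2014, 3, 21),
    "phone": "541-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "diagnosis": "M54.5 low back pain",
    "notes": "Patient called from 541-555-0100; follow-up 3/28/2014. "
             "Email jane@example.com.",
}
AS_OF = date(2014, 3, 21)


def age_on(dob: date, as_of: date) -> int:
    """Completed years of age on the as_of date."""
    years = as_of.year - dob.year
    if (as_of.month, as_of.day) < (dob.month, dob.day):
        years -= 1
    return years


def scrub_text(text: str) -> str:
    """Replace structured identifiers embedded in free text with labels."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: dict, as_of: date) -> dict:
    """Return a Safe Harbor de-identified copy of record.

    Any key not recognised is treated as free text and scrubbed rather than
    passed through untouched, so an unexpected field cannot leak an identifier.
    """
    dob = record.get("dob")
    over_89 = isinstance(dob, date) and age_on(dob, as_of) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                  # identifier: dropped
        if key in DATE_FIELDS:
            if isinstance(value, date) and not over_89:
                out[key] = value.year                 # year only
            continue                                  # over 89: even the year is indicative
        if key == "age":
            out[key] = "90+" if value > 89 else value
            continue
        if key == "state":
            out[key] = value                          # state-level geography is allowed
            continue
        out[key] = scrub_text(value) if isinstance(value, str) else value
    if over_89:
        out["age"] = "90+"                            # single aggregated age category
    return out


def demo() -> dict:
    """De-identify the constructed sample record."""
    return deidentify(SAMPLE, AS_OF)


if __name__ == "__main__":
    for field, value in demo().items():
        print(f"{field}: {value}")
```

The regex scrub of free text is a safety net, not a guarantee: names and other unstructured identifiers in clinical notes still need manual review before a record is treated as de-identified.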

41 Use The sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. i.e. information used INSIDE your practice

42 Disclosure The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information. i.e. information you share OUTSIDE to others

43 Authorization: A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

44 Authorization Requirements: Description of the information to be used or disclosed; Name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure; Name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure; A description of each purpose of the requested use or disclosure; An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

45 Authorization Requirements, REQUIRED STATEMENTS: The individual's right to revoke the authorization in writing, and either: the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or a reference to the covered entity's notice. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on condition of authorizations; or the consequences to the individual of a refusal to sign the authorization when the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

46 Authorization Requirements: The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart. Plain language requirement: the authorization must be written in plain language. Copy to the individual: if a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

47 Minimum Necessary A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

48 Minimum Necessary Does NOT Apply: To or by a health care provider for treatment; To the individual; With a valid authorization; To the Secretary and as required by law.

49 Monday Morning Action Steps: Address understanding and implementation of Use and Disclosure; PHI and de-identified PHI; Minimum necessary; Determine if a valid authorization is in use.

50 Security Rule What is it? How to comply with it?

51 Security Rule: The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

52 Security Rule: Specific to ELECTRONIC protected health information, AKA ephi. Requires a specific Risk Analysis to determine security. Administrative safeguards: training/management. Physical safeguards: facility access/security. Technical safeguards: access/transmission security.

53 Security Measures take into consideration: Size, complexity, capabilities; Technical, hardware and software infrastructure; Cost of security measures; Likelihood/possible impact of potential risks to ephi.

54 Required vs. Addressable: Required = must be implemented. Addressable = does NOT mean optional: determine if reasonable and appropriate, OR adopt an alternative measure to achieve the purpose of the standard if reasonable and appropriate, OR DOCUMENT why it was NOT implemented.

55 Risk Analysis: Forms the FOUNDATION upon which an entity's necessary security activities are built.

56 Risk Analysis Part of Administrative Safeguards Security Rule requires you to implement policies and procedures to prevent, detect, contain, and correct security violations.

57 Threat: The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Natural threats: floods, earthquakes, tornadoes, etc. Human threats: intentional (unauthorized access, theft) or unintentional (incidental). Environmental threats: power failure, water, fire, etc.

58 Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. Can be technical (technology) OR non-technical (administrative, physical, policies and procedures, staff, etc.).

59 Threats and Vulnerabilities: ephi = Chickens. Threat = Fox, Wolf, Coyote, Hawk, etc. Vulnerability = Hole in fence, tunnel under fence, gate left open, improper shelter, etc.

60 Risk: Function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization. Threat + Vulnerability + Likelihood + Impact.

61 Risk Analysis Overview: Evaluate likelihood and impact of potential risks to ephi; Implement appropriate security measures to address risks identified; Document chosen security measures and rationale; Maintain continuous, reasonable and appropriate security protections. ONGOING PROCESS: update annually and with major changes.

62 Administrative Safeguards: Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ephi and to manage the conduct of the CE's workforce in relation to the protection of that information.

63 Administrative Safeguards: Security management process, including Security Officer designation and implementing various Policies and Procedures; Information access management policies and procedures; Workforce training and management, including sanctions; Periodic evaluation.

64 In Other Words What are the threats, vulnerabilities and risks to ephi and how are they managed? Who is in charge (CO) and involved (TEAM)? Who has access to ephi? Is there authorization, supervision and training? Are there periodic evaluations and assessments?

65 Physical Safeguards: Physical measures, policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

66 Physical Safeguards: Facility access and control; Workstation and device security; Policies and procedures for use and access to workstations and electronic media; Policies and procedures regarding transfer, removal, disposal, reuse and protection of electronic media.

67 In Other Words: Where are the facilities? Who has access to the facilities? How is access to the facilities granted/controlled? What is the security of workstations and technology? How is transfer, removal, disposal and re-use handled?

68 Technical Safeguards The technology and the policies and procedures for its use that protect ephi and control access to it.

69 Technical Safeguards: Policies and procedures that allow access to authorized users only; Hardware, software and procedures to record and examine access; Policies and procedures to ensure ephi is not improperly altered or destroyed; Technical security to guard against unauthorized access to ephi being transmitted.

70 In Other Words: Do ONLY authorized personnel have access to ephi? Are there audit controls to track and evaluate ephi access/use? What's in place to assure proper destruction and prevent improper destruction or alteration of ephi? What's in place to secure transmission of ephi?

71 Unsecured PHI: PHI that is NOT rendered unusable, unreadable or indecipherable to unauthorized individuals according to NIST (National Institute of Standards and Technology) guidelines or by physical destruction.

72 Encryption: Method of converting an original message of regular text into encoded text. Encrypted by means of an algorithm (formula). Done according to National Institute of Standards and Technology (NIST) guidelines.

73 Encryption and Destruction: PHI at Rest: NIST. PHI in Motion: NIST. PHI Disposed: Physical: shredded or destroyed so it cannot be read or reconstructed; Electronic: NIST. PHI in Use: No specific guidelines other than standard access control technologies (and common sense).


76 PHI at Rest, NIST: STORED PHI in some capacity (e.g. desktop, laptop, phone, flash drive, memory card, external hard drive, CDs, DVDs, etc.).

77 PHI in Motion, NIST: PHI MOVING across the wire (i.e. internet or intranet). Transport Layer Security (TLS) recommended; provides authentication, confidentiality, data integrity.

78 PHI Disposed, NIST: Sanitized PHI. Use approved techniques/methods; Not easily retrieved and reconstructed; Track and document sanitation and destruction actions.

79 Sanitation/Destruction Methods: Clearing: cannot simply delete; overwrite technology. Purging: degaussing. Destroying: the ULTIMATE form; disintegration, incineration, pulverizing, shredding, melting, etc.

80 Disaster Plan: LONG-term recovery plan to get you back to where you were before the disaster. HIPAA REQUIRES access and security of data in the event of a disaster.

81 Contingency Plan, AKA Business Continuity Plan: SHORT-term temporary resumption of critical business operations; helps the business survive during Disaster Recovery. HIPAA REQUIRES access and security of data.

82 Contingency Plan: Disaster Risk Analysis; Access to critical contact info; Info about facility (water, gas, electrical shut-offs); Planned steps for various applicable disasters (natural disasters, equipment failure, power failure, communications failure, burst water pipe, loss of key employee, loss of facility access, etc.).

83 Risk Management: REQUIRED under Administrative Safeguards. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule.

84 Where is YOUR ephi? At the office? At home? In your pocket? Another office?

85 Monday Morning Action Steps: Perform a Risk Analysis to determine vulnerabilities, threats, and risks; Address Administrative, Physical, and Technical Safeguards; Perform Risk Management to implement, revise and monitor.

86 Business Associates Who is involved? What changed? What are the requirements?

87 Covered Entity A health care provider who transmits any health information in electronic form YOU!!! (also includes healthcare clearing houses and health plans)

88 Business Associate A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information.

89 Workforce Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

90 Business Associate An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (YOU)

91 Subcontractor: An entity that creates, receives, maintains, or transmits protected health information on behalf of another business associate, i.e. your BA's business associate.

92 Business Associate Examples Billing Services EHR Vendor Accounting Consulting Practice Management Transcriptionist Collection Agency Administrative Financial* Accreditation Attorneys Data Aggregation Computer Repair/ Technician Cloud Storage*

93 Cloud Storage


95 Business Associate Exceptions: Other Healthcare Providers; Health Insurance Carriers; Financial Institutions for care payment; Conduits (USPS, FedEx, UPS, ISP, etc.); Janitor, Electrician, Office Repair, Cleaning Service, etc. (NEVER a Business Associate).

97 BA Exceptions

99 Business Associate or Not? Role or activity based: Do they create, receive, maintain or transmit PHI on your behalf? Do they have access to PHI as part of their role or activity? Even if not routinely; access need only be POTENTIAL.

100 What Changed? Revised definition of a Business Associate; Added entities that fall under the BA definition; Increased liability and compliance requirements for BAs and subcontractors; NEW/UPDATED BA Agreements REQUIRED.

101 BA Liability: DIRECTLY liable for violations of HIPAA. Contractually liable; however, liable whether or not they have an agreement in place with the CE. Liable for actions of subcontractors.

102 Business Associate Agreement: Contract between you and each of your BAs outlining the following (NOTE: you do NOT need a BAA with subcontractors): Permitted uses of PHI; Restricted uses of PHI; Appropriate safeguards; Breach procedures; Terms and termination.

103 BAA Requirements Establish permitted/required uses/ disclosures of PHI BA will not use/disclose PHI other than permitted/required BA will implement appropriate safeguards consistent with HIPAA security rule

104 BAA Requirements BA will report to CE any uses or disclosures not covered in contract, including breaches BA will make PHI available for individuals requests, amendments and accountings BA will comply with applicable HIPAA Privacy Rule requirements

105 BAA Requirements BA will make available internal practices/ books/records to HHS Termination requires BA to destroy/return PHI received/created BA ensures subcontractors agree to same requirements; may be more but NOT less strict Authorize termination by CE if BA violates terms

106 Monday Morning Action Steps Make a list of all Business Associates Get an updated and signed Business Associate Agreement from all BAs

107 Notice of Privacy Practices What is it? Who gets it? Where does it go?

108 What is in the NPP? Describes how medical information about patient may be used and disclosed and how patients can get access to this information Patient Rights Patient Choices Uses and disclosures

109 State vs. Federal Usually Federal Laws are more strict HIPAA takes precedence HOWEVER if State Laws are more strict State Law takes precedence

110 OK Records Request

111 Patient Rights: Receive electronic OR paper copy of medical records; Ask to correct medical records; Request confidential or alternative communications; Ask to limit what we use or share (ex. insurance carriers for care paid for out of pocket).

112 Patient Rights: Get a list of those with whom we've shared info; Get a copy of this privacy notice; Choose someone to act for you; File a complaint if you feel your rights are violated, WITHOUT fear of retaliation.

113 Patient Choices In these cases, you have both the right and choice to tell us to: Share info with your family, close friends, or others involved in your care

114 Patient Choices In these cases we NEVER share your info UNLESS you give us WRITTEN permission: Marketing purposes* Sale of your information

115 Marketing REQUIRES written signed authorization To make a communication about a product or service that encourage the recipient of the communication to purchase or use the product or service.

116 Marketing: An arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity in exchange for REMUNERATION, for the other entity or its affiliate to make communication about its own product or service that encourage recipients of the communication to purchase or use that product or service. Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

117 Marketing EXCEPTIONS: Face-to-face communications; Promotional gift of nominal value (*UNLESS financial REMUNERATION takes place); Treatment of patient (i.e. case management, care coordination, alternative treatments, therapies, providers or settings); Health-related products or services as part of a plan of benefits (health care provider/plan network); Case management or care coordination, treatment alternatives that do NOT fall under the treatment definition.

118 Uses and Disclosures Allowed or required to share patient info Treatment Bill for patient services and receive payments Run your organization (practice) Public health and safety issues Conduct research Comply with law

119 Treatment Provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

120 Payment: Encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

121 Health Care Operations: Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support core functions of treatment and payment.

122 Uses and Disclosures, allowed or required to share patient info: Respond to organ and tissue donation requests; Work with medical examiner or funeral director; Address workers' compensation, law enforcement and other government requests; Respond to lawsuits and legal actions (against you).

123 Decedents: NOT PHI 50 years following death of the person. CAN disclose to the decedent's family members and others involved in care or payment for care prior to death.

124 Provider Responsibilities Required by law to maintain privacy and security of PHI Inform patient promptly if a breach occurs that may compromise the privacy or security of the patient PHI Follow the duties and privacy practices in the NPP and give a copy to the patient Not to use or share info other than described in NPP unless told in writing; can be revoked in writing as well

125 Who Gets the NPP? ALL NEW patients during initial paperwork: obtain written acknowledgment, placed in patient file. Anyone else who asks for it (NOT likely).

126 Where to Post the NPP? Post in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them. May post a summary, as long as the full notice is IMMEDIATELY available (i.e. patients should NOT have to ask for the full notice). Full notice posted on the office website.

127 Monday Morning Action Steps Update NPP Give to all new patients Post in prominent location Post on website

128 Breach Notifications: What is a Breach? What Changed? What is a Breach Notification?

129 What is a Breach? Acquisition, access, use or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information. Basically someone has PHI who should NOT have it (NOT authorized or allowed)

130 Guilty Until Proven Innocent: Harm standard REMOVED. PRESUMED to be a breach UNLESS the covered entity demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:

131 4 Risk Assessment Factors: 1. Nature and extent of PHI involved, types of identifiers, likelihood of re-identification; 2. Unauthorized person who used the PHI or to whom the disclosure was made; 3. Whether PHI was actually acquired or viewed; 4. Extent to which the risk to PHI was mitigated.

132 Breach Notifications: Treated as discovered on the FIRST day it was known or should have been known. Notify EACH individual affected; specific requirements for the info included; you have 60 days from discovery to do so. Business Associates have an obligation to notify the Covered Entity (YOU!) about a breach.

133 Individual Breach Notifications: Brief description of what happened, including date of breach and date of discovery; Description of types of unsecured PHI involved; Steps the individual should take to protect themselves; Brief description of what you are doing to investigate and mitigate harm and protect in the future; Contact procedures, including toll-free number, email address, website or postal address.

134 Breach Notifications: Notification to media: more than 500 individuals affected. Notification to Secretary: more than 500 individuals affected, within 60 days; fewer than 500 individuals affected, by end of year.


More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Compliance Training for Medicare Programs Version 1.0 2/22/2013

Compliance Training for Medicare Programs Version 1.0 2/22/2013 Compliance Training for Medicare Programs Version 1.0 2/22/2013 Independence Blue Cross is an independent licensee of the Blue Cross and Blue Shield Association. 1 The Compliance Program Setting standards

More information

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised

2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S. 2012 Revised 2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S 2012 Revised 1 Introduction CMS Requirements As of January 1, 2011, Federal Regulations require that Medicare Advantage Organizations (MAOs) and

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES SCHOOL DISTRICT OF BLACK RIVER FALLS 523.5 Exhibit NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how

More information

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

What You Need to Know About the New HIPAA Breach Notification Rule 1

What You Need to Know About the New HIPAA Breach Notification Rule 1 What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches

More information

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities

Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities 09/2011 Training Goals In this training you will gain an understanding of: Our Compliance Program elements Pertinent

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Presented by: Gina L. Campanella, JD, MHA Rules that Control Privacy A collection of laws and regulations including:

More information

Medicare Advantage and Part D Fraud, Waste, and Abuse Training. October 2010

Medicare Advantage and Part D Fraud, Waste, and Abuse Training. October 2010 Medicare Advantage and Part D Fraud, Waste, and Abuse Training October 2010 Introduction 2008: United States spent $2.3 trillion on health care. Federal fiscal year 2010: Medicare expected to cover an

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

Chiropractor Compliance Summary Documentation Compliance Criteria for Chiropractic Claims Submitted to the Funds

Chiropractor Compliance Summary Documentation Compliance Criteria for Chiropractic Claims Submitted to the Funds Chiropractor Compliance Summary Documentation Compliance Criteria for Chiropractic Claims Submitted to the Funds Date: April 23, 2012 Source Information: Medicare Policy Purpose The United Mine Workers

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

PHI Air Medical, L.L.C. Compliance Plan

PHI Air Medical, L.L.C. Compliance Plan Page No. 1 of 13 Introduction: The PHI Air Medical, L.L.C. is to be used by employees, contractors and vendors to get a high level understanding of the key regulatory requirements relating to our participation

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

organization's patient protected health information (PHI) occurs. as any other federal or state notification law.

organization's patient protected health information (PHI) occurs. as any other federal or state notification law. I. APPLICABILITY Entire organization and its business associate (BAs) and the BA's Subcontractors. II. PURPOSE To provide guidance for breach notification by covered entities and breaches by their business

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc. 2013 HIPAA Privacy and Security Frequently Asked Questions for Employers Gallagher Benefit Services, Inc. Disclaimer We share this information with our clients and friends for general informational purposes

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Understanding HIPAA Regulations and How They Impact Your Organization!

Understanding HIPAA Regulations and How They Impact Your Organization! Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual
