Disclaimer
None of the CCS employees are healthcare attorneys. All advice given by CCS is for educational purposes only and should not be considered a legal opinion. The information that follows has been obtained from the Federal Register and other associated government documents. Now on with the show.

Dr. Jeff Sandquist
Chiropractor and Consultant
Director of Program Development for CCS
Certified Chiropractic Professional Coder (CCPC)
Certified Professional Compliance Officer (CPCO)

How Do We Cross the Chasm?
"The successful person has the habit of doing things failures don't like to do. They don't like doing them either necessarily. But their disliking is subordinated to the strength of their purpose." - Albert Gray

What is HIPAA?
https://www.youtube.com/watch?v=1yjqtn0on8g

HIPAA History
- Objective: improve the efficiency and effectiveness of health care by standardizing the electronic exchange of administrative, financial and clinical data
- Encompasses: transaction standards, electronic signatures, unique identifiers (NPI), privacy, security, breach notification, coding, and more

HIPAA History
- Developed by the US Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR)
- Health Insurance Portability and Accountability Act of 1996
- HIPAA Administrative Simplification in 2006 (HIPAA II)
- Mandated national standards for electronic health care transactions, required national identifiers for providers (NPI number), mandated security and privacy of health data

HIPAA History
- Updated in 2009 with the HITECH Act
- Finalized in 2013 with the Omnibus Final Rule
- The original HIPAA law consisted of less than 20 pages
- The HIPAA Omnibus Final Rule consisted of over 500 pages, NOT including the HITECH Act!!!

HITECH
- Health Information Technology for Economic and Clinical Health Act
- Part of the American Recovery and Reinvestment Act (ARRA) stimulus package of 2009
- Focused on leveraging INFORMATION (technology) to achieve better health care outcomes

HITECH
- Promoted adoption of EHR technology
- Expanded existing Privacy and Security standards
- BAs subject to direct enforcement of the Security and Privacy Rules
- New breach notification requirements
- Enhanced enforcement: increased penalties, proactive audits, etc.
- Gave HIPAA teeth

Omnibus Final Rule
"The U.S. Department of Health and Human Services (HHS) Office for Civil Rights announces a final rule that implements a number of provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA)."

What Changed?
"The changes in the final rulemaking provide the public with increased protection and control of personal health information." - HHS News Release, January 17, 2013

What Changed?
Finalized/implemented many changes from the HITECH Act:
- Business Associate and subcontractor liability
- Breach Notification requirements
- Notice of Privacy Practices requirements
- Increased penalties for noncompliance
- Use and disclosure of Protected Health Information (PHI)
- Expanded individuals' rights

New HIPAA Deadlines
- Jan 25, 2013: published in the Federal Register
- Mar 26, 2013: effective date
- Sept 23, 2013: compliance date

HIPAA Compliance
- Privacy Rule since 2003
- Security Rule since 2005
- HITECH Interim Rule 2009
- Meaningful Use in 2011 (Security Risk Analysis)
- HIPAA Omnibus Final Rule September 23, 2013
Penalty Factors
- Nature and extent of the violation (number affected, time period)
- Nature and extent of harm resulting from the violation
- History of prior noncompliance
- Financial condition of the covered entity
- Other factors

HIPAA Compliance
- HIPAA compliance is MANDATORY even if you do NOT utilize an EHR
- HIPAA laws do NOT fall under Obamacare (can't blame that)
- Can blame HIPAA (in part) for ICD-10

HIPAA Compliance
- REQUIRED for all Covered Entities (YOU!)
- Been around, but rarely enforced until NOW!

HIPAA Noncompliance
"... agreeing to a $150,000 payment. APDerm will also be required to implement a corrective action plan to correct deficiencies in its HIPAA compliance program. This case marks the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA)."

HIPAA Noncompliance
"The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process. Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members."

HIPAA Noncompliance
"As we say in health care, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information." In addition to a $150,000 resolution amount, the settlement includes a corrective action plan requiring APDerm to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR.

ACTIVE Compliance PROCESS
8 HIPAA Compliance Elements

HIPAA Compliance Elements
1. Develop and implement WRITTEN policies and procedures, including changes and updates as necessary (NPP, BAA, Use and Disclosure, Privacy and Security, etc.)
2. Designate a Privacy and Security Officer (Compliance Officer)

HIPAA Compliance Elements
3. Workforce training for ALL employees: who, what, when (at least annually, and ASAP when hired)
4. Maintain reasonable and appropriate administrative, technical and physical safeguards to prevent intentional or unintentional use or disclosure of PHI (Security Rule = ELECTRONIC PHI, i.e. ePHI); perform a Risk Analysis and Risk Management (SRA Tool)

HIPAA Compliance Elements
5. Mitigate harmful effects of use or disclosure of PHI by staff or Business Associates in violation of policies and procedures (breach, sanctions, etc.)
6. Privacy complaint procedures contained in the Notice of Privacy Practices, identifying how and to whom to make complaints

HIPAA Compliance Elements
7. NEVER retaliate against staff or patients for exercising their rights, for assisting in an investigation, or for opposing an act or practice that the person believes violates the Privacy Rule; and
8. Record retention of HIPAA-related items for 6 YEARS after their effective date
Privacy Rule
What is it? How to comply with it?

Privacy Rule
"The HIPAA Privacy Rule provides federal protection for individually identifiable health information held by covered entities. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes."

Privacy Rule
- Portion of the HIPAA law that pertains to the interaction between the patient and health care professionals and other entities
- Final ruling effective as of April 2003

Protected Health Information (PHI)
All individually identifiable health information that is held or transmitted by a covered entity or its business associates, in any form, whether electronic, paper, or oral.

Individually Identifiable Health Information
Information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (e.g., name, address, birth date, social security number).

PHI
- Contains health information that identifies the individual, including but not limited to demographic information
- Relates to the individual's health or the provision of, or payment for, health care

PHI Excludes
- Educational records covered by the Family Educational Rights and Privacy Act (FERPA)
- Employment records held by a covered entity in its role as an employer
- Persons deceased for more than 50 years

PHI De-Identification
Health information that does not identify an individual, and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual, is not individually identifiable health information. The following identifiers of the individual, relatives, employers or household members are REMOVED:

PHI De-Identification
- Names
- All geographic subdivisions smaller than a state
- All elements of dates (except year, unless 89 years old and over)
- Phone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers
- Device numbers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers (finger and voice prints)
- Full face photos and comparable images
- Any other unique identifying number, characteristic, or code
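The removal list above, applied in code to a constructed patient record. This is an added example, not material from the presentation: the record layout (field names) and the leak-detection regular expressions are assumptions, and the "90+" aggregation follows the Safe Harbor rule the slide is summarizing. The point it adds is the second function: stripping structured fields is easy, but free-text notes routinely still carry phone numbers and dates, and a record is not de-identified until those are gone too.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example, not part of the original presentation. The record layout
(field names) and the leak-detection regexes are assumptions; the identifier
categories are the Safe Harbor list from the slide above."""
import re
from datetime import date

# Fields holding direct identifiers: dropped entirely (assumed schema).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "zip", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric", "photo",
}
# Date fields: every element except the year is removed.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}

# Patterns that catch identifiers hiding inside free-text fields such as notes.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
}


def _age_on(dob: date, today: date) -> int:
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))


def deidentify(record: dict, today: date) -> dict:
    """Return a Safe Harbor de-identified copy of `record`.

    Direct identifiers are dropped, dates are reduced to their year, and
    ages over 89 are collapsed into the single category "90+" (in that case
    the birth year is dropped too, since it would reveal the age)."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[key + "_year"] = value.year
            continue
        out[key] = value

    dob = record.get("date_of_birth")
    if isinstance(dob, date):
        age = _age_on(dob, today)
        if age > 89:
            out["age"] = "90+"
            out.pop("date_of_birth_year", None)
        else:
            out["age"] = age
    return out


def residual_identifiers(record: dict) -> list:
    """Scan string values of a de-identified record for identifiers that
    survived in free text; returns sorted 'field:category' labels."""
    found = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    found.append(f"{key}:{label}")
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample record; every value is made up.
    sample = {
        "name": "Jane Doe",
        "ssn": "123-45-6789",
        "date_of_birth": date(1930, 1, 15),
        "admission_date": date(2023, 11, 2),
        "state": "NY",
        "zip": "10001",
        "diagnosis": "M54.5",
        "notes": "Patient called from 555-123-4567 about follow-up",
    }
    cleaned = deidentify(sample, today=date(2024, 6, 1))
    print(cleaned)
    print("leaks:", residual_identifiers(cleaned))
```

Geographic data is reduced to the state, as the slide states; Safe Harbor separately permits the first three ZIP digits for sufficiently populous areas, which this example deliberately does not implement. A non-empty result from `residual_identifiers` means the record still needs manual review before it can be treated as de-identified.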
Use
The sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information, i.e. information used INSIDE your practice.

Disclosure
The release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information, i.e. information you share OUTSIDE with others.

Authorization
A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule.

Authorization Requirements
- Description of the information to be used or disclosed
- Name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure
- Name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure
- A description of each purpose of the requested use or disclosure
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- Signature of the individual and date
- If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided

Authorization Requirements: REQUIRED STATEMENTS
- The individual's right to revoke the authorization in writing, and either: the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or a reference to the covered entity's notice
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, when the prohibition on conditioning of authorizations applies; or the consequences to the individual of a refusal to sign the authorization, when the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization

Authorization Requirements
- The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart
- Plain language requirement: the authorization must be written in plain language
- Copy to the individual: if a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization

Minimum Necessary
A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request.

Minimum Necessary Does NOT Apply
- To or by a health care provider for treatment
- To the individual
- With a valid authorization
- To the Secretary
- As required by law

Monday Morning Action Steps
- Address understanding and implementation of: Use and Disclosure; PHI and de-identified PHI; Minimum Necessary
- Determine if a valid authorization is in use
Security Rule
What is it? How to comply with it?

Security Rule
"The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information."

Security Rule
- Specific to ELECTRONIC protected health information, AKA ePHI
- Requires a specific Risk Analysis to determine security
- Administrative safeguards: training/management
- Physical safeguards: facility access/security
- Technical safeguards: access/transmission security

Security Measures
Takes into consideration:
- Size, complexity, capabilities
- Technical, hardware and software infrastructure
- Cost of security measures
- Likelihood/possible impact of potential risks to ePHI

Required vs. Addressable
- Required = must be implemented
- Addressable = does NOT mean optional. Determine if it is reasonable and appropriate; OR adopt an alternative measure to achieve the purpose of the standard if reasonable and appropriate; OR DOCUMENT why it was NOT implemented

Risk Analysis
Forms the FOUNDATION upon which an entity's necessary security activities are built.

Risk Analysis
- Part of the Administrative Safeguards
- The Security Rule requires you to implement policies and procedures to prevent, detect, contain, and correct security violations

Threat
The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
- Natural threats: floods, earthquakes, tornadoes, etc.
- Human threats: intentional (unauthorized access, theft) or unintentional (incidental)
- Environmental threats: power failure, water, fire, etc.

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy. Can be technical (technology) OR non-technical (administrative, physical, policies and procedures, staff, etc.)

Threats and Vulnerabilities
- ePHI = chickens
- Threat = fox, wolf, coyote, hawk, etc.
- Vulnerability = hole in the fence, tunnel under the fence, gate left open, improper shelter, etc.

Risk
A function of the likelihood of a given threat triggering or exploiting a particular vulnerability and the resulting impact on the organization. Threat + Vulnerability + Likelihood + Impact

Risk Analysis Overview
- Evaluate the likelihood and impact of potential risks to ePHI
- Implement appropriate security measures to address the risks identified
- Document the chosen security measures and the rationale
- Maintain continuous, reasonable and appropriate security protections
- ONGOING PROCESS: update annually and with major changes
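The four-step overview above, carried through in code as an added example that is not part of the presentation. It uses the slide's own terms (asset, threat, vulnerability, likelihood, impact) with the chicken-coop analogy translated into ePHI terms as constructed sample data; the 1 to 3 scales and the HIGH/MEDIUM/LOW thresholds are assumptions, not a scale HIPAA prescribes. What it adds to the slide is the refusal to produce a plan for any risk whose measure and rationale are not written down, and the residual score that makes the "ongoing process" re-evaluation concrete.

```python
"""Risk analysis carried through in code.

Added example, not from the presentation. Scales and thresholds are assumed;
the register entries are constructed, illustrative values only."""
from dataclasses import dataclass
from typing import Optional

LOW, MEDIUM, HIGH = 1, 2, 3  # assumed likelihood and impact scale


@dataclass
class Risk:
    asset: str               # the ePHI at stake (the "chickens")
    threat: str              # natural, human or environmental (the "fox")
    vulnerability: str       # the "hole in the fence"
    likelihood: int
    impact: int
    measure: str = ""        # chosen security measure
    rationale: str = ""      # why it was chosen, or why it was not implemented
    residual_likelihood: Optional[int] = None   # after the measure, if it changed
    residual_impact: Optional[int] = None

    def score(self) -> int:
        """Risk = f(likelihood, impact): the product of the two on the assumed scale."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        like = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return like * imp


def rating(score: int) -> str:
    """Map a score to the level that drives prioritization (assumed thresholds)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def prioritize(register: list) -> list:
    """Highest risk first; ties broken by impact so high-impact items surface."""
    return sorted(register, key=lambda r: (r.score(), r.impact), reverse=True)


def documented_plan(register: list) -> list:
    """The written record the slide asks for: measure, rationale, before/after.

    Raises for any risk without a documented measure and rationale, because an
    undocumented decision is exactly the audit finding."""
    rows = []
    for r in prioritize(register):
        if not r.measure or not r.rationale:
            raise ValueError(f"undocumented risk: {r.threat} / {r.vulnerability}")
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "initial": rating(r.score()),
            "measure": r.measure,
            "rationale": r.rationale,
            "residual": rating(r.residual_score()),
        })
    return rows


def sample_register() -> list:
    """Constructed entries for a small practice; values are illustrative only."""
    return [
        Risk("ePHI on office laptop", "laptop theft (human, intentional)",
             "hard drive not encrypted", HIGH, HIGH,
             measure="NIST-compliant full-disk encryption on all laptops",
             rationale="theft likelihood is unchanged, but encrypted ePHI is not "
                       "'unsecured PHI', so the impact of a loss drops",
             residual_impact=LOW),
        Risk("ePHI on office server", "flood (natural)",
             "server on basement floor, no offsite backup", LOW, HIGH,
             measure="tested offsite backups; server moved off the floor",
             rationale="cannot reduce flood likelihood; backups restore availability",
             residual_impact=MEDIUM),
        Risk("ePHI in EHR", "unauthorized access by staff (human)",
             "shared login, no audit log", MEDIUM, MEDIUM,
             measure="unique user IDs and audit logging",
             rationale="required Security Rule specifications; also gives audit controls",
             residual_likelihood=LOW),
    ]


if __name__ == "__main__":
    for row in documented_plan(sample_register()):
        print(f"{row['initial']:6} -> {row['residual']:6} {row['threat']}: {row['measure']}")
```

Re-running `documented_plan` after each annual review, with the residual values promoted to the new initial values and any new threats appended, is the "ongoing process" the slide calls for; the rows are what an OCR investigator asks to see.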
Administrative Safeguards
"Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the CE's workforce in relation to the protection of that information."

Administrative Safeguards
- Security management process, including Security Officer designation and implementing various policies and procedures
- Information access management policies and procedures
- Workforce training and management, including sanctions
- Periodic evaluation

In Other Words
- What are the threats, vulnerabilities and risks to ePHI, and how are they managed?
- Who is in charge (CO) and involved (TEAM)?
- Who has access to ePHI?
- Is there authorization, supervision and training?
- Are there periodic evaluations and assessments?

Physical Safeguards
"Physical measures, policies and procedures, to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion."

Physical Safeguards
- Facility access and control
- Workstation and device security
- Policies and procedures for use of and access to workstations and electronic media
- Policies and procedures regarding transfer, removal, disposal, reuse and protection of electronic media

In Other Words
- Where are the facilities?
- Who has access to the facilities?
- How is access to the facilities granted/controlled?
- What is the security of workstations and technology?
- How are transfer, removal, disposal and re-use handled?

Technical Safeguards
"The technology and the policies and procedures for its use that protect ePHI and control access to it."

Technical Safeguards
- Policies and procedures that allow access to authorized users only
- Hardware, software and procedures to record and examine access
- Policies and procedures to ensure ePHI is not improperly altered or destroyed
- Technical security to guard against unauthorized access to ePHI being transmitted

In Other Words
- Do ONLY authorized personnel have access to ePHI?
- Are there audit controls to track and evaluate ePHI access/use?
- What is in place to assure proper destruction and prevent improper destruction or alteration of ePHI?
- What is in place to secure transmission of ePHI?

Unsecured PHI
PHI that is NOT rendered unusable, unreadable or indecipherable to unauthorized individuals according to NIST guidelines (National Institute of Standards and Technology) or by physical destruction.
Encryption
- Method of converting an original message of regular text into encoded text
- Encrypted by means of an algorithm (formula)
- Done according to National Institute of Standards and Technology (NIST) guidelines

Encryption and Destruction
- PHI at Rest: NIST guidance
- PHI in Motion: NIST guidance
- PHI Disposed: Physical: shredded or destroyed so that it cannot be read or reconstructed; Electronic: NIST guidance
- PHI in Use: no specific guidelines other than standard access control technologies (and common sense)

PHI at Rest (NIST)
STORED PHI in some capacity (e.g. desktop, laptop, phone, flash drive, memory card, external hard drive, CDs, DVDs, etc.)

PHI in Motion (NIST)
- PHI MOVING across the wire (i.e. internet or intranet)
- Transport Layer Security (TLS) recommended
- Provides authentication, confidentiality, data integrity

PHI Disposed (NIST)
- Sanitized PHI
- Use approved techniques/methods
- Not easily retrieved and reconstructed
- Track and document sanitization and destruction actions

Sanitization/Destruction Methods
- Clearing: cannot simply delete; overwrite technology
- Purging: degaussing
- Destroying: the ULTIMATE form; disintegration, incineration, pulverizing, shredding, melting, etc.
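The "cannot simply delete" point from the Clearing method above, shown on a single file as an added example that is not part of the presentation: the contents are overwritten with random bytes and flushed to the device before the file is unlinked, and a record is returned for the "track and document" step the PHI Disposed slide requires. File paths, the sample content and the log format are assumptions.

```python
"""Clearing electronic media before disposal: overwrite, then delete, then log.

Added example, not from the presentation. Paths, content and log format are
assumed; the record type is the documentation the disposal slide asks for."""
import os
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class SanitizationRecord:
    path: str
    bytes_overwritten: int
    passes: int
    completed_at: str
    method: str = "clear:overwrite"


def clear_and_delete(path: str, passes: int = 1) -> SanitizationRecord:
    """Overwrite `path` in place `passes` times with random data, then remove it."""
    if passes < 1:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    # Unbuffered handle so every write reaches the OS; fsync pushes it to the device.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(64 * 1024, remaining))
                written = fh.write(chunk)   # raw writes may be partial
                remaining -= written
            os.fsync(fh.fileno())
    os.remove(path)
    return SanitizationRecord(
        path=path,
        bytes_overwritten=size * passes,
        passes=passes,
        completed_at=datetime.now(timezone.utc).isoformat(),
    )


def clear_directory(directory: str, passes: int = 1) -> list:
    """Clear every regular file under `directory`; returns one log row per file."""
    records = []
    for root, _dirs, files in os.walk(directory):
        for name in files:
            records.append(asdict(clear_and_delete(os.path.join(root, name), passes)))
    return records


if __name__ == "__main__":
    import tempfile
    workdir = tempfile.mkdtemp()
    export = os.path.join(workdir, "ephi_export.csv")
    with open(export, "wb") as f:
        f.write(b"PATIENT,MRN\n" * 100)   # constructed placeholder content
    print(clear_and_delete(export, passes=2))
```

In-place overwriting only clears media where the same physical blocks are rewritten, which is true of traditional magnetic disks but not of SSDs, copy-on-write or journaling file systems, or cloud storage, where the old blocks can survive the overwrite. That is why the slide ranks purging and destruction above clearing; this routine is the documented minimum for the media it fits, not a substitute for them.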
Disaster Plan
- LONG-term recovery plan to get you back to where you were before the disaster
- HIPAA REQUIRES access to and security of data in the event of a disaster

Contingency Plan
- AKA Business Continuity Plan
- SHORT-term, temporary resumption of critical business operations; helps the business survive during Disaster Recovery
- HIPAA REQUIRES access to and security of data

Contingency Plan
- Disaster Risk Analysis
- Access to critical contact info
- Info about the facility (water, gas, electrical shut-offs)
- Planned steps for the various applicable disasters (natural disasters, equipment failure, power failure, communications failure, burst water pipe, loss of a key employee, loss of facility access, etc.)

Risk Management
REQUIRED under the Administrative Safeguards: "Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule."

Where is YOUR ePHI?
At the office? At home? In your pocket? At another office?

Monday Morning Action Steps
- Perform a Risk Analysis to determine vulnerabilities, threats, and risks
- Address Administrative, Physical, and Technical Safeguards
- Perform Risk Management to implement, revise and monitor
Business Associates
Who is involved? What changed? What are the requirements?

Covered Entity
A health care provider who transmits any health information in electronic form. YOU!!! (Also includes health care clearinghouses and health plans.)

Business Associate
A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.

Workforce
Employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

Business Associate
An entity that creates, receives, maintains, or transmits protected health information on behalf of a covered entity (YOU).

Subcontractor
An entity that creates, receives, maintains, or transmits protected health information on behalf of another business associate, i.e. your BA's business associate.

Business Associate Examples
Billing services, EHR vendor, accounting, consulting, practice management, transcriptionist, collection agency, administrative, financial*, accreditation, attorneys, data aggregation, computer repair/technician, cloud storage*

Cloud Storage

Business Associate Exceptions
- Other health care providers
- Health insurance carriers
- Financial institutions for care payment
- Conduits (USPS, FedEx, UPS, ISP, etc.)
- Janitor, electrician, office repair, cleaning service, etc. (NEVER a Business Associate)

BA Exceptions
Business Associate or Not?
- Role or activity based
- Do they create, receive, maintain or transmit PHI on your behalf?
- Do they have access to PHI as part of their role or activity? Even if not routinely; the access need only be POTENTIAL

What Changed?
- Revised definition of a Business Associate
- Added entities that fall under the BA definition
- Increased liability and compliance requirements for BAs and subcontractors
- NEW/UPDATED BA Agreements REQUIRED

BA Liability
- DIRECTLY liable for violations of HIPAA
- Contractually liable; however, liable whether or not they have an agreement in place with the CE
- Liable for the actions of subcontractors

Business Associate Agreement
Contract between you and each of your BAs outlining the following (NOTE: you do NOT need a BAA with subcontractors):
- Permitted uses of PHI
- Restricted uses of PHI
- Appropriate safeguards
- Breach procedures
- Terms and termination

BAA Requirements
- Establish permitted/required uses/disclosures of PHI
- BA will not use/disclose PHI other than as permitted/required
- BA will implement appropriate safeguards consistent with the HIPAA Security Rule

BAA Requirements
- BA will report to the CE any uses or disclosures not covered in the contract, including breaches
- BA will make PHI available for individuals' requests, amendments and accountings
- BA will comply with applicable HIPAA Privacy Rule requirements

BAA Requirements
- BA will make internal practices/books/records available to HHS
- Termination requires the BA to destroy/return PHI received/created
- BA ensures subcontractors agree to the same requirements; they may be more, but NOT less, strict
- Authorize termination by the CE if the BA violates the terms

Monday Morning Action Steps
- Make a list of all Business Associates
- Get an updated and signed Business Associate Agreement from all BAs
Notice of Privacy Practices
What is it? Who gets it? Where does it go?

What is in the NPP?
Describes how medical information about the patient may be used and disclosed and how patients can get access to this information:
- Patient rights
- Patient choices
- Uses and disclosures

State vs. Federal
- Usually Federal laws are more strict: HIPAA takes precedence
- HOWEVER, if State laws are more strict, State law takes precedence

OK Records Request

Patient Rights
- Receive an electronic OR paper copy of medical records
- Ask to correct medical records
- Request confidential or alternative communications
- Ask to limit what we use or share (e.g. with insurance carriers, for care paid for out of pocket)

Patient Rights
- Get a list of those with whom we've shared info
- Get a copy of this privacy notice
- Choose someone to act for you
- File a complaint if you feel your rights are violated, WITHOUT fear of retaliation

Patient Choices
In these cases, you have both the right and the choice to tell us to:
- Share info with your family, close friends, or others involved in your care

Patient Choices
In these cases we NEVER share your info UNLESS you give us WRITTEN permission:
- Marketing purposes*
- Sale of your information

Marketing
REQUIRES written, signed authorization. "To make a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service."

Marketing
"An arrangement between a covered entity and any other entity whereby the covered entity discloses PHI to the other entity in exchange for REMUNERATION, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service." Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

Marketing EXCEPTIONS
- Face-to-face communications
- Promotional gift of nominal value
- * UNLESS financial REMUNERATION takes place
- Treatment of the patient (i.e. case management, care coordination, alternative treatments, therapies, providers or settings)
- Health-related products or services as part of a plan of benefits (health care provider/plan network)
- Case management or care coordination, treatment alternatives that do NOT fall under the treatment definition

Uses and Disclosures
Allowed or required to share patient info to:
- Treat the patient
- Bill for patient services and receive payments
- Run your organization (practice)
- Address public health and safety issues
- Conduct research
- Comply with the law

Treatment
"Provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another."

Payment
"Encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care."

Health Care Operations
"Certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support core functions of treatment and payment."

Uses and Disclosures
Allowed or required to share patient info to:
- Respond to organ and tissue donation requests
- Work with a medical examiner or funeral director
- Address workers' compensation, law enforcement and other government requests
- Respond to lawsuits and legal actions (against you)

Decedents
- NOT PHI 50 years following the death of the person
- CAN disclose to the decedent's family members and others involved in care or payment for care prior to death

Provider Responsibilities
- Required by law to maintain the privacy and security of PHI
- Inform the patient promptly if a breach occurs that may compromise the privacy or security of the patient's PHI
- Follow the duties and privacy practices in the NPP and give a copy to the patient
- Not to use or share info other than as described in the NPP unless told in writing; permission can be revoked in writing as well

Who Gets the NPP?
- ALL NEW patients during initial paperwork
- Obtain written acknowledgment; place it in the patient file
- Anyone else who asks for it (NOT likely)

Where to Post the NPP?
- Post in a clear and prominent location and have copies of the NPP at the delivery site for individuals to request to take with them
- May post a summary, as long as the full notice is IMMEDIATELY available (i.e. patients should NOT have to ask for the full notice)
- Full notice posted on the office website

Monday Morning Action Steps
- Update the NPP
- Give it to all new patients
- Post it in a prominent location
- Post it on the website
Breach Notifications
What is a Breach? What changed? What is a Breach Notification?

What is a Breach?
Acquisition, access, use or disclosure of protected health information in a manner not permitted which compromises the security or privacy of the protected health information. Basically, someone has PHI who should NOT have it (NOT authorized or allowed).

Guilty Until Proven Innocent
- Harm standard REMOVED
- PRESUMED to be a breach UNLESS the covered entity demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least the following factors:

4 Risk Assessment Factors
1. Nature and extent of the PHI involved, types of identifiers, likelihood of re-identification
2. The unauthorized person who used the PHI or to whom the disclosure was made
3. Whether the PHI was actually acquired or viewed
4. Extent to which the risk to the PHI has been mitigated

Breach Notifications
- Treated as discovered on the FIRST day it was known or should have been known
- Notify EACH individual affected
- Specific requirements for the info included
- You have 60 days from discovery to do so
- Business Associates have an obligation to notify the Covered Entity (YOU!) about a breach

Individual Breach Notifications
- Brief description of what happened, including the date of the breach and the date of discovery
- Description of the types of unsecured PHI involved
- Steps the individual should take to protect themselves
- Brief description of what you are doing to investigate and mitigate harm and protect against future breaches
- Contact procedures, including a toll-free number, address, website or postal address

Breach Notifications
- Notification to the media: more than 500 individuals affected
- Notification to the Secretary: more than 500 individuals affected, within 60 days; less than 500 individuals affected, by end of year
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On
SCHOOL DISTRICT OF BLACK RIVER FALLS 523.5 Exhibit NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers
The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Presented by: Gina L. Campanella, JD, MHA Rules that Control Privacy A collection of laws and regulations including:
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. email@example.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information
2012-2013 MEDICARE COMPLIANCE TRAINING EMPLOYEES & FDR S 2012 Revised 1 Introduction CMS Requirements As of January 1, 2011, Federal Regulations require that Medicare Advantage Organizations (MAOs) and
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: firstname.lastname@example.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus email@example.com Office of General Counsel University of Texas System April 10,
Compliance Program and HIPAA Training For First Tier, Downstream and Related Entities 09/2011 Training Goals In this training you will gain an understanding of: Our Compliance Program elements Pertinent
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
Chiropractor Compliance Summary Documentation Compliance Criteria for Chiropractic Claims Submitted to the Funds Date: April 23, 2012 Source Information: Medicare Policy Purpose The United Mine Workers
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
Page No. 1 of 13 Introduction: The PHI Air Medical, L.L.C. is to be used by employees, contractors and vendors to get a high level understanding of the key regulatory requirements relating to our participation
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. EFFECTIVE September 15, 2014 This Notice of
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes
Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
I. APPLICABILITY Entire organization and its business associate (BAs) and the BA's Subcontractors. II. PURPOSE To provide guidance for breach notification by covered entities and breaches by their business
HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf
Effective Date: 5/18/15 NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS
HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
NOTICE OF HEALTH INFORMATION PRIVACY PRACTICES (HIPAA) THIS NOTICE OF PRIVACY PRACTICES DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003