Potential Liability for HIPAA Violations: A Primer
1 Potential Liability for HIPAA Violations: A Primer. Wednesday, March 23, 2016. Presented by the IADC Medical Defense and Health Law Committee and In-House and Law Firm Management Committee. Welcome! The Webinar will begin promptly at 12:00 pm CDT. Please read and follow the instructions below: For your information, this Webinar presentation is being recorded. If you have not already done so, please join the conference call. Mute your phone line. If you do not have a mute button or are on a cell phone, press *1 to mute your phone. If you are on a conference phone, please move all cellular or wireless devices away from the conference phone to avoid audio interference. If you have questions during the presentation, you may use the Q&A pod on the upper-right-hand side of your screen. You may type questions there and they will be sent to the presenter for response. If your question is not answered during the presentation, our presenter will answer questions at the end of the webinar. Visit the Files pod in the lower-right-hand corner of the screen if you would like to download a copy of this PowerPoint presentation.
2 Type your questions for presenters here in the Q&A Pod. Click on the file name to download this PowerPoint or any referenced documents.
3 IADC Webinars are made possible by a grant from The Foundation of the IADC. The Foundation of the IADC is dedicated to supporting the advancement of the civil justice system through educational opportunities like these Webinars. For more information on The Foundation, visit
4 Presenters Robert G. Smith, Jr. Lorance & Thompson, P.C. Houston, TX Cathy Bryant Texas Medical Liability Trust Austin, TX
5 Potential Liability for HIPAA Violations: A Primer. This Webinar will be a nuts-and-bolts presentation regarding HIPAA and potential liability for HIPAA violations. The program will include a discussion of the potential liability of law firms for HIPAA violations. For the purposes of the webinar, we will limit our discussion to federal law, HIPAA. It is important for attorneys to be aware of state-specific laws where they practice; e.g., in Texas, law firms can be considered Covered Entities under the Texas Medical Privacy Act.
7 FBI Warns Law Firms. In 2009, the FBI first warned that law firms were the targets of hackers; in 2013 the FBI repeated the warning: "We have hundreds of law firms that we see increasingly being targeted by hackers." A complete set of medical records is more valuable than financial records and social security numbers; the resale value of medical information drives Medical Identity Theft.
8 80% of the Big Law Firms Hacked. "(Law firms) are a treasure trove that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities." American Bar Association Cybersecurity Legal Task Force. Law firms rank as the 7th most vulnerable industry for malware encounters (Cisco Systems 2015 Annual Security Report).
9 Source: Modern Healthcare
10 HIPAA Overview
HIPAA Privacy Rule (effective 2003): covers Protected Health Information in all forms: verbal, written, electronic.
HIPAA Security Rule (effective 2005): covers Protected Health Information in electronic format only.
HIPAA Breach Notification Rule (effective 2013): covers all breaches of protected health information by a Covered Entity or a Business Associate.
Omnibus Rule (effective 2013): sweeping changes to HIPAA; expanded patient rights; Business Associates directly responsible for HIPAA compliance.
11 HIPAA Who? Covered Entity; Business Associate; Subcontractor. Definitions: 45 CFR
12 HIPAA What? Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)." Individually identifiable health information is information, including demographic data, that relates to: the individual's past, present or future physical or mental health or condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
13 Breach. A breach is, generally, an impermissible use or disclosure under the [HIPAA] Privacy Rule that compromises the security or privacy of the protected health information. An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised [aka "Lo-Pro-Co"], based on a risk assessment of at least 4 factors.
14 When is a Breach not a Breach? When the PHI is unusable, unreadable or indecipherable to unauthorized persons through the use of a technology or methodology.
15 Cost of a Breach. A healthcare breach can cost $363 per record, covering: cost of notifying patients; credit monitoring; forensics; call center; legal fees; public relations/crisis response. Source: 5th Annual Benchmark Study on Patient Privacy and Data Security, The Ponemon Institute.
16 OCR Process. OCR Intake & Review leads to one of three paths:
Possible Criminal Violation: refer to DOJ; investigation accepted by DOJ.
Resolution without investigation: violation did not occur after the applicable date; entity complained about was not covered by the Privacy Rule; incident described does not violate the Privacy Rule.
Possible Privacy or Security Rule Violation: OCR investigation, with one of three resolutions: OCR finds no violation; OCR finds a violation with voluntary compliance, corrective action or agreement; OCR issues a formal finding of violation, leading to fines and civil money penalties (CMP).
17 HIPAA Violations & Enforcement
HIPAA Violation | Minimum Penalty | Maximum Penalty
Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation due to willful neglect but violation corrected within the required time period | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
HIPAA violation is due to willful neglect and is not corrected | $50,000 per violation, with an annual maximum of $1.5 million for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million
18 Review of OCR Investigations. Of 34,514 breach report or complaint investigations, 10,783 (31%, about 1/3) were found to have no violation and 23,731 (69%, about 2/3) had violations for which corrective action was required.
19 Potential Liability Under HIPAA. ABA Model Rules of Professional Conduct: Lawyers are required to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Reasonable efforts include: taking steps to prevent someone from hacking into a law firm's computer network; preventing staff from posting client information on the Internet; training.
20 Potential Liability Under HIPAA. "A lawyer must also consider duties arising under HIPAA, for example, and other laws intended to protect data privacy." Ignorance of technology is not a defense: lawyers "must stay abreast of changes in the law and its practice, [and] need to have a basic understanding of the benefits and risks of relevant technology."
21 POTENTIAL LIABILITY FOR HIPAA VIOLATIONS: A PRIMER. What Privacy and Security issues exist in firms related to PHI?
22 Paper. 45 CFR (c) Standard: Safeguards. Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. Implementation specification: must reasonably safeguard PHI from any intentional or unintentional use or disclosure; must reasonably safeguard protected health information to limit incidental uses or disclosures. 45 CFR Administrative Requirements.
23 Password. Basic Password Protection Protocols: 1. Password length; 2. Password complexity (upper, lower, number and special character); 3. Frequently changed. Weak Passwords: in 2012, the most common passwords were: 1. Password; in the later list, the most common passwords were again: 1. Password. 45 CFR & Technical Safeguard.
24 PHI. Sample message to Dr. Expert Witness, Somewhere, USA: "Dear Dr. Expert Witness, Here are all the medical reports I need you to review in this bad case. Thanks, Unencrypted Attorney." Do you send e-mails containing PHI or medical record attachments? Is PHI sent encrypted or through a secure file sharing technology? "Transmitting encrypted data can be accomplished efficiently and without appreciably slowing down the system." 45 CFR Technical Safeguard.
25 Encryption. Objections to Encryption: "It is not required by HIPAA." True; but if you don't encrypt you must show what you did to protect PHI that is equal to encryption. "It slows down my PC/laptop." "It costs money." Encryption is not a password or passcode! Encryption is the process of translating words or text into code which conceals the text. 45 CFR Technical Safeguard.
26 The Problem with Unencrypted Devices. August 2015 OCR Settlement with Cancer Care Group: a laptop and backup media (unencrypted) were stolen from an employee's vehicle; 5,500 records. Cancer Care was in widespread noncompliance with the HIPAA Security Rule: it had not conducted an enterprise-wide risk analysis; did not have written P&P specific to removal of hardware and electronic media; did not encrypt. Encryption is a basic cyber risk management tool. Cyber liability insurance applications now ask about the use of encryption, and the answer can result in an endorsement excluding unencrypted portable devices.
27 BYOD. Do you use your personal devices to store or access PHI? The risk is the use, and potentially the loss or theft, of smartphones and other devices. With the storage capacity of smartphones increasing, attorneys are storing more and more information on them, including e-mail, attachments and documents. The use of personal devices also makes it more difficult for firms to institute good security practices. Attorneys should take reasonable steps to safeguard the confidential information accessible on their mobile phones. For example, does the phone permit remote wiping of the stored information in the event that it is lost or stolen? Is it enabled? 45 CFR & Administrative & Technical Safeguards.
28 Cloud Storage. According to New York State Bar Association Committee on Professional Ethics Opinion 842, a lawyer in New York may use an online cloud computer data backup system to store client files so long as the lawyer takes reasonable care to protect the client's confidential information from unauthorized disclosure, which includes the following three steps: 1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process regarding the production of client information; 2. Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; and 3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data. 45 CFR , &
29 Unsecure Wi-Fi: wireless networks that can be freely accessed without a password. Attorneys spend a great deal of time away from the office and attempt to get work done wherever they may find themselves. To get work done while on the road, attorneys may access the Internet at an airport or other hotspot that has open access. 45 CFR Technical Safeguard.
30 Unpatched/Outdated Software. Vulnerabilities arise from running unpatched or outdated software. End of Life: the vendor will no longer release security patches for the operating system. Any holes hackers find will be left unpatched and the software is now fundamentally unsecure. Windows 8: End of Life January 13, 2016. Internet Explorer: End of Life January 12, 2016. Windows Server 2003: End of Life July 14, 2015. Windows XP: End of Life April 4. 45 CFR & Administrative & Technical Safeguard.
31 Photocopier Hard Drives. CBS News: "Digital Photocopiers Loaded With Secrets," April 19, 2010. Affinity Health Plans reported a breach to HHS in April 2010; settlement agreement August 2013, settling potential violations of the HIPAA Privacy and Security Rules for $1,215,780. Affinity impermissibly disclosed the protected health information of up to 344,579 individuals: Affinity returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives; Affinity failed to incorporate the electronic protected health information stored in copiers' hard drives in its analysis of risks and vulnerabilities as required by the Security Rule; Affinity failed to implement policies and procedures when returning the hard drives to its leasing agents. 45 CFR Physical Safeguard.
32 POTENTIAL LIABILITY FOR HIPAA VIOLATIONS: A PRIMER. What is the proper way to dispose of PHI?
33 NIST Publication r1 Sanitization and Disposal
34 Medical Records. Radiology Regional Center in Florida notified patients of a possible healthcare data breach after some paper records were found on a street on December 19, with ,063 individuals potentially affected. "A small quantity of records fell onto the street while being transported by Lee County Solid Waste Division, which is responsible for the disposal of Radiology patient records. As a result of our numerous searches, we believe that virtually all of the records were retrieved. To ensure an incident like this does not happen again, we have taken steps to change how paper records are transported and destroyed," the statement explained. Lee County Solid Waste Division will no longer be responsible for transporting the records for disposal.
35 Law Firm Compliance Obligations. The Omnibus Rule (2013) clarifies that Business Associates and their subcontractors are directly liable under HIPAA and must comply with some of the Privacy Rule, all of the Security Rule, and Breach Notification. Obligations include: limiting use and disclosure of PHI; avoiding impermissible use and disclosure of PHI; providing breach notification; providing access to a copy of ePHI to the CE or the individual; accounting for disclosures of PHI; disclosing PHI to the Secretary of HHS in connection with an investigation of the BA's HIPAA compliance; complying with the requirements of the HIPAA Security Rule; entering into a subcontractor BAA.
36 Cyber Risk Management
37 A Caveat About Cyber Insurance. Cyber insurance is not a substitute for a good cyber risk management program, as all losses may not be covered by an insurance policy. Increasing cyber risks and regulatory violations require cybersecurity to be integrated into your business risk. Complacency is not a risk management strategy!
38 The OCR's Roadmap. Jocelyn Samuels: "It is critical that entities take a comprehensive and thorough approach to assessing and addressing the risk to all of the protected health information they maintain." Have comprehensive policies and procedures for compliance with the HIPAA Rules, but the P&P must also be clearly communicated to and implemented by all workforce members.
39 Do You Know Where You Have PHI? Risk Identification: Where do you create, maintain, transmit or store PHI/ePHI?
40 HIPAA Risk Assessment. The first Implementation Specification of the Security Rule requires covered entities and business associates to conduct a security risk analysis. The one unforgivable failing in the eyes of the OCR is failure to conduct a risk assessment.
41 POTENTIAL LIABILITY FOR HIPAA VIOLATIONS: A PRIMER. TRAINING. 45 CFR Administrative requirements, (b)(1) Standard: Training. A covered entity "must train all members of its workforce on the policies and procedures with respect to protected health information required by this subpart and subpart D of this part, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity." What employees need to be trained, and how?
42 Educated Workforce. Employee education is paramount: "See Something, Say Something." Federal requirement: train as soon as possible. Texas requirement: new employees must be trained within 90 days of employment.
43 POTENTIAL LIABILITY FOR HIPAA VIOLATIONS: A PRIMER. What written policies and procedures should a firm have?
44 Beware of P&P Templates. Policies and procedures should reflect what is actually done. December 2014 Anchorage Community Mental Health Services OCR Settlement Agreement: in 2012, ePHI was compromised when malware compromised the security of its IT services; $150,000 fine and adoption of a plan of correction. The organization had adopted sample P&P in 2005 but never followed them. The breach was a direct result of failing to identify and address basic risks.
45 Need Expert Guidance? As the forms of connected technology used by healthcare providers increase, so will their cybersecurity risks. Therefore, providers will need assistance in mitigating the proliferation and diversity of their cyber risks, including help with their: IT systems; privacy, security, and breach risk assessments; staff privacy training; and risk transfer (cyber insurance).
46 The Road to HIPAA Compliance. 1. Appoint a Privacy and Security Officer. 2. Conduct a Risk Assessment. 3. Develop a Risk Management/Mitigation Plan for the risks identified. 4. Create or update Policies and Procedures. 5. Develop a BAA and Subcontractor BAA. 6. Develop a plan for handling breaches. 7. Workforce training. 8. Consider cyber insurance.
47 Questions for Presenters? Robert G. Smith, Jr. Lorance & Thompson, P.C. Houston, TX Cathy Bryant Texas Medical Liability Trust Austin, TX
48 Potential Liability for HIPAA Violations: A Primer Wednesday, March 23, 2016 Thank you for Participating! To access the PowerPoint presentation from this or any other IADC Webinar, visit our website under the Members Only Tab (you must be signed in) and click on Resources Past Webinar Materials, or contact Melisa Maisel Vanis at mmaisel@iadclaw.org.
More informationBUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE
BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties
More informationHealthcare to Go: Securing Mobile Healthcare Data
Healthcare to Go: Securing Mobile Healthcare Data Lee Kim, Esq. SANS Mobile Device Security Summit 2013 May 30, 2013 Copyright 2013 Lee Kim 1 Why Information Security is Essential for Healthcare Safeguard
More informationHIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS
HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationData Breach Response Planning: Laying the Right Foundation
Data Breach Response Planning: Laying the Right Foundation September 16, 2015 Presented by Paige M. Boshell and Amy S. Leopard babc.com ALABAMA I DISTRICT OF COLUMBIA I FLORIDA I MISSISSIPPI I NORTH CAROLINA
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationIowa Health Information Network (IHIN) Security Incident Response Plan
Iowa Health Information Network (IHIN) Security Incident Response Plan I. Scope This plan identifies the responsible parties and action steps to be taken in response to Security Incidents. IHIN Security
More informationHIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer
HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationZip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.
Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationBUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
More informationHIPAA WEBINAR HANDOUT
HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and
More informationAnthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now
Anthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now March 6, 2015 On January 29, 2015, Anthem, Inc., an insurer and service provider for many employer-sponsored
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationHHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationBusiness Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
More informationYOUR HIPAA RISK ANALYSIS IN FIVE STEPS
Ebook YOUR HIPAA RISK ANALYSIS IN FIVE STEPS A HOW-TO GUIDE FOR YOUR HIPAA RISK ANALYSIS AND MANAGEMENT PLAN 2015 SecurityMetrics YOUR HIPAA RISK ANALYSIS IN FIVE STEPS 1 YOUR HIPAA RISK ANALYSIS IN FIVE
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules
More informationCan Your Diocese Afford to Fail a HIPAA Audit?
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationHIPAA PRIVACY AND SECURITY FOR EMPLOYERS
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to Health Information Risks vary based on the mobile device and its use. Some risks include:
More informationImplementation Business Associates and Breach Notification
Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com
More informationOutline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?
Outline MOR-OF Education and Medical Expo August 23, 2014 Tatiana Melnik Melnik Legal PLLC tatiana@melniklegal.com 734-358-4201 Tampa, FL I. HIPAA Compliance II. Why Should You Care? A. Market Pressure
More informationArt Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches
Art Gross President & CEO HIPAA Secure Now! How to Prepare for the 2015 HIPAA Audits and Avoid Data Breaches Speakers Phillip Long CEO at Business Information Solutions Art Gross President & CEO of HIPAA
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationMobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information. Mobile Devices: Risks to to Health Mobile Information Devices: Risks to Health Information Risks vary based on the
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationCYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION. Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131
CYBERSECURITY: THREATS, SOLUTIONS AND PROTECTION Robert N. Young, Director Carruthers & Roth, P.A. Email: rny@crlaw.com Phone: (336) 478-1131 TOPICS 1. Threats to your business s data 2. Legal obligations
More informationBEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050
BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security
More informationCybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective
Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP
More informationHIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com
HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationHIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES
SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):
More informationNerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches. Gerard M. Stegmaier gstegmaier@wsgr.
Nerds and Geeks Re-United: Towards a Practical Approach to Health Privacy Breaches Gerard M. Stegmaier gstegmaier@wsgr.com @1sand0slawyer Data Breach Trends 2011 Average Loss to Organization = $5.5 million
More informationEnsuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services
Ensuring HIPAA Compliance with Pros 4 Technology Online Backup and Archiving Services Introduction Patient privacy has become a major topic of concern over the past several years. With the majority of
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationTable of Contents INTRODUCTION AND PURPOSE 1
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
More information