1 WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP
2 WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Whether you re a healthcare provider, health plan or a non-healthcare business that deals with patients private medical data called electronic protected health infor mation, or ephi your company falls under the complex and aggressively enforced federal HIPAA law. And if even you ve already taken steps to safeguard this sensitive data when your staff transmits it, you must keep in mind that HIPAA also places strict requirements on how you store and back up any ephi under your care. Understanding these backup requirements, and deploying the right solution to back up your ephi, can help keep you on the right side of HIPAA s enforcers, save vyou from the law s steep fines for violations, and even prevent the public damage your business s reputation can suffer as the result of just one mistake. A Health-Data Backup Horror Story When he placed a set of his company s backup tapes in his car for transport, the employee of Science Applications International Corp. (SAIC) had no idea that this routine action would lead to the largest breach of patient health data ever reported by the Department of Health and Human Services. Nor could he know then that this simple mistake would expose his company to a nearly $5 billion class-action lawsuit from the millions of patients it affected. But those backup tapes which contained unencrypted ephi under the care of SAIC, a subcontractor for the US military s health system TRICARE were stolen from the employee s car. The breach affected all of those TRICARE patients who received treatment at a specific medical facility in the decade between 1992 and 2011 a total of 4.9 million active and retired personnel and their family members.
3 Lessons from this Horror Story The number of missteps in the true story above is greater than it might seem at ﬁrst. So before we delve into a discussion of HIPAA and its strict guidelines governing the backup of electronic protected health information, here s a quick recap of where SAIC (and TRICARE) ran afoul of HIPAA: 1. They failed to comply with the Physical Safeguards requirement. HIPAA s Security Rule (45 C.F.R , in case you re wondering), requires a Covered Entity or Business Associate establish physical measures, policies and procedures to protect the business s electronic information systems and related buildings and equipment from, among other things, unauthorized intrusion. Clearly, allowing patient ephi to be stored on backup tapes that are then carried to an employee s car fall short of this requirement. 2. They failed to comply with encryption requirements. Remember, the ephi on the stolen backup tapes was also unencrypted, in violation of section 13402(h) of the HITECH Act, a 2009 expansion to federal healthcare law. This section demands that ephi must be either encrypted or destroyed to ensure its security at all times. 3. They took too long to notify those patients aﬀected. Another component of HIPAA compliance involves the Covered Entity s breach-notiﬁcation procedures. The HIPAA Notiﬁcation Rule (45 C.F.R , in case you re wondering) requires Covered Entities and their Business Associates to provide notiﬁcation following a breach of unsecured protected health information. The notiﬁcation requirements are deadline-speciﬁc and wide-reaching: Covered Entities must notify aﬀected individuals within 90 days of a breach, for example, provide media notiﬁcation within 60 days, and notify the HHS Secretary within 60 days. The SAIC-TRICARE lawsuit argued the businesses did not meet these deadlines.
4 4. They failed to meet their shared responsibility as a BA. Finally, it s worth pointing out that as a subcontractor to the military s health system TRICARE, SAIC was acting as a Business Associate defined as a third party working with a HIPAA Covered Entity (in this case, TRICARE), which deals with ephi on behalf of that Covered Entity as part of its business relationship. SAIC was collecting and storing ephi as a TRICARE contractor, and as a result, they had a shared responsibility to protect that patient data. As a result of this failure to properly back up the ephi under their charge, SAIC exposed both itself and TRICARE to HIPAA regulators and the class-action lawsuit that followed. BACKGROUND: WHAT IS HIPAA? Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted to protect the security and confidentiality of patients personal medical data called protected health information, or PHI. Here is a brief list of the specific objectives of the HIPAA law in it original format: 1. To increase the security and portability of patient records 2. To provide the ability to securely and easily transfer a patient s health insurance seamlessly from one plan to another 3. To reduce health fraud and abuse 4. To establish mandated, industry-wide standards for electronic billing of medical records 5. To require the protection and confidential handling of protected health information (PHI), whether in hardcopy or electronic formats
5 HIPAA enforcement has continually strengthened since its passage 20 years ago, and the law itself has expanded in scope. The HITECH Act was enacted in 2009, for example, to give federal regulators more authority to address the rapidly expanding use of electronically based protected health information (ephi). Then in 2013, HHS published its Final Omnibus Rule, which expanded regulators oversight of patient information to include any vendor (called a Business Associate ) that creates, receives, maintains or transmits PHI on behalf of Covered Entity such as a healthcare provider or health plan. WHAT CONSTITUTES PHI? Protected health information (PHI) refers to any personally identifiable data relating to the physical or mental health of an individual, the provision of healthcare services for that individual, or the payment for healthcare services on behalf of an individual. These pieces of data could include: Patient name Patient address Patient birthdate Patient Social Security Number Medical records Medical billing details Any other information that can be used to identify a specific person This is why HIPAA s oversight reaches well beyond healthcare providers and health plans clearly, many third parties that play an integral role in patient health also handle ephi. In other words, if you re wondering whether your organization falls under HIPAA s oversight and enforcement, it probably does. To be sure, though, let s review the wide range of entities that share responsibility as Covered Entities (CEs) or Business Associates (BAs) for protecting patients protected health information.
6 WHO IS RESPONSIBLE FOR SAFEGUARDING PHI? Businesses with regulatory responsibility for safeguarding the ephi they deal with fall under two categories: Covered Entities and Business Associates: Covered Entities (CEs) Healthcare Providers: Doctors, clinics, hospitals, pharmacies, psychologists, nursing homes and dentists any healthcare entity that deals with ephi. Health Plans: Health insurers, HMOs, company health plans and certain government entities that pay for healthcare, such as Medicare and Medicaid. Healthcare Clearinghouses: Entities that process nonstandard health information from another entity into standard format (for example, into an electronic form). Business Associates (BAs) This would include all of the non-healthcare businesses contractors, subcontractors or third-party vendors working with Covered Entities that must handle, store or transmit ephi as part of their standard business practices. Like the CEs they work with, these BAs share the responsibility for the security of the ephi under their charge, and as a result they re regulated by HIPAA. Examples of BAs include medical billing companies, businesses that administer health plans, lawyers, accountants, IT consultants, and businesses that store, back up or destroy patient records for CEs. KeepItSafe would qualify as a Business Associate because we securely backup ephi for our healthcare customers. And we sign a Business Associate Agreement (BAA) as part of our standard practice when helping a HIPAA-regulated healthcare business back up its patient data. Remember: the 2013 Final Omnibus Rule, published by the HHS, expanded the Privacy Rule s definition of a Business Associate to include any vendors that create, receive, maintain or transmit PHI on behalf of a Covered Entity.
7 THE HIGH COST OF A HIPAA VIOLATION To give you an idea of the monetary costs of making just a single mistake in terms of how a Covered Entity or its Business Association, have a look at the table below, published by the American Medical Association and addressing failure to comply with HIPAA (Section 42 USC 1320d-5): HIPAA Violation Minimum Penalty Maximum Penalty Individual did not know (and by exercising reasonable diligence would not have known) that he/she violated HIPAA $100 per violation, with an annual maximum of $25,000 for repeat violations (Note: maximum that can be imposed by State Attorneys General regardless of the type of violation) $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to reasonable cause and not due to willful neglect $1,000 per violation, with an annual maximum of $100,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation due to willful neglect but violation is corrected within the required time period $10,000 per violation, with an annual maximum of $250,000 for repeat violations $50,000 per violation, with an annual maximum of $1.5 million HIPAA violation is due to willful neglect and is not corrected $50,000 per violation, with an annual maximum of $1.5 million $50,000 per violation, with an annual maximum of $1.5 million Source: American Medical Association. A single HIPAA violation can cost a Covered Entity $50,000 per occurrence and in cases where each occurrence impacts many people, that per-occurrence penalty can reach $1.5 million in fines annually.
8 A Costly HIPAA Backup Violation Consider this real-world example of how a mishandling of ephi backup can lead to a huge fine not to mention the negative publicity of reports about your patients private medical data being stolen. In 2010, Massachusetts-based South Shore Hospital shipped three boxes of backup tapes (nearly 500 tapes in all) to Archive Data Solutions, to have the tapes wiped clean of their data unencrypted ephi on 800,000 patients. Turns out only one of the three boxes made it to Archive Data Solutions. The other two, containing hundreds of thousands of unencrypted patient records, went missing. According to the Massachusetts Attorney General, South Shore Hospital failed to securely back up its ephi, failed to inform Archive Data Solutions about the sensitive nature of the data it was receiving, failed to put in place a Business Associate Agreement (BAA) with Archive Data, and failed to determine first whether or not Archive Data had the proper safeguards in place at its facilities before shipping ephi to the company. All told, South Shore Hospital paid $750,000 in fines for these HIPAA violations. Another Costly HIPAA Violation In 2013, Illinois-based Advocate Medical Group suffered a break-in at its facility and thieves took off with four laptop computers containing the Social Security numbers and other ephi of more than four million people. This qualified at the time as second-largest health-related data breach ever. According to the lawsuit filed by affected patients against the healthcare organization, Advocate Medical s laptops were unencrypted and stolen from an unmonitored room with little or no security to prevent unauthorized access. Note: The security and HIPAA-violation implications of this laptop-theft incident underscore the need for any Covered Entity or Business Associate to deploy a companywide solution for Mobile Device Management, such as the one available from KeepItSafe Mobile.
9 STILL NOT CONVINCED YOU NEED A BACKUP SOLUTION THAT ADDRESSES HIPAA? Perhaps you need further convincing that your company s data backup solution must take HIPAA s regulations into account, assuming you ever deal directly with PHI. If so, please read the excerpts below from an article published by the Healthcare Billing & Management Association a 30-year trade association whose members today are responsible for nearly 80% of all third-party medical-billing claims in the country. In its feature, The Truth About HIPAA-HITECH and Data Backup, the association warns its medical-billing members (all BAs, regulated by HIPAA): It's not optional - All CEs, including medical practices and BAs, must securely back up "retrievable exact copies of electronic protected health information" (CFR (7)(ii) (A)). Your data must be recoverable - Why else are you backing it up? You must be able to fully "restore any loss of data" (CFR (7)(ii). You must get your data offsite - as required by the HIPAA Security Final Rule (CFR (a)(1)). How could one defend a data backup and disaster recovery plan that stored backup copies of ephi in the same location as the original data store? You must back up your data frequently - as required by the HIPAA Security Final Rule (CFR (a)(1)). In today's real-time transactional world, a server crash, database corruption, or erasure of data by a disgruntled employee at 4:40 PM would result in a significant data loss event if one had to recover from yesterday's data backup. Finally, the piece points out: Non-compliance penalties are severe - Penalties are increased significantly in the new tiered Civil Monetary Penalty (CMP) System with a maximum penalty of $1.5 million for all violations of an identical provision.
10 HOW TO FIND A HIPAA-COMPLIANT DATA BACKUP SOLUTION Many online backup provider claim their processes meet HIPAA standards. And when it comes to certain guidelines and clauses, they might be. But be careful the HIPAA Security Rule demands that a Covered Entity have a backup plan that meets all of HIPAA s criteria. When choosing a data backup solution that will protect your ephi and meet HIPAA s requirements, you will need to judge that solution against HIPAA s mandates regarding: 1. Offsite Data Backup You ll need your backup stored offsite, at physical locations other than your primary facilities. (45 C.F.R ) 2. Encryption You ll need to keep your at-rest ephi data encrypted at all times or destroy it to ensure its security. (Section 13402(h) of Title XIII of the HITECH Act) 3. Technical Safeguards You ll need to employ sufficient technology, and the policies and procedures for its use, to protect your ephi and control access to it. (45 C.F.R ) 4. Physical Safeguards You ll need to implement physical measures, policies and procedures to protect your electronic information systems and related buildings and equipment, from natural and environmental hazards and unauthorized intrusion. (45 C.F.R ) 5. Administrative Safeguards You ll need to implement policies and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of your workforce in relation to the protection of that information. (45 C.F.R )
11 6. Business Associate Agreement For any Business Associate you work with that will need to access or maintain your ephi and an online backup service qualifies you will need that entity to sign a Business Associate Agreement (BAA), which places the BA under shared responsibility with you for all ephi they handle, in accordance with HIPAA guidelines. (45 C.F.R ) Note: You should immediately dismiss from consideration any would-be online backup provider that refuses to sign a binding BAA with you. HIPAA Requirement Clause KeepItSafe Backup All Covered entities and business associates must securely back up "retrievable exact copies of electronic protected health information" (CFR (7)(ii) (A)). We back up exact copies of your all of your data s, SQL files, meta data, etc. Recovery You must be able to fully "restore any loss of data" (CFR (7)(ii) (B)). Our suite of backup and DR solutions allows for the total restore of any lost data and we have the success stories to prove it. Offsite Data Backup You must store your data offsite (CFR (a)(1)) - HIPAA Security Final Rule We provide cloud and hybrid-based backup, protecting your ephi multiple, geographically redundant, tier-4 data centers. Encryption/ Data Destruction ephi must be encrypted or destroyed at rest to secure it. Section 13402(h) of Title XIII HITECH Act We provide military-grade, 256-bit encryption (FIPS ) and ensure only you have an encryption key, to comply with the Privacy Law. Testing "Implement procedures for periodic testing and revision of contingency plans." (CFR (7)(ii) (D)). KeepItSafe DR includes regular testing to ensure ongoing ephi security and your compliance with HIPAA.
12 HIPAA Requirement Clause KeepItSafe Technical Safeguards Technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 45 C.F.R (Security Rule) ISO Suite of Data Recovery Solutions Fully Managed and Monitored Encryption Physical Safeguards Physical measures, policies, and procedures to protect a covered entity's or business associate's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. 45 C.F.R (Security Rule) KeepItSafe protects your ephi at all times in state -of-the-art secure data centers protected by firewalls, onsite guards 24/7 and biometric and other physical restrictions. Administrative Safeguards Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ephi and to manage the conduct of the covered entity's or business associate's workforce in relation to the protection of that information. 45 C.F.R (Security Rule) We deploy protective data safeguards designed specifically for ephi and we offer third-party employee training to ensure a security and compliance culture. The Privacy Rule 40 pages, but includes patient confidentiality and business associates agreements 45 C.F.R KeepItSafe will enter into a BAA for contractual assurance that your ephi security complies with HIPAA. Disaster Recovery Planning The Covered Entity or Business Associate must maintain readiness for lost ephi. Federal Register Vol 68, no 34, sections & We also offer Business Continuity Planning in accordance with HIPAA s guidelines.
13 CONCLUSION: NOW IS THE TIME FOR A BACKUP SOLUTION THAT MEETS HIPAA STANDARDS With the increasing enforcement of HIPAA regulators, the ease with which a Covered Entity can accidentally violate one of the law s many online-backup requirements, and the steep costs for making a mistake, your business should deploy an offsite backup solution to protect your ephi as soon as possible. Start by learning more about KeepItSafe s online backup and DR solutions and how they can keep your business on the right side of HIPAA KeepItSafe. All rights reserved. KeepItSafe is a registered trademark of j2 Global, Inc., and its affiliates.
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
HIPAA COMPLIANCE AND DATA PROTECTION email@example.com +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services firstname.lastname@example.org April 23, 2012 Overview Technology
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
Guide Nine Network Considerations in the New HIPAA Landscape The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative
Ensuring HIPAA Compliance with Computer BYTES Online Backup and Archiving Services Page 2 of 8 Introduction Patient privacy has become a major topic of concern over the past several years. With the majority
HIPAA Compliance and the Protection of Patient Health Information WHITE PAPER By Swift Systems Inc. April 2015 Swift Systems Inc. 7340 Executive Way, Ste M Frederick MD 21704 1 Contents HIPAA Compliance
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. email@example.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
Joe Dylewski President, ATMP Solutions Joe Dylewski President, ATMP Solutions Assistant Professor, Madonna University 20 Years, Technology and Application Implementation Experience Served as Michigan Healthcare
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
Orbograph HIPAA/HITECH Compliance, Resiliency and Security Version 1.0 August 2013 Legal Notice This document is delivered subject to the following conditions and restrictions: The document contains proprietary
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
What Every Organization Needs to Know about Basic HIPAA Compliance and Technology April 21, 2015 Who are these handsome fellas? Jamie Wolbeck (VP Of Operations) firstname.lastname@example.org Ron Shelby (Sr. Account
Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National
HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative
A White Paper for HIPAA Business Associates (And Agents & Subcontractors!) Preparing for the HIPAA Security Rule Again; now, with Teeth from the HITECH Act! Introduction Two years ago we first published
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
White Paper White Endpoint Paper Backup Title Compliance Here Additional Considerations Title for Line HIPAA-Regulated Enterprises A guide for White IT professionals Paper Title Here in healthcare, pharma,
Making Memories Matter 2015 WALA Spring Conference A Real World Approach on How to Achieve HIPAA Compliance Jeff Grady, David Hosack, Curtis Urlakis, Holly Schlenvogt, Barbara Zabawa Friday, March 20 10:30
Best Practices Guide The HIPAA Primer Healthcare What You Should Know About HIPAA and the Omnibus Final Rule Contents 3 What s New With HIPAA? 8 Five Questions To Ask Your Vendors 12 Best Practices: Beyond
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
Last Updated: September 23, 2014 White paper Introduction This paper is intended for security, privacy, and compliance officers whose organizations must comply with the Privacy and Security Rules of the
Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP
HIPAA regulations have undergone major changes in the last few years giving both the federal and state Governments new and enhanced powers and resources to pursue HIPAA violations HIPAA Violations Incur
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746
WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human
Double-Take in a HIPAA Regulated Health Care Industry Abstract: This document addresses the contingency plan and physical access control requirements of the Administrative Simplification security provision
Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information
THE STATE OF HEALTHCARE COMPLIANCE: Keeping up with HIPAA, Advancements in EHR & Additional Regulations [ The State of Healthcare Compliance: Keeping up with HIPAA, Advancements in EHR & Additional Regulations
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
ADVANCED INTERNET TECHNOLOGIES, INC. https://www.ait.com Leveraging Dedicated Servers and Dedicated Private Cloud for HIPAA Security and Compliance Table of Contents Introduction... 2 Encryption and Protection
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
HIPAA SECURITY RULES FOR IT: WHAT ARE THEY? HIPAA is a huge piece of legislation. Only a small portion of it applies to IT providers in healthcare; mostly the Security Rule. The HIPAA Security Rule outlines
HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers
HIPAA-compliant Cloud Faxing HIPAA-compliant Cloud Faxing 4,463 Active investigations against covered entities resolved in 2013 by HIPAA s enforcement arm, the Office of Civil Rights. 3,470 were resolved
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
HIPAA FOR THE DENTAL PRACTICE Catherine C. Cownie Adam J. Freed E-mail: email@example.com E-mail: firstname.lastname@example.org Telephone: 515-242-2490 Telephone: 515-242-2402 BrownWinick 666 Grand Avenue,
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
Potential Liability for HIPAA Violations: A Primer Wednesday, March 23, 2016 Presented By the IADC Medical Defense and Health Law Committee and In-House and Law Firm Management Committee Welcome! The Webinar
Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
The HIPAA Security Rule: Cloudy Skies Ahead? Presented and Prepared by John Kivus and Emily Moseley Wood Jackson PLLC HIPAA and the Cloud In the past several years, the cloud has become an increasingly
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
PRIVACY REGULATIONS FOR BEHAVIORAL HEALTH PROVIDERS WHAT YOU NEED TO KNOW September 10, 2013 AGENDA The Changing Privacy Climate Overlapping Laws & Regulations Health Insurance Portability & Accountability
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
BUSINESS WHITE PAPER Anatomy of a Healthcare Data Breach Prevention and remediation strategies Anatomy of a Healthcare Data Breach Table of Contents 2 Increased risk 3 Mitigation costs 3 An Industry unprepared
Privacy Space. Public Place. How to Protect PHI and be HIPAA Compliant Event Type Live Online ACPE Expiration Date 12/11/2016 Credits 1 Contact Hour Target Audience Pharmacy Technicians Program Overview
Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address
BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
Common HIPAA Risks & The New HITECH Final Rule Eric W. Humes 1 What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to protect the privacy of patient
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security