Visa Inc. HIPAA Privacy and Security Policies and Procedures

Save this PDF as:

Size: px
Start display at page:

Download "Visa Inc. HIPAA Privacy and Security Policies and Procedures"

Transcription

1 Visa Inc. HIPAA Privacy and Security Policies and Procedures Originally Effective April 14, 2003 (HIPAA Privacy) And April 21, 2005 (HIPAA Security) Further Amended Effective February 17, 2010, Unless Otherwise Noted

2 Visa Group Health Plans HIPAA Policies and Procedures Table of Contents Sec. Topic Citation Introduction 1.0 Administrative 1.1 HIPAA Policy and Procedure Development and Approval 45 CFR (i) 1.2 Group Health Plans and Plan Document 45 CFR (f) 1.3 Designation of a Privacy Officer 45 CFR (a)(1)(i) 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of Protected Health Information (PHI) 45 CFR (f) 1.5 Record Retention 45 CFR (b)(6), (j)(2) 1.6 Reporting of Non-Compliance with the HIPAA Rules 45 CFR Work Force Sanctions 45 CFR (e) 1.8 Verification of Person s Identity 45 CFR (h)(1) 1.9 Safeguards 45 CFR (c) 1.10 Audit of Privacy Standards 45 CFR (a)(1), (a); (a)(1), , (i), (b)(1)(iii)(A) - (C), Authorization 2.1 Authorization for Uses and Disclosures of PHI 45 CFR , (a) 3.0 Business Associates 3.1 Business Associates and Contracts 45 CFR (e), (e), , (b)(2), (b), (f), (d) and (b)(1) 4.0 Disclosure of PHI to Plan Sponsor 4.1 Disclosure of PHI to Plan Sponsor 45 CFR (f) 4.2 Granting Levels of Access to PHI 45 CFR , Table of Contents

3 Sec. Topic Citation 5.0 Individual Rights 5.1 Individual s Right to Access PHI 45 CFR Individual Request to Amend PHI 45 CFR Individual s Rights to Request Privacy Protection for PHI 45 CFR Complaint Process 45 CFR (a)(1)(ii), (d) 5.5 Notice of Privacy Practices 45 CFR Minimum Necessary 6.1 Minimum Use of PHI 45 CFR (b) and (d) 7.0 Training 7.1 Training Workforce Regarding Protection of Health Information 8.0 Uses and Disclosures 45 CFR, (b) 8.1 Uses and Disclosures of PHI 45 CFR (a) and (g), , , Accounting (Logging) of Disclosures of Member PHI 9.0 Administrative Safeguards 45 CFR Security Management Process Risk Analysis Risk Management Sanctions Information System Activity Review 45 CFR (a)(1)(i) 45 CFR (a)(1)(ii)(A) 45 CFR (a)(1)(ii)(B) 45 CFR (a)(1)(ii)(C) 45 CFR (a)(1)(ii)(D) and 45 CFR (b) (c)(2) 9.2 Assigned Security Responsibility 45 CFR (a)(2) 9.3 Workforce Security 45 CFR (a)(3)(i) Authorization and/or Supervision (A) 45 CFR (a)(3)(ii)(A) Workforce Clearance Procedure (A) 45 CFR (a)(3)(ii)(B) Termination Procedures (A) 45 CFR (a)(3)(ii)(C) 9.4 Information Access Management 45 CFR (a)(4)(i) Access Authorization (A) 45 CFR (a)(4)(ii)(B) Access Establishment and 45 CFR (a)(4)(ii)(C) Modification (A) Table of Contents

4 Sec. Topic Citation 9.5 Security Awareness and Training Security Reminders (A) Protection from Malicious Software (A) Log-in Monitoring (A) Password Management (A) 9.6 Security Incident Procedures Response and Reporting 45 CFR (a)(5)(i) 45 CFR (a)(5)(ii)(A) 45 CFR (a)(5)(ii)(B) 45 CFR (a)(5)(ii)(C) 45 CFR (a)(5)(ii)(D) 45 CFR (a)(6)(i) 45 CFR (a)(6)(ii) 9.7 Contingency Plan Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedures (A) Applications and Data Criticality Analysis (A) 45 CFR (a)(7)(i)(A) (E) 45 CFR (a)(7)(ii)(A) 45 CFR (a)(7)(ii)(B) 45 CFR (a)(7)(ii)(C) 45 CFR (a)(7)(ii)(D) 45 CFR (a)(7)(ii)(E) 9.8 Periodic Evaluation 45 CFR (a)(8) 10.0 Physical Safeguards 10.1 Facility Access Controls 45 CFR (a)(1) Contingency Operations (A) 45 CFR (a)(2)(i) Facility Security Plan (A) 45 CFR (a)(2)(ii) Access Control and Validation (A) 45 CFR (a)(2)(iii) Maintenance Records (A) 45 CFR (a)(2)(iv) 10.2 Workstation Use 45 CFR (b) 10.3 Workstation Security 45 CFR (c) 10.4 Device and Media Controls Disposal Media Re-Use Accountability (A) Data Backup and Storage (A) 45 CFR (d)(1) - (2)(iv) 45 CFR (d)(2)(i) 45 CFR (d)(2)(ii) 45 CFR (d)(2)(iii) 45 CFR (d)(2)(iv) Table of Contents

5 Sec. Topic Citation 11.0 Technical Safeguards 11.1 Access Control 45 CFR (a)(1) Unique User Identification 45 CFR (a)(2)(i) Emergency Access Procedure 45 CFR (a)(2)(ii) Automatic Logoff (A) 45 CFR (a)(2)(iii) Encryption and Decryption (A) 45 CFR (a)(2)(iv) 11.2 Audit Controls 45 CFR (b) 11.3 Integrity 45 CFR (c)(1) Mechanism to Authenticate ephi (A) 45 CFR (c)(2) 11.4 Person or Entity Authentication 45 CFR (d) 11.5 Transmission Security 45 CFR (e)(1) Integrity Controls (A) 45 CFR (e)(2)(i) Encryption (A) 45 CFR (e)(2)(ii) 12.0 Breach of Unsecured PHI 12.1 Notification to Individuals Notificatioin to the Media Notification to the Secretary Administrative Requirements 45 CFR CFR CFR CFR Appendices Appendix A Appendix B Appendix C Appendix D Appendix E Appendix F Topic Definitions of HIPAA Terms Authorization Form Business Associate Inventory Business Associate Agreement and Certification Notice of Privacy Practices Role of the Privacy and Security Officer Table of Contents

6 Administrative INTRODUCTION TO THE Visa GROUP HEALTH PLAN HIPAA POLICIES AND PROCEDURES In compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Visa Inc. (Visa) has established these HIPAA Policies and Procedures (Policies and Procedures) to guard the confidentiality, integrity and availability of its employees protected health information maintained by the Visa Group Health Plans (referred to in this document as either Plan or Plans ). These Policies and Procedures were originally enacted effective April 14, 2003 as the Visa Group Health Plan HIPAA Privacy Policies and Procedures and the Visa Group Health Plan Security Rule Policies and Procedures effective April 21, They are now combined for HIPAA Privacy and HIPAA Security (as those terms are defined below) and further amended effective February 17, 2010, unless otherwise noted. HIPAA OVERVIEW Title II of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), addresses the privacy and security requirement as they apply to health plans, (including employer group health plans), and certain health care providers. The HIPAA Privacy Rules, which became effective in 2003, are intended to protect each Individual employee s privacy regarding their health care information, called Protected Health Information (PHI). PHI, as defined by the law, includes individually identifiable information from medical, dental, vision, flex, EAP and other health-related benefit plans. The HIPAA Privacy Rules protect information on an Individual s past, present or future health care or payment for health care. PHI is protected whether it is used or disclosed orally, on paper, or electronically. The law defines the authorized and required uses and disclosures of PHI. ELECTRONIC PROTECTED HEALTH INFORMATION ( ephi ) In contrast to the HIPAA Privacy Rules, the HIPAA Security Regulations, effective in 2005, are applicable only to Electronic Protected Health Information (ephi). This means individually identifiable health information that is transmitted by electronic media or maintained in electronic media. The scope of the HIPAA Security Regulations is more limited than that of the HIPAA Privacy Regulations, which broadly apply to protected health information (PHI) in any and all forms (i.e. electronic, paper, oral). Furthermore, similar to the Privacy Regulations, employment records held by an employer group health plan, in its role as employer, are exempt from the Security Regulations. The final rules cover ephi at rest (that is, in storage) as well as during transmission. However, information that has been de-identified (i.e. not able to be identified with any particular employee), pursuant to the requirements of the HIPAA Privacy Regulations, is not PHI and thus is not subject to the security rules. 1.1 HIPAA Policy and Procedure Development and Approval

7 Administrative HIPAA SECURITY RULE REQUIREMENTS Under the HIPAA Security Regulations, employer group health plans need to satisfy four broad requirements: Ensure the confidentiality, integrity, and availability of all ephi that the group health plan creates, receives, maintains or transmits; Protect against any reasonably anticipated threats or hazards to the security or integrity of ephi; Protect against any reasonably anticipated impermissible uses and disclosures of ephi; and Ensure that the covered entity s workforce is in compliance with the Security Regulations. POLICIES AND PROCEDURES The objectives of the policies and procedures discussed in this document are to define how Visa safeguards PHI and ephi. These include: Privacy Safeguards, meaning those requirements that apply to PHI that is not electronic in form. The Privacy requirements also protect Individual access to health information and contain certain notice requirements that health plans must meet. Security Safeguards including Administrative Safeguards, which mean the administrative actions, policies and procedures, to manage the selection, development, implementation and maintenance of security measures to protect ephi; Physical Safeguards, which mean the physical measures, policies and procedures to protect Visa s electronic information systems, and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion; and Technical Safeguards, which mean the technology and the policy and procedures for its use that protect ephi and control access to it. Employer group health plans are required to comply with 22 standards described in the final Security Regulations. Most of the standards are implemented through "required" and "addressable" implementation specifications. An employer group health plan must comply with a "required" implementation specification. However, when an implementation specification is "addressable", an employer group health plan must assess whether the specification is a reasonable and appropriate safeguard given Visa group health Plans unique environment. Factors that can be used to determine whether a specification is reasonable and appropriate include risk analysis performed, risk mitigation strategy, security measures already in place, and the cost of implementation. With respect to "addressable" implementation specifications: 1.1 HIPAA Policy and Procedure Development and Approval

8 Administrative If the Visa group health plan determines that the specification is reasonable and appropriate, it must be implemented. If the implementation specification is determined to be an inappropriate and/or unreasonable security measure, but the standard cannot be met without implementation of an additional security safeguard, Visa group health plan may implement an alternative measure that accomplishes the same end as the addressable implementation specification. An employer group health plan that meets a given standard through alternative measures must document the decision, the rationale behind the decision, and the alternative safeguard implemented. Visa has implemented all the required and addressable implementation standards of the Security Regulations, except for the implementation specification requiring Isolating Health Care Clearinghouse Functions (45 CFR (a)(4)(ii)(A)) which would only apply if a health care clearinghouse is part of a larger organization. Visa has no such clearinghouse functions and therefore need not comply with this implementation specification. Visa has conducted an assessment of its existing safeguards against the Privacy Requirements and the Security Requirements including the required and addressable security implementation specifications. Visa has implemented reasonable and appropriate protection of ephi, will periodically monitor and review its security measures in place, and will amend this policies and procedures document when necessary to reflect organizational, environmental, technology, and regulatory changes. APPLICATION OF THESE POLICIES AND PROCEDURES The objective of the practices outlined in this document is to define how the Plans may handle and share PHI and how Visa has established reasonable and appropriate safeguards to ensure the confidentiality, integrity and availability of Individuals ephi and to protect this information from reasonably anticipated improper or unauthorized access, alteration, deletion and transmission. The safeguards include: Administrative Procedures, including how to verify an Individual s identity and how to audit the Privacy Standards; Authorizations, including when one is needed in using and disclosing PHI; Business Associates, including how to identify them and the contract language needed for the sharing of PHI by and with Business Associates; Individual Rights, including the right to request PHI and restrict some of its Disclosures; Administrative Safeguards, including an overview of the Plans Security management process, Security Incident procedures, access management, and periodic evaluation policy; Physical Safeguards, including the Plans Facility access controls, Workstation use and Security policies, and device and media controls; Technical Safeguards, including technology-based access and audit controls, Authentication methods, and data transmission and Integrity controls; and 1.1 HIPAA Policy and Procedure Development and Approval

9 Administrative Training and awareness for employees who handle PHI and ephi. It is important for you to read this document carefully and understand your role in handling and protecting PHI and ephi under HIPAA. There is a Glossary of Terms and Definitions in Appendix A of this Manual. Please refer to Appendix A for a complete description/definition of the capitalized terms whenever you see them in this Manual. If, after reading this document and attending HIPAA security awareness and training session, you still have questions, please contact Human Resources. 1.1 HIPAA Policy and Procedure Development and Approval

10 Administrative TOPIC: SUBJECT: HIPAA Policy and Procedure Development and Approval Process for Development and Approval of the Plans HIPAA Policy EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 This Section of the Visa policies and procedures document addresses Visa group health plan (GHP) documentation requirements under the Privacy and Security Regulations. Policies and Procedures An employer GHP must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, and other requirements of the Security Regulations. Further, an employer GHP must maintain its policies and procedures in written (including electronic) form. Group Health Plan Document An employer GHP must generally ensure that its Plan documents provide that a plan sponsor will reasonably and appropriately safeguard ephi created, received, maintained, or transmitted to or by the plan sponsor on behalf of the Visa GHPs. POLICY STATEMENT: The Plans will establish and maintain a methodology for consistent organization-wide development, Training, review, approval, assessment and updates of policies and procedures as required by the HIPAA Rules. PROCEDURES: The Plans policies and procedures will be reviewed and agreed upon by the Plans Privacy Officer or individuals to whom such Officer has delegated responsibility for compliance with the HIPAA Rules identified in this policy. Policies and procedures and any communications materials will be kept in written or electronic form as the Plans documentation. 1.1 HIPAA Policy and Procedure Development and Approval

11 Administrative TOPIC: SUBJECT: Group Health Plans and Plan Document Process to ensure that the Plans restrict Uses and Disclosures of PHI to the Plan sponsor consistent with the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans, including the components which may be insured and self-insured, are covered entities. In order for the Plans to disclose PHI to the Plan sponsor or to provide for or permit the Disclosure of PHI to the Plan sponsor by a Health Insurance Issuer or HMO with respect to the Plans, Visa will ensure that the Plan documents restrict Uses and Disclosures of PHI by the Plan sponsor consistent with the HIPAA Rules, including those relating to Genetic Information for Underwriting Purposes. In order for the Plan sponsor to obtain PHI from the Plans without Authorization, the Plan documents will be amended to: Describe the permitted Uses and Disclosures of PHI by the Plan sponsor; Specify that Disclosure is permitted only upon receipt of a written certification by the Plan sponsor that the Plan documents have been amended in accordance with the HIPAA Rules; Provide adequate firewalls which identify the employees or classes of employees or other person under the Plan sponsor s control who will have access to PHI; Provide that the Plan sponsor will implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ephi it creates, receives, maintains or transmits on behalf of the Group Health Plans; Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures; Require that the Plan sponsor report to the Plans any Security Incident of which it becomes aware; Ensure that any agents, including subcontractors, authorized to receive PHI agree to implement reasonable and appropriate Security Measures to protect the information; and Provide an effective mechanism for resolving any issues of non-compliance by the employees or class of employees who will have access to PHI. The Plans or a health issuer or HMO with respect to the Plans may disclose Summary Health Information to the Plan sponsor without regard to whether the Plan documents have been amended, if the Plan sponsor requests the Summary Health Information for the purpose of: Obtaining premium bids from Health Plans for providing health insurance coverage under the Plans; or Modifying, amending or terminating the Plans. 1.2 Group Health Plan and Plan Document

12 Administrative Additionally, the Plans (or a health issuer or HMO with respect to the Plans) may disclose to the Plan sponsor information on whether the Individual is participating in the Plans, or is enrolled in or has disenrolled from a Health Insurance Issuer or HMO without regard to whether the Plan documents have been amended by Visa. Effective as of the date determined by the Secretary, any disclosure of Summary Health Information provided to the Plan sponsor from a health issuer or HMO with respect to the Plans must not include Genetic Information for Underwriting Purposes. PROCEDURES: The Plans will: Determine and establish the permitted and required Uses and Disclosures of PHI by the Plan sponsor. Establish procedures for preventing the improper Uses and Disclosures of PHI by the Plan sponsor. Implement Administrative, Physical, and Technical Safeguards that reasonably and appropriately protect the Confidentiality, Availability and Integrity of the ephi it creates, receives, maintains or transmits on behalf of the Plans. Ensure that the separation between the Plans and the Plan sponsor is supported by reasonable and appropriate Security Measures. Determine the key employees (by job function/description) of the Plan sponsor who shall have access to the Plans PHI. Reports from third party administrators back to the Plans contain both aggregated data and individually identifiable data. These practices are intended to continue in the future. To the extent it is necessary to continue to receive Individually identifiable data, Visa will certify to its third party administrators that it has amended its Plan documents appropriately and disclose to them the identity of the Individuals within the Plans who are authorized to continue to view this data. Effective as of the date determined by the Secretary, the Plan sponsor will not accept any disclosure of Summary Health Information provided to the Plan sponsor by a health issuer or HMO with respect to the Plans that includes Genetic Information for Underwriting Purposes. Notwithstanding anything contained in this Manual to the contrary, effective as of the date determined by the Secretary, if the Plans receive PHI for the purpose of premium rating or other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits, and if such health insurance or health benefits are not placed with the Plans, the Plans may only use or disclose such PHI for such purpose or as may be Required by Law, subject to the prohibition against using or disclosing PHI that is Genetic Information for Underwriting Purposes. 1.2 Group Health Plan and Plan Document

13 Administrative TOPIC: SUBJECT: Designation of a Privacy Officer Designation of a Privacy Officer who is responsible for the development and implementation of the Plans Privacy policies and procedures. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will designate a Privacy Officer who is responsible for the development and implementation of the Plans HIPAA policies and procedures. The Privacy Officer will ensure a central point of accountability within Visa for Privacy- related issues. The Privacy Officer is charged with developing and implementing the policies and procedures for the Plans, as required throughout the HIPAA Rules and for compliance with the HIPAA Rules generally. The Privacy Officer may be an additional responsibility given to an existing employee of Visa. The Privacy Officer or a designee will be available to answer employee questions about the HIPAA Rules throughout the employee's appointment as the Privacy Officer. PROCEDURES: The Privacy Officer will be trained and able to review the Plans Privacy compliance. The Privacy Officer, or a designee, will: Conduct employee Training Establish a system for logging uses of PHI Document procedures for Individual access to PHI Establish employee Sanctions for failure to comply Maintain compliance records Monitor and respond to employee complaints The Privacy Officer, or a designee, will be responsible for monitoring the Plans Privacy procedures and practices internally on a periodic basis. Rick Leweke currently has been designated the HIPAA Privacy Officer for the Plans. A description of the role of the Privacy Officer is found in Appendix F. 1.3 Designation of a Privacy Officer

14 Administrative TOPIC: SUBJECT: Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI Process to mitigate any harmful effect of a Use or Disclosure of PHI in violation of the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will develop and implement procedures to mitigate, to the extent practical, any harmful effect that is known to the Plans. This includes unauthorized Use or Disclosure of PHI by the Plans or its Business Associates. The Plans will be responsible for mitigating harm when the Plans have actual knowledge of harm even if a deleterious effect cannot be shown. The Plans will ensure (via its contracting process) that its Business Associates agree to mitigate, to the extent practicable, any harmful effect that is known to those Business Associates of a Use or Disclosure of PHI by a Business Associate in violation of the requirements of the HIPAA Rules. PROCEDURES: The Plans will take reasonable steps based on knowledge of where the information has been disclosed, how it might be used to cause harm to the patient or another Individual, and what steps can actually have a mitigating effect in that specific situation. The Plans will use flexibility and judgment by those familiar with the circumstances to dictate the approach that is the best to mitigating the harm. Visa Employees within the Firewall: Visa employees within the Firewall typically have access to PHI through day-to-day telephone calls, messages or personal visits from employees with benefits-related issues. If, in the administration of these tasks, an employee becomes aware of an inadvertent misuse, the employee, on his or her own or by seeking assistance of another employee within the Firewall, will take reasonable measures to end or limit the misuse. If PHI is disclosed to an unauthorized Individual, Visa (the Privacy Officer, or his designee or designees) will contact the person to whom the unauthorized disclosure was made, explain that they mistakenly received information and notify them that the information they received contains PHI which may not be used or further disclosed for any purpose. Reasonable steps should be taken to retrieve the information from the person who received it. Business Associate Other than the day to day assistance to employees and the functions described in this Section and Section 1.2 of the policies and procedures, all handling of PHI is done by Business 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI

15 Administrative Associates who have contractually agreed to comply with the requirements of the HIPAA privacy regulations, including mitigation of harmful effects provision. If Visa becomes aware of an unauthorized use or disclosure of PHI, the HIPAA Privacy Committee will evaluate the specific situation and determine if any corrective action is needed. If a vendor s practice or pattern of activity has violated the privacy regulations, then Visa is obligated to take reasonable steps to cure the violation and have the vendor s practices changed. If such steps are unsuccessful, Visa will need to terminate the contract or if such termination is not feasible, Visa will report the problem to the Secretary of Health and Human Services. If an internal area within Visa has violated the privacy regulations, appropriate steps including outreach to the plan participants involved, application of sanctions, retraining, and other measures will be determined by the Benefits Committee. Examples: The Plans become aware that Business Associate discusses PHI with Individuals not on the list of employees within the Plans firewall (i.e., discussing a participant s claim with a supervisor or colleague). The Plans will contact the Business Associate and take reasonable steps to cure the violation, including verifying that that Business Associate is utilizing the proper list of Plan employees. Business Associate is sharing or selling participant names and/or diagnoses to a pharmaceutical company. The Plans will contact the Business Associate and take reasonable steps to cure the violation, terminate the contract, or contact the secretary and inform that person of the practice. An employee within the firewall receives a claims data report from a Business Associate and forwards to an employee within the firewall for review and analysis. The report is accidentally sent to the wrong person via or interoffice mail. Once the error has been detected, the employee shall take reasonable steps to retrieve the file from the person who received it. As a reasonable precaution against this contingency, employees who handle e- mails, files or reports containing PHI electronically shall be required to establish address listings specifically for others within the firewall for their electronic address book. The Plans become aware of an electronic breach of the corporate firewall, either intentional or unintentional. In such a case, the Plans internal Information Technology specialists may be required to evaluate whether specific data may have been improperly accessed. If such data is determined to have contained ephi, the Plans will use all reasonable efforts to contact the Individuals about whom the ephi related, and to see that the ephi is reobtained or destroyed. The Plans internal Information Technology specialists will be informed about and trained in regard to the sensitive and confidential nature of ephi so that any incidental Disclosure of PHI to them in the course of their job function may be properly contained. The Plans become aware that a Business Associate has mailed ID cards or other documentation containing PHI: (i) the wrong participant; or (ii) in such a way that PHI is visible through the envelope window. The Plans will contact the Business Associate and require it to take reasonable steps to correct the mailing, including identifying and contacting all Individuals who may have had PHI inadvertently disclosed in this manner. 1.4 Mitigation of Harmful Effects of Unauthorized Use or Disclosure of PHI

16 Administrative TOPIC: SUBJECT: Record Retention Process for retaining the Plans Individual Health Information, including the development, implementation and maintenance of appropriate processes to provide healthcare records as requested. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will maintain all PHI and related documentation for six (6) years from the date of its creation or the date when it last was in effect, whichever is later, to meet the applicable requirements of the HIPAA Rules. The Plans intent is to ensure an Individual s PHI is available so that the Plans can comply with the Individual s requests for an accounting of Uses and Disclosures of their PHI. (See also, Accounting (Logging) of Disclosures of Member PHI, Section 8.2) Business Associate contracts will include contract language that meets the HIPAA record retention requirements, accessibility of records (i.e., for accounting purposes), and how records will be transferred upon termination. (See also, Business Associates and Contracts, Section 3.1). PROCEDURES: The Privacy Officer and or the assigned person will be designated to oversee the process used for record retention. Other managers may be charged with maintaining healthcare information as required within their department to be HIPAA compliant regarding record retention. A log for HIPAA Privacy complaints and a log for non-routine permissible Uses and Disclosures of protected Health Information will be developed and maintained. The contracts of the Business Associates have been amended to ensure that the Business Associates will comply with all aspects of the HIPAA Rules, including record retention. 1.5 Record Retention

17 Administrative TOPIC: SUBJECT: Reporting of Non-Compliance with the HIPAA Rules A process for filing a complaint with the Secretary when a person believes that the Plans, a Business Associate or other Covered Entity is not complying with the HIPAA Rules. EFFECTIVE DATE: February 17, 2010 REVISION DATES: POLICY STATEMENT: The Plans will support the HHS policy that states that an Individual may file a complaint with the Secretary when such an Individual believes that the Plans are not complying with the HIPAA Rules. The Plans will also allow persons other than the Individual, such as personal representatives, to exercise the rights of the Individual under certain circumstances (e.g., for a deceased Individual). Any person may become aware of conduct by the Plans that is in violation of the HIPAA Rules. This can include the Plans employees, Business Associates, members, or other organizations. Complaints can be filed by any person, group, or organization. The person or organization who files the complaint will not be subject to any embarrassing or retaliatory action or threat of action. PROCEDURES: Any Individual or organization that becomes aware of conduct by the Plans, its Business Associate(s), or another related Covered Entity that is in violation of the HIPAA Rules does not have to use the Plans internal HIPAA complaint process and can file a complaint directly with HHS. This includes the Plans employees and their dependents, Business Associates, and accrediting, oversight, and advocacy organizations. The Plans will provide the information necessary for the Individual or organization to contact HHS as part of the Notice of Privacy Practices and also upon further request. An Individual or organization who believes that an agreement can be reached with the Plans may also use the Plans HIPAA internal complaint process or other means to seek resolution before filing a complaint with the Secretary. (See, Complaint Process, Sec. 5.4.) 1.6 Reporting of Non-Compliance with the HIPAA Requirements

18 Administrative TOPIC: SUBJECT: Workforce Sanctions Process for applying appropriate Sanctions against the members of the Workforce who fail to comply with the Plans HIPAA Policies and Procedures or the HIPAA Rules. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans have established policies and procedures regarding disciplinary actions which are communicated to all employees, agents, contractors and other persons under the Plans direct control. Sanctions will be implemented for those Individuals who do not follow the outlined policies and procedures. This will be applied to all violations, not just repeat violations. The Plans will have disciplinary actions that are communicated to all employees, agents, and contractors. The Plans will make employees, agents, and contractors aware that violations may result in notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. In addition to internal Plan Sanctions, employees, agents, and contractors of the Plans or the Plan sponsor will be advised of civil or criminal penalties for misuse or misappropriation of Health Information. The Plans will inform employees, agents and contractors that violations may result in notification to Law Enforcement Officials and regulatory, accreditation and licensure organizations. These Sanctions will be supported, and may be supplemented by Visa as needed, and may be added to all Business Associate agreements. PROCEDURES: Visa will determine what types of sanctions to apply. Violations of the outlined policies and procedures will be handled on a case-by-case basis through the Individual s manager and with the support of appropriate personnel organizations within Visa. If it is determined that a violation of the outlined policies and procedures has occurred, Visa will take timely and effective remedial action commensurate with the severity of the offense, including disciplinary action, up to immediate termination of employment. Employees of Business Associates are not employees of the Group Health Plan and are subject to the provisions outlined in the Business Associate contracts. Employees will be made aware of what actions are prohibited and punishable. Training will be provided and expectations will be made clear so Individuals are not sanctioned for doing things which they did not know were wrong or inappropriate. 1.7 Work Force Sanctions

19 Administrative Employee Sanctions may include any of the following: (a) Verbal warning (b) Re-Training and/or education (c) Notice of disciplinary action placed in personnel files (d) Other Sanctions, up to and including, termination of employment Business Associate Sanctions may include any of the following: (a) Verbal warning (b) Implementation of contract provisions that include contract penalties (c) Termination of contract (d) Notification to HHS The Human Resources Department will be responsible for notifying Workforce members who fail to comply with the HIPAA policies and procedures. The Privacy Officer and/or the Security Officer will assist Visa s Human Resources Department with the necessary information to appropriately apply disciplinary action, including notification to Law Enforcement Officials and regulatory, accreditation, and licensure organizations. Please refer to section of this Manual for Security Sanction procedures. 1.7 Work Force Sanctions

20 Administrative TOPIC: SUBJECT: Verification of Person s Identity Process to verify the identity of a person requesting PHI and the authority of any person to have access to PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will have procedures reasonably designed to verify and identify the authority of persons requesting PHI. The Plans will verify the identity of a person requesting PHI and the authority of any person to have access to PHI if the identity or authority of the person is not known to the Plans. The Plans will obtain any documentation, Statements, or representations, whether oral or written, from the person requesting PHI when it is a condition of the Disclosure. This applies to all Disclosures of PHI, including Treatment, Payment and Health Care Operations, where the identity of the recipient is not known to the Plans. The Plans will establish reasonable procedures to address verification in Routine Disclosures under Business Associate agreements. PROCEDURES: For communications with the Plans members, the Plans will already have information about each Individual, collected during enrollment that can be used to establish identity, especially for verbal or electronic inquiries. For example, the Plans may ask for the social security number or employee number of Individuals seeking information or assistance by telephone. The Plans will make a reasonable effort to send/mail PHI to the entity authorized to receive it. A form of photo identification such as a driver s license or certain personal information such as date of birth may also be used to verify the identity of the Individual. Disclosures that require an opportunity for the Individual to agree or to object will not require verification of the person requesting PHI. Law Enforcement Official The requirement to disclose PHI for law enforcement purposes may be satisfied by the administrative subpoena or similar process or by a separate written statement that demonstrates the applicable requirements have been met. Public Health Officials The Plans may rely, if such reliance is reasonable under the circumstances, on any of the following to verify identity when the Disclosure of PHI is to a public official or a person acting on behalf of the public official: 1.8 Verification of Person s Identity

21 Administrative If the request is made in person, presentation of an agency identification badge, or other official credentials, or other proof of government status; If the request is in writing, the request is on appropriate government letterhead; A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority; or If the disclosure is made to a person acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official. Exercise of Professional Judgment The Plans may also rely, if such reliance is reasonable under the circumstances, on any of the following to verify authority when the Disclosure of PHI is to a public official or a person acting on behalf of the public official: A written statement of the legal authority under which the information is requested, or, if a written statement would be impracticable, an oral statement of such legal authority; or If a request is made pursuant to legal process, warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority. Verification is met if the Plans rely on the exercise of professional judgment in making a use or disclosure in accordance with: The uses and disclosures that require an opportunity for the Individual to agree or to object; Emergency situations Where the Individual is unable to agree or object to disclosure due to incapacity or other emergency circumstance Disclosure to family members, close personal friends, and others involved in the Individual s care in emergency situations Acts on a good faith belief in making a disclosure in accordance with uses and disclosures to avert a serious threat to health or safety. Business Associates The Plans will ensure that the contracts of Business Associates have been amended to ensure that such Business Associates comply with HIPAA Rules. Typically, the third party administrator s use personal access codes/benefits access numbers for purposes of identify verification. 1.8 Verification of Person s Identity

22 Administrative TOPIC: SUBJECT: Safeguards Creating, implementing and maintaining reasonable processes and safeguards for the protection of PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will have appropriate Administrative, Technical, and Physical Safeguards in place to protect the privacy of PHI and the Confidentiality, Integrity, and Availability of ephi. The Plans will reasonably safeguard PHI from any intentional or unintentional Use or Disclosure that is in violation of the HIPAA Rules. The Plans will have reasonable and appropriate Administrative, Physical, and Technical Safeguards in place to protect against the inadvertent Disclosure of PHI to persons other than the intended recipient. PROCEDURES: The list of appropriate safeguards will include: All materials and documents containing PHI must be removed from desktops when not in use and locked in appropriate desk drawers, file cabinets, etc. Ensure that computer monitors are shielded from the view of unauthorized Individuals. Ensure that fax transmissions are shielded from the view of unauthorized Individuals and that fax machines are not located in high-traffic areas. For walk-in employees who wish to discuss health-related issues, ensure that unauthorized Individuals do not overhear discussions or see any PHI being discussed. All documents containing PHI are required to be disposed of in shredding bins. All doors accessing areas where PHI is stored are required to remain locked after business hours, or when the area is unattended. All desk drawers and/or file cabinets housing PHI are required to be locked at the end of the work day. Personnel who are authorized to key or pass code access to PHI shall be limited. All computer system access should be password protected. Ensure that documents containing PHI, on desktops and workstations, are not in plain view of unauthorized Individuals. Other access controls or physical protections (i.e., locking devices on Workstations); Automatic data backups; Firewalls; and Automatic updates to anti-virus software. Additional safeguards applying to ephi may be found in Sections 9 through 11 of this Manual. 1.9 Safeguards

23 Administrative 1.9 Safeguards

24 Administrative TOPIC: SUBJECT: Audit of Privacy Standards Process for auditing the Plans handling of PHI, including the development, implementation and maintenance of appropriate Privacy monitoring practices. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: The Plans will conduct periodic audits of Privacy practices. The goal is to determine if the Plans is in compliance with documented and implemented Privacy practices, policies, and procedures and is generally meeting the requirements of the HIPAA Rules governing Privacy. The Plans overall intent is to ensure that PHI is not released inappropriately or easily accessible to those who are not authorized to have access. For each Privacy audit that is undertaken, the Plans will describe what needs to be provided to support the audit and prove compliance. The Plans also will provide documentation in the form of an audit trail to be used as needed in the audit process. PROCEDURE: The Privacy Officer will be responsible for the overall Privacy audit process and will be assisted by other Human Resources Department staff as necessary to implement and maintain the Privacy audit policy and procedures. An Individual responsible to implement the Privacy audit process will be designated by the Privacy Officer. Selection of the Individual will be based on knowledge of the Human Resources Department and Visa s organization, as well as the HIPAA standards being reviewed. Privacy audits of the Plans will be completed on a periodic basis, with the exception of audits that result from incident reports or other specific events. As appropriate, Privacy audits will be incorporated into ongoing business process audits that follow other pre-existing audit requirements adopted by the Plans or the Plan sponsor. To consistently safeguard the Privacy of PHI, the audit will include the following areas to determine HIPAA compliance: Uses and Disclosures of PHI are compliant with HIPAA Levels of access to PHI are appropriately and consistently assigned De-identification of data is done when required Identity verification is done before PHI is given to a requestor The Minimum Necessary policy for PHI is followed routinely Authorizations are completed for Disclosures that are neither Routine nor non-routine but permissible PHI requests are appropriately logged 1.10 Audit of Privacy Standards

25 Administrative Responses to Individual requests for accounting of Disclosures are completed within the necessary time frame Individuals are given copies and able to inspect their healthcare information within the necessary time frame Privacy Notices are given to all Individuals as required under the Privacy Rules Complaints are reviewed and appropriate steps taken as needed for resolution of issues Business Associate contracts are up-to-date and include HIPAA requirements The Privacy Officer, or a designee, will review the Privacy audit reports to determine appropriate follow up actions, if any, if the audit scores are below the acceptable threshold level. The Plans Business Associates must make their internal practices, books, and records relating to the Use and Disclosure of PHI received from the Plans, or created or received by the Business Associate on behalf of the Plans, available to the Plans or, at the request of the Plans, to the Secretary, in a time and manner designated by the Plans or the Secretary, for purposes of the Secretary determining the Plans compliance with the HIPAA Rules. This agreement must be included and documented in the formal contract entered into between the Plans and its Business Associates. Please refer to section 9.8 of this Manual for Security evaluation procedures Audit of Privacy Standards

26 Authorization TOPIC: SUBJECT: Authorizations for Uses and Disclosures of PHI Process for authorizing Uses and Disclosures of PHI when it is not used for Payment, Treatment or operations, or non-routine, permissible Uses and Disclosures of PHI. EFFECTIVE DATE: April 14, 2003 REVISION DATES: February 17, 2010 POLICY STATEMENT: Authorizations are required for the Use and Disclosure of PHI for purposes other than the permitted Uses and Disclosures specified in the Privacy Rule. The Plans will obtain the Individual s permission prior to using or disclosing PHI when it is not used to carry out Routine (Payment, Treatment or Health Care Operations) or non-routine Uses and Disclosures. Except as listed in the Uses and Disclosures of PHI Policy, Section 8.1, the Plans will not use or disclose PHI without an Authorization. When the Plans receive a properly authorized request for the release of PHI, the Plans will adhere to the terms of the Authorization. Effective as of the date determined by the Secretary, the Plans will not accept any Authorization that permits the Plans to use or disclose PHI that is Genetic Information for Underwriting Purposes. The Plans will document and retain any signed Authorizations and will provide the Individual with a copy of the signed Authorization. PROCEDURES: The Plans do not need to obtain an Authorization from the Individual to: Use or disclose PHI for the Plans Payment or Health Care Operations; Disclose PHI to a Health Care Provider for the Individual s Treatment; Disclose PHI to another Covered Entity or a Health Care Provider for that entity s Payment activities; and Disclose PHI to another Covered Entity for that entity s Health Care Operations if both entities have or had a relationship with the Individual whose PHI is being requested, the PHI pertains to the current or former relationship, and the purpose of the Disclosure is for: A Health Care Operations activity for which the Privacy Rule states an Authorization is not required; or Detection of Health Care fraud and abuse or compliance with Health Care fraud and abuse laws. 2.1 Authorization for Uses and Disclosures of PHI

27 Authorization Use or disclose PHI as specifically permitted by the Privacy Rule pursuant to an exception. When an Authorization is needed, the Individual is provided with a copy of the Authorization form and asked to sign it. Signing an Authorization form is voluntary and the Individual may refuse to sign it. A copy of the signed Authorization must be provided to the Individual. The Individual may revoke the Authorization, in writing, at any time. The permissions granted in the Authorization should not be acted upon if the Authorization has been revoked or if it has expired. The Authorization will be documented and retained for a period of six (6) years after it was created or expired, whichever date is later. Most Uses and Disclosures requiring an Authorization will be handled by the Plans third party administrators. These will include all Uses and Disclosures not identified in Parts I or II of Section 8.1, such as the Disclosure of PHI to another Covered Entity for Health Care operations purposes where that Covered Entity does not have a relationship with that Individual or it is not for one of the purposes listed in Section 8.1. The most likely instance in which an employee within the firewall may need an Authorization is when a participant wishes to name a personal representative (such as an employee s Manager, Union Representative or an Executive s Administrative Assistant). Any Authorizations will be filed and retained on-site for six (6) years at a central location within the Visa Human Resources Department, including copies of any Authorizations obtained at the local level. Employees within the firewall will honor revocations made in writing. Authorizations acquired by Business Associates will need to be revoked via the Business Associate and not by the Plans. When the need for an authorization arises, the Plan or Plans will get a signed authorization from the Individual whose PHI is going to be used or disclosed. As a reminder, authorization forms are not required when disclosing PHI for workers compensation claims, but are required for disclosing PHI for STD and LTD claims. Only the Plan or Plans standard authorization form should be used. The Individual disclosing the PHI must make sure that the authorization is not defective. A signed copy of all authorization and revocation forms must be sent to Visa s Benefits Department. The Benefits Department retains copies of all signed forms. When the Benefits Department receives a request for a revocation of an authorization, it first must research to see if the revocation can be honored. Then the Benefits Department will respond in writing to the Individual stating if the authorization has been revoked and, if not, the reason why. Copies of this letter are retained with the signed revocation request form. The Benefits Department is also responsible for contacting the person/entity listed as the person receiving the PHI on the initial authorization form and informing him or her of the revocation. 2.1 Authorization for Uses and Disclosures of PHI

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

TABLE OF CONTENTS. University of Northern Colorado

TABLE OF CONTENTS. University of Northern Colorado TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...

More information

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES TABLE OF CONTENTS A. Overview of HIPAA Compliance Program B. General Policies 1. Glossary of Defined Terms Used in HIPAA Policies and Procedures 2. Privacy

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

HIPAA PRIVACY POLICIES AND PROCEDURES

HIPAA PRIVACY POLICIES AND PROCEDURES HIPAA PRIVACY POLICIES AND PROCEDURES FOR MOTT COMMUNITY COLLEGE NOVEMBER 18, 2004 PREPARED BY: KUSHNER & COMPANY 2427 WEST CENTRE AVENUE PORTAGE, MICHIGAN 49024 (269) 342-1700 WWW.KUSHNERCO.COM EMPLOYEE

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HILLSDALE COLLEGE HEALTH AND WELLNESS CENTER Policy Preamble This privacy policy ( Policy ) is designed to address the Use and Disclosure

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT PRIVACY POLICY STATEMENT Purpose: It is the policy of this Physician Practice that we will adopt, maintain and comply with our Notice of Privacy Practices, which shall be consistent with HIPAA and California

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N

HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N HIPAA PRIVACY AND SECURITY TRAINING P I E D M O N T COMMUNITY H EA LT H P L A N 1 COURSE OVERVIEW This course is broken down into 4 modules: Module 1: HIPAA Omnibus Rule - What you need to know to remain

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA Security Series

HIPAA Security Series 7 Security Standards: Implementation for the Small Provider What is the Security Series? The security series of papers provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the rule

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

University of California Policy

University of California Policy University of California Policy HIPAA Uses and Disclosures Responsible Officer: Senior Vice President/Chief Compliance and Audit Officer Responsible Office: Ethics, Compliance and Audit Services Effective

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

HIPAA Agreements Overview, Guidelines, Samples

HIPAA Agreements Overview, Guidelines, Samples HIPAA Agreements Overview, Guidelines, Samples I. Purpose The purpose of this document is to provide an overview of the regulatory requirements related to HIPAA trading partner agreements, business associate

More information

Can Your Diocese Afford to Fail a HIPAA Audit?

Can Your Diocese Afford to Fail a HIPAA Audit? Can Your Diocese Afford to Fail a HIPAA Audit? PETULA WORKMAN & PHIL BUSHNELL MAY 2016 2016 ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS Agenda Overview Privacy Security Breach Notification Miscellaneous

More information

Table of Contents INTRODUCTION AND PURPOSE 1

Table of Contents INTRODUCTION AND PURPOSE 1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

HIPAA Employee Training Guide. Revision Date: April 11, 2015

HIPAA Employee Training Guide. Revision Date: April 11, 2015 HIPAA Employee Training Guide Revision Date: April 11, 2015 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 (also known as Kennedy- Kassebaum Act ). HIPAA regulations address

More information

CITY OF LINCOLN. HIPAA Privacy Policies and Procedures

CITY OF LINCOLN. HIPAA Privacy Policies and Procedures CITY OF LINCOLN HIPAA Privacy Policies and Procedures Updated November 2013 Contents INTRODUCTION... 3 PRIVACY OFFICER... 4 NOTICE OF PRIVACY PRACTICES... 5 PATIENT ACCESS TO HEALTH INFORMATION... 6 USE

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

Schindler Elevator Corporation

Schindler Elevator Corporation -4539 Telephone: (973) 397-6500 Mail Address: P.O. Box 1935 Morristown, NJ 07962-1935 NOTICE OF PRIVACY PRACTICES FOR PROTECTED HEALTH INFORMATION THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE How to Use this Assessment The following risk assessment provides you with a series of questions to help you prioritize the development and implementation

More information

Policies and Compliance Guide

Policies and Compliance Guide Brooklyn Community Services Policies and Compliance Guide relating to the HIPAA Security Rule June 2013 Table of Contents INTRODUCTION... 3 GUIDE TO BCS COMPLIANCE WITH THE HIPAA SECURITY REGULATION...

More information

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY 1 School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA HENRY COUNTY POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Amended January 23, 2014 This HIPAA compliance manual was prepared for the

More information

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,

More information

District of Columbia Health Information Exchange Policy and Procedure Manual

District of Columbia Health Information Exchange Policy and Procedure Manual District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

HIPAA Policies and Procedures

HIPAA Policies and Procedures HIPAA Policies and Procedures William T. Chen, MD, Inc. General Rule 164.502 A Covered Entity may not use or disclose PHI except as permitted or required by the privacy regulations. Permitted Disclosures:

More information

HIPAA Privacy Policies & Procedures

HIPAA Privacy Policies & Procedures HIPAA Privacy Policies & Procedures This sample HIPAA Privacy Policies & Procedures document will help you with your HIPAA Privacy compliance efforts. This document addresses the basics of HIPAA Privacy

More information

8.03 Health Insurance Portability and Accountability Act (HIPAA)

8.03 Health Insurance Portability and Accountability Act (HIPAA) Human Resource/Miscellaneous Page 1 of 5 8.03 Health Insurance Portability and Accountability Act (HIPAA) Policy: It is the policy of Licking/Knox Goodwill Industries, Inc., to maintain the privacy of

More information

Joseph Suchocki HIPAA Compliance 2015

Joseph Suchocki HIPAA Compliance 2015 Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address

More information

HIPAA Training Study Guide July 2015 June 2016

HIPAA Training Study Guide July 2015 June 2016 Contents HIPAA Overview... 2 Who must comply?... 2 Privacy Standard... 3 Protected Health Information (PHI)... 3 Minimum Necessary Rule... 4 Requests for PHI... 5 Acceptable PHI Releases... 5 Special Circumstances...

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

HIPAA 101: Privacy and Security Basics

HIPAA 101: Privacy and Security Basics HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

HIPAA Privacy Manual

HIPAA Privacy Manual California State University HIPAA Privacy Manual Revised February 17, 2010 As prepared by Mercer Human Resource Consulting 2010 California State University The HIPAA Privacy Manual was drafted for the

More information

Notice of Privacy Practices. Human Resources Division Employees Benefits Section

Notice of Privacy Practices. Human Resources Division Employees Benefits Section Notice of Privacy Practices Human Resources Division Employees Benefits Section THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

HIPAA for Business Associates

HIPAA for Business Associates HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The

More information

September 2013. This replaces policies in the catalogue and any other documents to date.

September 2013. This replaces policies in the catalogue and any other documents to date. Southwest Acupuncture College September 2013 This replaces policies in the catalogue and any other documents to date. Santa Fe Albuquerque Boulder TABLE OF CONTENTS TABLE OF CONTENTS... 3 STATEMENT OF

More information

Plan Sponsor s Guide to the HIPAA Security Rule

Plan Sponsor s Guide to the HIPAA Security Rule Plan Sponsor s Guide to the HIPAA Security Rule Compliments of Aetna 00.02.117.1 (8/04) The HIPAA Security Rule We live in a world with ever increasing Internet and e-mail access, networking capabilities,

More information

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc. 2013 HIPAA Privacy and Security Frequently Asked Questions for Employers Gallagher Benefit Services, Inc. Disclaimer We share this information with our clients and friends for general informational purposes

More information

Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures

Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures Neera Agarwal-Antal, M.D. HIPAA Policies and Procedures HIPAA POLICIES & PROCEDURES This packet includes the following HIPAA policies, procedures and model forms: HIPAA General Operating Policy...1 Authorization

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account

VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES. Health, Dental and Vision Benefits Health Care Reimbursement Account VALPARAISO UNIVERSITY NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

More information

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY

DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES

DISCLAIMER HEALTH INFORMATION PRIVACY POLICIES & PROCEDURES DISCLAIMER This web site is provided for information and education purposes only. No doctor/patient relationship is established by your use of this site. No diagnosis or treatment is being provided. The

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Proc - A edures, dministrativ and e Documentation Safeguards

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] Background By law, the HIPAA Privacy Rule applies only to covered entities health plans, health care clearinghouses, and certain

More information

Health Insurance Portability and Accountability Act (HIPAA)

Health Insurance Portability and Accountability Act (HIPAA) Health Insurance Portability and Accountability Act (HIPAA) General Education Presented by: Bureau of Personnel Department of Health Department of Human Services Department of Social Services Bureau of

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

PHI- Protected Health Information

PHI- Protected Health Information HIPAA Policy 2014 The Health Insurance Portability and Accountability Act is a federal law that protects the privacy and security of patients health information and grants certain rights to patients. Clarkson

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA: In Plain English

HIPAA: In Plain English HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.

More information

SDC-League Health Fund

SDC-League Health Fund SDC-League Health Fund 1501 Broadway, 17 th Floor New York, NY 10036 Tel: 212-869-8129 Fax: 212-302-6195 E-mail: health@sdcweb.org NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES

NOTICE OF THE NATHAN ADELSON HOSPICE PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION PLEASE REVIEW IT CAREFULLY. DEFINITIONS PROTECTED HEALTH INFORMATION (PHI):

More information

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.

Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10

HIPAA 100 Training Manual Table of Contents. V. A Word About Business Associate Agreements 10 HIPAA 100 Training Manual Table of Contents I. Introduction 1 II. Definitions 2 III. Privacy Rule 5 IV. Security Rule 8 V. A Word About Business Associate Agreements 10 CHICAGO DEPARTMENT OF PUBIC HEALTH

More information