HIPAA and HITECH: New Rules, Trends and Traps for the Unwary

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "HIPAA and HITECH: New Rules, Trends and Traps for the Unwary"

Transcription

1 HIPAA and HITECH: New Rules, Trends and Traps for the Unwary Elizabeth Tosaris, Partner October 22, 2015 Atlanta Austin Boston Chicago Dallas Hartford Hong Kong Houston Istanbul London Los Angeles Miami Morristown New Orleans New York Orange County Providence Sacramento San Francisco Stamford Tokyo Washington DC West Palm Beach 2015 Locke Lord LLP Agenda Overview of Law Business Associate Agreements Preparing for OCR Audits 2 1

2 Definitions Covered Entity (CE) Business Associate (BA) Business Associate Agreement (BAA) 3 Definitions, Cont d. PHI: Protected Health Information (individualized), includes any patient name, mailing or address phone number SS # any other individually identifiable health information PHI is not de-identified health information Limited circumstances where PHI can be disclosed 4 2

3 HIPAA Privacy Rule Security Rule Breach Notification Rule Business Associate Requirements 5 HITECH Act Focused on exchange of ephi Widens the scope of privacy and security protections available under HIPAA Increased penalties Requires periodic HHS audits 6 3

4 Exceptions CFR Reporting Requirements To Dept. of Ins. and other regulators Court proceedings Other 7 On Beyond HIPAA and HITECH Versions of the privacy model law adopted in the 1980s State versions of HIPAA Common law causes of action? 8 4

5 9 Many ways to breach privacy 10 5

6 Definition of Breach Federal v. state law definitions HIPAA definition at 45 CFR Four prong test When it occurs 11 Breach Notification Rule Who to tell When to tell What to tell Penalties for violation of breach notification rule 12 6

7 The Basics of Being a BA Subject to certain federal privacy and security rules May have a downstream subcontractor who is also a BA Direct liability for breach Reporting duties in event of breach Subject to HHS audits 13 Violations By a Business Associate A CE is liable for violations by a business associate acting as an agent Federal common law of agency applies and a BA is an agent of a CE if: CE controls BA; or CE delegates its duty to BA 14 7

8 Violations By a Business Associate Facts and Circumstances Test will apply Right to Control Degree of Control Specialized Expertise 15 OCR Authority OCR may initiate investigations following breach or complaint OCR may bring enforcement actions OCR reports its oversight and enforcement activities to Congress 16 8

9 OCR Investigations- Resolutions Public Fine & Corrective Action Paucity of breach settlements with BA s 17 Penalties After HITECH Intent Did not know or could not have known Reasonable Cause and not Willful Neglect Willful Neglect, but Promptly Corrected Willful Neglect, Not Promptly Corrected Minimum Per Incident At least $100 - $50,000 Annual Cap for All violations of Identical Provision $ 1.5 million $1,000 - $50,000 $ 1.5 million $10,000-$50,000 $ 1.5 million $50,000 $1.5 million 18 9

10 Discretion and Factors in Setting the Penalty Nature and extent of the violation (including the number of individuals affected and the duration of the violation). Nature and extent of the harm (including reputational harm). History of prior compliance. Financial condition of the BA or CE. Such other matters as justice may require. Factors can be mitigating or aggravating. Penalties can be waived so long is violation does not arise out of willful neglect. 19 Why would you sign a BAA? Insured is a covered entity Insurer is a BA To get the business 20 10

11 Required Provisions in BAA s Template on HHS Website Mandatory Topics Security Standards (45 C.F.R ) Administrative Safeguards (45 C.F.R ) Physical Safeguards (45 C.F.R ) Technical Safeguards (45 C.F.R ) Organizational Requirements (45 C.F.R ) Policies and Procedures (45 C.F.R ) Notification to the Secretary (45 C.F.R ) General Rules; Uses and Disclosures of PHI (45 C.F.R ) Organizational Requirements; Uses and Disclosures (45 C.F.R ) 21 Key Issues With Insureds: What information is governed by BAA? Does BAA govern traditional insurance functions? With your BA s What will you pay if your BA breaches 22 11

12 BA Obligations Limits on Use of PHI Accounting for Disclosures BA must comply with the Security Rule in its entirety. Duty to disclose breach BA must cure violations by a subcontractor BA. 23 Tips for BAA s Limited scope Only sign if you have to Be sure your systems are compliant Who else will you need to check? 24 12

13 BAA terms to Consider Responsibility for Determining Breach Responsibility for Breach Notification Timing of Notification to CE Naming person to contact in event of breach 25 BAA terms to Consider, Cont d. Indemnity provisions/cost Apportionment Termination Provisions Insurance requirements Other applicable state laws CE s right to audit Compliance with CE s Policies 26 13

14 Preparing for OCR Audits Generally more security than privacy findings HHS is authorized to audit BA s No OCR Audits of BA s completed yet 27 What does OCR Audit for? Audit protocols evolve Privacy Rule requirements Security Rule requirements Requirements for the Breach Notification Rule

15 Ongoing Security Program A good idea for any BA May be subject of an OCR audit May be required under BAA 29 Before an Incident Conduct a Risk Assessment Strong IT system security flexible and fast White hat penetration experts rules on byod security measures around routine access Diligently monitored/ability to know if there is an attack 30 15

16 Before an Incident, cont d Physical Security Training of Personnel Active monitoring by Board/CEO Relationships with vendors Purchase Cyberinsurance Purchase Access to Credit Monitoring Develop Plan in case of attack 31 During an Incident Execute the Plan for a Breach Alert necessary individuals Understand scope of breach asap Preserve evidence Minimize damage Document efforts to address Send required notifications Involve relevant law enforcement and intelligence agencies 32 16

17 A Word about Security Logs Reporting party Date of incident Affected company and business area Summary of facts Affected individual(s) State(s) of residence Electronic or paper data Exposed personal information Description of incident Legal analysis Risk of harm Actions taken Breach/no breach Additional notes 33 After a Breach Make sure breach is repaired Analysis of response to incident Repair reputational harm Address law suits 34 17

18 Conclusion/Q&A Elizabeth Tosaris, Esq. San Francisco Attorney Advertising. Locke Lord LLP disclaims all liability whatsoever in relation to any materials or information provided. This presentation is provided solely for educational and informational purposes. It is not intended to constitute legal advice or to create an attorney-client relationship. If you wish to secure legal advice specific to your enterprise and circumstances in connection with any of the topics addressed we encourage you to engage counsel of your choice Locke Lord LLP 35 18

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists

Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists ONCE MORE UNTO THE BREACH, DEAR FRIENDS, ONCE MORE Revisiting the PHI Breach Under HIPAA and HITECH and Considerations for Ophthalmologists Neil H. Ekblom, Esq. 885 Third Avenue, 16th Floor, New York,

More information

HIPAA for Business Associates

HIPAA for Business Associates HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates

Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates Final HIPAA/HITECH Omnibus Rule Makes Significant Changes for Health Plans and Their Business Associates After a very long wait, the Department of Health and Human Services ( HHS ) has issued a final HIPAA/HITECH

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

What You Need to Know About Recent Proposed Changes to HIPAA Privacy, Security and Enforcement Rules

What You Need to Know About Recent Proposed Changes to HIPAA Privacy, Security and Enforcement Rules What You Need to Know About Recent Proposed Changes to HIPAA Privacy, Security and Enforcement Rules September 22, 2010 Pillsbury Winthrop Shaw Pittman LLP General Overview Health Information Technology

More information

Enforcement, Business Associates and Breach Notification. Oh my! May 10, 2016

Enforcement, Business Associates and Breach Notification. Oh my! May 10, 2016 Enforcement, Business Associates and Breach Notification. Oh my! May 10, 2016 This Webinar is Brought to You By. Who We Are HealthInsight and Mountain-Pacific Quality Health are private, non-profit, community-based

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Business Associate Considerations for the HIE Under the Omnibus Final Rule

Business Associate Considerations for the HIE Under the Omnibus Final Rule Business Associate Considerations for the HIE Under the Omnibus Final Rule Joseph R. McClure, Esq. Counsel Siemens Medical Solutions USA, Inc. WEDI Privacy & Security Work Group Co-Chair Agenda Who is

More information

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective July 23, 2013 Gerry Hinkley, Pillsbury Allen Briskin, Pillsbury Pillsbury Winthrop Shaw Pittman LLP

More information

What do you need to know?

What do you need to know? What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up

Key HITECH & Omnibus Rule Challenges Enforcement: Thinking Like OCR Audits, Audits & More Audits Hot Issues for 2015 Wrap Up David Holtzman, JD CIPP/G Vice President for Compliance CynergisTek, Inc. 1 Vice President, Compliance, CynergisTek, Inc. Subject matter expert in policy and compliance issues involving the HIPAA Privacy,

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.

HIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C. HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results

More information

Understanding HIPAA/HITECH as a Mail Service Provider

Understanding HIPAA/HITECH as a Mail Service Provider Understanding HIPAA/HITECH as a Mail Service Provider General Housekeeping As a reminder this session is being recorded and the slides will be available to download from the NPF website Please be sure

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Preparing for the HITECH September Deadline: Tips for Negotiating Effective Business Associate Agreements under HIPAA.

Preparing for the HITECH September Deadline: Tips for Negotiating Effective Business Associate Agreements under HIPAA. Preparing for the HITECH September Deadline: Tips for Negotiating Effective Business Associate Agreements under HIPAA July 29, 2014 Meet Today s Speakers James B. Wieland Principal, Ober Kaler jbwieland@ober.com

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Talksoft is BA with Covered Entity BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is made this day of, and entered into between, ( Covered Entity ) having its principal place of

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two.

Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell. Topics Covered Part One. Topics Covered Part Two. Surviving a HIPAA violation One Agency s Experience Presented by: Roger Shindell President & CEO Carosh Compliance Solutions & Liz Mayer, RHIA Director, Organizational Integrity HCI Care Services and VNS

More information

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:

BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS: BUSINESS ASSOCIATE AND DATA USE AGREEMENT NAME OF COVERED ENTITY: COVERED ENTITY FEIN/TAX ID: COVERED ENTITY ADDRESS:, City State Zip This Business Associate and Data Use Agreement ( Agreement ) is effective

More information

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences

Key HIPAA HITECH Changes. Gina Kastel, Partner, Health and Life Sciences Key HIPAA HITECH Changes Gina Kastel, Partner, Health and Life Sciences Agenda Business Associates Restrictions on Disclosures Access to PHI Notice of Privacy Practices Fundraising 2 Business Associates

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).:

AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: AMENDMENT TO IMPLEMENT HIPAA BUSINESS ASSOCIATE REQUIREMENTS (UPB=COVERED ENTITY) CONTRACT NO(S).: THIS AMENDMENT is made as by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC. located at 450 Clarkson

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS

HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience

More information

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746

More information

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC HIPAA Compliance and Non-Business Associate Vendors: Strategies and Best Practices July 14, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON,

More information

Creating Stable Security & Compliance Relationships

Creating Stable Security & Compliance Relationships Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq. HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September

More information

Texas Medical Records Privacy Act

Texas Medical Records Privacy Act A COALFIRE PERSPECTIVE Texas Medical Records Privacy Act Texas House Bill 300 (HB 300) Rick Dakin, CEO & Co-Founder Rick Link, Director Andrew Hicks, Director Overview The State of Texas has pushed ahead

More information

Anthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now

Anthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now Anthem s Data Breach Impacts Many Anthem and Non-Anthem Plans: Necessary Employer Actions Now March 6, 2015 On January 29, 2015, Anthem, Inc., an insurer and service provider for many employer-sponsored

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS

BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM RECITALS BUSINESS ASSOCIATE PRIVACY AND SECURITY ADDENDUM This Business Associate Addendum ( Addendum ), effective, 20 ( Effective Date ), is entered into by and between University of Southern California, ( University

More information

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule. Exhibit F - Business Associate Agreement HIPAA BAA HIPAA BAA, v1.3 Revised 8/15/2014 THIS AGREEMENT is made on between Centre Technologies, Inc., a Texas Corporation ( Company ) with its principal place

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Business Associate Agreement (BAA) Guidance

Business Associate Agreement (BAA) Guidance Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity

More information

HIPAA Privacy Rule Policies

HIPAA Privacy Rule Policies DRAFT - Policies and Procedures PRIVACY OFFICE ASSIGNMENT AND RESPONSIBILITIES APPROVED BY: SUPERCEDES POLICY: Policy #1 ADOPTED: REVISED: REVIEWED: Purpose This policy is designed to assure the establishment

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ("Agreement") is made and is effective as of the date of electronic signature("effective Date") between Name of Organization ("Covered

More information

DHHS POLICIES AND PROCEDURES

DHHS POLICIES AND PROCEDURES DHHS POLICIES AND PROCEDURES Section VIII: Privacy and Security Revision History: 8/21/13; 5/1/05 Original Effective Date: 4/14/03 Purpose To ensure that all individuals or organizations that perform specific

More information

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is between you, a healthcare provider, its employees and agents ( Covered Entity ) and Doc Halo, LLC ( Business Associate ).

More information

Copyright 2016 State Volunteer Mutual Insurance Company. HIPAA Training for the Medical Office

Copyright 2016 State Volunteer Mutual Insurance Company. HIPAA Training for the Medical Office Copyright 2016 State Volunteer Mutual Insurance Company HIPAA Training for the Medical Office Disclaimer The information and any commentary contained in these training materials is for informational purposes

More information

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS

HSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and

More information

Interpreting the HIPAA Audit Protocol for Health Lawyers

Interpreting the HIPAA Audit Protocol for Health Lawyers Interpreting the HIPAA Audit Protocol for Health Lawyers This webinar is brought to you by the Health Information and Technology Practice Group (HIT), and is co-sponsored by the Business Law and Governance

More information

HIPAA Business Associate Agreement Instructions

HIPAA Business Associate Agreement Instructions HIPAA Business Associate Agreement Instructions HIPAA AND COLA ACCREDITATION The Health Insurance Portability and Accountability Act (HIPAA) requires laboratories to enter into written agreements with

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

HIPAA/HITECH Omnibus Final Rule - January 23, 2013

HIPAA/HITECH Omnibus Final Rule - January 23, 2013 HIPAA Omnibus Rule Please note: these slides are intended to provide an overview of general information, not an exhaustive review. No legal advice is being offered or intended. Do not rely on this information

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Business Associates 10230 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy Title:

More information

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions

HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,

More information

Responding to HIPAA Breaches

Responding to HIPAA Breaches Responding to HIPAA Breaches 11/06/2015 by Kim Stanger HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT THIS IS A TEMPLATE ONLY. CERTAIN STATES MAY NOT PERMIT THE TYPES OF ACTIVITIES ALLOWED HEREUNDER RELATING TO PROTECTED HEALTH INFORMATION. THUS THIS AGREEMENT MAY NEED TO BE MODIFIED IN ORDER TO COMPLY

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals

HIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (the Agreement ) is made by and between Business Associate, [Name of Business Associate], and Covered Entity, The Connecticut Center for Health,

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into as of _September 23_, 2013, (the Effective Date ) by and between Denise T. Nguyen, DDS, PC ( Dental Practice

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HIPAA Enforcement is Here

HIPAA Enforcement is Here HIPAA Enforcement is Here Risks and rewards for MSPs Cam Roberson Director, Reseller Channel Beachhead Solutions THIS JUST IN History of HIPAA Security 1996 Congress Passes Health Insurance Portability

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Preferred Professional Insurance Company Subcontractor Business Associate Agreement

Preferred Professional Insurance Company Subcontractor Business Associate Agreement Preferred Professional Insurance Company Subcontractor Business Associate Agreement THIS SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT ( Agreement ) amends and is made a part of all Services Agreements (as

More information

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT

STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA

AHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud

More information

A s a covered entity or business associate, you have

A s a covered entity or business associate, you have Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Implementation Business Associates and Breach Notification

Implementation Business Associates and Breach Notification Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com

More information

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)

APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) THIS AGREEMENT is entered into and made effective the day of, 2012 (the Effective Date ), by and between (a)

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.

BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of

More information

HIPAA Privacy & Breach Notification Training for ARDC Staff

HIPAA Privacy & Breach Notification Training for ARDC Staff HIPAA Privacy & Breach Notification Training for ARDC Staff Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System August 10, 2015 Webinar Essentials Session

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties:

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties: PRIVACY 1.0 FACILITY PRIVACY OFFICER Scope: Purpose: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities

More information