HIPAA/HITECH Omnibus Final Rule - January 23, 2013


1 HIPAA Omnibus Rule
Please note: these slides are intended to provide an overview of general information, not an exhaustive review. No legal advice is being offered or intended. Do not rely on this information for individual or specific situations; instead, seek advice from retained counsel.

2 HIPAA/HITECH Omnibus Final Rule - January 23, 2013
- Requirements effective March 26, 2013
- Compliance with most of the final rule provisions is required by September 22, 2013
- Existing Business Associate Agreements must be in full compliance by September 22, 2014 (if not previously renewed or modified)

3 Final Rule: Summary of Modifications
- Extends responsibility for HIPAA/HITECH privacy compliance related to Protected Health Information (PHI) to business associates
- Outlines new breach notification requirements
- Creates new penalties for unsecured breaches

4 Final Rule: Summary of Modifications (Continued)
- Limits disclosures to health plans
- Limits marketing communications
- Clarifies prohibition on sale of PHI
- Allows immunization disclosures
- Allows disclosures to family members of deceased persons

5 Final Rule: Summary of Modifications (Continued)
- Regulates record copies and transmittal of electronic PHI
- Permits combined conditioned and unconditioned research authorizations

6 Business Associate (BA) Changes/Clarifications
- Modifies definition of business associate to include:
  - a person who maintains PHI;
  - a person who undertakes patient safety activities (PSO);
  - a Health Information Organization, E-prescribing Gateway, or other person who provides data transmission services of PHI to a covered entity and requires routine access to PHI;
  - a person who offers a personal health record to one or more individuals on behalf of a covered entity; and
  - a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate
- Subcontractor means: a person to whom a business associate delegates a function, activity, or service other than in the capacity of a member of the workforce of such business associate

7 Deceased Individuals
- The definition of PHI at has been modified to no longer protect individually identifiable health information of a person deceased for more than 50 years (not a record retention requirement)
- Covered entities may disclose a decedent's PHI to family and others involved in care of or payment of care for the decedent prior to death, relevant to that person's involvement, unless inconsistent with the individual's known preferences as expressed prior to death (Note: does not permit unlimited disclosures of PHI, and combined with state laws governing records of the deceased, the situation may be complicated)

8 Student Immunization Records
- A covered entity is permitted to disclose proof of immunization to a school when State or other law requires that information for admission
- Agreement, which can be oral, is still required and must be documented ( request, notation of phone call, etc.)

9 New Marketing Rules
- Marketing is a communication about a product or service that encourages its purchase or use
- Authorization is required for all marketing communications, including those for treatment or healthcare operations, where the marketing entity receives direct or indirect financial remuneration from the marketed entity

10 New Marketing Rules
- Previous exceptions not modified:
  - Face-to-face communication
  - Promotional gift of nominal value (i.e., pamphlet)
- Refill exception: Refill reminders or communications regarding current prescriptions, as long as remuneration is reasonably related to cost of making communication (i.e., labor, supplies and postage, no profit)
- Not intended to be covered:
  - General health promotion
  - Communications regarding government and government-sponsored programs

11 Business Associates Direct Liability
- Use or disclosures of PHI not in accord with BA agreement or Privacy Rule
- Failing to disclose PHI when required by the Secretary of the U.S. Department of Health and Human Services (HHS)
- Failing to disclose PHI to covered entity, individual, or designee as necessary with respect to an individual's request for an electronic copy of his/her PHI
- Failing to make reasonable effort to ensure PHI is concise and accurate
- Failing to enter into compliant BA agreements with subcontractors
- BA failing to act when aware of fellow BA's subcontractor's non-compliance

12 Uses and Disclosures: Sales of PHI
- Must have written authorization for sale of PHI, including:
  - Receipt of in-kind benefits in addition to financial benefits
- Need authorization in connection with research if price charged exceeds cost of preparation and transmittal of data (does not include grants for a research study)

13 Uses and Disclosures: Sales of PHI (Continued)
- Authorization not required for:
  - Public health activities
  - Disclosures for payment or treatment
  - Disclosures to individuals or designees requesting own information, for a reasonable fee (includes labor costs and costs of supplies, e.g., portable media, if state law not more restrictive)
  - Transfer, merger, or consolidation of a covered entity related to due diligence
  - Remuneration between a covered entity and BA or BA and subcontractor for services provided

14 Research Authorizations
- May combine conditioned and unconditioned authorizations for research if the authorization differentiates between conditioned and unconditioned research activity and allows the person the ability to opt in to the unconditioned research activity
- Authorizations are no longer required to be study specific, in that they can be for future research, if purposes are adequately described so that the individual would reasonably expect that their PHI could be used or disclosed for future research

15 Restrictions on Use and Disclosure
- Must comply with an individual's request that a covered entity not disclose PHI to a health plan for payment or healthcare operations if the PHI pertains solely to a healthcare item or service that was paid for in full by the individual (or someone other than the health plan)
- Exceptions: when disclosure is required by law

16 Individual's Access to Protected Health Information
- If an individual requests an electronic copy of PHI that is maintained electronically, they must be provided a copy in the electronic form and format requested, if readily producible
- If not readily producible, produce in form and format mutually agreed to
- If individual declines all offered and readily producible electronic formats, must provide hard copy
- Must consider security of transmission, but may provide by unencrypted e-mail if individual advised of risk and prefers that method

17 Individual's Access to Protected Health Information (Continued)
- If requested by the individual, the covered entity must transmit PHI directly to the designated person
- Requests must be in writing, signed, and clearly identify recipient and address/location
- Must have reasonable policies and procedures to verify identity of the requestor and reasonable safeguards to protect the information (e.g., procedures to ensure correct address entered)
- If access approved, access or copy must be provided within 30 days
- There is a one-time extension of 30 days (with written notice of reasons for delay and expected date request will be completed)

18 Notice of Privacy Practices
- Must indicate that authorization is required for:
  - Most uses and disclosures of psychotherapy notes (for entities that record or maintain such notes)
  - Uses and disclosures of PHI for marketing
  - Disclosures that constitute a sale of PHI
  - Other uses and disclosures not described in the Notice

19 Notice of Privacy Practices (Continued)
- Must include a statement regarding fundraising communications and right to opt out of same (if intend to contact an individual to raise funds)
- Healthcare providers must inform patients of right to restrict certain disclosures of PHI to a health plan when they pay out of pocket in full for the healthcare item or service
- Must include a simple statement of the right to be notified of a breach of unsecured PHI

20 Notice of Privacy Practices (Continued)
- Must post revised Notice in clear and prominent location within office or facility
- Provide copy to new patients and whenever requested
- Post on website

21 Preemption of State Law
- HIPAA requirements supersede contrary provisions of state law
- HIPAA does not preempt state law when state law provides more stringent privacy protections (e.g., HB 300)

22 Enforcement Rule Amendments
- Business Associate is added to the following Enforcement Rule provisions: ; ; (a) and (c); ; ; ; ; ; ; (b); ; (c) and (d); and (a) and (c)
- These sections were modified in order to impose direct civil money penalty liability on business associates (which now includes subcontractors) for violations of certain provisions
- Business associates are required to have policies and procedures regarding privacy and security in handling PHI
- Business associates are subject to complaint investigations and compliance reviews by the HHS
- Business associates must get business associate agreements with subcontractors who fall within the BA definition

23 Enforcement Rule Amendments (Continued)
- If a complaint, after a preliminary investigation of the facts, indicates a possible violation due to willful neglect, the Secretary will investigate. The Secretary has the discretion to investigate other complaints.
- The Secretary will conduct compliance reviews when a preliminary review of the facts indicates a possible violation due to willful neglect. Absent possibility of willful neglect, compliance reviews are discretionary.
- The Secretary must impose a civil money penalty for willful neglect, but may seek resolution of other complaints and compliance reviews by informal means.
- If circumstances indicate willful neglect, the Secretary may proceed to formal enforcement without seeking to correct noncompliance through voluntary corrective action.

24 HIPAA Security Rule Applies to Business Associates
- The definition of business associate has been modified with additions
- Section requires administrative safeguards, including that BAs must obtain required assurances from subcontractor
- Section requires physical safeguards
- Section requires technical safeguards
- Section requires organizational requirements, including agreements between BA and subcontractors
- Section policies, procedures, and documentation requirements

25 Breach Notification Provisions
- Breach: acquisition, access, use or disclosure of PHI in a non-permitted manner that compromises the security or privacy of the PHI
- Exceptions:
  - Unintentional acquisition, access or use by employee or other acting with authority, if in good faith and within course and scope of employment or professional relationship, and was not further acquired, accessed, used or disclosed
  - Inadvertent disclosure from an authorized person to another at the same facility, and information was not further acquired, accessed, used or disclosed
  - Unauthorized disclosures in which the unauthorized person would not have reasonably been able to retain the information

26 Breach Notification Provisions (Continued)
- An impermissible use or disclosure of PHI is presumed to be a breach unless the covered entity or business associate demonstrates there is a low probability that the [PHI] has been compromised based on a risk assessment....
- A risk assessment must include the following factors:
  - Nature and extent of PHI involved
  - The unauthorized person who used or to whom the information was disclosed
  - Whether the PHI was actually acquired or viewed
  - Risk mitigation

27 Breach Notification Provisions (Continued)
- Burden of proof is on the covered entity or business associate to demonstrate a low probability the PHI has been compromised
- Must maintain documentation sufficient to meet that burden of proof
- Safe Harbor: if PHI is encrypted pursuant to 74 FR and 42742, no breach notification is required after an impermissible use or disclosure

28 Breach Notification Provisions (Continued)
- Business Associates must notify covered entities without delay and always within 60 days following discovery of a breach
- Discovered means the first day the breach is known or, by exercising reasonable diligence, would have been known to either BA or covered entity
- The business associate is deemed to have knowledge if the breach is known or, by exercising reasonable diligence, would have been known to any employee, officer or other agent, other than the person committing the breach

29 Breach Notification Provisions (Continued)
- The primary responsibility to notify the affected individual remains with the covered entity (not the business associate)
- Covered entity must notify affected individuals without unreasonable delay and always within 60 days of discovery of breach (with law enforcement exceptions)

30 Breach Notification Provisions (Continued)
- The Notice must include, to the extent possible:
  - Brief description of what happened (including date of breach and date of discovery, if known)
  - Types of PHI involved
  - Steps individuals should take to protect themselves from potential harm
  - Brief description of actions being taken to investigate breach, mitigate harm, and to protect against further breaches
  - Contact procedures for questions or information
- Note potential for Civil Rights Act and ADA requirements

31 Methods of Notification to Individuals
- Send written notice to individual's last known address or e-mail him/her if specified as preferred method
- In case of insufficient or out-of-date contact information, a substitute notice is required
- In case of insufficient information for ten or more individuals, must make conspicuous posting on website or notice in major print or broadcast media, providing toll-free number
- If urgent, may also contact by telephone
- Send minor-notice to parent or personal representative
- Send deceased-notice to next of kin or personal representative (if known to be deceased and have contact information)

32 Methods of Notification to Individuals (Continued)
- When more than 500 individuals in a single state or jurisdiction are affected, the covered entity must notify the media (in addition to sending individual notices)
- Must provide notice to prominent media outlets serving the state or jurisdiction where the individuals reside
- Timing: Without unreasonable delay and always within 60 days after discovery of breach

33 Breach Notification to the Secretary
- When 500 or more individuals (regardless of whether they are in a single state or jurisdiction) are affected, notification must be sent to the Secretary concurrently with the notification to individuals
- When fewer than 500 individuals are affected, the covered entity shall maintain a log or other documentation, and submit information to the Secretary on these breaches within 60 days after the end of the calendar year in which the breaches were discovered (not the year in which they occurred)
- Must maintain the internal log or other documentation for six years

34 Penalties for HIPAA Violations
- Tier A - the offender did not know and, with reasonable diligence would not have known, that it violated a provision. The fine is between $100 and $50,000 for each violation.
- Tier B - violations due to reasonable cause (knew, or with reasonable diligence would have known violation), but not willful neglect. The fine is between $1,000 and $50,000.

35 Penalties for HIPAA Violations (Continued)
- Tier C(i) - violations due to willful neglect that the entity timely corrected. The fine is $10,000 to $50,000 for each violation.
- Tier C(ii) - violations due to willful neglect that were not timely corrected. Fines start at $50,000.
- For each category of violations, the fines for all violations of an identical provision may not exceed $1,500,000 for a calendar year.

36 Timely Correction
- 30-day cure period begins on the date the entity first has actual or constructive knowledge of the violation
- Determined by Department based on evidence gathered during the investigation

37 Factors in Imposing a Penalty
- Nature and extent of violation, which may include, but is not limited to:
  - Number of affected individuals
  - Time period over which violation occurred
- Nature and extent of the harm, which may include, but is not limited to:
  - Whether caused physical harm
  - Whether caused financial harm
  - Whether caused harm to an individual's reputation
  - Whether hindered individual's ability to obtain healthcare

38 Factors in Imposing a Penalty (Continued)
- History of prior compliance, including but not limited to:
  - Current violation same or similar to previous noncompliance
  - Attempts to correct previous noncompliance
  - Response to technical assistance from the Secretary in the context of a compliance effort
  - Response to prior complaints

39 Factors in Imposing a Penalty (Continued)
- Financial condition, which may include but is not limited to consideration of:
  - Financial difficulties that limit ability to comply
  - Whether a penalty would jeopardize the ability of the entity or BA to continue to provide or pay for healthcare
  - The size of the entity or BA
- Other matters as justice may require

40 Agents
- Both covered entities and business associates are liable for their agents, regardless of labels used
- No longer an exception when a compliant business associate agreement is in place


New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

BREACH MANAGEMENT & NOTIFICATION POLICY

BREACH MANAGEMENT & NOTIFICATION POLICY PURPOSE To ensure that the impermissible or unauthorized use or disclosure of an Individual s Protected Health Information (PHI) will be reported and Participants shall comply with the notification requirements

More information

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq. HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by Cottingham & Butler for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Talksoft is BA with Covered Entity BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is made this day of, and entered into between, ( Covered Entity ) having its principal place of

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE

DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE DATA SHARING & BREACH PROTOCOLS UNDER THE FINAL HIPAA PRIVACY RULE I. INTRODUCTION: The Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions apply to three

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

organization's patient protected health information (PHI) occurs. as any other federal or state notification law.

organization's patient protected health information (PHI) occurs. as any other federal or state notification law. I. APPLICABILITY Entire organization and its business associate (BAs) and the BA's Subcontractors. II. PURPOSE To provide guidance for breach notification by covered entities and breaches by their business

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Section 2: HIPAA and the HITECH Act

Section 2: HIPAA and the HITECH Act Section 2: HIPAA and the HITECH Act 1 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of

More information

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations

More information

HITECH Act Changes to HIPAA Privacy and Security Rules

HITECH Act Changes to HIPAA Privacy and Security Rules CLIENT - ALERT TO: FROM: RE: Health Care Clients D. Brent Wills HITECH Act Changes to HIPAA Privacy and Security Rules DATE: September 21, 2012 This Memorandum is a supplement to my firm s Memorandum dated

More information

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New

Georgia Regional Academic Community Health Information Exchange (GRAChIE) Breach Notification Policy Effective Date: May, 2012 Revision Date: New Objective The objective of this policy is to provide guidance for breach notification by Georgia Regional Academic Community Health Information Exchange (hereafter referred to as GRAChIE) when unauthorized

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014

HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 HIPAA Breach Reporting Tips & Tricks IADDA Annual Conference 2014 9/3/14 Gerald Jud E. DeLoss Disclaimer 2 o This presentation and its materials are for informational purposes only and not for the purpose

More information

NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER**

NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER** NEW JERSEY DATA BREACH NOTIFICATION & IDENTITY THEFT PREVENTION POLICY **DISCLAIMER** This document was prepared to assist the typical physician practice in seeking to undertake reasonable measures to

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information

New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information GEORGE CHORIATIS In this article, the author discusses the new Health Insurance Portability and Accountability

More information

Breach Notification and Enforcement Update

Breach Notification and Enforcement Update Breach Notification and Enforcement Update Presented to the Seattle Western Pension & Benefits Council June 16, 2015 Sarah Brown Investigator U.S. Department of Health and Human Services Office for Civil

More information

HIPAA Task Force May 2013

HIPAA Task Force May 2013 HIPAA Task Force May 2013 AUTHORS: Thora A. Johnson tajohnson@venable.com 410.244.7747 Peter P. Parvis ppparvis@venable.com 410.244.7644 Jennifer Spiegel Berman jsberman@venable.com 410.244.7756 Molly

More information

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC HIPAA Update Bob Radecki W.J. Flynn and Associates, LLC Background ARRA American Recovery and Reinvestment Act of 2009 HITECH Health Information Technology for Economic and Clinical Act (Title XII, Part

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 12 I. Policy The Health Information Technology for Economic and Clinical Health Act ( HITECH ) regulations contain requirements for notifying individuals in the event of a breach of their unsecured

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

CHART YOUR HIPAA COURSE...

CHART YOUR HIPAA COURSE... CHART YOUR HIPAA COURSE... HHS ISSUES SECURITY BREACH NOTIFICATION RULES PUBLISHED IN FEDERAL REGISTER 8/24/09 EFFECTIVE 9/23/09 The Department of Health and Human Services ( HHS ) has issued interim final

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :

Evolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities : Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,

More information

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers Disclaimer: The following questions and answers are not legal advice or opinion. They

More information

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES

LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES LCD SOLUTIONS and CLICKTATE.COM BUSINESS ASSOCIATE AGREEMENT and DISCLOSURE of RIGHTS to COVERED ENTITIES This agreement ("Agreement") is effective upon its execution and delivery to LCD SOLUTIONS, INC.

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not

More information

UPDATE ON CHANGES TO THE HIPAA PRIVACY AND SECURITY RULES

UPDATE ON CHANGES TO THE HIPAA PRIVACY AND SECURITY RULES UPDATE ON CHANGES TO THE HIPAA PRIVACY AND SECURITY RULES HCCA April 11, 2011 Iliana L. Peters, JD, LLM Objective 2 Understand recent changes to the HIPAA Privacy, Security, Enforcement, and Breach Notification

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( the Agreement ) is entered into this day of, 20 by and between the Tennessee Chapter of the American Academy of Pediatrics ( Business Associate

More information