Research Impacts of the HIPAA Omnibus Final Rule July 31, 2013
|
|
- Chad Griffin
- 7 years ago
- Views:
Transcription
1 Research Impacts of the HIPAA Omnibus Final Rule July 31, 2013 Presented by: Fred Hamilton, JD Vice President, Ethics and Compliance at Mount Sinai Medical Center of Florida
2 About the Webinar Access webinar audio via computer speakers or telephone dial-in Please mute your audio Troubleshooting: Log out and log back in Try switching from computer audio to phone dial-in Recording and archive Q&A: via in-webinar tools and Webinar survey Certificate of attendance
3 About Schulman Associates IRB Established in 1983 US and Canadian boards fully accredited by the Association for the Accreditation of Human Research Protection Programs (AAHRPP) Superior audit history with FDA five consecutive audits with no findings 21 CFR Part 11 compliant electronic systems Compliant with FDA and OHRP requirements
4 About Schulman Associates IRB Full board meetings five days a week Dedicated daily expedited review of qualifying minimal risk protocols Phase I Board with streamlined processes tailored to Phase I timelines Oncology Review Board for all phases of oncology research Customized services for institutions and AMCs Experienced primary points of contact for sponsors, CROs, institutions and sites
5
6 About Today s Presenter Fred Hamilton, JD Vice President, Ethics and Compliance at Mount Sinai Medical Center of Florida Schulman board member (unaffiliated) since 2011 Formerly Associate General Counsel and Director, Office of Research Compliance and Regulatory Affairs, University of Cincinnati Has represented hospitals in contract and health law matters Attorney and graduate of the Salmon P. Chase College of Law of Northern Kentucky University
7 Research Impacts of the HIPAA Omnibus Final Rule July 31, 2013 Presented by: Fred Hamilton, JD Vice President, Ethics and Compliance at Mount Sinai Medical Center of Florida
8 HIPAA Fundamentals The Health Insurance Portability and Accountability Act ( HIPAA ) (1996)
9 HIPAA Fundamentals The Health Information Technology for Economic And Clinical Health Act ( HITECH ) (2009)
10 HIPAA Fundamentals Department of Health and Human Services Food and Drug Administration Office for Human Research Protections Office for Civil Rights
11 HIPAA Fundamentals Only Covered Entities are subject to HIPAA. Covered Entities include (a) healthcare providers who submit bills electronically; (b) health plans; and (c) healthcare clearinghouses. Most pharmaceutical companies, medical device companies, commercial IRBs and CROs are not Covered Entities. Research sites normally are Covered Entities, but may not be, depending on the nature of the operation.
12 HIPAA Fundamentals Penalties under the HIPAA Statute (Civil Penalties Tiered Approach) $ $ 50,000 per violation (Criminal Penalties Tiered Approach) Fines from $100 per violation to $ 250,000 Imprisonment up to Ten Years
13 HIPAA Fundamentals American Medical News June 7, 2010
14 HIPAA Fundamentals
15 HIPAA Fundamentals Certain uses and disclosures of Protected Health Information are permitted without obtaining a patient s authorization (for example, disclosures for the purposes of treatment, payment, and healthcare operations; disclosures required by law, etc.) All other uses and disclosures require a written patient authorization. Authorization Consent
16 Authorizations for Use and Disclosure of Health Information Authorizations for Use and Disclosure of Health Information Required Content (45 CFR (c)) Meaningful description of the information Who may use or disclose the information To whom the information will be disclosed All purpose(s) of the use or disclosure Expiration date or expiration event Individual s signature and date Right and method to revoke Right to refuse to sign (and consequences) Inability to condition treatment, payment, enrollment Risk of re-disclosure Plain language Copy must be given to Subject If LAR, authority to be described
17 Authorizations for Use and Disclosure of Health Information Additional Content When Appropriate (45 CFR )) Right of Access (Covered entity designated record set) Temporary Denial of Access (May override subjects wishes if integrity of the research is at stake)) Adverse Event Reporting (FDA required by law) Document Retention (Required by Law)
18 Effect of Revocation after Action in Reliance Written revocation of authorization, with withdrawal of existing research data or samples, may be denied as to data or samples as to which the investigator has taken action in reliance on the authorization (for example, sent to sponsor, reporting an adverse event). (45 CFR (b)(5)(1))
19 Common Rule HIPAA Requirements (5) A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained [and that notes the possibility that the Food and Drug Administration may inspect the records]. Study subjects should be informed of the extent to which the institution intends to maintain confidentiality of records identifying the subjects. In addition, they should be informed that FDA may inspect study records (which include individual medical records). If any other entity, such as the sponsor of the study, may gain access to the study records, the subjects should be so informed. 21 CFR 50.25(a)(5); 45 CFR (a)(5) [This is not a HIPAA Requirement]
20 HIPAA Omnibus Final Rules Effective Date: March 26, 2013 Compliance Date: September 23, 2013
21 HIPAA Omnibus Final Rules HIPAA Omnibus Rules Breach Notification Standard Pre-Final Rule, Breach: acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted [by HIPAA], which poses a significant risk of financial, reputational, or other harm to the affected individual[.] 45 CFR Final Rule, Breach: acquisition, access, use or disclosure of protected health information in a manner not permitted [by HIPAA] which compromises the security or privacy of the protected health information.
22 HIPAA Omnibus Final Rules HIPAA Omnibus Rules Prohibition on Sale of PHI Expansion of Prohibition on Marketing
23 HIPAA Omnibus Final Rules Other Features HIPAA Omnibus Rules Business Associate Expansions - direct liability - subcontractor liability - conduit rule Mandatory Changes to BA Agreements Disclosures of PHI for fundraising Covered Entity vicarious liability Expanded disclosures - Family Requirement for providing EHR Changes - Notice of Privacy Practices Decedents PHI
24 Compound Authorizations for Research
25 Compound Authorizations (3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: (i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research[.] [Old] 45 CFR (c)(3)(i) (emphasis added)
26 Compound Authorizations When an Authorization is obtained for research purposes, the Privacy Rule requires that it pertain only to a specific research study, not to nonspecific research or to future, unspecified projects. The Privacy Rule considers the creation and maintenance of a research repository or database as a specific research activity, but the subsequent use or disclosure by a covered entity of information from the database for a specific research study will require separate Authorization [.] NIH: Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (April 14, 2003) (emphasis added)
27 Compound Authorizations (3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows: (i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research [.] [New] 45 CFR (c)(3)(i) (emphasis added)
28 Compound Authorizations Where a covered health care provider has conditioned the provision of research-related treatment on provision of one of the authorizations any compound authorization created under this paragraph must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization. [New] 45 CFR (c)(3)(iii)
29 Compound Authorizations Notes 1. The new expansion is not limited to combining authorization for a research study with an authorization for a research database or repository; the expansion applies to combinations of authorizations for any types of research studies.
30 Compound Authorizations Notes 2. The new expansion does not change the pre-existing rule regarding separate authorization for the use or disclosure of psychotherapy notes; an authorization for the use or disclosure of psychotherapy notes may only be combined with another authorization for the use or disclosure of psychotherapy notes.
31 Compound Authorizations Notes 3. A combined authorization which permits an individual only to opt out of an unconditioned research activity is not permitted. We decline to permit a combined authorization that only allows the individual to opt out of the unconditioned research activities (e.g. Check here if you do NOT want your data provided to the biospecimen bank ) because an opt-out option does not provide individuals with a clear ability to authorize the optional research activity, and may be viewed as coercive by individuals. 78 Fed. Reg (January 25, 2013)
32 Approvability of Compound Authorizations for Future Research In order to satisfy the requirement that an authorization include a description of each purpose of the requested use or disclosure, an authorization for uses and disclosures of protected health information for future research purposes must adequately describe such purposes such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research.
33 Approvability of Compound Authorizations for Future Research However, we do not prescribe specific statements in the Rule. We agree with commenters that this approach best harmonizes with practice under the Common Rule regarding informed consent for future research, and allows covered entities, researchers and Institutional Review Boards to have flexibility in determining what adequately describes a future research purpose depending on the circumstances.
34 Compound Authorizations for Future Research Retroactive Effect Covered entities and researchers may rely on an Institutional Review Boardapproved consent obtained prior to the effective date of this final rule that reasonably informed individuals of the future research, provided the informed consent was combined with a HIPAA authorization (even though the authorization itself was specific to the original study or creation and maintenance of a repository)
35 Compound Authorizations for Future Research Extrinsic Documents [Covered entities may use] a combined consent/authorization form for a clinical trial and optional banking component, with a check box for the individual to have the choice to opt in to the banking component, and one signature, but with the detailed information about the banking component presented in a separate brochure or information sheet that is referenced directly in the consent/authorization form, [provided that]
36 Compound Authorizations for Future Research Extrinsic Documents if the brochure or information sheet includes required elements of the authorization (or informed consent) then the brochure or information sheet must be made available to potential research participants before they are asked to sign the consent/authorization document. Finally, in such cases, a covered entity must keep not only the signed authorization/consent form, but also a copy of the brochure or information sheet, in order to be in compliance with the documentation requirements at [45 CFR] (j).
37 Practical Tips Opt-In and Opt-Out The changes under the Omnibus Rule as regards opting in and opting out of research uses and disclosures had two purposes. The first purpose was to ensure that subjects understand the difference between the mandatory components of a research project, and the optional components. The second purpose was to ensure that subjects were not subject to coercion or undue pressure to participate in optional (unconditioned) activities.
38 Practical Tips Opt-In and Opt-Out Reviewing the language, it is clear that the opt-in requirement only applies if two things are true. First, the research under consideration must involve both a mandatory and an optional component. Second, the researcher must be seeking authorization for uses and disclosures of health information for both the mandatory and optional components in the same document (a compound authorization ).
39 Practical Tips Opt-In and Opt-Out Identifying Mandatory and Optional Components If these two conditions are satisfied, then the Rule requires, first, that the compound authorization make clear to subjects that there are mandatory and optional component(s) to the research. No particular language is required for this, and it is likely that the regulators would provide wide latitude in determining whether this requirement is satisfied.
40 Practical Tips Opt-In and Opt-Out Providing an Opt-In Opportunity for Optional Components Second, the Rule requires that subject be given the opportunity to opt-in to the optional research. This is the most frequent source of confusion surrounding this Rule, but the commentary makes clear that, if a subject is only provided an opportunity to opt out, he or she may be subject to undue pressure to agree to the optional research uses and disclosures.
41 Practical Tips Opt-In and Opt-Out Placement of Opt-In Language in a Compound Authorization The Omnibus Rule provides no guidance on where, exactly, an opt-in box (or other documentation of an opt-in election) relating to uses and disclosures of health information for optional research should appear. However, in keeping with the general regulatory principle that research-related documentation should avoid confusing subjects and should be kept to the minimum amount necessary for a full and clear explanation, it is probably reasonable for the opt-in box to appear in the body of the informed consent portion of the document, along with the explanation of the purposes, risks, benefits, etc. of the optional research. However, for clarity, there should be an explanation in the authorization (e.g. If you have elected to participate in the optional biomarker study as described above, your health information [may be used for/disclosed to etc.]
42 Compound Authorizations for Future Research I hereby authorize the use and disclosure of my protected health information for the following purposes: Future biomedical research Future research into my disease or condition Future research as described in the brochure Pharmacogenomics and You (
43 Compound Authorizations for Future Research By signing this form, you also authorize the use and disclosure of your protected health information for vital future biomedical research. If you do not wish to participate in this optional future research, please place your initials here:.
44 The Future HHS Advance Notice of Proposed Rulemaking: Enhanced Protections for Research Subjects and Reducing Burden, Delay and Ambiguity for Investigators 76 Fed. Reg (July 26, 2011)
45 The Future This ANPRM describes potential refinements to the current review framework intended to ensure that protections are commensurate with the level of risk of the research study. Five of the most significant changes being considered are summarized below, followed by a more detailed explanation of the proposals: HHS Advance Notice of Proposed Rulemaking: Enhanced Protections for Research Subjects and Reducing Burden, Delay and Ambiguity for Investigators 76 Fed. Reg (July 26, 2011)
46 The Future 1. Establishing mandatory data security and information protection standards for identifiable information and rules protecting against the inappropriate reidentification of de-identified information that is collected or generated as part of a research study to minimize informational risks and thereby eliminate the need for IRBs to review informational risks of the research. For purposes of the Common Rule, we are considering adopting the HIPAA standards regarding what constitutes individually identifiable information, a limited data set, and de-identified information, in order to harmonize these definitions and concepts. HHS Advance Notice of Proposed Rulemaking: Enhanced Protections for Research Subjects and Reducing Burden, Delay and Ambiguity for Investigators 76 Fed. Reg (July 26, 2011)
47 The Future A strong majority was opposed to the use of the HIPAA standards for purposes of defining the identifiability of research data Persons who were in support of the HIPAA standards tended to be persons based in medical organizations that were already following the HIPAA requirements. OHRP: Summary of Comments on ANPRM 02/24/2012
48 Questions - Comments
49 Thank You! We hope you found today s webinar informative and useful. Please complete our survey to provide feedback on this session. In the survey, you can also request a certificate of attendance for this event. Stay tuned for more information on our next webinar.
50 Research Impacts of the HIPAA Omnibus Final Rule July 31, 2013 Presented by: Fred Hamilton, JD Vice President, Ethics and Compliance at Mount Sinai Medical Center of Florida
HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationNew Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs
New Rules on Privacy, Security, Breach Reporting and Enforcement: Not Just for HIPAA-chondriacs Executive Summary After years of waiting for all of the anxious HIPAA-chondriacs out there, the HHS Office
More informationWinthrop-University Hospital
Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance
More informationProtecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule
AA Privacy RuleP DEPARTMENT OF HE ALTH & HUMAN SERVICES USA Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule NIH Publication Number 03-5388 The HI Protecting Personal
More informationNEW HIPAA PRIVACY RULES ALTER OPTIONS FOR HEALTH CARE MARKETING AND RESEARCH
A DV I S O RY January 2013 NEW HIPAA PRIVACY RULES ALTER OPTIONS FOR HEALTH CARE MARKETING AND RESEARCH In a notice published in the Federal Register on Jan. 25, 2013, 1 the Department of Health and Human
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationOCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act
OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act February 20, 2013 Boston Brussels Chicago Düsseldorf Frankfurt Houston
More informationAm I a Business Associate?
Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
More informationIntroduction to HIPAA Privacy
Introduction to HIPAA Privacy is published by HCPro, Inc. Copyright 2003 HCPro, Inc. All rights reserved. Printed in the United States of America. No part of this publication may be reproduced, in any
More informationMedical Research Law & Policy Report
Medical Research Law & Policy Report Reproduced with permission from Medical Research Law & Policy Report, 12 MRLR 98, 02/06/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033)
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationBUSINESS ASSOCIATE AGREEMENT TERMS
BUSINESS ASSOCIATE AGREEMENT TERMS This Addendum ( Addendum ) is incorporated into and made part of the Agreement between SIGNATURE HEALTHCARE CORPORATION ("Covered Entity ) and ( Business Associate"),
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationChildren's Hospital, Boston (Draft Edition)
Children's Hospital, Boston (Draft Edition) The Researcher's Guide to HIPAA Evervthing You Alwavs Wanted to Know About HIPAA But Were Afraid to Ask 1. What is HIPAA? 2. What is the Privacy Rule? 3. What
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available
More informationHIPAA Basics for Clinical Research
HIPAA Basics for Clinical Research Audio options: Built-in audio on your computer OR Separate audio dial-in: 415-930-5229 Toll-free: 1-877-309-2074 Access Code: 960-353-248 Audio PIN: Shown after joining
More informationHITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers
HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers Disclaimer: The following questions and answers are not legal advice or opinion. They
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationMetropolitan Living, LLC 151 W. Burnsville Parkway, Suite 101 Burnsville, MN 55337 Ph: (952) 564-3030 Fax: (651) 925-0031
The Health Insurance Portability and Accountability Act (HIPAA) and Client Privacy Statement This notice describes how your medical information may be used and disclosed and how you can get access to this
More informationUniversity of Mississippi Medical Center Office of Integrity and Compliance
Office of Integrity and Effective Date: 2005 By: Committee 1.0 PURPOSE The purpose of this policy is to guide (UMMC) employees, who are involved with research, in obtaining an authorization for the use
More informationFirstCarolinaCare Insurance Company Business Associate Agreement
FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance
More informationThe HIPAA Final Rule: What You Need To Do Now
The HIPAA Final Rule: What You Need To Do Now Guidance and Privacy Notice Updates for Psychologists July 2013 Introduction In January 2013, the U.S. Department of Health and Human Services (HHS) issued
More informationREPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
More informationNOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable
NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationSaaS. Business Associate Agreement
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
More informationHHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule
JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT This is a draft business associate agreement based on the template provided by HHS. It is not intended to be used as is and you should only use the agreement after you
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred
More informationPrivacy Space. Public Place. How to Protect PHI and be HIPAA Compliant
Privacy Space. Public Place. How to Protect PHI and be HIPAA Compliant Event Type Live Online ACPE Expiration Date 12/11/2016 Credits 1 Contact Hour Target Audience Pharmacy Technicians Program Overview
More informationHIPAA Privacy and Security and Research
ICTS Brown Bag Seminar Successful Completion: Participants must complete an evaluation form to receive a certificate of completion Contact Hours: 1 contact hours is available to those who meet the successful
More informationNew HIPAA regulations require action. Are you in compliance?
New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security
More informationReleasing Information
Releasing Information There are 3 kinds of release situations now: our original Release of Information and it s uses under Colorado Law and Professional Ethical Standards; HPAA s Consent to release information
More informationLegislative & Regulatory Information
Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy
More informationBUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
More informationBUSINESS ASSOCIATE AGREEMENT. Recitals
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
More informationResthave Home of Whiteside County, Illinois Resthave Nursing Home Resthave Home Assisted Living. Notice of Privacy Practices
Resthave Home of Whiteside County, Illinois Resthave Nursing Home Resthave Home Assisted Living Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationHIPAA COMPLIANCE. What is HIPAA?
HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used
More informationHIPAA Privacy Rule Primer for the College or University Administrator
HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationAPPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version)
APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT (2012 Version) THIS AGREEMENT is entered into and made effective the day of, 2012 (the Effective Date ), by and between (a)
More informationAdd a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual.
HIPAA/HITECH Policies and Procedures Please read this in its entirety. Add a section in the back of your HIPAA Privacy Manual and HIPAA Security Manual. Give a copy of this to all staff to read and ask
More informationHIPAA-P01 Uses and Disclosures of Protected Health Information Policy
HIPAA-P01 Uses and Disclosures of Protected Health Information Policy FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions Sanctions ADDITIONAL DETAILS Additional Contacts Web Address
More informationLong-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates
Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health
More informationReliance Agreement for Institutions Utilizing Stony Brook University s Institutional Review Board(s)
Name of Organization Providing IRB Review: Stony Brook University ( SBU IRB ) Name of Institution Relying on the SBU IRB ( Institution ): Latest AAHRPP Accreditation Date (if applicable) OHRP Federal Wide
More informationDr. Adam Apfelblat 5140 Highland Road Waterford 48327 Phone: (248)618-3467 Fax: (248)618-3515
Dr. Adam Apfelblat 5140 Highland Road Waterford 48327 HIPAA NOTICE OF PRIVACY PRACTICES PLEASE REVIEW THIS NOTICE CAREFULLY. IT DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW
More informationHIPAA Security Manual Administrative Security/Omnibus Rule
Notice of Privacy Policies Form ***This notice describes how medical information about you may be used and disclosed and how you can get access to this information. PLEASE READ IT CAREFULLY!*** The tells
More informationACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES
ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES I acknowledge that I have been provided a copy of Fiorillo Cosmetic and General Dentistry s Notice of Privacy Practices, which has an effective
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate
More informationAuthorization for Release of Information
Authorization for Release of Information Section I. Date: Student Name: Date of Birth: / / (mm/dd/yy) ID: Grade: School: Section II: Name: authorizes District # to release the specific information identified
More informationNotice of Privacy Practices
Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This practice uses
More informationSTANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT
STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 2014 (the Effective Date ), by and between (a) GI Quality Improvement Consortuim,
More informationAPPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT
APPENDIX I: STANDARD FORM BUSINESS ASSOCIATE CONTRACT AND DATA USE AGREEMENT THIS AGREEMENT is entered into and made effective the day of, 20 (the Effective Date ), by and between (a) THE SOCIETY OF GYNECOLOGIC
More informationOverview of HITECH ACT Changes to HIPAA Privacy Rules
Overview of HITECH ACT Changes to HIPAA Privacy Rules January 4, 2010 Presentation by Jennifer L. Cox, Esq. Timeline and Sources of Law HIPAA was passed by Congress in 1996, and regulations were required
More informationFinal Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan.
AIS Special Report 1 AIS Special Report Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg. 5566 (Jan. 25, 2013) By Francie Fernald,
More informationNotice of Privacy Practices
Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of
More informationHIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION
HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION HILLSDALE COLLEGE HEALTH AND WELLNESS CENTER Policy Preamble This privacy policy ( Policy ) is designed to address the Use and Disclosure
More informationHIPAA Policies and Procedures
HIPAA Policies and Procedures William T. Chen, MD, Inc. General Rule 164.502 A Covered Entity may not use or disclose PHI except as permitted or required by the privacy regulations. Permitted Disclosures:
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationWhat is Covered under the Privacy Rule? Protected Health Information (PHI)
HIPAA & RESEARCH What is Covered under the Privacy Rule? Protected Health Information (PHI) Health information + Identifier = PHI Transmitted or maintained in any form (paper, electronic, forms, web-based,
More informationBusiness Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
More informationPATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)
PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) Use and Disclosure of PHI: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance
More informationPrincipal Investigator Responsibilities for Education and Social/Behavioral Researchers
Principal Investigator Responsibilities for Education and Social/Behavioral Researchers Introduction The purpose of this module is to provide a basic understanding of the responsibilities of the principal
More informationDefinitions. Catch-all definition:
BUSINESS ASSOCIATE AGREEMENT THESE PROVISIONS MAY STAND ALONE AS A BUSINESS ASSOCIATE AGREEMENT, OR MAY BE INCORPORATED INTO A LARGER, MORE COMPREHENSIVE CONTRACT WITH THE BUSINESS ASSOCIATE TO COVER OTHER
More informationAppendix : Business Associate Agreement
I. Authority: Pursuant to 45 C.F.R. 164.502(e), the Indian Health Service (IHS), as a covered entity, is required to enter into an agreement with a business associate, as defined by 45 C.F.R. 160.103,
More informationBusiness Associates: HITECH Changes You Need to Know
Business Associates: HITECH Changes You Need to Know Rebecca L. Williams, RN, JD Partner Co-chair of HIT/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 Who Is a Business Associate? A
More informationCentral Maine Healthcare
Central Maine Healthcare Administrative Policy No. HC-HI-5004(R2) HIPAA SUBJECT: Disclosures of Protected Health Information Policy Statement/Purpose: This policy sets forth the circumstances in which
More informationHIPAA-ACKNOWLEDGEMENT OF RECEIPT Notice of Privacy Practices
PEDIATRIC ENDOCRINE ASSOCIATES, P.C. 8200 E. Belleview Avenue, Suite 510E Greenwood Village, CO 80111 303-783-3883 HIPAA-ACKNOWLEDGEMENT OF RECEIPT Notice of Privacy Practices Printed Patient Name: Patient
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
More informationBUSINESS ASSOCIATE ADDENDUM
BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) adds to and is made a part of the Q- global Subscription and License Agreement by and between NCS Pearson, Inc. ( Business Associate
More informationAuthorization/Informed Consent for Use and Disclosure of Health Care Information Grid Wisconsin Statutes and the Federal Privacy Law
Disclaimer: This Document is. It may be freely redistributed in its entirety provided that this copyright notice is not removed. It may August 27, 2010 Grid updated to correct the omission of "general"
More informationBusiness Associate Agreement (BAA) Guidance
Business Associate Agreement (BAA) Guidance Introduction The purpose of this document is to provide guidance for creating or updating business associate agreements between your Practice ( Covered Entity
More informationData Breach, Electronic Health Records and Healthcare Reform
Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA
More informationUnderstanding Your Health Record Information
Associated Retina Consultant s, Ltd. Notice of Information Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Addendum is made part of the agreement between Boston Medical Center ("Covered Entity ) and ( Business Associate"), dated [the Underlying Agreement ]. In connection with
More informationPOLICY AND PROCEDURE MANUAL
Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL
More informationHSHS BUSINESS ASSOCIATE AGREEMENT BACKGROUND AND RECITALS
HSHS BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement, ( Agreement ) is entered into on the date(s) set forth below by and between Hospital Sisters Health System on its own behalf and
More informationHIPAA Compliance Issues and Mobile App Design
HIPAA Compliance Issues and Mobile App Design Washington, D.C. April 22, 2015 Presenter: Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee and Jacksonville, Florida Agenda Whether HIPAA applies
More informationNOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS
NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
More informationPRIVACY NOTICE. In certain situations, we may also disclose patient information to another provider or health plan for their health care operations.
1 PRIVACY NOTICE THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This Privacy Notice is being
More informationGENOA, a QoL HEALTHCARE COMPANY, LLC WEBSITE PRIVACY POLICY
GENOA, a QoL HEALTHCARE COMPANY, LLC WEBSITE PRIVACY POLICY PLEASE READ THIS WEBSITE PRIVACY POLICY CAREFULLY BEFORE USING THIS WEBSITE, OR SUBMITTING ANY PROTECTED HEALTH INFORMATION OR PERSONALLY IDENTIFIABLE
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationWhite Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES
White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Contract (Agreement) is entered into by and between, as a Covered Entity as defined in relevant federal and state law, and HMS Agency, Inc., as their
More informationHIPAA COMPLIANCE INFORMATION. HIPAA Policy
HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas
More informationAttachment B HIPAA-P03 Instructions for Completing IU s Authorization for Research Purposes
Attachment B HIPAA-P03 Instructions for Completing IU s Authorization for Research Purposes The HIPAA Privacy Rule generally prohibits health care providers from using or releasing protected health information
More informationDear New Lilly Associate and Spouse or Domestic Partner:
Eli Lilly and Company Lilly Corporate Center Indianapolis, Indiana 46285 U.S.A. +1.317.276.2000 www.lilly.com Dear New Lilly Associate and Spouse or Domestic Partner: Eli Lilly and Company is required
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationPLLC NOTICE OF PRIVACY PRACTICES
PLLC THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE READ IT CAREFULLY. NOTICE OF PRIVACY PRACTICES The following
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationThe Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices
The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL
More informationBUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;
BUSINESS ASSOCIATE ADDENDUM This BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is made and entered into as of July 1, 2012, ( Effective Date ) and supplements and is made a part of the services agreement
More informationBUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE
BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties
More informationEvolution of HB 300. HIPAA passed in 1996 Originally, HIPAA only directly impacted certain covered entities :
Texas HB 300 HB 300: Background Texas House Research Organizational Bill Analysis for HB 300 shows state legislators believed HIPAA did not provide enough protection for private health information (PHI)
More informationRE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62
Submitted electronically at www.regulations.gov Ms. Susan McAndrew Deputy Director for Health Information Privacy Office for Civil Rights U.S. Department of Health and Human Services Hubert H. Humphrey
More information