GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014
Glenn County Health and Human Services Agency
HIPAA Policies and Procedures

TABLE OF CONTENTS (HIPAA Policy Number and Name)

- 100: Administrative, Technical, and Physical Safeguards
- 101: Accounting of Disclosures of PHI
- 102: Breach Notification and Mandatory Reporting
- Business Associates
- Disclosure of Proof of Child Immunization
- Disclosures of PHI to Family, Friends, and Personal Representatives
- Sale of PHI
- Use and Disclosure of PHI for Fundraising and Marketing
- Uses and Disclosures of PHI after Client Death
- Uses and Disclosures of Substance Abuse Records
- Psychotherapy Notes
- Uses and Disclosures of PHI Requiring Written Authorization
- Uses and Disclosures of PHI Not Requiring Authorization
- Disposal of PHI
- ePHI Authorization & Access Controls for Workforce
- Computer, Electronic Mail, and Internet Usage Related to PHI
- De-Identification of PHI
- Printing, Copying, and Faxing PHI
- Minimum Necessary
- Use of Notice of Privacy Practices
- Monitoring HIPAA Compliance
- Non-Retaliation Regarding Filing a Report of HIPAA Violation
- Password Management
- Laptops and Other Portable Devices
- Individuals' Rights Related to PHI
- HIPAA Training Plan
- Enforcement and Sanctions
- Security Management Process
- Security Standards and Requirements
- Termination
- Transportation of PHI
- Uses and Disclosures of PHI for Research
- Verification of Identity (page 108)
HIPAA 100   Original: 01/01/03   Revised: 02/24/14   Page 1 of 5

HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES

SUBJECT: ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS

POLICY

Glenn County Health and Human Services Agency (HHSA) will take reasonable steps to safeguard information from any intentional or unintentional use or disclosure that is in violation of the privacy policies. HIPAA specifies administrative, technical, and physical safeguards that must be implemented in order to safeguard PHI. Information to be safeguarded may be in any medium, including paper, electronic, verbal, and visual representations of confidential information.

HHSA has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

PROCEDURES

I. Administrative Safeguards

Implementation of Role-Based Access and the Glenn HIPAA Minimum Necessary Standard policy will promote administrative safeguards. Development and implementation of county-wide security policies will also enhance administrative safeguards.

Role-Based Access

Roles will be created and defined based on the confidential information HHSA owns, where it is located, how it is used, and why. A determination of who should have access to the specific data will be established. HHSA deputy directors, managers, and supervisors will decide the role of each of their staff and request exceptions based on the needs of their office. Managers are responsible for allowing access to enough information for their staff to do their jobs while holding to the minimum necessary standard.

Minimum Necessary

HHSA staff will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. HHSA staff will not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. For more information on the Minimum Necessary Standard, please see the Glenn HIPAA Minimum Necessary Standard policy.

II. Technical Safeguards

Electronic Controls

HHSA shall implement safeguards to limit access to electronic PHI through at least the following controls:

a) All HHSA employees who have access to electronic PHI must have a unique password to allow access to the HHSA computer network. HHSA employees are responsible for guarding this password from misuse by others. HHSA employees who write their password on paper will keep it only in a locked drawer or cabinet so others do not inadvertently learn it.

b) If PHI is to be stored on the hard disk drive or other internal components of a personal computer or other electronic storage device, it must be protected by either a password or encryption. Unless encrypted, this media must be secured from unauthorized access when not in use.

c) If PHI is stored on CDs, DVDs, flash drives, or other removable data storage media, the PHI cannot be saved on storage devices that contain other electronic software or data.

d) PHI stored in medical equipment (e.g., EKG, Ultrasound, Flexsing machines) must be kept secure and disposed of according to the Glenn HIPAA Disposal of PHI policy.

For more information regarding PHI and electronic media, please see the Glenn HIPAA Computer, Electronic Mail, and Internet policy.

III. Physical Safeguards

PAPER CONTROLS

HHSA staff must be aware of the risks regarding paper documents and how they are used and handled. Staff will take all necessary precautions to safeguard confidential information, including the minimum necessary access to paper documents containing confidential information.

All HHSA fax machines will be cleared of PHI regularly throughout the day and at the end of each day. All PHI that is printed by an HHSA employee will be removed from the printer in a timely manner to avoid inadvertent disclosures.

Storage of Paper PHI

HHSA staff will store files and documents that are covered under the privacy policies in locking filing cabinets, drawers, or storage systems. Outside of regular working hours, HHSA personnel will assure that materials containing PHI are properly secured in locking cabinets or drawers. Desks, file rooms, and/or open area storage systems must be locked.

Disposal of Paper PHI

HHSA staff will ensure that files and documents awaiting disposal or destruction in desk-site containers, storage rooms, or centralized waste/shred bins are appropriately labeled and are disposed of on a regular basis. Reasonable measures will be taken to minimize access, as follows:

- Desk-site containers: Staff will ensure that confidential information awaiting disposal is stored in containers that are appropriately labeled and are properly disposed of on a regular basis.
- Storage rooms containing confidential information awaiting disposal: Each HHSA workplace will ensure that storage rooms are locked after business hours or when authorized staff are not present.
- Centralized waste/shred bins: Each HHSA workplace will ensure that all centralized bins or containers for disposed confidential information are clearly labeled confidential, sealed, and locked.

Each HHSA workplace that does not have locked storage rooms or centralized waste/shred bins must implement reasonable procedures to minimize access to confidential information. HHSA staff will ensure that shredding of files and documents is performed on a timely basis, consistent with record retention requirements.

Outside Contractors: HHSA must ensure that any outside entity performing destruction is under a written contract that requires safeguarding of confidential information throughout the destruction process. For more information on the appropriate disposal of PHI, please see the Glenn HIPAA Disposal of PHI policy.

VERBAL CONTROLS

HHSA staff will take reasonable steps to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs. Staff will be aware of risk levels, as follows:

- Low Risk: interview rooms, enclosed offices, and conference rooms.
- Medium Risk: employee-only areas, telephone, and individual cubicles.
- High Risk: public areas, reception areas, and shared cubicles housing multiple staff where clients are routinely present.

Each department shall make enclosed offices and/or interview rooms available for the verbal exchange of confidential information.

Exception: In work environments housing few offices or closed rooms, uses or disclosures that are incidental to an otherwise permitted use or disclosure could occur. Such incidental uses or disclosures are not considered a violation provided that HHSA has met the reasonable safeguards and minimum necessary requirements.

When PHI is being released through teleconference or video feed, HHSA personnel must treat the protection of PHI in the same manner as PHI recorded on paper, securing access to the teleconference or video to authorized personnel only. Each department must foster employee awareness of the potential for inadvertent verbal disclosure of confidential information.

VISUAL CONTROLS

HHSA staff will ensure that observable confidential information is adequately shielded from unauthorized disclosure on computer screens and paper documents.

Computers

Each department must ensure that confidential information on computer screens is not visible to unauthorized persons. Suggested means for ensuring this protection include:

- Use of polarized screens or other computer screen overlay devices that shield information on the screen from persons other than the authorized user;
- Placement of computers out of the visual range of persons other than the authorized user;
- Clearing information from the screen when not actually being used;
- Minimizing active windows when not in use;
- Any electronic media being discarded or replaced (including hard drives in workstations) shall be written over, degaussed, or irrevocably destroyed to ensure proper erasure of confidential or proprietary data;
- Users shall secure media (such as hard copy, diskettes, etc.) which contain confidential information in a locked desk, cabinet, drawer, etc.;
- Other effective means as available, including but not limited to, using screen savers and password-protected screensavers.

For more information on workstations, please see the Glenn HIPAA Workstation policy.

Printing and Copying of Paper PHI

For more information regarding printing and copying of PHI, please see the Glenn HIPAA Printing and Copying of PHI policy.

ENFORCEMENT

An employee or team member learning of violations of this policy should notify his/her supervisor as soon as possible. Staff are responsible for adhering to this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.

References: 45 CFR
HIPAA 101   Original: 01/14/03   Revised: 02/24/14   Page 1 of 4

HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES

SUBJECT: ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

POLICY

Disclosures of Protected Health Information (PHI) must be documented. This policy outlines the requirements and procedures for documenting disclosures of PHI.

Glenn County Health and Human Services Agency (HHSA) has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

PROCEDURES

A client has a right to receive an accounting of disclosures of PHI by HHSA during a time period specified up to six (6) years prior to the date of the request for an accounting, except for disclosures:

- To carry out treatment, payment, or health care operations, as permitted under law;
- To the client about his or her own information;
- To persons involved in the client's care or other notification purposes permitted under law;
- Pursuant to the client's authorization;
- For national security or intelligence purposes;
- To correctional institutions or law enforcement officials as permitted under law;
- As part of a limited data set;
- That occurred prior to April 14.

Note: The client's right to receive an accounting of disclosure of PHI to a health oversight agency or law enforcement official may be suspended for the time period specified by the agency or official, if the agency or official provides a written statement asserting that the provision of an accounting would be reasonably likely to impede the activities of the agency or official, and specifying a time period for the suspension. Such a suspension may be requested and implemented based on an oral notification for a period of up to thirty (30) days. Such an oral request must be documented, including the identity of the agency or official making the request. The suspension may not be extended beyond thirty (30) days unless a written statement is submitted during that time period.

Requests for Accounting

REQUESTS FOR ACCESS OR COPIES MUST BE MADE IN PERSON. In order to verify the identity of the client, requests for access, accounting of disclosures, or copies must be made in person, and a request submitted in writing. A client must request an accounting of disclosures by completing the Request for Accounting of Disclosures form. This form will also be used to track and respond to the request and will be maintained in the client's chart.

Content of the Accounting

The written accounting of disclosures must meet the following requirements:

- Time Period: The documentation must include disclosures of PHI that occurred during the six (6) years (or such shorter time period as specified in the request) prior to the date of the request.
- Business Associates: The documentation must include disclosures by or to business associates, unless the disclosure falls into the exceptions noted above.
- Written Requirements: The accounting for each disclosure must include:
  1. Date of disclosure;
  2. Name of entity or person who received the PHI, and, if known, the address of such entity or person;
  3. A brief description of the PHI disclosed; and
  4. A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure, or in lieu thereof, a copy of the client's authorization or the request for a disclosure.
- Multiple Disclosures: If multiple disclosures have been made to the same entity or person for a single purpose, or pursuant to a single authorization during the time period for the accounting, the accounting may provide the above information for the first disclosure, and then summarize the frequency, periodicity, or number of disclosures made during the accounting period and the date of the last such disclosure during the accounting period.
- Research Requirements: If, during the time period for the accounting, the entity has made disclosures of PHI for research purposes for 50 or more individuals, the accounting may, with respect to such disclosures in which the PHI about the individual may have been included, provide:
  1. The name of the protocol;
  2. A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting records;
  3. A brief description of the type of PHI that was disclosed;
  4. The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
  5. The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
  6. A statement that the PHI of the client may or may not have been disclosed for a particular protocol or other research activity.

Time Period to Respond

The client's request for an accounting must be acted upon no later than sixty (60) days after receipt, as follows:

- HHSA shall provide the accounting as requested within sixty (60) days; or
- If HHSA is unable to provide the accounting within sixty (60) days, the time for response may be extended by no more than thirty (30) additional days, provided that:
  - Within the first sixty (60) days, the client is given a written statement of the reason for the delay and the date by which the accounting will be provided; and
  - There are no additional extensions of time for response.

Documentation Costs

The first accounting in a twelve (12) month period will be provided to the client without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve (12) month period, provided the client is informed in advance of the fee and is permitted an opportunity to withdraw or amend the request.

Retention Requirements

HHSA must document and retain documentation, in written or electronic format, for a period of six years:

- All information required to be included in an accounting of disclosures of PHI;
- All written accountings provided to clients; and
- Titles of persons or offices responsible for receiving and processing requests for an accounting from individuals.

DEFINITIONS

Protected Health Information (PHI) means individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present, or future payment for health care provided to a client. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Treatment, Payment, and Health Care Operations (TPO) includes all of the following:

- Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.
- Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations, and utilization review.
- Health Care Operations include functions such as quality assessment and improvement activities; reviewing competence and qualifications of health care professionals; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; and general business and administrative activities.

References: 45 CFR
HIPAA 102   Original: 04/25/11   Revised: 02/24/14   Page 1 of 9

HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES

SUBJECT: BREACH NOTIFICATION AND MANDATORY REPORTING

POLICY

Overview

Per federal regulations, Glenn County Health and Human Services Agency (HHSA) is required, under certain circumstances, to notify clients of privacy or security breaches of their unsecured Protected Health Information (PHI) that is collected, stored, and/or maintained by HHSA or one of its Business Associates. In addition, HHSA is required to report certain privacy and security breaches to the Secretary of the U.S. Department of Health and Human Services (DHHS).

HHSA has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

Presumption of a Breach

Unless an exception applies, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless HHSA can demonstrate that there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment. NOTE: It is the burden of HHSA to prove that a breach has not occurred.

Definitions

BREACH means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, which compromises the security or privacy of the PHI. The term breach does not include:

- Any "unintentional" acquisition, access, or use of PHI by a workforce member or individual acting under the authority of HHSA or its Business Associate that is made in good faith, within the course or scope of employment or other professional relationship, and is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
- An "inadvertent" disclosure to another authorized person at HHSA or its Business Associate, where the PHI is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
- A disclosure where HHSA or its Business Associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to "retain" such information.

UNSECURED PHI: HHSA and its Business Associates are responsible for providing the required notification ONLY if the breach involved unsecured PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance by the Secretary of DHHS. The most current guidance can be found on the DHHS website.

Breaches Treated as Discovered

A breach shall be treated as discovered by HHSA as of the first day on which such breach is known to HHSA, or, by exercising reasonable diligence, would have been known to HHSA.

- This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, and even if the breach is not immediately reported to the Privacy Officer.

HHSA shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of HHSA. Discovery of the breach starts the clock on the notification obligation and deadlines described below.

Risk Assessment

The risk assessment shall address at least the following factors:

1. The nature and extent of the PHI involved, including the types of identifiers and likelihood of re-identification.

   To assess this factor, HHSA shall consider the type of PHI involved, such as whether the disclosure involved information of a sensitive nature (e.g., Social Security numbers; information that increases the risk of identity fraud; and clinical information, such as diagnosis, treatment plans, medication, medical history, and test results). Considering the type of information disclosed will allow HHSA to assess the probability that the PHI could be used by an unauthorized user in a manner adverse to the client. In addition, if there are few, if any, direct identifiers in the breached PHI, HHSA may want to determine whether there is a likelihood that the PHI released could be re-identified based on the context and the ability to link the information with other available information.

2. The unauthorized person who used the PHI or to whom the disclosure of PHI was made.

   HHSA shall consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information. For example, if PHI is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a federal agency obligated to comply with comparable regulations, then there may be a lower probability that the PHI has been compromised, since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity. In addition, if the information impermissibly used or disclosed is not immediately identifiable, HHSA may determine whether the unauthorized person who received the PHI has the ability to re-identify the information.

3. Whether the PHI was actually viewed or acquired or, alternatively, if only the opportunity existed for the information to be viewed or acquired.

   For example, if a laptop computer was stolen and later recovered and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, HHSA could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, if HHSA mailed information to the wrong client, who opened the envelope and called HHSA to report the error, the unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error.

4. The extent to which the risk to the PHI has been mitigated.

   HHSA shall attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a written confidentiality agreement or similar means) or that the PHI will be destroyed by the recipient. HHSA shall consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.

HHSA shall ensure that the risk assessment is thorough and completed in good faith, and that the conclusions reached are reasonable. HHSA understands that the risk assessment, if not adequately performed and documented, could provide a basis for costly penalties. If the risk assessment fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required.

Burden of Proof

HHSA bears the burden of proof to demonstrate that:

1. The impermissible use or disclosure did not constitute a breach, and to maintain documentation (e.g., the risk assessment); or
2. All breach notifications were performed as outlined by federal law and outlined in this policy.

PROCEDURES

A. Discovery of a Breach

If an HHSA staff member discovers that there might have been access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, he/she shall immediately notify the Privacy Officer. A supervisor who is notified of a breach shall immediately notify the Privacy Officer.

NOTE: An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless HHSA can demonstrate that there is a low probability that the PHI has been compromised based upon, at minimum, a four-part risk assessment, or unless it falls under an exception.

B. Evaluation of a Breach

1. The Privacy Officer shall conduct an evaluation of every reported breach to determine whether it meets the definition of a breach, or is an exception, as defined above.
2. If the reported incident is determined to meet the definition of a breach, the Privacy Officer and HHSA Director shall then determine if the breach involved unsecured PHI. HHSA is responsible for notifying individuals of a breach only if the breach involved unsecured PHI.
3. If it is determined that the breach involved unsecured PHI, the Privacy Officer shall address the breach through the process detailed in this policy, beginning with Section C below.
4. If it is determined that the breach did not involve unsecured PHI, the Privacy Officer shall prepare written documentation of that determination and retain it for at least six (6) years. Client notification and reporting to DHHS are not required in cases when the breach did not involve unsecured PHI.
5. If the incident is determined to be an exception, as defined above, the Privacy Officer shall prepare written documentation of that determination and retain it for at least six (6) years. Client notification and reporting to DHHS are not required in cases that are determined to be exceptions.

C. Risk Assessment of a Breach

1. If the Privacy Officer, in conference with the HHSA Director, determines that the reported incident meets the definition of a breach and involves unsecured PHI, the Privacy Officer shall conduct a Risk Assessment, utilizing the Breach Assessment form, to determine the level of probability that the PHI has been compromised.
2. If HHSA is able to prove through the risk assessment that there is a low probability that the PHI was compromised, client notification and reporting to DHHS are not required.
   a. The risk assessment and determination must be documented in writing and retained for at least six (6) years.
3. If HHSA fails to prove through the risk assessment that there is a low probability that the PHI was compromised and fails to prove that a breach occurred, the client must be notified and the breach must be reported to DHHS, as outlined below.

D. Client Notification of a Breach

HHSA shall notify the affected clients in the following manner:

1. Notification of the breach must be made to all parties within sixty (60) calendar days after the discovery of the breach. A breach is deemed discovered when an employee or Business Associate, other than the individual committing the breach, knew or should reasonably have known about the breach.
   a. Delay of Notification per Law Enforcement Request: If law enforcement becomes aware of the breach and determines that a notification would impede a criminal investigation or cause damage to national security, notification shall be delayed up to thirty (30) days, unless a written request for a longer delay is received. The request for delay must be documented, identifying the law enforcement agency or official making the request.
2. Notification to the affected client(s) must be made in writing, via first class mail, to the individual's last known address, unless the client has specified a preference for e-mail or other delivery means.
   a. If the client lacks capacity, the personal representative (e.g., parent of a minor) must be notified.
   b. If a client is deceased, his/her next of kin must be notified.
3. If notification is urgent due to possible imminent misuse of the unsecured PHI, HHSA shall notify client(s) by phone or other immediate means, as appropriate. Written notification is required as a follow-up to the phone call.
4. If a client is unreachable, HHSA may utilize an alternate means of communication to reach the affected parties. Examples include phone calls, e-mails, website posting, or the use of the media. HHSA will utilize a method or combination of methods that is most likely to reach the affected individuals.
5. If 10 or more clients are unreachable by mail (due to outdated or insufficient contact information), HHSA must provide notification in one (1) of the following ways:
   - Prominent posting on the homepage of the Glenn County website for at least 90 days; OR
   - Notice in major print or broadcast media, including major media where individuals likely reside, for at least 90 days.
   NOTE: Website and media notifications must include a toll-free number for clients to call to determine if his/her PHI was involved in the breach.

E. Client Notification of a Breach: 500 or More Clients Involved

If a breach affects a large number of clients (500+), HHSA shall notify the affected clients in the following manner:

1. Notification to the affected client(s) must be made in writing, via first class mail, to the individual's last known address, unless the client has specified a preference for e-mail or other delivery means.
   a. If the client lacks capacity, the personal representative (e.g., parent of a minor) must be notified.
   b. If a client is deceased, his/her next of kin must be notified.
2. In addition, HHSA shall place notification in major print or broadcast media, in areas where clients likely reside, for at least 90 days.

F. Content of Notification to Clients

When notifying clients by any of the methods described above, the following information shall be included in the notice:

- Brief description of the issue, including the date of the breach, if known
- Date of discovery of the breach (must be the first day that the breach is known to the Business Associate, or, by exercising reasonable diligence, would have been known to the Business Associate)
- Types of unsecured PHI involved (full name, date of birth, home address, diagnosis, etc.)
- Steps that clients should take to protect themselves from potential harm
- Description of the activities that HHSA is performing to investigate the breach, mitigate harm, and protect against further breaches
- Contact information for clients who have further questions, including a toll-free number, e-mail address, website, or mailing address

G. Mandatory Reporting to the U.S. Department of Health and Human Services (DHHS)

The Secretary of the DHHS must be notified of all reportable breaches of unsecured PHI.

- For a breach involving fewer than 500 clients, DHHS must be notified annually.
  - Breach information must be submitted to the DHHS by March 1 of each year (Feb 29 in leap years) for the previous calendar year.
  - Breach information must be submitted using the following online form:
- For a breach involving 500+ clients, DHHS must be notified immediately.
  - Breach information must be submitted using the following online form:

H. Breaches by Business Associates

Business Associates are directly liable for safeguarding PHI, and for using and disclosing PHI only for purposes outlined in the contract with HHSA and allowed or required by HIPAA. When discovering a reportable breach of unsecured PHI used or maintained by a Business Associate, the Business Associate must notify HHSA within 10 calendar days after discovery of the breach. Notification to HHSA shall include at least the following:

- Brief description of the issue, including the date of the breach, if known
- Date of discovery of the breach (must be the first day that the breach is known to the Business Associate, or, by exercising reasonable diligence, would have been known to the Business Associate)
- Types of unsecured PHI involved (full name, date of birth, home address, diagnosis, etc.)
o Steps that clients should take to protect his/herself from potential harm o Description of the activities that the Business Associate is performing to investigate the breach, mitigate harm, and protect against further breaches NOTE: Unless it is specified in the Business Associate Agreement that the Business Associate is responsible for notifying clients, it is assumed that HHSA will notify clients who are affected by the breach. HIPAA 102-Breach Notification and Mandatory Reporting 7 *16*
I. Documentation of Breaches
The Privacy Officer shall maintain a Breach Assessment file, which contains the following:
o Brief description of each breach, including the date of the breach, if known
o Date of discovery of the breach (must be the first day that the breach is known to HHSA, or, by exercising reasonable diligence, would have been known to HHSA)
o The name of the reporting individual (if known)
o Types of PHI involved (full name, date of birth, home address, diagnosis, etc.)
o Determination of the evaluation of the breach (i.e., was the issue determined to be a breach or an exception? Was the PHI considered unsecured?)
o Risk assessment of the breach
o Proof that a) no breach occurred, or b) notification of the breach to clients and the DHHS, if required, was completed.
Documentation related to breaches must be maintained for a period of at least six (6) years.
DEFINITIONS
Breach means the unauthorized acquisition, access, use, or disclosure of PHI in a manner that is not permitted by the HIPAA Privacy Rule and which compromises the security or privacy of the client. The term breach does not include:
- Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of HHSA or an HHSA Business Associate, if the acquisition, access, or use was made in good faith and within the course and scope of the authority, and the PHI is not further acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule.
- Any inadvertent disclosure by a person who is authorized to access PHI at HHSA or an HHSA Business Associate to another person who is authorized to access PHI at HHSA or the same Business Associate, where the PHI is not further acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule.
Business Associate means a person or entity who, on behalf of HHSA, and other than in the capacity of a workforce member:
- performs or assists in the performance of a function or activity that involves the use or disclosure of Protected Health Information (PHI); or
- provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
Protected Health Information (PHI) means individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for health care provided to a client. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.
Re-identification is the process by which anonymous personal data is matched with its true owner.
Unsecured Protected Health Information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance by the Secretary of the U.S. Department of Health and Human Services.
Reference: 45 CFR Subpart D.
Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations
More informationRUTGERS POLICY. Responsible Office: RBHS Office of Ethics, Compliance & Corporate Integrity
RUTGERS POLICY Section: 100.1.3 Section Title: HIPAA Policies Policy Name: Accounting Disclosures of Health Information Formerly Book: 00-01-15-20:00 Approval Authority: RBHS Chancellor Responsible Executive:
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE
More information