GLENN COUNTY HEALTH AND HUMAN SERVICES AGENCY. HIPAA Policies and Procedures 06/30/2014


Glenn County Health and Human Services Agency HIPAA Policies and Procedures

TABLE OF CONTENTS

HIPAA Policy Number and Name

100: Administrative, Technical, and Physical Safeguards
Accounting of Disclosures of PHI
Breach Notification and Mandatory Reporting
Business Associates
Disclosure of Proof of Child Immunization
Disclosures of PHI to Family, Friends, and Personal Representatives
Sale of PHI
Use and Disclosure of PHI for Fundraising and Marketing
Uses and Disclosures of PHI after Client Death
Uses and Disclosures of Substance Abuse Records
Psychotherapy Notes
Uses and Disclosures of PHI Requiring Written Authorization
Uses and Disclosures of PHI Not Requiring Authorization
Disposal of PHI
ePHI Authorization & Access Controls for Workforce
Computer, Electronic Mail, and Internet Usage related to PHI
De-Identification of PHI
Printing, Copying, and Faxing PHI
Minimum Necessary
Use of Notice of Privacy Practices
Monitoring HIPAA Compliance
Non-Retaliation regarding Filing a Report of HIPAA Violation
Password Management
Laptops and Other Portable Devices
Individuals' Rights related to PHI
HIPAA Training Plan
Enforcement and Sanctions
Security Management Process
Security Standards and Requirements
Termination
Transportation of PHI
Uses and Disclosures of PHI for Research
Verification of Identity (page 108)

HIPAA 100 Original: 01/01/03 Revised: 02/24/14 Page 1 of 5
HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES
SUBJECT: ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS

POLICY

Glenn County Health and Human Services Agency (HHSA) will take reasonable steps to safeguard information from any intentional or unintentional use or disclosure that violates the privacy policies. HIPAA specifies administrative, technical, and physical safeguards that must be implemented in order to safeguard PHI. Information to be safeguarded may be in any medium, including paper, electronic, verbal, and visual representations of confidential information.

HHSA has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

PROCEDURES

I. Administrative Safeguards

Implementation of Role-Based Access and the Glenn HIPAA Minimum Necessary Standard policy will promote administrative safeguards. Development and implementation of county-wide security policies will also enhance administrative safeguards.

Role-Based Access

Roles will be created and defined based on the confidential information HHSA owns, where it is located, how it is used, and why. A determination of who should have access to the specific data will be established. HHSA deputy directors, managers, and supervisors will decide the role of each of their staff and request exceptions based on the needs of their office. Managers are responsible for allowing access to enough information for their staff to do their jobs while holding to the minimum necessary standard.

Minimum Necessary

HHSA staff will make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. HHSA staff will not use, disclose, or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. For more information on the Minimum Necessary Standard, please see the Glenn HIPAA Minimum Necessary Standard policy.

II. Technical Safeguards

Electronic Controls

HHSA shall implement safeguards to limit access to electronic PHI through at least the following controls:

a) All HHSA employees who have access to electronic PHI must have a unique password to allow access to the HHSA computer network. HHSA employees are responsible for guarding this password from misuse by others. HHSA employees who write their password on paper will keep it only in a locked drawer or cabinet so others do not inadvertently learn it.
b) If PHI is to be stored on the hard disk drive or other internal components of a personal computer or other electronic storage device, it must be protected by either a password or encryption. Unless encrypted, this media must be secured from unauthorized access when not in use.
c) If PHI is stored on CDs, DVDs, flash drives, or other removable data storage media, the PHI cannot be saved on storage devices that contain other electronic software or data.
d) PHI stored in medical equipment (e.g., EKG, Ultrasound, Flexsing machines) must be kept secure and disposed of according to the Glenn HIPAA Disposal of PHI policy.

For more information regarding PHI and electronic media, please see the Glenn HIPAA Computer, Electronic Mail, and Internet policy.

III. Physical Safeguards

PAPER CONTROLS

HHSA staff must be aware of the risks regarding paper documents and how they are used and handled. Staff will take all necessary precautions to safeguard confidential information, including limiting access to paper documents containing confidential information to the minimum necessary.

All HHSA fax machines will be cleared of PHI regularly throughout the day and at the end of each day. All PHI that is printed by an HHSA employee will be removed from the printer in a timely manner to avoid inadvertent disclosures.

Storage of Paper PHI

HHSA staff will store files and documents that are covered under the privacy policies in locking filing cabinets, drawers, or storage systems. Outside of regular working hours, HHSA personnel will ensure that materials containing PHI are properly secured in locking cabinets or drawers. Desks, file rooms, and/or open-area storage systems must be locked.

Disposal of Paper PHI

HHSA staff will ensure that files and documents awaiting disposal or destruction in desk-site containers, storage rooms, or centralized waste/shred bins are appropriately labeled and are disposed of on a regular basis. Reasonable measures will be taken to minimize access, as follows:

- Desk-site containers: Staff will ensure that confidential information awaiting disposal is stored in containers that are appropriately labeled and are properly disposed of on a regular basis.
- Storage rooms containing confidential information awaiting disposal: Each HHSA workplace will ensure that storage rooms are locked after business hours or when authorized staff are not present.
- Centralized waste/shred bins: Each HHSA workplace will ensure that all centralized bins or containers for disposed confidential information are clearly labeled confidential, sealed, and locked.
- Each HHSA workplace that does not have locked storage rooms or centralized waste/shred bins must implement reasonable procedures to minimize access to confidential information.
- HHSA staff will ensure that shredding of files and documents is performed on a timely basis, consistent with record retention requirements.
- Outside Contractors: HHSA must ensure that any such entity is under a written contract that requires safeguarding of confidential information throughout the destruction process.

For more information on the appropriate disposal of PHI, please see the Glenn HIPAA Disposal of PHI policy.

VERBAL CONTROLS

HHSA staff will take reasonable steps to protect the privacy of all verbal exchanges or discussions of confidential information, regardless of where the discussion occurs. Staff will be aware of risk levels, as follows:

- Low Risk: interview rooms, enclosed offices, and conference rooms.
- Medium Risk: employee-only areas, telephone, and individual cubicles.
- High Risk: public areas, reception areas, and shared cubicles housing multiple staff where clients are routinely present.

Each department shall make enclosed offices and/or interview rooms available for the verbal exchange of confidential information.

Exception: In work environments housing few offices or closed rooms, uses or disclosures that are incidental to an otherwise permitted use or disclosure could occur. Such incidental uses or disclosures are not considered a violation provided that HHSA has met the reasonable safeguards and minimum necessary requirements.

When PHI is being released through teleconference or video feed, HHSA personnel must treat the protection of PHI in the same manner as PHI recorded on paper, limiting access to the teleconference or video to authorized personnel only. Each department must foster employee awareness of the potential for inadvertent verbal disclosure of confidential information.

VISUAL CONTROLS

HHSA staff will ensure that observable confidential information is adequately shielded from unauthorized disclosure on computer screens and paper documents.

Computers

Each department must ensure that confidential information on computer screens is not visible to unauthorized persons. Suggested means for ensuring this protection include:

- Use of polarized screens or other computer screen overlay devices that shield information on the screen from persons other than the authorized user;
- Placement of computers out of the visual range of persons other than the authorized user;
- Clearing information from the screen when it is not actually being used;
- Minimizing active windows when not in use;
- Any electronic media being discarded or replaced (including hard drives in workstations) shall be written over, degaussed, or irrevocably destroyed to ensure proper erasure of confidential or proprietary data;
- Users shall secure media (such as hard copy, diskettes, etc.) which contain confidential information in a locked desk, cabinet, drawer, etc.;
- Other effective means as available, including but not limited to screen savers and password-protected screen savers.

For more information on workstations, please see the Glenn HIPAA Workstation policy.

Printing and Copying of Paper PHI

For more information regarding printing and copying of PHI, please see the Glenn HIPAA Printing and Copying of PHI policy.

ENFORCEMENT

An employee or team member learning of violations of this policy should notify his/her supervisor as soon as possible. Staff are responsible for adhering to this policy. Individuals who violate this policy will be subject to the appropriate and applicable disciplinary process, up to and including termination or dismissal.

References: 45 CFR

HIPAA 101 Original: 01/14/03 Revised: 02/24/14 Page 1 of 4
HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES
SUBJECT: ACCOUNTING OF DISCLOSURES OF PROTECTED HEALTH INFORMATION

POLICY

Disclosures of Protected Health Information (PHI) must be documented. This policy outlines the requirements and procedures for documenting disclosures of PHI. Glenn County Health and Human Services Agency (HHSA) has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

PROCEDURES

A client has a right to receive an accounting of disclosures of PHI by HHSA during a specified time period of up to six (6) years prior to the date of the request for an accounting, except for disclosures:

- To carry out treatment, payment, or health care operations, as permitted under law;
- To the client about his or her own information;
- To persons involved in the client's care or for other notification purposes permitted under law;
- Pursuant to the client's authorization;
- For national security or intelligence purposes;
- To correctional institutions or law enforcement officials as permitted under law;
- As part of a limited data set;
- That occurred prior to April 14.

Note: The client's right to receive an accounting of disclosures of PHI to a health oversight agency or law enforcement official may be suspended for the time period specified by the agency or official, if the agency or official provides a written statement asserting that providing an accounting would be reasonably likely to impede the activities of the agency or official, and specifying a time period for the suspension. Such a suspension may be requested and implemented based on an oral notification for a period of up to thirty (30) days. Such an oral request must be documented, including the identity of the agency or official making the request. The suspension may not be extended beyond thirty (30) days unless a written statement is submitted during that time period.

Requests for Accounting

REQUESTS FOR ACCESS OR COPIES MUST BE MADE IN PERSON. In order to verify the identity of the client, requests for access, accounting of disclosures, or copies must be made in person, and a request submitted in writing. A client must request an accounting of disclosures by completing the Request for Accounting of Disclosures form. This form will also be used to track and respond to the request and will be maintained in the client's chart.

Content of the Accounting

The written accounting of disclosures must meet the following requirements:

Time Period
  o The documentation must include disclosures of PHI that occurred during the six (6) years (or such shorter time period as specified in the request) prior to the date of the request.

Business Associates
  o The documentation must include disclosures by or to business associates, unless the disclosure falls into the exceptions noted above.

Written Requirements
  o The accounting for each disclosure must include:
    1. Date of disclosure;
    2. Name of the entity or person who received the PHI and, if known, the address of such entity or person;
    3. A brief description of the PHI disclosed; and
    4. A brief statement of the purpose of the disclosure that reasonably informs the client of the basis for the disclosure or, in lieu thereof, a copy of the client's authorization or the request for a disclosure.

Multiple Disclosures
  o If multiple disclosures have been made to the same entity or person for a single purpose, or pursuant to a single authorization, during the time period for the accounting, the accounting may provide the above information for the first disclosure and then summarize the frequency, periodicity, or number of disclosures made during the accounting period and the date of the last such disclosure during the accounting period.

Research Requirements
  o If, during the time period for the accounting, the entity has made disclosures of PHI for research purposes for 50 or more individuals, the accounting may, with respect to such disclosures in which the PHI about the individual may have been included, provide:
    1. The name of the protocol;
    2. A description, in plain language, of the research protocol or other research activity, including the purpose of the research and the criteria for selecting records;
    3. A brief description of the type of PHI that was disclosed;
    4. The date or period of time during which such disclosures occurred, or may have occurred, including the date of the last such disclosure during the accounting period;
    5. The name, address, and telephone number of the entity that sponsored the research and of the researcher to whom the information was disclosed; and
    6. A statement that the PHI of the client may or may not have been disclosed for a particular protocol or other research activity.

Time Period to Respond

The client's request for an accounting must be acted upon no later than sixty (60) days after receipt, as follows:

- HHSA shall provide the accounting as requested within sixty (60) days; or
- If HHSA is unable to provide the accounting within sixty (60) days, the time for response may be extended by no more than thirty (30) additional days, provided that:
  o Within the first sixty (60) days, the client is given a written statement of the reason for the delay and the date by which the accounting will be provided; and
  o There are no additional extensions of time for response.

Documentation Costs

The first accounting in a twelve (12) month period will be provided to the client without charge. A reasonable, cost-based fee may be charged for additional accountings within the twelve (12) month period, provided the client is informed in advance of the fee and is permitted an opportunity to withdraw or amend the request.

Retention Requirements

HHSA must document and retain documentation, in written or electronic format, for a period of six years:

- All information required to be included in an accounting of disclosures of PHI;
- All written accountings provided to clients; and
- Titles of persons or offices responsible for receiving and processing requests for an accounting from individuals.

DEFINITIONS

Protected Health Information (PHI) means individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for health care provided to a client. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual.

Treatment, Payment, and Health Care Operations (TPO) includes all of the following:

- Treatment means the provision, coordination, or management of health care and related services, consultation between providers relating to an individual, or referral of an individual to another provider for health care.
- Payment means activities undertaken to obtain or provide reimbursement for health care, including determinations of eligibility or coverage, billing, collection activities, medical necessity determinations, and utilization review.
- Health Care Operations include functions such as quality assessment and improvement activities; reviewing competence and qualifications of health care professionals; conducting or arranging for medical review, legal services, and auditing functions; business planning and development; and general business and administrative activities.

References: 45 CFR

HIPAA 102 Original: 04/25/11 Revised: 02/24/14 Page 1 of 9
HEALTH AND HUMAN SERVICES AGENCY HIPAA POLICY/PROCEDURES
SUBJECT: BREACH NOTIFICATION AND MANDATORY REPORTING

POLICY

Overview

Per federal regulations, Glenn County Health and Human Services Agency (HHSA) is required, under certain circumstances, to notify clients of privacy or security breaches of their unsecured Protected Health Information (PHI) that is collected, stored, and/or maintained by HHSA or one of its Business Associates. In addition, HHSA is required to report certain privacy and security breaches to the Secretary of the U.S. Department of Health and Human Services (DHHS). HHSA has adopted this policy to comply with HIPAA, HITECH, and all other state and federal laws pertaining to the privacy, security, and release of protected health information, and to protect the confidentiality and integrity of confidential medical information as required by law, professional ethics, and accreditation requirements.

Presumption of a Breach

Unless an exception applies, an impermissible use or disclosure of unsecured PHI is presumed to be a breach unless HHSA can demonstrate that there is a low probability that the PHI has been compromised, based upon, at minimum, a four-part risk assessment. NOTE: The burden is on HHSA to prove that a breach has not occurred.

Definitions

BREACH means the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI. The term breach does not include:

- Any "unintentional" acquisition, access, or use of PHI by a workforce member or individual acting under the authority of HHSA or its Business Associate that is made in good faith, within the course or scope of employment or other professional relationship, and is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
- An "inadvertent" disclosure to another authorized person at HHSA or its Business Associate, where the PHI is not further used or disclosed in an unlawful manner under the HIPAA Privacy Rule.
- A disclosure where HHSA or its Business Associate had a good-faith belief that the unauthorized person to whom the information was disclosed would not reasonably be able to "retain" such information.

UNSECURED PHI: HHSA and its Business Associates are responsible for providing the required notification ONLY if the breach involved unsecured PHI. Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance by the Secretary of DHHS. The most current guidance can be found on the DHHS website.

Breaches Treated as Discovered

A breach shall be treated as discovered by HHSA as of the first day on which such breach is known to HHSA or, by exercising reasonable diligence, would have been known to HHSA.
  o This standard is met if even one workforce member knows of the breach or would know of it by exercising reasonable diligence, even if the breach is not immediately reported to the Privacy Officer.

HHSA shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of HHSA. Discovery of the breach starts the clock on the notification obligations and deadlines described below.

Risk Assessment

The risk assessment shall address at least the following factors:

1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
   To assess this factor, HHSA shall consider the type of PHI involved, such as whether the disclosure involved information of a sensitive nature (e.g., Social Security numbers; information that increases the risk of identity fraud; and clinical information such as diagnosis, treatment plans, medication, medical history, and test results). Considering the type of information disclosed will allow HHSA to assess the probability that the PHI could be used by an unauthorized user in a manner adverse to the client. In addition, if there are few, if any, direct identifiers in the breached PHI, HHSA may want to determine whether there is a likelihood that the PHI released could be re-identified based on the context and the ability to link the information with other available information.

2. The unauthorized person who used the PHI or to whom the disclosure of PHI was made.
   HHSA shall consider whether the unauthorized person who received the information has obligations to protect the privacy and security of the information.
   o For example, if PHI is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules, or to a federal agency obligated to comply with comparable regulations, there may be a lower probability that the PHI has been compromised, since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity.
   In addition, if the information impermissibly used or disclosed is not immediately identifiable, HHSA may determine whether the unauthorized person who received the PHI has the ability to re-identify the information.

3. Whether the PHI was actually viewed or acquired or, alternatively, whether only the opportunity existed for the information to be viewed or acquired.
   For example, if a laptop computer was stolen and later recovered, and a forensic analysis shows that the PHI on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, HHSA could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, if HHSA mailed information to the wrong client, who opened the envelope and called HHSA to report the error, the unauthorized recipient viewed and acquired the information, because she opened and read the information to the extent that she recognized it was mailed to her in error.

4. The extent to which the risk to the PHI has been mitigated.
   HHSA shall attempt to mitigate the risks to the PHI following any impermissible use or disclosure, such as by obtaining the recipient's satisfactory assurances that the information will not be further used or disclosed (through a written confidentiality agreement or similar means) or that the PHI will be destroyed by the recipient. HHSA shall consider the extent and efficacy of the mitigation when determining the probability that the PHI has been compromised.

HHSA shall ensure that the risk assessment is thorough and completed in good faith, and that the conclusions reached are reasonable. HHSA understands that the risk assessment, if not adequately performed and documented, could provide a basis for costly penalties. If the risk assessment fails to demonstrate that there is a low probability that the PHI has been compromised, breach notification is required.

Burden of Proof

HHSA bears the burden of proof to demonstrate that:

1. The impermissible use or disclosure did not constitute a breach, and to maintain documentation (e.g., the risk assessment); or
2. All breach notifications were performed as outlined by federal law and in this policy.

PROCEDURES

A. Discovery of a Breach

If an HHSA staff member discovers that there might have been access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule, he/she shall immediately notify the Privacy Officer. A supervisor who is notified of a breach shall immediately notify the Privacy Officer.

NOTE: An impermissible use or disclosure of unsecured PHI is presumed to be a breach unless HHSA can demonstrate that there is a low probability that the PHI has been compromised, based upon, at minimum, a four-part risk assessment, or unless it falls under an exception.

B. Evaluation of a Breach

1. The Privacy Officer shall conduct an evaluation of every reported breach to determine whether it meets the definition of a breach or is an exception, as defined above.
2. If the reported incident is determined to meet the definition of a breach, the Privacy Officer and HHSA Director shall then determine whether the breach involved unsecured PHI. HHSA is responsible for notifying individuals of a breach only if the breach involved unsecured PHI.
3. If it is determined that the breach involved unsecured PHI, the Privacy Officer shall address the breach through the process detailed in this policy, beginning with Section C below.
4. If it is determined that the breach did not involve unsecured PHI, the Privacy Officer shall prepare written documentation of that determination and retain it for at least six (6) years. Client notification and reporting to DHHS are not required in cases where the breach did not involve unsecured PHI.
5. If the incident is determined to be an exception, as defined above, the Privacy Officer shall prepare written documentation of that determination and retain it for at least six (6) years. Client notification and reporting to DHHS are not required in cases that are determined to be exceptions.

C. Risk Assessment of a Breach

1. If the Privacy Officer, in conference with the HHSA Director, determines that the reported incident meets the definition of a breach and involves unsecured PHI, the Privacy Officer shall conduct a Risk Assessment, utilizing the Breach Assessment form, to determine the level of probability that the PHI has been compromised.
2. If HHSA is able to prove through the risk assessment that there is a low probability that the PHI was compromised, client notification and reporting to DHHS are not required.
   a. The risk assessment and determination must be documented in writing and retained for at least six (6) years.
3. If HHSA fails to prove through the risk assessment that there is a low probability that the PHI was compromised, and fails to prove that a breach did not occur, the client must be notified and the breach must be reported to DHHS, as outlined below.

D. Client Notification of a Breach

HHSA shall notify the affected clients in the following manner:

1. Notification of the breach must be made to all parties within sixty (60) calendar days after the discovery of the breach. A breach is deemed discovered when an employee or Business Associate, other than the individual committing the breach, knew or should reasonably have known about the breach.
   a. Delay of Notification per Law Enforcement Request: If law enforcement becomes aware of the breach and determines that a notification would impede a criminal investigation or cause damage to national security, notification shall be delayed up to thirty (30) days, unless a written request for a longer delay is received. The request for delay must be documented, identifying the law enforcement agency or official making the request.
2. Notification to the affected client(s) must be made in writing, via first class mail, to the individual's last known address, unless the client has specified a preference for e-mail or other delivery means.
   a. If the client lacks capacity, the personal representative (e.g., parent of a minor) must be notified.
   b. If a client is deceased, his/her next of kin must be notified.
3. If notification is urgent due to possible imminent misuse of the unsecured PHI, HHSA shall notify client(s) by phone or other immediate means, as appropriate. Written notification is required as a follow-up to the phone call.
4. If a client is unreachable, HHSA may utilize an alternate means of communication to reach the affected parties. Examples include phone calls, e-mails, website postings, or the use of the media. HHSA will utilize the method or combination of methods that is most likely to reach the affected individuals.
5. If 10 or more clients are unreachable by mail (due to outdated or insufficient contact information), HHSA must provide notification in one (1) of the following ways:
   - Prominent posting on the homepage of the Glenn County website for at least 90 days; OR
   - Notice in major print or broadcast media, including major media where individuals likely reside, for at least 90 days.
   NOTE: Website and media notifications must include a toll-free number for clients to call to determine if his/her PHI was involved in the breach.

E. Client Notification of a Breach: 500 or More Clients Involved

If a breach affects a large number of clients (500+), HHSA shall notify the affected clients in the following manner:

1. Notification to the affected client(s) must be made in writing, via first class mail, to the individual's last known address, unless the client has specified a preference for e-mail or other delivery means.
   a. If the client lacks capacity, the personal representative (e.g., parent of a minor) must be notified.
   b. If a client is deceased, his/her next of kin must be notified.
2. In addition, HHSA shall place notification in major print or broadcast media, in areas where clients likely reside, for at least 90 days.

F. Content of Notification to Clients

When notifying clients by any of the methods described above, the following information shall be included in the notice:

- Brief description of the issue, including the date of the breach, if known
- Date of discovery of the breach (must be the first day that the breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate)
- Types of unsecured PHI involved (full name, date of birth, home address, diagnosis, etc.)
- Steps that clients should take to protect themselves from potential harm
- Description of the activities that HHSA is performing to investigate the breach, mitigate harm, and protect against further breaches
- Contact information for clients who have further questions, including a toll-free number, e-mail address, website, or mailing address

G. Mandatory Reporting to the U.S. Department of Health and Human Services (DHHS)

The Secretary of the DHHS must be notified of all reportable breaches of unsecured PHI.

- For a breach involving fewer than 500 clients, DHHS must be notified annually.
  o Breach information must be submitted to the DHHS by March 1 of each year (Feb 29 in leap years) for the previous calendar year.
  o Breach information must be submitted using the following online form:
- For a breach involving 500+ clients, DHHS must be notified immediately.
  o Breach information must be submitted using the following online form:

H. Breaches by Business Associates

Business Associates are directly liable for safeguarding PHI, and for using and disclosing PHI only for purposes outlined in the contract with HHSA and allowed or required by HIPAA. When discovering a reportable breach of unsecured PHI used or maintained by a Business Associate, the Business Associate must notify HHSA within 10 calendar days after discovery of the breach. Notification to HHSA shall include at least the following:

  o Brief description of the issue, including the date of the breach, if known
  o Date of discovery of the breach (must be the first day that the breach is known to the Business Associate or, by exercising reasonable diligence, would have been known to the Business Associate)
  o Types of unsecured PHI involved (full name, date of birth, home address, diagnosis, etc.)
o Steps that clients should take to protect his/herself from potential harm o Description of the activities that the Business Associate is performing to investigate the breach, mitigate harm, and protect against further breaches NOTE: Unless it is specified in the Business Associate Agreement that the Business Associate is responsible for notifying clients, it is assumed that HHSA will notify clients who are affected by the breach. HIPAA 102-Breach Notification and Mandatory Reporting 7 *16*

19 I. Documentation of Breaches HIPAA 102 Original: 04/25/11 Revised: 02/24/14 Page 8 of 9 The Privacy Officer shall maintain a Breach Assessment file, which contains the following: o Brief description of each breach, including the date of the breach, if known o Date of discovery of the breach (must be the first day that the breach is known to HHSA, or, by exercising reasonable diligence, would have been known to the HHSA) o The name of reporting individual (if known) o Types of PHI involved (full name, date of birth, home address, diagnosis, etc.) o Determination of the evaluation of the breach (i.e., was the issue determined to be a breach or an exception? Was the PHI considered unsecured?) o Risk assessment of the breach o Proof that a) no breach occurred, or b) notification of the breach to clients and the DHHS, if required, were completed. Documentation related to breaches must be maintained for a period of at least six (6) years. DEFINITIONS Breach means the unauthorized acquisition, access, use, or disclosure of PHI in a manner that is not permitted by the HIPAA Privacy Rule which compromises the security or privacy of the client. The term breach does not include: Any unintentional acquisition, access, or use of PHI by an employee or individual acting under the authority of HHSA or an HHSA Business Associate, if the acquisition, access, or use was made in good faith and within the course and scope of the authority; and is not further acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule. Any inadvertent disclosure by a person who is authorized to access PHI at HHSA or an HHSA Business Associate to another person who is authorized to access PHI at HHSA or the same Business Associate; and is not further acquired, accessed, used or disclosed in a manner not permitted by the Privacy Rule. 
Business Associate means a person or entity who, on behalf of HHSA, and other than in the capacity of a workforce member: performs or assists in the performance of a function or activity that involves the use or disclosure of Protected Health Information (PHI), or; provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. Protected Health Information (PHI) means individually identifiable information relating to the past, present, or future physical or mental health or condition of an individual, provision of health care to an individual, or the past, present, or future payment for health care provided to an client. Information is considered PHI where there is a reasonable basis to believe the information can be used to identify an individual. HIPAA 102-Breach Notification and Mandatory Reporting 8 *17*

20 HIPAA 102 Original: 04/25/11 Revised: 02/24/14 Page 9 of 9 Re-identification is the process by which anonymous personal data is matched with its true owner. Unsecured Protected Health Information is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified in guidance by the Secretary of the U.S. Department of Health and Human Services. Reference: 45 CFR Subpart D. HIPAA 102-Breach Notification and Mandatory Reporting 9 *18*

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Name of Policy: Policy Number: Department: Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Approving Officer: Interim

More information

Identity Theft Prevention and Security Breach Notification Policy. Purpose:

Identity Theft Prevention and Security Breach Notification Policy. Purpose: Identity Theft Prevention and Security Breach Notification Policy Purpose: Lahey Clinic is committed to protecting the privacy of the Personal Health Information ( PHI ) of our patients and the Personal

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT Please complete the following and return signed via Fax: 919-785-1205 via Mail: Aesthetic & Reconstructive Plastic Surgery, PLLC 2304 Wesvill Court Suite 360 Raleigh, NC 27607

More information

HIPAA Training for Staff and Volunteers

HIPAA Training for Staff and Volunteers HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help

More information

Responding to HIPAA Breaches

Responding to HIPAA Breaches Responding to HIPAA Breaches 11/06/2015 by Kim Stanger HIPAA privacy and security breaches can result in fines of $100 to $50,000 to covered entities (including healthcare providers and health plans) and

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)

OFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract

More information