HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc.

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "HIPAA. Privacy and Security Frequently Asked Questions for Employers. Gallagher Benefit Services, Inc."

Transcription

1 2013 HIPAA Privacy and Security Frequently Asked Questions for Employers Gallagher Benefit Services, Inc.

2 Disclaimer We share this information with our clients and friends for general informational purposes only. It does not necessarily address all of your specific issues. It should not be construed as, nor is it intended to provide, legal advice. Questions regarding specific issues and application of these rules to your plans should be addressed by your legal counsel. This set of FAQs is intended to be used in conjunction with the HIPAA: Privacy and Security Executive Summary. It is intended to cover and/or is focused on HIPAA as it applies to our clients not as it applies to GBS as a Business Associate. Please refer to BOSS standards is you have questions regarding GBS responsibilities as a Business Associate.

3 General Does HIPAA protect all personal information or only personal health information? Who must comply with HIPAA? Who is a covered entity? Who are business associates?... 2 Covered Entity Since business associates are governed by HIPAA is it necessary for a covered entity to have a contract with its business associates? Is a covered entity liable for, or required to monitor, the actions of its business associates? If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate s compliance? Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? Are all health plans considered covered entities and therefore subject to HIPAA? Is a health care flexible spending account a covered entity for purposes of the Privacy Rule? Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI? Is a group health plan sponsor a covered entity under HIPAA? If an employer that offers a fully insured group health plan is the fully insured group health plan subject to all of the Privacy Rule provisions?... 6 Business Associates Is an entity that is acting as a third party administrator to a group health plan a covered entity? May a covered entity share PHI directly with another covered entity's business associate? Is a health insurance company, service organization such as Blue Cross or HMO that provides health insurance to a group health plan a business associate of the group health plan? Is a physician or other health care provider a business associate of a health plan or other payer? Is a reinsurer or stop loss carrier a business associate of a health plan? Is a software vendor a business associate of a covered entity? Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result - such as in the case of janitorial services?... 7

4 21. Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements? Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices? If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?... 8 Permitted and Required Disclosures of PHI When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI? When is a covered entity such as a group health plan permitted to disclose PHI? What actions must a plan sponsor take regarding permitted uses and disclosures? Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstance?... 9 Minimum Necessary Standard Does the minimum necessary standard apply to all uses and disclosures? Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary? How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose? Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity? Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosure that are authorized by an individual? Individual rights with respect to their own PHI Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI? Does the right to access PHI provide an individual with unlimited ability to access his or her PHI? Does the individual have the right to request that his or her PHI be amended? Must a group health plan agree to an individual s request to restrict uses and disclosure of the individual s PHI? Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual s PHI from the very first disclosure through the date of the request?... 13

5 38. Must a group health plan accommodate all requests to communicate with an individual in a confidential manner? Authorization to use and access PHI May a covered entity disclose PHI specified in an authorization, even if that information was created after the authorization was signed? Must an authorization include an expiration date? Personal representative and minors Must the authorization to use, access or disclose PHI, when required, come from the individual whose PHI is sought to be used, accessed or disclosed, or can the authorization come from the employee or the individual s personal representative? Can the personal representative of an adult or emancipated minor obtain access to the individual's PHI? Does the HIPAA Privacy Rule allow parents the right to see their children s PHI? When an individual reaches the age of majority or becomes emancipated, who controls the PHI concerning health care services rendered while the individual was an unemancipated minor? Incidental Disclosures Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule, in an accounting of disclosures provided to an individual? Is a covered entity required to prevent all incidental uses or disclosures of PHI? Workers Compensation If a State law says that a covered entity may disclose records, relating to the treatment provided to an injured worker, to a workers' compensation insurer for purposes of determining the amount of or entitlement to payment under the workers' compensation system is the covered entity permitted to disclose this information under the HIPAA Privacy Rule? Notice of Privacy Practices Is it sufficient to provide a new enrollee with a notice of privacy practices only upon enrollment? Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices? Are covered entities permitted to give individuals a layered notice? Are group health plans required to make a good faith effort to obtain from their enrollees a written acknowledgement of receipt of the notice? Does a group health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?... 16

6 53. Is a group health plan required to periodically notify enrollees about the availability, and how to obtain a copy, of its Notice of Privacy Practices? Security Rule Why is the purpose of the HIPAA Security Rule? Who is required to comply with the Security Rule? Does the Security Rule apply to written and oral communications? Do the standards of the Security Rule require use of specific technologies? What is a security standard? What is an implementation specification? What is the difference between addressable and required implementation specifications in the Security Rule? What does the Security Rule mean by administrative safeguards? What does the Security Rule mean by physical safeguards? What does the Security Rule mean by technical safeguards? Is the use of encryption mandatory in the Security Rule? What is encryption? Do the Security Rule requirements for access control, such as automatic logoff, apply to employees who telecommute or have home-based offices if the employees have access to electronic PHI (e-phi)? Does the Security Rule allow for sending electronic PHI (e-phi) in an or over the Internet? If so, what protections must be applied? Under the Security Rule, must plan sponsors report security incidents to the group health plan? If so, what types of incidents must be reported and what level of detail is required? Are we required to certify our organization s compliance with the standards of the Security Rule? How does a covered entity know if it is compliant with the Security Rule s requirements? Does the Security Rule allow a covered entity to network computers - i.e., connect two computer systems, either within the covered entity, or between two covered entities or between a covered entity and its business associate(s) so that they can exchange information directly? Disposal of PHI and Media Containing PHI What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of PHI?... 20

7 73. May a covered entity dispose of PHI in dumpsters accessible by unauthorized individuals or by the public? May a covered entity hire a business associate to dispose of PHI? May a covered entity reuse or dispose of computers or other electronic media that store electronic PHI? Breaches Do all impermissible uses and disclosures of PHI constitute a breach? In the event of an impermissible use or disclosure of PHI, what should I, as a covered entity do to make the appropriate determination of whether a breach did in fact occur? How can PHI be secured? If a covered entity experiences a breach of unsecured PHI, who must be notified? If a covered entity does experience a breach, when will it be required to notify affected individuals and what information must be contained in the notification? Other than notifying affected individuals that their PHI may have been involved in a breach, does a covered entity need to notify governmental authorities or local media outlets? Preemption of State Law When is a State law "contrary" to the HIPAA Privacy or Security Rule? When is a State law "more stringent" than the HIPAA Privacy or Security Rule? A State law provides greater privacy protections on patients HIV information than the HIPAA Privacy Rule. Is this more protective State law preempted by the Privacy Rule? Penalties for HIPAA violations Compliance for all these requirements appears daunting, what could happen if a covered entity does not make a good faith effort to comply?... 25

8 General 1. Does HIPAA protect all personal information or only personal health information? Actually, neither. HIPAA only covers protected health information (PHI). PHI is all "individually identifiable health information" in any form or media, electronic or non-electronic that is held or transmitted by a covered entity such as a group health plan, including oral communication. PHI includes electronic PHI (ephi), which is PHI that is transmitted or maintained in electronic media. The Security Rule specifically relates to ephi. The Privacy Rule and Breach Notification requirements apply to all PHI. "Individually identifiable health information" is information, including demographic data, created or received by a health care provider, health plan, or health care clearinghouse, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for health care to an individual, and that identifies an individual (or could reasonably be used to identify an individual). If information is "de-identified," then it is not PHI and not covered by the HIPAA Privacy and Security Rules. De-identified information is that which does not identify any individual and for which there is no reasonable basis to believe that the information can be used to identify an individual. In order to be deidentified the following specific data elements must be removed: Names All geographic information relating to subdivisions smaller than a state, except for the initial three digits of zip codes as long as all zip codes with the same initial three digits that have fewer than 20,000 are grouped into a single 000 zip code All elements of dates except year for dates directly related to an individual e.g., birth date or admission date and information indicative of age Telephone numbers Fax numbers addresses Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate/license numbers Vehicle identifiers and serial numbers including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) addresses Biometric identifiers, including finger and voice prints Full-face photographic images and any comparable images Any other unique identifying number, characteristic, or code. 2. Who must comply with HIPAA? HIPAA Rules apply to covered entities and business associates. 1

9 3. Who is a covered entity? Covered entities are: Health plans; Health care clearinghouses; Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Department of Health and Human Services (HHS) under HIPAA, such as electronic billing and fund transfers. Health plans includes group health plans regardless of the type of employer sponsoring the plan private, governmental or church. It also includes insurance companies, service organizations such as Blue Cross and HMOs when they are providing health insurance. Covered entities are bound by the privacy standards even if they contract with others (called business associates ) to perform some of their essential functions. 4. Who are business associates? Business associates are persons that perform, or assist a covered entity in performing, an activity that involves the use or disclosure of PHI or who provide certain services to or for a covered entity. Key to this definition, though, is that the service in question must involve the use of PHI. Business associates of a group health plan may include TPAs; independent medical reviewers and UR entities; PBMs; vendors performing payroll services or data processing; vendors who administer COBRA, flexible benefit plans, dental or vision plans or certain disease management programs, and health insurance brokers and agents. Employees of a covered entity are not business associates. Employers and other plan sponsors (such as a board of trustees) are not business associates either, nor is the union that represents workers covered under the group health plan. Insurance companies are a covered entity under an insured health plan. Under a self-funded health plan where the insurance company functions as the TPA by providing claims and other services, the insurance company is a business associate not a covered entity. Covered Entity 5. Since business associates are governed by HIPAA is it necessary for a covered entity to have a contract with its business associates? Yes, even though both entities are directly covered by the Privacy Rule, the covered entity still needs to create an agreement to govern the activities that involve the use of the PHI. This agreement is called a business associate agreement. All business associate agreements must include: Provisions requiring the business associate to not use or disclosure PHI except as required or permitted by the Privacy Rule. Provisions requiring business associates to comply with the HIPAA Security Rule. Provisions requiring business associates to report any impermissible use or disclosure of PHI, including any incident involving unsecured PHI that may constitute a breach to covered entities. 2

10 Provisions requiring business associates to obtain satisfactory assurances that subcontractors agree to comply with the underlying business associate agreement conditions and restrictions as applied to PHI. Make available PHI in a designated record set to the covered entity so that the covered entity can comply with its Privacy Rule obligations. Make any amendments to PHI in a designated record set as directed or agreed to by the covered entity. Make its internal practices, books and records available to the HHS for the purpose of determining compliance with HIPAA rules. HIPAA's business associate provisions also apply to a business associate s subcontractors (persons or entities that provide services to a business associates which involves PHI to fulfill its contractual duties) if the subcontractors create, receive, maintain, or transmit PHI on behalf of business associates. Subcontractors need only have the ability to access to PHI to become business associates; they do not need to access the information. Regulations include an example of a document shredding company hired by a TPA. The document shredding company is a business associate because it has the ability to access the PHI even if it does not access the information. Sample business associate agreement provisions are available on the Department of Health and Human Services website. 6. Is a covered entity liable for, or required to monitor, the actions of its business associates? Maybe. The HIPAA Privacy Rule requires covered entities to enter into written contracts or other arrangements with business associates which protect the privacy of PHI; but covered entities are not required to monitor or oversee the means by which their business associates carry out privacy safeguards or the extent to which the business associate abides by the privacy requirements of the contract. Nor is the covered entity responsible or liable for the actions of its business associates. Business associates will be directly liable for civil money penalties for their violations of the HIPAA Rules. However, if a covered entity is aware of an activity or practice that constitutes a material breach or violation, the covered entity is required to take steps to cure the breach or end the violation and if those steps are not successful, terminate the contract. However, covered entities must be cognizant of the actions of their business associates that are also its agents. 7. If a covered entity has a compliant business associate agreement with a business associate that is a business associate agent, is the covered entity permitted to rely solely on the business associate agreement for the business associate s compliance? No. Covered entities and business associates will be liable for the acts of their business associate agents (in this context, agent is not the same as insurance agency. See next paragraph for definition of agent ), regardless of whether the covered entity has a compliant business associate agreement in place. This is to ensure that where a covered entity or a business associate has delegated out an obligation under the HIPAA Rules, the covered entity or business associate remains liable for penalties associated with the failures of its business associate agent to perform the obligations on the covered entity or business associate s behalf. 3

11 The determination of whether an agency relationship exists between a covered entity and its business associate (or business associate and its subcontractor) will be made under Federal common law principles. The essential factor in this determining is the right or authority of a covered entity to control the business associate s conduct in the course of performing a service on behalf of the covered entity. 8. Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements of the Privacy Rule. 9. Are all health plans considered covered entities and therefore subject to HIPAA? No. Health plans covered by the HIPAA Rules include group health plans, health insurers, service organizations such as Blue Cross, HMOs, insurers of long-term care policies (other than nursing home fixed indemnity policies), multiemployer health plans, multiple employer health plans, and any other individual and/or group plans providing or paying for the cost of medical care. The HIPAA requirements also apply to most government plans such as Medicare, Medicaid, Tricare and State Children s Health Insurance Plans. Unlike the HIPAA Portability rules and PPACA, this definition includes medical, dental, vision, hearing, prescription drug, medical flexible spending account plans, health reimbursement accounts, many wellness programs and employee assistance plans (except those that provide referral services only). It also includes on-site clinics. Health savings accounts are generally not health plans and are not subject to HIPAA. A group health plan that has less than 50 participants and is administered solely by the employer that established and maintains the plan is not subject to the HIPAA Privacy and Security Rules. For this definition participant includes all employees or former employees of the employer who are or may become eligible to receive a benefit or whose beneficiaries may be eligible to receive benefits. As a result, if an employer maintains a health care flexible spending account ( FSA ) or health reimbursement arrangement ( HRA ) that is administered by a third party or has 50 or more participants, then that FSA or HRA plan must comply with HIPAA Privacy and Security Rules even if only 25 employees are actually participating in the plan. 10. Is a health care flexible spending account a covered entity for purposes of the Privacy Rule? Yes, unless it has fewer than 50 participants and is self-administered. Employee welfare benefit plans with fewer than 50 participants and that are self-administered are not subject to the HIPAA Privacy and Security Rules. Dependent day care flexible spending accounts are not health plans. 11. Are group health plans required to create and maintain specific documents in order to access, use and disclose PHI? Yes. In order for a group health plan to use and disclose PHI as permitted by the Privacy Rule, the group health plan must have a privacy policy that includes the following provisions: a) An explanation of how the plan may use or disclose PHI including what uses and disclosures are required, which are permitted and which will require an authorization. b) A statement of the individual s rights such as the opportunity to inspect and copy and inspect their own PHI, the opportunity to request an amendment to their PHI (although the plan is 4

12 generally not required to agree), the opportunity to request a restriction on the disclosure of their PHI (although the plan is not required to agree), and the right to an accounting of disclosures not made as part of treatment, payment or health care operations or in response to an authorization. c) The identity of the privacy official (title), contact information and procedures for complaints, and a statement concerning sanctions for violations of the privacy policy, d) A statement that the group health plan will not intimidate, threaten, coerce, discriminate against or take other retaliatory action against individuals for exercising their HIPPA rights. e) A statement that the plan will mitigate, to the extent possible, any harmful affects that become known to the plan from a use or disclosure that violates the privacy rules and a statement that affected individuals will be notified in the event of a breach of unsecured PHI. f) A statement that the group health plan will make the plan's internal practices, books and records relating to the use and disclosure of PHI available to the Secretary of the Department of Health and Human Resources for compliance purposes. g) A statement that the group health plan will ensure that adequate separation exists between employees who are authorized to use PHI and those who are not; describe those employees or classes of employees to be given access to the PHI; restrict the access to and use of PHI to these employees; and provide an effective mechanism for resolving any issues of noncompliance by persons who have access to PHI. In addition, in order for the group health plan to disclose PHI to the plan sponsor the group health plan must obtain a written certification from the plan sponsor that the plan sponsor agrees to: a) Not use or further disclose PHI other than as permitted or required by the plan documents or as required by law; b) Ensure that any agents, to whom it provides PHI agree to the same restrictions and conditions that apply to the plan sponsor; c) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit plan of the plan sponsor; d) Report to the group health plan any use or disclosure of PHI that is inconsistent with the permitted or required uses or disclosures. 12. Is a group health plan sponsor a covered entity under HIPAA? No. Employers are not covered entities. Covered entities under HIPAA are health care clearinghouses, most health care providers, and health plans. A group health plan is one type of health plan and is a covered entity (except for self-administered plans with fewer than 50 eligible participants). The group 5

13 health plan is considered to be a separate legal entity from the employer or other parties that sponsor the group health plan. However, the Privacy Rule does control the conditions under which the group health plan may share PHI with the employer (or plan sponsor if not the employer) when the information is necessary for the plan sponsor to perform certain administrative functions on behalf of the group health plan. Among these conditions is receipt of a certification from the employer or plan sponsor that the health information will be protected as required by the Privacy Rule, will not be used for other benefit plans without authorization from the individual who is the subject of the PHI, and will not be used for employment-related actions. 13. If an employer that offers a fully insured group health plan is the fully insured group health plan subject to all of the Privacy Rule provisions? The Privacy Rule recognizes that certain fully insured group health plans may not need to satisfy all of the requirements of the Privacy Rule since these responsibilities will be carried out by the health insurer, service organization or HMO with which the group health plan has contracted for coverage. For example, a fully insured group health plan that does not create or receive PHI, but only receives summary health information and enrollment or disenrollment information, is not required to provide a notice of privacy practices. Fully insured group health plans are exempt from most of the administrative responsibilities under the Privacy Rule. These health plans are still required to refrain from intimidating or retaliatory acts and from requiring an individual to waive their privacy rights. However, if these plans want to assist employees with claims questions, the plan administrator will need to obtain a written authorization from the individual who is the subject of the PHI since resolving claims questions will virtually always involve disclosure of PHI. Business Associates 14. Is an entity that is acting as a third party administrator to a group health plan a covered entity? No, providing services to or acting on behalf of a health plan does not transform a third party administrator (TPA) into a covered entity. Generally, a TPA of a group health plan would be acting as a business associate of the group health plan. An insurance company that is acting as a TPA to a self-funded group health plan is a business associate with respect to that particular health plan. The same insurance company will be a covered entity to a group health plan where it provides health insurance. 15. May a covered entity share PHI directly with another covered entity's business associate? Yes. If the HIPAA Privacy Rule permits a covered entity to share PHI with another covered entity, the covered entity is permitted to make the disclosure directly to a business associate acting on behalf of that other covered entity. 16. Is a health insurance company, service organization such as Blue Cross or HMO that provides health insurance to a group health plan a business associate of the group health plan? A health insurance service organization such as Blue Cross that is providing health insurance to a group health plan is a covered entity with respect to that group health plan. The relationship between the group health plan and the health insurer, service organization or HMO is defined by the Privacy Rule as an organized health care arrangement (OHCA), with respect to the individuals they jointly serve or have 6

14 served. Thus, these covered entities are permitted to share PHI that relates to the joint health care activities (operations) of the OHCA. However, where a group health plan contracts with a health insurance insurer or HMO to perform functions or activities or to provide services that are in addition to or not directly related to the joint activity of providing insurance, the health insurance insurer or HMO may be a business associate with respect to those additional functions, activities, or services. 17. Is a physician or other health care provider a business associate of a health plan or other payer? Generally, providers are covered entities not business associates. However, a business associate relationship could arise if the health care provider is performing another function on behalf of the group health plan such as providing claims review or case management services. 18. Is a reinsurer or stop loss carrier a business associate of a health plan? Generally, no. A reinsurer or stop loss carrier does not become a business associate of a health plan simply by selling a reinsurance policy to a health plan and paying claims under the reinsurance policy. If the reinsurance or stop loss contract is not a health insurance contract, then the reinsurer or stop loss carrier is not a covered entity. However, a business associate relationship could arise if the reinsurer is performing a function on behalf of, or providing services to, the health plan that do not directly relate to the provision of the reinsurance benefits. 19. Is a software vendor a business associate of a covered entity? The mere selling or providing of software to a covered entity does not give rise to a business associate relationship if the vendor does not have access to the PHI of the covered entity. If the vendor needs access to the PHI of the covered entity in order to provide its service, the vendor would be a business associate of the covered entity. For example, a software company that hosts the software containing PHI on its own server or accesses PHI when troubleshooting the software function is a business associate of a covered entity. In these situations, a covered entity would be required to enter into a business associate agreement before allowing the software company access to PHI. 20. Is a business associate agreement required with organizations or persons where inadvertent contact with PHI may result - such as in the case of janitorial services? A business associate agreement is not required with persons or organizations whose functions, activities, or services do not involve the use or disclosure of PHI, and where any access to PHI by such persons would be incidental, if at all. Generally, janitorial services that clean the offices or facilities of a covered entity are not business associates because the work they perform for covered entities does not involve the use or disclosure of PHI, and any disclosure of PHI to janitorial personnel that occurs in the performance of their duties (such as may occur while emptying trash cans) is limited in nature, occurs as a by-product of their janitorial duties, and could not be reasonably prevented. If a service is hired to do work for a covered entity where disclosure of PHI is not limited in nature (such as routine handling of records or shredding of documents containing PHI), it likely would be a business associate. However, when such work is performed under the direct control of the covered entity (e.g., on 7

15 the covered entity s premises), the Privacy Rule permits the covered entity to treat the service as part of its workforce, and the covered entity need not enter into a business associate agreement with the service. 21. Would business associate agreements in electronic form, with an electronic signature, satisfy the HIPAA Privacy Rule's business associate agreement requirements? Yes, assuming that the electronic contract satisfies the applicable requirements of State contract law. The Privacy Rule generally allows for electronic documents, including business associate agreement, to qualify as written documents for purposes of meeting the Privacy Rule s requirements. 22. Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices? No. However, a covered entity must ensure through its contract with the business associate that the business associate's uses and disclosures of PHI and other actions are consistent with the covered entity's privacy policies, as stated in covered entity's notice. Also, a covered entity may use a business associate to distribute its notice to individuals. 23. If the only PHI a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate? No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Privacy Rule s requirements that it obtain satisfactory assurances from its business associate with the data use agreement. The covered entity must obtain a data use agreement from the business associate which must: (1) describe how the business associate is permitted to use and/or disclose the information which must be consistent with the Privacy rules; (2) establish who is permitted to use or receive the data set; (3) provide that the business associate will not further use or disclose the data set except as permitted by the agreement or required by law; (4) that is will notify the covered entity of any impermissible use or disclosure of which is becomes aware; and (5) it will not contact the individuals involved. A limited data set is data is deidentified information which may also contain certain zip code and/or date information. Permitted and Required Disclosures of PHI 24. When does the Privacy Rule require a covered entity such as a group health plan to disclose PHI? The Privacy Rule requires group health plans to disclose PHI only in two instances: 1. to the individual who is the subject of the PHI when the individual requests it, and 2. to the Secretary of the Department of Health and Human Services when the Secretary is undertaking a compliance investigation or review or enforcement action. 25. When is a covered entity such as a group health plan permitted to disclose PHI? A group health plans is prohibited from "using" or "disclosing" PHI except: With written authorization from the individual who is the subject of the PHI (this may not be the employee); or As explicitly permitted by the Privacy Rule; or 8

16 As required by the Privacy Rule. Health information is "used" when shared within the entity that holds the information (internal), while health information is "disclosed" when it is shared outside the entity (external). However, with the exception of psychotherapy notes and HIV antibody and antigen testing and treatment information, a group health plan with proper plan language in its documents does not need to obtain an individual's consent for the use and disclosure of PHI for payment or health care operations (or treatment for on-site clinics.) A group health plan may not use or disclose genetic information for underwriting purposes even if the individual signs an authorization for such purposes. This prohibition applies regardless of when or where the genetic information originated. 26. What actions must a plan sponsor take regarding permitted uses and disclosures? The plan sponsor will need to limit the employees who may access or use PHI to only those employees performing group health plan administrative functions (i.e., payments and health care operations). The plan sponsor may designate a class of employees (e.g., all employees assigned to a particular department) or individual employees. The plan sponsor may identify these employees in whatever way best reflects the plan sponsor's business needs as long as participants can reasonably identify who will have access. For example, persons may be identified by naming individuals' job titles (e.g., Director of Human Resources), functions (e.g., employees with oversight responsibility for the TPA), divisions of the company (e.g., Employee Benefits Department) or other entities related to the plan sponsor. 27. Assuming a use or disclosure is authorized, required or permitted, are there any limitations on the use or disclosure of PHI under these circumstance? Even when the group health plan may use or disclose PHI in accordance with the Privacy Rule, the group health plan must make reasonable efforts to limit PHI to the "minimum necessary" to accomplish the intended purpose of use, disclosure, or the request for PHI. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. The group health plan must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary. For routine uses of information, the Privacy Rule permits a group health plan to adopt general procedures for determining what the minimum necessary information is, then applying the general procedures. For example, a group health plan may take two steps: 1) identify persons or classes of persons in its workforce who need access to PHI to carry out their duties and job responsibilities; and 2) for each person or classes of persons, identify the category or categories of PHI to which access is needed and any conditions appropriate to that access. For example, a group health plan could develop procedures that allow certain employees or classes of employees unrestricted access to aggregate claims information for rating/accounting/budgeting purposes. However, the procedures could require approval from the departmental manager to obtain an individual's specific identifiable claims records to determine the cause of the claims that can influence the rates/accounting/budgeting decisions. 9

17 HIPAA also requires a covered entity to limit the use, disclosure, or request of PHI, to the extent practicable, to the limited data set or, if the covered entity needs additional information, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively. A limited data set excludes 16 types of identifiers such as name, social security number, address, address, and telephone number, but may include certain zip code and/or date information. Minimum Necessary Standard 28. Does the minimum necessary standard apply to all uses and disclosures? The minimum necessary standards of the Privacy Rule do not apply to the following: a) Disclosures to or requests by a heath care provider for treatment purposes. b) Disclosures to the individual who is the subject of the information. c) Uses or disclosures made pursuant to an authorization. d) Disclosures to the HHS when disclosure is required under the rule for investigation, compliance review or enforcement purposes. e) Uses or disclosures that are required to comply with the Privacy Rule or by other federal law. 29. Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity's business associate as the minimum necessary? A business associate agreement must limit the business associate s uses and disclosures of, as well as requests for, PHI to be consistent with the covered entity s minimum necessary policies and procedures. A covered entity is permitted to reasonably rely on such requests from a business associate as the minimum necessary. 30. How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose? The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Privacy Rule requires covered entities to make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the reasonable practices to limit the unnecessary sharing of health information. 10

18 31. Is a covered entity required to apply the HIPAA Privacy Rule's minimum necessary standard to a disclosure of PHI it makes to another covered entity? Covered entities are required to apply the minimum necessary standard to their own requests for PHI. One covered entity may reasonably rely on another covered entity s request as the minimum necessary; it does not need to engage in a separate minimum necessary determination. However, if a covered entity does not agree that the amount of information requested by another covered entity is reasonably necessary for the purpose, it is up to both covered entities to negotiate a resolution of the dispute as to the amount of information needed. 32. Must the HIPAA Privacy Rule's minimum necessary standard to be applied to uses or disclosure that are authorized by an individual? No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual s authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. However, the authorization must meet all statutory requirements. Individual rights with respect to their own PHI 33. Does the HIPAA Privacy Rule require a covered entity or business associate to provide individuals with access to their PHI or an accounting of disclosures, or an opportunity to amend PHI? The Privacy Rule generally requires covered entities, not business associates to provide individuals with access to their PHI, an opportunity to request an amendment to or restrict disclosures of PHI, and an accounting of PHI that is disclosed other than for treatment, payment or health care operations or in response to a written authorization... This may include information in a designated record set held by a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Privacy Rule requires covered entities to specify in the business associate agreement that the business associate must make such PHI available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate agreement that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof. If a covered entity is amend PHI about an individual in a designated record set, it must amend the PHI in all designated record sets it maintains that contain that PHI and any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate agreement that the business associate must amend PHI in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity. The Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. This accounting does not need to include disclosures for treatment, payment or health care operations. The business associate agreement must provide that the business associate will make such information available to the covered entity in order 11

19 for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate agreement that the business associate will provide the accounting to individuals, as may be appropriate given the PHI held by, and the functions of, the business associate. 34. Does the right to access PHI provide an individual with unlimited ability to access his or her PHI? In general, no. Covered entities such as group health plans must give individuals the opportunity to inspect and/or obtain copies of their PHI. Only information held in the group health plan's "designated record set" must be made available. A designated record set includes information such as medical records, billing records, enrollment, payment, claims adjudication, case or medical management record systems or records used to make decisions about individuals. There are exceptions to this requirement, however, including information maintained in psychotherapy notes and information compiled for use in a civil, criminal, or administrative action. In the case of the exceptions, group health plans may deny individual's access to their PHI without providing the individual with an opportunity for review. If the individual indicates in writing, to direct the covered entity to transmit a copy of his or her PHI (or ephi) directly to a specific entity or person named by the individual, the covered entity must transmit the information to that individual. The request to send PHI to another individual must be clear and specify to whom the PHI is to be transmitted. A covered entity that uses or maintains PHI in an electronic format must allow the covered individual to obtain a copy of his or her PHI in an electronic format. The information must be provided in the electronic format requested by the individual if it is readily producible in the requested format. If it is not readily producible in the requested format, it may be provided in another mutually agreeable electronic format. Electronic formats could include Word, Excel, PDF or similar. The information must be provided within 30 days; however, the covered entity may under certain circumstances have an additional 30 days. The covered entity may impose a fee for providing the individual with a copy of his or her information (or a summary or explanation of the information) if the copy (or summary or explanation) is in an electronic form. The fee may not exceed the covered entity's labor costs to respond to the request for the copy (or summary or explanation). It may, however, include the cost of certain electronic media such as flash drives or CDs if the information is provided on those media. 35. Does the individual have the right to request that his or her PHI be amended? Yes. A group health plan must permit individuals to request an amendment to their PHI held in the group health plan's designated record set for as long as the group health plan maintains the PHI. A group health plan may, however, deny an individual's request for amendment or correction if the information is accurate and complete or if the group health plan determines that the PHI was (a) not created by the group health plan, (b) is not part of the designated record set, or (c) not available for the individual's inspection. Since PHI such as medical records is not created by group health plans but, rather, is created by health care providers, the amendment process should not have a significant effect on group health plans (the same would generally apply to records such as claims files maintained by a health insurance insurer or TPA). 36. Must a group health plan agree to an individual s request to restrict uses and disclosure of the individual s PHI? No. Group health plans must permit individuals to request restrictions on: (a) the uses and disclosures of their PHI for treatment, payment or health care operations and (b) certain disclosures to family members, other relatives, close personal friends or others identified by the individual. For instance, an individual 12

20 may request a restriction regarding disclosures to family members. Group health plans are not required to agree to the requested restrictions, however, and may deny the request for any reason. If the group health plan agrees to a requested restriction, the group health plan may not use or disclose PHI in violation of the restriction, except in the case of emergency treatment where the restricted PHI is needed to provide the emergency treatment. If the restricted PHI is disclosed to a health care provider for emergency treatment, the group health plan must request that such health care provider not further use or disclose the information. Health care providers (but not other covered entities) must comply with a requested restriction if: (a) the disclosure is to a health plan for purposes of carrying out payment or health care operations (and is not for purposes of carrying out treatment) unless otherwise required by law; and (b) the PHI relates solely to a health care item or service for which the health care provider involved has been paid out-of-pocket and in full. For example, if a covered individual pays a healthcare provider for a service out-of-pocket and in full, the healthcare provider may not release the information to the group health plan if the covered individual has asked that the information be restricted. 37. Does the right to an accounting mean that group health plans must provide an individual with a complete accounting of all disclosures of that individual s PHI from the very first disclosure through the date of the request? No. Upon request, individuals have a right to receive an accounting of instances where their PHI is disclosed by the group health plan or by one of the plan's business associates (such as the TPA). The Privacy Rule does not require accounting for certain disclosures, the more common of which are disclosures: (a) for carrying out treatment, payment or healthcare operations, (b) to the individual or the individual's personal representative, (c) pursuant to an authorization, and (d) for notification of or to persons involved in an individual's care. This right applies to disclosures made in the six years prior to the date on which the accounting of the disclosure is requested (three years under proposed regulations.) Group health plans must have procedures to give individuals an accurate accounting of the disclosures. Such accounting must include the following: (a) the date of each disclosure; (b) the name and address of the organization or person who received the PHI; (c) a brief description of the information disclosed; and (d) for disclosures other than those made at the request of the individual, the purpose for which the information was disclosed. The accounting must be provided as soon as possible, but no later than 60 days after receipt of the request. If the information is maintained offsite, the group health plan may have a one-time extension of 30 days providing the individual is notified of the delayed and date PHI will be provided within the initial 60-day period. (Proposed regulations would decrease the 60-day period to 30 days.) 38. Must a group health plan accommodate all requests to communicate with an individual in a confidential manner? No. Individuals have the right to request that a group health plan communicate to them regarding their PHI either by an alternative means or at an alternative location, if such requests are reasonable. "Reasonableness" is based upon the administrative difficulty in accommodating the request, not on the perceived merits of the request. A group health plan must accommodate such reasonable requests only if the individual clearly states that disclosing all or part of the information could put him or her in danger. 13

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]

BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] BUSINESS ASSOCIATES [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)] Background By law, the HIPAA Privacy Rule applies only to covered entities health plans, health care clearinghouses, and certain

More information

HIPAA PRIVACY AND EDI RULES

HIPAA PRIVACY AND EDI RULES The Health and Human Services (HHS) issued final HIPAA privacy regulations on August 14, 2002. These rules govern how individually identifiable medical information must be protected. HIIPAA also requires

More information

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4

HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS. Exhibit B Notice of Privacy Practices pages B-1 to B-4 HIPAA PRIVACY POLICY FOR OPTICAL LABS TABLE OF CONTENTS HIPAA Privacy Policy pages 2 to 12 Exhibit A HIPAA Privacy Regulations pages A-1 to A-89 Exhibit B Notice of Privacy Practices pages B-1 to B-4 Exhibit

More information

HIPAA Privacy Common Questions: Definitions

HIPAA Privacy Common Questions: Definitions Brought to you by Momentous Insurance Brokerage, Inc. HIPAA Privacy Common Questions: Definitions What is a Covered Entity under the HIPAA Privacy Rules? The following organizations are governed by this

More information

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules

January 2003. Employers must be prepared for their obligations under the HIPAA Privacy Rules Employer Sponsored Group Health Plans and the HIPAA Privacy Rules Employers must be prepared for their obligations under the HIPAA Privacy Rules January 2003 Bob Radecki KnowHIPAA.com HIPAA-COBRA-FMLA

More information

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General

HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction. HIPAA Privacy Regulations-General HIPAA PRIVACY FOR EMPLOYERS A Comprehensive Introduction HIPAA Privacy Regulations-General The final HIPAA Privacy regulation was released on December 20, 2000 and was effective for compliance on April

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

Gaston County HIPAA Manual

Gaston County HIPAA Manual Gaston County HIPAA Manual Includes Gaston County IT Manual Action Date Reviewed and Revised December 2012 Gaston County HIPAA Policy Manual has be updated and combined with the Gaston County IT Manual.

More information

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,

More information

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)

Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance

More information

HIPAA Privacy Summary for Fully-insured Employer Groups

HIPAA Privacy Summary for Fully-insured Employer Groups HIPAA Privacy Summary for Fully-insured Employer Groups I. Overview The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures

More information

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT

Section C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by

More information

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices

The Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL

More information

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE

HIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware

More information

HIPAA OVERVIEW ETSU 1

HIPAA OVERVIEW ETSU 1 HIPAA OVERVIEW ETSU 1 What is HIPAA? Health Insurance Portability and Accountability Act. 2 PURPOSE - TITLE II ADMINISTRATIVE SIMPLIFICATION To increase the efficiency and effectiveness of the entire health

More information

Frequently Asked Questions About the Privacy Rule Under HIPAA

Frequently Asked Questions About the Privacy Rule Under HIPAA Q-1: What is HIPAA? Frequently Asked Questions About the Privacy Rule Under HIPAA A: HIPAA is the Health Insurance Portability and Accountability Act (passed by Congress in 1996). The Privacy Rule was

More information

HIPAA Compliance Manual

HIPAA Compliance Manual HIPAA Compliance Manual HIPAA Compliance Manual 1 This Manual is provided to assist your efforts to comply with the federal privacy and security rules mandated under HIPAA and HITECH, specifically as said

More information

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES

NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES SCHOOL DISTRICT OF BLACK RIVER FALLS 523.5 Exhibit NOTICE OF HIPAA PRIVACY AND SECURITY PRACTICES PRIVACY NOTICE This notice describes how medical information about you may be used and disclosed and how

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT

TJ RAI, M.D. THERAPY MEDICATION WELLNESS PRIVACY POLICY STATEMENT PRIVACY POLICY STATEMENT Purpose: It is the policy of this Physician Practice that we will adopt, maintain and comply with our Notice of Privacy Practices, which shall be consistent with HIPAA and California

More information

HIPAA Privacy Rule Primer for the College or University Administrator

HIPAA Privacy Rule Primer for the College or University Administrator HIPAA Privacy Rule Primer for the College or University Administrator On August 14, 2002, the Department of Health and Human Services ( HHS ) issued final medical privacy regulations (the Privacy Rule

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

HIPAA Privacy Summary for Self-insured Employer Groups

HIPAA Privacy Summary for Self-insured Employer Groups I. Overview HIPAA Privacy Summary for Self-insured Employer Groups The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures of

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT Talksoft is BA with Covered Entity BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is made this day of, and entered into between, ( Covered Entity ) having its principal place of

More information

Executive Memorandum No. 27

Executive Memorandum No. 27 OFFICE OF THE PRESIDENT HIPAA Compliance Policy (effective April 14, 2003) Purpose It is the purpose of this Executive Memorandum to set forth the Board of Regents and the University Administration s Policy

More information

THIRD PARTIES HAVING ACCESS TO PHI

THIRD PARTIES HAVING ACCESS TO PHI Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates I. OVERVIEW The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW YOUR MEDICAL INFORMATION MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. This HIPAA Notice

More information

BROWN RUDNICK BERLACK ISRAELS LLP. Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND

BROWN RUDNICK BERLACK ISRAELS LLP. Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND B R B I BROWN RUDNICK BERLACK ISRAELS LLP Group Health Plan Compliance with HIPAA and ERISA: NAVIGATING THE LEGAL AND ADMINISTRATIVE MAZE Q&A 2003 QUESTION AND ANSWER RESOURCE GUIDE Group Health Plan Compliance

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets

HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information

More information

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS

NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW

More information

HIPAA Privacy Overview

HIPAA Privacy Overview May 21, 2003 HIPAA Privacy Overview Presented to the California State University Agenda Introduction HIPAA privacy regulations HIPAA privacy impact on CSU Next steps/action items Mercer Human Resource

More information

HIPAA. HIPAA and Group Health Plans

HIPAA. HIPAA and Group Health Plans HIPAA HIPAA and Group Health Plans CareFirst BlueCross BlueShield is the business name of CareFirst of Maryland, Inc. and is an independent licensee of the Blue Cross and Blue Shield Association. Registered

More information

Plan Sponsor Guide HIPAA Privacy Rule

Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor Guide HIPAA Privacy Rule Plan Sponsor s Guide to the HIPAA Privacy Rule Compliments of Aetna 00.02.108.1A (5/05) Compliments of Aetna You have likely heard a great deal about the HIPAA Privacy

More information

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY

SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY SARASOTA COUNTY GOVERNMENT EMPLOYEE MEDICAL BENEFIT PLAN HIPAA PRIVACY POLICY Purpose: The following privacy policy is adopted to ensure that the Sarasota County Government Employee Medical Benefit Plan

More information

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03)

PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) PATIENT RECORDS PRIVACY POLICIES AND PROCEDURES FOR HIPAA COMPLIANCE (4/03) Use and Disclosure of PHI: Protected Health Information ( PHI ) may not be used or disclosed in violation of the Health Insurance

More information

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3

INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS. I. Introduction 2. II. Definitions 3 INDIANA UNIVERSITY SCHOOL OF OPTOMETRY HIPAA COMPLIANCE PLAN TABLE OF CONTENTS I. Introduction 2 II. Definitions 3 III. Program Oversight and Responsibilities 4 A. Structure B. Compliance Committee C.

More information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information

HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information HHS Issues Rule Requiring Individuals Be Notified of Breaches of Their Health Information New regulations requiring health care professionals, health plans, and other entities covered by the Health Insurance

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

ü Ensuring the privacy and security of personally identifiable health information (the Privacy and Security Rules); and

ü Ensuring the privacy and security of personally identifiable health information (the Privacy and Security Rules); and Provided by Benefits By Choice HIPAA Rules: Privacy, Security and Electronic Data Interchange The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law regarding health

More information

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP

An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation.

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of

More information

HIPAA COMPLIANCE. What is HIPAA?

HIPAA COMPLIANCE. What is HIPAA? HIPAA COMPLIANCE What is HIPAA? The Health Insurance Portability and Accountability Act (HIPAA) also known as the Privacy Rule specifies the conditions under which protected health information may be used

More information

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan

DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan DETAILED NOTICE OF PRIVACY AND SECURITY PRACTICES OF THE Trustees of the Stevens Institute of Technology Health & Welfare Plan THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA

HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA TRAINING MANUAL HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT OF 1996 HIPAA Table of Contents INTRODUCTION 3 What is HIPAA? Privacy Security Transactions and Code Sets What is covered ADMINISTRATIVE

More information

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements

Alert. Client PROSKAUER ROSE LLP. HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements PROSKAUER ROSE LLP Client Alert HIPAA Compliance Update: Employers, As Group Health Plan Sponsors, Will Be Affected By HIPAA Privacy Requirements The U.S. Department of Health and Human Services published

More information

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why?

HIPAA Compliance for Employers. What is HIPAA? Common HIPAA Misperception. The Penalties. Chapter I HIPAA Overview. The Privacy Regulations Why? Chapter I HIPAA Overview HIPAA Compliance for Employers What is it? What is it supposed to do? Why should you care? Who does it apply to? What does it cover? Patricia C. Shea, Esq. 717.231.5870 2 What

More information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information

BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

Winthrop-University Hospital

Winthrop-University Hospital Winthrop-University Hospital Use of Patient Information in the Conduct of Research Activities In accordance with 45 CFR 164.512(i), 164.512(a-c) and in connection with the implementation of the HIPAA Compliance

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Protected

More information

HIPAA NOTICE OF PRIVACY PRACTICES

HIPAA NOTICE OF PRIVACY PRACTICES HIPAA NOTICE OF PRIVACY PRACTICES Human Resources Department 16000 N. Civic Center Plaza Surprise, AZ 85374 Ph: 623-222-3532 // Fax: 623-222-3501 TTY: 623-222-1002 Purpose of This Notice This Notice describes

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

MILWAUKEE ROOFERS HEALTH FUND

MILWAUKEE ROOFERS HEALTH FUND MILWAUKEE ROOFERS HEALTH FUND PRIVACY PRACTICES NOTICE October 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE

More information

HIPAA Privacy Manual

HIPAA Privacy Manual California State University HIPAA Privacy Manual Revised February 17, 2010 As prepared by Mercer Human Resource Consulting 2010 California State University The HIPAA Privacy Manual was drafted for the

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

HIPAA PRIVACY POLICIES AND PROCEDURES

HIPAA PRIVACY POLICIES AND PROCEDURES HIPAA PRIVACY POLICIES AND PROCEDURES FOR MOTT COMMUNITY COLLEGE NOVEMBER 18, 2004 PREPARED BY: KUSHNER & COMPANY 2427 WEST CENTRE AVENUE PORTAGE, MICHIGAN 49024 (269) 342-1700 WWW.KUSHNERCO.COM EMPLOYEE

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

UPMC POLICY AND PROCEDURE MANUAL

UPMC POLICY AND PROCEDURE MANUAL UPMC POLICY AND PROCEDURE MANUAL POLICY: INDEX TITLE: HS-EC1807 Ethics & Compliance SUBJECT: Honest Broker Certification Process Related to the De-identification of Health Information for Research and

More information

Professional Employer Organizations Obligations Under HIPAA A Summary

Professional Employer Organizations Obligations Under HIPAA A Summary NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

The HIPAA Privacy Rule: Overview and Impact

The HIPAA Privacy Rule: Overview and Impact The HIPAA Privacy Rule: Overview and Impact DISCLAIMER: This information is provided as is without any express or implied warranty. It is provided for educational purposes only and does not constitute

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do? HIPAA Privacy FAQ s 1. What is the HIPAA privacy regulation? Until Congress passed HIPAA in 1996, personal health information (PHI) was protected by a patchwork of federal and state laws. Patients health

More information

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual

State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual State of Connecticut Department of Social Services HIPAA Policies and Procedures Manual Updated 9/17/13 1 Overview As of April 14, 2003, the State of Connecticut Department of Social Services (DSS) is

More information

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61

-1- PERSONNEL CERTIFIED / NON-CERTIFIED 4112.61/4212.61 -1- HIPAA Privacy Policies The Wallingford Board of Education ("the Board" or the "Plan Sponsor") sponsors a group health plan that provides medical and dental benefits (the "Plan"). These Privacy Policies

More information

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS

HIPAA PRIVACY AND SECURITY FOR EMPLOYERS HIPAA PRIVACY AND SECURITY FOR EMPLOYERS Agenda Background and Enforcement HIPAA Privacy and Security Rules Breach Notification Rules HPID Number Why Does it Matter HIPAA History HIPAA Title II Administrative

More information

HIPAA COMPLIANCE INFORMATION. HIPAA Policy

HIPAA COMPLIANCE INFORMATION. HIPAA Policy HIPAA COMPLIANCE INFORMATION HIPAA Policy Use of Protected Health Information for Research Policy University of North Texas Health Science Center at Fort Worth Applicability: All University of North Texas

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191.

HIPAA means the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191. HIPAA Data Use Agreement 1 Revision Date: This Data Use Agreement (the Agreement ) is entered into by and between Yale University ( Covered Entity ) and ( Data User ), collectively, the Parties, and shall

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement

Connecticut Pipe Trades Health Fund Privacy Notice. 2013 Restatement Connecticut Pipe Trades Health Fund Privacy Notice 2013 Restatement Section 1: Purpose of This Notice and Effective Date THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT

EXHIBIT C BUSINESS ASSOCIATE AGREEMENT EXHIBIT C BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT is made and entered into by and between ( Covered Entity ) and KHIN ( Business Associate ). This Agreement is effective as of, 20 ( Effective Date

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,

More information

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices

Salt Lake Community College Employee Health Care Benefits Plan Notice of Privacy Practices THIS NOTICE DESCRIBES HOW HEALTH INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. Date: June 1, 2014 Salt Lake Community College

More information

State of Florida Employees' Group Health Insurance Privacy Notice

State of Florida Employees' Group Health Insurance Privacy Notice This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. The Health Insurance Portability and Accountability

More information

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016

IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Institutional Review Board (IRB) IRB Guidelines 1.3 HIPAA Research Implications Version 1.1: Created 4/20/2016 Overview The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations,

More information

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL

THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION

ELKIN & ASSOCIATES, LLC. HIPAA Privacy Policy and Procedures INTRODUCTION ELKIN & ASSOCIATES, LLC HIPAA Privacy Policy and Procedures INTRODUCTION The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict a Covered Entity

More information

HIPAA Compliance for Students

HIPAA Compliance for Students HIPAA Compliance for Students The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 by the United States Congress. It s intent was to help people obtain health insurance benefits

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Privacy Notice. The Plan s duties with respect to health information about you

Privacy Notice. The Plan s duties with respect to health information about you Privacy Notice Please carefully review this notice. It describes how medical information about you may be used and disclosed and how you can get access to this information. The Health Insurance Portability

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the "Agreement") is made and entered into this day of,, by and between Quicktate and idictate ("Business Associate") and ("Covered Entity").

More information