Current Developments in Privacy and Security Rule Enforcement (slides dated 8/8/2014)
Office of the Secretary, Office for Civil Rights (OCR)
Current Developments in Privacy and Security Rule Enforcement
Michigan Medical Billers Association
Andrew C. Kruley, J.D., Equal Opportunity Specialist (Investigator)
August 11, 2014

Disclaimer
These PowerPoint slides, along with the remarks of Mr. Kruley, are intended to be purely informational and informal in nature. Nothing in the slides or in Mr. Kruley's statements is intended to represent or reflect the official interpretation or position of the Department of Health and Human Services or the Office for Civil Rights.

Topics
- 2013: A Major Year for Privacy and Security
- Recent Enforcement Actions
- Enforcement Statistics and Upcoming Enforcement Activities
- Omnibus Regulations and Related Guidance
- Patients' Right to Restrict and the Breach Notification Rule
- Compliance Audits
- Resources
HIPAA Enforcement Actions: Recent Cases and Trends
Security Rule and Privacy Rule Cases from 2013

Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780
- Affinity Health Plan impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives.
- OCR's investigation revealed that Affinity failed to incorporate the electronic protected health information (ePHI) stored on copier hard drives in its analysis of risks and vulnerabilities, as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents.
- The corrective action plan required Affinity to use its best efforts to retrieve all hard drives that were contained in photocopiers previously leased and that remained in the possession of the leasing agent, and to take certain measures to safeguard all ePHI.
WellPoint Pays $1.7 Million for Leaving Information Accessible over the Internet
- WellPoint's breach report indicated that security weaknesses in an online application database left the ePHI of 612,402 individuals accessible to unauthorized individuals over the Internet.
- OCR's investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule:
  - WellPoint did not adequately implement policies and procedures for authorizing access to the online application database.
  - It did not perform an appropriate technical evaluation in response to a software upgrade to its information systems.
  - It did not have technical safeguards in place to verify the person or entity seeking access to ePHI maintained in its application database.

Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle
- This was the first case involving a breach report for PHI of fewer than 500 individuals that resulted in the execution of a Resolution Agreement by the CE and the payment of a Resolution Amount to OCR, namely $50,000.
- In 2010, Hospice of North Idaho (HONI) submitted a breach notification reporting that a laptop containing the PHI of 441 patients had been stolen.
- OCR's investigation showed that HONI had not conducted a risk analysis and had not promulgated a policy designed to ensure the security of PHI held on mobile media devices.
- Since the breach was discovered, HONI has taken substantial steps to improve its privacy and security compliance program.

Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case
- OCR received a report that an unencrypted thumb drive containing ePHI for 2,200 individuals was stolen from a staffer's car. The thumb drive was never recovered.
- OCR's investigation showed that APDerm had not conducted an analysis of risks and vulnerabilities regarding ePHI.
- APDerm did not have a written policy for reporting breaches or for training employees on Privacy and Security Rule issues.
Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure
- SRMC failed to safeguard a patient's protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization.
- OCR's review indicated that senior management at SRMC impermissibly shared details about the patient's medical condition, diagnosis and treatment in an e-mail to the entire workforce.
- In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient's records, as its internal sanctions policy required.
- A corrective action plan (CAP) required SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members.
- The CAP also required fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media.

Lessons Learned
- Risk analysis: HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals' data, and to have appropriate safeguards in place to protect this information.
- Take caution when implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to give consumers access to their health data over the Internet.
- Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements, to ensure that patients' rights are fully protected.
Enforcement Statistics and Upcoming Enforcement Activities

HIPAA Compliance/Enforcement (as of December 31, 2013), totals since 2003:
- Complaints filed: 90,000
- Cases investigated: 31,925
- Cases with corrective action: 22,026
- Civil monetary penalties and resolution agreements (since 2008): $18.6 million

Top Five Issues Nationally in Cases Closed in 2013 with Corrective Action
1. Impermissible uses and disclosures of PHI
2. Lack of adequate physical, technical, or administrative safeguards
3. Individuals or their representatives being denied access to their PHI
4. Minimum necessary
5. Lack of mitigation by the CE
Eye to the Future
- Increased efficiency
- High-impact cases
- Audit
- HHS expects full compliance, no matter the size of a covered entity.
- Assure that policies relating to privacy, security and breach notification are up to date and effectively implemented.

HIPAA Privacy, Security, Breach Compliance and Enforcement: What's to Come
- Resolution Agreements/Corrective Action Plans
  - Continue to increase activity and resources
  - Maintain focus on the fundamentals of compliance programs
  - Address emerging issues
- Investigated Complaints/Compliance Reviews
  - New web portal for complaints/centralized intake
  - Strategic approach to increase efficiencies and identify cases for investigation
- Breach Reports
  - Redesigned website for 500+ postings (only the link fragment "eachtool.html" survives in the transcription)

Office of the Secretary, Office for Civil Rights (OCR)
HIPAA/HITECH Guidance
HIPAA/HITECH Guidance: What's Done
- Omnibus Final Rule
- De-identification
- Combined Regulation Text
- Sample BA provisions
- Refill Reminder
- Factsheets on Student Immunizations and Decedents
- Model Notice of Privacy Practices (English and Spanish versions)
- Other guidance: ability to report serious and imminent threats; permitted mental health disclosures; right of access updated for e-access requirements; law enforcement guide

Guidance Regarding the Sharing of Mental Health Information
In September 2013, OCR issued extensive guidance on when information about an individual who is receiving mental health care treatment can be shared with the individual's family and others involved in his or her care. The guidance also addresses the patient's capacity to agree to or object to the sharing of such information, as well as related law enforcement issues.

Guidance Regarding Marketing and Refill Reminders
Also in September 2013, OCR issued guidance regarding the refill exception from the marketing provision of the Privacy Rule. Normally, under the marketing provisions as amended by the omnibus regulations that took effect in 2013, an individual has to provide written authorization before his or her PHI can be used for marketing purposes. However, the guidance makes clear that prescription refill reminders and other communications about a currently prescribed drug or biologic are generally exempt from the authorization requirement. In addition, a CE can receive financial remuneration from the drug manufacturer or similar third party, provided that the remuneration is reasonably related to the CE's cost of making the communication.
Guidance Regarding Disclosure of Decedents' PHI
The omnibus regulations changed the original April 2003 version of the Privacy Rule regarding the ability of family members to access a deceased relative's PHI. Originally, only an executor or administrator could access a decedent's PHI, unless state law permitted other individuals, such as surviving spouses or adult children, to do so. Now, in most instances, any member of the family or other person who was involved in the provision of care to a deceased individual has a right to access his or her PHI, even if that person is not the decedent's personal representative. In September 2013, OCR issued guidance regarding these changes to the Privacy Rule.

Model Notice of Privacy Practices
- Notice in the form of a booklet
- A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages
- A notice with the design elements found in the booklet, but formatted for full-page presentation
- A text-only version of the notice
- Different versions for plans and health care providers

HIPAA/CLIA Final Rule Now in Effect: Patient Right of Access to Test Results
- Centers for Medicare and Medicaid Services enforcement: amends the Clinical Laboratory Improvement Amendments (CLIA) regulations to allow labs to give patients completed test results
- OCR enforcement: amends the HIPAA right of access to remove the exemption for CLIA labs
  - The individual has the right to access and get a copy of PHI in the designated record set (DRS) of labs, including the right to an electronic copy
  - Access obligations on labs are the same as for other covered entities
  - The individual can still go through a physician to obtain test results
- Dates: published in the Federal Register February 6; effective date April 7; HIPAA compliance date October

HIPAA/HITECH Guidance: What's to Come
- Guidance on the Omnibus Final Rule: Breach Safe Harbor update; Breach Risk Assessment Tool; Minimum Necessary; more on Marketing
- Security Rule updates: small provider risk analysis tool
- More factsheets on other provisions
- Model Notice: Web-based version challenge issued
- Other: new YouTube content and more Spanish versions; new Medscape module coming soon, "EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information"

Office of the Secretary, Office for Civil Rights (OCR)
Patients' Right to Restrict PHI

Patient Right to Request Restrictions: Old Rule
Under the April 2003 version of the Privacy Rule, an individual had the right to request that a covered entity place a restriction on the use and disclosure of his or her PHI for treatment, payment, and health care operations (and certain other reasons). The CE was not required to agree to any restriction. However, if the CE did agree, the CE was bound by the restriction.
Right to Require Restrictions: New Rule as of September 2013
Under the Omnibus Regulations, the CE must agree to an individual's request to restrict the disclosure of PHI to the individual's health plan if:
- the PHI pertains solely to health care for which the individual (or a person on behalf of the individual other than the health plan) has paid the CE in full, out of pocket; and
- the disclosure is not required by other law.
The CE is encouraged, but not required, to notify downstream providers of the restriction. The Preamble to the Omnibus Regulations, contained in the January 25, 2013 issue of the Federal Register, provides guidance on the scope of the restriction and other potential implementation issues, including a number of illustrative, hypothetical cases. The old permissive rule still applies to all other requests for restrictions from an individual.

Office of the Secretary, Office for Civil Rights (OCR)
Breach Notification Highlights
- September 2009 through November 6: reports involving over 500 individuals (count not preserved in the transcription); 84,963 reports involving under 500 individuals
- Top types of large breaches: theft; unauthorized access/disclosure; loss
- Top locations for large breaches: laptops; paper records; desktop computers; portable electronic devices
Spotlight on Largest Breaches of 2012
- Hacking of a network server: 780,000 affected
- Backup tapes stored at a hospital cannot be found and are presumed lost: 315,000 affected
- Unencrypted e-mails sent to an employee's unsecured e-mail address: 228,435 affected
- Theft of a laptop from an employee's vehicle: 116,506 affected
- Unauthorized access to ePHI stored in a database: 105,646 affected
- Hacking of a database stored on a network server: 70,000 affected

Breach Notification: 500+ Breaches by Type of Breach (pie chart; data as of January)
- Hacking/IT Incident: 7%
- Loss: 14%
- Improper Disposal and Unknown: 5% and 3% (the transcription does not preserve which value belongs to which)
- Unauthorized Access/Disclosure: 20%
- Theft: 51%

Breach Notification: 500+ Breaches by Location of Breach (pie chart; data as of January)
- E-mail: 3%
- Other and EMR: 10% and 2% (the transcription does not preserve which value belongs to which)
- Network Server: 11%
- Paper Records: 22%
- Portable Electronic Device: 14%
- Laptop: 23%
- Desktop Computer: 15%
Office of the Secretary, Office for Civil Rights (OCR)
Compliance Audits

Audit Program
- HITECH Act Sec. (section number not preserved in the transcription): periodic audits to ensure that covered entities and business associates comply with the requirements of HIPAA and HITECH

Audit Objectives
- Examine mechanisms for compliance
- Identify best practices
- Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews
- Renew the attention of covered entities to health information privacy and security compliance activities

Compliance and Enforcement: Audit, Where We Have Been
Audit Pilot Completed
- Pilot process: tiered approach for a snapshot of compliance across covered entity types, sizes, and complexity
- Sample of 115 covered entities selected, spread across 4 tiers
- All audits were completed by December 2012
- OCR published the audit protocol
- Issued final reports to the entities audited in the pilot

Audit Pilot Observations
- Completed audits of 115 entities: 61 providers, 47 health plans, 7 clearinghouses
- No findings or negative observations for 13 entities (11%): 2 providers, 9 health plans, 2 clearinghouses
- Total of 979 audit findings and observations: 293 Privacy, 592 Security, 94 Breach Notification
- The percentage of Security Rule findings and observations was double what would have been expected based on the protocol
- Smaller entities (Level 4) struggled with all three areas

Summary of Entities Audited
- Level 1 entities: large provider/payer; extensive use of HIT, with complicated HIT-enabled clinical/business work streams; revenues and/or assets greater than $1 billion
- Level 2 entities: large regional hospital system (3-10 hospitals/region) / regional insurance company; paper and HIT-enabled workflows; revenues and/or assets between $300 million and $1 billion
- Level 3 entities: community hospitals, outpatient surgery, regional pharmacy / all self-insured entities that don't adjudicate their claims; some but not extensive use of HIT, mostly paper-based workflows; revenues between $50 million and $300 million
- Level 4 entities: small providers (10 to 50 provider practices, community or rural pharmacy); little to no use of HIT, almost exclusively paper-based workflows; revenues less than $50 million
Size/Type of Entities Audited (table of Level 1, Level 2, Level 3, Level 4 and Total for Health Plans, Healthcare Providers and Healthcare Clearinghouses; the cell values are not preserved in the transcription; data as of December)

Types of Privacy Rule Audit Findings (bar chart; data as of December)
- Notice of Privacy Practices: 20%
- Restriction Requests & Alternative Communications: 2%
- Individual Right of Access: 16%
- Administrative Standards: 18%
- Uses and Disclosures of PHI: 44%

Types of Security Rule Audit Findings (bar chart; data as of December): categories are Risk Analysis, Access Management, Security Incident Procedures, Contingency Planning, Audit Controls and Monitoring, and Movement and Destruction of Media; the bar values preserved in the transcription are 18%, 12%, 14%, 14%, 14% and 9%, but their assignment to categories is not recoverable.
Compliance and Enforcement Audit: What's Ahead in 2014
- Formal program evaluation 2013
- Internal analysis for follow-up and next steps
- Creation of technical assistance based on results
- Determine where entity follow-up is appropriate
- Identify leading practices
- Revise the protocol to reflect the Omnibus Rule
- Ongoing program design and focus: business associates; accreditation/certification correlations

Resumption of Audits in 2014
OCR will be conducting a second round of compliance audits on its own, beginning later in 2014 and continuing into the year following (the year is not preserved in the transcription). OCR selected from a very large database an oversupply of 1,200 organizations as possible subjects of the new round of audits, and is currently making determinations about the listed organizations to determine their suitability for audit. Roughly 800 of the organizations are covered entities and 400 are business associates.

New Issues Likely to Be Covered in Audits
OCR expects to revise its 2012 audit protocol to include the changes brought by the Omnibus Regulations. OCR also expects a more intensive focus on organizations' analysis of potential risks and vulnerabilities involving the PHI that they generate and that comes into their custody, as OCR found the lack of any and/or adequate risk analysis to be very high in the 2012 audit.
Office of the Secretary, Office for Civil Rights (OCR)
Resources

We've Been Busy: New Compliance Assistance Tools for Covered Entities and Business Associates
- The HIPAA Omnibus Rule (video; only the URL fragment "X QL9PoePU" survives in the transcription)
- New Resource Center at Medscape.org: video programs module embedded into the page for dynamic interest; educational links, including mobile device content

Two New Learning Modules for Free CME and CE Credit
- The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information
- The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices

Consumer Awareness and Engagement
- Your New Rights Under HIPAA - Consumers (video; only the URL fragment "=3-wV23_E4eQ" survives in the transcription): over 262,000 views since September 4, 2013
- Visit us at (URL not preserved in the transcription)

OCR's YouTube Videos
- Your New Rights Under HIPAA: 264,781 views
- Your Health Information, Your Rights: 116,291 views
- The Right to Access Your Health Information: 84,909 views
- EHRs: Privacy and Security: 5,645 views
- Explaining the Notice of Privacy Practices: 124,888 views
- The HIPAA Omnibus Rule: 273,927 views
- Su Informacion de Salud, Sus Derechos: 503,898 views
- Treatment, Payment and Health Care Operations: 77,967 views
- Communicating with Friends and Family: 97,428 views
- HIPAA Security Rule: 291,263 views
- Total views from February to January 30, 2013: 1,840,997

Contact Information
Andrew C. Kruley, Equal Opportunity Specialist (Investigator)
Office for Civil Rights, Region V
United States Department of Health and Human Services
233 North Michigan Avenue, Suite 240, Chicago, Illinois
Andrew.Kruley@hhs.gov
THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC
More informationHIPAA Compliance Guide
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationYou Probably Don t Even Know
You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25
More informationLessons Learned from OCR Privacy and Security Audits
Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis Linda Sanches, MPH Verne Rinker, JD MPH Presentation to IAPP Global Privacy Summit March 7, 2013 Program Mandate
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationOCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013
ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationHIPAA 101. March 18, 2015 Webinar
HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationDissecting New HIPAA Rules and What Compliance Means For You
Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the
More informationHIPAA Update Focus on Breach Prevention
HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationHIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013
HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationHIPAA and New Technologies Using Social Media and Texting Within the Rules. Today s Objectives
HIPAA and New Technologies Using Social Media and Texting Within the Rules Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com For Northern California Chapter
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
More informationBreaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014
Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationTexas Medical Records Privacy Act (a.k.a. Texas House Bill 300)
Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire
More informationDatto Compliance 101 1
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
More informationPresented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com
Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationCREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy
CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationQ: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?
Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are
More informationUPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)
UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not
More information8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice
Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationAnnual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010
Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)
More informationHIPAA Business Associate Addendum
HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationHIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant
HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability
More informationHIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013
HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel
More informationHIPAA Security Overview of the Regulations
HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.
More informationNOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable
NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationSAMPLE BUSINESS ASSOCIATE AGREEMENT
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
More informationREPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
More information