Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement

Size: px
Start display at page:

Download "Disclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement"

Transcription

1 Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist (Investigator) August 11, 2014 Disclaimer These power point slides, along with the remarks of Mr. Kruley, are intended to be purely informational and informal in nature. Nothing in the slides or in Mr. Kruley s statements are intended to represent or reflect the official interpretation or position of the Department of Health and Human Services or the Office for Civil Rights. 2 Topics 2013: A Major Year for Privacy and Security Recent Enforcement Actions Enforcement Statistics and Upcoming Enforcement Activities Omnibus Regulations and Related Guidance Patients Right to Restrict and the Breach Notification Rule Compliance Audits Resources 3 1

2 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Actions: Recent Cases and Trends Security Rule and Privacy Rule Cases from 2013 Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780 Affinity Health Plan impermissibly disclosed the PHI of up to 344,579 individuals when it returned multiple photocopiers to a leasing agent without erasing the data contained on the copier hard drives. 5 Affinity Settles in Photocopier Security Rule Breach Case for $1,215,780 s investigation revealed that Affinity failed to incorporate the electronic protected health information (ephi) stored in copier s hard drives in its analysis of risks and vulnerabilities as required by the Security Rule, and failed to implement policies and procedures when returning the hard drives to its leasing agents. The corrective action plan required Affinity to use its best efforts to retrieve all hard drives that were contained on photocopiers previously leased and that remained in the possession of the leasing agent, and to take certain measures to safeguard all ephi. 6 2

3 WellPoint pays $1.7 million for leaving information accessible over Internet WellPoint s breach report indicated that security weaknesses in an online application database left the ephi (ephi) of 612,402 individuals accessible to unauthorized individuals over the Internet. 7 WellPoint pays $1.7 million for leaving information accessible over Internet s investigation indicated that WellPoint did not implement appropriate administrative and technical safeguards as required under the HIPAA Security Rule: WellPoint did not adequately implement policies and procedures for authorizing access to the on-line application database. Did not perform an appropriate technical evaluation in response to a software upgrade to its information systems. Did not have technical safeguards in place to verify the person or entity seeking access to ephi maintained in its application database. 8 Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle This was the first case involving a breach report for PHI of fewer than 500 individuals which resulted in the execution of a Resolution Agreement by the CE and the payment of a Resolution Amount to, namely $50,000. In 2010, Hospice of North Idaho (HONI) submitted a breach notification, reporting that a laptop containing the PHI of 441 patients had been stolen. 9 3

4 Hospice of North Idaho, a Small Provider, Pays $50,000 to Settle s investigation showed that HONI had not conducted a risk analysis and had not promulgated a policy designed to ensure the security of PHI held on mobile media devices. Since the breach was discovered, HONI did take substantial steps to improve its privacy and security compliance program. 10 Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case received a report that an unencrypted thumb drive containing ephi for 2200 individuals was stolen from a staffer s car. The thumb drive was never recovered. 11 Adult & Pediatric Dermatology Pays $150,000 to Settle Breach Notification Case investigation showed that APDerm had not conducted an analysis of risks and vulnerabilities regarding ephi. APDerm did not have a written policy for reporting breaches and training employees on Privacy and Security Rule issues. 12 4

5 Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure SRMC failed to safeguard the patient s protected health information (PHI) from impermissible disclosure by intentionally disclosing PHI to multiple media outlets on at least three separate occasions, without a valid written authorization. s review indicated that senior management at SRMC impermissibly shared details about the patient s medical condition, diagnosis and treatment in an to the entire workforce. 13 Shasta Regional Medical Center Settles Privacy Rule Case for $275,000 for Impermissible Disclosure In addition, SRMC failed to sanction its workforce members for impermissibly disclosing the patient s records pursuant to its internal sanctions policy. A corrective action plan (CAP) required SRMC to update its policies and procedures on safeguarding PHI from impermissible uses and disclosures and to train its workforce members. The CAP also required fifteen other hospitals or medical centers under the same ownership or operational control as SRMC to attest to their understanding of permissible uses and disclosures of PHI, including disclosures to the media. 14 Lessons Learned Risk Analysis HIPAA covered entities and their business associates are required to undertake a careful risk analysis to understand the threats and vulnerabilities to individuals data, and have appropriate safeguards in place to protect this information. Take caution When implementing changes to information systems, especially when those changes involve updates to Web-based applications or portals that are used to provide access to consumers health data using the Internet. Senior leadership Helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients rights are fully protected 15 5

6 Office of the Secretary Office for Civil Rights () Enforcement Statistics and Upcoming Enforcement Activities HIPAA Compliance/Enforcement (As of December 31, 2013) TOTAL (since 2003) Complaints Filed 90,000 Cases Investigated 31,925 Cases with Corrective Action 22,026 Civil Monetary Penalties & Resolution Agreements (since 2008) $18.6 million 17 Top Five Issues Nationally in Cases Closed in 2013 with Corrective Action 1. Impermissible Uses and Disclosures of PHI 2. Lack of adequate physical, technical, or administrative safeguards 3. Individuals or their Representatives Being Denied Access to their PHI 4. Minimum Necessary 5. Lack of Mitigation by CE 18 6

7 Eye to the Future Increased efficiency High-impact cases Audit HHS expects full compliance, no matter the size of a covered entity. Assure that policies relating to privacy, security and breach notification are up- to- date and effectively implemented. 19 HIPAA Privacy, Security, Breach Compliance and Enforcement What s to Come Resolution Agreements/Corrective Action Plans Continue to increase activity and resources Maintain focus on fundamentals of compliance programs Address emerging issues Investigated Complaints/Compliance Reviews New web portal for complaints/centralized intake Strategic approach to increase efficiencies, identify cases for investigation Breach Reports Redesigned website for 500+ postings eachtool.html 20 Office of the Secretary Office for Civil Rights () HIPAA/HITECH Guidance 7

8 HIPAA/HITECH Guidance What s Done Omnibus Final Rule De-identification Combined Regulation Text Sample BA provisions Refill Reminder Factsheets on Student Immunizations and Decedents Model Notice of Privacy Practices English and Spanish Versions Other Guidance Ability to report serious and imminent threats Permitted mental health disclosures Right to access updated for e-access requirements Law enforcement guide 22 Guidance Regarding the Sharing of Mental Health Information In September 2013, issued extensive guidance regarding the issue of when information about an individual who is receiving mental health care treatment can be shared with the individual s family and others involved in his or her care. The guidance also addresses the patient s capacity to agree to or object to the sharing of such information. It also addresses related law enforcement issues. 23 Guidance Regarding Marketing and Refill Reminders Also in September 2013, issued guidance regarding the refill exception from the marketing provision of the Privacy Rule. Normally, under the marketing provisions, as amended by the omnibus regulations that took effect in 2013, an individual has to provide written authorization before his or her PHI can be sued for marketing purposes. However, the guidance makes clear that prescription refill reminders and other communications about a currently prescribed drug or biologic are generally exempt from the authorization requirement. In addition, a CE can receive financial remuneration from the drug manufacturer or similar third party provided that the remuneration is reasonably related to the CE s cost of making the communication. 24 8

9 Guidance Regarding Disclosure of Decedents PHI The omnibus regulations contained changes to the original April 2003 version of the Privacy Rule regarding the ability of family members to access a deceased relative s PHI. Originally, only an executor or administrator could access a decedent s PHI, unless state law permitted other individuals, such as surviving spouses or adult children to do so. Now, in most instances, any member of the family or other person who was involved in the provision of care to a deceased individual has a right to access his or her PHI, even if that person is not the decedent s personal representative. In September 2013, issued guidance regarding these changes to the Privacy Rule. 25 Model Notice of Privacy Practices Notice in the form of a booklet; A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages; A notice with the design elements found in the booklet, but formatted for full page presentation. A text only version of the notice; Different versions for plans and health care providers HIPAA/CLIA Final Rule Now in Effect: Patient Right of Access to Test Results Center for Medicare and Medicaid Services Enforcement Amends Clinical Laboratory Improvement Amendments (CLIA) regulations to allow labs to give patients completed test results Enforcement Amends HIPAA right to access to remove exemption for CLIA labs Individual has right to access and get copy of PHI in DRS of labs, including right to electronic copy Access obligations on labs same as for other covered entities Individual can still go through physician to obtain test results Dates Publish in FR -- February 6 Effective Date -- April 7 HIPAA Compliance Date -- October

10 HIPAA/HITECH Guidance What s to Come Guidance on Omnibus Final Rule Breach Safe Harbor Update Breach Risk Assessment Tool Minimum Necessary More on Marketing Security Rule Updates small provider risk analysis tool More Factsheets on other provision Model Notice Web based version challenge issued Other YouTube new content; more Spanish versions Medscape new module coming soon -- EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information 28 Office of the Secretary Office for Civil Rights () Patients Right To Restrict PHI 29 Patient Right to Request Restrictions Old Rule Under the April 2003 version of the Privacy Rule, an individual had the right to request a covered entity to place a restriction regarding use and disclosure of his or her PHI for treatment, payment, and health care operations (and certain other reasons). The CE was not required to agree to any restriction. However, if the CE did agree, the CE was bound by the restriction

11 Right to Require Restrictions New Rule as of September 2013 Under the Omnibus Regulations, the CE must agree to an individual s request to restrict the disclosure of PHI to the individual s health plan if: PHI pertains solely to health care for which the individual (or a person on behalf of individual other than the health plan) has paid the CE in full, out-of-pocket; and The disclosure is not required by other law. The CE is encouraged, but not required, to notify downstream providers of the restriction The Preamble to the Omnibus Regulations contained in the January 25, 2013 issue of the Federal Register provides guidance on the scope of the restriction and other potential implementation issues, including a number of illustrative, hypothetical cases. The old permissive rule still applies to all other requests for restrictions from an individual. 31 Office of the Secretary Office for Civil Rights () Breach Notification Highlights Breach Notification Highlights September 2009 through November 6, reports involving over 500 individuals 84,963 reports involving under 500 individuals Top types of large breaches Theft Unauthorized Access/Disclosure Loss Top locations for large breaches Laptops Paper records Desktop Computers Portable Electronic Device 33 11

12 Spotlight on Largest Breaches of 2012 Hacking network server 780,000 affected Backup tapes stored at hospital cannot be found and are presumed lost 315,000 affected Unencrypted s sent to employee s unsecured address 228,435 affected Theft of laptop from employee s vehicle 116,506 affected Unauthorized access to e-phi stored in database 105,646 affected Hacking database stored on network server 70,000 affected 34 Breach Notification: 500+ Breaches by Type of Breach Hacking/IT Incident 7% Loss 14% Improper Disposal Unknown 5% 3% Unauthorized Access/ Disclosure 20% Theft 51% Data as of January Breach Notification: 500+ Breaches by Location of Breach E mail 3% Other EMR 2% Network Server 11% 10% Paper Records 22% Portable Electronic Device 14% Laptop 23% Desktop Computer 15% Data as of January

13 Office of the Secretary Office for Civil Rights () COMPLIANCE AUDITS 37 Audit Program HITECH Act Sec Periodic audits to ensure covered entities and business associates comply with requirements of HIPAA and HITECH Audit Objectives Examine mechanisms for compliance Identify best practices Discover risks and vulnerabilities that may not have come to light through complaint investigations and compliance reviews Renew attention of covered entities to health information privacy and security compliance activities 38 Compliance and Enforcement: Audit Where We Have Been 39 13

14 Audit Pilot Completed Pilot Process Tiered approach for snapshot of compliance across covered entity types, sizes, complexity Sample of 115 covered entities selected spread across 4 tiers All audits were completed by December 2012 published audit protocol Issued final reports to entities audited in pilot 40 Audit Pilot Observations Completed Audits of 115 entities 61 Providers, 47 Health Plans, 7 Clearinghouses No findings or negative observations for 13 entities (11%) 2 Providers, 9 Health Plans, 2 Clearinghouses Total 979 audit findings and observations 293 Privacy 592 Security 94 Breach Notification Percentage of Security Rule findings and observations was double what would have been expected based on the protocol Smaller entities (Level 4) struggled with all three areas 41 Summary of Entities Audited Level 1 Entities Large Provider / Payer Extensive use of HIT - complicated HIT enabled clinical /business work streams Revenues and or assets greater than $1 billion Level 3 Entities Community hospitals, outpatient surgery, regional pharmacy / All Self-Insured entities that don t adjudicate their claims Some but not extensive use of HIT mostly paper based workflows Revenues between $50 million and $300 million 42 Level 2 Entities Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company Paper and HIT enabled work flows Revenues and or assets between $300 million and $1 billion Level 4 Entities Small Providers (10 to 50 Provider Practices, Community or rural pharmacy) Little to no use of HIT almost exclusively paper based workflows Revenues less than $50 million 14

15 Size/Type of Entities Audited Level 1 Level 2 Level 3 Level 4 Total Health Plans Healthcare Providers Healthcare Clearinghouses Total Data as of December Types of Privacy Rule Audit Findings 50% 45% 40% 35% 30% 25% 20% 15% 10% 5% 0% 20% Notice of Privacy Practices 2% Restriction Requests & Alternative Communications 16% Individual Right of Access 18% Administrative Standards 44% Uses and Disclosures of PHI Data as of December Types of Security Rule Audit Findings 20% 18% 18% 16% 14% 12% 12% 14% 14% 14% 10% 9% 8% 6% 4% 2% 0% Risk Analysis Access Management Data as of December Security Incident Procedures 45 Contingency Planning Audit Controls and Monitoring Movement and Destruction of Media 15

16 Compliance and Enforcement Audit What s Ahead in 2014 Formal Program Evaluation 2013 Internal analysis for follow up and next steps Creation of technical assistance based on results Determine where entity follow up is appropriate Identify leading practices Revise Protocol to reflect Omnibus Rule Ongoing program design and focus Business Associates Accreditation /Certification correlations 46 Resumption of Audits in 2014 will be conducting a second round of compliance audits on its own beginning later in 2014 and continuing into selected from a very large data base an oversupply of 1200 organizations as possible subjects of the new round of audits. is currently making determinations about the listed organizations to determine their suitability for audit. Roughly 800 of the organizations are covered entities and 400 are business associates. 47 New Issues Likely to be Covered in Audits expects to revise its 2012 audit protocol to include changes brought by the Omnibus Regulations. also expects a more intensive focus on organizations analysis of potential risks and vulnerabilities involving the PHI which they generate and which comes in their custody as found the lack of any and/or adequate risks analysis to be very high in the 2012 audit

17 Office of the Secretary Office for Civil Rights () RESOURCES 49 We ve Been Busy New Compliance Assistance Tools for Covered Entities and Business Associates The HIPAA Omnibus Rule X QL9PoePU 50 New Resource Center at Medscape.org Video Programs module imbedded into page for dynamic interest Educational Links, Including Mobile Device Content

18 Two New Learning Modules for Free CME and CE Credit The goal of this activity is to describe steps in analyzing and managing risks related to the security of protected health information The goal of this activity is to describe steps healthcare practices should take to assess and improve the security of protected health information on mobile devices Consumer Awareness and Engagement Your New Rights Under HIPAA - Consumers =3-wV23_E4eQ Over 262,000 views since September 4, 2013 Visit us at 53 s YouTube Videos Your New Rights Under HIPAA 264,781 Views Your Health Information, Your Rights 116,291 Views The Right to Access Your Health Information 84,909 Views EHRs: Privacy and Security 5,645 Views Explaining the Notice of Privacy Practices 124,888 Views The HIPAA Omnibus Rule 273,927 Views Su Informacion de Salud, Sus Derechos 503,898 Views Treatment, Payment and Health Care Operations 77,967 Views Communicating with Friends and Family 97,428 Views HIPAA Security Rule 291,263 Views 1,840,997 TOTAL VIEWS FROM FEB to JAN 30, 2013 Visit us at

19 Contact Information Andrew C. Kruley Equal Opportunity Specialist (Investigator) Office for Civil Rights Region V United States Department of Health and Human Services 233 North Michigan Avenue Suite 240 Chicago, Illinois Andrew.Kruley@hhs.gov 55 19

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014 Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer

HIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for

More information

Lessons Learned from HIPAA Audits

Lessons Learned from HIPAA Audits Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

How To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient

How To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012 As Required by the Health Information Technology for Economic and Clinical

More information

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.

HIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq. HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September

More information

HIPAA Privacy, Security and Breach Notification Audits

HIPAA Privacy, Security and Breach Notification Audits HIPAA Privacy, Security and Breach Notification Audits Program Overview & Initial Analysis Verne Rinker JD, MPH 2013 NIST / OCR Security Rule Conference May 21-22, 2013 Program Mandate HITECH Act, Section

More information

Why Lawyers? Why Now?

Why Lawyers? Why Now? TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business

More information

2012 HIPAA Privacy and Security Audits

2012 HIPAA Privacy and Security Audits Office of the Secretary Office for Civil Rights (OCR) 2012 HIPAA Privacy and Security Audits Linda Sanches OCR Senior Advisor, Health Information Privacy Lead, HIPAA Compliance Audits OCR 1 Agenda Background

More information

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes

Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes Watch the Replay Straight from the Source: HHS Tools for Avoiding Some of the Biggest HIPAA Mistakes FairWarning Executive Webinar Series May 20, 2014 #AnytimeAudit Today s Panel Laura E. Rosas, JD, MPH

More information

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance

Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014

HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014 HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

What do you need to know?

What do you need to know? What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

THE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT?

THE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT? THE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT? Ohio Hospital Association Annual Meeting June 9, 2014 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease 614.464.8353 lpreisz@vorys.com Natasha

More information

HIPAA Breaches, Security Risk Analysis, and Audits

HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC What cons?tutes PHI? HIPAA provides a list of 18 iden?fiers that cons?tute PHI. Any one of these iden?fiers

More information

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS

Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Implementation Business Associates and Breach Notification

Implementation Business Associates and Breach Notification Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com

More information

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE

THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

You Probably Don t Even Know

You Probably Don t Even Know You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25

More information

Lessons Learned from OCR Privacy and Security Audits

Lessons Learned from OCR Privacy and Security Audits Lessons Learned from OCR Privacy and Security Audits Program Overview & Initial Analysis Linda Sanches, MPH Verne Rinker, JD MPH Presentation to IAPP Global Privacy Summit March 7, 2013 Program Mandate

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013

OCR HIPAA Audit Readiness. ISACA - North Texas Chapter April 11, 2013 ISACA - North Texas Chapter April 11, 2013 Introduction 1 2 Basic components of HIPAA and HITECH legislation HITECH and rising breaches 3 4 OCR HIPAA audits Key findings of the pilot audits 5 Approaches

More information

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group

HOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

When HHS Calls, Will Your Plan Be HIPAA Compliant?

When HHS Calls, Will Your Plan Be HIPAA Compliant? When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Dissecting New HIPAA Rules and What Compliance Means For You

Dissecting New HIPAA Rules and What Compliance Means For You Dissecting New HIPAA Rules and What Compliance Means For You A White Paper by Cindy Phillips of CMIT Solutions and Kelly McClendon of CompliancePro Solutions TABLE OF CONTENTS Introduction 3 What Are the

More information

HIPAA Update Focus on Breach Prevention

HIPAA Update Focus on Breach Prevention HIPAA Update Focus on Breach Prevention Objectives By the end of this program, participants should be able to: Identify top reasons why breaches occur Review the breach definition and notification process

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd

Lessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA and New Technologies Using Social Media and Texting Within the Rules. Today s Objectives

HIPAA and New Technologies Using Social Media and Texting Within the Rules. Today s Objectives HIPAA and New Technologies Using Social Media and Texting Within the Rules Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com For Northern California Chapter

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013

6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013 Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

HIPAA Violations Incur Multi-Million Dollar Penalties

HIPAA Violations Incur Multi-Million Dollar Penalties HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability

More information

Breaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014

Breaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014 Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?

Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are

More information

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH)

UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) UPDATES FOR MEDICAL PRACTICES: RED FLAGS AND IDENTITY THEFT AND HIPAA PRIVACY CHANGES (FROM HITECH) March 2011 Presentation by Jennifer L. Cox, J.D. Red Flags Rollback Red flags is going going and not

More information

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice

8/3/2015. Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Integrating Behavioral Health and HIV Into Electronic Health Records Communities of Practice Monday, August 3, 2015 1 How to ask a question during the webinar If you dialed in to this webinar on your phone

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010 Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013

HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 HIPPA and HITECH NOTIFICATION Effective Date: September 23, 2013 Orchard Creek Health Care is required by law to maintain the privacy of protected health information (PHI) of our residents. If you feel

More information

HIPAA Security Overview of the Regulations

HIPAA Security Overview of the Regulations HIPAA Security Overview of the Regulations Presenter: Anna Drachenberg Anna Drachenberg has been assisting healthcare providers and hospitals comply with HIPAA and other federal regulations since 2008.

More information

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable

NOTICE OF PRIVACY PRACTICES TEMPLATE. Sections highlighted in yellow are optional sections, depending on if applicable NOTICE OF PRIVACY PRACTICES TEMPLATE Sections highlighted in yellow are optional sections, depending on if applicable Original Date: ##/##/#### Revised per HIPAA Omnibus Rule ##/##/#### Revised Date Implementation:

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information