HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013


1 Office of the Secretary, Office for Civil Rights (OCR). HIPAA Enforcement. Emily Prehm, J.D., Office for Civil Rights, U.S. Department of Health and Human Services. December 18, 2013

2 Presentation Overview
- OCR's investigative process
- Tips for working with OCR during an investigation
- OCR's recent enforcement activities

3 Investigative Process

4 Investigation Steps
1. A notice letter is issued to the covered entity.
2. A response is received from the covered entity.
3. OCR analyzes the response to determine whether more data, information or interviews are needed.
4. OCR makes a compliance determination.

5 Resolutions by Year and Type, April 14, 2003 to December 31 (chart; end year and data not captured in the transcription)

6 Annual Enforcement Results, January 1, 2012 to December 31 (chart; end year and data not captured in the transcription)

7 Methods of Enforcement
When OCR determines, from its investigation of the allegations raised in a Privacy Rule complaint or through a compliance review, that a covered entity may well have violated the Privacy Rule and/or the Security Rule, OCR has various means of enforcement at its command. If feasible, OCR usually seeks voluntary compliance. Voluntary compliance often involves the covered entity changing its policies and procedures, retraining personnel, and sanctioning the members of its workforce who violated the Privacy or Security Rules.

8 Methods of Enforcement
If OCR determines that the conduct involved warrants some sort of penalty even if voluntary compliance is forthcoming, OCR may seek to have the covered entity enter into a Resolution Agreement and Corrective Action Plan as well as pay a resolution amount. This method is often used when the problems identified by OCR are systemic. If OCR determines that the conduct involved is so serious, or if the covered entity is adamant in its refusal to cooperate in the investigation or resolution of the problem, OCR will assess a Civil Money Penalty (CMP).

9 HIPAA Compliance/Enforcement (as of December 31, 2012), totals since 2003:
Complaints filed: 77,200
Cases investigated: 27,500
Cases with corrective action: 18,600
Civil monetary penalties and resolution agreements (since 2008): $14.9 million

10 What is a Resolution Agreement?
A settlement agreement between HHS and a covered entity. It incorporates a Corrective Action Plan which:
- generally lasts for one to three years;
- requires the covered entity to prepare new policies and procedures, subject to HHS approval;
- generally requires improved training; and
- requires monitoring of implementation and compliance.
It also includes payment of a resolution amount.

11 What is a Resolution Agreement?
A Resolution Agreement and Corrective Action Plan do not constitute:
- a formal finding of facts;
- a formal finding of a violation;
- an admission by the covered entity.
A resolution amount is not a civil monetary penalty, fine, or other formal penalty. Because a Resolution Agreement is an informal resolution into which the covered entity enters in lieu of administrative litigation, the covered entity has no right to formal process or an administrative hearing.

12 How does an RA/CAP Differ from Other Types of Informal Resolution?
Usually, investigations in which there are indications of noncompliance are concluded when:
- the covered entity completes certain voluntary compliance actions to the satisfaction of OCR; and
- OCR notifies the complainant and the covered entity in writing of the resolution result.
The Resolution Agreement/Corrective Action Plan approach is generally designed for cases with systemic issues, where an entity-wide change in policies and procedures, and in the internal emphasis placed on the issue, is needed to ensure compliance.

13 Recent Enforcement Actions

14 Recent Enforcement Actions
HITECH has allowed the Secretary to impose significantly increased penalty amounts for violations of the HIPAA rules and has encouraged prompt corrective action. Implementation of HITECH Act enforcement has strengthened the HIPAA protections and rights related to an individual's health information. This strengthened penalty scheme will encourage covered entities and business associates to comply with the HIPAA Privacy and Security and HITECH requirements.

15 Facts of the Providence Health and Services Case
- Electronic protected health information (ePHI) was left unattended overnight in the personal vehicle of an employee and was stolen. The employee took the disks and tapes pursuant to a practice followed at the time by the CE's information staff, with the knowledge of some of the CE's managers. The ePHI on the tapes and disks was not encrypted.
- Laptops containing ePHI were left unattended and were stolen from workforce members on four separate occasions. The ePHI on the stolen laptops was not encrypted.

16 Providence Investigation
The investigation was triggered by 31 complaints submitted to OCR and the Centers for Medicare and Medicaid Services (CMS). The complaints were merged into a joint compliance review by CMS and OCR. It was determined that the practices of the Providence entities created systemic vulnerabilities that led to massive losses of ePHI. Providence was cooperative throughout the investigation. Providence executed a Resolution Agreement and Corrective Action Plan in July

17 Indications of Noncompliance in the Providence Resolution Agreement
OCR cited the following indications of noncompliance in the Resolution Agreement:
- Electronic PHI was not encrypted or otherwise properly safeguarded by Providence.
- Backup tapes, optical disks, and laptops, all containing unencrypted ePHI, were removed from the Providence premises by members of the Providence workforce and left unattended in vehicles.
- Portable media and laptops were lost or stolen, compromising the ePHI of over 386,000 patients.
- Providence management knew of such practices, but allowed them to continue.

18 Actions to Settle the Providence Case
Providence paid a $100,000 resolution amount. Providence's Corrective Action Plan provided that:
1. Providence would revise its policies and procedures, subject to approval, by adopting new risk assessment and risk management tools and by improving physical and technical safeguards (e.g., encryption) for off-site transport and storage of electronic media containing PHI.
2. Providence would train its workforce members on electronic and other safeguards for PHI.
3. Providence would conduct internal audits and site visits of facilities to determine compliance with the Corrective Action Plan.
4. Providence would submit an implementation report and annual reports to HHS for a period of three years.

19 Lessons Learned
Effective compliance means more than just written policies and procedures. Corporate management of covered entities needs to continuously monitor implementation of privacy and security policies and practices. HHS is willing to work with cooperative entities to implement effective changes to ensure that consumers are protected. Covered entities need to ensure that these efforts include:
- effective privacy and security staffing;
- adequate employee training on privacy and security issues;
- physical and technical implementation in an effective manner.

20 Cignet Health Care
Over a two-year period, 41 individuals complained to OCR that Cignet had ignored their requests for access to their health records. Cignet failed to respond to OCR's investigation or to provide copies of the patients' records.

21 CMP of $4.3 Million Levied
- Civil Money Penalty of $1.3 million attributable to the failure to provide individuals access to their health records.
- Penalty of $3 million for the failure to respond to demands to produce records and the failure to cooperate with OCR's investigation.

22 Massachusetts General Hospital
- An employee who had taken patient files home left the folders on a subway train, and they were never recovered.
- The investigation was initiated after media reports of the incident and a complaint from an individual whose PHI was lost.
- Settled with OCR through a Resolution Agreement and Corrective Action Plan with a $1 million resolution amount.
- MGH was required to actively monitor its compliance with the Corrective Action Plan through the use of an internal monitor.

23 Management Services Organization of Washington
- MSO disclosed ePHI to an affiliated company without a valid authorization, so that the affiliate could market Medicare Advantage plans to those individuals.
- MSO had not developed or implemented appropriate and reasonable administrative, technical, and physical safeguards to protect ePHI.
- Separate agreements were reached with DOJ and OIG to settle allegations under the Federal False Claims Act.

24 Actions to Settle the Case
$35,000 resolution amount paid to OCR. Corrective Action Plan:
- develop and implement policies and procedures to demonstrate compliance with the Privacy and Security Rules;
- train workforce members;
- conduct internal monitoring;
- submit compliance reports to HHS for a period of two years.

25 Rite Aid Corporation
A series of media reports described personnel disposing of PHI, including labeled pill bottles and prescriptions, in unsecured garbage containers outside several Rite Aid pharmacy stores. $1 million resolution amount. Corrective Action Plan:
1. Revising and distributing policies and procedures regarding PHI disposal
2. Sanctioning workers who do not follow them
3. Training workforce members
4. Conducting internal monitoring
5. Engaging a third-party assessor to render reports to HHS
6. New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures
7. Submitting compliance reports to HHS for a period of three years

26 Indications of Non-Compliance in the Rite Aid Resolution Agreement
- Rite Aid's policies and procedures for disposal did not reasonably and appropriately safeguard PHI.
- Rite Aid did not maintain a sanctions policy for workforce members who failed to safeguard PHI in the disposal process.
- Rite Aid did not provide necessary and appropriate training for its workforce regarding disposal of PHI.

27 Major 2012 Enforcement Actions
BCBS Tennessee ($1.5M): ePHI stored on servers stolen from a deactivated data center after construction/relocation to a new facility. Lesson: reevaluate threats and vulnerabilities to ePHI caused by a changing operational environment and manage the risk.
Phoenix Cardiac Surgery ($100K): ePHI disclosed through the Internet when the provider used a third-party application hosted in the cloud. Lesson: business associate agreements are required when sharing data with cloud computing service providers.
Alaska DHSS ($1.7M): a portable storage device stolen from a personal vehicle, symptomatic of a widespread failure to implement program-wide information security safeguards. Lesson: risk analysis to identify the location of, and safeguards for, PHI, plus training and controls for portable devices.

28 Major 2012 Enforcement Actions
Massachusetts Eye and Ear Institute ($1.5M): stolen personal laptop of a physician who was using the device as a desktop substitute. The covered entity had not implemented a program to mitigate identified risks to ePHI. Lesson: encrypt data stored on end-user devices.
Hospice of Northern Idaho ($50K): breach affecting 400 individuals when a laptop was stolen. The provider had not conducted a risk assessment or taken other measures to safeguard ePHI as required by the Security Rule. Lesson: implement security measures to safeguard ePHI.

29 Major 2013 Enforcement Actions
Affinity Health Plan ($1.2 million): breach report after CBS News notified Affinity that it had purchased a photocopier previously leased to Affinity whose hard drive contained ePHI; an estimated 344,579 individuals were affected. Affinity failed to delete ePHI when it returned multiple leased copiers and failed to incorporate the ePHI contained on copier hard drives into its risk analysis. Corrective action: best efforts to retrieve the hard drives and implement safeguards.
WellPoint ($1.7 million): breach report that the ePHI of 612,402 individuals was accessible to unauthorized persons over the Internet. WellPoint did not implement administrative and technical safeguards.

30 Major 2013 Enforcement Actions
Shasta Regional Medical Center ($275,000): compliance review following an LA Times article indicating an impermissible disclosure of PHI to the media. Senior management impermissibly shared a patient's PHI with the entire staff via e-mail and failed to sanction the workforce members who disclosed that PHI to the media. Corrective action: update policies on safeguarding PHI and train staff; 15 other hospitals under the same ownership attest to their understanding of permissible uses and disclosures of PHI.
Idaho State University ($400,000): breach reported after the ePHI of 17,500 patients was unsecured for 10 months due to disabled firewall protections, affecting 29 outpatient clinics. ISU did not apply proper security measures and policies to address risks to ePHI and did not have procedures for routine review of IT systems. Corrective action plan pertaining to risk management and information system activity review, so that problems are detected sooner.

31 A Culture of Compliance
In light of OCR's clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.

32 Want More Information?
The OCR website offers a wide range of helpful information about health information privacy, including educational information, FAQs, and rule text and guidance for the Privacy, Security, and Breach Notification Rules.

33 Region VIII Contact Information
U.S. Department of Health and Human Services, Office for Civil Rights, Region VIII
th Street, South Terrace, Suite 417
Denver, Colorado
Emily Prehm, Equal Opportunity Specialist


More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Isaac Willett April 5, 2011

Isaac Willett April 5, 2011 Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule

Reporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What

More information

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?

3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed

More information

RESOLUTION AGREEMENT I. RECITALS

RESOLUTION AGREEMENT I. RECITALS RESOLUTION AGREEMENT I. RECITALS 1. Parties. The Parties to this Resolution Agreement ( Agreement ) are the United States Department of Health and Human Services, Office for Civil Rights ( HHS ) and The

More information

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012

HIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012 HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually

More information

HITECH Omnibus Overview of the Rule

HITECH Omnibus Overview of the Rule HITECH Omnibus Overview of the Rule June 14, 2013 OCR Representative: Rachel Seeger WEDI Representatives: Mark Cone and David Ginsberg WEDI SNIP Privacy & Security Workgroup 1 Overview of the Omnibus Final

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done? Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514

More information

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996

What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other

More information

HIPAA Training for Staff and Volunteers

HIPAA Training for Staff and Volunteers HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

The HIPAA Audit Program

The HIPAA Audit Program The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance

More information

Philip L. Gordon, Esq. Littler Mendelson, P.C.

Philip L. Gordon, Esq. Littler Mendelson, P.C. Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300)

Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Outline. Identity Fraud and HIPAA Data Breaches Criminal and Civil Enforcement Efforts Orlando, FL July 30, 2014 7/10/2014

Outline. Identity Fraud and HIPAA Data Breaches Criminal and Civil Enforcement Efforts Orlando, FL July 30, 2014 7/10/2014 LeadingAge Florida s 50 th Annual Convention and Exposition Identity Fraud and HIPAA Data Breaches Criminal and Civil Enforcement Efforts Orlando, FL July 30, 2014 James Robnett Special Agent in Charge

More information

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement

OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure

More information

2010 HIPAA Security Environment

2010 HIPAA Security Environment 2010 HIPAA Security Environment Managing Risk in the HITECH Act World Prepared by Mark Lutes, Epstein Becker & Green, PC mlutes@ebglaw.com; 202.861.1824 Robert Hudock, Epstein Becker & Green, PC rhudock@ebglaw.com;

More information

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano

The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident

More information

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760

The ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760 Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach

More information

HIPAA security rules of engagement

HIPAA security rules of engagement healthcare HIPAA security rules of engagement The use of health information technology continues to expand in healthcare. Healthcare organizations are using web-based applications and other portals that

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations

The MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business

More information

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

HIPAA Training for Hospice Staff and Volunteers

HIPAA Training for Hospice Staff and Volunteers HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HIPAA compliance audit: Lessons learned apply to dental practices

HIPAA compliance audit: Lessons learned apply to dental practices HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers

More information

HIPAA and Mental Health Privacy:

HIPAA and Mental Health Privacy: HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association

More information

HIPAA Training for Providers

HIPAA Training for Providers HIPAA Training for Providers [Organization] [Date] What is HIPAA? HIPAA stands for the Health Insurance Portability and Accountability Act of 1996, which became law on August 21, 1996. HIPAA is implemented

More information

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY

SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY SCHOOL DISTRICT OF BLACK RIVER FALLS HIPAA PRIVACY AND SECURITY POLICY School Board Policy 523.5 The School District of Black River Falls ( District ) is committed to compliance with the health information

More information

Business Associate Management Methodology

Business Associate Management Methodology Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

HIPAA Privacy Summary Kelly McLendon, RHIA

HIPAA Privacy Summary Kelly McLendon, RHIA HIPAA Privacy Summary Kelly McLendon, RHIA This document is intended to summarize the latest HIPAA Privacy Rules in a format that is understandable by record managers and all of the stakeholders of protected

More information

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations

More information