May 18, Georgina Verdugo Director Office for Civil Rights United States Department of Health and Human Services

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "May 18, 2010. Georgina Verdugo Director Office for Civil Rights United States Department of Health and Human Services"

Transcription

1 May 18, 2010 Georgina Verdugo Director Office for Civil Rights United States Department of Health and Human Services RE: HIPAA Privacy Rule Accounting of Disclosures Under the Health Information Technology for Economic and Clinical Health Act; Request for Information (RIN 0991-AB62) Dear Ms. Verdugo: The undersigned organizations are members of the Consumer Partnership for e-health (CPeH), a coalition of consumer, patient, and labor organizations working on both the national and local levels that, since 2005, has served as a strong and diverse consumer voice advocating for patient-centered policies related to health information technology (HIT). We submit these comments in response to the request for information (RFI) on the implementation of the modifications to the HIPAA Privacy Rule s Accounting of Disclosures provisions required by Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA). We believe the accounting of disclosure provisions play a critical role in providing individuals with greater transparency about uses and disclosures of their personal health information. Survey data show that the public supports movement to electronic health records (EHRs), health information exchanges (HIEs) and personal health records (PHRs). However, the data also reflect significant public concerns about the privacy and security of personal health information online, as well as a recognition that the Federal Government has a role in protecting privacy. 1 As we move forward with initiatives to increase the adoption and meaningful use of health information technology (health IT), it is critical to provide greater protection for health information to maintain public trust. In making modifications to the current HIPAA rule on accounting of disclosures, Congress clearly recognized the ability of EHRs to provide individuals with greater transparency about uses and disclosures of their health data than is possible with paper records. Implementation of these new provisions, as well as others in ARRA, creates opportunities for the US Department of Health and Human Services (HHS) to harness the power of technology to better protect health information privacy. Our comments below to some of the questions asked in the RFI are intended to help HHS maximize this opportunity for patients and health care providers. (We did 1 See summaries of Markle public opinion surveys at the following URL:

2 not address those questions directed at covered entities that have experience in implementing the current accounting of disclosures provisions.) In summary, we recommend that HHS: Focus on what is likely to be most important to individuals. Allow covered entities with EHRs to initially use audit trails to satisfy an individual s request for an accounting. Phase-in requirements for additional information to be included in the accounting, such as the purpose of the disclosure and the recipient of the information. Questions 1. What are the benefits to the individual of an accounting of disclosures, particularly of disclosures made for treatment, payment, and health care operations purposes? Transparency Providing individuals with transparency about the uses and disclosures of their identifiable health information is a key component of fair information practices and the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. 2 The practice provides a deterrent to inappropriate access, helps in the detection of fraud, and when combined with other privacyprotective practices of a comprehensive framework supports public trust. The HIPAA Privacy Rule includes several provisions designed to provide greater transparency for patients: The right of patients to receive notice of permitted uses of their health information and their rights with respect to that information; The requirement on covered entities to obtain express patient authorization for certain uses and disclosures; and The right of patients to obtain, upon request, a detailed accounting of certain disclosures. Under the current HIPAA Privacy Rule, the right to receive an accounting is limited to only certain non-routine disclosures; however, the accounting must include a fair amount of detail for each disclosure and cover a period of six years prior to the request. Individuals can also look to covered entities to provide them with an accounting of such disclosures made by business associates of the covered entities. Congress recognized the ability of electronic record systems to automatically detect and record access to a patient s electronic health information and directed HHS to make improvements to the accounting of disclosure provisions. Now, routine disclosures for 2 It is also a key component of the Markle Foundation s multi-stakeholder Connecting for Health Initiative s Common Framework, see 2

3 treatment, payment, and health care operations must be included in an accounting. In addition, HHS Office of the National Coordinator for Health Information Technology (ONC) issued draft certification criteria for EHRs that included provisions to enable greater transparency with respect to record access: (1) technical requirements to enable EHRs to automatically record information that could be used to provide an accounting of disclosures, 3 and (2) technical requirements that enable EHRs to record and generate an audit trail of all access to an EHR. These provisions together provide the technical building blocks for individuals to receive greater transparency of uses and disclosures of their health information. Requiring the use of audit trails and the enhanced accounting provisions combine to provide more effective tools for detecting potential breaches of health information. Early detection through audit trail use and monitoring, bolstered by individuals viewing audit trails or an accounting when they suspect inappropriate use of their information, provides health care providers and institutions with important information about weaknesses in their privacy and security policies and practices. Accountability The current HIPAA Privacy Rule requires covered entities to provide individuals with an accounting only upon request. In ARRA, Congress retained this as a right that individuals exercise at their discretion. Consequently, most individuals will seek an accounting only when they have a need to know who has accessed their record, such as if they suspect inappropriate access. It is important to structure the new accounting provisions in a way that most directly responds to this need. At a minimum, individuals need to know who has accessed information in their record, when such access occurs, and what was done with that information, per the audit trail requirements in the proposed certification criteria. Providing individuals with information about the purpose of the disclosure is also of critical importance to increasing transparency and understanding about the legitimate uses of health information. Therefore this should also be required information, once the electronic systems used by providers are routinely able to collect it. Providing this information in an accounting serves two critical purposes: 1. Helping consumers determine whether their personal health information was disclosed inappropriately and 2. Providing information necessary to hold individuals and institutions accountable in the event of an inappropriate disclosure. Provisions on accounting of disclosure are just one tool under HIPAA for improving patient privacy and security. They are not the sole solution for improving transparency for patients. Nor should they be viewed as the sole mechanism for ensuring 3 ARRA 13405(c). 3

4 accountability. In developing an accounting rule that leverages the functionalities of EHRs, is effective for patients, and does not unreasonably burden providers HHS should focus on what accounting can add to a comprehensive framework of protections that promote greater transparency and accountability. 2. Are individuals aware of their current right to receive an accounting of disclosures? On what do you base this assessment? To the best of our knowledge, there is no objective, nationally representative assessment of the levels of public awareness regarding the right to receive an accounting of disclosures of personal health information. In practice, providers report that individuals rarely request an accounting of disclosures under current rules. This low utilization rate is likely due to individuals not being aware of the right to receive an accounting. 4 We caution HHS not to base policy on anecdotal reports of low rates of individuals exercising their rights to an accounting of disclosures, as survey data indicates strong interest by the public in reviewing who has had access to their health information. Markle Foundation surveys indicate that the public strongly supports the concept of being able to see who has had access to personal health information. For example, 90 percent of respondents in a 2008 survey said that the ability to review who has had access to their information would be one factor in their decision to use a PHR, with 53 percent calling this practice essential. 5 In a 2005 survey on health information exchange, 81 percent called it an absolute or high priority policy. 6 As noted above, survey data also indicate a high degree of concern by individuals about the privacy of their health information. HHS should assume that in an environment of greater use of EHRs and electronic health information exchange, patients may take advantage of the opportunity to learn more about who has accessed their records. 5. With respect to treatment, payment, and health care operations disclosures, 45 CFR (e) currently provides the standard that an electronic health record system record the date, time, patient identification, user identification, and a description of the disclosure. In response to its interim final rule, the Office of the National Coordinator for Health Information Technology received comments on 4 Research has demonstrated that HIPAA privacy notices are often difficult to read and understand. See Mark Hochhauser, Readability of HIPAA Privacy Notices, pp. 5-6, March 12, 2003, Mark Hochhauser, Why Patients Won t Understand Their HIPAA Privacy Notices, April 10, 2003, and Marie Pollio, The Inadequacy of HIPAA s Privacy Rule: The Plain Language Notice of Privacy Practices and Patient Understanding, 60 N,Y.U. Ann. Surv. Am. L. 579 (2005), %20579%20(2005).pdf. 5 Markle Foundation, "Americans Overwhelmingly Believe Electronic Personal Health Records Could Improve Their Health" June 2008, pdf 6 4

5 this standard and the corresponding certification criterion suggesting that the standard also include to whom a disclosure was made (i.e., recipient) and the reason or purpose for the disclosure. Should an accounting for treatment, payment, and health care operations disclosures include these or other elements and, if so, why? How important is it to individuals to know the specific purpose of a disclosure i.e., would it be sufficient to describe the purpose generally (e.g., for for treatment, for payment, or for health care operations purposes ), or is more detail necessary for the accounting to be of value? To what extent are individuals familiar with the different activities that may constitute health care operations? On what do you base this assessment? As noted above, patients who request an accounting will most likely be doing so because they suspect that someone has inappropriately accessed their record, therefore it is essential that the disclosure information they receive include information they need to determine if their information has been used inappropriately. Knowing who received the information that was disclosed and for what purpose are vital to being able to make these determinations, especially given the fact that at the current time the general public has limited knowledge and understanding of the legitimate ways in which their health information is used. Providing some degree of specificity regarding purpose of disclosure, as opposed to simply stating treatment, payment, or operations, would also be advisable, given this general lack of understanding. Providing more detailed description of operations activities would be particularly important, given that there is even less understanding about this particular purpose. Increased transparency about how personal health information is used in provider operations would go a long way toward building trust. Ideally patients would be able to see an accounting not just of external disclosures, but also instances of internal access to the record. Such comprehensive accounting is necessary to provide adequate accountability for inappropriate access and disclosures of information. The increasing number of reports of employee snooping and inappropriate use of information 7 serve to erode consumer trust, even as they readily understand and want the benefits HIT can bring to the quality of their health care. In making decisions about how to meet patients needs for information about the disclosures of their health information, HHS should focus on information that is likely to be most relevant to patients, as well as what is possible to be automatically generated today. This will pave the way for additional useful information to be automatically generated about EHR access and disclosure in the future. Audit trails typically produce 7 Hospital: Radiologist used other employees passwords accessed 5/17/10. 5

6 a record of all access to a patient s record and are therefore a great starting place for meeting patients needs. Additionally, audit trails can be automatically generated by EHRs that will be adopted by providers in Stage 1 of meaningful use, a critical feature that will minimize provider burden. As noted above, HHS has already issued two proposed certification criteria that are relevant to updating the current accounting rule: specifically, those for an audit trail and those specifically designed to address the ARRA accounting provisions. HHS should consider deeming an electronic audit trail of all access to the EHR to satisfy the accounting of disclosures requirement. Patients requesting an accounting would be provided with a copy of the audit trail of their record, which, based on the proposed certification criteria, includes the following information: the date, time, patient identification (name or number), and user identification (name or number), which is recorded when electronic health information is created, modified, deleted, or printed, and an indication of which action(s) occurred. This is likely to satisfy the needs of many patients in seeking an accounting, who are looking for unexpected or suspicious activity in the record. Auditing all record access goes beyond an accounting of just disclosures, but the likelihood that EHRs will possess audit trail functionality in time for Stage 1 of meaningful use and the requirement of audit trail standards under the voluntary Certification Commission for Health IT Standards for ambulatory and inpatient EHRs makes this an attractive initial approach. Allowing covered entities to use an audit trail to respond to individual requests for an accounting under the new ARRA provisions leverages technology that is currently available and takes an initial step toward creating greater transparency with respect to uses and disclosures of health information. We recognize that such audit logs will be difficult for individuals to comprehend, particularly if they are from larger provider organizations or institutions where the record access on a routine basis could be quite extensive. To address this, covered entities could choose to filter the audit log so that it just includes disclosures, or entities could sit down with the patient to answer any questions. It is likely that patients will have additional questions after viewing their audit logs. The ability of an audit log to provide additional information, such as the purpose of the access or disclosure or a brief description, would alleviate the burden on covered entities to make staff available to explain the audit log to the patient. However, it may not be feasible for many EHRs today to generate an audit trail or an accounting that automatically includes purpose or a description of each access or disclosure. Such a requirement should be phased in over time, to allow the technology to develop this capability. HHS should also consider providing incentives or otherwise encouraging vendors to release new EHRs (or upgrades) that allow users to select from a list of common disclosure purposes or that otherwise allow for the disclosure purpose to be logged without the need to manually input text. An increase in patients seeking a copy of the audit trail could stimulate demand for greater functionality to serve the needs of both covered entities and patients. 6

7 It is critical to consider what can be automatically generated by EHRs that exist today, as well as what is possible in the coming years. Providers should not be required to manually input additional information in the course of using the EHR in order to ensure that additional information is in the accounting. HHS should capitalize on what can be automatically generated today, and provide incentives for vendors to develop greater accounting functionality over time. 6. For existing electronic health record systems: (e) Is there a single, centralized electronic health record system? Or is it a decentralized system (e.g., different departments maintain different electronic health record systems and an accounting of disclosures for treatment, payment, and health care operations would need to be tracked for each system)? Since the purpose of the ARRA revisions to the accounting rule was to increase the scope of disclosures and not necessarily to give individuals access to records that they do not have the right to access today, HHS should consider clarifying the definition to make it clear that the accounting addresses only those portions of the record that individuals have the right to access under C.F.R Patients will want an accounting of access to and disclosures from the clinical portions of the EHR, and HHS should clarify that the definition of EHR does not extend to portions of an entity s electronic recordkeeping systems that do not involve patient clinical data. To the extent that the clinical EHR is decentralized, allowing entities to use an audit trail to respond to patient accounting requests should help entities comply, as all parts of the entities overall EHR system should have audit trail functionality. 7. The HITECH Act provides that a covered entity that has acquired an electronic health record after January 1, 2009 must comply with the new accounting requirement beginning January 1, 2011 (or anytime after that date when it acquires an electronic health record), unless we extend this compliance deadline to no later than Will covered entities be able to begin accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations by January 1, 2011? If not, how much time would it take vendors of electronic health record systems to design and implement such a feature? Once such a feature is available, how much time would it take for a covered entity to install an updated electronic health record system with this feature? If covered entities are permitted to use an audit trail to respond to patient requests for an accounting, there is no reason why compliance could not begin by January 1, 2011 because EHRs are required by have this functionality for Stage 1 of meaningful use, and EHRs certified voluntarily by CCHIT already have this capability. HHS should stage requirements for an accounting to include additional information such as the recipients 7

8 of and purpose for any disclosures based on developing EHR capabilities. 9. Is there any other information that would be helpful to the Department regarding accounting for disclosures through an electronic health record to carry out treatment, payment, and health care operations? Compliance by HIPAA Business Associates Under ARRA, business associates are required to comply with the privacy provisions that apply to covered entities; 8 thus, the new accounting requirements are made applicable to business associates. Covered entities are required to provide an accounting of disclosures made by business associates. In the alternative, they can provide individuals with a list of their business associates, and the individuals can then contact those business associates to receive an accounting. We acknowledge that business associates now have independent obligations to comply with the HIPAA privacy and security rules. But placing the burden on patients to seek data directly from business associates is an inefficient (and largely ineffective) way to achieve greater transparency about uses and disclosures of health information. Instead, we suggest that covered entities have the primary obligation to produce an accounting of access to and disclosures from their EHR system. If the patient needs more information about a particular access or disclosure that involves a business associate, the covered entity can contact the particular business associate for further information (which is consistent with how the breach notification rules treat the obligation to notify the patient in the case of inappropriate record access), or, less optimally, provide information to help the patient make the request directly from the relevant business associate(s). This is much more effective than giving the patient a list of all of the entities business associates and requiring the patient to go on a fishing expedition to find his or her data. We note that the ARRA accounting rule modifications apply to covered entities using EHRs and their business associates. This does not require that a business associate be using an EHR in order to be covered by the rule, but the new accounting provisions in ARRA should apply to those business associates using electronic systems that have (or should have) audit trail or other access tracking functionality. Such functionality should be required for business associates keeping electronic records. ARRA also makes clear that entities like Health Information Exchanges and Regional Health Information Organizations (collectively, HIEs) will be business associates, and thus have some obligations for complying with the new accounting provisions. 9 How HIEs comply with these new obligations should depend on how they are structured. For example, a federated exchange that merely facilitates the exchange of information by EHRs may not be able to easily account for disclosures of an individual patient s information (although the edge systems should be fully accountable for accounting for 8 ARRA Section 13404(a). 9 ARRA Section

9 disclosures through the network). However, HIEs that operate database or even hybrid federated/database models may face no more challenges to accounting for disclosures than a large provider using an EHR. Costs of Compliance We have heard from covered entities that they estimate compliance with the ARRA accounting modifications could cost millions (an estimate from one health care system submitted to OMB was approximately $250 million over three years) [Intermountain]. We assume that such calculations are based on applying the provisions of the current accounting rule, which requires that patients be provided with a fair degree of detail for a smaller scope of disclosures, to disclosures for treatment, payment and operations from an EHR. However, if HHS leverages existing EHR capabilities such as the audit trail functionality and expands the amount of information provided to patients using these automated functions over a period of time, there is less reason to believe that this will impose significantly greater costs on covered entities. If HHS focuses on what can be automatically generated, even small providers should easily be able to comply with the expanded accounting provisions. Cost to Individuals Under existing accounting of disclosure provisions, individuals may receive one free copy per year of an accounting. Because the new accounting provisions should be structured in a way that leverages the automating capabilities of EHRs, individuals should continue to be able to receive these at no charge particularly when they are asking for the accounting because they have reason to suspect unauthorized or unlawful access to their personal health information. We appreciate the opportunity to submit these comments. Sincerely, Members of the Consumer Partnership for ehealth AARP American Association of People with Disabilities Childbirth Connection Consumers Union Family Violence Prevention Fund Mental Health America National Health Law Program The Center for Democracy & Technology The National Partnership for Women & Families 9

May 18, 2010. Dear Director Verdugo,

May 18, 2010. Dear Director Verdugo, May 18, 2010 Director Georgina Verdugo U.S. Department of Health and Human Services, Office for Civil Rights Attention: HITECH Accounting of Disclosures Hubert H. Humphrey Building, Room 509F 200 Independence

More information

Data Breach, Electronic Health Records and Healthcare Reform

Data Breach, Electronic Health Records and Healthcare Reform Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA

More information

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.

The HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq. The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery

More information

New HIPAA Rules and EHRs: ARRA & Breach Notification

New HIPAA Rules and EHRs: ARRA & Breach Notification New HIPAA Rules and EHRs: ARRA & Breach Notification Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com and Raj Goel Chief Technology Officer Brainlink

More information

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

HEALTH IT! LAW & INDUSTRY

HEALTH IT! LAW & INDUSTRY A BNA, INC. HEALTH IT! LAW & INDUSTRY Meaningful Use REPORT VOL. 2, NO. 15 APRIL 12, 2010 BNA Insights: Toward Achieving Meaningful Use: HHS Establishes Certification Criteria for Electronic Health Record

More information

HIPAA Privacy Breach Notification Regulations

HIPAA Privacy Breach Notification Regulations Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification

More information

RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62

RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62 Submitted electronically at www.regulations.gov Ms. Susan McAndrew Deputy Director for Health Information Privacy Office for Civil Rights U.S. Department of Health and Human Services Hubert H. Humphrey

More information

Business Associate Considerations for the HIE Under the Omnibus Final Rule

Business Associate Considerations for the HIE Under the Omnibus Final Rule Business Associate Considerations for the HIE Under the Omnibus Final Rule Joseph R. McClure, Esq. Counsel Siemens Medical Solutions USA, Inc. WEDI Privacy & Security Work Group Co-Chair Agenda Who is

More information

Notice of Proposed Rule HIPAA Privacy Rule on Accounting of Disclosures and Access Reports

Notice of Proposed Rule HIPAA Privacy Rule on Accounting of Disclosures and Access Reports Notice of Proposed Rule HIPAA Privacy Rule on Accounting of Disclosures and Access Reports The U.S. Department of Health and Human Services has issued a Notice of Proposed Rule to modify the Health Insurance

More information

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse

troinet.com When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse When It Comes to HIPAA Compliance, Ignorance of the Law Is No Excuse The Health Insurance Portability and Accountability Act of 1996

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HITECH Act Changes to HIPAA Privacy and Security Rules

HITECH Act Changes to HIPAA Privacy and Security Rules CLIENT - ALERT TO: FROM: RE: Health Care Clients D. Brent Wills HITECH Act Changes to HIPAA Privacy and Security Rules DATE: September 21, 2012 This Memorandum is a supplement to my firm s Memorandum dated

More information

Signed into law on February 17, 2009, the Stimulus Package known

Signed into law on February 17, 2009, the Stimulus Package known Stimulus Package Expands HIPAA Privacy and Security and Adds Federal Data Breach Notification Law Marcy Wilder, Donna A. Boswell, and BarBara Bennett The authors discuss provisions of the Stimulus Package

More information

STANDARD ADMINISTRATIVE PROCEDURE

STANDARD ADMINISTRATIVE PROCEDURE STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Patient Privacy and HIPAA/HITECH

Patient Privacy and HIPAA/HITECH Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

Certificate of EHR Compliance

Certificate of EHR Compliance Coordinate 2.0 EHR Modular (Ambulatory) Modules Tested: 170.314(a)(14); 170.314(g)(2, 4) Holds Certificate No. 06192014 2580 5 Coordinate 2.0 EHR Modular (Inpatient) Modules Tested: 170.314(a)(14); 170.314(g)(4)

More information

Business Associate Liability Under HIPAA/HITECH

Business Associate Liability Under HIPAA/HITECH Business Associate Liability Under HIPAA/HITECH Joseph R. McClure, JD, CHP Siemens Healthcare WEDI Security & Privacy SNIP Co-Chair Reece Hirsch, CIPP, Partner Morgan Lewis & Bockius LLP ` Fifth National

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

Will the Feds Really Buy Me an EHR?

Will the Feds Really Buy Me an EHR? Steven Waldren, MD, David C. Kibbe, MD, MBA, and Jason Mitchell, MD Will the Feds Really Buy Me an EHR? and Other Commonly Asked Questions About the HITECH Act The economic stimulus package offers $19

More information

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals

HIPAA for HIT and EHRs. Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals HIPAA for HIT and EHRs Latest on Meaningful Use and EHR Certification: For Privacy and Security Professionals Donald Bechtel, CHP Siemens Health Services Patient Privacy Officer Fair Information Practices

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

October 22, 2009. 45 CFR PARTS 160 and 164

October 22, 2009. 45 CFR PARTS 160 and 164 October 22, 2009 U.S. Department of Health and Human Services Office for Civil Rights Attention: HITECH Breach Notification Hubert H. Humphrey Building Room 509 F 200 Independence Avenue, SW Washington,

More information

Re: RIN 0991-AB56; Breach Notification for Unsecured Protected Health Information; Interim Final Rule, 74 Fed. Reg (August 24, 2009).

Re: RIN 0991-AB56; Breach Notification for Unsecured Protected Health Information; Interim Final Rule, 74 Fed. Reg (August 24, 2009). Kathleen Sebelius, Secretary U.S. Department of Health and Human Service Office for Civil Rights Attention: HITECH Breach Notification Hubert H. Humphrey Building, Room 509F 200 Independence Avenue, SW

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is effective as of, 2013, and is by and between SOUTHWEST DEVELOPMENTAL SERVICES, INC. ( Covered Entity ) and ( Business Associate

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES

BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES 1 BUSINESS ASSOCIATE AGREEMENT WITH TRANSFUSION FACILITIES This BUSINESS ASSOCIATE AGREEMENT (this Agreement ) is entered into as of the date first written in the signature block below (the Effective Date

More information

What Virginia s Free Clinics Need to Know About HIPAA and HITECH

What Virginia s Free Clinics Need to Know About HIPAA and HITECH What Virginia s Free Clinics Need to Know About HIPAA and HITECH This document is one in a series of tools and white papers produced by the Virginia Health Care Foundation to help Virginia s free clinics

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Health IT Strategic Framework: Strategic Themes, Principles, Objectives, and Strategies

Health IT Strategic Framework: Strategic Themes, Principles, Objectives, and Strategies Health IT Strategic Framework: Strategic Themes, Principles, Objectives, and Strategies Office of the National Coordinator for Health Information Technology March 8, 2010 Version 23 1 I. BACKGROUND & CHARGE

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS

Shipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH Employment, Labor and Benefits and Health Law Advisory JULY 13 2010 Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH BY ALDEN BIANCHI,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BA Agreement ) is entered into by Medtep Inc., a Delaware corporation ( Business Associate ) and the covered entity ( Covered Entity

More information

INTRODUCTION. The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment

INTRODUCTION. The HIPAA Privacy Rule and Electronic Health Information Exchange in a Networked Environment INTRODUCTION This guidance is composed of a series of fact sheets that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

Department of Health and Human Services

Department of Health and Human Services Thursday, June 24, 2010 Part II Department of Health and Human Services 45 CFR Part 170 Establishment of the Temporary Certification Program for Health Information Technology; Final Rule VerDate Mar2010

More information

Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid

Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid Santa Rosa Presents Webinar Series Electronic Health Records & Meaningful Use Incentives: Medicare & Medicaid February 11, 2011 Chris Apgar, CISSP President Overview ARRA & Meaningful Use Rule Overview

More information

Health Record Banking Alliance

Health Record Banking Alliance Health Record Banking Alliance From: William A. Yasnoff, MD, PhD, President, Health Record Banking Alliance To: Regulations.Gov Website at http://www.regulations.gov/search/regs/home.html#home Date: May

More information

Dear Honorable Members of the Health information Technology (HIT) Policy Committee:

Dear Honorable Members of the Health information Technology (HIT) Policy Committee: Office of the National Coordinator for Health Information Technology 200 Independence Avenue, S.W. Suite 729D Washington, D.C. 20201 Attention: HIT Policy Committee Meaningful Use Comments RE: DEFINITION

More information

BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS

BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS PRIVACY 27.0 BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS Scope: Purpose: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS

More information

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section

More information

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule

Understanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into as of ( Effective Date ) by and between ( Covered Entity ) and American Academy of Sleep Medicine ( Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY

EGUIDE BRIDGING THE GAP BETWEEN HEALTHCARE & HIPAA COMPLIANT CLOUD TECHNOLOGY Bridging The Gap Between Healthcare & Hipaa Compliant Cloud Technology and outsource computing resources to external entities, would provide substantial relief to healthcare service providers. Data stored

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Direct Messaging and Individual s Right of Access through Their Personal Health Record

Direct Messaging and Individual s Right of Access through Their Personal Health Record January 30, 2015 To: cc: Re: Ms. Jocelyn Samuels, Director Office for Civil Rights U.S. Department of Health & Human Services 200 Independence Avenue, S.W. Room 509F HHH Bldg. Washington, D.C. 20201 Dr.

More information

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

New Proposed HIPAA Accounting Regulation Adds Up To Big Changes for Health Plans

New Proposed HIPAA Accounting Regulation Adds Up To Big Changes for Health Plans July 13, 2011 Author: Christy A. Tinnes If you have questions, please contact your regular Groom attorney or any of the Health and Welfare attorneys listed below: Jon W. Breyfogle jbreyfogle@groom.com

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

The American Recovery and Reinvestment Act of 2009 Summary of Key Health Information Technology Provisions July 1, 2009

The American Recovery and Reinvestment Act of 2009 Summary of Key Health Information Technology Provisions July 1, 2009 The American Recovery and Reinvestment Act of 2009 Summary of Key Health Information Technology Provisions July 1, 2009 This document is a summary of the ARRA and offered for information only. As the term

More information

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S):

UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): UNIVERSITY PHYSICIANS OF BROOKLYN HIPAA BUSINESS ASSOCIATE AGREEMENT CONTRACT NO(S): THIS AGREEMENT is made by and between UNIVERSITY PHYSICIANS OF BROOKLYN, INC., located at 450 Clarkson Ave., Brooklyn,

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC HIPAA Update Bob Radecki W.J. Flynn and Associates, LLC Background ARRA American Recovery and Reinvestment Act of 2009 HITECH Health Information Technology for Economic and Clinical Act (Title XII, Part

More information

Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements

Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements Neither You Nor Your Business Associates Can Afford to be Lax About Complying with HIPAA Requirements Sara Kashing, JD, Staff Attorney July/August 2012 The Therapist If you are considered a Covered Entity

More information

Business Associates under HITECH: A Chain of Trust

Business Associates under HITECH: A Chain of Trust FAQ on InfoSafe Shredding Services: Frequently Asked Questions on InfoSafe Shredding Information And Video on One Time Cleanouts: Cleanouts and Purges Business Associates under HITECH: A Chain of Trust

More information

Opportunities for Medicaid to Invest in HIT. Shannah Koss, Principal Koss on Care LLC

Opportunities for Medicaid to Invest in HIT. Shannah Koss, Principal Koss on Care LLC Opportunities for Medicaid to Invest in HIT Shannah Koss, Principal Koss on Care LLC Topics Key HIT components in the ARRA What is happening in state Medicaid programs today? Challenges and opportunities

More information

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents

2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents 2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)

More information

PERSONAL HEALTH RECORDS AND

PERSONAL HEALTH RECORDS AND PERSONAL HEALTH RECORDS AND THE HIPAA PRIVACY RULE INTRODUCTION A personal health record (PHR) is an emerging health information technology that individuals can use to engage in their own health care to

More information

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16

NEW PERSPECTIVES. Professional Fee Coding Audit: The Basics. Learn how to do these invaluable audits page 16 NEW PERSPECTIVES on Healthcare Risk Management, Control and Governance www.ahia.org Journal of the Association of Heathcare Internal Auditors Vol. 32, No. 3, Fall, 2013 Professional Fee Coding Audit: The

More information

COLLECTION, USE, AND DISCLOSURE LIMITATION

COLLECTION, USE, AND DISCLOSURE LIMITATION COLLECTION, USE, AND DISCLOSURE LIMITATION This is one of a series of companion documents to The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Health Information Technology (HIT) and the Public Mental Health System

Health Information Technology (HIT) and the Public Mental Health System National Association of State Mental Health Program Directors (NASMHPD) NASMHPD Policy Brief Health Information Technology (HIT) and the Public Mental Health System December 2010 NASMHPD Policy Brief Health

More information

CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM

CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM CMS AND ONC FINAL REGULATIONS DEFINE MEANINGFUL USE AND SET STANDARDS FOR ELECTRONIC HEALTH RECORD INCENTIVE PROGRAM The Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

875 Greentree Road Pittsburgh, PA 15220 QuestDiagnostics.com

875 Greentree Road Pittsburgh, PA 15220 QuestDiagnostics.com 875 Greentree Road Pittsburgh, PA 15220 QuestDiagnostics.com Quest Diagnostics Statement on the Pennsylvania Health Information Technology Act (Senate Bill 8) to the Senate Communications & Technology

More information

SUMMARY OF HEALTH IT AND HEALTH DATA PROVISIONS OF H.R. 2, THE MEDICARE ACCESS AND CHIP REAUTHORIZATION ACT (MACRA)

SUMMARY OF HEALTH IT AND HEALTH DATA PROVISIONS OF H.R. 2, THE MEDICARE ACCESS AND CHIP REAUTHORIZATION ACT (MACRA) SUMMARY OF HEALTH IT AND HEALTH DATA PROVISIONS OF H.R. 2, THE MEDICARE ACCESS AND CHIP REAUTHORIZATION ACT (MACRA) H.R. 2, the SGR Repeal and Medicare Provider Payment Modernization Act of 2015 was introduced

More information

Section 2: HIPAA and the HITECH Act

Section 2: HIPAA and the HITECH Act Section 2: HIPAA and the HITECH Act 1 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered into on [Month], [Day] 2014 (the effective Date ), by and between Accreditation Association for Ambulatory Health

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION BETWEEN WAKE FOREST UNIVERSITY BAPTIST MEDICAL CENTER AND THIS AGREEMENT for Access to Protected Health Information ( PHI ) ( Agreement ) is entered

More information

DEPARTMENT OF HEALTH AND HUMAN SERVICES. Health Information Technology: Initial Set of Standards, Implementation

DEPARTMENT OF HEALTH AND HUMAN SERVICES. Health Information Technology: Initial Set of Standards, Implementation DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Part 170 RIN 0991-AB58 Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria

More information

BUSINESS ASSOCIATE ADDENDUM

BUSINESS ASSOCIATE ADDENDUM BUSINESS ASSOCIATE ADDENDUM This BA Agreement, effective as of the effective date of the Terms of Use, adds to and is made part of the Terms of Use by and between Business Associate and Covered Entity.

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI

REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI Healthcare Organizations Can Adopt Enterprise-Wide Disclosure Management Systems To Standardize Disclosure Processes,

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

OCR/HHS HIPAA/HITECH Audit Preparation

OCR/HHS HIPAA/HITECH Audit Preparation OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

PROBLEMS FOR ORGAN PROCUREMENT ORGANIZATIONS CAUSED BY THE IMPLEMENTATION OF ELECTRONIC MEDICAL RECORDS

PROBLEMS FOR ORGAN PROCUREMENT ORGANIZATIONS CAUSED BY THE IMPLEMENTATION OF ELECTRONIC MEDICAL RECORDS PROBLEMS FOR ORGAN PROCUREMENT ORGANIZATIONS CAUSED BY THE IMPLEMENTATION OF ELECTRONIC MEDICAL RECORDS The nationwide adoption of Electronic Medical Records (EMRs) should provide Organ Procurement Organizations

More information

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security

2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security 2009 HIMSS Analytics Report: Evaluating HITECH s Impact on Healthcare Privacy and Security Commissioned by ID Experts November 2009 INTRODUCTION Healthcare breaches are on the rise; according to the 2009

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

VIA ELCTRONIC SUBMISSION @ www.regulations.gov. March 15, 2010

VIA ELCTRONIC SUBMISSION @ www.regulations.gov. March 15, 2010 VIA ELCTRONIC SUBMISSION @ www.regulations.gov David Blumenthal, M.D., M.P.P. National Coordinator for Health Information Technology HHS/Office of the National Coordinator for Health Information Technology

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information