Data Breach, Electronic Health Records and Healthcare Reform


1 Data Breach, Electronic Health Records and Healthcare Reform
(This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.)

2 Overview of HIPAA Privacy and Security Changes
Introduction and Overview
On February 17, 2009, the President signed P.L , the American Recovery and Reinvestment Act. Title XIII of Division A of ARRA comprises the provisions known as HITECH, the Health Information Technology for Economic and Clinical Health Act.

3 Electronic Health Records
Provides that Eligible Professionals who do not become Meaningful Users of Certified EHR Technology will have physician fee schedule payments reduced by 1% in % in % in 2017 and subsequent years

4 Electronic Health Records
What is EHR?
- Not simply digitized paper record
- Key is interoperability and electronic exchange of health information

5 Electronic Health Records
- January 13, 2010: HHS Issues
  - Interim Final Regulations for Certified EHR
  - Proposed Regulations for Meaningful Use (Stage 1 Criteria)
- Physicians Who Are Meaningful Users of Certified EHR Eligible for Incentive Payments
  - Must Satisfy Stage 1 Criteria
  - Stage 2 by 2013
  - Stage 3 by

6 Electronic Health Records
Stage 1 Criteria (beginning in 2011)
- Electronically capturing health information in a coded format
- Using electronic information to track key clinical conditions
- Communicate information for care coordination
- Implementation of decision support tools to facilitate disease and medication management
- Reporting clinical quality measure and public health information

7 Electronic Health Records
Stage 2 Criteria (beginning in 2013)
- Expand on Stage 1 criteria
- Use of HIT for continuous quality improvement at point of care
- Electronic transmission of orders entered using computerized provider order entry
- Electronic transmission of diagnostic test results

8 Electronic Health Records
Stage 3 Criteria (beginning in 2015)
- Promote improvements in quality, safety and efficiency
- Decision support for national high priority conditions
- Patient access to self-management tools
- Access to comprehensive patient data
- Improving population health

9 Electronic Health Records
- Up to $44,000 per Physician from Medicare
- Must Satisfy by 2011 or 2012
- Up to $63,750 per Physician from Medicaid if State adopts
- First Year Adopt, Implement or Upgrade EHR
- After First Year Meaningful Use
- 30% of Patients Medicaid
- Must Elect
- Not Hospital-based

10 Electronic Health Records
Health Information Technology Initiatives
- President Obama's Budget Proposal
  - Increase of $110 Million for HIT initiatives at CMS
  - Increase of $17 Million for ONC
- ARRA Commits $20.6 Billion over 10 Years

11 Overview of HIPAA Privacy and Security Changes
- Business Associates directly regulated by HIPAA
- Required notification of individuals whose PHI is compromised by a breach
- Required national education initiative
- Additional restrictions on certain disclosures
- Required accounting for certain disclosures
- Prohibition on sale of EHR and PHI
- Limitations on use of PHI for marketing

12 Overview of HIPAA Privacy and Security Changes
- Additional entities defined to be Business Associates
- Stepped up enforcement
- Increased penalties

13 Business Associates
Prior Law:
- Business associates (BAs) are not directly regulated by HIPAA
- Instead Covered Entities were required to enter into business associate contracts with their BAs

14 Business Associates
HITECH: Clarifies some relationships and expands requirements on BAs
HITECH clarifies that the following are BAs:
- Health Information Exchange Organizations
- RHIOs
- e-prescribing Gateways
- PHR vendors that provide PHRs to covered entities

15 Business Associates
HITECH: BAs are required to:
- Notify covered entities if they discover a data breach
- Directly comply with administrative, physical, and technical safeguards and documentation requirements under the HIPAA security rule as if they were covered entities
- Use or disclose PHI only if such use or disclosure is in compliance with the privacy provisions of their business associate contracts

16 Business Associates
Other HITECH privacy and security requirements that apply to covered entities shall be incorporated into business associate agreement.

17 Business Associates
BAs now have obligations regarding a breach by a covered entity
- Terminate arrangement
- Report the problem to HHS if termination is not feasible

18 Business Associates
- Subject to civil and criminal enforcement and penalties under HIPAA (in addition to contractual liability)
- Covered entities will need to:
  - Revisit business associate contracts
  - Possibly to amend business associate contracts
  - Review and possibly revise BA vendor agreements

19 Data Breach Notification
- HITECH adds a new breach notification provision
- Applies to covered entities and BAs that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI

20 Data Breach Notification
- Regulations published August 24, 2009
- Federal Register, Vol. 74, No. 162, Monday, August 24, 2009
- Effective Date: September 23,

21 Data Breach Notification
Requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following discovery of a breach of unsecured PHI

22 Data Breach Notification
- In some cases, requires covered entities to provide notification to the media of breaches
- Requires BA of a covered entity to notify the covered entity of data breach involving unsecured PHI at or by BA
- Requires Secretary HHS to post on HHS website the names of covered entities that experience breach of unsecured PHI involving more than 500 individuals

23 Data Breach Notification
Secured PHI
- PHI that is rendered unusable, unreadable, or indecipherable to one or more individuals.
- Above is accomplished if
  - Electronic PHI is encrypted
  - PHI destroyed

24 Data Breach Notification
- Encryption for data at rest consistent with: NIST Special Publication , Guide to Storage Encryption Technologies for End User Devices
- Encryption for data in motion comply with: NIST Special Publication Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementation; Guide to IPsec VPNs; or Guide to SSL VPNs; or others which are Federal Information Processing Standards (FIPS) validated

25 Data Breach Notification
Destruction
- paper, film or other hard copy have been shredded or destroyed such that PHI cannot be reconstructed
- electronic media have been cleared, purged, or destroyed consistent with NIST Special Publication , Guidelines for Media Sanitization, such that PHI cannot be retrieved

26 Data Breach Notification
Not acceptable security
- access controls
- redaction

27 Data Breach Notification
Process to determine if breach has occurred
Step 1: determine if information is individually identifiable health information

28 Data Breach Notification
Individually Identifiable Health Information
- health information collected from an individual
- includes demographic information
- is created or received by a healthcare provider, health plan, employer or health care clearinghouse
AND
- relates to past, present or future physical or mental health or condition of an individual; or
- relates to the provision of health care to an individual; or
- relates to the past, present or future payment for the provision of health care

29 Data Breach Notification
Individually Identifiable Health Information (continued)
AND
- that identifies the individual; or
- with respect to which there is a reasonable basis to believe the information can be used to identify the individual

30 Data Breach Notification
Step 2: determine if the information is PHI
- PHI is individually identifiable health information that is transmitted and maintained in any form or medium including electronic information

31 Data Breach Notification
Not PHI
- de-identified information
- education records covered by FERPA
- employment records held by covered entity in its role as employer
If not PHI
- no breach under HIPAA
- may be breach under state or other federal law

32 Data Breach Notification
Step 3: determine whether use or disclosure violates the Privacy Rule (HIPAA Privacy Regulations)
- not all uses or disclosures violate Privacy Rule

33 Data Breach Notification
Step 4: determine if there is a significant risk of financial, reputational or other harm to the individual

34 Data Breach Notification
Exceptions to breach
- Information is Limited Data Set and also excludes date of birth and zip code
- Unintentional access by workforce member or individual acting under authority of covered entity
- Inadvertent disclosure by one person authorized to access PHI at covered entity or BA to another person authorized to access PHI at a covered entity, BA or organized health care arrangement as long as recipient does not further use or disclose
- Unauthorized disclosure when person to whom disclosure made not reasonably able to retain information

35 Data Breach Notification
Discovery of Breach
- First day breach known to covered entity or
- By exercising reasonable diligence would have been known to the covered entity
- Covered entity has knowledge if breach is known, or by exercise of reasonable diligence would have been known, to workforce member or agent of covered entity

36 Data Breach Notification
Time of required notice
- No later than 60 calendar days after date breach discovered by covered entity
- Without unreasonable delay
- 60 days is outer limit

37 Data Breach Notification
Methods of notification
- written notification by first class mail
- electronic notice if individual agrees to electronic notice
- substitute notice if insufficient or out-of-date contact information
  - fewer than 10 individuals: alternative written, telephone or other means
  - 10 or more individuals: post on website for at least 90 days or conspicuous notice in major print or broadcast media

38 Data Breach Notification
Content of notice
- brief description
- date of breach
- date of discovery
- description of types of PHI involved
- steps individuals should take to protect themselves
- steps entity is taking to mitigate harm
- contact procedures

39 Data Breach Notification
Notification of Media
- breach involving more than 500 residents of a state or jurisdiction
- notify prominent media outlets in state or jurisdiction
- no later than 60 days after discovery

40 Data Breach Notification
Notification to Secretary HHS
- breaches involving 500 or more individuals, notify HHS contemporaneously with notice to individuals
- breaches involving less than 500 individuals, maintain a log and provide to HHS 60 days after end of each calendar year

41 Data Breach Notification
Enforcement
- Effective Date September 23, 2009
- Sanctions for failure to provide required notification will not be imposed for breaches discovered before February 22,

42 Data Breach Notification
Vendors of Personal Health Records
- Breach notification rule for vendors of personal health records and related entities
- Federal Register, Vol. 74, No. 163, Tuesday, August 25, 2009
- Regulated by Federal Trade Commission
- Effective September 24, 2009
- Full compliance by February 22,

43 Data Breach Notification
Vendors of Personal Health Records
- Breach notification requirements similar to HHS requirements for covered entity
- FTC rule does not apply to HIPAA-covered entities or to BAs of HIPAA-covered entities

44 Restrictions on Certain PHI Disclosures
- Can no longer refuse request NOT to use or disclose PHI when:
  - Disclosure is to health plan for carrying out payment or health care operations (not for treatment); and
  - PHI pertains solely to a health care item or service for which the health care provider involved has been paid out of pocket in full.
- Previously, covered entity was not required to agree to such requested restrictions

45 Restrictions: Limited Data Set and Minimum Necessary
HITECH Act requires covered entities using or disclosing PHI, or requesting PHI from another covered entity, to limit disclosure of PHI to the limited data set as defined under HIPAA, or, if more information is needed, to the minimum necessary to accomplish the intended purpose of such use, disclosure, or request, respectively.

46 Restrictions: Limited Data Set and Minimum Necessary
- Secretary to issue guidance on what constitutes minimum necessary
- Secretary is permitted up to 18 months to issue the new guidance
- However, the Act retains all the current exceptions to the existing minimum necessary disclosure standard, including disclosures made for treatment purposes and disclosure required by law
- This section does not apply to the use, disclosure or request of de-identified PHI

47 Restrictions: Limited Data Set and Minimum Necessary
Minimum Necessary and Breach Notification
- HHS takes the position that release of more than Minimum Necessary may be a breach requiring notification

48 Restrictions on Certain PHI Disclosures: Accounting of PHI Disclosures
- HITECH Act removes an exception that excused covered entities from accounting for disclosures of PHI to carry out treatment, payment and health care operations.
- All such disclosures must be accounted for if the disclosure was made through an EHR
- Right to disclosures only applies to the three years prior to the date on which the accounting is requested, rather than the six years permitted under HIPAA

49 Restrictions: Accounting of PHI Disclosures
- Effective Date for the accounting requirement varies depending on when a covered entity acquires an EHR
- For covered entities that had an EHR as of January 1, 2009, the new accounting rules apply to disclosures of PHI made from that EHR on and after January 1, 2014
- For those covered entities acquiring an EHR after January 1, 2009, the accounting rules apply to disclosures made on and after the later of:
  - January 1, 2011, or
  - the actual date when it acquires an EHR
- Secretary has the option to postpone the compliance dates for current users to 2016 and for future users to 2013, if the Secretary determines that a later date is necessary

50 Sale of EHRs and PHI Prohibited
- Covered entities and BAs prohibited from receiving remuneration in exchange for any PHI of an individual without obtaining the authorization of such individual
- Authorization must specify whether original receiver of PHI may further exchange it for remuneration
- Subject to additional regulations that the Secretary is mandated to issue within 18 months after enactment of the Act
- Goes in effect and applies to exchanges of PHI occurring on or after 6 months after the date of promulgation of the final regulations
- Seven exceptions to prohibition on sale of PHI

51 Sale of EHRs and PHI Prohibited
Seven exceptions apply if sale of PHI is for purposes of:
1. Public health activities (as defined under HIPAA)
2. Research, if the price paid for PHI reflects the costs of preparation and transmittal of PHI;
3. Treatment of the individual;
4. Sale, transfer, merger or consolidation of all or part of the covered entity and due diligence related to such activity;
5. For an activity that the covered entity's business associate undertakes covered by an applicable business associate agreement;

52 Sale of EHRs and PHI Prohibited
6. Providing an individual with a copy of the individual's PHI pursuant to an individual's right of access under HIPAA; and
7. Other exchanges that the Secretary, in the mandated future regulations on this subject, will deem similarly appropriate and necessary to the exceptions described above

53 Access to PHI Contained in EHR
- Covered entity which maintains an electronic health record with respect to PHI is required
  - to produce a copy of such PHI in electronic format upon an individual's request
  - if the individual so chooses, to transmit the copy directly to an entity or person designated by the individual provided the request is clear, conspicuous, and specific
- A fee for such service may not be greater than the covered entity's labor costs in responding to the request for the copy (or summary or explanation).

54 Restrictions on Marketing
- New restrictions on covered entities and BAs' marketing communications to potential buyers or users of their products
- Any communication that encourages the recipient to purchase or use a product or service is not considered a health care operation unless it is made:
  - to describe a product or service (or payment therefore) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about:
    - the entities participating in a health care provider network or health plan network;
    - replacement of, or enhancements to, a health plan; and
    - health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits;

55 Restrictions on Marketing
- for treatment of the individual; or
- for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual

56 Restrictions on Marketing
The three exceptions above will not be considered health care operations if the covered entity receives direct or indirect payment in exchange for making such communications, unless:
- payment is for a communication regarding a drug currently prescribed for the recipient of the communication and such payment is reasonable in amount, the latter requirement to be interpreted in new regulations by the Secretary.
- the communication is made by the covered entity and the covered entity obtains a valid authorization in accordance with HIPAA; or
- the communication is made by a BA of a covered entity, on behalf of such covered entity, and such communication is consistent with the applicable business associate agreement

57 Restrictions on Marketing and Fundraising
- Any written fundraising communication that is a healthcare operation under HIPAA is to provide in a clear and conspicuous manner an opportunity for the recipient to opt out or elect not to receive any further such communications
- If a person opts out, such election is to be treated as a revocation of authorization
- Restrictions on marketing and fundraising communications will apply to written communications occurring on or after February 17,

58 Precedence over Conflicting State Laws
HITECH Act supersedes contrary provisions of state laws in the same manner as a standard and implementation specification adopted under HIPAA supersedes contrary provisions of state law, unless HHS Secretary determines that such provision is necessary
- to prevent fraud and abuse;
- ensure appropriate state regulations of insurance and health plans;
- for state reporting on health delivery costs; or
- other purposes as determined by the Secretary

59 Precedence over Conflicting State Laws
- State provision addresses a controlled substance;
- HIPAA does not supersede state law if state law provisions are more stringent than requirements imposed under HIPAA
- HITECH Act also supersedes any inconsistent standards governing the privacy and security of individually identifiable information promulgated under HIPAA

60 New Enforcement Approaches
- Expands who is liable for criminal violations
- Expands bases for civil penalties and increased CMPs (from $25,000 to $1.5 million)
- Harmed individuals to receive percentage of CMP
- State Attorneys General may bring civil actions for criminal violations
- HHS Audits of covered entities and business associates required

61 For more information please contact:
William H. Fischer
Berna Rhodes-Ford


More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC

HIPAA Update. Bob Radecki W.J. Flynn and Associates, LLC HIPAA Update Bob Radecki W.J. Flynn and Associates, LLC Background ARRA American Recovery and Reinvestment Act of 2009 HITECH Health Information Technology for Economic and Clinical Act (Title XII, Part

More information

QUEST, INC BREACH NOTIFICATION POLICY

QUEST, INC BREACH NOTIFICATION POLICY QUEST, INC BREACH NOTIFICATION POLICY Dev September 2012 Page Number I. Breach Notification Template HIPAA Breach Notification Policy Table of Contents 1 A. Generally 1 B. When a Breach is Considered to

More information

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings:

Definitions: 45 CFR As used in this subpart, the following terms have the following meanings: HITECH/HIPAA Breach Notification Regulations This summary was prepared by the New Jersey Department of Human Services Privacy Officer on February 24, 2010 for distribution at the Division of Addiction

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY. REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS

More information

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016

ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH

More information

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION

BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION BREACH NOTIFICATION FOR UNSECURED PROTECTED HEALTH INFORMATION Summary November 2009 On August 24, 2009, the Department of Health and Human Services (HHS) published an interim final rule (the Rule ) that

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

POLICY AND PROCEDURE MANUAL

POLICY AND PROCEDURE MANUAL Pennington Biomedical POLICY NO. 412.22 POLICY AND PROCEDURE MANUAL Origin Date: 02/04/2013 Impacts: ALL PERSONNEL Effective Date: 03/17/2014 Subject: HIPAA BREACH NOTIFICATION Last Revised: Source: LEGAL

More information

Health Information Technology for Economic and Clinical Health Act ( HITECH ), part of the American Recovery and Reinvestment Act of 2009 ( ARRA ).

Health Information Technology for Economic and Clinical Health Act ( HITECH ), part of the American Recovery and Reinvestment Act of 2009 ( ARRA ). Client Advisory Health Care/Technology August 31, 2009 HHS Issues Security Breach Notice Rule On August 24, the Department of Health and Human Services ( HHS ) published its rule (the Rule ) implementing

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

3.) The Breach Notification Rule (Part 164, Subpart D)

3.) The Breach Notification Rule (Part 164, Subpart D) 3.) The Breach Notification Rule (Part 164, Subpart D) 164.400 Applicability 164.402 Definitions (breach, unsecured protected health information) 164.404 Notification to individuals 164.406 Notification

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into by and between (the Covered Entity ), and Iowa State Association of Counties (the Business Associate ). RECITALS

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law

Everett School Employee Benefit Trust. Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Everett School Employee Benefit Trust Reportable Breach Notification Policy HIPAA HITECH Rules and Washington State Law Introduction The Everett School Employee Benefit Trust ( Trust ) adopts this policy

More information

IMPORTANT HIPAA CHANGES SUSAN J. FREED. THE DAVIS BROWN TOWER th STREET, SUITE 1300 DES MOINES, IA

IMPORTANT HIPAA CHANGES SUSAN J. FREED. THE DAVIS BROWN TOWER th STREET, SUITE 1300 DES MOINES, IA IMPORTANT HIPAA CHANGES SUSAN J. FREED THE DAVIS BROWN TOWER 215 10 th STREET, SUITE 1300 DES MOINES, IA 50309 515-288-2500 WWW.DAVISBROWNLAW.COM DAVIS BROWN KOEHN SHORS & ROBERTS P.C. #1651683 IMPORTANT

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Section 2: HIPAA and the HITECH Act

Section 2: HIPAA and the HITECH Act Section 2: HIPAA and the HITECH Act 1 Introduction to HIPAA and the HITECH Act The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed on February 17, 2009 as part of

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

Covered Entities and Business Associates: An Evolving Relationship

Covered Entities and Business Associates: An Evolving Relationship Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider

More information

Business Associates and HIPAA

Business Associates and HIPAA Business Associates and HIPAA What BAs need to know to comply with HIPAA privacy and security rules by Dom Nicastro White paper The lax days of complying with privacy and security laws are over for business

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM

STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

Signed into law on February 17, 2009, the Stimulus Package known

Signed into law on February 17, 2009, the Stimulus Package known Stimulus Package Expands HIPAA Privacy and Security and Adds Federal Data Breach Notification Law Marcy Wilder, Donna A. Boswell, and BarBara Bennett The authors discuss provisions of the Stimulus Package

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary

HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary HHS Issues Breach Reporting Regulations under the HITECH Act Executive Summary The Health Information Technology for Economic and Clinical Health Act (the HITECH Act), which became law in February of this

More information

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

POLICY AUTHORITY Chancellor for Health Sciences and Dean of the School of Medicine

POLICY AUTHORITY Chancellor for Health Sciences and Dean of the School of Medicine Applies To: All HSC, UNMH, UNMCC, UNM-MG Responsible Department: Privacy Office Revised: New 10/2010 Policy Patient Age Group: ( ) N/A ( X) All Ages ( ) Newborns ( ) Pediatric ( ) Adult POLICY STATEMENT

More information

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

The Basics of HIPAA Privacy and Security and HITECH

The Basics of HIPAA Privacy and Security and HITECH The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,

More information

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA

FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA APPENDIX PR 12-A FEDERAL AND STATE BREACH NOTIFICATION LAWS FOR CALIFORNIA LEGAL CITATION California Civil Code Section 1798.82 California Health and Safety (H&S) Code Section 1280.15 42 U.S.C. Section

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Data Breach Notification Policy 10240 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance

More information

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration

Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Name of Policy: Policy Number: Department: Reporting of Security Breach of Protected Health Information including Personal Health Information 3364-100-90-15 Hospital Administration Approving Officer: Interim

More information

Information Privacy and Security Program. Title: EC.PS.01.02

Information Privacy and Security Program. Title: EC.PS.01.02 Page: 1 of 9 I. PURPOSE: The purpose of this standard is to ensure that affected individuals, the media, and the Secretary of Health and Human Services (HHS) are appropriately notified of any Breach of

More information

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates Legal Update February 11, 2013 Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates On January 17, 2013, the Department of Health

More information

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy

Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health

More information

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com

Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information

More information