Attorneys and Other Contractors: HIPAA Business Associates in 2014 and Beyond. October 18, 2013. 2013 DINSMORE & SHOHL LEGAL COUNSEL


1 Attorneys and Other Contractors: HIPAA Business Associates in 2014 and Beyond
October 18, 2013

2 Presenter
Jennifer Orr Mitchell, Esq.

The information provided in this presentation is an expression of the viewpoints of the author(s) and is not intended to constitute, nor should it in any way be construed as, legal advice or a definitive statement of the law in any jurisdiction.

3 We will be covering
- Attorneys as HIPAA Business Associates
- HIPAA Privacy and Security Rules
- Recent Amendments: HITECH and Omnibus Final Rule
- HIPAA Penalties
- Breach Notification Rule & Encryption
- Attorneys' Use of Mobile Devices
- Enforcement Trends and Examples
- Best Practices

4 Five Principles of Fair Information Practices Underlying the HIPAA Rules
- Openness (Notice): The existence and purposes of record-keeping systems should be publicly known.
- Individual Participation (Access): The individual should have the right to see his or her records and assure the quality of the information contained in those records (accurate, complete, and timely).
- Security: There should be reasonable safeguards in place for protecting the confidentiality, integrity, and availability of information.

5 Five Principles of Fair Information Practices Underlying the HIPAA Rules (continued)
- Accountability (Enforcement): Violations of the rules should result in reasonable penalties, and mitigation is critical if a violation occurs.
- Limits on Collection, Use and Disclosure (Choice): Information should be collected only with the knowledge and consent of the individual. Information should be used only in ways that are relevant to the purposes for which the information was collected. Information should be disclosed only with consent/notice or authority.

6 What is HIPAA -- Overview
HIPAA = The Health Insurance Portability and Accountability Act of 1996
We will discuss two primary HIPAA regulations:
- Privacy Rule
- Security Rule
Both rules apply to Covered Entities and their Business Associates.

7 What is HIPAA -- Overview
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HIPAA was intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.
Under HIPAA's Privacy and Security Rules, Covered Entities must take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable patient information known as Protected Health Information ("PHI"), including electronic Protected Health Information (ePHI).
HITECH (The Health Information Technology for Economic and Clinical Health Act), effective February 2009, significantly expanded the privacy and security requirements of HIPAA and put teeth into HIPAA enforcement through increased penalties and new enforcement mechanisms. One of the most significant changes under HITECH, which was reinforced under the Omnibus Final Rule, is the direct regulation of Business Associates.

8 Covered Entities
- Health Care Providers (if they transmit data in electronic form in connection with a transaction covered under HIPAA)
- Health Plans (including employer-sponsored group health plans)
  - Applies to all group health plans, both self-insured and fully funded, with > 50 participants
  - Applies to all group health plans with < 50 participants unless self-administered
  - Employers: your health plan is covered; is it compliant?
- Health Care Clearinghouses
- The workforce of a covered entity is required to comply with HIPAA; workforce members do not have to be employees of the covered entity and can include contractors, volunteers, etc.

9 Business Associates
Any entity that creates, receives, maintains, or transmits (emphasis added) PHI in performing a function, activity, or service on behalf of a covered entity.
Examples: billing companies, accountants, insurance agents/brokers, payroll vendors, consultants, data processing firms, cloud providers, records storage, and ATTORNEYS.
Any entity that gets PHI to do something for a Covered Entity, including providing legal advice.
BAs are required to agree to protect PHI the same way CEs do; otherwise, CEs cannot continue to do business with them.

10 Attorneys as Business Associates
Attorneys are included as Business Associates under the HIPAA Privacy Rule, 45 C.F.R.: any non-employee who "provides legal services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information ..."
There are differing viewpoints as to when the Privacy Rule applies to attorneys' representation of their Covered Entity clients.
(e), Final Rule Preamble: "The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party."

11 Attorneys as Business Associates
The HITECH Act made the Business Associate provisions of the Privacy Rule and certain Security Rule provisions directly and specifically applicable to Business Associates, including penalties for noncompliance. The Omnibus Final Rule confirmed this application.
Privacy Rule
- Most attorneys and law firms already have good measures in place for dealing with confidential information
- Need to support these measures with written policies and procedures and review for compliance

12 Attorneys as Business Associates
Security Rule
Attorneys must reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI they receive, create or maintain electronically pursuant to their legal representation of a Covered Entity.
Attorneys and Law Firms must take measures to address the following Security Rule requirements:
- Documentation of Policies and Procedures
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards

13 When is an Attorney a Business Associate?
Attorneys who do not technically practice health care law often think they are not subject to HIPAA privacy and security obligations when they receive PHI from their covered entity clients.
Attorney may be a BA:
- Privacy or Security Rule compliance support for CEs
- Fraud and abuse/false claims defense
- Health care professional discipline defense, payment disputes, advice on compliance, risk management, peer review, accreditation, licensing
- Representing a CE or BA in audits or governmental investigations
- Due diligence for some types of CE transactions
- Representing a CE in any case involving individual patient diagnosis or treatment
- Representing a CE in any case involving individual health benefits
- Representing a CE or a BA in enforcing a restrictive covenant against an employee who is soliciting patients of the covered entity or who has disclosed patient data to a new employer
- Representation in the sale or purchase of a CE or BA with access to a patient list or a detailed list of accounts receivable
- Antitrust representation to define the relevant market in a restraint of trade case

14 When is an Attorney a Business Associate?
Attorneys who do not technically practice health care law often think they are not subject to HIPAA privacy and security obligations when they receive PHI from their covered entity clients.
Attorney may NOT be a BA:
- When representing any party which is not a CE, including individual plaintiffs
- In workers' compensation cases (excluded by statute)
- In Social Security cases
- In employment law matters, except for representation of group health plans or matters involving health care entities disclosing PHI to their attorneys to defend the litigation (because the individual has not put his/her medical condition at issue in an employment case)
Sources:

15 When is an Attorney a Business Associate?
Attorney is LIKELY a BA (my list):
- Federal or state regulatory compliance and/or defense against an enforcement action (e.g., HIPAA, Medicare/Medicaid, fraud and abuse, etc.)
- Audit or investigation relating to actual or potential governmental or whistleblower complaints
- Pre-suit ERISA or other claims for health plan benefits
- Transactional work of any nature involving access to patient medical or financial information (e.g., billing, medical records, accounts payable, accounts receivable, pending or threatened litigation, etc.)
- Pre-suit employment investigation or advice where you had reason to access patient information (other than information contained in the employee's own employment file)
- Risk management or pre-suit handling of medical or personal injury claims
- Professional licensing board, credentialing, or other administrative matters
- Responding to subpoenas requesting patient information in any form

16 When is an Attorney a Business Associate?
Attorneys and law firms should be able to recognize when they are (or could be considered) Business Associates and take the appropriate steps to comply with the HIPAA privacy and security rule provisions applicable to Business Associates. Non-compliance can lead to steep fines and government investigations, as well as potential loss of an attorney's or client's reputation. Given the risks associated with non-compliance, attorneys should consult with health care attorneys and other HIPAA experts (either within or outside their law firms) for advice on their compliance obligations and the implementation of HIPAA-compliant privacy and security programs.
Source:

17 Business Associate Agreement Basics
The BAA should include:
- Permitted uses/disclosures of PHI by BA
- Prohibited uses/disclosures of PHI by BA
- Requirement that BA use appropriate safeguards (administrative, physical, technical) to protect ePHI
- Requirement that BA report security incidents
- Ensure subcontractors agree to step into the shoes of BA
- Make PHI available to CE for access, amendment, accounting of disclosures
- Make BA internal practices, books, records available to HHS for review to determine compliance
- Provision for return/destruction/escrow of PHI upon termination
- Authorize termination if material violation of BAA
- Security breach notification requirements -- HITECH/Omnibus Rule
- Minimum necessary requirement -- HITECH
- Security Rule compliance requirement -- HITECH
- Audit requirements -- HITECH

18 Business Associate Agreement Basics
Indemnification
- Largely due to potential exposure under the Breach Notification Rule, CEs and BAs are including or attempting to include indemnification provisions in their BAAs
- These provisions should be carefully considered prior to execution of any BAA by both sides

19 HHS Guidance -- FAQ 1: Attorney disclosure of PHI to agents and/or subcontractors
The business associate agreement between the covered entity and the lawyer-business associate provides that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR (e)(2)(ii)(D). Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer's legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer's business associate agreement with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate.

20 HHS Guidance -- FAQ 1: Attorney disclosure of PHI to agents and/or subcontractors (continued)
For example, pursuant to its business associate agreement, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity, will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer-business associate need not ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties.

21 HHS Guidance -- FAQ 2: Sharing of PHI by CE with its Attorney for use in litigation
Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of health care operations at 45 CFR includes a covered entity's activities of conducting or arranging for legal services to the extent such activities are related to the covered entity's covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.

22 HHS Guidance -- FAQ 2: Sharing of PHI by CE with its Attorney for use in litigation (continued)
The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR (b), (d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR (d)(3)(iii)(C). A covered entity's minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer's requests for protected health information needed in the course of providing legal services to the covered entity.

23 HHS Guidance -- FAQ 2: Sharing of PHI by CE with its Attorney for use in litigation (continued)
In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a relevance standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.

24 HHS Guidance -- FAQ 3: Accounting for disclosures of PHI made during the course of litigation
Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR (GPO). Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made: as required by law (under (a) and (e)(1)(i)); for a proceeding before a health oversight agency (under (d)); or in response to a subpoena, discovery request, or other lawful process (under (e)).

25 HHS Guidance -- FAQ 3: Accounting for disclosures of PHI made during the course of litigation (continued)
Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual's authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity's health care operations. In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule should provide that the lawyer-business associate make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.

26 Privacy and Security
Privacy is the individual's right over the use and disclosure of his or her protected health information (PHI), and includes the right to determine when, how, and to what extent PHI is shared with others. The Privacy Rule grants rights to individuals for accessing and controlling the use/disclosure of their PHI.
Security is the specific measures a health care entity must take to protect PHI from any unauthorized breaches of privacy, such as if information is stolen or provided to the wrong person in error. It also includes measures taken to ensure against the loss of integrity of PHI, such as if a patient's records are lost or destroyed by accident. HIPAA requires general security measures that are both reasonable and appropriate.

27 HIPAA Privacy Rule
- Protects all PHI (protected health information), which includes just about any piece of information that might possibly identify a person, in any form, including oral information
- Grants individuals broader rights in their PHI: access, amendment, disclosure accounting, restrictions, confidential communications
- Has been in effect since April 2003

28 The Privacy Rule
THE RULE: Covered Entities are prohibited from using or disclosing PHI unless a Privacy Rule exception applies.
THE LANGUAGE: "A covered entity may not use or disclose protected health information [PHI], except as permitted or required by this subpart or by subpart C of part 160 of this chapter." [45 CFR ]


30 The Privacy Rule
Protected Health Information (PHI):
- information created or received by a health care provider, health plan, or health care clearinghouse ("covered entities");
- relating to past, present, or future health of an individual, provision of health care, or payment for health care;
- either identifies the individual or provides a reasonable basis for identification;
- in all forms (oral, written, electronic).
PHI includes ePHI, which is also covered more specifically by the Security Rule.
Exceptions: employment records, education records covered by FERPA, and records covered by other federal law.

31 The Privacy Rule
It is important to understand that whether data is PHI depends on the source and how it was obtained. The same data can be PHI in one context and not in another.
- Did the data come from a covered entity?
- Was the information provided to assist the CE with its health care operations (as opposed to information contained in HR/employment files or workers' comp files, for example)?
- Does the information relate to past, present, or future health of an individual, provision of health care, or payment for health care?
PHI provided pre-suit can arguably lose its status as PHI once a lawsuit is filed by the patient who is the subject of the information, putting his/her medical condition at issue; it would then depend on when the use or disclosure occurred.

32 The Privacy Rule
PHI includes the following 18 identifiers:
1. Names
2. All geographic subdivisions smaller than a State (street address, city, county, precinct, zip code)
3. All elements of dates (except year) for dates related to the individual (birth date, admission date, discharge date, date of death, prescription dispense date, etc.)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. SSNs
8. Medical record numbers (including prescription numbers)
9. Health plan beneficiary numbers

33 The Privacy Rule
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers, serial numbers, license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP address numbers
16. Biometric identifiers (finger and voice prints)
17. Full face photographs (and comparable images)
18. Catch-all: any other unique number, characteristic, or code that might possibly identify a person
So, in terms of information contained within medical and billing records, this really includes nearly every piece of useful information.
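The 18-identifier list above, together with the FAQ point on slide 23 about stripping direct identifiers before a litigation disclosure, can be turned into a screening step a firm runs before material leaves its hands. The following is an added example and not part of the presentation: it checks a text record for the Safe Harbor identifiers that have a recognizable machine-readable shape (dates with month and day, telephone/fax numbers, email addresses, SSNs, URLs, IP addresses), reports what it found, and produces a redacted copy. The sample record is constructed with fictitious values. Names, geographic subdivisions, record/account/beneficiary numbers, vehicle and device identifiers, biometrics and photographs have no fixed textual format, so this screen does not detect them and a passing result still needs human review.

```python
import re

# Added example, not from the presentation.  Pattern-based screen for the
# Safe Harbor identifiers that have a fixed textual shape.  Numbers in the
# comments refer to the slide's 18-item list.  Identifiers 1, 2, 8-13, 16 and
# 17 are NOT detected here: they need reference data, an entity tagger, or
# human review.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # 7
    "phone_fax": re.compile(  # 4, 5: (nnn) nnn-nnnn, nnn-nnn-nnnn, nnn.nnn.nnnn
        r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.\s])\d{3}[-.\s]\d{4}(?!\d)"
    ),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),  # 6
    "url": re.compile(r"\bhttps?://[^\s,;]+|\bwww\.[^\s,;]+", re.IGNORECASE),  # 14
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),  # 15
    # 3: full dates only; a bare year is permitted under Safe Harbor
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
}


def find_identifiers(text):
    """Return (kind, matched_text) pairs for every detectable identifier in text."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            hits.append((kind, match.group(0)))
    return hits


def redact(text):
    """Replace each detectable identifier with a tag naming what was removed."""
    out = text
    for kind, pattern in PATTERNS.items():
        out = pattern.sub(f"[{kind.upper()} REMOVED]", out)
    return out


def ready_for_disclosure(text):
    """True only when no pattern-detectable direct identifier remains.

    A True result means the automated screen passed, not that the document is
    de-identified: the identifier classes this screen cannot see still need review.
    """
    return not find_identifiers(text)


# Constructed sample record with fictitious values (not real patient data).
SAMPLE = (
    "Patient seen 03/14/2013; contact (513) 555-0199, jdoe@example.com, "
    "SSN 123-45-6789, portal www.example.org/chart, last login from 192.0.2.10."
)

if __name__ == "__main__":
    for kind, value in find_identifiers(SAMPLE):
        print(f"{kind:10} {value}")
    print(redact(SAMPLE))
    print("ready:", ready_for_disclosure(redact(SAMPLE)))
```

Run as a script it lists the six identifiers in the sample, prints the redacted text, and reports that the redacted copy passes the screen. In practice the redacted output is what goes to the reviewer who applies the minimum necessary judgment; the screen is a backstop against an obvious miss, not a substitute for that judgment.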

34 The Privacy Rule
Key Permitted Uses & Disclosures:
- To the Individual
- For Treatment, Payment and Health Care Operations (TPO)
- Pursuant to an Authorization
- As Required by Law
- To Business Associates
- For Public Health Activities
- To Health Oversight Agencies
- Concerning Decedents
- To Organ Procurement Organizations
- For Research Purposes
- In a Limited Data Set
- For Fundraising and Underwriting

35 The Privacy Rule
Minimum Necessary Rule: When using or disclosing PHI or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

36 The Privacy Rule
There are 6 Exceptions to the Minimum Necessary Rule:
- Disclosures for Treatment
- Disclosures to the Individual
- Disclosures pursuant to an Authorization
- Disclosures to DHHS for Enforcement
- Disclosures Required by Law
- Disclosures required for compliance with the Privacy Rule

37 The Privacy Rule
Incidental Uses and Disclosures: The Privacy Rule explicitly permits certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. An incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards and implemented the minimum necessary rule, where applicable.

38 The Privacy Rule
Authorizations: Specific elements are required for an authorization to be effective. For example: plain language; right to revoke; specific description of the information to be used or disclosed; identification of the person or entity to whom the information is to be disclosed; termination date.

39 The Privacy Rule
Notice of Privacy Practices (NPP):
- Sets forth the uses and disclosures that will be undertaken by the covered entity and its business associates.
- An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and of the individual's rights and the CE's legal duties regarding PHI.
- Specific requirements for what must be contained in the NPP are set out in the Privacy Rule.
- There are specific rules for distributing, posting, and providing access to the NPP.
- OCR has recently issued a new sample NPP for use by health care providers and health plans.
- Employers: Did you update your health plan NPPs in September 2013? You should have!

40 The Security Rule
The Security Rule mandates safeguards for Electronic PHI (or "ePHI"). Security safeguards were already required by the Privacy Rule; the Security Rule provides more guidance as to the nature and function of each individual safeguard. Has been in effect since April 2005.

41 The Security Rule
RULE: All covered entities and their business associates are required to develop and document a security program to guard against real and potential threats of disclosure or loss, which will include policies, procedures and safeguards to protect Electronic PHI (or ePHI).

42 The Security Rule -- Safeguards
1. Administrative Safeguards
- Administrative actions, policies and procedures related to security measures
- Managing conduct of the workforce in protecting ePHI
- Risk analysis, risk management, appointing a security officer, employee training, etc.
ADMINISTRATIVE SAFEGUARDS
- Security Management Process, 45 CFR (a)(1) (required)
- Assigned Security Responsibility, 45 CFR (a)(2) (required)
- Workforce Security, 45 CFR (a)(3) (addressable)
- Information Access Management, 45 CFR (a)(4) (addressable)
- Security Awareness and Training, 45 CFR (a)(5) (addressable)
- Security Incident Procedures, 45 CFR (a)(6) (required)
- Contingency Plan, 45 CFR (a)(7) (required)
- Evaluation, 45 CFR (a)(8) (required)
- Business Associate Contracts and Other Arrangements, 45 CFR (b) (required)

43 The Security Rule
2. Physical Safeguards
- Focused on preventing unauthorized individuals from gaining access to ePHI
- Protecting buildings and equipment from unauthorized access, disasters and hazards
- Limiting physical access to information systems and addressing security needs of workstations and computers
PHYSICAL SAFEGUARDS
- Facility Access Controls, 45 CFR (a)(2) (addressable)
- Workstation Use, 45 CFR (b) (required)
- Workstation Security, 45 CFR (c) (required)
- Device and Media Controls, 45 CFR (d) (required)

44 The Security Rule
3. Technical Safeguards
- Technology, and the policies and procedures for its use, that protect ePHI and control access to ePHI
- Address electronic transmission of ePHI and access control mechanisms
TECHNICAL SAFEGUARDS
- Access Control, 45 CFR (a)(1) (addressable); (a)(2) (required)
- Audit Controls, 45 CFR (b) (required)
- Integrity, 45 CFR (c)(1) (N/A)
- Person or Entity Authentication, 45 CFR (d) (required)
- Transmission Security, 45 CFR (e)(1) (N/A)

45 The Security Rule -- Implementation Specifications
Required v. Addressable
- Required specifications must be implemented.
- Addressable specifications: CEs and BAs (after HITECH) must assess whether a specification is reasonable and appropriate.
  - If reasonable and appropriate, the CE or BA must implement the specification.
  - If not applicable, the CE or BA must document the decision not to implement the specification, the reason, and how the standard is otherwise being met.

46 The Security Rule -- OCR FAQ
What is the difference between addressable and required implementation specifications in the Security Rule?
Answer: The covered entity [or business associate] must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity [or business associate] must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity [or business associate] makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based.

47 The Security Rule
Some key areas of security concern:
- unprotected Internet web browsing and cookies
- authentication
- networks/firewalls
- lack of physical security
- hackers/phishing/other illegality
- internal mischief/disgruntled employees
- data sharing
- encryption (or lack thereof)

48 The HITECH Act
Health Information Technology for Economic and Clinical Health Act (HITECH Act), February 17, 2009. The most significant changes to HIPAA since issuance of the Privacy and Security Regulations.

49 The HITECH Act
- Included $20 billion in funding for healthcare information technology projects
- Extended the reach of the HIPAA Privacy and Security Rules and penalties directly to Business Associates
- Increased enforcement of, and penalties for, HIPAA violations:
  - Formal investigations of complaints
  - State AGs can bring civil actions in federal court
  - Increased penalty amounts
- Imposed breach notification requirements on CEs and BAs
- Clarified minimum necessary standard (sort of)
- Limited certain uses and disclosures of PHI
- More accounting responsibilities for uses/disclosures of PHI
- Increased individuals' rights with respect to PHI maintained in electronic health records (EHRs)
- Periodic HHS audits of HIPAA compliance (KPMG audits underway)
- Remuneration in exchange for PHI prohibited (with some limited exceptions)
- Marketing/fundraising restrictions tightened
- Required BAs to enter into Business Associate Agreements with subcontractors and monitor compliance; BA must terminate contract if compliance issues cannot be cured

50 The HITECH Act -- Section-by-Section
- Sec. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
- Sec. Notification in the case of breach.
- Sec. Education on health information privacy.
- Sec. Application of privacy provisions and penalties to business associates of covered entities.
- Sec. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
- Sec. Conditions on certain contacts as part of health care operations.
- Sec. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
- Sec. Business associate contracts required for certain entities.
- Sec. Clarification of application of wrongful disclosures criminal penalties.
- Sec. Improved enforcement.
- Sec. Audits.


More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

Presented by Jack Kolk President ACR 2 Solutions, Inc.

Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security

More information

Table of Contents INTRODUCTION AND PURPOSE 1

Table of Contents INTRODUCTION AND PURPOSE 1 HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA Privacy & Breach Notification Training for System Administration Business Associates

HIPAA Privacy & Breach Notification Training for System Administration Business Associates HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES

Guidance Specifying Technologies and Methodologies DEPARTMENT OF HEALTH AND HUMAN SERVICES DEPARTMENT OF HEALTH AND HUMAN SERVICES 45 CFR PARTS 160 and 164 Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable

More information

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013

HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013 Presentation Overview s investigative

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing

HIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information

More information

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA

INFORMATION SECURITY & HIPAA COMPLIANCE MPCA INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

Health Information Privacy Refresher Training. March 2013

Health Information Privacy Refresher Training. March 2013 Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal

More information

Breach Notification Policy

Breach Notification Policy 1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists

More information

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits

Trust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)

More information

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant

HIPAA Privacy and Security Rules: A Refresher. Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Lawyers as HIPAA Business Associates

Lawyers as HIPAA Business Associates 9/25/13 Lawyers as HIPAA Business Associates ISBA Solo and Small Firm Conference October 4, 2013 Rick L. Hindmand McDonald Hopkins LLC 1 Agenda Background HIPAA/HITECH Act/Omnibus Rule Who is a business

More information

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES

HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES SALISH BHO HIPAA AND MEDICAID COMPLIANCE POLICIES AND PROCEDURES Policy Name: HIPAA BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date: 03/2016 Revision Date(s):

More information

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14

UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule ) HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Statement of Policy. Reason for Policy

Statement of Policy. Reason for Policy Table of Contents Statement of Policy 2 Reason for Policy 2 HIPAA Liaison 2 Individuals and Entities Affected by Policy 2 Who Should Know Policy 3 Exclusions 3 Website Address for Policy 3 Definitions

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HIPAA Business Associate Addendum

HIPAA Business Associate Addendum HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity

More information

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1

A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register

More information

what your business needs to do about the new HIPAA rules

what your business needs to do about the new HIPAA rules what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or

More information

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS

HIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the

More information

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013

Welcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013 Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and

More information

Community First Health Plans Breach Notification for Unsecured PHI

Community First Health Plans Breach Notification for Unsecured PHI Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

You Probably Don t Even Know

You Probably Don t Even Know You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25

More information

Federal Breach Notification Decision Tree and Tools

Federal Breach Notification Decision Tree and Tools Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers

More information

Network Security and Data Privacy Insurance for Physician Groups

Network Security and Data Privacy Insurance for Physician Groups Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law

More information

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Penalty. Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations

More information

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH

UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013

HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013 HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com

More information

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule

Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule HEALTHCARE October 2009 Barnes & Thornburg LLP HIPAA Update: HITECH Act Breach Notification Rule This HIPAA Update provides a detailed description of the new breach notification requirements for HIPAA

More information

HIPAA & HITECH AND THE DISCOVERY PROCESS

HIPAA & HITECH AND THE DISCOVERY PROCESS HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL

More information

Overview of the HIPAA Security Rule

Overview of the HIPAA Security Rule Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup

NCHICA HITECH Act Breach Notification Risk Assessment Tool. Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP

Raymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial

More information

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits

State of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes

More information

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update

HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist

More information

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?

Information Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done? Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule

HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On

More information

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations?

Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters

More information

SaaS. Business Associate Agreement

SaaS. Business Associate Agreement SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
