Attorneys and Other Contractors: HIPAA Business Associates in 2014 and Beyond
October 18, 2013
Presenter: Jennifer Orr Mitchell, Esq.

The information provided in this presentation is an expression of the viewpoints of the author(s) and is not intended to constitute, nor should it in any way be construed as, legal advice or a definitive statement of the law in any jurisdiction.
We will be covering:
- Attorneys as HIPAA Business Associates
- HIPAA Privacy and Security Rules
- Recent Amendments: HITECH and the Omnibus Final Rule
- HIPAA Penalties
- Breach Notification Rule & Encryption
- Attorneys' Use of Mobile Devices
- Enforcement Trends and Examples
- Best Practices
Five Principles of Fair Information Practices Underlying the HIPAA Rules
- Openness (Notice): The existence and purposes of record-keeping systems should be publicly known.
- Individual Participation (Access): The individual should have the right to see his or her records and assure the quality of the information contained in those records (accurate, complete, and timely).
- Security: There should be reasonable safeguards in place for protecting the confidentiality, integrity, and availability of information.
Five Principles of Fair Information Practices Underlying the HIPAA Rules (continued)
- Accountability (Enforcement): Violations of the rules should result in reasonable penalties, and mitigation is critical if a violation occurs.
- Limits on Collection, Use and Disclosure (Choice): Information should be collected only with the knowledge and consent of the individual. Information should be used only in ways that are relevant for the purposes for which the information was collected. Information should be disclosed only with consent/notice or authority.
What is HIPAA -- Overview
HIPAA = The Health Insurance Portability and Accountability Act of 1996
We will discuss two primary HIPAA regulations:
- Privacy Rule
- Security Rule
Both rules apply to Covered Entities and their Business Associates.
What is HIPAA -- Overview
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. HIPAA was intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.
Under HIPAA's Privacy and Security Rules, Covered Entities must take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable patient information known as Protected Health Information ("PHI"), including electronic Protected Health Information ("ePHI").
HITECH (The Health Information Technology for Economic and Clinical Health Act), effective February 2009, significantly expanded the privacy and security requirements of HIPAA and put teeth into HIPAA enforcement through increased penalties and new enforcement mechanisms.
One of the most significant changes under HITECH, which was reinforced under the Omnibus Final Rule, is the direct regulation of Business Associates.
Covered Entities
- Health Care Providers (if they transmit data in electronic form in connection with a transaction covered under HIPAA)
- Health Plans (including employer-sponsored group health plans)
  - Applies to all group health plans, both self-insured and fully funded, with > 50 participants
  - Applies to all group health plans with < 50 participants unless self-administered
  - Employers: Your health plan is covered; is it compliant?
- Health Care Clearinghouses
Members of the workforce of a covered entity are required to comply with HIPAA. They do not have to be employees of the covered entity and can include contractors, volunteers, etc.
Business Associates
Any entity that creates, receives, maintains, or transmits (emphasis added) PHI in performing a function, activity, or service on behalf of a covered entity.
Examples: billing companies, accountants, insurance agents/brokers, payroll vendors, consultants, data processing firms, cloud providers, records storage, and ATTORNEYS.
Any entity that gets PHI to do something for a Covered Entity, including providing legal advice.
BAs are required to agree to protect PHI the same way CEs do; otherwise, CEs cannot continue to do business with them.
Attorneys as Business Associates
Attorneys are included as Business Associates under the HIPAA Privacy Rule, 45 C.F.R.: any non-employee who "provides legal services to or for such covered entity where the provision of the services involves disclosure of individually identifiable health information."
There are differing viewpoints as to when the Privacy Rule applies to attorneys' representation of their Covered Entity clients.
(e), Final Rule Preamble: "The provisions in this paragraph are not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information. In such cases, we presume that parties will have ample notice and an opportunity to object in the context of the proceeding in which the individual is a party."
Attorneys as Business Associates
The HITECH Act made the Business Associate provisions of the Privacy Rule and certain Security Rule provisions directly and specifically applicable to Business Associates, including penalties for noncompliance. The Omnibus Final Rule confirmed this application.
Privacy Rule:
- Most attorneys and law firms already have good measures in place for dealing with confidential information.
- Need to support these measures with written policies and procedures and review for compliance.
Attorneys as Business Associates
Security Rule:
Attorneys must reasonably and appropriately protect the confidentiality, integrity, and availability of any PHI they receive, create or maintain electronically pursuant to their legal representation of a Covered Entity.
Attorneys and Law Firms must take measures to address the following Security Rule requirements:
- Documentation of Policies and Procedures
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
When is an Attorney a Business Associate?
Attorneys who do not technically practice health care law often think they are not subject to HIPAA privacy and security obligations when they receive PHI from their covered entity clients.
Attorney may be a BA:
- Privacy or Security Rule compliance support for CEs
- Fraud and abuse/false claims defense
- Health care professional discipline defense, payment disputes, advice on compliance, risk management, peer review, accreditation, licensing
- Representing a CE or BA in audits or governmental investigations
- Due diligence for some types of CE transactions
- Representing a CE in any case involving individual patient diagnosis or treatment
- Representing a CE in any case involving individual health benefits
- Representing a CE or a BA in enforcing a restrictive covenant against an employee who is soliciting patients of the covered entity or who has disclosed patient data to a new employer
- Representation in the sale or purchase of a CE or BA with access to a patient list or a detailed list of accounts receivable
- Antitrust representation to define the relevant market in a restraint of trade case
When is an Attorney a Business Associate? (continued)
Attorney may NOT be a BA:
- When representing any party which is not a CE, including individual plaintiffs
- In workers' compensation cases (excluded by statute)
- In Social Security cases
- In employment law matters, except for representation of group health plans or matters involving health care entities disclosing PHI to their attorneys to defend the litigation (because the individual has not put his/her medical condition at issue in an employment case)
Sources:
When is an Attorney a Business Associate? (continued)
Attorney is LIKELY a BA (my list):
- Federal or state regulatory compliance and/or defense against an enforcement action (e.g., HIPAA, Medicare/Medicaid, fraud and abuse, etc.)
- Audit or investigation relating to actual or potential governmental or whistleblower complaints
- Pre-suit ERISA or other claims for health plan benefits
- Transactional work of any nature involving access to patient medical or financial information (e.g., billing, medical records, accounts payable, accounts receivable, pending or threatened litigation, etc.)
- Pre-suit employment investigation or advice where you had reason to access patient information (other than information contained in the employee's own employment file)
- Risk management or pre-suit handling of medical or personal injury claims
- Professional licensing board, credentialing, or other administrative matters
- Responding to subpoenas requesting patient information in any form
When is an Attorney a Business Associate? (continued)
Attorneys and law firms should be able to recognize when they are (or could be considered) Business Associates and take the appropriate steps to comply with the HIPAA Privacy and Security Rule provisions applicable to Business Associates. Non-compliance can lead to steep fines and government investigations, as well as potential loss of an attorney's or client's reputation.
Given the risks associated with non-compliance, attorneys should consult with health care attorneys and other HIPAA experts (either within or outside their law firms) for advice on their compliance obligations and the implementation of HIPAA-compliant privacy and security programs.
Source:
Business Associate Agreement Basics
The BAA should include:
- Permitted uses/disclosures of PHI by BA
- Prohibited uses/disclosures of PHI by BA
- Requirement that BA use appropriate safeguards (administrative, physical, technical) to protect ePHI
- Requirement that BA report security incidents
- Ensure subcontractors agree to step into the shoes of the BA
- Make PHI available to CE for access, amendment, accounting of disclosures
- Make BA internal practices, books, records available to HHS for review to determine compliance
- Provision for return/destruction/escrow of PHI upon termination
- Authorize termination if material violation of BAA
- Security breach notification requirements (HITECH/Omnibus Rule)
- Minimum necessary requirement (HITECH)
- Security Rule compliance requirement (HITECH)
- Audit requirements (HITECH)
Business Associate Agreement Basics: Indemnification
- Largely due to potential exposure under the Breach Notification Rule, CEs and BAs are including or attempting to include indemnification provisions in their BAAs.
- These provisions should be carefully considered prior to execution of any BAA by both sides.
HHS Guidance -- FAQs
1: Attorney disclosure of PHI to agents and/or subcontractors
"The business associate agreement between the covered entity and the lawyer-business associate provides that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR (e)(2)(ii)(D). Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer's legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer's business associate agreement with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate."
HHS Guidance -- FAQs
1: Attorney disclosure of PHI to agents and/or subcontractors (continued)
"For example, pursuant to its business associate agreement, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity, will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer-business associate need not ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties."
HHS Guidance -- FAQs
2: Sharing of PHI by CE with its Attorney for use in litigation
"Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of health care operations at 45 CFR includes a covered entity's activities of conducting or arranging for legal services to the extent such activities are related to the covered entity's covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations."
HHS Guidance -- FAQs
2: Sharing of PHI by CE with its Attorney for use in litigation (continued)
"The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR (b), (d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR (d)(3)(iii)(C). A covered entity's minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer's requests for protected health information needed in the course of providing legal services to the covered entity."
HHS Guidance -- FAQs
2: Sharing of PHI by CE with its Attorney for use in litigation (continued)
"In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a relevance standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings."
HHS Guidance -- FAQs
3: Accounting for disclosures of PHI made during the course of litigation
"Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR. Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:
- as required by law (under (a) and (e)(1)(i));
- for a proceeding before a health oversight agency (under (d)); or
- in response to a subpoena, discovery request, or other lawful process (under (e))."
HHS Guidance -- FAQs
3: Accounting for disclosures of PHI made during the course of litigation (continued)
"Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual's authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity's health care operations. In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule should provide that the lawyer-business associate make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one."
Privacy and Security
Privacy is the individual's right over the use and disclosure of his or her protected health information (PHI), and includes the right to determine when, how, and to what extent PHI is shared with others. The Privacy Rule grants rights to individuals for accessing and controlling the use/disclosure of their PHI.
Security is the specific measures a health care entity must take to protect PHI from any unauthorized breaches of privacy, such as if information is stolen or provided to the wrong person in error. It also includes measures taken to ensure against the loss of integrity of PHI, such as if a patient's records are lost or destroyed by accident. HIPAA requires general security measures that are both reasonable and appropriate.
HIPAA Privacy Rule
- Protects all PHI (protected health information), which includes just about any piece of information that might possibly identify a person, in any form, including oral information
- Grants individuals broader rights in their PHI: access, amendment, disclosure accounting, restrictions, confidential communications
- Has been in effect since April 2003
The Privacy Rule
THE RULE: Covered Entities are prohibited from using or disclosing PHI unless a Privacy Rule exception applies.
THE LANGUAGE: "A covered entity may not use or disclose protected health information [PHI], except as permitted or required by this subpart or by subpart C of part 160 of this chapter." [45 CFR ]
The Privacy Rule
Protected Health Information (PHI) is information:
- created or received by a health care provider, health plan, or health care clearinghouse ("covered entities");
- relating to past, present, or future health of an individual, provision of health care, or payment for health care;
- that either identifies the individual or provides a reasonable basis for identification;
- in all forms (oral, written, electronic).
PHI includes ePHI, which is also covered more specifically by the Security Rule.
Exceptions: employment records, education records covered by FERPA, and records covered by other federal law.
The Privacy Rule
It is important to understand that whether data is PHI depends on the source and how it was obtained. The same data can be PHI in one context and not in another.
- Did the data come from a covered entity?
- Was the information provided to assist the CE with its health care operations? (as opposed to information contained in HR/employment files or workers' comp files, for example)
- Does the information relate to past, present, or future health of an individual, provision of health care, or payment for health care?
PHI provided pre-suit can arguably lose its status as PHI once a lawsuit is filed by the patient who is the subject of the information, putting his/her medical condition at issue; it would then depend on when the use or disclosure occurred.
The Privacy Rule
PHI includes the following 18 identifiers:
1. Names
2. All geographic subdivisions smaller than a State (street address, city, county, precinct, zip code)
3. All elements of dates (except year) for dates related to the individual (birth date, admission date, discharge date, date of death, prescription dispense date, etc.)
4. Telephone numbers
5. Fax numbers
6. Email addresses
7. SSNs
8. Medical record numbers (including prescription numbers)
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers, serial numbers, license plate numbers
13. Device identifiers and serial numbers
14. URLs
15. IP address numbers
16. Biometric identifiers (finger and voice prints)
17. Full face photographs (and comparable images)
18. Catch-all: any other unique number, characteristic, or code that might possibly identify a person
So, in terms of information contained within medical and billing records, this really includes nearly every piece of useful information.
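The 18-identifier list above, together with the HHS FAQ 2 point that a lawyer applying the minimum necessary standard may need to de-identify information or strip direct identifiers before disclosure, lends itself to a worked example. The Python script below is an added example, not part of the presentation or of any HHS material. It runs two passes over a record: a detection pass reporting which identifier categories appear (a practical pre-disclosure minimum necessary check), and a redaction pass that replaces shaped identifiers, reduces dates to the year only (item 3), and redacts the Patient and Address fields whole, because names (item 1) and street/city text (item 2) have no regular shape and must be handled by field or by a caller-supplied list. The record, the field labels (MRN, Member ID, Account #) and the regex formats are constructed assumptions; any real document would need its own field map.

```python
"""Added example: Safe Harbor-style scan and redaction of direct identifiers.

Not part of the presentation. The record below is constructed and entirely
fictional; the field names (MRN, Member ID, Account #) and the regexes are
assumptions about how such data is commonly formatted, not HIPAA text.
"""
import re

# Constructed sample record: fictional patient, provider and contact data.
SAMPLE_RECORD = """Patient: Jane Q. Sample
DOB: 03/14/1962
SSN: 123-45-6789
MRN: 4471902
Member ID: BCX-7781-22
Account #: 88213377
Address: 12 Elm St, Springfield, OH 45501
Phone: (937) 555-0142
Fax: 937-555-0199
Email: jane.sample@example.test
Portal: https://portal.example.test/visit/88213377
Last login IP: 203.0.113.42
Note: Admitted 05/02/2012, discharged 05/06/2012 for community-acquired
pneumonia. Follow-up with Dr. Patel scheduled 06/01/2012; call (937) 555-0142
to confirm.
"""

# Identifier categories with a recognisable shape (list items 2, 4-10, 14, 15).
# Each regex has two groups: (1) a field label to keep, possibly empty, and
# (2) the identifier value to remove. Longer tokens (URLs, e-mail, IPs) are
# consumed before shorter numeric ones so a zip regex never eats part of a URL.
PATTERNS = [
    ("url", re.compile(r"()(https?://\S+)")),
    ("email", re.compile(r"()(\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b)")),
    ("ipv4", re.compile(r"()(\b(?:\d{1,3}\.){3}\d{1,3}\b)")),
    ("ssn", re.compile(r"()(\b\d{3}-\d{2}-\d{4}\b)")),
    ("phone_or_fax", re.compile(r"()(\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b)")),
    ("mrn", re.compile(r"(\bMRN[:#]?\s*)(\d+)\b", re.I)),
    ("beneficiary_number", re.compile(r"(\bMember ID[:#]?\s*)([\w-]+)\b", re.I)),
    ("account_number", re.compile(r"(\bAccount\s*#?[:#]?\s*)(\d+)\b", re.I)),
    ("zip", re.compile(r"()(\b\d{5}(?:-\d{4})?\b)")),
]

# Item 3: every date element except the year is an identifier, so month and
# day are dropped and the year kept. US m/d/yyyy only (an assumption).
DATE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

# Fields whose whole value is redacted because the content has no regular
# shape: names (item 1) and street/city (item 2). Assumed field labels.
WHOLE_FIELDS = {"Patient": "[NAME]", "Address": "[ADDRESS]"}


def find_identifiers(text):
    """Detection pass: map each identifier category to the values seen."""
    found = {}
    for label, rx in PATTERNS:
        values = [m.group(2) for m in rx.finditer(text)]
        if values:
            found[label] = values
    dates = [m.group(0) for m in DATE.finditer(text)]
    if dates:
        found["date"] = dates
    return found


def deidentify(text, extra_names=()):
    """Redaction pass: remove direct identifiers, keep clinical content.

    extra_names covers names that appear in free text (e.g. providers) and
    cannot be located by shape; the Patient field value is added automatically.
    """
    names = list(extra_names)
    patient = re.search(r"^Patient:\s*(.+)$", text, re.M)
    if patient:
        names.append(patient.group(1).strip())
    out = text
    for field, tag in WHOLE_FIELDS.items():
        out = re.sub(r"^(%s:\s*)(.+)$" % field, r"\g<1>%s" % tag, out, flags=re.M)
    for label, rx in PATTERNS:
        tag = "[" + label.upper() + "]"
        out = rx.sub(lambda m, tag=tag: m.group(1) + tag, out)
    out = DATE.sub(lambda m: m.group(3), out)  # keep the year only
    for name in names:
        out = re.sub(re.escape(name), "[NAME]", out)
    return out


def no_shaped_identifiers(text):
    """True when the detection pass finds nothing; free-text names are not covered."""
    return not find_identifiers(text)


if __name__ == "__main__":
    for label, values in find_identifiers(SAMPLE_RECORD).items():
        print(label, values)
    print(deidentify(SAMPLE_RECORD, extra_names=("Patel",)))
```

The two passes serve different moments: the detection report is what a reviewer looks at before deciding whether a document is the minimum necessary for the disclosure at hand, and the redaction output is what leaves the firm if it is not. Note that a clean `no_shaped_identifiers` result says nothing about free-text names or places, which is exactly why the Patient and Address fields are redacted by label rather than by pattern.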
The Privacy Rule
Key Permitted Uses & Disclosures:
- To the Individual
- For Treatment, Payment and Health Care Operations (TPO)
- Pursuant to an Authorization
- As Required by Law
- To Business Associates
- For Public Health Activities
- To Health Oversight Agencies
- Concerning Decedents
- To Organ Procurement Organizations
- For Research Purposes
- In a Limited Data Set
- For Fundraising and Underwriting
The Privacy Rule: Minimum Necessary Rule
When using or disclosing PHI, or when requesting PHI from another covered entity, a covered entity must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
The Privacy Rule
There are 6 Exceptions to the Minimum Necessary Rule:
- Disclosures for Treatment
- Disclosures to the Individual
- Disclosures pursuant to an Authorization
- Disclosures to DHHS for Enforcement
- Disclosures Required by Law
- Disclosures required for compliance with the Privacy Rule
The Privacy Rule: Incidental Uses and Disclosures
The Privacy Rule explicitly permits certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. An incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards and implemented the minimum necessary rule, where applicable.
The Privacy Rule: Authorizations
Specific elements are required for an authorization to be effective. For example:
- plain language
- right to revoke
- specific description of the information to be used or disclosed
- identification of the person or entity to whom the information is to be disclosed
- termination date
The Privacy Rule: Notice of Privacy Practices (NPP)
- Sets forth the uses and disclosures that will be undertaken by the covered entity and its business associates.
- An individual has a right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, and of the individual's rights and the CE's legal duties regarding PHI.
- Specific requirements for what must be contained in the NPP are set out in the Privacy Rule.
- There are specific rules for distributing, posting, and providing access to the NPP.
- OCR has recently issued a new sample NPP for use by health care providers and health plans.
- Employers: Did you update your health plan NPPs in September 2013? You should have!
The Security Rule
- The Security Rule mandates safeguards for Electronic PHI (or "ePHI").
- Security safeguards were already required by the Privacy Rule. The Security Rule provides more guidance as to the nature and function of each individual safeguard.
- Has been in effect since April 2005.
The Security Rule
RULE: All covered entities and their business associates are required to develop and document a security program to guard against real and potential threats of disclosure or loss, which will include policies, procedures and safeguards to protect Electronic PHI (or "ePHI").
The Security Rule: Safeguards
1. Administrative Safeguards
- Administrative actions, policies and procedures related to security measures
- Managing conduct of workforce in protecting ePHI
- Risk analysis, risk management, appoint security officer, employee training, etc.
ADMINISTRATIVE SAFEGUARDS (standard - citation - implementation specification):
- Security Management Process - 45 CFR (a)(1) - required
- Assigned Security Responsibility - 45 CFR (a)(2) - required
- Workforce Security - 45 CFR (a)(3) - addressable
- Information Access Management - 45 CFR (a)(4) - addressable
- Security Awareness and Training - 45 CFR (a)(5) - addressable
- Security Incident Procedures - 45 CFR (a)(6) - required
- Contingency Plan - 45 CFR (a)(7) - required
- Evaluation - 45 CFR (a)(8) - required
- Business Associate Contracts and Other Arrangements - 45 CFR (b) - required
The Security Rule: Safeguards
2. Physical Safeguards
- Focused on preventing unauthorized individuals from gaining access to ePHI
- Protecting buildings and equipment from unauthorized access, disasters and hazards
- Limiting physical access to information systems and addressing security needs of workstations and computers
PHYSICAL SAFEGUARDS (standard - citation - implementation specification):
- Facility Access Controls - 45 CFR (a)(2) - addressable
- Workstation Use - 45 CFR (b) - required
- Workstation Security - 45 CFR (c) - required
- Device and Media Controls - 45 CFR (d) - required
The Security Rule: Safeguards
3. Technical Safeguards
- Technology, and the policies and procedures for its use, that protect ePHI and control access to ePHI
- Address electronic transmission of ePHI and access control mechanisms
TECHNICAL SAFEGUARDS (standard - citation - implementation specification):
- Access Control - 45 CFR (a)(1) - addressable; (a)(2) - required
- Audit Controls - 45 CFR (b) - required
- Integrity - 45 CFR (c)(1) - N/A
- Person or Entity Authentication - 45 CFR (d) - required
- Transmission Security - 45 CFR (e)(1) - N/A
The Security Rule: Implementation Specifications
Required v. Addressable
- Required specifications
- Addressable specifications: CEs and BAs (after HITECH) must assess whether a specification is reasonable and appropriate.
  - If reasonable and appropriate, the CE or BA must implement the specification.
  - If not applicable, the CE or BA must document the decision not to implement the specification, the reason, and how the standard is otherwise being met.
The Security Rule - OCR FAQ
What is the difference between addressable and required implementation specifications in the Security Rule?
Answer: "The covered entity [or business associate] must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. For example, a covered entity [or business associate] must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative. This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity [or business associate] makes regarding addressable specifications must be documented in writing. The written documentation should include the factors considered as well as the results of the risk assessment on which the decision was based."
The Security Rule
Some key areas of security concern:
- Unprotected Internet web browsing and cookies
- Authentication
- Networks/firewalls
- Lack of physical security
- Hackers/phishing/other illegality
- Internal mischief/disgruntled employees
- Data sharing
- Encryption (or lack thereof)
The HITECH Act
Health Information Technology for Economic and Clinical Health Act (HITECH Act), February 17, 2009
Most significant changes to HIPAA since issuance of the Privacy and Security Regulations.
The HITECH Act
- Included $20 billion in funding for healthcare information technology projects
- Extended the reach of the HIPAA Privacy and Security Rules and penalties directly to Business Associates
- Increased enforcement of, and penalties for, HIPAA violations:
  - Formal investigations of complaints
  - State AGs can bring civil actions in federal court
  - Increased penalty amounts
- Imposed breach notification requirements on CEs and BAs
- Clarified minimum necessary standard (sort of)
- Limited certain uses and disclosures of PHI
- More accounting responsibilities for uses/disclosures of PHI
- Increased individuals' rights with respect to PHI maintained in electronic health records (EHRs)
- Periodic HHS audits of HIPAA compliance (KPMG audits underway)
- Remuneration in exchange for PHI prohibited (with some limited exceptions)
- Marketing/fundraising restrictions tightened
- Required BAs to enter into Business Associate Agreements with subcontractors and monitor compliance; BA must terminate contract if compliance issues cannot be cured
The HITECH Act Section-by-Section
- Sec. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
- Sec. Notification in the case of breach.
- Sec. Education on health information privacy.
- Sec. Application of privacy provisions and penalties to business associates of covered entities.
- Sec. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
- Sec. Conditions on certain contacts as part of health care operations.
- Sec. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
- Sec. Business associate contracts required for certain entities.
- Sec. Clarification of application of wrongful disclosures criminal penalties.
- Sec. Improved enforcement.
- Sec. Audits.
HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
Objective The objective of this policy is to provide guidance for breach notification by Georgia Regional Academic Community Health Information Exchange (hereafter referred to as GRAChIE) when unauthorized
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
HIPAA Privacy and Security Rules: A Refresher Marilyn Freeman, RHIA California Area HIPAA Coordinator California Area HIM Consultant Objectives Provide overview of Health insurance Portability and Accountability
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
Federal Breach Notification and Tools Disclaimer This document is copyright 2013 by the Long Term Care Consortium (LTCC). These materials may be reproduced and used only by long-term health care providers
1. Breach Notification Team. Breach Notification Policy Ferris State University ( Ferris State ), a hybrid entity with health care components, has established a Breach Notification Team, which consists
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
WHY YOU NEED TO COMPLY. HIPAA UPDATE 2014: WHY AND HOW YOU MUS T C OMPL Y 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its longawaited Omnibus Rule 2 implementing regulations
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
What You Need to Know About the New HIPAA Breach Notification Rule 1 New regulations effective September 23, 2009 require all physicians who are covered by HIPAA to notify patients if there are breaches
HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
HIPAA Business Associate Addendum THIS HIPAA BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is by and between ( Covered Entity ) and TALKSOFT CORPORATION ( Business Associate ) (hereinafter, Covered Entity
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
New HIPAA Regulations Require Notification of Breaches of Unsecured Protected Health Information GEORGE CHORIATIS In this article, the author discusses the new Health Insurance Portability and Accountability
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
9/25/13 Lawyers as HIPAA Business Associates ISBA Solo and Small Firm Conference October 4, 2013 Rick L. Hindmand McDonald Hopkins LLC 1 Agenda Background HIPAA/HITECH Act/Omnibus Rule Who is a business
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES I. Overview / Definitions The Health Insurance Portability and Accountability Act is a federal law
UNIVERSITY OF WYOMING HIPAA POLICY 3.6 BREACH I. PURPOSE: The purpose of this policy is to outline the processes and procedures for determining whether the security or privacy of PHI has been compromised
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW PROTECTED HEALTH INFORMATION (PHI) ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS
NCHICA HITECH Act Breach Notification Risk Assessment Tool Prepared by the NCHICA Privacy, Security & Legal Officials Workgroup NORTH CAROLINA HEALTHCARE INFORMATION AND COMMUNICATIONS ALLIANCE, INC August
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
JANUARY 23, 2013 HHS announces sweeping changes to the HIPAA Privacy and Security Rules in the final HIPAA Omnibus Rule By Linn Foster Freedman, Kathryn M. Sylvia, Lindsay Maleson, and Brooke A. Lane On
FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
BUSINESS ASSOCIATE AGREEMENT HIPAA Protected Health Information I. PREAMBLE ( Covered Entity ) and ( Business Associate ) (jointly the Parties ) wish to enter into an Agreement to comply with the requirements
Americas - U.S. Legislative, Privacy & Projects Jurisdiction Effective Date Author Release Date File No. UFS Topic Citation: Reference: Federal 3/26/13 Michael F. Tietz Louis Enahoro HIPAA, Privacy, Privacy
STATE OF NEVADA DEPARTMENT OF HEALTH AND HUMAN SERVICES BUSINESS ASSOCIATE ADDENDUM BETWEEN The Division of Health Care Financing and Policy Herein after referred to as the Covered Entity and (Enter Business
HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad