Data Sharing Issues in Accountable Care Organizations


Slide 1: Data Sharing Issues in Accountable Care Organizations
Joel Garmon, Chief Information Security Officer, Wake Forest Baptist Health
Brian Vick, JD, Associate Counsel, Blue Cross Blue Shield of North Carolina
Michael Berwanger, JD, Compliance Manager, Cornerstone Health Care, PA

Slide 2: Disclaimer
This presentation is not a legal opinion or legal advice. Attendees should consult with their own legal counsel for specific legal opinions and advice.

Slide 3: Agenda
1. What are the security drivers for an ACO?
2. Why does an ACO need identifiable data, and where does it come from?
3. What are the data sharing requirements for an ACO?
4. Panel Discussion

Slide 4: Information Security Standards and ACOs
- HIPAA Security Rule
- OMB Circular No. A-130
- NIST SP
- FIPS 200

Slide 5: Security Requirements for CMS Data Use Agreement
"The User agrees to establish appropriate administrative, technical, and physical safeguards to protect the confidentiality of the data and to prevent unauthorized use or access to it. The safeguards shall provide a level and scope of security that is not less than:
1. the level and scope of security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Systems, as well as
2. Federal Information Processing Standard 200, entitled Minimum Security Requirements for Federal Information and Information Systems, and
3. Special Publication Recommended Security Controls for Federal Information Systems (publications/nistpubs/ Rev2/sp rev2-final.pdf)."*
* Payment/sharedsavingsprogram/Downloads/Data-Use-Agreement.pdf

Slide 6: OMB Circular No. A-130 requirements
Very similar to HIPAA, except:
  o Specialized Training. Before allowing individuals access to the application, ensure that all individuals receive specialized training focused on their responsibilities and the application rules.

Slide 7: NIST SP
List of security control activities per impact level (Low/Moderate/High)
  o LOTS of controls listed
  o Good information and organization to develop a security program
  o LOTS of documentation
  o "Organizations have flexibility in applying the baseline security controls in accordance with the guidance provided in the Special Publication. This allows organizations to tailor the relevant security control baseline so that it more closely aligns with their mission and business requirements and environments of operation."

Slide 8: Federal Information Processing Standards 200
Determine impact level. The security-related areas include:
(i) access control;
(ii) awareness and training;
(iii) audit and accountability;
(iv) certification, accreditation, and security assessments;
(v) configuration management;
(vi) contingency planning;
(vii) identification and authentication;
(viii) incident response;
(ix) maintenance;
(x) media protection;
(xi) physical and environmental protection;
(xii) planning;
(xiii) personnel security;
(xiv) risk assessment;
(xv) systems and services acquisition;
(xvi) system and communications protection; and
(xvii) system and information integrity.

Slide 9: Why ACOs?
Although the U.S. has the most expensive health care system in the world, the nation ranks lowest in terms of efficiency, equity and outcomes, according to the report.
Bankruptcies resulting from unpaid medical bills will affect nearly 2 million people this year, making health care the No. 1 cause of such filings and outpacing bankruptcies due to credit-card bills or unpaid mortgages, according to new data.

Slide 10: Why does an ACO need all this data, and why does security matter?
It is important to distinguish between a:
1. Clinically Integrated Network, and
2. Accountable Care Organization.

Slide 11: Clinically Integrated Network
Clinically Integrated Network (CIN): a CIN involves a network of otherwise independent physicians/health systems who collectively commit to quality and cost improvement. This involves requirements such as infrastructure development, care models, and other demonstrable integration.
This is an antitrust term based on regulations and opinions from the DOJ and FTC.* There are requirements to achieve clinical integration from an enforcement perspective.
* See Statements of Antitrust Enforcement Policy in Health Care, issued by the U.S. Department of Justice and the Federal Trade Commission (Aug. 1996).

Slide 12: What is an ACO?
CMS Definition: "Accountable Care Organizations (ACOs) are groups of doctors, hospitals, and other health care providers, who come together voluntarily to give coordinated high quality care to their patients. The goal of coordinated care is to ensure that patients, especially the chronically ill, get the right care at the right time, while avoiding unnecessary duplication of services and preventing medical errors. When an ACO succeeds both in delivering high-quality care and spending health care dollars more wisely, it will share in the savings it achieves."
Payment/ACO/index.html?redirect=/ACO

Slide 13: What is an ACO? The Basics
- If there are 2+ ACO Participants, the ACO must be a distinct legal organization, separate from the individual ACO Participants (42 C.F.R. (b))
- Strong primary care foundation
- ACOs are based on contracts with payers
  o Medicare programs (MSSP, Pioneer, Next Generation)
  o Private/Commercial ACOs

Slide 14: Changing The Way We Deliver Care

Slide 15: Patient Centered Care Model

Slide 16: Why is data important in an ACO?
1. Performance Measurement. As part of the ACO contract, the ACO is held accountable for certain performance measures tied to reimbursement.
2. Accountability. The ACO shares financial and medical responsibility for providing coordinated care to a group of patients in hopes of:
   a. limiting unnecessary spending,
   b. improving care, and
   c. improving the patient experience with the health care system.
3. Attributed Patients. Patients are assigned to an ACO provider if they receive the plurality of non-inpatient care for evaluation and management services from that provider within a recent historical period.
   o The ACO is responsible for all of the costs and quality of care delivered to patients attributed to providers who are exclusively members of that ACO.

Slide 17: Information is Necessary
"...although an ACO typically should have, or is moving towards having, complete information for the services it provides to its assigned beneficiaries, we also recognize that the ACO may not have access to complete information about all of the services that are provided to its assigned beneficiaries by providers outside the ACO, information that would be key to its coordinating care for its beneficiary population." MSSP Final Rule.

Slide 18: Where does the data come from?
To provide high quality care, an accurate picture of the patient's medical information becomes necessary. This requires gathering information from: payors, other health systems, lab companies, pharmacy groups, the patient (via portals, patient-specific medical devices, or otherwise), and an array of other sources.

Slide 19: Data Sharing
- A key factor in improving care while driving down costs is sharing medical records and other data across the ACO
  o The providers with access to these records are no longer part of the same entity, but instead may be part of any ACO participant (and even non-participants)
  o Significant security and contractual compliance requirements in these data exchanges
- With each additional provider and data network involved, the risk of a security breach increases
  o Significant HIPAA and HITECH implications

Slide 20: Rules for Data Sharing
1. HIPAA,
2. The Privacy Act of 1974,
3. CMS Data Release Policies,
4. The CMS DUA requires compliance with:
   - Security requirements established by the Office of Management and Budget (OMB) in OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Systems,
   - Federal Information Processing Standard 200, entitled Minimum Security Requirements for Federal Information and Information Systems, and
   - Special Publication Recommended Security Controls for Federal Information Systems

Slide 21: Data Sharing Issues
- Unclear if and how a data breach at one ACO participant will affect the ACO entity and the other ACO participants
  o Recent enforcement action outside the ACO context against Columbia University based on a data breach at NY Presbyterian
  o FTC settlement with GMR Transcription Services: the company never required the individual typists it hired as contractors to implement security measures, such as installing anti-virus software
- Consider cyber liability insurance for the ACO entity and individual participants.

Slide 22: Data Sharing Issues
If the ACO has a breach, there are several factors to consider:
- The ACO likely holds the funds received for the ACO. If the ACO has a breach, is there a process in place, either contractually or as an internal process, to apply funds to the breach (i.e., would the payment come from the general fund, a reserve fund, etc.)?
- Cyber-liability coverage?
- How is shared responsibility among the Participants determined?

Slide 23: Data Sharing Issues
What does your Participant Agreement and/or the BAA say about:
- Reporting;
- Audit rights;
- Using off-shore vendors;
- Participant involvement in vendor selection;
- Damages caps;
- Ownership of data;
- Transition costs for onboarding/offboarding Participants?

Slide 24: Summary
ACOs should be considering effective strategies for:
- Managing the privacy and security of data exchange;
- Governing data exchange between participants and third parties;
- Required contractual and regulatory controls;
- Relationships with Payors, and how to effectively work with Payors to exchange data.

Slide 25: Panel Discussion

Slide 26: Panel Discussion
Q1: What assurances would you like to receive on the front end of initiating a data exchange with an ACO? What about onboarding new data sources?

Slide 27: Panel Discussion
Q2: Part of the commitment of ACO Participation is utilizing actionable data in a meaningful way.
a) How do you make this data available to providers interacting with patients?
b) What security concerns do you have regarding the access to ACO-level data at the end-user level?

Slide 28: Panel Discussion
Q3: From a security perspective, with multiple data sources and data recipients, how do you determine who is an appropriate recipient to share data with, and once that is determined, how do you monitor these disclosures? How do you manage patient opt-out rights?

Slide 29: Panel Discussion
Q4: What type of governance structure may be effective for an ACO with an AMC participant? Does this change from regulatory ACOs (MSSP, Pioneer) to private payor ACOs?


2/27/2014. Meaningful Use as it Relates to HIPAA Compliance. Objectives and Agenda. Understand the statutory and regulatory background and purpose Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

Amy K. Fehn. I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program

Amy K. Fehn. I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program IMPLEMENTING COMPLIANCE PROGRAMS FOR ACCOUNTABLE CARE ORGANIZATIONS Amy K. Fehn I. Overview of Accountable Care Organizations and the Medicare Shared Savings Program The Medicare Shared Savings Program

More information

Heartland Rural Physician Alliance. Independent Physician Association Incorporated June 14, 2012

Heartland Rural Physician Alliance. Independent Physician Association Incorporated June 14, 2012 Heartland Rural Physician Alliance Independent Physician Association Incorporated June 14, 2012 Discussion 1. Inception-CoOportunity Health 2. History 3. Care Coordination 4. Medicare ACO 5. Medicaid Health

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - De-identification of PHI 10030 POLICY INFORMATION Major Functional Area (MFA): MFA X - Office of General Counsel & Compliance Policy

More information

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?

It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health

More information

Administrative Services

Administrative Services Policy Title: Administrative Services De-identification of Client Information and Use of Limited Data Sets Policy Number: DHS-100-007 Version: 2.0 Effective Date: Upon Approval Signature on File in the

More information

HIPAA Security Risk Analysis for Meaningful Use

HIPAA Security Risk Analysis for Meaningful Use HIPAA Security Risk Analysis for Meaningful Use NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA

More information

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by:

UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE. No: Supersedes Date: Distribution: Issued by: UNIVERSITY PHYSICIANS OF BROOKLYN, INC. POLICY AND PROCEDURE Subject: ALCOHOL & SUBSTANCE ABUSE INFORMATION Page 1 of 10 No: Prepared by: Shoshana Milstein Original Issue Date: NEW Reviewed by: HIPAA Policy

More information

Get Confidence in Mission Security with IV&V Information Assurance

Get Confidence in Mission Security with IV&V Information Assurance Get Confidence in Mission Security with IV&V Information Assurance September 10, 2014 Threat Landscape Regulatory Framework Life-cycles IV&V Rigor and Independence Threat Landscape Continuously evolving

More information

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii The Office of the Auditor General has conducted a procedural review of the State Data Center (Data Center), a part of the Arizona Strategic Enterprise Technology (ASET) Division within the Arizona Department

More information

ALTA Title Insurance & Settlement Company Best Practices

ALTA Title Insurance & Settlement Company Best Practices ALTA Title Insurance & Settlement Company Best Practices N e w C a s t l e T i t l e 7 5 0 N o r t h 3 r d S t r e e t, S u i t e B ( 6 0 8 ) 7 8 3-9 2 6 5 ( 6 0 8 ) 7 8 3-9 2 6 6 5 / 2 2 / 2 0 1 5 0 5/22/15

More information

Medicare (Pioneer) Accountable Care Organization. Annual Compliance Training

Medicare (Pioneer) Accountable Care Organization. Annual Compliance Training Medicare (Pioneer) Accountable Care Organization Annual Compliance Training Overview While health care professionals have long been concerned about patient safety, increased public awareness and transparency

More information

DISCLAIMER. HIPPAA Notice of Privacy. HIPAA Notice of Privacy Practices Printable PDF. Effective November 1, 2015

DISCLAIMER. HIPPAA Notice of Privacy. HIPAA Notice of Privacy Practices Printable PDF. Effective November 1, 2015 DISCLAIMER Direct Medical Imaging LLC (DMI) dba Pembina High Field MRI provides scanning and services, including an interpretation of the scan by a board certified radiologist. DMI cannot and does not

More information

OUR ACCOUNTABLE CARE ORGANIZATION (ACO) STRATEGY. Meredith Marsh Director Health Choice Care, LLC

OUR ACCOUNTABLE CARE ORGANIZATION (ACO) STRATEGY. Meredith Marsh Director Health Choice Care, LLC OUR ACCOUNTABLE CARE ORGANIZATION (ACO) STRATEGY Meredith Marsh Director Health Choice Care, LLC HEALTH REFORM The Affordable Care Act (ACA) strives to achieve the Triple AIM: Improving the experience

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

SUBJECT: BUSINESS ETHICS AND REGULATORY COMPLIANCE PROGRAM & PLAN (BERCPP)

SUBJECT: BUSINESS ETHICS AND REGULATORY COMPLIANCE PROGRAM & PLAN (BERCPP) Effective Date: 6/17/2008; 1/3/2007; 6/2/2004, BOD #04-028 Revised Date: 9/5/2012 Review Date: 9/13/2012 North Sound Mental Health Administration Section 2000-Compliance: Business Ethics and Regulatory

More information

and the Mechanics of MICHAEL K. HARRINGTON, MSHA, RHIA, CHP Faculty Department of Health Administration St. Joseph's College of Maine Standish, Maine

and the Mechanics of MICHAEL K. HARRINGTON, MSHA, RHIA, CHP Faculty Department of Health Administration St. Joseph's College of Maine Standish, Maine HEALTH CARE FINANCE and the Mechanics of Insurance and Reimbursement MICHAEL K. HARRINGTON, MSHA, RHIA, CHP Faculty Department of Health Administration St. Joseph's College of Maine Standish, Maine Ä-

More information

The HIPAA Omnibus Final Rule

The HIPAA Omnibus Final Rule WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia

More information

DATA USE AGREEMENT RECITALS

DATA USE AGREEMENT RECITALS DATA USE AGREEMENT This Data Use Agreement (the Agreement ), effective as of the day of, 20, is by and between ( Covered Entity ) and ( Limited Data Set Recipient or Recipient ) (collectively, the Parties

More information

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology

RUTGERS POLICY. Section Title: Legacy UMDNJ policies associated with Information Technology RUTGERS POLICY Section: 70.2.22 Section Title: Legacy UMDNJ policies associated with Information Technology Policy Name: Information Security: Electronic Information and Information Systems Access Control

More information

Look Before You Leap: Legal and Practical Obstacles with ACOs

Look Before You Leap: Legal and Practical Obstacles with ACOs Look Before You Leap: Legal and Practical Obstacles with ACOs Houston ACO Conference May 7, 2013 Edward Vishnevetsky, Esq. Coordinated Care and ACOs Coordinated Care Goal: ensure that healthcare providers

More information

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com

HIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations

More information

Policy and Procedures for Recoupment & Coordination of Benefits: Workers Compensation Payment

Policy and Procedures for Recoupment & Coordination of Benefits: Workers Compensation Payment Policy and Procedures for Recoupment & Coordination of Benefits: Workers Compensation Payment Effective Date: September 1, 2013 I. Authority A. The James Zadroga 9/11 Health and Compensation Act of 2010

More information

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA

PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Chapter-4: Business Continuity Planning and Disaster Recovery Planning PAPER-6 PART-5 OF 5 CA A.RAFEQ, FCA Learning Objectives 2 To understand the concept of Business Continuity Management To understand

More information

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU)

Privacy Impact Assessment (PIA) for the. Certification & Accreditation (C&A) Web (SBU) Privacy Impact Assessment (PIA) for the Cyber Security Assessment and Management (CSAM) Certification & Accreditation (C&A) Web (SBU) Department of Justice Information Technology Security Staff (ITSS)

More information

What is an Accountable Care Organization. Amit Rastogi, MD President/CEO PriMed

What is an Accountable Care Organization. Amit Rastogi, MD President/CEO PriMed What is an Accountable Care Organization Amit Rastogi, MD President/CEO PriMed Goals Why is U.S. healthcare undergoing dramatic change How reimbursement structures are likely to change What is the timeline

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014

More information

Sustainable Compliance: A System for Ongoing Audit Readiness

Sustainable Compliance: A System for Ongoing Audit Readiness View the Replay on YouTube Sustainable Compliance: A System for Ongoing Audit Readiness FairWarning Executive Webinar Series November 14, 2013 Agenda Sustainable Compliance at St. Charles Health System

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy

More information

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule NIST Special Publication 800-66 An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Joan Hash, Pauline Bowen, Arnold Johnson, Carla

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC

www.shipmangoodwin.com Shipman & Goodwin LLP 2015. All rights reserved. @SGHealthLaw HARTFORD STAMFORD GREENWICH WASHINGTON, DC HIPAA Compliance and Non-Business Associate Vendors: Strategies and Best Practices July 14, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON,

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES Effective Date: September, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

Double-Take in a HIPAA Regulated Health Care Industry

Double-Take in a HIPAA Regulated Health Care Industry Double-Take in a HIPAA Regulated Health Care Industry Abstract: This document addresses the contingency plan and physical access control requirements of the Administrative Simplification security provision

More information

HIT/EHR Vendor Contracting Checklist

HIT/EHR Vendor Contracting Checklist HIT/EHR Vendor Contracting Checklist Dear Members: You are likely coming to the end of an intense process of vetting one or more electronic health record (EHR) products and related vendor proposals. As

More information