2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS

Size: px
Start display at page:

Download "2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS"

Transcription

1 2013 HIPAA/HITECH AMENDMENTS: HOW THE CHANGES IMPACT THE ediscovery PROCESS Brian Brown Danny Tijerina RenewData, an LDiscovery Company Austin, TX Introduction Maintaining compliance with government regulations has become more complicated due to the final omnibus regulations that implement the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ) amendments of the Health Information Technology for Economic and Clinical Health ( HITECH ) Act. These rules not only impact companies generally, but they also affect ediscovery efforts, as law firms are responsible for subcontractors performing discovery tasks on behalf of their healthcare organization clients. In order to mitigate risk, firms need to understand the various components of ediscovery, the role protected health information ( PHI ) plays in this process and whether their ediscovery providers are compliant with the regulations. This article will explore how The HITECH Act and changes to HIPAA affect legal organizations and their ediscovery efforts. Business Associates and Liability for Non- Compliance The key element of the HITECH Act and regulations implementing it is the expanded obligations around management of individuals PHI by law firms and others that handle information of healthcare providers. The biggest change involves expansion of direct government oversight from previously regulated covered entities (such as health plans and healthcare providers) to now include business associates of those covered entities and their subcontractors. This means that organizations such as law firms (as well as the vendors they utilize in representing healthcare clients) are now directly subject to HIPAA as business associates and the litigation efforts (including collection of electronically stored information ( ESI ) and processing supported by ediscovery providers) are now under the purview of federal HIPAA and HITECH rules. Defining Business Associates A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Services include legal, consulting or accreditation services. A function or activity performed by a business associate includes those such as billing, benefit management or claims processing. 1 The regulations expand the universe of individuals and companies that must be treated as business associates to include all downstream contractors of a business associate that create, receive, maintain, or transmit PHI on behalf of a covered entity. 2 This means that any subcontractors or vendors working in conjunction with law firms (including forensic investigators, ediscovery providers, and managed review companies) on a matter for a covered entity must meet these same information security obligations. While ediscovery providers may be engaged directly by the covered entity and as a result are direct business associates of the covered entity in the category of providing services, they are often engaged by the law firm, and thus considered downstream business associates of the firm. These changes create far-reaching implications for law firms that represent healthcare organizations and other providers. The regulations extend liability of law firms to outside organizations such as ediscovery companies that provide critical external services for law firms, including collecting, receiving, storing, processing, and analyzing PHI on their behalf. While there are differences between the HIPAA Privacy Rule 3 and the HIPAA Security Rule, 4 it is incumbent upon law firms to understand that they must take protection of PHI into account when selecting ediscovery providers. This includes investigating security standards of providers and how they measure up to the requirements of HIPAA and HITECH regulations given the risks of exposure, alteration, or other manipulation of data that can occur during the ediscovery process. Otherwise, these firms will risk liability for these providers failure to protect PHI. Breach Notification The obligation to notify patients if there is a breach of their PHI is expanded and clarified under the rules. 5 Law firms and ediscovery providers must conduct a risk analysis 6 in the event they have suffered a breach and should put a process in place to assess and mitigate any potential breaches as quickly as possible. Required Security Protocols, Standards There are multiple layers of security protocols required under the regulations, including administrative, 7 technical 8 and physical 9 safeguards, as well as general organizational requirements. 10 Some of these specifications are required and others are addressable 11 to provide some flexibility to covered entities and business associates. Under the Final Rule implementing most of the HITECH Act, a continued on page 22 21

2 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 21 Business Associate must also comply with HIPAA s minimum necessary standard, meaning that when business associates use, disclose, or request PHI from a covered entity, they must limit PHI to the minimum necessary to accomplish the intended purpose. This creates a special set of problems for ediscovery providers, as courts impose varying expectations on what the true scope of discovery should be. There is a balancing act between this minimum necessary standard under HIPAA/HITECH and the courts desire for full, open, and reasonable disclosure of relevant data in legal matters. As there have been few, if any, instances of widespread data breaches involving ediscovery that have been made public, there is not yet a robust body of case law or government enforcement actions to illustrate how liability may be shared among healthcare organizations, law firms, and ediscovery providers. This area will likely evolve quickly as data breaches become more and more common through a combination of inadvertent errors and malicious attacks on the IT infrastructure of various organizations. Mapping Security Practices to the Electronic Discovery Reference Model 12 Understanding the EDRM and Its Role ediscovery presents a number of challenges related to securing PHI, especially when considering the evergrowing volumes of data being collected, processed, and transmitted during the litigation process. As such, it is helpful to evaluate appropriate measures that should be taken at each stage of the discovery lifecycle to ensure compliance with HIPAA and HITECH standards. EDRM as a Map for HIPAA & HITECH Issues The Electronic Discovery Reference Model ( EDRM ) is regarded as the gold standard in mapping the ediscovery process and provides a conceptual framework for the iterative steps used by law firms, ediscovery providers, and others engaged in the litigation process. Established in 2006 by a coalition of ediscovery consumers and providers, the EDRM addresses the lack of standards and guidelines in the ediscovery market. Since creating the EDRM, the EDRM group, comprised of 268 organizations, including 172 service and software providers, 68 law firms, three industry groups and 24 corporations involved with ediscovery and information governance, have developed additional standards and frameworks that guide the industry on the various stages of ediscovery. Using the EDRM as a foundation, an analysis of each stage of the EDRM will illuminate various administrative, physical, and technical controls that may impact compliance with HIPAA and HITECH standards. 1. Information Management The first stage in the EDRM is understanding and organizing ESI, thus reducing costs and mitigating risk when litigation, regulatory, or compliance matters arise. This includes understanding data across the entire data lifecycle from creation, communication and Electronic Discovery Reference Model / 2009 / v2.0 / EDRM (edrm.net) 22

3 storage to data remediation and destruction as well as recognizing what types of information constitute electronic protected health information ( ephi ). Understanding which combinations of information rise to the level of ephi will play a significant role in developing processes and standards to minimize the risk of compromising such data. Critical to HIPAA and HITECH compliance is the establishment of data classification systems that help organizations recognize PHI and attach labels (or classifications) that allow key controls to be applied to ensure the security and integrity of such data. Using a data classification system, an organization can proactively tag various types of data being ingested into its information technology architecture and apply certain rules to those tag classifications to enable differing levels of control. This means that data that is classified as PHI may be subject to different internal standards and access controls from information that is classified as Business Strategy or Financial Projections. Data classification is an emerging technology trend that is still being refined and included in data archiving solutions; it also requires advance planning and strategic discussion of which classifications are going to be incorporated, as it must be implemented at the onset of launching the classification system in order to catalog all information passing through the organization s IT infrastructure. 2. Identification The second stage of the EDRM occurs when various sources of ESI are located and the scope and breadth of potential data are established. The custodians of relevant information are identified, as well as the potentially responsive documents. While this step typically focuses on specific timeframes, custodians, and business units within a larger organization, from a HIPAA perspective it is important to recognize key data sources that may contain PHI so that law firms and ediscovery providers can understand which types of administrative, physical, and technical controls to apply in the following stages of the discovery process. 3. Preservation Preservation primarily involves protecting ESI and data sources from being accidentally altered, modified, or destroyed during the discovery process. During this stage, data that has been identified as potentially relevant during the Identification phase is placed on a litigation hold, 13 ensuring that data is not modified or accidentally destroyed. Preservation is the first stage in continued on page 24 Type Information Access Management Access Authorization Device and Media Controls Accountability Notes Preservation (a)(4)(ii)(B) ediscovery service providers utilize archiving databases and automated litigation hold technologies for the purposes of preservation and litigation hold. These platforms, which typically consist of large software systems and ESI databases, store huge volumes of data and prevent spoliation. Policies and procedures for granting access to the potential ephi stored in these databases need to exist in order for the service providers to consider themselves meeting the intent of the HIPAA access authorization standard. This authorization standard includes evaluation of which workforce personnel may be provided access to the ESI/ePHI in question and the type and extent of access authorized to information systems, as well as an overall risk analysis for each trained workforce member or business unit within the organization that has a need to access such info to accomplish a legitimate task (d)(2)(iii) ediscovery Service providers also need to maintain detailed chain of custody logs 14 to record any movement of hardware or electronic media and any person responsible for such under state and federal rules of evidence that apply to the litigation and criminal legal process. This is especially important during the archiving process because the physical media holding the potential ephi must be safeguarded and audit tracking capabilities must be enabled in case of a physical security breach. Access Control Emergency Access Procedure (a)(2)(ii) HIPAA standards require the availability of archived, preserved data. 15 HIPAA requires logs, authorizations, and requests for restrictions, access, copies, etc. to be retained for a minimum of six years, although in some cases the HITECH Act has limited certain archival retention to three years. 16 This includes the ability to access the data during an emergency situation. It is important for organizations to develop emergency access procedures, along with the appropriate compensating access controls, so that data remain protected even during emergency situations. 23

4 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 23 the EDRM where organizations, law firms, and ediscovery providers are actually handling data, and thus where specific steps to ensure HIPAA compliance must be enforced. The overall goal of preservation is to provide a defensible process to avoid spoliation of data, but the EDRM does not provide any specific direction on how to protect PHI from being inadvertently exposed. Organizations should consider the following safeguards during the Preservation process to ensure compliance with HIPAA and HITECH regulations. 4. Collection The next phase of the discovery lifecycle is capturing the identified ESI that will be examined and culled down during the ediscovery process. Collection operates hand-in-hand with Preservation, and depending on where data resides in an organization these steps may take place in succession or simultaneously. Whether data is collected in the form of physical documents, extracted from electronic databases, or downloaded from cloudbased platforms, collection is a critical step in the discovery process and security is impacted in numerous aspects of data collection. Organizations should consider the following safeguards during the Collection process to ensure compliance with HIPAA and HITECH regulations. 5. Processing Once relevant sources of ESI have been preserved and collected, the next stage in the discovery process involves filtering large volumes of data down to a more manageable subset so it can be more closely examined for relevance and responsiveness. This phase of ediscovery may also involve converting data from one form or format into a more standardized format to facilitate review and analysis. This phase often involves the extraction of text and metadata from native files, as well as tools that de-duplicate redundant files or remove extraneous non-relevant system files. Modern processing tools can also employ advanced analytic tools to further reduce the data set prior to attorney review to save time and money. Key security considerations around processing stem from the use of software tools or even cloud-based platforms that support the culling of data to more manageable subsets. Organizations should consider the following safeguards during the Processing stage to ensure compliance with HIPAA and HITECH regulations. Type Workforce Security Authorization/ Supervision and Workforce Clearance (a)(3)(ii)(A) & (a)(3)(ii)(B) Notes Collection Collection must be performed by a qualified and competent person, whether completed on site or remotely. Key considerations include a documented process for hiring competent individuals by carefully examining prior experience and technical competency. On-boarding procedures should include processes to vet potential hires for criminal history and the signing of protective contracts such as non-disclosure agreements. Additionally, organizations need to have procedures regarding who has the authority to grant permission to perform collections. Device and Media Controls Media Disposal and Media Re-Use (d)(2)(i) & (d)(2)(ii) Service providers that perform collections need to have processes and procedures in place for the receipt, logging, and handling of electronic media that may contain ephi. This should include complete chain of custody documentation and documentation of physical safeguards in place for management of the media when it is in the service provider s possession. Transmission Security Encryption (e)(2)(ii) All data should be protected via encryption 17 in transit to and from the collection site. This safeguard should be in place whether potential PHI is transferred on portable media, traditional hardware, or over the Internet and has been considered a best practice across the IT, legal, and financial industries for more than a decade. In each case, proper encryption controls need to be in place to guard against unauthorized access while in transit. 24

5 Type Business Associate Contracts and Other Arrangements Notes Processing (b)(1) ediscovery service providers typically use complex software to handle ESI processing. Since the vendors who create these platforms often support them by remotely accessing the active database to help resolve technical issues, they are now potentially accessing PHI on behalf of the service provider. These software vendors who provide and license the platforms installed at and operated by ediscovery providers are now considered business associates as well and, as such, a business associate agreement needs to be in place. The growth of cloudbased processing software has added a layer of complexity to the ediscovery process, although in most cases the software licensing agreement between software vendor and ediscovery provider will be subsumed within the law firm s business associate agreement with the ediscovery provider. Facility Access Controls Facility Security Plan and Access Control Procedures (a)(2)(ii) & (a)(2)(iii) ediscovery providers need to have appropriate policies and procedures in place to safeguard the facility and equipment processing potential PHI. This includes access controls as well as validation procedures for anyone accessing equipment that maintains, transmits, stores, or processes PHI. Examples of these controls may include biometric access controls, proximity card-based access controls, or cameras. Transmission Security Integrity Controls (e)(2)(i) Processing data requires that vendors have auditing procedures in place to ensure the integrity of data. Thousands of files are modified as a result of the manipulation that occurs during processing. Service providers should maintain appropriate data integrity controls to confirm that PHI is not improperly modified without detection during processing. 6. Review During the review phase, attorneys will evaluate the reduced pool of ESI for relevance and privilege. This typically includes attaching legal issue tags to documents or groups of documents for use in developing strategies during settlement negotiations or trial. Modern review is most often conducted using cloud-based review platforms that are accessed remotely by teams of external contract attorneys. Given the combination of offsite, proprietary, web-based review platforms and the frequent utilization of thirdparty reviewers, organizations should consider the following safeguards during the Review process to ensure compliance with HIPAA and HITECH regulations. 7. Production Production involves delivering the final reviewed dataset to either opposing counsel or the court based on agreed-upon specifications. This production may take different forms (from native files to image files such as TIFF 18 to specific load file formats), as the recipient s document review platform may not mirror the platform used by the producing party. Key security considerations here include similar precautions as during the preservation and collection process, because all data needs to be protected in transit. Transfer may take place over the Internet or by FTP or may be burned onto physical media such as DVD/CD and delivered by overnight mail or courier service. In any case, proper encryption controls need to be in place to guard against unauthorized access while in transit via or on physical media, and chain of custody documentation must be completed. 8. Presentation Presentation involves using the processed and reviewed data at depositions, hearings, or trials as part of the litigation process to uncover further information to be evaluated, prove or disprove elements of a matter, or to persuade an audience. To the extent possible under the rules of court or other venue, care should be taken to minimize exposure of ephi unless necessary in the arguments of the case. If details are being presented in law offices, arbitrator s facilities, or the courtroom, reasonable measures should be implemented to ensure that ephi is not discussed in front of unauthorized personnel and that any ephi physically present should be removed from the premises at the conclusion of such presentation activities. Comparing/Contrasting HIPAA & ISO Standards For Data Security In addition to HIPAA, a number of other protocols and standards exist for protecting data of various types. One such protocol is ISO 27001, continued on page 26 25

6 2013 HIPAA/HITECH Amendments: How the Changes Impact ediscovery continued from page 25 Type Security Management Process Activity Review (a)(1)(ii)(D) Notes Review Review typically takes place on third-party software platforms that are accessible via the Internet. These software platforms log user authentication, data modification, and other actions that occur during the software s use. Service providers are bound by HIPAA to implement procedures to regularly review these records for discrepancies or security concerns. Facility Access Controls Contingency Operations (a)(2)(i) Service providers need to have physical security measures in place to ensure that unauthorized individuals do not have access to the review platform or the underlying database being reviewed. Additionally, in the event of emergency, providers should have contingency plans and alternate access procedures. This includes allowing facility access in support of restoration of lost data under a disaster recovery plan or implementing emergency operations plan. Access Control Unique User Identification (a)(2)(i) All reviewers should be identified in audit logs and each reviewer should be provided a unique username and password combination. Additionally, ediscovery providers who host review software should consider implementing an automatic log out mechanism after a set period of inactivity. These two processes assure accountability in the event of a security incident. Additional steps may include the use of tokens or rotating access codes that require an additional layer of authentication for reviewers to access the database. which is the international standard describing best practice for an Information Security Management System. Developed by the International Organization for Standardization ( ISO ) in October 2005 and updated in September 2013, the objective of the ISO standard itself is to provide requirements for establishing, implementing, maintaining and continuously improving an Information Security Management System. 19 ISO is not a single rigid standard; rather it is a continuous quality control process that requires an organization to develop comprehensive written policies and procedures addressing all aspects of information security within the organization. There are several key differences between HIPAA-compliant security standards and ISO-issued certifications for data security, the primary element being that HIPAA focuses exclusively on healthcare related information while ISO is focused on data as a whole and varies from organization to organization in how the practical elements of policy are defined and implemented. ISO 27001, while not required, provides additional assurances to law firms and corporations that the data they are entrusting to their ediscovery provider is secure. Questions to Ask ediscovery Providers In order to assist attorneys in managing their newly expanded liability under HIPAA and HITECH, below is a list of questions to ask ediscovery providers to ensure they are in compliance and minimize potential risk for the attorney representing the healthcare organization. These questions should be viewed as a general roadmap that will require balancing risk and cost. There are no clear cut answers that meet a defined minimum threshold to eliminate liability, so each attorney should consider his/her level of risk aversion and evaluate answers to the questions below through that prism. What experience do you have working with and representing healthcare organizations? Can you provide formal documentation on physical security parameters of your data processing facility? Do you have formal policies for data security and management? What certifications do you have pertaining to data security? Have you undertaken any specific efforts to comply with the regulations implementing HIPAA and the HITECH Act? Have you hired a third party to evaluate your data security and/or compliance with applicable regulations, including HIPAA and the HITECH Act? Is your processing center ISO certified? How often are your security policies reviewed and updated? 26

7 Have you had any security breaches or incidents involving potential exposure of PHI in the last three years? If so, please list them. Do you have a data security team or data security officer on site at your facility? How many people within your organization are specifically tasked with managing and maintaining the security and integrity of client data? What levels of security are enacted for physical access to your data processing facility? Key Card? Man Trap? Biometric Access? Video Surveillance? Will work be completed entirely onsite, will data be transmitted physically or electronically to a processing/hosting facility, or will all collections be performed remotely? Is data going to be hosted in a specific physical environment or on a cloud-based server? What contract provisions related to data privacy and specifically PHI are included in contracts, especially those related to indemnification, liability limitations, and insurance requirements? Conclusion The regulations implementing HIPAA and the HITECH Act have created a brave new world for business entities that work with, represent, or handle PHI on behalf of healthcare organizations. For law firms representing healthcare providers and healthcare organizations, this creates a substantial administrative burden as well as a newly-realized liability for the actions (or omissions) of contractors such as ediscovery providers who assist firms with handling PHI as part of legal matters. In order to minimize risk, attorneys should be aware of the liability potential and carefully screen ediscovery providers and other contractors to ensure that anyone working as an agent of the attorney and law firm is fully compliant with the regulations under HIPAA and the HITECH Act. Brian Brown, vice president of technology and security for RenewData, an LDiscovery Company, is an innovator and industry leader with more than fifteen years of experience architecting solutions for technology companies. He currently leads strategic technological roadmap efforts for the company, leveraging his experience handling massive data volumes (30PB+), as well as his background with enterpriselevel software development, information architecture, and data center and security convergence. Additionally, Brown uses his expertise in computer forensics, ediscovery, and information security to assist clients in cases requiring the extensive review of relevant case data by a fully trained and certified investigator. Brown is also responsible for the design, construction, and management of RenewData s 43,000 square-foot, secure, state-of-the-art facility. He may be reached at Danny Tijerina is a Certified Information Systems Auditor, Certified Information Systems Security Professional, and licensed private investigator in the state of Texas. He has over five years experience in information security operations, security research, and compliance with laws and standards like HIPAA, PCI-DSS, and ISO Tijerina s responsibilities at RenewData, an LDiscovery Company, have included overseeing and enhancing the company s Information Security Management System and maintaining its ISO certification. He may be reached at Endnotes 1 Health Information Privacy, HHS.gov, accessed January 20, privacy/hipaa/understanding/coveredentities. 2 Reece Hirsch, A Little Privacy, Please, Corporate Counsel, May 2013, Summary of the HIPAA Privacy Rule, HHS. gov, accessed January 20, ocr/privacy/hipaa/understanding/summary/ index.html. 4 Summary of the HIPAA Security Rule, HHS. gov, accessed January 20, ocr/privacy/hipaa/understanding/srsummary. html C.F.R The Final Rule implementing most of the HITECH Act, also known as the omnibus rule, is at 78 Fed. Reg (Jan. 25, 2013) C.F.R C.F.R C.F.R C.F.R C.F.R What is the difference between addressable and required implementation specifications in the Security Rule?, accessed January 20, rule/2020.html. 12 Electronic Discovery Reference Model, accessed January 20, Zubulake v. UBS Warburg ( Zubulake IV ), 220 F.R.D. at 217 (S.D.N.Y. Oct. 22, 2003). Once a party reasonably anticipates litigation, it must suspend its routine document retention/destruction policy and put in place a litigation hold to ensure the preservation of relevant documents. 14 Chain of Custody, accessed January 20, chain-of-custody. 15 HIPAA Final Omnibus Rule 2013, accessed January 20, FR /pdf/ pdf C.F.R Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals, accessed January 20, privacy/hipaa/administrative/breachnotification rule/brguidance.html. 18 TIFF is a file format that is commonly used in ediscovery. Typically, other file types are converted to TIFFs because they are easy to redact and searchable across the collection of TIFFs. 19 International Organization for Standardization, accessed January 20, iso/home/standards/management-standards/iso htm. 27

VMware vcloud Air HIPAA Matrix

VMware vcloud Air HIPAA Matrix goes to great lengths to ensure the security and availability of vcloud Air services. In this effort VMware has completed an independent third party examination of vcloud Air against applicable regulatory

More information

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually

More information

HIPAA Security Checklist

HIPAA Security Checklist HIPAA Security Checklist The following checklist summarizes HIPAA Security Rule requirements that should be implemented by covered entities and business associates. The citations are to 45 CFR 164.300

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. ediscovery for DUMMIES LAWYERS. MDLA TTS August 23, 2013

Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. Xact Data Discovery. ediscovery for DUMMIES LAWYERS. MDLA TTS August 23, 2013 MDLA TTS August 23, 2013 ediscovery for DUMMIES LAWYERS Kate Burke Mortensen, Esq. kburke@xactdatadiscovery.com Scott Polus, Director of Forensic Services spolus@xactdatadiscovery.com 1 Where Do I Start??

More information

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich HIPAA Audit Processes Erik Hafkey Rainer Waedlich 1 Policies for all HIPAA relevant Requirements and Regulations Checklist for an internal Audit Process Documentation of the compliance as Preparation for

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1

HIPAA COMPLIANCE AND DATA PROTECTION. sales@eaglenetworks.it +39 030 201.08.25 Page 1 HIPAA COMPLIANCE AND DATA PROTECTION sales@eaglenetworks.it +39 030 201.08.25 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and EagleHeaps

More information

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES CONTENTS Introduction 3 Brief Overview of HIPPA Final Omnibus Rule 3 Changes to the Definition of Business Associate

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA

OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ("BA AGREEMENT") supplements and is made a part of any and all agreements entered into by and between The Regents of the University

More information

Healthcare Management Service Organization Accreditation Program (MSOAP)

Healthcare Management Service Organization Accreditation Program (MSOAP) ELECTRONIC HEALTHCARE NETWORK ACCREDITATION COMMISSION (EHNAC) Healthcare Management Service Organization Accreditation Program (MSOAP) For The HEALTHCARE INDUSTRY Version 1.0 Released: January 2011 Lee

More information

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...

More information

HIPAA COMPLIANCE AND

HIPAA COMPLIANCE AND INTRONIS CLOUD BACKUP & RECOVERY HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction 3 The HIPAA Security Rule 4 The HIPAA Omnibus Rule 6 HIPAA Compliance and Intronis Cloud Backup and Recovery

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

ITS HIPAA Security Compliance Recommendations

ITS HIPAA Security Compliance Recommendations ITS HIPAA Security Compliance Recommendations October 24, 2005 Updated May 31, 2010 http://its.uncg.edu/hipaa/security/ Table of Contents Introduction...1 Purpose of this Document...1 Important Terms...1

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

HIPAA Security Alert

HIPAA Security Alert Shipman & Goodwin LLP HIPAA Security Alert July 2008 EXECUTIVE GUIDANCE HIPAA SECURITY COMPLIANCE How would your organization s senior management respond to CMS or OIG inquiries about health information

More information

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions

Medical Privacy Version 2015.12.10 - Standard. Business Associate Agreement. 1. Definitions Medical Privacy Version 2015.12.10 - Standard Business Associate Agreement This Business Associate Agreement (the Agreement ) shall apply to the extent that the Lux Scientiae HIPAA Customer signee is a

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Healthcare Compliance Solutions Let Protected Trust be your Safe Harbor In the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH), the U.S. Department of Health and Human

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook Introduction Per UCSC's HIPAA Security Rule Compliance Policy 1, all UCSC entities subject to the HIPAA Security Rule ( HIPAA entities ) must implement the UCSC Practices for HIPAA Security Rule Compliance

More information

University Healthcare Physicians Compliance and Privacy Policy

University Healthcare Physicians Compliance and Privacy Policy Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of

More information

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010

City of Pittsburgh Operating Policies. Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

Healthcare Compliance Solutions

Healthcare Compliance Solutions Privacy Compliance Healthcare Compliance Solutions Trust and privacy are essential for building meaningful human relationships. Let Protected Trust be your Safe Harbor The U.S. Department of Health and

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE Infinedi HIPAA Business Associate Agreement This Business Associate Agreement ( Agreement ) is entered into this day of, 20 between ( Company ) and Infinedi, LLC, a Limited Liability Corporation, ( Contractor

More information

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010

New HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010 New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy

CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE

More information

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is made and entered into to be effective as of, 20 (the Effective Date ), by and between ( Covered Entity ) and

More information

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security

More information

HIPAA Security and HITECH Compliance Checklist

HIPAA Security and HITECH Compliance Checklist HIPAA Security and HITECH Compliance Checklist A Compliance Self-Assessment Tool HIPAA SECURITY AND HITECH CHECKLIST The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires physicians

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

Health Partners HIPAA Business Associate Agreement

Health Partners HIPAA Business Associate Agreement Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA Compliance: Are you prepared for the new regulatory changes? HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee

Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies. Privacy Committee Web 2.0/Cloud Computing Subcommittee Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies Privacy Committee Web 2.0/Cloud Computing Subcommittee August 2010 Introduction Good privacy practices are a key

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Reduce Cost and Risk during Discovery E-DISCOVERY GLOSSARY

Reduce Cost and Risk during Discovery E-DISCOVERY GLOSSARY 2016 CLM Annual Conference April 6-8, 2016 Orlando, FL Reduce Cost and Risk during Discovery E-DISCOVERY GLOSSARY Understanding e-discovery definitions and concepts is critical to working with vendors,

More information

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009

HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:

More information

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013 The City of Philadelphia is a Covered Entity as defined in the regulations

More information

This form may not be modified without prior approval from the Department of Justice.

This form may not be modified without prior approval from the Department of Justice. This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate

More information

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE

BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE BUSINESS ASSOCIATE AGREEMENT BETWEEN LEWIS & CLARK COLLEGE AND ALLEGIANCE BENEFIT PLAN MANAGEMENT, INC. I. PREAMBLE Lewis & Clark College and Allegiance Benefit Plan Management, Inc., (jointly the Parties

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. assistance with implementation of the. security standards. This series aims to HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, LLC. (hereinafter known as Business Associate ), and

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This Agreement is entered into as of ("Effective Date"), between ( Covered Entity ), and ( Business Associate ). RECITALS WHEREAS, Business Associate provides services on behalf

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions

Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What

More information

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services Introduction Patient privacy continues to be a chief topic of concern as technology continues to evolve. Now that the majority

More information

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.

BUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean. BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity

More information

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND

HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN. Stewart C. Miller & Co., Inc. (Business Associate) AND HIPAA PRIVACY AND SECURITY RULES BUSINESS ASSOCIATE AGREEMENT BETWEEN Stewart C. Miller & Co., Inc. (Business Associate) AND City of West Lafayette Flexible Spending Plan (Covered Entity) TABLE OF CONTENTS

More information

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?

HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

BUSINESS ASSOCIATE AGREEMENT. Recitals

BUSINESS ASSOCIATE AGREEMENT. Recitals BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and

More information

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box 80278 Portland, OR 97280 503-384-2538 877-376-1981 503-384-2539 Fax Please Read This business associate audit questionnaire is part of Apgar & Associates, LLC s healthcare compliance resources, Copyright 2014. This questionnaire should be viewed as a tool to aid in evaluating

More information

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in

This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,

More information

Business Associate and Data Use Agreement

Business Associate and Data Use Agreement Business Associate and Data Use Agreement This Business Associate and Data Use Agreement (the Agreement ) is entered into by and between ( Covered Entity ) and HealtHIE Nevada ( Business Associate ). W

More information

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37.

Zip It! Feds, State Strengthen Privacy Protection. Practice Management Feature July 2012. Tex Med. 2012;108(7):33-37. Zip It! Feds, State Strengthen Privacy Protection Practice Management Feature July 2012 Tex Med. 2012;108(7):33-37. By Crystal Conde Associate Editor When it comes to enforcing HIPAA data security and

More information

FirstCarolinaCare Insurance Company Business Associate Agreement

FirstCarolinaCare Insurance Company Business Associate Agreement FirstCarolinaCare Insurance Company Business Associate Agreement THIS BUSINESS ASSOCIATE AGREEMENT ("Agreement"), is made and entered into as of, 20 (the "Effective Date") between FirstCarolinaCare Insurance

More information

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI

HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper Regulatory Compliance Solutions for Microsoft Windows IT Security Controls Supporting DHS HIPAA Final Security Rules Health Insurance Portability and Accountability Act Enterprise Compliance Auditing &

More information

Business Associate Agreement Involving the Access to Protected Health Information

Business Associate Agreement Involving the Access to Protected Health Information School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered

More information

plantemoran.com What School Personnel Administrators Need to know

plantemoran.com What School Personnel Administrators Need to know plantemoran.com Data Security and Privacy What School Personnel Administrators Need to know Tomorrow s Headline Let s hope not District posts confidential data online (Tech News, May 18, 2007) In one of

More information

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients

HIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

New HIPAA regulations require action. Are you in compliance?

New HIPAA regulations require action. Are you in compliance? New HIPAA regulations require action. Are you in compliance? Mary Harrison, JD Tami Simon, JD May 22, 2013 Discussion topics Introduction Remembering the HIPAA Basics HIPAA Privacy Rules HIPAA Security

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE INTRODUCTION The healthcare industry is driven by many specialized documents. Each day, volumes of critical information are sent to and from

More information

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services

Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services Ensuring HIPAA Compliance with AcclaimVault Online Backup and Archiving Services 1 Contents 3 Introduction 5 The HIPAA Security Rule 7 HIPAA Compliance & AcclaimVault Backup 8 AcclaimVault Security and

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (Hereinafter "Agreement") dated as of, 2013, is made by and between (Hereinafter Covered Entity ) and (Hereinafter Business Associate ). ARTICLE

More information

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions

Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ), entered into and effective this day of,, is by and between ( Business Associate ) and Black, Gould & Associates, Inc.

More information

Creating Stable Security & Compliance Relationships

Creating Stable Security & Compliance Relationships Creating Stable Security & Compliance Relationships David Holtzman JD, CIPP/G VP, Compliance CynergisTek, Inc. James Wieland JD Principal Ober Kaler Welcome The slides for today s webinar are available

More information