HIPAA Compliance and Reporting Requirements
Healthcare IT Assurance: Peace of Mind Through Privacy and Security Risk Management

By Dan Schroeder, CPA, MBA, CISA, CIA, PCI QSA, CISM, CIPP/US
BRIEF CONTENTS

HCIT Improves the Process
- Healthcare Data Breaches are Common

Enter HIPAA
- HITECH and Omnibus Rule make BAs responsible for HIPAA
- Rise of the BA and Pervasive Security Threats
- What does Assurance Mean for BAs

Creating Peace of Mind
- SOC 2 for Privacy = Peace of Mind for BAs and CEs

Summary
- SOC 2 as a Better Reporting Option for BAs
- About Dan Schroeder, Partner, HA&W

Appendix A: SOC Reporting Framework
HCIT IMPROVES THE PROCESS

Business Associates are fundamental to the modern healthcare ecosystem, and data breaches are common.

Driven by rising costs, increasingly complex regulations, and the ubiquity of cloud-based solutions, the adoption of healthcare information technology is vastly improving the quality and efficiency of the healthcare process. But with progress comes pitfalls. Today, almost every healthcare provider depends on third parties to manage or store gigabytes and sometimes terabytes of information about their patients, and much of it is protected health information (PHI). This increasing interdependence of organizations means that the need for assurance regarding those third parties' internal controls is greater than ever.

Unfortunately, innovation is outpacing security, and threats to personal information abound. Javelin Strategy & Research estimates that 11.6 million American adults were victims of identity fraud in 2011, an increase of 13 percent, or 1.4 million adults, over the prior year.[1] Increasingly, third-party technology companies are coming into the crosshairs as a source of information security vulnerability. In a recent study by the Ponemon Institute, 42 percent of survey respondents point to third-party mistakes as the cause of a data breach.[2] According to another recent study, breaches at business associates have historically impacted five times as many patients as those at a covered entity.[3]

Sidebar: By the Numbers (the figures themselves did not survive transcription)
- Number of breaches of PHI since August 2009
- Patient health records affected
- Percentage of healthcare organizations that had at least one data breach
- Percentage of all patient records breached involving a BA
- Average economic impact of a breach
- Average number of lost/stolen records per breach
Sources: Ponemon Institute, Redspin, Javelin Strategy & Research

Notes
[1] Javelin Strategy & Research (February 2012). 2012 Identity Fraud Report.
[2] Ponemon Institute and ID Experts (December 2012). Third Annual Benchmark Study on Patient Privacy & Data Security.
[3] Redspin (February 2013). Redspin's 2012 PHI Breach Analysis.
ENTER HIPAA

Compliance with the Health Insurance Portability and Accountability Act (HIPAA) continues to require significant resources. This law was designed to improve the efficiency and effectiveness of the nation's healthcare system by encouraging the widespread adoption of electronic records, while also protecting the privacy and security of those records. But not until the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act did HIPAA have teeth.

Enacted as part of the American Recovery and Reinvestment Act of 2009, the HITECH Act significantly increases the penalty amounts for violations of HIPAA rules and encourages prompt corrective action.[4] The act increases the maximum penalty amounts from $100 per violation to $50,000 per violation, and from a total of $25,000 to $1.5 million for all violations of an identical provision. In addition, a CE can no longer escape fines for an unknown violation unless the entity corrects the violation within 30 days of discovery. (In other words, ignorance is no excuse.) HITECH also imposes new notification requirements on CEs and their BAs in the event of a breach of PHI.

In addition, HITECH extends the HIPAA Privacy and Security Rules to HIPAA BAs and makes the HIPAA criminal and civil penalties applicable to these third parties. HITECH also deems BAs in violation of HIPAA if they see a pattern of activity that breaches their business associate agreement (BAA) and do not either correct it, terminate their agreement, or notify the Department of Health and Human Services.[5]

In January of 2013, the HIPAA Omnibus Rule was passed, and it becomes effective in March. It combines HIPAA, HITECH, and the Genetic Information Nondiscrimination Act of 2008 (GINA), and has strengthened requirements even further. The "harm" standard for breach notification has been dissolved, and now all unauthorized access to PHI is considered a breach, with the exception of specific cases. The HIPAA Omnibus Rule also adopts changes to the Enforcement Rule and strengthens patient rights and requirements for privacy notices. One of the most notable changes the HIPAA Omnibus Rule makes, however, is the enforcement of HIPAA requirements and penalties on BAs. Organizations are now considered a BA if the organization "creates, receives, maintains, or transmits any PHI on behalf of the CE or BA." Note: This now includes organizations such as data centers and backup media storage companies.

Demonstrating compliance with the complex provisions of the HIPAA Omnibus Rule can be overwhelming, and with HIPAA enforcement heating up, CEs are placing an increasing amount of pressure on their BAs to do just that. Approximately 120 audits of CEs were conducted in 2012, and it is expected that the Office for Civil Rights (OCR) will expand its audit program to encompass BAs.[6]

What's a BA to Do?

Clearly, BAs have much at stake when it comes to protecting PHI. Not only do they face severe civil and criminal penalties, but also the very survival of the company. As one CEO of an Atlanta-based BA said: "If we don't make sure we have the right controls in place, we're dead in the water."

So, CEs and BAs need assurance of effective controls to manage their privacy and security risks. But what is assurance? At its most basic level: Assurance is peace of mind.

Notes
[4] U.S. Department of Health & Human Services (October 2009). News Release: HHS Strengthens HIPAA Enforcement.
[5] American Bar Association, ABA Health eSource (June 2009). HITECH Implications for Business Associate Agreements: What Should You Do and When Should You Do It?
[6] U.S. Department of Health & Human Services. HIPAA Privacy & Security Audit Program.
In the context of the BA/CE relationship, that peace of mind is built on evidence that the BA is doing the right things to comply with the HIPAA Privacy and Security Rules and the HITECH Act, to meet its CEs' risk management needs, and to protect its own integrity and reputation.

Notice that there is no mention in that definition of any kind of report. Too many organizations fixate on the report as a way to satisfy an item on a checklist. This checkmark mentality caused organizations to latch onto the SAS 70 report as a universal panacea. But in most cases, SAS 70 (now known as SSAE 16) was used to address risks that are outside of its intended realm of internal controls over financial reporting. It was not designed to address operational or compliance-related controls, and organizations that use it in that capacity are only creating a false sense of assurance.

To obtain strong assurance of internal controls and satisfy their governance responsibilities, BAs and CEs must first establish a clear understanding of the services to be provided, how those services are delivered, by whom they are delivered, and other key characteristics of the information system. Without this clear understanding, there can be no context within which to determine the most suitable criteria upon which to establish control objectives and mitigating controls. (For more on service organization governance, see Habif, Arogeti & Wynne's white paper, "What's Next After SAS 70? What User Entities Need to Know About Managing Outsourcing and Cloud Risks.")

This lack of focus on suitability of criteria has led BAs to incomplete solutions, which encompass only part of their governance needs. For example, the HITRUST Common Security Framework, a certification awarded by the Health Information Trust Alliance, assesses information security controls, but not those related to privacy.[7] This concept of suitability of criteria has been a missing piece of the discussion around HIPAA compliance. However, it is the foundation of a new assurance reporting option that provides the privacy and security coverage needed by organizations that handle PHI.

SOC 2 + GAPP = Peace of Mind

The American Institute of Certified Public Accountants (AICPA), the standard-setting body for the accounting profession, introduced in 2010 a service organization control (SOC) reporting structure to help users of outsourced IT services manage their risks (see Appendix A). One of these options, SOC 2 reporting on the Privacy Principle, provides a solid framework for addressing the privacy and security risks posed by BAs, for the following reasons:
- It can be used to demonstrate compliance with HIPAA privacy and security laws, and with business associate agreements.
- It provides transparency into BAs' internal controls, which CEs need to satisfy their governance requirements.
- It is backed by an independent attestation.

Notes
[7] HITRUSTalliance.net. HITRUST CSF Assurance Program.
SOC 2 was designed specifically to provide a high level of transparency into controls around privacy, confidentiality, security, availability and/or processing integrity, collectively known as the Trust Services Principles. Each principle encompasses existing regulatory requirements and recognized control frameworks. Of particular importance to BAs, the Trust Services Privacy principle maps closely to both the HIPAA Privacy and Security Rules. This principle states that "personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity's privacy notice and with criteria set forth in generally accepted privacy principles (GAPP)."

Working with other international bodies, AICPA developed the GAPP framework by analyzing internationally known fair information practices included in many privacy laws and regulations, including HIPAA. Its underlying focus on security (see the GAPP sidebar, principle #8), which is foundational to any discussion of privacy controls, makes it a comprehensive, scalable framework for managing both security- and privacy-related compliance. Of course, there are circumstances when an organization may need to comply with additional state and foreign regulations that don't map to GAPP criteria. In such cases, SOC 2 allows the organization to incorporate additional criteria.

A SOC 2 examination report includes three required sections: a system description, a management assertion, and an independent auditor's opinion.

1. System Description

This detailed description of the BA's information system is the basis upon which management provides an assertion and the independent auditor expresses an opinion. It follows robust AICPA guidelines aimed at providing transparency for the CE. Because of the rigor and detail of the report, the entity can rely on it in lieu of performing other procedures that would otherwise be required to understand how effectively the BA is managing the risks it poses to the CE.

Some of the key components of a BA's SOC 2 system description that addresses the Privacy principle include:
- The types of services provided.
- A detailed description of the infrastructure, software, people, procedures and data used to provide those services.
- A statement of privacy and security practices.
- A description of any subservice organizations and their role in handling/processing personal information, and the controls deployed at the subservice organization.
- For each privacy principle criterion, a description of the control(s) designed to meet that criterion.
- A statement regarding how the privacy notice is communicated to individuals, that the CEs are responsible for communicating such notice to individuals, and that the BA is responsible for communicating its privacy practices to the CEs in its statement of privacy practices.
2. Management Assertion

Under SOC 2 reporting standards, management must make a written assertion that states, to the best of management's knowledge and belief, that:
- Management's description fairly presents the organization's system.
- The controls stated in management's description were suitably designed to meet the applicable trust services criteria (i.e., GAPP).
- The controls operated effectively throughout the specified period to meet the applicable trust services criteria (for Type II reports).
- The organization complied with the commitments in its statement of privacy practices throughout the specified period.

The system description and management assertion provide the basis upon which the service auditor conducts tests and issues an opinion.

Sidebar: AICPA Generally Accepted Privacy Principles
1. Management. The entity defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
2. Notice. The entity provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed.
3. Choice and Consent. The entity describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
4. Collection. The entity collects personal information only for the purposes identified in the notice.
5. Use and Retention. The entity limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. The entity retains personal information for only as long as necessary to fulfill the stated purposes.
6. Access. The entity provides individuals with access to their personal information for review and update.
7. Disclosure to Third Parties. The entity discloses personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
8. Security for Privacy. The entity protects personal information against unauthorized access (both physical and logical).
9. Quality. The entity maintains accurate, complete, and relevant personal information for the purposes identified in the notice.
10. Monitoring and Enforcement. The entity monitors compliance with its privacy policies and procedures and has procedures to address privacy-related complaints and disputes.
3. Independent Auditor's Opinion

Unlike other assurance reporting options, a SOC assurance report is backed by an independent auditor's opinion. The auditor follows professional standards in expressing an opinion on whether:
- The system is fairly presented
- Controls were suitably designed
- Controls operated effectively
- The organization complied with the commitments of its statement of privacy practices

The CPA's professional liability is another reason that a SOC 2 report provides a higher degree of assurance than other types of reports that award a certification. The underlying intent of a certification is to imply safety. In other words, the certifying body has done all the legwork to provide assurance that the organization is doing the right things to protect the customer's information, and that customer can rely on that certification instead of performing his or her own tests. But what if that assurance report is wrong? Who is liable? Without professional liability, there is no transfer of risk; and without transfer of risk, there cannot be true assurance. When a CPA expresses an opinion, his or her reputation and assets are on the line. No other report provides this level of assurance.

The CPA's independence is another important differentiator. A service auditor's engagement measures controls against suitable criteria; in the case of SOC 2 for the Privacy Principle, those criteria are GAPP. Not only is GAPP based on internationally known fair information practices that are included in many privacy laws and regulations of jurisdictions around the world, but those criteria are also publicly available for scrutiny and comment.[8] Compare this level of rigor to a for-profit organization that writes a criterion program, performs the testing and awards the certification. What level of assurance does such a program provide?

Sidebar: When seeking a professional to conduct an audit of privacy and security-related controls, BAs should ask the following questions:
- What is your firm's experience performing IT assurance engagements for healthcare entities?
- What is your experience with SOC standards?
- What are the professional standards to which you are held?
- What is your expertise with privacy-related standards? Do you hold any privacy designations, such as Certified Information Privacy Professional?
- What is your expertise with security-related standards? Do you hold any security designations, such as Certified Information Security Manager or Certified Information Systems Security Professional?

Notes
[8] AICPA.org (January 2010). Generally Accepted Privacy Principles.
A Better Assurance Reporting Option

Organizations that are responsible for managing the PHI of healthcare entities cannot afford to take any chances. They need a high level of assurance that their internal controls meet the strict requirements of HIPAA, HITECH and state privacy and security laws. A SOC 2 report based on GAPP criteria is a better assurance reporting option because it:
- Enables BAs to efficiently respond to customer requests for evidence of privacy and security measures;
- Is based on a set of internationally accepted criteria that demonstrate compliance with the HIPAA Privacy and Security Rules;
- Is a scalable solution that enables compliance with specific state and foreign regulations; and
- Is backed by professional attestation standards, vetted testing methodology and an independent auditor's opinion.

In short, SOC 2 provides the peace of mind BAs need that they are meeting their own governance needs and the governance needs of their CEs.

About the Author

Dan Schroeder, HA&W's partner-in-charge of IT Assurance & Risk Management Services, is immediate past chairperson of the AICPA Information Technology Executive Committee and serves on the AICPA Peer Review Task Force for SOC Reporting. He has earned numerous IT designations, including Certified Information Systems Auditor, Certified Internal Auditor and Certified Information Security Manager. He also regularly leads training at national AICPA conferences on the subjects of SOC reporting for SSAE 16 and SAS 70, and other aspects of IT auditing and risk management.

All-Around Peace of Mind

With deep experience in accounting, risk management and technology controls, Habif, Arogeti & Wynne LLP delivers cost-effective, pragmatic solutions to address the risk management and assurance reporting needs of HIPAA covered entities and their business associates. For a detailed case study of how HA&W helped a healthcare IT company address its need for transparency into privacy and security controls, see Appendix A. To learn more about how HA&W can help ensure that your controls protect your business interests and that you are fulfilling your governance responsibilities, call Dan today.
Appendix A: AICPA Service Organization Control Reporting Framework

The American Institute of Certified Public Accountants (AICPA) released a new Service Organization Control (SOC) reporting structure in 2010 in an effort to help service organizations and their users manage the risks of IT outsourcing, and to eliminate the confusion that has sprung up around SAS 70. This structure provides three options, known as SOC 1, SOC 2 and SOC 3, for reporting on service organization controls. Below we describe the types of reports that address each of the categories of risk. Note that there may be situations when a service poses multiple types of risk to the organization, creating the need for more than one of these reporting options.

Financial Risks

If the service being provided could affect the reliability of financial reporting, then the appropriate reporting option is SOC 1: Report on Controls Relevant to User Entities' Financial Reporting. SOC 1 satisfies what is now known as Statement on Standards for Attestation Engagements (SSAE) 16, which replaced SAS 70 for all reporting periods ending June 15, 2011 or later. As with SAS 70, there are two types of SOC 1 reports:
- Type 1: A report on management's description of the service organization's system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date.
- Type 2: A report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a period of time.

Services relevant for SOC 1 reporting purposes typically produce output that is used for or directly affects journal entries of their users, such as claims processing, financial transaction processing, medical billing, outsourced inventory management and order fulfillment.

A primary difference between SAS 70 and SSAE 16 is that the new standard requires management of the service organization to provide a detailed assertion regarding the information system description and its controls. This management assertion provides much needed transparency into the service organization's control structure, giving user entities the potential opportunity to use the report in lieu of performing other procedures that would otherwise be required to understand the service organization's controls.

Operational and Compliance Risk

If the services provided pose risks to the achievement of the user entity's operational goals or compliance with laws or regulations, the AICPA has outlined two options. The choice will depend on the user entity's answers to the following questions:
- Do we need a robust description of the information system used to deliver the services?
- Does our governance require detailed testing of service organization controls?

SOC 2: Report on Controls Relevant to Trust Services Principles

If the answer to either or both of the above questions is yes, then a SOC 2 report may be the best option. SOC 2 provides the same level of transparency into operational and compliance risks as the SOC 1 report does into financial risks. As with SOC 1, either a type 1 or type 2 report may be issued. A type 2 report will include descriptions of the tests performed by the service auditor and the results of those tests. The auditor who prepares a SOC 2 report uses the AICPA's Trust Services Principles and Criteria as a yardstick to gauge the design of the service organization's controls. A SOC 2 report is appropriate when an organization has a high degree of reliance on highly specialized functions performed by a service organization that pose operational and/or compliance risks. For example, a healthcare entity that relies on a service organization for assessment of claims-related data would likely benefit from a SOC 2 report that focuses on the privacy principle.

SOC 3: Trust Services Principles & Criteria

If the services in question are more general in nature, then a lower level of transparency may be appropriate and a SOC 3 report may be acceptable. Whereas SOC 1 and SOC 2 are based on a set of controls designed by the service organization, with SOC 3 the independent auditor reviews the service organization's application of pre-determined criteria spelled out in one or more of the AICPA's Trust Services principles. As long as the risks represented by the services align well to the control structure represented by one or more of the Trust Services principles (security, availability, processing integrity, confidentiality and privacy), this report can provide a meaningful level of assurance to user entities.

When AICPA SOC Reporting Isn't Appropriate

While SOC 1, SOC 2, and SOC 3 will fulfill the needs of many organizations, they are by no means the only options for reporting on service organization controls. An auditor applying one or more of these criteria must take an all-or-nothing approach; cherry-picking criteria is not allowed. However, there are scenarios when a more tailored set of controls and attestation reports will be necessary. The service organization's auditor will be able to design a customized attestation report that fulfills the requirements of Attestation Standard 101 and also meets all parties' risk management needs.
Habif, Arogeti & Wynne, LLP
Five Concourse Parkway, Suite 1000, Atlanta, Georgia
An Independent Member of Baker Tilly International
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationBUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION
BUSINESS ASSOCIATE AGREEMENT BETWEEN AND COMMISSION ON ACCREDITATION, AMERICAN PSYCHOLOGICAL ASSOCIATION This Agreement governs the provision of Protected Health Information ("PHI") (as defined in 45 C.F.R.
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationBuilding Trust and Confidence in Healthcare Information. How TrustNet Helps
Building Trust and Confidence in Healthcare Information The management of healthcare information in the United States is regulated under the HIPAA (Health Insurance Portability and Accountability Act)
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is by and between ( Covered Entity )and CONEX Med Pro Systems ( Business Associate ). This Agreement has been attached to,
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More informationSaaS. Business Associate Agreement
SaaS Business Associate Agreement This Business Associate Agreement ( BA Agreement ) becomes effective pursuant to the terms of Section 5 of the End User Service Agreement ( EUSA ) between Customer ( Covered
More informationBUSINESS ASSOCIATE AGREEMENT ( BAA )
BUSINESS ASSOCIATE AGREEMENT ( BAA ) Pursuant to the terms and conditions specified in Exhibit B of the Agreement (as defined in Section 1.1 below) between EMC (as defined in the Agreement) and Subcontractor
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More informationHIPAA and the HITECH Act
WHITE PAPER: THE HITECH BALANCING ACT The Hi-Tech Balancing Act: Securely Walking the Tightrope of Patient Care October 2009 By John McNeely President and CEO Sword & Shield Enterprise Security, Inc. [
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationOCTOBER 2013 PART 1. Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information
OCTOBER 2013 PART 1 Keeping Data in Motion: How HIPAA affects electronic transfer of protected health information Part 1: How HIPAA affects electronic transfer of protected health information It is difficult
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT (this Agreement ), effective as of May 1, 2014 (the Effective Date ), by and between ( Covered Entity ) and Orchard Software Corporation,
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationThis form may not be modified without prior approval from the Department of Justice.
This form may not be modified without prior approval from the Department of Justice. Delete this header in execution (signature) version of agreement. HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationH I P AA B U S I N E S S AS S O C I ATE AGREEMENT
H I P AA B U S I N E S S AS S O C I ATE AGREEMENT This HIPAA BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into by and between Opticare of Utah, Inc. ( Covered Entity ), and,( Business Associate ).
More informationHIPAA Audits and Compliance: What To Expect From Regulators and How to Comply
HIPAA Audits and Compliance: What To Expect From Regulators and How to Comply October 18, 2013 ACEDS Membership Benefits Training, Resources and Networking for the ediscovery Community Exclusive News and
More informationHealthcare Payment Processing: Managing Data Security and Privacy Risks
Moderator: Linda A. Malek Chair, Healthcare Moses & Singer LLP Healthcare Payment Processing: Managing Data Security and Privacy Risks Thursday, September 13, 2012 Panelists: Beth L. Rubin Senior Counsel
More informationBUSINESS ASSOCIATE AGREEMENT. Recitals
BUSINESS ASSOCIATE AGREEMENT This Agreement is executed this 8 th day of February, 2013, by BETA Healthcare Group. Recitals BETA Healthcare Group consists of BETA Risk Management Authority (BETARMA) and
More informationMASSIVE NETWORKS Online Backup Compliance Guidelines... 1. Sarbanes-Oxley (SOX)... 2. SOX Requirements... 2
MASSIVE NETWORKS Online Backup Compliance Guidelines Last updated: Sunday, November 13 th, 2011 Contents MASSIVE NETWORKS Online Backup Compliance Guidelines... 1 Sarbanes-Oxley (SOX)... 2 SOX Requirements...
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationBUSINESS ASSOCIATE AGREEMENT. Business Associate. Business Associate shall mean.
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement is made as of the day of, 2010, by and between Methodist Lebonheur Healthcare, on behalf of itself and all of its affiliates ( Covered Entity
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its
More informationBUSINESS ASSOCIATE ADDENDUM. WHEREAS, Provider (as defined below) has a contractual relationship with FHCCP requiring this Addendum;
BUSINESS ASSOCIATE ADDENDUM This BUSINESS ASSOCIATE ADDENDUM (this Addendum ) is made and entered into as of July 1, 2012, ( Effective Date ) and supplements and is made a part of the services agreement
More informationManaging data security and privacy risk of third-party vendors
Managing data security and privacy risk of third-party vendors The use of third-party vendors for key business functions is here to stay. Routine sharing of critical information assets, including protected
More informationFIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS
FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationUse & Disclosure of Protected Health Information by Business Associates
Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationTulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY
Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) between Inphonite, LLC ( Business Associate and you, as our Customer ( Covered Entity ) (each individually, a Party, and collectively,
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. The terms and conditions of this document entitled Business Associate Agreement ( Business Associate Agreement ), shall be attached to and incorporated by reference in the
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationAnswering to HIPAA. Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM. Brought to you by. www.duxware.com
Answering to HIPAA Who Answers Your Phone? Prepared by Kenneth E. Rhea, MD, FASHRM Brought to you by www.duxware.com The Event On February 20, 2014 at 8:00 PM an Internal Medicine specialist received a
More informationInformation for Management of a Service Organization
Information for Management of a Service Organization Copyright 2011 American Institute of Certified Public Accountants, Inc. New York, NY 10036-8775 All rights reserved. For information about the procedure
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) is entered between ("Covered Entity" or "CE") and, ("Business Associate" or "BA"), collectively the Parties, who agree as follows:
More informationBridging the HIPAA/HITECH Compliance Gap
CyberSheath Healthcare Compliance Paper www.cybersheath.com -65 Bridging the HIPAA/HITECH Compliance Gap Security insights that help covered entities and business associates achieve compliance According
More informationBAC to the Basics: Business Associate Contracts Made Easy
BAC to the Basics: Business Associate Contracts Made Easy Prepared by Jen C. Salyers BAC to the Basics: Business Associate Contracts Made Easy Table of Contents Page I. Approaches to Creating a Business
More informationBUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA)
BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into as of [Date] (hereinafter Effective
More informationUnderstanding Health Insurance Portability Accountability Act AND HITECH. HIPAA s Privacy Rule
Understanding Health Insurance Portability Accountability Act AND HITECH HIPAA s Privacy Rule 1 What Is HIPAA s Privacy Rule The privacy rule is a component of the Health Insurance Portability and Accountability
More informationHIPAA Business Associate Agreement
HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationSunday March 30, 2014, 9am noon HCCA Conference, San Diego
Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose
More informationBUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.
BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationMeeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel
Meeting the HIPAA Training and Business Associate Requirements Questions and Answers, with HIPAA Security Expert Mike Semel Questions Answers 1 Is a Business Associate (BA) responsible for assuming a Covered
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) by and between OUR LADY OF LOURDES HEALTH CARE SERVICES, INC., hereinafter referred to as Covered Entity, and hereinafter referred
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the BAA ) is made and entered into as of the day of, 20, by and between Delta Dental of California (the Covered Entity ) and (the Business
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationIntelligent Vendor Risk Management
Intelligent Vendor Risk Management Cliff Baker, Managing Partner, Meditology Services LeeAnn Foltz, JD Compliance Resource Consultant, WoltersKluwer Law & Business Agenda Why it s Needed Regulatory Breach
More informationHIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions
HIPAA BUSINESS ASSOCIATE ADDENDUM (Privacy & Security) I. Definitions A. Business Associate. Business Associate shall have the meaning given to such term under the Privacy and Security Rules, including,
More informationREGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI
REGULATORY CHANGES DEMAND AN ENTERPRISE-WIDE APPROACH TO DISCLOSURE MANAGEMENT OF PHI Healthcare Organizations Can Adopt Enterprise-Wide Disclosure Management Systems To Standardize Disclosure Processes,
More informationOFFICE OF CONTRACT ADMINISTRATION 60400 PURCHASING DIVISION. Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA)
Appendix A HEALTHCARE INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPPA) BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) supplements and is made a part of the contract ( Contract
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( BAA ) is by and between the National Association of Boards of Pharmacy
More informationIT Insights. Managing Third Party Technology Risk
IT Insights Managing Third Party Technology Risk According to a recent study by the Institute of Internal Auditors, more than 65 percent of organizations rely heavily on third parties, yet most allocate
More informationHIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS
HIPAA OMNIBUS RULE: EXPANDED COMPLIANCE REQUIREMENTS James J. Eischen, Jr., Esq. November 2013 San Diego, California JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher & Mack, LLP 26+ years of experience
More informationBUSINESS ASSOCIATE ADDENDUM
BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( Addendum ) is entered into this day of 2014. Perry Memorial Hospital ( Covered Entity ) and [ABC Company] ( Business Associate ) referred
More informationEffectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations. kpmg.com
Effectively using SOC 1, SOC 2, and SOC 3 reports for increased assurance over outsourced operations kpmg.com b Section or Brochure name Effectively using SOC 1, SOC 2, and SOC 3 reports for increased
More informationInformation Protection Framework: Data Security Compliance and Today s Healthcare Industry
Information Protection Framework: Data Security Compliance and Today s Healthcare Industry Executive Summary Today s Healthcare industry is facing complex privacy and data security requirements. The movement
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ) is entered into by and between Professional Office Services, Inc., with principal place of business at PO Box 450, Waterloo,
More informationA s a covered entity or business associate, you have
Health IT Law & Industry Report VOL. 7, NO. 19 MAY 11, 2015 Reproduced with permission from Health IT Law & Industry Report, 07 HITR, 5/11/15. Copyright 2015 by The Bureau of National Affairs, Inc. (800-372-1033)
More informationOCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement
OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More information