The HIPAA Audit Program


The HIPAA Audit Program
Anna C. Watterson
Davis Wright Tremaine LLP

The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA[1] compliance with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act of 2009.[2] Within HHS, the Office for Civil Rights (OCR) is responsible for administering and enforcing HIPAA.[3] In response to the HITECH audit mandate, OCR began a pilot audit program in 2010 and used a contractor to conduct 115 pilot audits of covered entities in 2011 and [...]. While OCR found widespread compliance issues in the pilot audits, OCR has not indicated an intention to seek enforcement action against those covered entities.[4] Following the pilot audits, OCR engaged a different contractor to evaluate the pilot audit program and provide recommendations for the program going forward.[5] In spring of 2014, an OCR official released information about the evaluation recommendations and made announcements about the audit program for 2014 through [...].[6] Unlike the pilot audits, OCR will conduct future audits using internal staff.[7] OCR also announced plans to begin auditing business associates in [...].[8] OCR indicated that it will select business associates by having covered entities identify their business associates.[9] OCR confirmed that covered entities will be selected for the next round of audits using random selection within certain types or categories.[10] OCR has indicated that it intends to audit a wide range of types of covered entities, including group health plans, physicians and group practices, behavioral health, dental, hospitals, and laboratories.[11]

The following contains an overview of the pilot audit program, a summary of OCR's projections for the next round of audits, and materials to assist in preparing for a HIPAA audit, including checklists for the Privacy, Security, and Breach Notification Rules.

[1] Health Insurance Portability and Accountability Act of 1996, as amended, and implementing regulations (collectively, "HIPAA"), 42 U.S.C. 1320d through 1320d-9.
[2] Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), section 13411; 42 U.S.C. [...] (2009).
[3] Office for Civil Rights; Statement of Delegation of Authority, 65 Fed. Reg. [...] (Dec. 28, 2000).
[4] HIPAA Privacy, Security, and Breach Notification Audit Program, available at [...] (last accessed Sept. 14, 2014).
[5] OCR Audits of HIPAA Privacy, Security and Breach Notification, Phase 2, HCCA Compliance Institute, March 31, 2014.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Id.

OVERVIEW OF THE PILOT AUDIT PROGRAM

The pilot audit program was a multi-step process conducted from [...] that included an initial study, identification of covered entities, development of audit protocol, conducting the audits, and an evaluation of the program.[12] OCR selected an initial twenty covered entities to conduct test audits in late [...].[13] These were followed by audits of an additional ninety-five covered entities, which concluded in December [...].[14] The pilot audits were all onsite audits and evaluated covered entities' compliance with the HIPAA Privacy, Security, and Breach Notification Rules. Covered entities generally had between thirty and ninety days after the initial notification before the audit began.[15] OCR describes the pilot audits as a "compliance improvement activity,"[16] but notes that an audit that reveals serious compliance issues could be referred for enforcement.[17]

OCR's covered entity selection for the pilot audits was designed to capture covered entities of a variety of sizes and types, as demonstrated in Figures 1 and 2 below. From the initial covered entity pool, OCR used specific criteria to select the covered entities to be audited.[18] These criteria included, but were not limited to, whether the covered entity was a public or private entity; the entity's size, based on revenue and assets, number of patients, number of employees, and use of health information technology; the entity's affiliation with other health care organizations; geographic location; and the type of entity and its relationship to patient care.[19]

OCR classified all covered entities into four groups, as shown in Figure 1. Level 1 entities were the largest providers and health plans, with more than $1 billion in revenue and/or assets. Level 2 entities included large regional hospital systems (with three to ten hospitals per region) and regional insurance companies. These entities had $300 million to $1 billion in revenue and/or assets. Level 3 entities included community hospitals, outpatient surgery facilities, regional pharmacies, and self-insured entities, all with $50 million to $300 million in revenue. Small providers (practices with ten to fifty providers, and community or rural pharmacies, for example) fell within Level 4. These entities had less than $50 million in revenue. The categorization of covered entities into these levels allowed OCR to ensure the pilot audits looked at a variety of types and sizes of covered entities. Figure 2 illustrates the number of entities selected in the pilot audit program by both type (health plans, health care providers, and health care clearinghouses) and size.

Figure 1: Breakdown of Auditees[20]

Figure 2: Auditees by Type and Size[21]

[12] Id. The initial study and identification of covered entities were done by Booz Allen Hamilton and completed in 2010 and 2011, respectively. The audit protocol was developed by KPMG in 2011, followed by the audit, also done by KPMG, in 2011 and [...]. The program evaluation was done by PWC, LLP and concluded in [...].
[13] Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
[14] Id.
[15] Audit Pilot Program, [...] (Sept. 9, 2014).
[16] Id.
[17] Under HIPAA, 45 C.F.R. Part 160, OCR has the authority to investigate complaints filed with the Secretary pursuant to 45 C.F.R. [...] and to conduct compliance reviews of covered entities and business associates pursuant to 45 C.F.R. [...].
[18] Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
[19] Id.
[20] Id.
[21] Id.

SCOPE OF THE PILOT AUDITS

OCR's pilot audits, while comprehensive, did not evaluate all provisions of the HIPAA Privacy, Security and Breach Notification Rules. The pilot audits evaluated covered entities' compliance with the following provisions:[22]

HIPAA Privacy Rule Provisions Evaluated in the Pilot Audits

Notice of Privacy Practices - 45 C.F.R. [...]
- Notice of Privacy Practices
- Provision of Notice: Health Plans
- Provision of Notice: Certain Covered Health Care Providers
- Provision of Notice: Electronic Notice
- Joint Notice by Separate Covered Entities

Right to Request Privacy Protection for PHI - 45 C.F.R. [...]
- Confidential Communication Requirements

Access of Individuals to PHI - 45 C.F.R. [...]
- Right to Access
- Review of Denial of Access

Administrative Requirements - 45 C.F.R. [...]
- Privacy Training
- Complaints to the Covered Entity
- Sanctions of Workforce Regarding Failure to Comply with the Privacy Policies and Procedures
- Policies and Procedures

Uses and Disclosures of PHI: General Rules - 45 C.F.R. [...]
- Deceased Individuals
- Personal Representatives

Uses and Disclosures: Organizational Requirements - 45 C.F.R. [...]
- Business Associate Contracts
- Requirements for Group Health Plans

Uses and Disclosures to Carry Out Treatment, Payment, or Health Care Operations - 45 C.F.R. [...]
- Permitted Uses and Disclosures

Uses and Disclosures for which an Authorization is Required - 45 C.F.R. [...]
- Obtaining Authorization as Required for Internal Use and Disclosure of PHI
- Authorization for Use or Disclosure - Required

Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object - 45 C.F.R. [...]
- Limited Uses and Disclosures when the Individual is Not Present

Uses and Disclosures for which an Authorization or Opportunity to Agree or Object is Not Required - 45 C.F.R. [...]
- Disclosures for Judicial and Administrative Proceedings
- Uses and Disclosures for Research Purposes
- Re-Identification

Other Requirements Relating to Uses and Disclosures of PHI - 45 C.F.R. [...]
- Minimum Necessary Uses of PHI
- Minimum Necessary Disclosures of PHI
- Uses and Disclosures for Fundraising
- Uses and Disclosures for Underwriting and Related Purposes
- Verification of the Identity of Those Requesting PHI

HIPAA Breach Notification Rule Provisions Evaluated in the Pilot Audits

Notification to Individuals - 45 C.F.R. [...]
- Notification to Individuals
- Timeliness of Notification
- Methods of Individual Notification

Burden of Proof - 45 C.F.R. [...]

HIPAA Security Rule Provisions Evaluated in the Pilot Audits

Administrative Safeguards - 45 C.F.R. [...]
- Risk Analysis
- Policies and Procedures for Authorizing Access
- Policies and Procedures for Access Establishment and Modification
- Development and Implementation of Procedures to Respond to and Report Security Incidents
- Contingency Planning Policy

Physical Safeguards - 45 C.F.R. [...]
- Identification of Methods of Physical Access to Workstations
- Implementation of Methods for Final Disposal of ePHI
- Accountability for Hardware and Electronic Media
- Data Backup and Storage Procedures

Technical Safeguards - 45 C.F.R. [...]
- Encryption and Decryption
- Determination of Activities that Will be Tracked or Audited
- Implementation of Audit/System Activity Review Process
- Identification of All Users Authorized to Access ePHI
- Mechanism to Authenticate ePHI

[22] Id.

RESULTS OF THE PILOT AUDITS

Only 11% of entities audited in the pilot audits did not have a finding or observation.[23] By entity size, Level 4 entities, the smallest entities, accounted for 41% of the findings and observations.[24] Level 1 entities and Level 2 entities each accounted for 20% of findings and observations, with Level 3 entities at 19%.[25] By entity type, health care providers accounted for 65% of the total findings and observations, followed by health plans at 32% and health care clearinghouses at 3%.[26] Although the audits covered twice as many Privacy Rule provisions, the Security Rule provisions accounted for more than 60% of the total findings and observations.[27] Specifically, 58 out of 59 providers had one or more Security Rule findings, and 47 out of the 59 providers failed to provide a complete and accurate risk analysis.[28]

OCR has indicated that it used the pilot audits and the evaluation to inform the structure of future audits.[29] OCR also states that it will release best practices and targeted guidance based on what it learned in the pilot audits.[30] Following the pilot audits, HHS released a Security Risk Assessment tool, designed to help covered entities comply with the risk analysis requirement of the HIPAA Security Rule. That tool can be downloaded here: [...]

[23] Id.
[24] Id.
[25] Id.
[26] Id.
[27] Id.
[28] Id.
[29] Id.
[30] Audit Pilot Program, available at [...] (last accessed Sept. 14, 2014).

THE NEXT PHASE OF HIPAA AUDITS

THE FIRST PROPOSAL

In March 2014, OCR announced that it projected the next phase of its audit program would include offsite or desk audits of 350 covered entities.[31] OCR anticipated initially contacting covered entities in the spring and, in the summer, sending a pre-audit survey to approximately [...] covered entities.[32] OCR planned to select the covered entities it would audit from that pool and notify the selected entities in fall of [...].[33] OCR anticipated giving auditees two weeks to respond to data requests, allowing it to conduct the audit reviews from October 2014 through June [...].[34] OCR also announced that it would begin auditing business associates in [...].[35] OCR stated that onsite audits were being planned on a resource-dependent basis.[36] Figure 3 represents a breakdown of the targeted offsite audits, by covered entity type, as presented by OCR in March [...].

Figure 3: OCR Projected Breakdown of Covered Entity Audits[37]
(Columns: Privacy Rule Audit; Breach Notification Rule Audit; Security Rule Audit; Total Number of Covered Entities. Rows: Health Plans; Health Care Providers; Health Care Clearinghouses. The figures themselves did not survive transcription.)

THE CURRENT PROPOSAL

In September 2014, OCR announced modifications and a delay to its previous proposal for the next round of HIPAA audits.[38] OCR now plans to conduct fewer than 200 targeted offsite audits, but will conduct a large number of comprehensive onsite audits.[39] OCR will also conduct comprehensive onsite audits for business associates.[40] OCR stated that it is in the process of updating its technology, which has delayed starting the next round of the audits.[41] OCR could not comment on when the audits will start.[42] The new technology will assist OCR in analyzing data and will include an online portal that entities will use to submit data, both for the pre-audit survey and for the actual audits.[43] OCR predicts this will allow it to conduct more audits.[44]

Although many of the audits in the next round may be comprehensive, OCR notes that it will look in particular for a periodic risk analysis and for documentation of policies and procedures that have been updated and implemented.[45] OCR states that in the comprehensive audits, when looking at an entity's sanction process, "we'll want to see instances where you've sanctioned people and whether it was consistent with your sanctions policy."[46] Additionally, OCR will be asking covered entities for a complete list of all business associates, with contact information and the services that they provide.[47] This will be the basis of OCR's selection of business associates for audits.[48]

[31] Lessons Learned from OCR Privacy and Security Audits, Program Overview and Initial Analysis, Presentation to IAPP Global Privacy Summit, March 7, 2013.
[32] Id.
[33] Id.
[34] Id.
[35] Id.
[36] Id.
[37] Id.
[38] L. Sanches speaking at the HIMSS Privacy and Security Forum, Sept. 9, [...].
[39] OCR Senior Advisor: Stay Tuned on HIPAA Audit Timeline, HealthITSecurity, available at [...] (Sept. 9, 2014).
[40] Id.
[41] Id.
[42] Id.
[43] Id.
[44] Id.
[45] Id.
[46] Id.
[47] Id.
[48] Id.

PREPARING FOR A HIPAA AUDIT

As covered entities and business associates prepare for HIPAA audits, and for the reality that HIPAA audits are likely a permanent feature of OCR's mechanisms to ensure compliance, resources should be focused on several key areas of compliance failures. This checklist is not meant to be comprehensive, and covered entities and business associates should take appropriate steps to ensure compliance with all requirements of the HIPAA regulations.

Before an OCR audit:
- Consider conducting mock audits; both paper reviews and onsite audits can be helpful in identifying compliance gaps
- Identify and communicate who in your organization is responsible for HIPAA compliance
- Review your vendor management process

If you are selected for an OCR audit:
- Determine whether the audit will be onsite or offsite
- Depending on your organizational structure, verify what part of your organization OCR will audit and whether OCR will audit subsidiaries or affiliates
- Begin preparing your response immediately; OCR may not give additional time to respond to a data request
- Evaluate the requirements for transmitting the documentation to OCR; communicate with OCR early if you do not believe you can submit in the requested format
- Ensure submissions are responsive; do not submit extraneous information, but recognize that there may not be an opportunity to submit supplemental information
- Ensure documentation clearly demonstrates compliance, especially for offsite audits

SECURITY RULE AUDIT CHECKLIST

The Security Rule aims to ensure the confidentiality, integrity and availability of all electronic protected health information (ePHI) created, received, maintained, or transmitted by covered entities or business associates. To do this, the Security Rule requires covered entities and business associates to protect against reasonably anticipated threats or hazards to the security or integrity of the ePHI, to protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted by the Privacy Rule, and to ensure their workforce complies with the requirements of the Security Rule. The Security Rule is designed to be flexible and scalable, not prescriptive.

Top Security Tasks to Tackle Before an OCR Audit:
- Risk Analysis and Risk Management: Ensure a complete, accurate, documented, enterprise-wide risk analysis, conducted in at least the last three years (ideally in the past year) and updated as required by environmental or operational changes, together with a corresponding risk management plan setting reasonable timelines to address the threats and vulnerabilities identified in the risk analysis
- Encryption and Decryption: Identify all devices and media containing ePHI and all instances in which ePHI is transmitted; document that data is encrypted, or document the analysis of why encryption is not reasonable and appropriate and whether an equivalent alternative measure was reasonable
- Device and Media Controls: Ensure appropriate policies and procedures for disposal, re-use, back-up, storage, and tracking of all devices and media containing ePHI; ensure policies and procedures are consistently followed by the workforce
- Security Incident Response and Reporting: Policies and procedures should require documentation of all security incidents and the response taken, timely action to mitigate harm where appropriate, and escalation when an incident is a potential breach; ensure consistent implementation and appropriate documentation
- Security Awareness and Training: An ounce of prevention is worth a pound of cure; ensure workforce members are properly trained on all security policies and procedures, including incident response reporting, and provide periodic awareness training

PRIVACY RULE AUDIT CHECKLIST

The Privacy Rule can be divided into three sections:
1. Uses and Disclosures of PHI (Permitted, Required, and Prohibited);
2. Individual Rights; and
3. Administrative Requirements

For each type of use or disclosure of PHI, a covered entity should have a corresponding policy and procedure. Covered entities should periodically verify that these policies and procedures are being implemented correctly.

Individuals generally have the right to: request a restriction of uses and disclosures, request confidential communications, access and obtain a copy of all PHI maintained in one or more designated record sets, request an amendment of PHI, and receive an accounting of disclosures of PHI.

The Privacy Rule administrative requirements include: designating a privacy officer, workforce training, safeguards, a process for individual complaints to the covered entity, sanctions, mitigation of harmful effects, refraining from intimidating or retaliatory acts, prohibition on waiver of certain rights, policies and procedures, and documentation requirements.

Top Privacy Tasks to Tackle Before an OCR Audit:
- Notice: Update the Notice of Privacy Practices to reflect material changes required by the Omnibus Rule or other material changes
- Access: Review policies and procedures for providing individuals with access to their PHI, including the process for denying access and providing reviews of denials, as required; ensure documentation of access provided or the reason for denial
- Training: Review training materials and ensure training includes any recent changes to policies and procedures; ensure documentation (tracking) of workforce training
- Policies and Procedures: Review all policies and procedures related to uses and disclosures of PHI; ensure these are being implemented as written; revise and update as needed, or retrain and/or sanction workforce members not following policies and procedures
- Business Associates: Ensure a process for identifying all contractors and vendors that qualify as Business Associates under HIPAA and for entering into appropriate agreements
- Business Associate Agreements: Update all Business Associate agreements, if needed, to reflect Omnibus Rule changes

BREACH NOTIFICATION RULE AUDIT CHECKLIST

It is important to ensure complete documentation for each impermissible use or disclosure of PHI. This includes incidents where the covered entity, or business associate, if applicable, determined that the impermissible use or disclosure was a breach and made notifications to individuals, media, and HHS. Documentation is equally important when the covered entity or business associate, if applicable, determines that the impermissible use or disclosure did not require notifications because it fell within an exception, it met the safe harbor, or the covered entity or business associate, if applicable, determined a low probability of compromise based on a risk assessment of at least the four enumerated factors.

Top Breach Tasks to Tackle Before an OCR Audit:
- Policies and Procedures: Ensure policies and procedures have been updated to reflect Omnibus Rule changes and address all elements of notification; implement the updated policies and procedures and train the workforce
- Breach Notifications: Ensure documentation of all types of notification (individual (written and substitute), media, if applicable, and HHS), including documentation for any delays (e.g., a law enforcement request), where appropriate
- Documentation of Risk Assessment or Exception: Covered entities have the burden of proving that an impermissible use or disclosure of PHI did not meet the definition of breach; ensure these determinations are thoroughly documented, made in good faith, and reasonable
- Business Associate Breaches: Ensure business associate agreements require business associates or subcontractors, if applicable, to report breaches (and security incidents, which may exceed the definition of breach)

HIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.

More information

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist

HIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various

More information

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits

Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer

More information

HIPAA Compliance Guide

HIPAA Compliance Guide HIPAA Compliance Guide Important Terms Covered Entities (CAs) The HIPAA Privacy Rule refers to three specific groups as covered entities, including health plans, healthcare clearinghouses, and health care

More information

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act

What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act

More information

How to prepare your organization for an OCR HIPAA audit

How to prepare your organization for an OCR HIPAA audit How to prepare your organization for an OCR HIPAA audit Presented By: Mac McMillan, FHIMSS, CISM CEO, CynergisTek, Inc. Technical Assistance: 978-674-8121 or Amanda.Howell@iatric.com Audio Options: Telephone

More information

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS

BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License

More information

HIPAA 101. March 18, 2015 Webinar

HIPAA 101. March 18, 2015 Webinar HIPAA 101 March 18, 2015 Webinar Agenda Acronyms to Know HIPAA Basics What is HIPAA and to whom does it apply? What is protected by HIPAA? Privacy Rule Security Rule HITECH Basics Breaches and Responses

More information

COMPLIANCE ALERT 10-12

COMPLIANCE ALERT 10-12 HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment

More information

SAMPLE BUSINESS ASSOCIATE AGREEMENT

SAMPLE BUSINESS ASSOCIATE AGREEMENT SAMPLE BUSINESS ASSOCIATE AGREEMENT THIS AGREEMENT IS TO BE USED ONLY AS A SAMPLE IN DEVELOPING YOUR OWN BUSINESS ASSOCIATE AGREEMENT. ANYONE USING THIS DOCUMENT AS GUIDANCE SHOULD DO SO ONLY IN CONSULT

More information

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready?

OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Presenting a live 90-minute webinar with interactive Q&A OCR Launches Phase 2 HIPAA Audits for Covered Entities and Business Associates: Are You Ready? Developing, Ensuring and Documenting HIPAA and HITECH

More information

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review Privacy and Security Meaningful Use Requirement HIPAA Readiness Review REACH - Achieving - Achieving meaningful meaningful use of your use EHR of your EHR Patti Kritzberger, RHIT, CHPS ND e-health Summit

More information

My Docs Online HIPAA Compliance

My Docs Online HIPAA Compliance My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several

More information

HIPAA in an Omnibus World. Presented by

HIPAA in an Omnibus World. Presented by HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters

More information

M E M O R A N D U M. Definitions

M E M O R A N D U M. Definitions M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice

More information

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.

Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style. Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP

More information

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014 Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules

More information

OCR UPDATE Breach Notification Rule & Business Associates (BA)

OCR UPDATE Breach Notification Rule & Business Associates (BA) OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the

More information

What s New with HIPAA? Policy and Enforcement Update

What s New with HIPAA? Policy and Enforcement Update What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final

More information

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help

HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,

More information

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com

HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health

More information

Security Is Everyone s Concern:

Security Is Everyone s Concern: Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito

More information

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection

More information

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego

Sunday March 30, 2014, 9am noon HCCA Conference, San Diego Meaningful Use as it Relates to HIPAA Compliance Sunday March 30, 2014, 9am noon HCCA Conference, San Diego CLAconnect.com Objectives and Agenda Understand the statutory and regulatory background and purpose

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,

More information

HIPAA Security Rule Compliance

HIPAA Security Rule Compliance HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA

More information

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010

Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010 Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)

More information

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services

HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services HIPAA Secure Now! How MSPs Can Profit From Selling HIPAA security services How MSPs can profit from selling HIPAA security services Managed Service Providers (MSP) can use the Health Insurance Portability

More information

Datto Compliance 101 1

Datto Compliance 101 1 Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)

More information

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help

More information

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics HIPAA Security S E R I E S Security Topics 1. Security 101 for Covered Entities 2. Security Standards - Administrative Safeguards 3. Security Standards - Physical Safeguards 4. Security Standards - Technical

More information

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com

Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com Are You Prepared for an OCR HIPAA Audit or Investigation? February 15, 2012 ID Experts Webinar www.idexpertscorp.com Mahmood Sher-Jan VP of Product Management mahmood.sher-jan@idexpertscorp.com Chris Apgar

More information

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments

Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments View the Replay on YouTube Sustainable HIPAA Compliance: Protecting Patient Privacy through Highly Leveraged Investments FairWarning Executive Webinar Series October 31, 2013 Today s Panel Chris Arnold

More information

SECURITY RISK ASSESSMENT SUMMARY

SECURITY RISK ASSESSMENT SUMMARY Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected

More information

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List

More information

Interpreting the HIPAA Audit Protocol for Health Lawyers

Interpreting the HIPAA Audit Protocol for Health Lawyers Interpreting the HIPAA Audit Protocol for Health Lawyers This webinar is brought to you by the Health Information and Technology Practice Group (HIT), and is co-sponsored by the Business Law and Governance

More information

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA

More information

Mapping to HIPAA Audit Protocols

Mapping to HIPAA Audit Protocols Mapping to HIPAA Audit Protocols In June 2011, KPMG was awarded the contract to conduct HIPAA audits and develop an audit protocol on behalf of Health and Human Services (HHS) Office for Civil Rights (OCR).

More information

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule

HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule HIPAA, HIPAA Hi-TECH and HIPAA Omnibus Rule NYCR-245157 HIPPA, HIPAA HiTECH& the Omnibus Rule A. HIPAA IIHI and PHI Privacy & Security Rule Covered Entities and Business Associates B. HIPAA Hi-TECH Why

More information

Am I a Business Associate?

Am I a Business Associate? Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have

More information

HIPAA and HITECH Compliance for Cloud Applications

HIPAA and HITECH Compliance for Cloud Applications What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health

More information

Business Associates, HITECH & the Omnibus HIPAA Final Rule

Business Associates, HITECH & the Omnibus HIPAA Final Rule Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS

More information

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute

OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

OCR Reports on the Enforcement. Learning Objectives

OCR Reports on the Enforcement. Learning Objectives OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil

More information

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS

FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS FIVE EASY STEPS FOR HANDLING NEW HIPAA REQUIREMENTS & MANAGING YOUR ELECTRONIC COMMUNICATIONS James J. Eischen, Jr., Esq. October 2013 Chicago, Illinois JAMES J. EISCHEN, JR., ESQ. Partner at Higgs, Fletcher

More information

Preparing for and Responding to an OCR HIPAA Audit

Preparing for and Responding to an OCR HIPAA Audit Preparing for and Responding to Carole Klove Carole.Klove@ucsfmedctr.or g Gerry Hinkley gerry.hinkley@pillsburylaw.com SIXTH NATIONAL HIPAA SUMMIT WEST October 10-12, 2012 Overview Background What to expect

More information

Business Associates Agreement

Business Associates Agreement Business Associates Agreement This Business Associate Agreement (the Agreement ) between Customer,( Covered Entity ) and Kareo ( Business Associate ) will be in effect during any such time period that

More information

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable: PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF

More information

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015

Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746

More information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics HIPAA Security SERIES Security Topics 1. Security 101 for Covered Entities 5. 2. Security Standards - Organizational, Security Policies Standards & Procedures, - Administrative and Documentation Safeguards

More information

Use & Disclosure of Protected Health Information by Business Associates

Use & Disclosure of Protected Health Information by Business Associates Applicability: Policy Title: Policy Number: Use & Disclosure of Protected Health Information by Business Associates PP-12 Superseded Policy(ies) or Entity Policy: N/A Date Established: January 31, 2003

More information

Authorized. User Agreement

Authorized. User Agreement Authorized User Agreement CareAccord Health Information Exchange (HIE) Table of Contents Authorized User Agreement... 3 CareAccord Health Information Exchange (HIE) Polices and Procedures... 5 SECTION

More information

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014

HIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014 HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding

More information

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties:

Definitions: Policy: Duties and Responsibilities: The Privacy Officer will have the following responsibilities and duties: PRIVACY 1.0 FACILITY PRIVACY OFFICER Scope: Purpose: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities

More information

HIPAA Breach Notification Interim Final Rule

HIPAA Breach Notification Interim Final Rule HIPAA Breach Notification Interim Final Rule The American Recovery and Reinvestment Act of 2009 ( the Act ) made several changes to the HIPAA privacy rules including adding a requirement for notice to

More information

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer Securing the FOSS VistA Stack HIPAA Baseline Discussion Jack L. Shaffer, Jr. Chief Operations Officer HIPAA as Baseline of security: To secure any stack which contains ephi (electonic Protected Health

More information

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT

HIPAA BUSINESS ASSOCIATE SUBCONTRACTOR AGREEMENT This HIPAA Sub Business Associate Agreement ("Sub Agreement") is entered into by and between HR Simplified, Inc. ( Business Associate ) and [Vendor Name] on behalf of itself and its Affiliates ( Subcontractor

More information

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996

HIPAA RISKS & STRATEGIES. Health Insurance Portability and Accountability Act of 1996 HIPAA RISKS & STRATEGIES Health Insurance Portability and Accountability Act of 1996 REGULATORY BACKGROUND Health Information Portability and Accountability Act (HIPAA) was enacted on August 21, 1996 Title

More information

HIPAA BREACH RESPONSE POLICY

HIPAA BREACH RESPONSE POLICY http://dhmh.maryland.gov/sitepages/op02.aspx (OIG) DHMH POLICY 01.03.07 Effective Date: July 22, 2014 I. EXECUTIVE SUMMARY The Department of Health and Mental Hygiene (DHMH) is committed to protecting

More information

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY

Tulane University. Tulane University Business Associates Agreement SCOPE OF POLICY STATEMENT OF POLICY IMPLEMENTATION OF POLICY Tulane University DEPARTMENT: General Counsel s POLICY DESCRIPTION: Business Associates Office -- HIPAA Agreement PAGE: 1 of 1 APPROVED: April 1, 2003 REVISED: November 29, 2004, December 1, 2008, October

More information

Model Business Associate Agreement

Model Business Associate Agreement Model Business Associate Agreement Instructions: The Texas Health Services Authority (THSA) has developed a model BAA for use between providers (Covered Entities) and HIEs (Business Associates). The model

More information

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308)

Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) HIPAA Business Associate Agreement Sample Notice Disclaimer: Template Business Associate Agreement (45 C.F.R. 164.308) The information provided in this document does not constitute, and is no substitute

More information

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO. 05-050 Adopting Multnomah County HIPAA Security Policies and Directing the Appointment of Information System Security

More information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information about HIPAA, the HITECH-HIPAA Omnibus Privacy Act, how

More information

Business Associate Agreement

Business Associate Agreement Business Associate Agreement This BUSINESS ASSOCIATE AGREEMENT (the "Agreement") is entered into by and between the Board of Regents of the University of Wisconsin System on behalf of the [insert name

More information

Understanding HIPAA Regulations and How They Impact Your Organization!

Understanding HIPAA Regulations and How They Impact Your Organization! Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor

More information