Recent Developments in Privacy/Security Litigation
1 Recent Developments in Privacy/Security Litigation
Elizabeth F. Hodge
February 25, 2015
2 Privacy & Security Enforcement
- HIPAA: Office for Civil Rights, State Attorneys General
- Federal Trade Commission (FTC)
- State privacy laws: Florida Information Protection Act
- Private lawsuits
- State Insurance Commissioners
3 Why Should I Care?
- Financial cost to entity if there is a breach: staff time, outside consultants, notification to individuals, credit monitoring, fines/penalties, defending ensuing litigation
- Reputational harm to entity if there is a breach
4 Quantifying the Cost
- $145 average cost per record involved in a breach
- $509,237 average notification cost per breach in U.S.
- $1,599,996 average post data breach cost in U.S. (for remedial action)
- $5.85 million average cost of a data breach in the U.S.
- Costs of healthcare breach typically higher than the average cost
Source: Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis
5 HIPAA Enforcement
6 HIPAA, Briefly
- Covered entities are required to protect the confidentiality, integrity and availability of protected health information (PHI) of individuals: health plans (including self-funded employer health plans), health care clearinghouses, health care providers conducting covered transactions
- Applies to PHI regardless of form (paper, oral or electronic)
- Effective September 23, 2013, business associates and subcontractors of covered entities are subject to the HIPAA Security Rule for electronic PHI
7 OCR HIPAA Audits
- First round will target 350 covered entities: health plans, health care clearinghouses, health care providers who conduct covered transactions; a cross-section of type and size of provider; small practices are not exempt
- Second round will target 50 business associates identified from results of first round
8 HIPAA Audits
- Original plan: 100 CEs audited on Privacy (notice and access); 100 CEs audited on Breach Notification (content and timeliness of notifications); 150 CEs audited on Security (risk analysis and risk management)
- All BAs will be audited on Security only: 35 will be IT-related BAs, 15 will be non-IT related BAs
9 HIPAA Audits
- CEs will have 2 weeks to respond!
- Information not timely produced will not be considered
- Auditors will not have opportunity to contact CE for clarifications or to ask for additional information; you only get 1 chance to get the response right!
- Failure to submit documentation may lead to referral for regional compliance review
- All communications will be electronic, including submissions of information to OCR
- May be asked to produce risk analysis
10 HIPAA Penalties
- HITECH Act confirmed applicability to business associates
- HITECH Act increased civil penalties, with tiers based upon the culpability of the violator
- OCR MUST conduct compliance review whenever a preliminary review indicates possible willful neglect
- Penalties range from $100 to $50,000 per violation
- Single failure can constitute multiple violations
- Self-correction within 30 days can reduce or avoid penalties
- Criminal penalties: fines and imprisonment; ranges vary by culpability
11 Penalties (per 45 CFR)
Monetary penalties for HIPAA violations:

Violation category*             Each violation        All violations of an identical provision in a calendar year
Did not know                    $100 to $50,000       $1.5 million
Reasonable cause                $1,000 to $50,000     $1.5 million
Willful neglect, corrected      $10,000 to $50,000    $1.5 million
Willful neglect, not corrected  $50,000               $1.5 million
12 HHS Settlement Agreements
- $4.8M settlement: connecting personally-owned computer server to employer's network
- $1.2M settlement: returning leased copiers without wiping or destroying hard drive
- $3.25M settlement: throwing prescription labels and old prescriptions in dumpsters
- $7.1M settlements: theft/loss of unencrypted laptops, back-up tapes, USB drives
- $1M settlement: leaving patient schedules and billing encounter forms on subway
- $4.3M civil penalty/fine: failing to provide individuals with copies of their PHI and then failing to respond to investigators
13 Class Action Settlements
14 AvMed Settlement Background
- December: company laptops containing PHI were stolen from a locked conference room at corporate building
- AvMed investigated the incident and notified current and former members of possible compromise of their PHI
- November 16, 2010: four plaintiffs filed a class action lawsuit in Miami
- AvMed twice moved to dismiss. Trial court granted both motions to dismiss, but the 11th Circuit Court of Appeals reversed in part and affirmed in part the 2nd dismissal order
- Parties mediated the case
15 Plaintiffs' Theories
- Negligence per se
- Breach of implied covenant of fair dealing
- Negligence
- Breach of contract
- Breach of implied contract
- Breach of fiduciary duty
- Restitution/unjust enrichment
The 11th Circuit affirmed dismissal of the negligence per se and breach of implied covenant of fair dealing counts and reversed dismissal of the other counts.
16 Settlement Agreement
$3,000,000 settlement fund to pay the following:
- Premium Overpayment Settlement Class: $10 for each year that the class member paid AvMed for health insurance coverage before the December 2009 incident, up to $30. Reimburses class members for the portion of premiums that plaintiffs say AvMed should have spent on adequate data protection. Class members do not need proof of injury.
- Identity Theft Settlement Class: reimburses class members for the amount of any proven actual, monetary loss shown by the claimant to have occurred more likely than not as a result of the December 2009 incident. Class members may also recover as members of the Premium Overpayment Settlement Class.
17 Significance of AvMed
- First case where plaintiffs who could not demonstrate actual damages due to breach were allowed to share in settlement proceeds
- Paying a premium (or medical bill?) may be enough to establish entitlement to damages under a theory of unjust enrichment
18 Springer v. Stanford Hospital, et al.
- Stanford Hospital sent the encrypted personal information of patients to Multi-Specialty Collections for permissible business purposes
- A subcontractor of Multi-Specialty Collections (Corcino & Associates) used the personal information to create a document containing the personal information of almost 20,000 individuals, which was subsequently posted on the Student of Fortune website between September and August
- One of the affected individuals, Shana Springer, filed a $20M class action lawsuit for violating California's Confidentiality of Medical Information Act
- Defendants = Stanford Hospital & Clinics, Multi-Specialty
19 Springer v. Stanford Hospital, et al.: Settlement Agreement
- Defendants to pay $4,125,000: Stanford Hospital $750,000 ($500,000 of which will fund training on patient privacy & security issues for business associates, $250,000 of which funds administrative expenses); Multi-Specialty Collections $1,775,000; Corcino & Associates $1,600,000
- Affected individuals do not need to prove damages to collect under settlement
- If no one opts out of settlement, after deducting attorneys
20 Springer v. Stanford Hospital, et al.: Significance of Settlement
- Plaintiffs and covered entities are starting to make business associates and subcontractors financially responsible for data breaches
- The Stanford settlement documents say repeatedly that Stanford represents that it did not create the document that was posted to the website; that language is even included in the settlement notice sent to class members
- California law allows patients to sue any entity that negligently releases identifiable information, seeking minimum damages of $1,000, with no proof of actual damage required
21 The FTC Joins the Mix
22 The Role of the FTC
23 Accretive Health
- Theft of unencrypted laptop containing PHI of 23,000 patients from employee's car
- The Federal Trade Commission (FTC) filed a complaint alleging Accretive failed to provide reasonable and appropriate security for the personal information of consumers, resulting in the data breach
- Accretive created unnecessary risks of unauthorized access to personal information by transporting laptops containing personal information in a manner that made them vulnerable to theft
- Accretive failed to adequately restrict access to personal
24 Accretive Health Settlement
- 20 year settlement agreement
- Agreed to stop doing business in Minnesota for at least 6 years
- Establish and maintain comprehensive information security program
- Program must be evaluated initially and then every 2 years for 20 years
- FTC closed its investigation into Accretive's conduct in collecting defaulted debts in hospital emergency rooms
- Previously, Accretive settled with the Minnesota Attorney General, who sued under HIPAA for the same breach; Accretive paid $2.5 million to settle
25 GMR Transcription Services
- FTC filed complaint against GMR and its officers, individually, because they control the policies and acts of the company
- FTC alleged that GMR hired contractors to transcribe audio files of GMR customers
- Due to inadequate security, medical transcript files prepared between by GMR's service provider located in India were indexed by a major internet search engine and were publicly available to anyone using the search engine
- GMR made representations regarding its privacy and security policies & procedures
26 GMR Transcription Services: Violations of the FTC Act
- Representations that GMR implemented reasonable and appropriate security measures to prevent unauthorized access to personal information in audio and transcript files were false and misleading and constitute a deceptive act or practice
- Representations that GMR took reasonable measures to oversee its service providers to ensure service providers implemented reasonable & appropriate security measures were false and misleading and constitute a deceptive act or practice
- GMR failed to use reasonable and appropriate measures to prevent unauthorized access to personal information; such practices caused or are likely to cause substantial injury to
27 GMR Transcription Services: Terms of Settlement & Consent Agreement
- GMR is prohibited from misrepresenting the extent to which it maintains the privacy and security of personal information
- GMR must establish a comprehensive information security program that will protect consumers' sensitive personal information
- GMR must have the security program evaluated initially and every 2 years by a certified third party
- Settlement agreement will be in force for 20 years
- 50th data security case that the FTC has settled in the last 12 years
28 PaymentsMD Case
- 20 year settlement agreement
- Can't misrepresent the extent to which it uses, maintains, and protects the privacy, confidentiality, security or integrity of covered information collected from consumers
- Prominently disclose to consumers its practices for collecting, using, storing, disclosing or sharing health information before seeking authorization to collect health information from 3rd parties
- Obtain affirmative express consent before collecting health information from 3rd parties
- Destroy all covered information collected pursuant to an authorization signed before the settlement agreement
- Make available to FTC documents relating to compliance with order
29 LabMD & Wyndham Cases
- Challenges to FTC's authority to oversee data breaches
- LabMD says it is subject to HIPAA so FTC should MYOB (mind its own business); the 11th Circuit recently told LabMD it has to complete the administrative proceeding before the FTC before it can come to court
- Wyndham case: trial court denied Wyndham's motion to dismiss FTC complaint arising out of breach of Wyndham's computer system. The denial of the MTD is on appeal in the 3rd Circuit
- Section 5 and the "unfair acts" language does not extend to "unreasonable data security practices"
- FTC hasn't provided fair notice of what are reasonable security practices (i.e., there is no FTC analog to HIPAA security rules)
30 State Attorneys General
31 California v. Kaiser Foundation Settlement Agreement
- $150,000 settlement payment
- Implement data security improvements: improve encryption policies, internal audit of extent of employee access to sensitive personal information, and report audit results to Attorney General
- Timely notification when there is a breach of the security of Kaiser's system (4 months is too long!)
- Provide notice on a rolling basis following discovery of a breach; provide notice as soon as reasonably possible after identifying a portion of the total individuals affected by a
32 FL Information Protection Act
Florida Statute , effective July 1, 2014:
- Requires proper notice to be provided to affected consumers within 30 days unless good cause is shown for an additional 15-day delay
- Requires proper notice to be provided to the AG for a breach affecting 500 or more individuals in Florida
- Defines what information must be included in a proper notice
- Expands the definition of personal information to include health insurance, medical information, financial information and online account information such as security questions and answers, addresses and passwords
- Expands the data breach statute to include state governmental entities and their instrumentalities
33 FL Information Protection Act
- Requires businesses, state government entities, and third-party agents to take reasonable measures to protect data, including disposal of customer records
- Requires the AG to provide an annual report to the Legislature regarding data breaches by governmental entities
- Authorizes enforcement actions under Florida's Unfair and Deceptive Trade Practices Act for any statutory violations
- Burden of proof change: moving the statute to FDUTPA and away from the criminal code lowers the government's burden of proof
34 FL Information Protection Act: Implications for Healthcare Providers
- Civil penalties could be imposed in the amount of $1,000 per day for the first 30 days, and $50,000 for each subsequent 30-day period.
- Potential significant effect on Florida health care providers: currently HIPAA-covered entities have 60 days to notify individuals of a health information breach and may be able to avoid sending notice if they demonstrate that it is unlikely the information has been compromised. However, under FIPA, to avoid notifying the patient, a health entity first has to consult with law enforcement.
- The statute does state that notice provided in accordance with federal rules is deemed to be in compliance. That may help in situations where HIPAA does not require notice because there is a low probability that the information has been compromised.
- HIPAA-covered entities in Florida will need to update their breach policies to ensure compliance. This is a good time to strengthen existing privacy and security policies.
- Keep in mind that many entities that have PHI but are not HIPAA-covered entities will now have security compliance standards to follow. If your business has PHI (or PII) but is not a covered entity, FIPA may force you to significantly alter your business processes.
35 HIPAA vs. FIPA Confusion?
- FIPA requires that affected individuals be notified of the breach within thirty (30) days, much more stringent than the sixty (60) day HIPAA requirement for breach notification
- FIPA provides an exception: notify individuals in accordance with the HIPAA rules
- What does this mean?
36 Florida Litigation
37 Carsten v. University of Miami: Theories in Complaint
- Negligence: breach of duty to protect and safeguard personal information and to provide timely notice of breach of unencrypted PII
- Willful violation of the federal Fair Credit Reporting Act: willful failure to maintain protections to protect consumer report information
- Negligent violation of the federal Fair Credit Reporting Act
- Violation of the Florida Deceptive and Unfair Trade Practices Act: UM held itself out as providing a secure online environment and protecting PII
38 Carsten v. University of Miami: Settlement Agreement
- UM pays up to a total of $100,000 for all valid claims submitted
- UM pays up to $90,000 for attorneys' fees, costs, expenses
- UM pays $1,500 incentive award to lead plaintiff
- Designate Security Program lead to oversee PHI security
- Perform risk assessment 1 year, 3 years, and 5 years after settlement date
- Implement security measures to minimize risk to PHI
- Use reasonable measures to select and retain vendors capable of maintaining security of PHI
- No admission of wrongdoing by UM
39 Curry v. AvMed (again): Theories in Complaint
- Negligence: breached duty to safeguard sensitive information
- Breach of Contract: contractual obligation to comply with HIPAA and protect sensitive information
- Breach of Implied Contracts: implied contract obligating AvMed to protect information
- Breach of Implied Covenant of Good Faith/Fair Dealing: breach of obligation to follow HIPAA
- Restitution/Unjust Enrichment: portion of monthly premiums was used for data security and AvMed failed to adopt data management and security measures mandated by industry standards
- Negligence Per Se: violation of
- Breach of Fiduciary Duty: AvMed was guardian of members' sensitive information
40 Faircloth v. Adventist Health Syst.
- Lawyer referral services and chiropractors paid ER intake staff at hospital to access the hospital system's database to identify patients who presented to the hospital after being injured in car accidents
- Hospital employees involved in the scheme were not authorized to access the sensitive information of all of these patients
Theories in Complaint:
- Breach of Contract
- Breach of Implied Contract
- Restitution/Unjust Enrichment
- Breach of Fiduciary Duty
41 Faircloth v. Adventist Health Syst.: Case is Dismissed by Federal Court
- Court finds there is no subject matter jurisdiction: claims are state law claims, and invoking violations of HIPAA does not confer federal jurisdiction; a state law claim in which HIPAA is implicated as part of an element does not arise under federal law
- HIPAA does not provide a private right of action
42 What Does the Future Hold?
- More litigation/enforcement from more sources: OCR; FTC; State AGs enforcing HIPAA and state privacy laws; class actions in state and federal courts
- Greater risk for covered entities, business associates, and subcontractors
- Covered entities will look to business associates/subcontractors who are the cause of a data breach
- Better protection of the privacy and security of PHI?????
43 What To Do?
44 Prepare for HIPAA Audits
- Perform and document risk analysis as required by the Security Rule (and update periodically)
- Implement written policies and procedures to address risks identified in the analysis
- Make sure all HIPAA policies are up-to-date, i.e., satisfy the Omnibus Rule
- Make sure breach analysis and breach notification policies are current
- Identify all business associates and update your BAAs
- DOCUMENT, DOCUMENT, DOCUMENT!
45 An Ounce of Prevention....
- Keep current with emerging technologies and threats
- Train your employees about the importance of data security (paper and electronic). Train again!
- Insure against the risk: cyber risk insurance
- Have a breach response plan in place before something happens; identify potential vendors in advance
46 And don't forget FIPA
- Evaluate your current policies and security measures for electronic personal information and update them as necessary
- Develop new policies or update existing policies for identifying breaches and providing appropriate notification to affected individuals
- Ensure that your company is using proper methods to destroy or dispose of personal information
47 And don't forget FIPA, Part 2
- Review and update your agreements with third party agents who maintain or transmit electronic personal information to address the new requirements of , Florida Statutes, regarding notification of breaches suffered by the third party agent and what precautions the third party agent takes to safeguard and properly destroy data
- Review your liability policies to determine what coverage is available in the event of a breach. The cost to respond to a data breach continues to climb and many insurers are revising their CGL policies to exclude coverage for data breaches. Separate cyber liability policies are available in the marketplace.
More informationThe Evolving Legal Framework Regulating Commercial Data Security Standards
The Evolving Legal Framework Regulating Commercial Data Security Standards By Bret Cohen Late one evening in December 2010, an employee of a commercial blood bank left his office with four backup tapes
More informationThe HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.
The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP
More informationYou Probably Don t Even Know
You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
View the online version at http://us.practicallaw.com/7-523-1520 Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation MELISSA J. KRASNOW, DORSEY & WHITNEY LLP
More informationWritten Information Security Programs: Compliance with the Massachusetts Data Security Regulation
Written Information Security Programs: Compliance with the Massachusetts Data Security Regulation Melissa J. Krasnow, Dorsey & Whitney LLP A Note discussing written information security programs (WISPs)
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationUniversity Healthcare Physicians Compliance and Privacy Policy
Page 1 of 11 POLICY University Healthcare Physicians (UHP) will enter into business associate agreements in compliance with the provisions of the Health Insurance Portability and Accountability Act of
More informationEthics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015
Ethics, Privilege, and Practical Issues in Cloud Computing, Privacy, and Data Protection: HIPAA February 13, 2015 Katherine M. Layman Cozen O Connor 1900 Market Street Philadelphia, PA 19103 (215) 665-2746
More informationPhilip L. Gordon, Esq. Littler Mendelson, P.C.
Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationBusiness Associate Agreement Involving the Access to Protected Health Information
School/Unit: Rowan University School of Osteopathic Medicine Vendor: Business Associate Agreement Involving the Access to Protected Health Information This Business Associate Agreement ( BAA ) is entered
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationPrivacy Legislation and Industry Security Standards
Privacy Legislation and Issue No. 3 01010101 01010101 01010101 Information is generated about and collected from individuals at an unprecedented rate in the ordinary course of business. In most cases,
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationMinnesota False Claims Act
Minnesota False Claims Act (Minn. Stat. 15C.01 to.16) i 15C.01 DEFINITIONS Subdivision 1. Scope. --For purposes of this chapter, the terms in this section have the meanings given them. Subd. 2. Claim.
More informationHIPAA Happenings in Hospital Systems. Donna J Brock, RHIT System HIM Audit & Privacy Coordinator
HIPAA Happenings in Hospital Systems Donna J Brock, RHIT System HIM Audit & Privacy Coordinator HIPAA Health Insurance Portability and Accountability Act of 1996 Title 1 Title II Title III Title IV Title
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationSigned into law on February 17, 2009, the Stimulus Package known
Stimulus Package Expands HIPAA Privacy and Security and Adds Federal Data Breach Notification Law Marcy Wilder, Donna A. Boswell, and BarBara Bennett The authors discuss provisions of the Stimulus Package
More informationHIPAA & HITECH AND THE DISCOVERY PROCESS
HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationHIPAA compliance audit: Lessons learned apply to dental practices
HIPAA compliance audit: Lessons learned apply to dental practices Executive summary In 2013, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 Omnibus Rule put healthcare providers
More informationCyber Liability. AlaHA Annual Meeting 2013
Cyber Liability AlaHA Annual Meeting 2013 Disclaimer We are not providing legal advise. This Presentation is a broad overview of health care cyber loss exposures, the process in the event of loss and coverages
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationPrivacy Law Basics and Best Practices
Privacy Law Basics and Best Practices Information Privacy in a Digital World Stephanie Skaff sskaff@fbm.com What Is Information Privacy? Your name? Your phone number or home address? Your email address?
More informationCovered Entities and Business Associates: An Evolving Relationship
Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider
More informationHIPAA and Privacy Policy Training
HIPAA and Privacy Policy Training July 2015 1 This training addresses the requirements for maintaining the privacy of confidential information received from HFS and DHS (the Agencies). During this training
More informationProvided By Touchstone Consulting Group Workers Compensation Employer Penalties
Provided By Touchstone Consulting Group Workers Compensation Employer New Jersey s workers compensation laws determine the benefits available to employees who are injured in the course and scope of employment.
More informationHIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act
International Life Sciences Arbitration Health Industry Alert If you have questions or would like additional information on the material covered in this Alert, please contact the author: Brad M. Rostolsky
More informationAnnual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010
Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)
More informationRepresenting Whistleblowers Nationwide
Minnesota False Claims Act Minnesota Stat. 15C.01 to 15C.16) 15C.01 DEFINITIONS Subdivision 1. Scope. --For purposes of this chapter, the terms in this section have the meanings given them. Subd. 2. Claim.
More informationLessons Learned from Recent HIPAA and Big Data Breaches. Briar Andresen Katie Ilten Ann Ladd
Lessons Learned from Recent HIPAA and Big Data Breaches Briar Andresen Katie Ilten Ann Ladd Recent health care breaches Breach reports to OCR as of February 2015 1,144 breaches involving 500 or more individual
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT is made and entered into as of the day of, 2013 ( Effective Date ), by and between [Physician Practice] on behalf of itself and each of its
More informationHow To Understand And Understand The Benefits Of A Health Insurance Risk Assessment
4547 The Case For HIPAA Risk Assessment Leader s Guide IMPORTANT INFORMATION FOR EDUCATION COORDINATORS & PROGRAM FACILITATORS PLEASE NOTE: In order for this program to meet Florida course requirements,
More informationHIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014
HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More informationHIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help
HIPAA Omnibus Compliance How A Data Loss Prevention Solution Can Help The Health Information Portability and Accountability Act (HIPAA) Omnibus Rule which will begin to be enforced September 23, 2013,
More informationAnatomy of a Hotel Breach
Page 1 of 6 Anatomy of a Hotel Breach Written by Sandy B. Garfinkel Monday, 09 June 2014 15:22 Like 0 Tweet 0 0 Data breach incidents have dominated the news in 2014, and they are only becoming more frequent
More informationHackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable. Data Breaches Are All Too Common
Hackers, Slackers & Packers: Preventing Data Loss & Dealing with the Inevitable Steven J. Fox (sjfox@postschell.com) Peter D. Hardy (phardy@postschell.com) Robert Brandfass (BrandfassR@wvuh.com) (Mr. Brandfass
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationwhat your business needs to do about the new HIPAA rules
what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or
More informationHIT Audit Workshop. Jeffrey W. Short. jshort@hallrender.com
HIT Audit Workshop Jeffrey W. Short jshort@hallrender.com 1 Audits and Investigations to be Discussed Meaningful Use Audits HIPAA Audits Data Breach Investigations Software Vendor Audits FTC Investigations
More informationHHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
More informationBusiness Associates, HITECH & the Omnibus HIPAA Final Rule
Business Associates, HITECH & the Omnibus HIPAA Final Rule HIPAA Omnibus Final Rule Changes Business Associates Marissa Gordon-Nguyen, JD, MPH Health Information Privacy Specialist Office for Civil Rights/HHS
More informationData Breach, Electronic Health Records and Healthcare Reform
Data Breach, Electronic Health Records and Healthcare Reform (This presentation is for informational purposes only and it is not intended, and should not be relied upon, as legal advice.) Overview of HIPAA
More informationHealth Information Privacy Refresher Training. March 2013
Health Information Privacy Refresher Training March 2013 1 Disclosure There are no significant or relevant financial relationships to disclose. 2 Topics for Today State health information privacy law Federal
More information