HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013
Slide 1: HIPAA Compliance: The Time Is Now. Changes on the Horizon: The Final Regulations on Privacy and Security (May 7, 2013)

Slide 2: Presenters
- James Clay, President, Employee Benefits & HR Consulting, The Miller Group
- Julia M. Vander Weele, JD, Partner, Spencer Fane Britt & Browne

Slide 3: Introduction
- Meeting the Increased Requirements of Benefit Compliance
- Documentation and Records
- HIPAA Privacy Final Regulations
- Confidentiality and HIPAA Privacy Requirements
- Miller as a Committed Partner

Slide 4: Miller Group and Confidentiality
- Need for Security and Confidentiality
- HIPAA Privacy Requirements for Clients
- HIPAA Privacy Requirements for Miller Group
- Business Associate Agreements (BA or BAA)
- Miller Privacy Official: James Clay

Slide 5: Miller Group and Business Associate Agreements (BA or BAA)
(Diagram of BA relationships; parties shown: Insurance Carriers, Plan Sponsor?, Self-Insured Plans, Insured Plans, Self-Insured TPAs/vendors, Downstream BAs (IT), Individuals, Other Service Providers (COBRA))

Slide 6: Evolution of HIPAA Privacy and Security Rules
- Health Insurance Portability and Accountability Act ("HIPAA") (1996)
- Privacy Rule: April 14, 2003; applicable to all protected health information
- Security Rule: April 20, 2005; specific to electronic PHI
- HITECH Act: February 17, 2010
- Final Rule: January 25, 2013

Slide 7: Covered Entities
- Health care providers (who conduct electronic transactions)
- Health plans
- Health care clearinghouses
- Not employers (relationship to health plan)
- Not business associates, BUT under HITECH:
  - Indirect liability under Privacy Rule (for breach of business associate agreement)
  - Direct liability under Security Rule

Slide 8: What's a Health Plan?
- Medical, Dental, Vision, Health Care Flexible Spending Accounts
- Maybe Employee Assistance Programs
- Not Workers' Compensation, Long-term Disability, Life Insurance, or On-site Medical Clinics
- Not employer functions such as FMLA, drug testing, sick leave, return-to-work physicals, ADA, OSHA, fitness for duty
  - However, the employer may need authorization to obtain records from a provider

Slide 9: What's Protected Health Information?
- Protected Health Information ("PHI") = individually identifiable health information relating to past, present or future health or payment for health care
- Includes not only claims information, but name, address, premiums, coverage amounts, etc.
- Does not include employment records held in the capacity of employer
- Privacy protections apply to PHI for 50 years after the death of an individual

Slide 10: Primary Privacy Standards
- Do not use or disclose PHI unless an exception applies
- Disclose or request only the minimum required amount of information
- Establish safeguards to prevent and minimize incidental disclosures
- Obtain assurances from business associates of their compliance and assistance

Slide 11: Permitted Uses and Disclosures
- To the Individual or Personal Representative
- To a Person Involved in the Individual's Care
- For Treatment, Payment or Health Care Operations
- For Public Responsibility purposes
- Otherwise, need an Authorization

Slide 12: Safeguards
- Must be reasonably designed to minimize incidental disclosures
- People
  - Access to PHI limited to those who need the information in connection with job duties performed for benefit plans
  - Do not disclose PHI to other employees whose duties do not require access to PHI
- Paper
  - Don't leave in plain view
  - Sealed envelopes
  - Promptly remove printed material from printers

Slide 13: Safeguards (continued)
- Fax: designated fax machines; distribute promptly; disclaimer
- Phone: verify identity and authority; no speakerphones / low voices
- Storage: lock, put away, or cover
- Destruction: shred

Slide 14: Notice of Privacy Practices: Individual Rights
- Request additional restrictions
- Receive information by alternative means or at alternative locations ("confidential communications")
- Obtain access to information
- Correct erroneous information
- Obtain accounting of prior disclosures

Slide 15: Administrative Requirements
- Privacy Officer
- Train workforce on privacy and security issues (new hires and periodic refreshers)
- Establish complaint process (with Department of Health and Human Services); no retaliation
- Apply sanctions for violations
- Mitigate harmful effects of violations, and potentially notify affected individuals if breach of unsecured PHI (see next slide)
- Document retention (6 years)

Slide 16: Disclosures to Employer
- Summary health information okay (for purposes of renewal)
- Enrollment information (for purposes of payroll deduction)
- To disclose any other PHI to employer, plan documents must contain specific privacy protections ("firewalls")
- Employer may not use PHI to make employment-related decisions or for other benefit plans

Slide 17: Self-Funded vs. Fully-Insured
- Self-Funded Plans: full set of Privacy Rule requirements apply
- Insured Plans
  - "Hands-on" = Plan Sponsor receives PHI in addition to summary health information and participation information
    - Must maintain a Privacy Notice and provide it upon request
  - "Hands-off" = Plan Sponsor does not receive PHI other than summary health information and participation information
    - No Privacy Notice
    - No Administrative Requirements except retaliation and waiver
- NO exemption from Security Rule requirements

Slide 18: Summary of Changes in Final Rule
- Notification of breach standard
- Business associates and subcontractors
- Notice of privacy practices
- Individual rights: right to access
- Civil monetary penalties and enforcement

Slide 19: Effective Dates
- General effective date for most provisions is September 23, 2013
- One-year transition rule for business associate agreements (to the earlier of contract renewal/modification or September 22, 2014), only if:
  - in existence before January 25, 2013, AND
  - agreement complied with HIPAA rules in effect on that date, AND
  - contract not modified or renewed between March 26, 2013 and September 23, 2013

Slide 20: Notification of Breach
- New requirement as part of HITECH
- Applies to unsecured PHI that is accessed, acquired, or disclosed by or to an unauthorized person as a result of a breach
- Must notify affected individuals and the Department of HHS in the event of a breach

Slide 21: Definition of Breach
- Old standard: significant risk of financial, reputational, or other harm to the individual
- New standard: presumption of breach unless a risk assessment demonstrates a low probability that PHI has been compromised
  - Four-factor risk assessment must be documented
  - Burden shifted to covered entity or business associate to show that notice is not required

Slide 22: Breach Notification Risk Assessment
- Nature and extent of PHI involved
- Identity of the unauthorized user or recipient
- Whether the PHI was actually acquired or viewed
- Extent to which the risk to PHI has been mitigated

Slide 23: Business Associates: Business Associate Definition
- Old definition: person or organization who performs functions/activities on behalf of, or provides services to, a covered entity which involve creation, use or disclosure of individually identifiable health information
- New definition: person or organization who creates, receives, maintains, or transmits PHI on behalf of a covered entity
- Broader definition; even if not required to access PHI to perform services, a BA relationship exists if there is persistent ability to access PHI (e.g., data storage providers)

Slide 24: Business Associates: Liability of Business Associates prior to HITECH
- No direct application of HIPAA privacy or security rules, so no civil or criminal penalties could be assessed on BAs
- Potential liability to covered entity (if BA agreement included indemnification), but generally the covered entity's only recourse is the right to terminate the agreement upon the BA's breach and failure to cure
- Covered entity not liable for acts of BA if it had no knowledge of violations or it took reasonable steps to end the violations

Slide 25: Business Associates under HITECH
- Now directly subject to the HIPAA Security Rules in the same manner as covered entities
- Also subject to civil and criminal penalties for failure to adhere to the Privacy provisions in the Business Associate agreement
- New: covered entity is liable for acts of BA if BA is acting as agent of covered entity

Slide 26: Business Associate Agreements
May need to amend existing business associate agreements to reflect:
- Direct liability for Security Rule compliance
- Breach notification requirements
- Contractual obligations with respect to subcontractors
- Obligation to comply with Privacy Rule provisions in the agreement
Sample provisions available on HHS website at: eredentities/contractprov.html

Slide 27: Subcontractors
- Subject to the same requirements as business associates if they create, receive, maintain, or transmit PHI on behalf of a BA
- Subcontractor = a person to whom a BA delegates a function, activity, or service
- Must have BA agreement
- Same duties as covered entity with respect to monitoring
  - Reasonable steps to cure or end violation
  - New: requirement to notify HHS removed

Slide 28: Notice of Privacy Practices
Health plans must update the privacy notice to include:
- Statement that the plan must obtain authorization to use or disclose psychotherapy notes, to use PHI for marketing purposes, or to sell PHI
- Statement that the plan will not use or disclose PHI for any purpose not described in the notice
- Statement that the plan is prohibited from using PHI that is genetic information for underwriting purposes (if PHI is used for underwriting purposes)
- Right to receive a notice when there is a breach of unsecured PHI
- Right to receive an electronic copy of PHI

Slide 29: Notice of Privacy Practices: Delivery and Timing
- Changes are considered material, so the notice must be provided within 60 days of the change (September 23, 2013)
- If the plan has its own website:
  - Post the material change or revised notice on the website by September 23, 2013, and
  - Provide the revised notice, or information about the material change and how to obtain the revised notice, in the next annual mailing (e.g., open enrollment)

Slide 30: Individual Rights - Access
- Maintained in designated record set
- CE must provide access in the electronic form and format requested (if readily producible)
- If not readily producible, in a machine-readable format (e.g., MS Word, Excel, text, HTML, PDF)
- Provide within 30 days (additional 30-day extension permitted)

Slide 31: Security Rule
(Diagram) Standards: Administrative, Physical, Technical. Implementation Specifications: Required, Addressable.

Slide 32: Administrative Safeguards
- Security Management Process
  - Risk Analysis (A)
  - Risk Management (R)
  - Sanctions (R)
  - Information System Activity Review (sign-on/sign-off activity; unsuccessful logon attempts) (R)
- Security Officer (R)
- Workforce Security
  - Authorization and/or Supervision (A)
  - Workforce Clearance Procedures (background checks) (A)
  - Termination Procedures (disable user ID and password) (A)
- Information Access Management
  - Access Authorization (controlled by user ID and password) (A)
  - Access Establishment and Modification (A)

Slide 33: Security Rule Safeguards
- Security Awareness and Training
  - Security Reminders (training) (A)
  - Protection from Malicious Software (anti-virus software/firewall) (A)
  - Log-in Monitoring (report suspicious activity) (A)
  - Password Management (change periodically?) (A)
- Security Incident Procedures (Response and Reporting) (R)
- Contingency Plans
  - Data Backup (nightly? weekly?) (R)
  - Disaster Recovery (R)
  - Emergency Mode Operation (R)
  - Testing and Revision Procedures (A)
  - Applications and Data Criticality Analysis (A)
- Evaluation

Slide 34: Physical Safeguards
- Facility Access
  - Contingency Operations (A)
  - Facility Security Plan (badge readers, alarm system) (A)
  - Access Control and Validation Procedures (escort visitors) (A)
  - Maintenance Records (A)
- Workstation Use (automatic screensavers)
- Workstation Security (shut-down procedures); also applies to remote workstations
- Device and Media Controls
  - Disposal (delete or purge PHI first) (R)
  - Media Re-use (delete or purge PHI first) (R)
  - Accountability (A)
  - Data Backup and Storage (A)

Slide 35: Technical Safeguards
- Access Controls
  - Unique User Identification (do not share user IDs or passwords) (R)
  - Emergency Access Procedure (R)
  - Automatic Logoff (mandatory screensavers and shut-down procedures) (A)
  - Encryption and Decryption (alternative: passwords for Blackberrys and laptops) (A)
- Audit Controls
- Data Integrity
- Person or Entity Authentication
- Transmission Security
  - Integrity Controls (A)
  - Encryption and Decryption (for e-mails or file transfers containing PHI) (A)

Slide 36: Civil Monetary Penalties
Final rule adopts the higher penalties for violations as proposed under HITECH:
- Penalty for violations where the covered entity did not know and would not have known through exercise of reasonable diligence is at least $100 per violation (maximum of $50,000)
- Penalty for violations due to reasonable cause is at least $1,000 per violation (maximum of $50,000)
- Violations due to willful neglect are subject to a penalty of $10,000-$50,000 per violation (if corrected) and $50,000 per violation (if not corrected)
- Maximum penalty for single-count violations is $1.5 million; potentially much higher penalties for multiple-count violations
  - E.g., a security breach may constitute both an impermissible use/disclosure and a violation of the requirement to institute appropriate safeguards (up to $3 million)
- Correction of a violation within 30 days may reduce or eliminate the penalty if the violation was not due to willful neglect

Slide 37: Enforcement
- Business associates subject to penalties for violation of provisions directly applicable to BAs
- New: HHS must investigate a complaint or conduct a compliance review whenever a preliminary review indicates a possible violation due to willful neglect
- CEs and BAs liable for acts of agents even if there is no business associate agreement

Slide 38: Enforcement
- February 22, 2011: HHS imposed a $4.3M penalty against Cignet Health of Prince George's County, Maryland
  - Cignet failed to respond to patients' requests for access to medical records
  - Cignet failed/refused to cooperate in HHS's investigation

Slide 39: Enforcement
- Two days later, Massachusetts General Hospital entered into a $1M settlement with HHS
  - An employee left paper records containing the PHI of 192 patients, including patients with HIV/AIDS, on the subway
  - The hospital did not admit liability and did not pay a penalty

Slide 40: Enforcement
- January 2013: first HIPAA breach settlement involving fewer than 500 patients
- Hospice of North Idaho (HONI) agreed to pay HHS $50,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule
- The investigation followed a breach report submitted by HONI reporting the theft of a laptop computer containing the electronic PHI of 441 patients
- HHS concluded that HONI had not conducted a risk analysis to safeguard ePHI and did not have in place policies or procedures to address mobile device security as required by the HIPAA Security Rule

Slide 41: Next Steps
- Review and update notice of privacy practices
- Review and update privacy and security policies and procedures
- Review and amend business associate agreements if necessary
- Provide updated training to workforce

Slide 42: What Else?
- HHS required to annually evaluate suitable security protections, develop plans to improve compliance, and conduct periodic audits
- Plan sponsors should conduct periodic privacy and security reviews to keep up with HHS guidance
- Revise policies/procedures as technology improves and becomes more affordable

Slide 43: Miller Group Activities
- Complete Security and IT Audit from Outside Party
- Review of Upstream and Downstream Business Associate Agreements
- Assignment of New Privacy Officer and Security Officer
- New Revised Business Associate Agreements
- Training for Associates
- Update Training for Clients

Slide 44: Questions?

Slide 45: Contact Information
- James Clay, President, Employee Benefits & HR Consulting, The Miller Group
- Julia M. Vander Weele, JD, Partner, Spencer Fane Britt & Browne
HIPAA Compliance (DSHS and HCA) Preamble: This section of the Contract is the Business Associate Agreement as required by HIPAA. 1. Definitions. a. Business Associate, as used in this Contract, means the
More informationHIPAA Compliance Review
HIPAA Compliance Review For HR and IT Presented by: Linda Railton, PHR HR Consultant Leavitt Group linda.railton@leavitt.com Discussion Points HIPAA Final Rule (effective March 26, 2013) Overview of HIPAA
More informationTHE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE
THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationHIPAA Training Study Guide July 2015 June 2016
Contents HIPAA Overview... 2 Who must comply?... 2 Privacy Standard... 3 Protected Health Information (PHI)... 3 Minimum Necessary Rule... 4 Requests for PHI... 5 Acceptable PHI Releases... 5 Special Circumstances...
More informationAppendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice
Appendix 4-2: Administrative, Physical, and Technical Safeguards Breach Notification Rule How Use this Assessment The following sample risk assessment provides you with a series of sample questions help
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationHIPAA for Business Associates
HIPAA for Business Associates February 11, 2015 Teresa D. Locke This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The
More informationAm I a Business Associate?
Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have
More informationOCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationAVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE
AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE This Notice of Privacy Practices describes the legal obligations of Ave Maria University, Inc. (the plan ) and your legal rights regarding your protected health
More informationHIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH
HIPAA Security Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH What is this? Federal Regulations August 21, 1996 HIPAA Became Law October 16, 2003 Transaction Codes and Identifiers
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationHIPAA: In Plain English
HIPAA: In Plain English Material derived from a presentation by Kris K. Hughes, Esq. Posted with permission from the author. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationHIPAA Security. 1 Security 101 for Covered Entities. Security Topics
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More informationState HIPAA Security Policy State of Connecticut
Health Insurance Portability and Accountability Act State HIPAA Security Policy State of Connecticut Release 2.0 November 30 th, 2004 Table of Contents Executive Summary... 1 Policy Definitions... 3 1.
More informationUnderstanding HIPAA Regulations and How They Impact Your Organization!
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
More informationHIPAA PRIVACY AND SECURITY AWARENESS. Covering Kids and Families of Indiana April 10, 2014
HIPAA PRIVACY AND SECURITY AWARENESS Covering Kids and Families of Indiana April 10, 2014 GOALS AND OBJECTIVES The goal is to provide information to you to promote personal responsibility and behaviors
More informationTable of Contents INTRODUCTION AND PURPOSE 1
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ( HIPAA ) COMPLIANCE PROGRAM Adopted December 2008: Revised February 2009, May, 2012, and August 2013 Table of Contents INTRODUCTION AND PURPOSE
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationBreaches. Complying with the HIPAA Omnibus Final Rule. Important Definitions. Protected Health Information Includes HIPAA PRIVACY 3/2/2014
Breaches Complying with the HIPAA Omnibus Final Rule You Can Be Successful! Advocate Medical Group in Chicago had 4 desktop computers taken in a burglary that contained the personal information of over
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationImplementation Business Associates and Breach Notification
Implementation Business Associates and Breach Notification Tony Brooks, CISA, CRISC, Tony.Brooks@horne-llp.com Clay J. Countryman, Esq., Clay.Countryman@bswllp.com Stephen M. Angelette, Esq., Stephen.Angelette@bswllp.com
More informationHIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013
HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013 Federal and Texas Privacy & Security Requirements Minimizing Your Risk of Violations DISCLAIMER The information contained in this document
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationIt s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing?
It s a New Regulatory Landscape: Do You Know Where Your Business Associates are and What They are Doing? The AMC Privacy & Security Conference Series Securely Connecting Communities for Improved Health
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT THIS HIPAA BUSINESS ASSOCIATE AGREEMENT ( BAA ) is entered into effective the day of, 20 ( Effective Date ), by and between the Regents of the University of Michigan,
More information