HIPAA Enforcement. Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services. December 18, 2013
|
|
- Kristopher McBride
- 8 years ago
- Views:
Transcription
1 Office of the Secretary Office for Civil Rights () HIPAA Enforcement Emily Prehm, J.D. Office for Civil Rights U.S. Department of Health and Human Services December 18, 2013
2 Presentation Overview s investigative process Tips for working with during an investigation s recent enforcement activities 2
3 Investigative Process 3
4 Investigation Steps Notice letter is issued to Covered Entity Response is received from Covered Entity analyzes response to determine whether more data/information/interviews are needed makes a compliance determination 4
5 Resolutions by Year and Type April 14, 2003 December 31,
6 Annual Enforcement Results January 1, 2012 December 31,
7 Methods of Enforcement When determines from its investigation of the allegations raised in a Privacy Rule complaint or through a compliance review that a covered entity may well have violated the Privacy Rule and/or the Security Rule, has various means of enforcement at its command. If feasible, usually seeks voluntary compliance. Voluntary compliance often involves the covered entity changing its policies and procedures, retraining personnel, and sanctioning the members of its workforce who violated the Privacy or Security Rules. 7
8 Methods of Enforcement If determines that the conduct involved warrants some sort of penalty even if voluntary compliance is forthcoming, may seek to have the covered entity enter into a Resolution Agreement and Corrective Action Plan as well as pay a resolution amount. This method is often used when the problems identified by are systemic. If either determines that the conduct involved is so serious or if the covered entity is adamant in its refusal to cooperate in the investigation or resolution of the problem, will assess a Civil Money Penalty (CMP). 8
9 HIPAA Compliance/Enforcement (As of December 31, 2012) TOTAL (since 2003) Complaints Filed 77,200 Cases Investigated 27,500 Cases with Corrective Action 18,600 Civil Monetary Penalties & Resolution Agreements (since 2008) $14.9 million 8
10 What is a Resolution Agreement? A settlement agreement between HHS and covered entity It incorporates a Corrective Action Plan which: Generally lasts for one to three years; Requires the covered entity to prepare new policies and procedures, subject to HHS approval; Generally requires improved training; and Requires monitoring of implementation and compliance Includes payment of a resolution amount 10
11 What is a Resolution Agreement? A Resolution Agreement and Corrective Action Plan do not constitute: A formal finding of facts A formal finding of a violation An admission by the covered entity A Resolution Amount is not a civil monetary penalty, fine, or other formal penalty. Because a Resolution Agreement is an informal resolution into which the covered entity enters in lieu of administrative litigation: The covered entity has no right to formal process or an administrative hearing 11
12 How does RA/CAP Differ from Other Types of Informal Resolution? Usually investigations in which there are indications of noncompliance are concluded when: The covered entity completes certain voluntary compliance actions to the satisfaction of ; and notifies the complainant and the covered entity in writing of the resolution result. The Resolution Agreement/Corrective Action Plan approach is generally designed for cases with systemic issues where entity-wide change in policy and procedures and in the internal emphasis placed on the issue is needed to ensure compliance. 12
13 Recent Enforcement Actions
14 Recent Enforcement Actions HITECH has allowed the Secretary to impose significantly increased penalty amounts for violations of the HIPAA rules and encouraged prompt corrective action. Implementation of HITECH Act enforcement has strengthened the HIPAA protections and rights related to an individual s health information. This strengthened penalty scheme will encourage covered entities and business associates to comply with the HIPAA Privacy and Security and HITECH requirements.
15 Facts of Providence Health and Services Case Electronic protected health information ("ephi") left unattended overnight in the personal vehicle of an employee and was stolen. The employee took the disks and tapes pursuant to a practice followed at the time by the CE s Information Staff with the knowledge of some of the CE s managers. The ephi on the tapes and disks was not encrypted laptops containing ephi were left unattended and were stolen from workforce members on 4 separate occasions The e-phi on the stolen laptops was not encrypted. 15
16 Providence Investigation The investigation was triggered by 31 complaints submitted to and the Centers for Medicare and Medicaid Services (CMS). The complaints were merged into a joint compliance review by CMS and. It was determined that the practices of the Providence entities created systemic vulnerabilities that led to massive losses of e-phi. Providence was cooperative throughout the investigation. Providence executed a Resolution Agreement and Corrective Action Plan in July
17 Indications of Noncompliance in the Providence Resolution Agreement cited the following indications of noncompliance in the Resolution Agreement: Electronic PHI was not encrypted or otherwise properly safeguarded by Providence. Backup tapes, optical disks, and laptops, all containing unencrypted e-phi, were removed from the Providence premises by members of the Providence workforce and left unattended in vehicles. Portable media and laptops were lost or stolen, compromising the e-phi of over 386,000 patients. Providence management knew of such practices, but allowed them to continue. 17
18 Actions to Settle Providence Case Providence paid a $100,000 resolution amount. Providence s Corrective Action Plan provided: 1. Providence would revise its policies and procedures, subject to approval, by: Adopting new risk assessment and risk management tools Improving physical and technical safeguards (e.g., encryption) for off-site transport and storage of electronic media containing PHI 2. Providence would train its workforce members on electronic and other safeguards for PHI. 3. Providence would conduct internal audits and site visits of facilities to determine compliance with the Corrective Action Plan. 4. Providence would Submit implementation report and annual reports to HHS for period of three years. 18
19 Lessons Learned Effective compliance means more than just written policies and procedures. Corporate management of covered entities need to continuously monitor implementation of privacy and security policies and practices. HHS is willing to work with cooperative entities to implement effective changes to ensure that consumers are protected. Covered entities need to ensure that these efforts include: Effective privacy and security staffing Adequate employee training on privacy and security issues Physical and technical implementation in an effective manner 19
20 Cignet Health Care Over a two-year period, 41 individuals complained to that Cignet had ignored their requests for access to their health records Cignet failed to respond to s investigation or provide copies of the patients records
21 CMP of $4.3 Million Levied Civil Money Penalty of $1.3 million attributable to failure to provide individuals access to their health records Penalty of $3 million for failure to respond to demands to produce records and failure to cooperate with s investigation
22 Massachusetts General Hospital Employee, who had taken patient files home, left the folders on the subway train and they were never recovered Investigation initiated after media reports of incident and a complaint from an individual whose PHI was lost Settled with through Resolution Agreement and corrective action plan $1 million resolution amount MGH required to actively monitor its compliance with the Corrective Action Plan through use of an internal monitor
23 Management Services Organization of Washington MSO disclosed ephi to an affiliated company without a valid authorization, so that the affiliate could market Medicare Advantage plans to those individuals MSO had not developed or implemented appropriate and reasonable administrative, technical, and physical safeguards to protect ephi Separate agreements with DOJ and OIG to settle allegations under the Federal False Claims Act
24 Actions to Settle Case $35,000 resolution amount to Corrective Action Plan Develop and implement policies & procedures to demonstrate compliance with the Privacy and Security Rules Train workforce members Conduct internal monitoring Submit compliance reports to HHS for a period of two years
25 Rite Aid Corporation Series of media reports about personnel disposing of PHI, including labeled pill bottles and prescriptions, in unsecured garbage containers outside of several Rite Aid pharmacy stores $1 million resolution amount Corrective Action Plan 1. Revising, distributing policies & procedures regarding PHI disposal 2. Sanctioning workers who do not follow them 3. Training workforce members 4. Conducting internal monitoring 5. Engaging a third-party assessor to render reports to HHS 6. New internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures 7. Submitting compliance reports to HHS for a period of three years
26 Indications of Non-Compliance in Rite Aid Resolution Agreement Rite Aid policies and procedures for disposal did not reasonably and appropriately safeguard PHI Rite Aid did not maintain sanctions policy for workforce members who failed to safeguard PHI in disposal process Rite Aid did not provide necessary and appropriate training for its workforce regarding disposal of PHI
27 Major 2012 Enforcement Actions BCBS Tennessee ($1.5 M) e-phi stored on servers stolen from deactivated data center after construction/relocation to new facility Reevaluate threats/vulnerabilities to e-phi caused by changing operational environment and manage risk Phoenix Cardiac Surgery ($100K) e-phi disclosed through Internet when provider used third party application hosted in the cloud Business associate agreements required when sharing data with cloud computing service providers Alaska DHSS ($1.7M) Portable storage device stolen from personal vehicle symptomatic of widespread failure to implement program-wide information security safeguards Risk analysis to identify location and safeguards for PHI, training and controls for portable devices
28 Major 2012 Enforcement Actions Massachusetts Eye and Ear Institute ($1.5M) Stolen personal laptop of physician using device as desktop substitute Covered entity had not implemented a program to mitigate identified risks to e-phi Encrypt data stored on end-user devices Hospice of Northern Idaho ($50K) Breach affecting 400 individuals when laptop stolen Provider had not conducted a risk assessment or taken other measures to safeguard e-phi as required by Security Rule Implement security measures to safeguard e-phi 33
29 Major 2013 Enforcement Actions Affinity Health Plan ($1.2 Million) Breach report after CBS news notified Affinity that it had purchased a photocopier previously leased to Affinity which contained ephi on the hard drive - estimated 344,579 individuals affected Affinity failed to delete ephi when it returned multiple leased copiers and failed to incorporate the ephi contained on copier hard drives into its risk analysis Best efforts to retrieve hard drives and implement safeguards WellPoint ($1.7 Million) Breach report that the ephi of 612,402 individuals was accessible to unauthorized persons over the internet WellPoint did not implement administrative and technical safeguards 29
30 Major 2013 Enforcement Actions Shasta Regional Medical Center ($275,000) Compliance review following an LA Times article indication an impermissible disclosure of PHI to the media Senior management impermissibly shared a patient s PHI with the entire staff via an and failed to sanction the workforce members that disclosed that PHI to the media Update policies on safeguarding PHI and training staff; 15 other hospitals under same ownership attest to their understanding of permissible uses and disclosures of PHI Idaho State University ($400,000) Breach reported after the ephi of 17,500 patients was unsecured for 10 months due to disabled firewall protections affecting 29 outpatient clinics. ISU did not apply proper security measures and policies to address risks to ephi and did not have procedures for routine review of IT systems Corrective action plan pertaining to risk management and information system activity review to detect problems sooner 30
31 A Culture of Compliance In light of 's clearly articulated intention to aggressively enforce the HIPAA Privacy and Security Rules, covered entities and business associates should review their current HIPAA compliance programs. A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents.
32 Want More Information? The website, offers a wide range of helpful information about health information privacy including educational information, FAQ s, and rule text and guidance for the Privacy, Security, and Breach Notification Rules. 32
33 Region VIII Contact Information U.S. Department of Health and Human Services Office for Civil Rights, Region VIII th Street, South Terrace, Suite 417 Denver, Colorado Emily Prehm Equal Opportunity Specialist
OCR Reports on the Enforcement. Learning Objectives 4/1/2013. HIPAA Compliance/Enforcement (As of December 31, 2012) HCCA Compliance Institute
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationOCR Reports on the Enforcement. Learning Objectives
OCR Reports on the Enforcement of the HIPAA Rules HCCA Compliance Institute April 22, 2013 David Holtzman Sr. Health IT & Privacy Specialist U.S. Department of Health and Human Services Office for Civil
More informationAnnual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010
Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)
More informationDisclaimer 8/8/2014. Current Developments in Privacy and Security Rule Enforcement
Office of the Secretary Office for Civil Rights () Current Developments in Privacy and Security Rule Enforcement Michigan Medical Billers Association Andrew C. Kruley, J.D. Equal Opportunity Specialist
More informationHIPAA WEBINAR HANDOUT
HIPAA WEBINAR HANDOUT OCR Enforcement Tools Voluntary corrective action Resolution Agreement and Payment CMPs Referral to DOJ for criminal investigation Resolution Agreements Contract signed by HHS and
More informationHow To Write A Report On The Health Care Privacy And Security Rules Of Health Care For A Patient
Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance For Calendar Years 2011 and 2012 As Required by the Health Information Technology for Economic and Clinical
More informationHIPAA LIAISON MEETING PRESENTAITON. August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer
HIPAA LIAISON MEETING PRESENTAITON August 11, 2015 Leslie J. Pfeffer, BS, CHP University HIPAA Privacy Officer Current State of HIPAA Enforcement Content Contributor Abby Bonjean, Investigator Office for
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationTHE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE
THE HIPAA TANGO CHOREOGRAPHING PRIVACY AND SECURITY UNDER THE FINAL RULE The Speakers Cinda Velasco Attorney, Manager, Privacy Officer Patient Safety and Risk Management Trish Lugtu Senior Manager MMIC
More informationHIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update
HIPAA Omnibus Final Rule Changes Breach Notification & Enforcement Plus An Audit Update OCR / WEDI Webinar Series July 17, 2013 Today s Speakers Verne Rinker, JD, MPH Health Information Privacy Specialist
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationHIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education. September 2014
HIPAA: Breach Notification By: Office of University Counsel For: Jefferson IRB Continuing Education September 2014 Introduction The HIPAA Privacy Rule establishes the conditions under which Covered Entities
More informationSELECT HIPAA PRIVACY AND SECURITY ENFORCEMENT ACTIONS. Current as of December 2015. attorney advertisement
SELECT HIPAA PRIVACY AND SECURITY ENFORCEMENT ACTIONS Current as of December 2015 Five Palo Alto Square, 3000 El Camino Real, Palo Alto, CA 94306 The content of this packet is an introduction to Cooley
More informationHIPAA Compliance: Efficient Tools to Follow the Rules
Bank of America Merrill Lynch White Paper HIPAA Compliance: Efficient Tools to Follow the Rules Executive summary Contents The stakes have never been higher for compliance with the Health Insurance Portability
More informationRaymond: Beyond Basic HIPAA - GSHA Convention 2-28-15 1 HIPAA HIPAA HIPAA. Financial. Carol Ann Raymond, MBA, Ed.S., CCC-SLP
Carol Ann Raymond, MBA, Ed.S., CCC-SLP Associate Clinical Professor/Clinic Director Department of Communication Sciences and Disorders Financial o Employed by the University of Georgia o Non-Financial
More informationHIPAA Update. Presented by: Melissa M. Zambri. June 25, 2014
HIPAA Update Presented by: Melissa M. Zambri June 25, 2014 Timeline of New Rules 2/17/09 - Stimulus Package Enacted 8/24/09 - Interim Final Rule on Breach Notification 10/7/09 - Proposed Rule Regarding
More informationHOW TO REALLY IMPLEMENT HIPAA. Presented by: Melissa Skaggs Provider Resources Group
HOW TO REALLY IMPLEMENT HIPAA Presented by: Melissa Skaggs Provider Resources Group WHAT IS HIPAA The Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104 191, 110 Stat. 1936,
More informationHIPAA Hot Topics. Audits, the Latest on Enforcement and the Impact of Breaches. September 2012. Nashville Knoxville Memphis Washington, D.C.
HIPAA Hot Topics Audits, the Latest on Enforcement and the Impact of Breaches September 2012 Nashville Knoxville Memphis Washington, D.C. Overview HITECH Act HIPAA Audit Program: update and initial results
More informationAre You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style.
Are You Still HIPAA Compliant? Staying Protected in the Wake of the Omnibus Final Rule Click to edit Master title style March 27, 2013 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP
More informationProofpoint HIPAA Breach Report:
Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationYou Probably Don t Even Know
You Probably Don t Even Know That You Need To Comply With HIPAA In Collaboration With: About ERM About The Speaker Stephen Siegel, Esq., Of Counsel, Broad and Cassel Board Certified Health Law Over 25
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationTop HIPAA Hazards and How to Avoid Them
Top HIPAA Hazards and How to Avoid Them HIPAA penalties are getting bigger and bigger, and are almost always issued for inadvertent mistakes. MPA monitors the Office of Civil Rights (OCR) HIPAA enforcements
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationHIPAA Compliance, Notification & Enforcement After The HITECH Act. Presenter: Radha Chanderraj, Esq.
HIPAA Compliance, Notification & Enforcement After The HITECH Act Presenter: Radha Chanderraj, Esq. Key Dates Publication date January 25, 2013 Effective date - March 26, 2013 Compliance date - September
More informationUnderstanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions
Understanding HIPAA Privacy and Security Helping Your Practice Select a HIPAA- Compliant IT Provider A White Paper by CMIT Solutions Table of Contents Understanding HIPAA Privacy and Security... 1 What
More informationSecurity Is Everyone s Concern:
Security Is Everyone s Concern: What a Practice Needs to Know About ephi Security Mert Gambito Hawaii HIE Compliance and Privacy Officer July 26, 2014 E Komo Mai! This session s presenter is Mert Gambito
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationHIPAA Privacy, Security, Breach, and Meaningful Use. CHUG October 2012
HIPAA Privacy, Security, Breach, and Meaningful Use Practice Requirements for 2012 CHUG October 2012 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Standards for Privacy of Individually
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationQ: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption?
Q: How does a provider know if their Email system has encryption? Do big email services (gmail, yahoo, hotmail, etc.) have built-in encryption? A. Most e-mail systems do not include encryption. There are
More informationOutline. Identity Fraud and HIPAA Data Breaches Criminal and Civil Enforcement Efforts Orlando, FL July 30, 2014 7/10/2014
LeadingAge Florida s 50 th Annual Convention and Exposition Identity Fraud and HIPAA Data Breaches Criminal and Civil Enforcement Efforts Orlando, FL July 30, 2014 James Robnett Special Agent in Charge
More informationPresented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102 : What you don t know about the new changes in the law can hurt you! Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) Jack Kolk, CEO of ACR 2 Solutions a information security
More informationHIPAA in an Omnibus World. Presented by
HIPAA in an Omnibus World Presented by HITECH COMPLIANCE ASSOCIATES IS NOT A LAW FIRM The information given is not intended to be a substitute for legal advice or consultation. As always in legal matters
More informationLessons Learned from HIPAA Audits
Lessons Learned from HIPAA Audits October 29, 2012 Tony Brooks, CISA, CRISC Partner - IT Assurance and Risk Services HORNE LLP AGENDA HIPAA/HITECH Regulations Breaches and Fines OCR HIPAA/HITECH Compliance
More informationPhilip L. Gordon, Esq. Littler Mendelson, P.C.
Beyond The Legal Requirements: Key Practical Issues in Negotiating Business Associate Agreements, Responding to a Breach of Unsecured PHI, and Understanding HHS Enforcement Philip L. Gordon, Esq. Littler
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationHIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013
HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com
More informationInformation Security and Privacy. WHAT is to be done? HOW is it to be done? WHY is it done?
Information Security and Privacy WHAT is to be done? HOW is it to be done? WHY is it done? 1 WHAT is to be done? O Be in compliance of Federal/State Laws O Federal: O HIPAA O HITECH O State: O WIC 4514
More informationReporting of HIPAA Privacy/Security Breaches. The Breach Notification Rule
Reporting of HIPAA Privacy/Security Breaches The Breach Notification Rule Objectives What is the HITECH Act? An overview-what is Protected Health Information (PHI) and can I protect patient s PHI? What
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationTHE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT?
THE FINAL OMNIBUS HIPAA RULE: ARE YOU COMPLIANT? Ohio Hospital Association Annual Meeting June 9, 2014 Presented By: Lisa Pierce Reisz Vorys, Sater, Seymour and Pease 614.464.8353 lpreisz@vorys.com Natasha
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More information2010 HIPAA Security Environment
2010 HIPAA Security Environment Managing Risk in the HITECH Act World Prepared by Mark Lutes, Epstein Becker & Green, PC mlutes@ebglaw.com; 202.861.1824 Robert Hudock, Epstein Becker & Green, PC rhudock@ebglaw.com;
More informationHIPAA Audits: How to Be Prepared. Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality
HIPAA Audits: How to Be Prepared Lindsey Wiley, MHA, CHTS-IM, CHTS-TS HIT Manager Oklahoma Foundation for Medical Quality An Important Reminder For audio, you must use your phone: Step 1: Call (866) 906-0123.
More informationHIPAA Training for Staff and Volunteers
HIPAA Training for Staff and Volunteers Objectives Explain the purpose of the HIPAA privacy, security and breach notification regulations Name three patient privacy rights Discuss what you can do to help
More informationThe MC Academy The Employee Benefits and Executive Compensation Series. HIPAA PRIVACY AND SECURITY The New Final Regulations
The MC Academy The Employee Benefits and Executive Compensation Series HIPAA PRIVACY AND SECURITY The New Final Regulations June 18, 2013 Overview Background Recent Changes to HIPAA Identifying Business
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationOCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement
OCR s Anatomy: HIPAA Breaches, Investigations, and Enforcement Clinton Mikel The Health Law Partners, P.C. Alessandra Swanson U.S. Department of Health and Human Services - Office for Civil Rights Disclosure
More informationAre You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS. What would you do? Session Objectives
Are You Ready for an OCR Audit? Tom Walsh, CISSP Tom Walsh Consulting, LLC Overland Park, KS What would you do? Your organization received a certified letter sent from the Office for Civil Rights (OCR)
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationHIPAA and New Technologies Using Social Media and Texting Within the Rules. Today s Objectives
HIPAA and New Technologies Using Social Media and Texting Within the Rules Jim Sheldon-Dean Director of Compliance Services Lewis Creek Systems, LLC www.lewiscreeksystems.com For Northern California Chapter
More informationCMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS
CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS Dear Physician Member: Thank you for contacting the California Medical Association and thank you for your membership. In order to advocate on your behalf,
More informationThe Basics of HIPAA Privacy and Security and HITECH
The Basics of HIPAA Privacy and Security and HITECH Protecting Patient Privacy Disclaimer The content of this webinar is to introduce the principles associated with HIPAA and HITECH regulations and is
More informationHIPAA Privacy & Security Rules
HIPAA Privacy & Security Rules HITECH Act Applicability If you are part of any of the HIPAA Affected Areas, this training is required under the IU HIPAA Privacy and Security Compliance Plan pursuant to
More information3/13/2015 HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA?
HIPAA/HITECH WHAT S YOUR COMPLIANCE STATUS? Daniel B. Mills Pretzel & Stouffer, Chartered WHAT IS HIPAA? 1 DEFINITIONS HIPAA Health Insurance Portability and Accountability Act of 1996 Primarily designed
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationHIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist. www.riskwatch.com
HIPAA Omnibus & HITECH Rules: Key Provisions and a Simple Checklist www.riskwatch.com Introduction Last year, the federal government published its long awaited final regulations implementing the Health
More informationTHE HIGH PRICE OF MEDICAL RECORD PRIVACY BREACHES
THE HIGH PRICE OF MEDICAL RECORD PRIVACY BREACHES Melissa D. Berry The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position
More informationHIPAA Training for Hospice Staff and Volunteers
HIPAA Training for Hospice Staff and Volunteers Hospice Education Network Objectives Explain the purpose of the HIPAA privacy and security regulations Name three patient privacy rights Discuss what you
More informationMontclair State University. HIPAA Security Policy
Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that
More informationHIPAA and HITECH Compliance for Cloud Applications
What Is HIPAA? The healthcare industry is rapidly moving towards increasing use of electronic information systems - including public and private cloud services - to provide electronic protected health
More informationHIPAA security rules of engagement
healthcare HIPAA security rules of engagement The use of health information technology continues to expand in healthcare. Healthcare organizations are using web-based applications and other portals that
More informationRecent Developments in U.S. Law: Privacy and Information Technology Health - 2013
Recent Developments in U.S. Law: Privacy and Information Technology Health - 2013 Amyt M. Eckstein Moses & Singer LLP 405 Lexington Avenue New York, NY 10174-1299 (212) 554-7843 What Does Privacy Mean?
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationRESOLUTION AGREEMENT. I. Recitals
RESOLUTION AGREEMENT I. Recitals 1. Parties: The Parties to this Resolution Agreement (Agreement) are: (1) the United States Department of Health and Human Services (HHS), Office for Civil Rights (OCR);
More informationUNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14
UNDERSTANDING THE HIPAA/HITECH BREACH NOTIFICATION RULE 2/25/14 RULES Issued August 19, 2009 Requires Covered Entities to notify individuals of a breach as well as HHS without reasonable delay or within
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationSecurity Compliance, Vendor Questions, a Word on Encryption
Security Compliance, Vendor Questions, a Word on Encryption Alexis Parsons, RHIT, CPC, MA Director, Health Information Services Security/Privacy Officer Shasta Community Health Center aparsons@shastahealth.org
More informationRESOLUTION AGREEMENT I. RECITALS
RESOLUTION AGREEMENT I. RECITALS 1. Parties. The Parties to this Resolution Agreement ( Agreement ) are the United States Department of Health and Human Services, Office for Civil Rights ( HHS ) and The
More informationIsaac Willett April 5, 2011
Current Options for EHR Implementation: Cloud or No Cloud? Regina Sharrow Isaac Willett April 5, 2011 Introduction Health Information Technology for Economic and Clinical Health Act ( HITECH (HITECH Act
More informationUpdated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview
Updated HIPAA Regulations What Optometrists Need to Know Now The U.S. Department of Health & Human Services Office for Civil Rights recently released updated regulations regarding the Health Insurance
More informationOutline. Outline. What is HIPAA? I. HIPAA Compliance II. Why Should You Care? III. What Should You Do Now?
Outline MOR-OF Education and Medical Expo August 23, 2014 Tatiana Melnik Melnik Legal PLLC tatiana@melniklegal.com 734-358-4201 Tampa, FL I. HIPAA Compliance II. Why Should You Care? A. Market Pressure
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationHIPAA Security Compliance Reviews
HIPAA Security Compliance Reviews Elizabeth S. Holland, MPA Office of E-Health Standards and Services Centers for Medicare & Medicaid Services U.S. Department of Health and Human Services 1 2 What is HIPAA?
More informationThe ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
More information2011 2012 Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.
The OCR Auditors are coming - Are you next? What to Expect and How to Prepare On June 10, 2011, the U.S. Department of Health and Human Services Office for Civil Rights ( OCR ) awarded KPMG a $9.2 million
More informationCREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy
CREATIVE SOLUTIONS IN HEALTHCARE, INC. Privacy Policy Amended as of February 12, 2010 on the authority of the HIPAA Privacy Officer for Creative Solutions in Healthcare, Inc. TABLE OF CONTENTS ARTICLE
More informationHIPAA & HITECH AND THE DISCOVERY PROCESS
HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL
More informationHIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationThe Dish on Data and Disks HIPAAPrivacy and Security Breach Developments. Robin B. Campbell Ethan P. Schulman Jennifer S. Romano
The Dish on Data and Disks HIPAAPrivacy and Security Breach Developments Robin B. Campbell Ethan P. Schulman Jennifer S. Romano HIPAAPrivacy and Security Breach Overview of the Laws Developments Incident
More informationFive Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455. Notification of Security Breach Policy
Five Rivers Medical Center, Inc. 2801 Medical Center Drive Pocahontas, AR 72455 Notification of Security Breach Policy Purpose: This policy has been adopted for the purpose of complying with the Health
More informationOCR/HHS HIPAA/HITECH Audit Preparation
OCR/HHS HIPAA/HITECH Audit Preparation 1 Who are we EHR 2.0 Mission: To assist healthcare organizations develop and implement practices to secure IT systems and comply with HIPAA/HITECH regulations. Education
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationBusiness Associate Management Methodology
Methodology auxilioinc.com 844.874.0684 Table of Contents Methodology Overview 3 Use Case 1: Upstream of s I manage business associates 4 System 5 Use Case 2: Eco System of s I manage business associates
More informationTexas Medical Records Privacy Act (a.k.a. Texas House Bill 300)
Texas Medical Records Privacy Act (a.k.a. Texas House Bill 300) Ricky Link, Coalfire ISACA North Texas and IIA Fort Worth Chapters The Petroleum Club of Fort Worth March 4, 2014 1 About Coalfire Coalfire
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationArchitecting Security to Address Compliance for Healthcare Providers
Architecting Security to Address Compliance for Healthcare Providers What You Need to Know to Help Comply with HIPAA Omnibus, PCI DSS 3.0 and Meaningful Use November, 2014 Table of Contents Background...
More information