HIPAA Compliance Review
Transcription
HIPAA Compliance Review for HR and IT
Presented by: Linda Railton, PHR, HR Consultant, Leavitt Group

Discussion Points
- HIPAA Final Rule (effective March 26, 2013)
- Overview of HIPAA obligations
- Overview of HIPAA Privacy and Security Rules
- Breach Notification Requirements
- Penalties for non-compliance
HIPAA Legislative History
- 1996: Health Insurance Portability and Accountability Act
- 2003: Group health plans with premium receipts in excess of $5M subject to Privacy Rules
- 2004: Group health plans with premium receipts less than $5M subject to Privacy Rules
- 2005: Large group health plans subject to Security Rules
- 2006: Small group health plans subject to Security Rules
- 2009: HITECH Act added individual privacy rights, breach notification requirements and increased penalties for violations
- 2013: Final Rule published regarding HITECH Act Privacy and Security regulations (released January 25, 2013); effective March 26, 2013, with compliance required by September 23, 2013
HIPAA Final Rule
- Expanded the types of entities subject to the HIPAA Privacy Rules (i.e., business associates, subcontractors of business associates, patient safety organizations, and health information exchange organizations)
- Expanded the definition of business associate to include any entity or individual that creates, receives, maintains, or transmits PHI or ePHI on behalf of a group health plan
- ePHI includes:
  - Electronically created or transmitted PHI
  - PHI maintained on a server or storage device such as a computer hard drive, disk, CD, etc. ("at rest")
  - PHI in transit via the internet, dial-up lines, etc. (i.e., e-mail, faxes, file transfer protocols [FTP], electronic data interchange [EDI], use of cell phones or iPads)

HIPAA Final Rule (cont.)
- The expanded definition of business associate includes service providers that did not previously meet business associate status, such as:
  - Benefits consultants
  - Attorneys
  - CPAs
  - Document storage companies and document shredding companies that maintain PHI for a group health plan
  - Couriers of PHI such as UPS (note: HHS's conduit exception excludes carriers that merely transport PHI and do not routinely access it, so confirm the facts of the service before treating a courier as a business associate), and
  - Financial institutions that provide loans to the health care industry
HIPAA Final Rule (cont.)
- Changed the definition of a breach: the analysis no longer focuses on harm to the individual
- Increased the penalty amounts and included civil penalties
- Incorporated the provisions of GINA: health plans cannot use or disclose genetic information for determining eligibility, coverage, or payments under the plan

HIPAA Final Rule: Actions Required
Employer required actions for Final Rule compliance:
- Review and revise HIPAA policies and procedures to comply with the Final Rule
- Review and revise policies and procedures relating to breaches of PHI and ePHI (including breach notification policies and procedures)
- Review and revise the Notice of Privacy Practices and distribute the revised notices
- Review and revise Business Associate (BA) agreement templates to comply with the Final Rule; use them for all new BA relationships
- Amend current BA agreements and implement the revised agreement no later than September 23, 2014
- Update HIPAA authorization forms, if applicable
- Train the workforce on the changes in the Final Rule
Health Insurance Portability and Accountability Act (HIPAA)
What is HIPAA?
- Health Insurance Portability and Accountability Act of 1996
- Title I, Health Care Portability
  - Protects health insurance coverage for workers and their families when they change jobs
  - Limits the restrictions group health plans can place on benefits for preexisting conditions
    - Group plans can refuse to cover preexisting conditions for 12 months after enrollment
    - Group plans must cover preexisting conditions if the employee had creditable coverage prior to enrolling in the plan
  - Allows special enrollment periods
  - Requires crediting of prior coverage
  - Allows a break in coverage of up to 63 days
What is HIPAA? (cont.)
- Title II, Privacy and Security Rules
  - Protects the health information of group health plan participants (employees, COBRA participants and family members)
  - Requires national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers
  - Also addresses the security and privacy of health information and sets civil and criminal penalties for violations
  - Sets limits on the use and release of health records

What is a Covered Entity?
HIPAA Covered Entities
- Health care providers who transmit any health information electronically
  - A health care provider is any person or organization that furnishes, bills, or is paid for health care in the normal course of business (i.e., medical providers)
- Insurance companies, HMOs and their business associates
- Health plans and their business associates
  - A health plan is defined as any individual or group plan (or combination) that provides or pays for the cost of medical care (i.e., health insurance issuers, HMOs, employer group health plans, Medicare, Medicaid) and is a separate legal entity from the employer/plan sponsor
  - Employer self-insured health plans

HIPAA Business Associate
- A business associate is any person or business that performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information or disclosure of PHI (i.e., brokers, claims administrators, consultants, attorneys)
- Is not a workforce member of the employer/plan sponsor
- Should have a written contract or agreement that the business associate will appropriately safeguard PHI and will comply with Privacy Rule requirements
- Factors to consider in determining whether a business associate relationship exists are:
  - The time, place and purpose of the entity's conduct
  - Whether the entity is engaged in a course of conduct subject to the control of the group health plan (includes a business in a subcontractor relationship)
  - Whether the entity's conduct is commonly done by a business associate to accomplish the service performed on behalf of the group health plan
  - Whether or not the group health plan (or business associate) reasonably expected that a business associate would engage in the conduct (or provide a service)
HIPAA Covered Entities (cont.)
- Health care clearinghouses: translate data content or format for another entity from non-standard to standard or vice versa
- Prescription drug card sponsors
- Affiliated covered entity: shares information in a way that would otherwise be impermissible (sharing becomes a "use," not a "disclosure"); includes research organizations
  - Research organizations use PHI located in databases or repositories. This includes medical treatment of research participants, such as in clinical trials.

HIPAA Privacy Rules
HIPAA Privacy Rules
- Apply to employer-sponsored health plans, health care clearinghouses and medical service providers that transmit, maintain and store health care data
- Define Protected Health Information (PHI): any information which concerns an individual's health status, medical conditions, provision of health care or payment for health care, including:
  - Name
  - Age
  - Gender
  - Information related to the physical or mental health or condition of the individual
  - Information related to health care services provided to the individual
  - Payment for health care
  - Any information that identifies the individual (i.e., SSN)

HIPAA Privacy Rule (cont.)
PHI includes records created or received by an employer in its capacity as the administrator of a HIPAA-covered plan, such as:
- Fully insured or self-insured group health plans
- Dental or vision plans that can be linked to an individual
- HMOs
- High-deductible health plans
- Includes records stored electronically (ePHI)
- Also includes long-term care plans (not long-term disability), pharmacy benefits, health care reimbursement flexible spending accounts (health FSAs), and employee assistance programs (EAPs)
HIPAA Covered Transactions
- Health care claims information
- Health care payment and remittance advice
- Coordination of benefits documentation
- Health care claim status reports/documents with names, SSN, diagnosis, etc.
- Health plan enrollment or disenrollment information and documents, including maintenance of those documents
- Eligibility for a health plan determination information
- Health plan premium payments
- Referral certification and authorization information
- Any files containing records related to medical, dental, vision or mental health

HIPAA Covered Transactions (cont.)
Workplace examples of PHI:
- Payroll deduction records related to insurance premium payments
- Employee inquiries related to health care benefit eligibility for themselves or a family member
- Health care eligibility responses from the health care provider or employer
- Faxes, e-mails, notes or documents related to medical, dental, vision plans or EAP claims, or appeals of denied claims
- Large claim information if it identifies individuals
- Health plan census information
- HIPAA authorizations
- Full-face photos
- Biometric identifiers such as finger or voice prints
HIPAA Privacy Rules (cont.)
Covered entities must:
- Maintain written privacy policies and procedures
- Implement security policies and procedures regarding PHI in compliance with the Privacy Rules
- Implement a contingency plan (i.e., emergency closures, backup of ePHI, etc.)
- Track and document disclosures of PHI
- Appoint a Privacy Officer responsible for privacy policies and procedures
- Appoint a contact person responsible for receiving complaints, and
- Train employees about procedures for protecting PHI: train the entire workforce, as appropriate to their job functions
Note: Must include a complaint process for individuals to make complaints; it should be in written form.

HIPAA Privacy Rules (cont.)
Privacy practices include:
- Limiting the use or disclosure of PHI to only those with a need to know
- Limiting permissible disclosures or requests for disclosure to the minimum necessary: do not include too much information, only enough for the purpose of the disclosure
HIPAA Privacy Rules: Notice of Privacy Practices
- Applies to health plans
- Must be sent at least once every 3 years
- May be sent via mail or included in open enrollment materials or in a group health plan newsletter provided to all members
- Must include a statement that the health plan prohibits using or disclosing PHI that is genetic information of an individual
- Must include the group health plan's privacy practices and the individual's rights with respect to their PHI, as well as uses and disclosures, including those requiring authorization from the individual such as:
  - Disclosures of psychotherapy notes
  - Disclosures of PHI for marketing purposes, and
  - Disclosures that constitute a sale of PHI

HIPAA Privacy Rules: What PHI Does Not Include
- Medical records the employer creates or receives related to sick leave requests, reports related to Workers' Compensation claims, leave of absence medical certifications, disability plans (STD/LTD) and life insurance
- Health information that has been de-identified (does not identify the individual)
- Unauthorized access, use, disclosure or acquisition in these situations would not trigger a mandatory notice obligation under HIPAA
Note: CA privacy laws protect this information from disclosure.
Note: Summary Health Information (SHI) that summarizes type of claims, claim history and claim expenses, and that is disclosed for the purpose of obtaining premium bids from prospective carriers or to modify, amend or terminate a carrier contract, is not covered under the Privacy Rules but may be covered under the Security Rules.
HIPAA Security Rules
The HIPAA Security Rules require three types of security safeguards for ePHI:
- Administrative
- Physical
- Technical
HIPAA Security Rules: Administrative Safeguards
- Covered entities must adopt written procedures and designate a security official responsible for implementing the policies and procedures (the Security Rule's counterpart to the Privacy Rule's privacy officer; one person may hold both roles)
- The policies and procedures must clearly identify the employees (or classes of employees) who will have access to PHI
- Access must be restricted to only those who have a need to know

HIPAA Security Rules: Administrative Safeguards (cont.)
- The procedures must outline steps to control access authorization, modification and termination of access (i.e., computer passwords for electronic records, locked files for paper records)
- Training programs on protecting PHI must be given to all employees performing health plan administrative functions
- All third-party administrators must comply with all HIPAA rules; contracts with these vendors should include HIPAA clauses
HIPAA Security Rules: Administrative Safeguards (cont.)
- A contingency plan should be in place for responding to emergencies: back up electronic data and have disaster recovery procedures in place
- Internal audits should be conducted periodically to identify potential security violations
- Procedures should include instructions for addressing and responding to security breaches

HIPAA Security Rules: Administrative Safeguards (cont.)
- When using e-mail to transmit PHI, the security standards for access control, integrity and transmission security must be met
- Policies and procedures must be in place:
  - To restrict access
  - To protect the information contained in the e-mail (i.e., use of encryption)
  - To guard against unauthorized access
- Implementation of physical safeguards for electronic information systems housed on the premises or at another location
HIPAA Security Rules: Physical Safeguards
- The employer must control physical access to guard against inappropriate access to PHI
- The controls must include a policy and procedure for removal of hardware and software from the network; this is especially important when computer equipment is retired or disposed of (storage media should be sanitized or destroyed before it leaves the organization's control)

HIPAA Security Rules: Physical Safeguards (cont.)
- Access to equipment containing health information should be carefully controlled and monitored
- Access to hardware and software must be limited to properly authorized individuals
- Access controls should include facility security plans, maintenance records, visitor sign-in and escorts
- Workstations (and monitors) with PHI should not be in high-traffic areas or in direct view of the public
HIPAA Security Rules: Technical Safeguards
- Requires protection of communications containing PHI transmitted electronically (i.e., via e-mail) over open networks from being intercepted by anyone other than the intended recipient
- Encryption must be used if the systems/networks are not closed networks
- Requires protection of PHI stored on computers and workstations
- Procedures must be in place so that the employer can confirm that PHI data has not been changed or erased by anyone other than an authorized individual

How to Encrypt Files: Microsoft Office (Office button interface)
1. Click the Microsoft Office button in the top-left corner of the window
2. Click Prepare
3. Click Encrypt Document
4. A dialog box opens
5. Type the password in the dialog box
6. Type it again
7. Don't forget it!
How to Encrypt Files: Microsoft Office (File tab interface, Excel shown)
1. Click File in the top-left corner of the window
2. Next to Info, click Protect Workbook
3. Click Encrypt with Password
4. A dialog box opens
5. Type the password in the dialog box
6. Type it again
7. Don't forget it!

HIPAA Security Rules: E-mail
- Do not transmit ePHI that is not encrypted over the internet
- Do not include ePHI in the body of an e-mail unless:
  - You send the e-mail securely (the receiving party has a secure website for receipt of messages), or
  - You have password-protected the PHI documents attached to the e-mail
Caveat: a password-protected attachment is only as strong as its password and the way the password is shared. Use a long passphrase, and send it by a separate channel (for example, by telephone), never in the same e-mail as the attachment.
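The rule above (no ePHI in the body of an e-mail) is one an outbound-mail gateway can enforce. The Python script below is an added illustration written for this review, not part of the presentation; its identifier patterns, health-term list and sample messages are constructed assumptions, and a real policy would cover the other identifiers that make health information individually identifiable (names, addresses, dates), which a regular expression alone cannot catch reliably. What it shows is the boundary the slides draw: an identifier on its own (payroll or HR data) is not PHI, but an identifier together with health information is.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Identifier patterns (constructed for this example, not an exhaustive policy).
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[: ]*\d{1,2}/\d{1,2}/\d{2,4}", re.I),
    "member_id": re.compile(
        r"\b(?:member|subscriber|policy)\s*(?:id|number|no\.?|#)\s*[:#]?\s*[A-Z0-9]{6,}\b", re.I
    ),
}

# Health-context terms (constructed list). PHI is health information about an
# identifiable person, so the screen fires only when an identifier and a health
# term occur together; an identifier alone is flagged but not blocked here.
HEALTH_TERMS = re.compile(
    r"\b(diagnos(?:is|ed)|claims?|prescription|treatment|surgery|therapy|"
    r"ICD-?10|CPT|EAP|appeal)\b",
    re.I,
)


@dataclass
class ScreenResult:
    blocked: bool
    identifiers: List[str] = field(default_factory=list)
    health_terms: List[str] = field(default_factory=list)


def screen_email_body(body: str) -> ScreenResult:
    """Flag a message body that appears to carry ePHI in clear text."""
    ids = sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(body))
    terms = sorted({m.group(0).lower() for m in HEALTH_TERMS.finditer(body)})
    return ScreenResult(blocked=bool(ids) and bool(terms), identifiers=ids, health_terms=terms)


def redact_identifiers(body: str) -> str:
    """Replace each matched identifier with a labelled placeholder."""
    for name, pat in IDENTIFIER_PATTERNS.items():
        body = pat.sub(f"[REDACTED-{name.upper()}]", body)
    return body


# Constructed sample messages (fictional people and numbers).
SAMPLE_MESSAGES = [
    # identifier + health context: ePHI in the body, must not go out in clear text
    "Dana, the claim for J. Public (SSN 123-45-6789) was denied; the diagnosis code was missing.",
    # identifier only (payroll data): not PHI under this rule, though still sensitive
    "Please update the direct-deposit form; the SSN on file is 987-65-4321.",
    # plan context but no individual identifier: general plan information, not PHI
    "Open enrollment for the dental plan closes 11/15; claims questions go to the carrier.",
    # member ID plus treatment context: ePHI
    "Member ID: AB12345 - the physical therapy appeal was approved, please forward the EOB.",
]


def screen_outbox(messages):
    """Screen every message; returns one ScreenResult per message, in order."""
    return [screen_email_body(m) for m in messages]


if __name__ == "__main__":
    for msg, res in zip(SAMPLE_MESSAGES, screen_outbox(SAMPLE_MESSAGES)):
        verdict = "BLOCK" if res.blocked else "allow"
        print(f"{verdict:5} ids={res.identifiers} terms={res.health_terms}")
        if res.blocked:
            print("      redacted:", redact_identifiers(msg))
```

Run as a script it prints a verdict per message. A screen like this is a backstop, not a substitute for encryption: it misses messages that identify a person only by name, so the rule "encrypt or use the secure portal" still applies to anything that might be ePHI.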
HIPAA Security Rules: Technical Safeguards (cont.)
- When electronic communications occur between entities, authentication that the receiving entity is who it claims to be must be confirmed by using a password system, two- or three-way handshakes, telephone callback or token systems
- The IT department should keep written records of all configuration settings for all networks and workstations used to transmit or store PHI

HIPAA Security Breaches
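The "three-way handshake" and the integrity requirement on the technical-safeguard slides above can be made concrete. The Python below is an added example for this review, not code from the presentation or from any HIPAA guidance. It assumes a pre-shared key that both parties obtained out of band and party names chosen for the demo ("plan-sponsor", "tpa"). It implements a challenge-response handshake in which each side proves possession of the key over a fresh nonce (against replay) bound to its own name (against reflecting a challenge back at its originator), and an HMAC integrity tag over a record so that any change made by someone without the key is detected. In production this role is filled by TLS with certificate-based authentication; the example shows what that machinery is actually establishing.

```python
import hashlib
import hmac
import json
import os


class Party:
    """One endpoint holding a pre-shared key (assumed provisioned out of band)."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key
        self._pending = None  # nonce we issued and are still waiting to see proven

    def prove(self, nonce: bytes, claimant: str) -> bytes:
        # Proof of key possession bound to a fresh nonce (defeats replay) and to
        # the claimant's name (defeats reflecting A's own challenge back at A).
        return hmac.new(self.key, nonce + b"|" + claimant.encode(), hashlib.sha256).digest()

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def respond(self, peer_nonce: bytes):
        """Answer the peer's challenge and issue our own (message 2 of 3)."""
        return self.prove(peer_nonce, self.name), self.challenge()

    def verify(self, proof: bytes, claimant: str) -> bool:
        if self._pending is None:
            return False
        expected = self.prove(self._pending, claimant)
        self._pending = None  # each challenge may be answered only once
        return hmac.compare_digest(proof, expected)  # constant-time comparison


def three_way_handshake(a: Party, b: Party) -> bool:
    """Mutual authentication: both sides end up convinced the other holds the key."""
    nonce_a = a.challenge()                  # 1. A -> B: nonce_a
    proof_b, nonce_b = b.respond(nonce_a)    # 2. B -> A: HMAC(k, nonce_a|"B"), nonce_b
    if not a.verify(proof_b, b.name):
        return False                         # B could not prove the key: stop here
    proof_a = a.prove(nonce_b, a.name)       # 3. A -> B: HMAC(k, nonce_b|"A")
    return b.verify(proof_a, a.name)


def seal_record(key: bytes, record: dict) -> dict:
    """Attach an integrity tag so any change to the record is detectable."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def open_record(key: bytes, sealed: dict):
    """Return the record if its tag verifies, None if it was altered."""
    expected = hmac.new(key, sealed["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(sealed["payload"])


# Constructed demo data: a fictional member record, not real PHI.
SHARED_KEY = b"example-pre-shared-key-do-not-use-in-production"
SAMPLE_RECORD = {"member_id": "M00123", "diagnosis_code": "J45.20", "plan": "PPO"}


def demo() -> dict:
    """Run the four checks and report which ones behaved as required."""
    plan = Party("plan-sponsor", SHARED_KEY)
    tpa = Party("tpa", SHARED_KEY)
    impostor = Party("tpa", b"guessed-key")   # claims to be the TPA, lacks the key
    sealed = seal_record(SHARED_KEY, SAMPLE_RECORD)
    tampered = dict(sealed, payload=sealed["payload"].replace("J45.20", "Z00.00"))
    return {
        "genuine_peer": three_way_handshake(plan, tpa),
        "impostor_peer": three_way_handshake(plan, impostor),
        "intact_record": open_record(SHARED_KEY, sealed) == SAMPLE_RECORD,
        "tampered_record": open_record(SHARED_KEY, tampered) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:16} {'ok' if ok else 'FAILED'}")
```

The two design points worth carrying over to any real deployment are the nonce (a captured proof cannot be replayed later) and the name inside the MAC (an attacker who relays A's challenge back to A cannot obtain a proof that A will accept for "B"). The integrity tag only detects change; it does not hide the record, so it complements rather than replaces encryption.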
HIPAA Security Breach
Definition of breach (new Final Rule regulations):
- Breach notification is necessary in all situations except those in which the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised (or one of the exceptions applies)
- Three exceptions:
  - Unintentional acquisition, access or use of PHI by an employee or business associate, made in good faith, that did not result in further use or disclosure in an unpermitted manner
  - Inadvertent disclosure of PHI by a covered entity or business associate, if the covered entity or business associate has a good-faith belief that the unauthorized individual who received the PHI would not have been able to retain the information
  - Inadvertent disclosure from a person who is authorized to access PHI to another person at the same entity

HIPAA Security Breach (cont.)
The risk assessment of a breach must consider:
- The nature of the PHI
- The unauthorized person who received the disclosure
- Whether the PHI was actually acquired or viewed, and
- The extent to which the risk has been mitigated (corrected)
Security Breach Notification
- Notice must occur without unreasonable delay, but no later than 60 calendar days after the breach is discovered; affected individuals are notified via first-class mail to their last known address
- Applicable to both the employer and any business associate such as a third-party administrator
- Employers should have business associate agreements in place with all third-party administrators requiring them to notify the employer as soon as possible of a breach, because the 60-day clock starts on the day the breach is discovered
Note: E-mail notification is acceptable if the affected individual has agreed to receive notices electronically.

Security Breach Notification (cont.)
Notification to affected individuals must include:
- A brief description of what happened
- The date the breach was discovered
- The date the breach occurred (if known)
- Identification of what type of PHI was compromised (SSN, diagnosis, DOB, etc.)
- Information on how individuals may protect themselves against possible harm resulting from the breach
Security Breach Notification (cont.)
Notification to affected individuals must include (cont.):
- A brief description of the investigation
- All efforts taken to mitigate any harm
- Steps taken to prevent further breaches
- Contact information for the person affected individuals are to contact to ask questions or obtain additional information

Security Breach Notification: Substitute Notice
- If the employer cannot identify or has insufficient information (i.e., unknown home address) to provide notice to ten or more affected individuals, the employer must provide a substitute notice on its web page or post a notice in the media
  - Must include a toll-free number to call and the name of an individual to contact
- If fewer than 10 individuals are affected, the substitute notice may be written, by telephone or by other means
Security Breach Notification: Reporting to HHS
- Breaches involving fewer than 500 individuals must be recorded by the employer and submitted annually to HHS no later than 60 days after the end of the calendar year in which the breaches occurred. Maintain a log.

Security Breach Notification: Large Breaches
- Breaches involving 500 or more individuals will be investigated by HHS and require notification through prominent media outlets serving the State or jurisdiction, in addition to the individual notifications
- The information will also be listed on the HHS website
Note: California Senate Bill 24 (SB 24), effective January 1, 2012, applies to notices sent to California residents. If the employer is required to notify more than 500 CA residents about a single security breach, the employer must also submit a sample copy of the notice to the California Office of the Attorney General (the submission can be made electronically).
HIPAA Violations and Penalties
HIPAA Violations
- Any person or organization may file a complaint with the HHS Office for Civil Rights (OCR) by mail or through the website within 180 days after the complainant knew of the violation
- An HHS/OCR informal review of the circumstances may resolve the issue without a formal investigation
- If not, an HHS/OCR investigation will be initiated
Note: If the preliminary review indicates a possible violation due to willful neglect, HHS must initiate an investigation (new requirement in the Final Rule).
Penalties for Noncompliance (Final Rule)

Violation category               Each violation                     Annual maximum (per provision)
Did not know*                    $100 - $50,000 per violation       $1.5 million
Reasonable cause*                $1,000 - $50,000 per violation     $1.5 million
Willful neglect, corrected       $10,000 - $50,000 per violation    $1.5 million
Willful neglect, not corrected   $50,000 per violation              $1.5 million
Business associates              Same as for covered entities       Same as for covered entities

HIPAA Documentation
Documentation (written or electronic) must be kept for six (6) years. It includes:
- Policies and procedures
- Training provided, Privacy Official, contact person
- Complaints to the covered entity and their disposition, if any
- Notice of Privacy Practices, acknowledgement, and good-faith efforts to obtain acknowledgements
- Authorizations
- Business associate contracts
- Designated records that are subject to access by the individual, access contact persons, requests, and responses
- Certification of group health plan document amendments
HIPAA Documentation (cont.)
Includes (continued):
- Amendment contact persons, requests, denials, disagreements and rebuttals
- Information required to be in an accounting, the accounting contact person, requests and accountings provided to the individual
- Restriction request agreements
- IRB/Privacy Board waivers (applicable to research organizations)
- HCC designations
- Affiliated covered entity designations

HIPAA Questions?
- U.S. Department of Health and Human Services (HHS), toll-free line
- National Institute of Standards and Technology (NIST)
Genetic Information Nondiscrimination Act (GINA)
- This act makes it illegal to discriminate against employees or applicants because of genetic information, including diseases of employees and their family members
- Genetic information is defined as any information about an individual's genetic tests and the genetic tests of an individual's family members, as well as any information about an individual's family medical history
GINA (cont.)
- GINA prohibits the disclosure of genetic information about applicants or employees
- Genetic information/PHI disclosure must be limited to only those who have a need to know
- Recommended disclosure should be limited to:
  - The highest-ranking official in the company
  - The highest-ranking financial person in the company
  - Human Resources
  - Immediate supervisors/managers, only if a bona fide safety issue exists
- Genetic information must be kept in a separate medical file (may be the same file where LOA medical certifications are stored)

GINA: Workplace Examples
Workplace examples of genetic information include:
- Drug and alcohol testing
- Employer-sponsored wellness programs where family medical history is obtained
- Leave of absence requests and medical certifications
GINA: Safe Harbor Language
Add safe harbor language to your medical certification requests:

"The Genetic Information Nondiscrimination Act of 2008 (GINA) prohibits employers and other entities covered by GINA Title II from requesting or requiring genetic information of an individual or family member of the individual, except as specifically allowed by this law. To comply with this law, we are asking that you not provide any genetic information when responding to this request for medical information. 'Genetic information,' as defined by GINA, includes an individual's family medical history, the results of an individual's or family member's genetic tests, the fact that an individual or an individual's family member sought or received genetic services, and genetic information of a fetus carried by an individual or an individual's family member or an embryo lawfully held by an individual or family member receiving assistive reproductive services."

GINA Questions?
- EEOC
City of Pittsburgh Operating Policies Policy: HIPAA Privacy Policies Original Date: 1/2005 and Procedures Revised Date: 3/22/2010 PURPOSE: To establish internal policies and procedures to ensure compliance
More informationThe Health and Benefit Trust Fund of the International Union of Operating Engineers Local Union No. 94-94A-94B, AFL-CIO. Notice of Privacy Practices
The Health and Benefit Trust Fund of the International Union of Operating Section 1: Purpose of This Notice Notice of Privacy Practices Effective as of September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationThe ReHabilitation Center. 1439 Buffalo Street. Olean. NY. 14760
Procedure Name: HITECH Breach Notification The ReHabilitation Center 1439 Buffalo Street. Olean. NY. 14760 Purpose To amend The ReHabilitation Center s HIPAA Policy and Procedure to include mandatory breach
More informationProfessional Employer Organizations Obligations Under HIPAA A Summary
NAPEO Legal InsightsTM Volume 2, Number 6 November 2009 Professional Employer Organizations Obligations Under HIPAA A Summary Dale R. Vlasek, Esq. Attorney McDonald Hopkins LLC Cleveland, Ohio A PEO is
More informationHIPAA Omnibus Rule Practice Impact. Kristen Heffernan MicroMD Director of Prod Mgt and Marketing
HIPAA Omnibus Rule Practice Impact Kristen Heffernan MicroMD Director of Prod Mgt and Marketing 1 HIPAA Omnibus Rule Agenda History of the Rule HIPAA Stats Rule Overview Use of Personal Health Information
More informationPage 1. NAOP HIPAA and Privacy Risks 3/11/2014. Privacy means being able to have control over how your information is collected, used, or shared;
Page 1 National Organization of Alternative Programs 2014 NOAP Educational Conference HIPAA and Privacy Risks Ira J Rothman, CPHIMS, CIPP/US/IT/E/G Senior Vice President - Privacy Official March 26, 2014
More informationHIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant
1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationHeather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com
Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc. hhughes@uslegalsupport.com www.uslegalsupport.com HIPAA Privacy Rule Sets standards for confidentiality and privacy of individually
More informationHIPAA PRIVACY AND SECURITY STANDARDS CITY COMPLIANCE
Important: Conducting an assessment of your health plan(s) is the first step to determining HIPAA compliance. You will need to conduct a separate assessment for each of your health plans. (Please be aware
More informationHIPAA Compliance: Are you prepared for the new regulatory changes?
HIPAA Compliance: Are you prepared for the new regulatory changes? Baker Tilly CARIS Innovation, Inc. April 30, 2013 Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed
More informationWhy Lawyers? Why Now?
TODAY S PRESENTERS Why Lawyers? Why Now? New HIPAA regulations go into effect September 23, 2013 Expands HIPAA safeguarding and breach liabilities for business associates (BAs) Lawyer is considered a business
More informationHIPAA Privacy Summary for Fully-insured Employer Groups
HIPAA Privacy Summary for Fully-insured Employer Groups I. Overview The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures
More informationSTANDARD ADMINISTRATIVE PROCEDURE
STANDARD ADMINISTRATIVE PROCEDURE 16.99.99.M0.26 Investigation and Response to Breach of Unsecured Protected Health Information (HITECH) Approved October 27, 2014 Next scheduled review: October 27, 2019
More informationAn Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP
An Employer s Introduction to HIPAA Prepared by Ballard, Rosenberg Golper & Savitt, LLP Important Disclaimer: Practice limited to labor and employment law on behalf of management and related litigation.
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationWhen HHS Calls, Will Your Plan Be HIPAA Compliant?
When HHS Calls, Will Your Plan Be HIPAA Compliant? Petula Workman, J.D., CEBS Division Vice President Compliance Counsel Gallagher Benefit Services, Inc., Sugar Land, Texas The opinions expressed in this
More informationTHE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL
THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) EMPLOYEE TRAINING MANUAL What is HIPAA? Comprehensive federal legislation regarding health insurance which is comprised of four key areas:
More informationEntities Covered by the HIPAA Privacy Rule
Entities Covered by the HIPAA Privacy Rule Who Is A Covered Entity? HIPAA standards apply only to: Health care providers who transmit any health information electronically in connection with certain transactions
More informationHealth Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)
Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) Table of Contents Introduction... 1 1. Administrative Safeguards...
More informationProtecting Patient Information in an Electronic Environment- New HIPAA Requirements
Protecting Patient Information in an Electronic Environment- New HIPAA Requirements SD Dental Association Holly Arends, RHIT Clinical Program Manager Meet the Speaker TRUST OBJECTIVES Overview of HIPAA
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationHIPAA Security Rule Compliance
HIPAA Security Rule Compliance Caryn Reiker MAXIS360 HIPAA Security Rule Compliance what is it and why you should be concerned about it Table of Contents About HIPAA... 2 Who Must Comply... 2 The HIPAA
More informationHIPAA Privacy Breach Notification Regulations
Technical Bulletin Issue 8 2009 HIPAA Privacy Breach Notification Regulations On August 24, 2009 Health and Human Services (HHS) issued interim final regulations implementing the HIPAA Privacy Breach Notification
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationHIPAA Omnibus Rule Overview. Presented by: Crystal Stanton MicroMD Marketing Communication Specialist
HIPAA Omnibus Rule Overview Presented by: Crystal Stanton MicroMD Marketing Communication Specialist 1 HIPAA Omnibus Rule - Agenda History of the Omnibus Rule What is the HIPAA Omnibus Rule and its various
More informationM E M O R A N D U M. Definitions
M E M O R A N D U M DATE: November 10, 2011 TO: FROM: RE: Krevolin & Horst, LLC HIPAA Obligations of Business Associates In connection with the launch of your hosted application service focused on practice
More informationADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016
Page 1 of 9 CITY OF CHESAPEAKE, VIRGINIA NUMBER: 2.62 ADMINISTRATIVE REGULATION EFFECTIVE DATE: 1/1/2016 SUPERCEDES: N/A SUBJECT: HUMAN RESOURCES DEPARTMENT CITY OF CHESAPEAKE EMPLOYEE/RETIREE GROUP HEALTH
More informationHIPAA. New Breach Notification Risk Assessment and Sanctions Policy. Incident Management Policy. Focus on: For breaches affecting 1 3 individuals
HIPAA New Breach Notification Risk Assessment and Sanctions Policy Incident Management Policy For breaches affecting 1 3 individuals +25 individuals + 500 individuals Focus on: analysis documentation PHI
More informationGuidelines Relating to Implementation of the Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HUMAN RESOURCES Index No. VI-35 PROCEDURES MEMORANDUMS TO: FROM: SUBJECT: MCC Personnel Office of the President Guidelines Relating to Implementation of the Privacy Regulations of the Health Insurance
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationThe HITECH Act: Implications to HIPAA Covered Entities and Business Associates. Linn F. Freedman, Esq.
The HITECH Act: Implications to HIPAA Covered Entities and Business Associates Linn F. Freedman, Esq. Introduction and Overview On February 17, 2009, President Obama signed P.L. 111-05, the American Recovery
More informationINFORMATION SECURITY & HIPAA COMPLIANCE MPCA
INFORMATION SECURITY & HIPAA COMPLIANCE MPCA Annual Conference August 5, 201 Agenda 1 HIPAA 2 The New Healthcare Paradigm Internal Compliance 4 Conclusion 2 1 HIPAA 1 Earning Their Trust 4 HIPAA 5 Health
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationPatient Privacy and HIPAA/HITECH
Patient Privacy and HIPAA/HITECH What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Implemented in 2003 Title II Administrative Simplification It s a federal law HIPAA is mandatory,
More informationTABLE OF CONTENTS. University of Northern Colorado
TABLE OF CONTENTS University of Northern Colorado HIPAA Policies and Procedures Page # Development and Maintenance of HIPAA Policies and Procedures... 1 Procedures for Updating HIPAA Policies and Procedures...
More informationWhat is HIPAA? The Health Insurance Portability and Accountability Act of 1996
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 BASIC QUESTIONS AND ANSWERS What Does HIPAA do? Creates national standards to protect individuals' medical records and other
More informationHIPAA TRAINING. A training course for Shiawassee County Community Mental Health Authority Employees
HIPAA TRAINING A training course for Shiawassee County Community Mental Health Authority Employees WHAT IS HIPAA? HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act.
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More information2005 MSEK White Papers are a publication of Meyer, Suozzi, English & Klein, P.C. and should not be construed as legal advice on any specific facts or
2005 MSEK White Papers are a publication of Meyer, Suozzi, English & Klein, P.C. and should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general
More informationHHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI
January 23, 2013 HHS Finalizes HIPAA Privacy and Data Security Rules, Including Stricter Rules for Breaches of Unsecured PHI Executive Summary HHS has issued final regulations that address recent legislative
More informationwhat your business needs to do about the new HIPAA rules
what your business needs to do about the new HIPAA rules Whether you are an employer that provides health insurance for your employees, a business in the growing health care industry, or a hospital or
More informationState of Nevada Public Employees Benefits Program. Master Plan Document for the HIPAA Privacy and Security Requirements for PEBP Health Benefits
State of Nevada for the Requirements for PEBP Health Benefits Plan Year 2016 July 1, 2015 June 30, 2016 www.pebp.state.nv.us (775) 684-7000 Or (800) 326-5496 Amendments Amendment Log Any amendments, changes
More informationHIPAA In The Workplace. What Every Employee Should Know and Remember
HIPAA In The Workplace What Every Employee Should Know and Remember What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 Portable Accountable Rules for Privacy Rules for Security
More informationHIPAA Privacy Summary for Self-insured Employer Groups
I. Overview HIPAA Privacy Summary for Self-insured Employer Groups The Privacy Regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulate the uses and disclosures of
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationThe HIPAA Security Rule Primer A Guide For Mental Health Practitioners
The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2
More informationSECURITY RISK ASSESSMENT SUMMARY
Providers Business Name: Providers Business Address: City, State, Zip Acronyms NIST FIPS PHI EPHI BA CE EHR HHS IS National Institute of Standards and Technology Federal Information Process Standards Protected
More informationSUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)
UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This
More informationJoseph Suchocki HIPAA Compliance 2015
Joseph Suchocki HIPAA Compliance 2015 Sponsored by Eagle Associates, Inc. Eagle Associates provides compliance services for over 1,200 practices nation wide. Services provided by Eagle Associates address
More informationAm I a Business Associate?
Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationNOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS
NOTICE OF PRIVACY PRACTICES for the HARVARD UNIVERSITY MEDICAL, DENTAL, VISION AND MEDICAL REIMBURSEMENT PLANS THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW
More informationGuide to HIPAA for Covered Entities Free & Charitable Clinic HIPAA Toolbox May 2014
Guide to HIPAA for Covered Entities Free & Charitable Clinic HIPAA Toolbox May 2014 Following is a HIPPA Guide prepared by Ropes & Gray, a law firm focusing on healthcare, on behalf of AmeriCares and the
More informationHIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients
HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and
More informationHealth Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know Note: Information provided to NCRA by Melodi Gates, Associate with Patton Boggs, LLC Privacy and data protection
More informationExecutive Memorandum No. 27
OFFICE OF THE PRESIDENT HIPAA Compliance Policy (effective April 14, 2003) Purpose It is the purpose of this Executive Memorandum to set forth the Board of Regents and the University Administration s Policy
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationHIPAA Privacy & Breach Notification Training for System Administration Business Associates
HIPAA Privacy & Breach Notification Training for System Administration Business Associates Barbara M. Holthaus privacyofficer@utsystem.edu Office of General Counsel University of Texas System April 10,
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationHEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA): FACT SHEET FOR NEUROPSYCHOLOGISTS Division 40, American Psychological Association DISCLAIMER This general information fact sheet is made available
More information