Covered Entities Should Periodically Audit Third Party Vendors/Business Associates: Why, What, & How?
1 Covered Entities Should Periodically Audit Third Party Vendors/Business Associates: Why, What, & How? March 27th, 12 pm EDT. Moderator: Gerry Blass. Panelists: Mac McMillan, Francois Bodhuin, Lou Dignam.
2 Webinar Objectives: Provide an overview of what has changed for BAs with respect to the Omnibus Rule. Describe how to develop and sustain effective vendor management practices to ensure compliance. Present a five-step life cycle approach with supporting actions for managing vendor security requirements. Provide useful resources and tools to use in a vendor management program. Share proven best practice strategies for provider organizations seeking to improve vendor selection and management to ensure compliance.
3 Housekeeping: All attendees will be on mute for the duration of the presentation. We ask that any and all questions be directed to the host in the Q&A panel, and we will try to answer as many as we can at the end of the presentation. This webinar is scheduled to last 1 hour, but we can stay on longer for Q&A at the end, and all of you are welcome to do the same. If we do not have a chance to answer your question, please feel free to email us. Our email addresses are included in the presentation.
4 Housekeeping: This webinar, as well as a PDF of the presentation, will be archived and available on the NJ HIMSS website shortly after the event. Everyone who has registered will receive an email with the link. We have included bio slides (with email addresses) at the end of this presentation.
5 Introductions: Gerry Blass, President & CEO, ComplyAssistant. Mac McMillan, CEO, CynergisTek. Francois Bodhuin, IS Technology Director / Information Security Officer, Inspira. Lou Dignam, Director of Information Security and Server Platforms, Virtua Health.
6 Seek Professional Help. The Phases of BA Negotiations: Denial, Anger, Bargaining, Depression, Acceptance (just need to get here by September 2014).
7 A New Paradigm. Leon Rodriguez, Office for Civil Rights Director, had this to say about Omnibus: "This final Omnibus Rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented. These changes not only greatly enhance a patient's privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates."
8 HIPAA Defines Business Associate (45 C.F.R.): A Business Associate (BA) is a person/entity who/that: (i) on behalf of such CE or of an organized health care arrangement ("OHCA") in which the CE participates, but other than in the capacity of a member of the workforce of such CE or arrangement, performs, or assists in the performance of: A. a function or activity involving the use or disclosure of PHI, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or B. any other function or activity regulated by this subchapter; OR (ii) provides, other than in the capacity of a member of the workforce of such CE, legal, actuarial, accounting, consulting, data aggregation (as defined in of this subchapter), management, administrative, accreditation, or financial services to or for such CE, or to or for an OHCA in which the CE participates, where the provision of the service involves the disclosure of PHI from such CE or arrangement.
9 HITECH Expands Definition: Any person or entity that creates, receives, maintains or transmits PHI on behalf of a Covered Entity or Business Associate (45 CFR (3)(iii)). Now specifically includes: Health Information Organizations; Regional Health Information Organizations; e-prescribing gateways; and any person or entity that transmits PHI or requires access to PHI on a routine basis. Conduits for data transmission are NOT BAs (e.g., an entity that retains PHI for only that period of time necessary to support the transmission process).
10 Subcontractors Incorporated: Any person or entity that creates, receives, maintains or transmits PHI on behalf of a HIPAA Business Associate (45 CFR (3)(iii)). This applies even if the Sub and the BA don't enter into a BAA. The HIPAA/BAA obligations attach to downstream subcontractors TOO! OCR can directly enforce requirements against Subcontractors.
11 Can Vendors Avoid HIPAA? The absence of a BA Agreement does NOT mean that a BA can avoid HIPAA compliance. A BA is determined by HIPAA's definitions and the activities of the BA (or Sub), and direct compliance and enforcement by OCR cannot be avoided by simply not having a HIPAA-compliant BA Agreement in place between the CE and the BA, or between the BA and its Subcontractor. Just because you are not a BA does NOT mean HIPAA is not relevant.
12 Breach Notification, The Interim Rule: Defined a breach to mean, generally, "the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information." It further elaborated that "compromises the security or privacy of the PHI" meant "poses a significant risk of financial, reputational, or other harm to the individual." FYI: HHS originally included the harm test in order to align the rule with many state breach notification laws, as well as existing obligations on federal agencies that have a similar risk-of-harm standard for triggering breach notification.
13 Breach Notification, The Final Rule: Removes the "significant risk of harm" test and replaces it with a presumption that any impermissible use or disclosure of PHI is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the PHI has been compromised. The CE or BA has the burden of proof to demonstrate that there is a low probability that the PHI is compromised. The CE and BA must also maintain written documentation sufficient to demonstrate why it concluded that there is a low probability that the PHI was compromised and did not issue notices.
14 HITECH Revisions to BAAs: The BAA must state that the BA must comply with the HIPAA Security Rule regarding e-PHI. It must state that the minimum necessary rule applies to uses & disclosures of PHI. The BA must report breaches of unsecured PHI to the CE (this is in addition to any uses/disclosures that violate the BAA). The contract must obligate the BA to ensure that Subcontractors agree in writing to the same restrictions. If the BA is going to carry out the CE's obligations (i.e., providing access to individuals), then the contract must state that the BA is obligated to perform these obligations in a compliant manner.
15 Updating BAAs: BA Agreements that were entered into and in effect as of or before January 25, 2013 will be considered compliant for up to 1 year after the September 23, 2013 effective date for final HITECH Rule compliance. So you have until September 23, 2014 before you must amend for technical compliance with HITECH. NEW BA Agreements entered into any time after January 25, 2013 should have been updated by September 23, 2013, the effective compliance deadline. If a BA Agreement is up for renewal or is modified any time after March 26, 2013, then an updated and HITECH-compliant BAA must be put in place.
16 BA Considerations & Issues: "I'm not a BA" or "We don't need a BAA"; defining permitted BA services and functions; an agent, or not; security assessments ("show me"); breach notification timeframes; encryption required; use of de-identified data; foreign (non-U.S.) sub-agents; cyberinsurance; indemnification (breaches; penalties; lawsuits); state law.
17 Action: Implement a process to evaluate who is a BA and who is not a BA (i.e., a conduit), and sub-BAs. Update your BAA forms for HITECH language: include Omnibus required language; add language to protect yourself from the agent issue! Use the compliant form NOW if entering into a new BAA. You can keep old BAAs in place until 9/23/2014 if they were in effect by Jan 25, 2013 & don't renew after March 23. Manage your BA Agreements! Keep track of important dates. Assign who is responsible for managing BAAs.
18 Vendor Management Expectations: Vendor security requirements have been expanded under the new rules, and expectations for Covered Entities were further clarified during OCR's HIPAA compliance audits in 2012. Expectations for managing Business Associates: pre-contract due diligence; contracting requirements; post-contract maintenance/administration; incident management; backup/disaster recovery; physical protection; access control; accounting for disclosures; media/data disposal/accountability; end of contract/termination.
19 Vendor Security Management: Requirements definition; solicitation/RFP processes; contracts & agreements; performance monitoring; termination; security incident management & breach notification; documentation. Life cycle: Define, Select, Contract, Monitor, Terminate.
20 Administrative Requirements: BA Inventory (research accounts payable; vendor information). Requirements Definition (classification; security; minimal necessary). Solicitation/RFP Processes (solicitation/RFP development; pre-contract evaluation). Contracts & Agreements (security requirements; BAA development).
21 Operational Requirements: Performance Monitoring (updating documentation as required; backup/recovery; physical security; external requests; business changes). Incident Response (notification of the CE; risk analysis; clean up/remediation; notification of others). Terminations (disposition of information; workforce turnover).
22 First Hand Experience: Inspira & Virtua.
23 Approach: Mac already addressed the necessity; Lou and I will discuss the process. Life cycle approach: new BA, sanction check + security questionnaire; existing BA, yearly survey. Get our house in order. Find a management tool and a methodology. Remember to involve Purchasing / Materials Management; they maintain the primary relationship with the vendors (point of contact). *** Most Important *** Get executive support. You need a high level of collaboration between the Privacy and Security team and the business folks.
24 Approach: 1 BA Inventory; 2 Program Setup; 3 Functional Analysis; 4 Send and Monitor Results; 5 Analysis of Results; 6 Process Review; 7 Start Over.
25 1 BA Inventory: Identify who maintains the BA inventory. Review the BA inventory: contract management software; software support arrangements; SFTP. Survey all Directors. Categorize the vendors (triage). Good time to check if all BAs have BAAs. Select 10 BAs for a pilot.
26 2 Program Setup: Identify the tool to use (GRC software); methodology; SaaS or do it yourself? Create letters: letter of introduction from the organization; letter to the vendor. Set up vendor questionnaires (1 or 2): a different set of questions depending on the vendor category. Have your questions reviewed by Privacy and Security as well as Legal. If you submit the questions via the web, allow for attachments.
27 3 Functional Analysis: Push back from vendors: some vendors think they already have to comply with HIPAA/HITECH, so they do not need to respond. What if answers are not what we expected? Determine actions; this is where executive support may be needed. Will this cost the organization more money? Are we ready to terminate a contract? Consider developing a grading system, but identify the show-stoppers.
28 4 Send and Monitor Results: Start with a pilot. 2nd cycle: extend the pilot or send to all BAs. Identify who is responsible for monitoring the responses. On-going and a lot of work.
29 5 Analysis and Process Review: Analyze the results: % of responses; accuracy. Decisions will depend on results / answers. Store information in a database to compare answers from one year to another.
30 6 Process Review: Review the process. Tweak the letters. Tweak the questionnaires. Are we sending to the correct person? Do we give the BA enough time for answers? Are we treating the vendors the same way within each category?
31 7 Start Over: Never ending story, life cycle. Get to every vendor every year. Keep refining the process to make it easier for the vendor (web questionnaire).
32 Conclusion: Do it right; analyze consequences. Confirm the executive support. Don't forget Plan B (risk acceptance). This is still our data and we are responsible for it; make BAs understand that fact. Doing this demonstrates our oversight (due diligence).
33 Q & A: Gerry Blass, gerry@complyassistant.com; Mac McMillan, mac.mcmillan@cynergistek.com; Francois Bodhuin, bodhuinf@ihn.org; Lou Dignam, ldignam@virtua.org.
34 Moderator Bio: Gerry Blass - gerry@complyassistant.com. Gerry is President & CEO of Blass Consulting and Compliance. Gerry has over 35 years of experience in healthcare IT and compliance. Gerry provides healthcare IT and consulting services and software called ComplyAssistant that automates the management and documentation of healthcare compliance activities. Gerry co-authors quarterly columns for JHIM, the national HIMSS magazine, and is a co-founder of HIPAA 411, a LinkedIn group.
35 Panelist Bio: Mac McMillan - mac.mcmillan@cynergistek.com. Mac McMillan is CEO of CynergisTek, Inc., a firm specializing in information security and regulatory compliance in healthcare. He is Chair of the HIMSS Privacy & Security Policy Task Force and brings over 30 years of experience from government and private sector positions. He has worked in the healthcare industry since his retirement from the government and contributes regularly to the thought leadership around compliance, security and privacy in healthcare.
36 Panelist Bio: Francois Bodhuin - bodhuinf@ihn.org. Francois is the Technology Director and Information Security Officer at Inspira. Francois manages servers/workstations, the networks, TV services and the telephony. Francois has 20 years of healthcare IT experience and teaches Information Technology at Cumberland County College as an adjunct professor. Francois has obtained the CISSP certification from ISC2 as well as the MCSE Sec+ certification from Microsoft. He is a member of DVHIMSS and NJHIMSS.
37 Panelist Bio: Lou Dignam - ldignam@virtua.org. Lou has 28 years of technical healthcare IT experience, 12 of which were specialized in information security. Lou joined Virtua in July 2008 as the Director of Information Security and Server Platforms/HIPAA Security Officer to oversee all information security efforts around regulatory & audit compliance, policy development, technology risk mitigation, and vulnerability management, and to develop and deliver a comprehensive information security program for Virtua. Lou obtained his CISSP in 2006 and has extensive technical knowledge in information security, information security management, IT risk management and assessment, network technology, server technology, and desktop technology.
More informationPrivileged Administra0on Best Prac0ces :: September 1, 2015
Privileged Administra0on Best Prac0ces :: September 1, 2015 Discussion Contents Privileged Access and Administra1on Best Prac1ces 1) Overview of Capabili0es Defini0on of Need 2) Preparing your PxM Program
More informationSecurityMetrics Business Associate HIPAA compliance program
SecurityMetrics Business Associate HIPAA compliance program IS YOUR PHI SAFE? Business associates help your business succeed, but are they a liability? When your BAs are not HIPAA compliant, your business
More informationOverview of the HIPAA Security Rule
Office of the Secretary Office for Civil Rights () Overview of the HIPAA Security Rule Office for Civil Rights Region IX Alicia Cornish, EOS Sheila Fischer, Supervisory EOS Topics Upon completion of this
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationSo#ware quality assurance - introduc4on. Dr Ana Magazinius
So#ware quality assurance - introduc4on Dr Ana Magazinius 1 What is quality? 2 What is a good quality car? 2 and 2 2 minutes 3 characteris4cs 3 What is quality? 4 What is quality? How good or bad something
More informationFaster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions
Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry A White Paper by CMIT Solutions Table of Contents Introduction... 3 1. Data Backup: The Most Critical Part of any IT Strategy...
More informationOCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463. Court Reporters and HIPAA
Court Reporters and HIPAA OCRA Spring Convention ~ 2014 Phyllis Craver Lykken, RPR, CLR, CCR 2463 1 What Exactly is HIPAA? HIPAA is an acronym for the Health Insurance Portability and Accountability Act
More informationAHLA. B. HIPAA Compliance Audits. Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA
AHLA B. HIPAA Compliance Audits Marti Arvin Chief Compliance Officer UCLA Health System and David Geffen School of Medicine Los Angeles, CA Anna C. Watterson Davis Wright Tremaine LLP Washington, DC Fraud
More informationBUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS
PRIVACY 27.0 BUSINESS ASSOCIATES AND BUSINESS ASSOCIATE AGREEMENTS Scope: Purpose: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS
More informationHeadaches and Pitfalls in Business Associate Contract Management
Headaches and Pitfalls in Business Associate Contract Management ISACA Puget Sound Chapter September Monthly Luncheon Meeting September 17, 2013 2013 Christiansen IT Law Presenter CV John R. Christiansen,
More information12/4/2013. Regulatory Updates. Eric M. Wright, CPA, CITP. Schneider Downs & Co., Inc. December 5, 2013
Regulatory Updates Eric M. Wright, CPA, CITP Schneider Downs & Co., Inc. December 5, 2013 Eric M. Wright, CPA, CITP Eric has been involved with Information Technology with Schneider Downs since 1983. He
More informationThe Challenges of Applying HIPAA to the Cloud. Adam Greene, Partner Davis Wright Tremaine LLP
The Challenges of Applying HIPAA to the Cloud Adam Greene, Partner Davis Wright Tremaine LLP AGENDA Key Concepts Under HIPAA HIPAA Obligations for a BA Questions Remain Reaching Answers Resources KEY CONCEPTS
More informationObtaining CSF Certification Lessons Learned and Why Do It
Obtaining CSF Certification Lessons Learned and Why Do It Aaron Miri, Chief Technology Officer, Children s medical Center of Dallas Ryan Sawyer, Director, Technology Risk and Identity Governance, WellPoint
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationThe HIPAA Omnibus Final Rule
WHITE PAPER The HIPAA Omnibus Final Rule Four risk exposure events that can uncover compliance issues leading to investigations, potential fines, and damage to your organization s reputation. By Virginia
More informationHIPAA: Protecting Your. Ericka L. Adler. Practice and Your Patients
HIPAA: Protecting Your Ericka L. Adler Practice and Your Patients Rachel V. Rose Fallout from the Omnibus Rule Compliance strategies for medical practices 1. Know / manage your business associates and
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More informationCommunity First Health Plans Breach Notification for Unsecured PHI
Community First Health Plans Breach Notification for Unsecured PHI The presentation is for informational purposes only. It is the responsibility of the Business Associate to ensure awareness and compliance
More informationCovered Entities and Business Associates: An Evolving Relationship
Covered Entities and Business Associates: An Evolving Relationship Rebecca L. Williams, RN, JD Partner, Chair of HEALTH/HIPAA Practice Davis Wright Tremaine LLP beckywilliams@dwt.com 1 No health care provider
More informationMy Docs Online HIPAA Compliance
My Docs Online HIPAA Compliance Updated 10/02/2013 Using My Docs Online in a HIPAA compliant fashion depends on following proper usage guidelines, which can vary based on a particular use, but have several
More informationShipman & Goodwin LLP. HIPAA Alert STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS
Shipman & Goodwin LLP HIPAA Alert March 2009 STIMULUS PACKAGE SIGNIFICANTLY EXPANDS HIPAA REQUIREMENTS The economic stimulus package, officially named the American Recovery and Reinvestment Act of 2009
More informationBoomer Technology Group, LLC.
Consul'ng has its ups and downs. This presenta'on is meant to educate those interested in this career path. As well as re- enforce what seasoned consultants already know. This informa'on is presented on
More informationCOMPLIANCE ALERT 10-12
HAWAII HEALTH SYSTEMS C O R P O R A T I O N "Touching Lives Every Day COMPLIANCE ALERT 10-12 HIPAA Expansion under the American Recovery and Reinvestment Act of 2009 The American Recovery and Reinvestment
More informationHIPAA Privacy and Information Security Management Briefing
HIPAA Privacy and Information Security Management Briefing Karen Pagliaro-Meyer Privacy Officer kpagliaro@columbia.edu (212) 305-7315 Soumitra Sengupta Information Security Officer sen@columbia.edu (212)
More informationTrust 9/10/2015. Why Does Privacy and Security Matter? Who Must Comply with HIPAA Rules? HIPAA Breaches, Security Risk Analysis, and Audits
HIPAA Breaches, Security Risk Analysis, and Audits Derrick Hill Senior Health IT Advisor Kentucky REC Why Does Privacy and Security Matter? Trust Who Must Comply with HIPAA Rules? Covered Entities (CE)
More informationWhat Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act
What Health Care Entities Need to Know about HIPAA and the American Recovery and Reinvestment Act by Lane W. Staines and Cheri D. Green On February 17, 2009, The American Recovery and Reinvestment Act
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationData Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, 2014 2:15pm 3:30pm
Electronic Health Records: Data Security and Integrity of e-phi Worcester, MA Wednesday, 2:15pm 3:30pm Agenda Introduction Learning Objectives Overview of HIPAA HIPAA: Privacy and Security HIPAA: The Security
More informationImplications of HIPAA Requirements on Healthcare Payment Processing
Implications of HIPAA Requirements on Healthcare Payment Processing Linda M Wolverton Vice President, Compliance, TEAMHealth Lynne Pearson Vice President, National Healthcare Treasury Management Fifth
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit. Iliana L. Peters, J.D., LL.M. April 23, 2014
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Audit Iliana L. Peters, J.D., LL.M. April 23, 2014 OCR RULEMAKING UPDATE What s Done? What s to Come? What s Done: Interim Final Rules
More informationAccounting for Disclosure Requirements Summary of Changes Included in the Proposed Rule 76 Federal Register 31426-31448 May 31, 2011
Accounting for Disclosure Requirements Summary of Changes Included in the 76 Federal Register 31426-31448 May 31, 2011 Current Rule Right to an Accounting; Content Generally An individual has a right under
More informationTools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits
Tools to Prepare and Protect Your Practice for HIPAA and Meaningful Use Audits Presented by: Don Waechter, Managing Partner Health Compliance Partners Ann Breitinger, Attorney Blalock Walters Legal Disclaimer
More information