HIPAA & HITECH Privacy and Security Concerns : Are You Covered?
- Elinor Dean
HIPAA & HITECH Privacy and Security Concerns: Are You Covered?
Insurance Accounting and Systems Association, Chicagoland Chapter Conference, April 17, 2014
Colin Gainer & Tim Lessman, SmithAmundsen, LLC

HIPAA Privacy and Security
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) created and implemented standards for the use and dissemination of health care information. The Privacy Rule and the Security Rule are sets of administrative simplification regulations promulgated to carry out the requirements set forth by HIPAA.

Privacy Rule
The Privacy Rule regulates the use and disclosure of individuals' health information, called protected health information (PHI).

Security Rule
The Security Rule sets standards for ensuring that only individuals with clearance to work with electronic protected health information (e-PHI) have access to such information.

The Privacy Rule applies to all forms of patients' protected health information. The Security Rule covers protected health information in electronic form. Both rules stress the need to maintain administrative, physical, and technical safeguards when working with any form of protected health information.

Under HIPAA and HITECH
Covered Entity (CE):
- Health plan
- Healthcare clearinghouse
- Healthcare provider

What is a Covered Entity?
- A health care provider. This includes providers such as hospitals, doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
- A health plan. This includes health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans' health care programs.
- A health care clearinghouse. This includes entities that process nonstandard health information they receive from another entity into a standard format (i.e., standard electronic format or data content), or vice versa.

Who is a Business Associate of a Covered Entity?
Under HIPAA, a Business Associate (BA) is a person or entity who performs or assists with a function or activity involving individually identifiable health information.

Business Associate Examples
- Law firms
- Accountants
- Information technology companies
- Billing services
- Health insurance brokers
HITECH

What is HITECH?
The American Recovery and Reinvestment Act of 2009 (ARRA) included legislation commonly referred to as the Health Information Technology for Economic and Clinical Health Act (HITECH).

Final Rule
On January 17, 2013, the Department of Health and Human Services issued long-awaited final regulations implementing the privacy, security, and breach-notification provisions of HITECH, effective September 23, 2013. The regulations amend the HIPAA Privacy, Security, and Enforcement Rules and finalize a modified HIPAA Breach Notification Rule, which had been in effect on an interim basis since 2009.

HITECH on HIPAA
- Creates new privacy and security requirements for HIPAA covered entities and their business associates
- New accounting, disclosure, and breach requirements
- New restrictions on marketing and fundraising
- Increased penalties
- Rise of the HIPAA audit

Expansion of Business Associate
Business Associate is defined to include:
- Patient Safety Organizations
- Health Information Organizations and e-prescribing gateways
- Subcontractors

Subcontractors
Downstream entities that work at the direction of or on behalf of a BA. The CE is not required to have a contract with the subcontractor (the BA is).

Subcontractors
A BA is required to obtain written satisfactory assurances from its immediate subcontractor (Sub-BAA). Subcontractors are responsible for compliance with the business associate requirements under the Security and Privacy Rules, even if the parties failed to enter into a written business associate agreement.

Expansion of Business Associate
Entities that maintain PHI:
- Document destruction vendors
- e-PHI vendors
- Storage vendors
- Cloud storage
The test is persistence of custody, not the degree of access.

The Big Change for Business Associates

The Business Associate before HITECH
Originally, the provisions of HIPAA applied to a business associate only through a contractually created relationship with a covered entity. Before HITECH, the only remedy available to a covered entity for a business associate's violation of HIPAA was one of general contract law.

The Business Associate after HITECH
HITECH creates a direct legal obligation on a business associate, both in the application of the HIPAA requirements and in the penalties associated with a violation.
- A BA may be liable not only to the CE in the case of a breach of security or privacy, but to the patient as well through HIPAA.
- A BA is subject to civil and criminal penalties under HIPAA.
- A BA is potentially subject to mandatory compliance audits by the Secretary of HHS.

BA Obligations
- Limit uses and disclosures to what is permitted under the Privacy Rule; this specifically includes compliance with the minimum necessary standard
- Provide breach notification to the covered entity
- Provide a copy of electronic PHI to either the covered entity or the individual
- Disclose PHI to the Secretary in an investigation
- Provide an accounting of disclosures*
- Comply with the Security Rule safeguards and BAA requirements
HIPAA's and HITECH's Impact on Identifiable Health Information

PHI and E-PHI Content
Individually identifiable health information contains demographic information collected from an individual, is created or received by a CE, and relates to the past, present, or future health condition of the individual; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual.

Elements of PHI
- Names
- Geographic subdivisions smaller than a state, including street address, city, county, precinct, and zip code
- Elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, and date of death
- Telephone and fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
45 CFR
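As an added example that is not part of the presentation, the scanner below checks free text for the pattern-detectable identifier classes in the list above (SSNs, phone/fax numbers, email addresses, URLs, IP addresses, full dates, medical record numbers, zip codes) and redacts them while leaving a bare year in place. It runs over a constructed sample record; names, street addresses, biometrics and photographs cannot be found by regular expressions and are deliberately out of scope.

```python
import re

# Pattern-detectable identifier classes from the "Elements of PHI" list.
# Order matters for redaction: composite tokens (a URL, an email address)
# are replaced before the shorter numeric patterns get a chance to match
# fragments of them.  The IP pattern accepts any dotted quad of 1-3 digit
# groups and does not range-check octets.
PATTERNS = [
    ("url", re.compile(r"\bhttps?://\S+?(?=[.,;)]*(?:\s|$))", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone_or_fax", re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")),
    ("ip_address", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # A month and day make a date identifying; a bare year is permitted.
    ("full_date", re.compile(
        r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}"
        r"|\d{4}-\d{2}-\d{2}"
        r"|(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\.?\s+\d{1,2},?\s+\d{4})\b")),
    ("medical_record_number", re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE)),
    ("zip_code", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]

# Constructed sample record (fictional patient, RFC 5737 test address, example.org).
SAMPLE_RECORD = (
    "Patient Jane Example, MRN 0049187, DOB 03/14/1962, admitted 2014-04-02 to "
    "Lakeside Clinic, 12 Elm St, Springfield IL 62704. Phone (217) 555-0143, "
    "email jane.example@example.org. SSN 123-45-6789. Portal login from "
    "203.0.113.7 via https://portal.example.org/visit/5521. Visit year 2014."
)


def find_identifiers(text):
    """Return {category: [matched strings]} for every category present in text."""
    found = {}
    for name, pattern in PATTERNS:
        hits = pattern.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(text):
    """Replace each detected identifier with a bracketed category tag."""
    for name, pattern in PATTERNS:
        text = pattern.sub("[%s]" % name.upper(), text)
    return text


def is_safe_harbor_clean(text):
    """True when none of the pattern-detectable identifier classes remain.

    A True result is necessary, not sufficient: names and geographic
    subdivisions still need a separate (structured or NLP-based) review.
    """
    return not find_identifiers(text)


if __name__ == "__main__":
    for category, hits in find_identifiers(SAMPLE_RECORD).items():
        print("%-22s %s" % (category, hits))
    print(redact(SAMPLE_RECORD))
```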
Secured Information
Unsecured protected health information is protected health information that is not secured through a technology or methodology specified in guidance by HHS. C.F.R. Electronic protected health information may be secured by encryption or workstation security, for example. Paper protected health information can be secured by destruction or proper storage, for example.

Securing PHI and E-PHI
- Automatic log out
- Password-protected log on
- Procedures in place for guarding against viruses, Trojan horses, worms, etc.
- Limit access to E-PHI internally
- Verify that terminated employees/agents no longer have electronic access
- Increase use of shredders (bins) on a daily basis and at the time of purging closed files
- Monitor or control areas where PHI is used
- Immediately account for and report lost iPhones, laptops, disks, files, etc.
- Encryption
Breaches

Breach Reporting
HITECH requires every covered entity to notify a person when there has been a breach of that person's PHI, and to notify HHS. Under HITECH, a business associate is required to notify the covered entity of any breach of confidentiality of PHI acquired from the covered entity.

Old Breach Definition
Breach meant "the acquisition, access, use, or disclosure of [PHI] in a manner not authorized under [HIPAA] which compromises the security or privacy of such information." 45 C.F.R.

Old Definition
"Compromises the security or privacy" meant a result of: significant risk of financial, reputational, or other harm to the individual. 45 C.F.R.

Final Rule Change
Replaces the breach notification rule's harm threshold with a more objective standard. A breach is any breach UNLESS you can demonstrate that there is a LOW PROBABILITY that the PHI has been compromised (presumption standard).

Reporting
Within 60 days of the discovery of a breach, a covered entity must provide notice via first class mail to the affected person's last known address. 45 C.F.R. (b).

In any case in which more than 500 persons are affected by a breach, the covered entity must provide notice to major local media outlets.

What must the notice include?
- A description of what happened
- Date
- Types of information involved
- Steps the person should take to protect themselves
- Description of the covered entity's investigation and mitigation efforts
- Contact information (*toll-free number for web/print/broadcast notice)

Business Associate Breach Notification Rule
A business associate must notify the covered entity, and must provide that notice within 60 days (check the BAA). Provide the CE with:
- the identification of each affected individual
- any information required to be provided by the CE in its notification to affected individuals

Additional BA Requirements
A BA must report to the CE if the BA knows of a pattern of activity or practice by the CE that constitutes a material breach of the BAA. The BA must take steps to cure the breach, OR:
- Terminate the arrangement
- Report to HHS
HIPAA/HITECH Enforcement

Breaches
Every breach carries with it the potential for OCR enforcement and civil penalties, regardless of the size, circumstances, or response of the responsible entity.

Penalties Prior to HITECH
No more than $100 for each violation, and up to $25,000. Also allowed for an "ignorance of the law" defense.

HITECH: Tiered Penalties
- Unaware even through due diligence: $100-$50,000 per occurrence / $1.5 million aggregate
- Caused, but not from willful neglect: $1,000-$50,000 per occurrence / $1.5 million aggregate
- Willful neglect, corrected in 30 days: $10,000-$50,000 per occurrence / $1.5 million aggregate
- Willful neglect, not corrected: $50,000 minimum per occurrence / $1.5 million aggregate

OCR Penalties
- Alaska Medicaid Agency: $1.7 million over the PHI of 501 individuals
- BCBS of Tennessee: $1.5 million over the PHI of 1,023,209 individuals

Other Violation Examples
- OCR imposed a $4.3 million penalty on Cignet Health of Prince George's County, MD. $1.3 million was imposed on the basis that Cignet had denied 41 patients access to their medical records. An additional $3.0 million was imposed because Cignet failed to cooperate with OCR's investigations on a continuing basis from March 17, 2009 to April 7.
- Massachusetts General Physicians Organization Inc. (Mass General) agreed to pay $1,000,000. The incident involved the loss of PHI of 192 patients of Mass General's Infectious Disease Associates outpatient practice, including patients with HIV/AIDS.
- University of California at Los Angeles Health System agreed to settle for $865,500. The investigation stemmed from a complaint of employees viewing the records of two separate celebrity patients.

OCR and HHS Findings, Developments, and Trends

Breaches involving 500 or more individuals made up less than one percent of reports, BUT accounted for more than 99 percent of the more than 7.5 million individuals who were affected by a breach of their protected health information. The largest breaches occurred as a result of theft. The greatest number of reported incidents were small breaches involving human or technological error, most commonly involving the protected health information of just one or two individuals.

Trends
Investigated most:
- Impermissible use and disclosure of PHI
- Lack of safeguards on PHI
- Lack of patient access
- Violating the minimum necessary rule
- Lack of administrative safeguards on E-PHI

Who is Being Affected
Top 5:
- Private practices
- General hospitals
- Outpatient facilities
- Health plans
- Pharmacies
Audits

HIPAA Audits under HITECH
A section of the HITECH Act requires the Dept. of Health and Human Services (HHS) to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

HIPAA Audits under HITECH
HHS was left with the task of developing and implementing an audit program that carries out the mandate under HITECH. The Office for Civil Rights (OCR), through HHS, is overseeing the audit process.

Audit Protocol
Currently 169 activities OCR considers part of the Audit Program:
- 78 activities for HIPAA Security
- 81 activities for HIPAA Privacy
- 10 activities for Breach Notification and Reporting

Security Rule Protocols
The protocol covers Security Rule requirements for administrative, physical, and technical safeguards. Examples:
- Risk assessment policy
- Workforce clearance for PHI access

Privacy Rule Protocols
Covers areas of the Privacy Rule concerning: 1) notice of privacy practices for PHI; 2) rights to request privacy protection for PHI; 3) administrative requirements; 4) uses and disclosures of PHI; 5) access of individuals to PHI; 6) amendment of PHI; 7) accounting of disclosures. Examples:
- Business Associate Agreement policy
- Consistent use and disclosure policies and notice of disclosure policies

Breach Protocols
The protocol covers requirements for the Breach Notification Rule. Examples:
- Alerting an individual of a breach involving his/her PHI
- Ensuring breach notification elements are contained in the Business Associate Agreement

What OCR Discovered
- Most of the evaluated entities did not conform to HIPAA standards for security, privacy, and breach notification, the three audit areas
- Two-thirds failed to perform a sufficient security risk assessment
- The most common response to a non-compliance finding was that the entity was unaware of the requirement

What OCR Discovered
Privacy requirements entities were most unaware of:
- notice of privacy practices
- access of individuals
- minimum necessary
- authorizations
Security requirements entities were most unaware of:
- risk analysis
- media movement and disposal
- audit controls and monitoring

Future of the HIPAA Audit
As suspected: Round II. In February 2014, HHS OCR announced a plan to survey 1,200 organizations (800 covered entities and 400 business associates). The survey will gather information about respondents to enable OCR to assess the size, complexity, and fitness of a respondent for an audit. It will collect recent data about the number of patient visits or insured lives, use of electronic information, revenue, and business locations.

Who Can Be Audited?
Every covered entity and business associate is eligible for an audit. Initial rounds were designed to provide a broad assessment of the health care industry. OCR has promised to audit "as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses..."

HHS OCR Perspective
OCR views the audits as a way to improve knowledge and compliance and to encourage best practices: "Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR's ongoing complaint investigations and compliance reviews."

Best Practices
- Self-audits: the audit process is public information, and there is no secret formula for how OCR will grade your compliance.
- Annually review your program: do not rely on out-of-date policies and procedures as evidence of compliance. OCR has been clear that you are out of compliance with the regulation if you are not reviewing and updating your program on an annual basis. The areas covered by the HIPAA Security Rule are especially sensitive to changes in technology.

Best Practices
Do your policies extend beyond the desktop PC at work? Recent OCR enforcement trends have focused heavily on internet and mobile technology, e.g. cloud and social networking. Entities need policies and procedures addressing tracking, authentication, and security of PHI accessible outside of the physical work area, e.g. remote access via smartphones and tablets.

Worst Practices
- Hoping you do not get selected (the "fingers crossed" approach)
- Thinking you are too small to be noticed by OCR
- Waiting until you receive an audit letter to begin developing HIPAA/HITECH-compliant policies

What the Future Will Bring
More audits! Evidence that audits will not go away:
- HHS is mandated under HITECH to periodically audit
- Audits perform the two-fold function of enforcing HIPAA and (potentially) generating revenue in the form of penalties stemming from HIPAA violations
- Money has been appropriated for the audit program
OCR Director Leon Rodriguez: "We did our audit pilot this year and the idea after that is to have a permanent program, part of which will need to be funded by the proceeds of enforcement. I saw these articles out there that said 'More audits are coming' and 'Are you ready for audits?' and that's a smart question because that is really what's ahead for us."
The Cyber Threat
Data breach examples:
- Hacking
- Theft of storage devices
- Viruses
- Catastrophic weather events
- State-sponsored hacking

The Implications
- Exposure of personally identifiable information
- Business interruption
- Litigation
- Regulatory implications
- Government investigations
- Reputational damages

Will Insurance Help?
Some decisions have found coverage under traditional policies. Going forward, however, traditional forms of insurance may not offer sufficient protection.

Property Insurance
Ward General Ins. Serv., Inc. v. Employers Fire Ins. Co., 114 Cal.App.4th 548 (Cal. App. 2003): Lost data does not constitute tangible property, thus there was no physical loss as was required by the policy. See also: America Online, Inc. v. St. Paul Mercury Ins. Co., 207 F.Supp.2d 459 (E.D. Va. 2002); Southeast Mental Health Center, Inc. v. Pacific Ins. Co., Ltd., 439 F.Supp.2d 831 (W.D. Tenn. 2006).
But: Landmark American Ins. Co. v. Gulf Coast Analytical Laboratories, 2012 WL (M.D. La., Mar. 30, 2012): Tangibility was not a defining quality of physicality; electronic data was deemed to be physical.

Crime Insurance
Retail Ventures, Inc. v. National Union Fire Ins. Co. of Pittsburgh, Pa., 691 F.3d 821 (6th Cir. 2012): The insured prevailed on appeal in its coverage claim seeking $6.8 million in data breach losses under a computer fraud rider to a commercial crime policy. The loss resulted directly from theft of insured property by computer fraud.

Errors & Omissions Insurance
Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010): An online marketing firm was provided coverage under its E&O policy because the insured's acts were not intentionally wrongful and thus fell within the coverage grant. The court also found coverage under the CGL policy due to allegations of loss of use of the plaintiff's computer; this was not excluded under the impaired property exclusion because no evidence was presented that the situation could be remedied by the removal of Eyeblaster's spyware.

CGL Insurance
Loss of electronic data is not tangible property: Recall Total Information Management v. Federal Ins. Co., 2012 WL (Conn. Super. Jan. 17, 2012); Union Pump Co. v. Centrifugal Technologies, Inc. But remember Eyeblaster.
Also, Netscape Communications Corp. v. Federal Ins. Co., 343 Fed.Appx. 271 (9th Cir. 2009) found that an insured was covered under the Personal & Advertising Injury coverage. Encore Receivable Management, Inc. v. ACE Property & Cas. Ins. Co., 2013 WL (S.D. Ohio, July 3, 2013) found that publication occurs the moment a customer's conversation is recorded; this could serve to limit the publication requirement. Hartford Cas. Ins. Co. v. Corcino & Assoc. et al.: a C.D. California case finding that publication of confidential medical information triggered a duty to defend. Zurich American Ins. Co. v. Sony Corp. of America (PlayStation data breach): a recent pro-insurer ruling; the publication that occurred was not by the policyholder but by third-party hackers, and no duty to defend was found.

Limitations of Existing Forms of Coverage
- Exclusions are being added to these types of policies to prevent coverage extensions
- The War Exclusion and Terrorism Exclusions
- Insurers are willing to litigate issues

Best Practices: Cyber Coverage
The types of coverage offered vary widely, but consultation with professionals regarding your needs can ascertain the appropriate type of coverage.

Q & A
More informationHIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets
HIPAA-P06 Use and Disclosure of De-identified Data and Limited Data Sets FULL POLICY CONTENTS Scope Policy Statement Reason for Policy Definitions ADDITIONAL DETAILS Web Address Forms Related Information
More informationHIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security. May 7, 2013
HIPAA Compliance The Time is Now Changes on the Horizon: The Final Regulations on Privacy and Security May 7, 2013 Presenters James Clay President Employee Benefits & HR Consulting The Miller Group jimc@millercares.com
More informationHosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE
Hosting for Healthcare: ADDRESSING THE UNIQUE ISSUES OF HEALTH IT & ACHIEVING END-TO-END COMPLIANCE [ Hosting for Healthcare: Addressing the Unique Issues of Health IT & Achieving End-to-End Compliance
More informationNetwork Security and Data Privacy Insurance for Physician Groups
Network Security and Data Privacy Insurance for Physician Groups February 2014 Lockton Companies While exposure to medical malpractice remains a principal risk MIKE EGAN, CPCU Senior Vice President Unit
More informationAm I a Business Associate?
Am I a Business Associate? Now What? JENNIFER L. RATHBURN Quarles & Brady LLP KATEA M. RAVEGA Quarles & Brady LLP agenda» Overview of HIPAA / HITECH» Business Associate ( BA ) Basics» What Do BAs Have
More informationBy Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN
Major Changes to HIPAA Security and Privacy Rules Enacted in Economic Stimulus Package By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN The HITECH Act is the
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA Violations Incur Multi-Million Dollar Penalties Whitepaper HIPAA Violations Incur Multi-Million Dollar Penalties Have you noticed how many expensive Health Insurance Portability and Accountability
More information12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule
HIPAA More Important Than You Realize J. Ira Bedenbaugh Consulting Shareholder February 20, 2015 This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record
More informationWhat do you need to know?
What do you need to know? DISCLAIMER Please note that the information provided is to inform our clients and friends of recent HIPAA and HITECH act developments. It is not intended, nor should it be used,
More informationBusiness Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule
Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule Patricia D. King, Esq. Associate General Counsel Swedish Covenant Hospital Chicago, IL I. Business Associates under
More informationHIPAA FOR LAWYERS AND LAW FIRMS What you need to know to prevent your law firm from paying MILLION$
HIPAA FOR LAWYERS AND LAW FIRMS What you need to know to prevent your law firm from paying MILLION$ FDCC Annual Meeting The Greenbrier Resort White Sulphur Springs, West Virginia July 27 August 2, 2014
More informationHIPAA Policy, Protection, and Pitfalls ARTHUR J. GALLAGHER & CO. BUSINESS WITHOUT BARRIERS
HIPAA Policy, Protection, and Pitfalls Overview HIPAA Privacy Basics What s covered by HIPAA privacy rules, and what isn t? Interlude on the Hands-Off Group Health Plan When does this exception apply,
More informationDonna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS
Donna S. Sheperis, PhD, LPC, NCC, CCMHC, ACS Sue Sadik, PhD, LPC, NCC, BC-HSP Carl Sheperis, PhD, LPC, NCC, MAC, ACS 1 DISCLAIMER Please review your own documentation with your attorney. This information
More informationAm I a Business Associate? Do I want to be a Business Associate? What are my obligations?
Am I a Business Associate? Do I want to be a Business Associate? What are my obligations? Brought to you by Winston & Strawn s Health Care Practice Group 2013 Winston & Strawn LLP Today s elunch Presenters
More informationHIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )
HIPAA and HITECH Compliance Under the New HIPAA Final Rule Presented Presented by: by: Barry S. Herrin, Attorney CHPS, Name FACHE Smith Smith Moore Moore Leatherwood Leatherwood LLP LLP Atlanta Address
More information6/17/2013 PRESENTED BY: Updates on HIPAA, Data, IT and Security Technology. June 25, 2013
Updates on HIPAA, Data, IT and Security Technology June 25, 2013 1 The material appearing in this presentation is for informational purposes only and should not be construed as advice of any kind, including,
More informationImplementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind
Page1 Implementing Electronic Medical Records (EMR): Mitigate Security Risks and Create Peace of Mind The use of electronic medical records (EMRs) to maintain patient information is encouraged today and
More informationHIPAA Violations Incur Multi-Million Dollar Penalties
HIPAA regulations have undergone major changes in the last few years giving both the federal and state Governments new and enhanced powers and resources to pursue HIPAA violations HIPAA Violations Incur
More informationHHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers
Compliance Tip Sheet National Hospice and Palliative Care Organization www.nhpco.org/regulatory HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers Hospice Provider Compliance To Do List
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT 1. DEFINITIONS: 1.1 Undefined Terms: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms defined by the Health Insurance Portability
More informationThis presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in
This presentation focuses on the Healthcare Breach Notification Rule. First published in 2009, the final breach notification rule was finalized in the HIPAA Omnibus Rule of 2013. As part of the American
More informationHIPAA Privacy Keys to Success Updated January 2010
HIPAA Privacy Keys to Success Updated January 2010 HIPAA Job Specific Education 1 HIPAA and Its Purpose What is HIPAA? Health Insurance Portability and Accountability Act of 1996 Title II Administrative
More informationA How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
More informationWelcome to ChiroCare s Fourth Annual Fall Business Summit. October 3, 2013
Welcome to ChiroCare s Fourth Annual Fall Business Summit October 3, 2013 HIPAA Compliance Regulatory Overview & Implementation Tips for Providers Agenda Green packet Overview of general HIPAA terms and
More informationUnderstanding HIPAA Regulations and How They Impact Your Organization!
Understanding HIPAA Regulations and How They Impact Your Organization! Presented by: HealthInfoNet & Systems Engineering! April 25 th 2013! Introductions! Todd Rogow Director of IT HealthInfoNet Adam Victor
More informationHealth Partners HIPAA Business Associate Agreement
Health Partners HIPAA Business Associate Agreement This HIPAA Business Associate Agreement ( Agreement ) by and between Health Partners of Philadelphia, Inc., the Covered Entity (herein referred to as
More informationNew HIPAA Breach Notification Rule: Know Your Responsibilities. Loudoun Medical Group Spring 2010
New HIPAA Breach Notification Rule: Know Your Responsibilities Loudoun Medical Group Spring 2010 Health Information Technology for Economic and Clinical Health Act (HITECH) As part of the Recovery Act,
More informationData Security Breaches: Learn more about two new regulations and how to help reduce your risks
Data Security Breaches: Learn more about two new regulations and how to help reduce your risks By Susan Salpeter, Vice President, Zurich Healthcare Risk Management News stories about data security breaches
More informationHIPAA and Mental Health Privacy:
HIPAA and Mental Health Privacy: What Social Workers Need to Know Presenter: Sherri Morgan, JD, MSW Associate Counsel, NASW Legal Defense Fund and Office of Ethics & Professional Review 2010 National Association
More informationBREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS
BREVIUM HIPAA BUSINESS ASSOCIATE TERMS AND CONDITIONS The following HIPAA Business Associate Terms and Conditions (referred to hereafter as the HIPAA Agreement ) are part of the Brevium Software License
More informationOCR UPDATE Breach Notification Rule & Business Associates (BA)
OCR UPDATE Breach Notification Rule & Business Associates (BA) Alicia Galan Supervisory Equal Opportunity Specialist March 7, 2014 HITECH OMNIBUS A Reminder of What s Included: Final Modifications of the
More informationProofpoint HIPAA Breach Report:
Proofpoint HIPAA Breach Report: An Analysis of HITECH Breach Notifications and Settlements, Q1 2013 Healthcare Industry Update threat protection compliance archiving & governance secure communication Contents
More informationHIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS
HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS Thank you for taking the time to fill out the privacy & security checklist. Once completed, this checklist will help us get a better
More informationHIPAA 101: Privacy and Security Basics
HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually
More informationBUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc.
BUSINESS ASSOCIATE AGREEMENT First Choice Community Healthcare, Inc. THIS BUSINESS ASSOCIATE AGREEMENT (BAA) is entered into by and between First Choice Community Healthcare, with a principal place of
More informationHIPAA COMPLIANCE PLAN FOR 2013
HIPAA COMPLIANCE PLAN FOR 2013 Welcome! Presentor is Rebecca Morehead, Practice Manager Strategist www.practicemanagersolutions.com Meaningful Use? As a way to encourage hospitals and providers to adopt
More informationThe HIPAA Audit Program
The HIPAA Audit Program Anna C. Watterson Davis Wright Tremaine LLP The U.S. Department of Health and Human Services (HHS) was given authority, and a mandate, to conduct periodic audits of HIPAA 1 compliance
More informationDatto Compliance 101 1
Datto Compliance 101 1 Overview Overview This document provides a general overview of the Health Insurance Portability and Accounting Act (HIPAA) compliance requirements for Managed Service Providers (MSPs)
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT The parties to this ( Agreement ) are, a _New York_ corporation ( Business Associate ) and ( Client ) you, as a user of our on-line health record system (the "System"). BY
More informationHIPAA & HITECH AND THE DISCOVERY PROCESS
HIPAA & HITECH AND THE DISCOVERY PROCESS HEATHER L. HUGHES, J.D. U.S. Legal Support, Inc. 363 North Sam Houston Parkway East, Suite 900 Houston, Texas 77060 (713) 653-7100 State Bar of Texas 8 th ANNUAL
More informationSection C: Data Use Agreement. Illinois Department of Healthcare and Family Services. And DATA USE AGREEMENT
Section C: Data Use Agreement Illinois Department of Healthcare and Family Services And DATA USE AGREEMENT This Data Use Agreement (the Agreement ) is effective as of (the Agreement Effective Date ) by
More informationDistrict of Columbia Health Information Exchange Policy and Procedure Manual
District of Columbia Health Information Exchange Policy and Procedure Manual HIPAA Privacy & Direct Privacy Policies (Version 1 November 27, 2012) Table of Contents Policy # Policy/Procedure Description
More informationHIPAA and the HITECH Act Privacy and Security of Health Information in 2009
HIPAA and the HITECH Act Privacy and Security of Health Information in 2009 What is HIPAA? Health Insurance Portability & Accountability Act of 1996 Effective April 13, 2003 Federal Law HIPAA Purpose:
More informationName of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:
PLEASE NOTE: THIS DOCUMENT IS SUBMITTED AS A SAMPLE, FOR INFORMATIONAL PURPOSES ONLY TO ABC ORGANIZATION. HIPAA SOLUTIONS LC IS NOT ENGAGED IN THE PRACTICE OF LAW IN ANY STATE, JURISDICTION, OR VENUE OF
More informationHIPAA Refresher. HIPAA Health Insurance Portability & Accountability Act
HIPAA Health Insurance Portability & Accountability Act This presentation and materials provided are for informational purposes only. Please seek legal advisor assistance when dealing with privacy and
More informationPrivacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:
HIPAA Privacy Officer Orientation Presented by: Cathy Montgomery, RN Privacy Officer Job Description Serve as leader Develop Policies and Procedures Train staff Monitor activities Manage Business Associates
More informationHIPAA Compliance Issues and Mobile App Design
HIPAA Compliance Issues and Mobile App Design Washington, D.C. April 22, 2015 Presenter: Shannon Hartsfield Salimone, Holland & Knight LLP, Tallahassee and Jacksonville, Florida Agenda Whether HIPAA applies
More informationPresented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com
Healthcare Compliance: How HiTECH May Affect Relationships with Business Associates Presented by: Leslie Bender, CIPP General Counsel/CPO The ROI Companies www.theroi.com Legal Disclaimer This information
More informationSecond Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL
Second Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL Using Insurance Coverage to Mitigate Cybersecurity Risks To Warranty and Service Contract Businesses Barry Buchman, Partner
More informationAnnual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance. For Calendar Years 2009 and 2010
Annual Report to Congress on HIPAA Privacy Rule and Security Rule Compliance For Calendar Years 2009 and 2010 As Required by the Health Information Technology for Economic and Clinical Health (HITECH)
More informationMCCP Online Orientation
Objectives At the conclusion of this presentation, students will be able to: Describe the federal requirements of the HIPAA/HITECH regulations that protect the privacy and security of confidential data.
More information2/9/2012. 2012 HIPAA Privacy and Security Audit Readiness. Table of contents
2012 HIPAA Privacy and Security Audit Readiness Mark M. Johnson National HIPAA Services Director Table of contents Page Background 2 Regulatory Background and HITECH Impacts 3 Office of Civil Rights (OCR)
More information