HIPAA Compliance: Are you prepared for the new regulatory changes?
Baker Tilly / CARIS Innovation, Inc.
April 30, 2013
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.
Your Presenters
Dan Steiner, Manager; MBA, CPA, CFE, ARM
> Dan Steiner is a Manager in the Risk Services Group
> Specializes in enterprise risk management, internal controls, risk transfer solutions, HIPAA compliance, Service Organization Control (SOC) reporting, crisis management, and business continuity
Your Presenters
Christine Duprey, VP and Co-Owner
> Chris has over 19 years of health care experience
> Has spent the past six years consulting many organizations in the public and private sector through their HIPAA initiatives in assessment, planning and execution
> Performed business analysis for hospital practices to streamline business processes, increasing efficiency and raising employee awareness in order to eliminate waste within their processes
Your Presenters
Megan Blaser, Consultant
> Has a Master's of Arts and Education in Adult Education and Training
> Helps companies with their compliance initiatives by conducting risk assessments
> Provides the necessary education and training for companies to successfully implement their compliance plans
Agenda
> HIPAA Regulation Integration and Relationship
> HIPAA Omnibus Final Rule: Modification Impacts to Privacy, Security, Breach and Enforcement
  Business Associate Responsibilities
  Satisfactory Assurances
  Breach Notification (Final Rule)
  Civil Monetary Penalties
> Unsecured PHI
> Security and Privacy Rule Overview
> Compliance Readiness
> Next Steps
> Appendix
A Brief History of HIPAA
> HIPAA: Health Insurance Portability and Accountability Act (1996)
  Electronic Data Interchange
  Privacy (2000)
  Security (2003)
> Genetic Information Nondiscrimination Act, GINA (2008)
> American Recovery and Reinvestment Act, ARRA (2009)
  Division A: Appropriations Provisions
  Title XIII: Health Information Technology; Improved Privacy and Security Provisions
> Patient Protection and Affordable Care Act
> HIPAA Final Omnibus Rules published January 25th, 2013 (effective March 26th, 2013; compliance required by September 23rd, 2013)
Modifications
Privacy
> Modifies the notice of privacy practices
> Modifies the individual authorization
> Enables access to decedent information
> Sets limitations on use and disclosure of PHI for Marketing and Fundraising
> Modifies Privacy to incorporate GINA Act requirements
> Expands individual rights
> Business Associates are directly liable
Security
> Business Associates are directly liable
> Modifies Security regulations to include business associate requirements of ARRA
Breach Notification
> Final rule on Breach Notification
Enforcement
> Increased and tiered Civil Money Penalties
> Adopts HITECH Act enhancements to the Enforcement Rule addressing willful neglect
Business Associates
> Business Associate: a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity or business associate.
> Examples of Business Associates include:
  Third Party Administrators
  Patient Safety Organizations (new)
  Print and Mail Services
  IT Troubleshooting and Support
  Shredding and Disposal
  Data Management Companies
Business Associate Requirement Changes
1996: Covered entity must obtain written assurances (Business Associate Agreement); monitoring not required.
2009: ARRA deems the Business Associate just as responsible for the execution of the Business Associate Agreement and applies Civil Monetary Penalties to BAs.
2013: Business Associates are responsible for obtaining BAAs with their subcontractors. They may need to provide or obtain satisfactory assurances that they or their subcontractors are compliant.
Business Associate Agreement
Compliance due date: September 23, 2013 or September 23, 2014?
Where are you?
> Have all Business Associates been identified?
  » Are the Business Associate Agreements updated and executed since 2009?
> Have you identified situations when you are the Business Associate to others?
  » Are the Business Associate Agreements updated and executed since 2009?
> What work is left?
  » Updating and re-execution of ALL Business Associate Agreements by 9/23/2013
  » Agreements executed by January 25, 2013 will have until 9/23/2014 to complete these BAAs.
Polling Question
> Have you identified the relationships where you are the business associate and others are a business associate to you?
  A. Yes
  B. No
  C. Somewhat
  D. Not sure
Satisfactory Assurances
> Organizations will need to determine the level of satisfactory assurances they will need in order to feel comfortable that compliance is met. Direction has not been provided as to the level of satisfactory assurances; Business Associates will need to consider:
  Subcontractors
  Implementation
  Oversight
> Expectations from Covered Entities by September 23, 2013
Breach Notification
The Final Rule was published on January 25, 2013, to be effective on March 23, 2013, with compliance required by September 23, 2013.
> 1996: HIPAA did not require notification when patient PHI was inappropriately disclosed; covered entities may have chosen to include notification as part of the mitigation process.
> 2009: ARRA/HITECH does require notification of certain breaches of unsecured PHI to the following:
  Individuals
  Department of Health and Human Services (HHS)
  Media
> January 25, 2013: The Final Breach Notification Rule was published, requiring an entity to assess the probability that the protected health information has been or may be further compromised, based on a risk assessment.
Risk Factors to Consider for Breach Notification
(1) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification
(2) The unauthorized person who used the protected health information or to whom the disclosure was made
(3) Whether the protected health information was actually acquired or viewed
(4) The extent to which the risk to the protected health information has been mitigated
Application of Provisions and Penalties to Covered Entities
1996: CE responsible for BA, and subject to fines and penalties.
2009: HITECH/ARRA penalties introduced by increasing the fines and levels of penalties.
2013: Omnibus Rule: CE & BA responsible for the compliance and satisfactory assurances. Final modification which enhanced civil monetary penalties.
Example: How will fines be assessed?
> 2010: Company X was in violation and was fined according to the tiered description.
> 2013: Company X was in violation; Company X will be evaluated to determine the degree of the penalties.
Penalty Considerations
> Nature and extent of the violation
> Nature and extent of the harm resulting from the violation
> History of prior compliance with the administrative simplification provisions, including violations by the covered entity or business associate, consideration of which may include but is not limited to:
  Financial condition of the covered entity or business associate
  Such other matters as justice may require
Unsecured PHI
> Unsecured PHI means PHI that is not secured through the use of a technology or methodology specified by the "Guidance Specifying the Technologies and Methodologies that Render PHI Unusable, Unreadable, or Indecipherable to Unauthorized Individuals for Purposes of the Breach Notification Requirements Under HITECH/ARRA; Request for Information."
Compromising PHI Data
> Data in Motion: data that is moving through a network, including wireless transmission;
> Data at Rest: data that resides in databases, file systems, and other structured storage methods;
> Data in Use: data in the process of being created, retrieved, updated, or deleted; or
> Data Disposed: discarded paper records or recycled electronic media
Have you implemented?
> Encryption: recommendations for the industry encryption standards to meet the definition of secured PHI
> Destruction: recommendations for the industry destruction standards to meet the definition of secured PHI
> Storage: recommendations for the industry storage of electronic media to meet the definition of secured PHI
Polling Question
> Based on our discussion, are you comfortable that your organization is adequately protecting PHI?
  A. Yes
  B. No
  C. Still not sure
Security Rules
> 164.302 Applicability
> 164.304 Definitions
> 164.306 Security Standards: General Rules
> 164.308 Administrative Safeguards
> 164.310 Physical Safeguards
> 164.312 Technical Safeguards
> 164.314 Organizational Requirements
> 164.316 Policies and Procedures and Documentation Requirements
> 164.318 Compliance Dates for the Initial Implementation of the Security Standards
Standards in bold represent the requirements applicable to the Business Associate via the ARRA.
Have you completed necessary tasks?
> Has the Security Risk Assessment been performed?
  Have the risks, threats and vulnerabilities been identified?
  Have controls been implemented to mitigate the risks identified?
> Has access to systems, workstations and programs been assessed?
  Has appropriate authorization and supervision of access been implemented?
  Have workforce members been identified?
> Have the Contingency Plans been developed and updated? Do they include:
  Back-up plans, disaster recovery, emergency mode of operation plans
> Has the Security Awareness Training been completed?
  Security Reminders
  Protection from Malicious Software
  Log-in Monitoring
  Password Management
Privacy Rules: Uses and Disclosures
> 164.500 Applicability
> 164.501 Definitions
> 164.502 Uses and Disclosures of PHI: General Rules
> 164.504 Uses and Disclosures: Organizational Requirements
> 164.506 Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations
> 164.508 Uses and Disclosures for which an Authorization is Required
> 164.510 Uses and Disclosures Requiring an Opportunity to Agree or to Object
> 164.512 Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object, is Not Required
> 164.514 Other Requirements Relating to Uses and Disclosures of PHI
Privacy Rules: Patient Rights
> 164.520 Notice of Privacy Practices for PHI
> 164.522 Rights to Request Privacy Protection for PHI
> 164.524 Access of Individuals to PHI
> 164.526 Amendment of PHI
> 164.528 Accounting of Disclosures of PHI
> 164.530 Administrative Requirements
> 164.532 Transition Provisions
> 164.534 Compliance Dates for Initial Implementation of Privacy Standards
COMPLIANCE READINESS
Are you a Compliant Entity?
Required Tasks: Performing the PHI Trail (Privacy)
"HIPAA has been around for 10 years; lack of these basic tasks is Willful Neglect." (OCR Speaker)
Conduct the Gap Assessment to:
> Create the PHI trail for information created, received, accessed, modified, stored, transmitted, or destroyed
> Analyze uses and disclosures throughout the organization
> Identify gaps in policies, procedures and current processes
> Identify and execute BAAs with Business Associates
Create Necessary Documents:
> Notice of Privacy Practices
> Authorization for the Release and Disclosure of PHI
> Policies and Procedures for each Privacy requirement, standard and implementation specification
> Create minimum necessary rules
> Perform annual training and education
> Create final compliance documentation
Performance of an Annual Assessment to mitigate risks of non-compliance, ensure policy reflects practice, and ensure employees are educated
Required Tasks: Performing the ePHI Trail (Security)
Conduct Security Risk Assessment to:
> Analyze electronic use and disclosure of ePHI
> Determine mechanisms utilized to create, transmit, store and/or destroy information
> Review current access authorizations and supervision
> Review contingency plans
> Assess risks, threats and vulnerabilities
Create Necessary Documents:
> Document compliance assessment findings
> Identify implementation and remediation tasks
> Policies and Procedures for each Privacy requirement, standard and implementation specification
> Create final assessment documentation
Complete Remediation Tasks:
> Perform annual Security Awareness and Training
> Perform system control tests
> Implement remediation controls
> Implement secure transmissions
> Implement physical facility security
Compliance Planning
How would exposure and risk to your company's reputation affect your business if there were a breach or a penalty for non-compliance?
> Build a compliance plan that ensures compliance can be maintained
> Daily observance and enforcement of the Privacy and Security regulations is the best means of maintaining compliance
> Annual Activities should include:
  » Compliance review and assessments
  » Training for Privacy and Security Awareness
  » Security risk assessments
  » Contingency planning and testing
  » Policy and procedure review and modification
  » Control remediation and implementation
> Budget process should include dollars for the daily observance and enforcement, annual assessments and remediation tasks
> New Products or Services
  » Keep compliance on the front end and avoid costly mistakes in product development
  » Test the compliance components to ensure they meet the requirements for securing PHI
Polling Question
> Do you feel confident that if the OCR were to audit your company today, you would not be left with a fine or penalty?
  A. Yes
  B. No
  C. Not sure
Next Steps
> Make a plan for compliance
> Assess the Business Associate Relationships
> Update all existing Business Associate Agreements
> Obtain signatures from all parties
> Complete necessary requirements, standards and implementation specifications
> Train all workforce members and management
> Develop or modify all Policies and Procedures
> Determine the satisfactory assurances required from your subcontractors
> Make a plan to budget for and maintain compliance
Contact Information
Christine Duprey, Co-Owner/Partner, CARIS Innovation, Inc.
chris@carisinnovation.com
(920) 826-5300 (office)
(920) 639-6615 (mobile)
www.carisinnovation.com

Megan Blaser, Consultant, CARIS Innovation, Inc.
chris@carisinnovation.com
(920) 826-5300 (office)
(920) 604-3201 (mobile)
www.carisinnovation.com

Dan Steiner, Manager, Baker Tilly
daniel.steiner@bakertilly.com
(920) 739-33320 (office)
(608) 220-5528 (mobile)
www.bakertilly.com
APPENDIX A
Security Regulations
164.308 Administrative Safeguards
> (1) Standard: Security Management Practices
  Implement policies and procedures to prevent, detect, contain and correct security violations
  Implementation Specifications:
    Risk Analysis (R)
    Risk Management (R)
    Sanction Policy (R)
    Information System Activity Review (R)
> (2) Standard: Assigned Security Responsibility
164.308 Administrative Safeguards
> (3) Standard: Workforce Security
  Implement policies and procedures to provide the workforce with the access they need and prevent workforce members from accessing information they do not need
  Implementation Specifications:
    Authorization and/or Supervision (A)
    Workforce Clearance Procedures (A)
    Termination Procedures (A)
164.308 Administrative Safeguards
> (4) Standard: Information Access Management
  Implement policies and procedures to provide access to PHI in accordance with Privacy
  Implementation Specifications:
    Isolating Health Care Clearinghouse Functions (R)
    Access Authorization (A)
164.308 Administrative Safeguards
> (5) Standard: Security Awareness and Training
  Implement a security awareness and training program for all workforce members
  Implementation Specifications:
    Security Reminders (A)
    Protection from Malicious Software (A)
    Log-in Monitoring (A)
    Password Management (A)
164.308 Administrative Safeguards
> (6) Standard: Security Incident Procedures
  Implement policies and procedures to address security incidents
  Implementation Specifications:
    Response and Reporting (R)
> (7) Standard: Contingency Plan
  Establish and implement, as needed, policies and procedures for responding to an emergency or other occurrence that damages systems that contain PHI
  Implementation Specifications:
    Data Backup Plan (R)
    Disaster Recovery Plan (R)
    Emergency Mode Operation Plan (R)
    Testing and Revision Procedures (A)
    Applications and Data Criticality Analysis (A)
164.308 Administrative Safeguards
> (8) Standard: Evaluation
  Perform a periodic technical and non-technical evaluation
> Standard: Business Associate Contracts and Other Arrangements
  Applicability of the Business Associate Agreement to the covered entity and those entities they do business with
  Implementation Specification:
    Written Contract or Other Arrangement (R)
164.310 Physical Safeguards
> (1) Standard: Facility Access Controls
  Implement policies and procedures that limit physical access to the electronic systems that contain information and to the facilities in which they are housed, while ensuring authorized access is allowed
  Implementation Specifications:
    Contingency Operations (A)
    Facility Security Plan (A)
    Access Control and Validation Procedures (A)
    Maintenance Records (A)
164.310 Physical Safeguards
> Standard: Workstation Use
  Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI.
> Standard: Workstation Security
164.310 Physical Safeguards
> Standard: Device and Media Controls
  Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility.
  Implementation Specifications:
    Disposal (R)
    Media Re-use (R)
    Accountability (A)
    Data Backup and Storage (A)
164.312 Technical Safeguards
> Standard: Access Control
  Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights under the Administrative Safeguards.
  Implementation Specifications:
    Unique User Identification (R)
    Emergency Access Procedure (R)
    Automatic Logoff (A)
    Encryption and Decryption (A)
164.312 Technical Safeguards
> Standard: Audit Controls
  Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
  Implementation Specifications:
    Mechanism to Authenticate ePHI (A)
> Standard: Person or Entity Authentication
  Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
164.312 Technical Safeguards
> Standard: Transmission Security
  Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
  Implementation Specifications:
    Integrity Controls (A)
    Encryption (A)
164.314 Organizational Requirements
> Standard: Business Associate Contracts or Other Arrangements
  Contracts between the covered entity and the business associates
  Implementation Specifications:
    Business Associate Agreements (R)
> Standard: Requirements for Group Health Plans
  Ensuring plan documents are updated appropriately
  Implementation Specifications:
    Amend Plan Documents (R)
164.316 Policies and Procedures and Documentation Requirements
> Standard: Policies and Procedures
  Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of Security.
> Standard: Documentation
  Maintain the policies and procedures implemented to comply with Security in written (electronic) form; and if an action, activity or assessment is required by this subpart to be documented, maintain a written (electronic) record of the action, activity, or assessment.
  Implementation Specifications:
    Time Limit: 6 years (R)
    Availability (R)
    Updates (R)
APPENDIX B
Privacy Regulations
164.502 Uses and Disclosures of PHI: General Rules
> (a) Standard. A covered entity or business associate may not use or disclose PHI, except as permitted or required by Privacy or by Compliance and Enforcement of Part 160 of the General Administrative Requirements
> (b) Standard. Minimum Necessary
> (c) Standard. Uses and Disclosures of PHI Subject to an Agreed Upon Restriction
> (d) Standard. Uses and Disclosures of De-Identified PHI
> (e) Standard. Disclosures to Business Associates
> (f) Standard. Deceased Individuals
> (g) Standard. Personal Representatives
> (h) Standard. Confidential Communications
> (i) Standard. Uses and Disclosures Consistent with Notice
> (j) Standard. Disclosures by Whistleblowers and Workforce Member Crime Victims
164.504 Uses and Disclosures: Organizational Requirements
> (e)(1) Standard. Business Associate Contracts
  (e)(2) Implementation Specifications: Business Associate Contracts
  (e)(3) Implementation Specifications: Other Arrangements
  (e)(4) Implementation Specifications: Other Requirements for Contracts and Other Arrangements
> (f)(1) Standard. Requirements for Group Health Plans
  (f)(2) Implementation Specifications: Requirements for Plan Documents
  (f)(3) Implementation Specifications: Uses and Disclosures
> (g)(1) Standard. Requirements for a Covered Entity with Multiple Covered Functions
164.506 Consent for Uses or Disclosures to Carry Out Treatment, Payment or Health Care Operations
> (a) Standard. Permitted Uses and Disclosures
> (b) Standard. Consent for Uses and Disclosures Permitted
  (c) Implementation Specifications: Treatment, Payment or Health Care Operations
164.508 Uses and Disclosures for which an Authorization is Required
> (a) Standard. Authorizations for Uses and Disclosures
  (b) Implementation Specifications: General Requirements
  (c) Implementation Specifications: Core Elements and Requirements
164.510 Uses and Disclosures Requiring an Opportunity for the Individual to Agree or Object
> (a) Standard. Uses and Disclosures for Facility Directories
> (b) Standard. Uses and Disclosures for Involvement in the Individual's Care and Notification Purposes
164.512 Uses and Disclosures for which an Authorization, or Opportunity to Agree or Object, is Not Required
> (a) Standard. Uses and Disclosures Required by Law
> (b) Standard. Uses and Disclosures for Public Health Activities
> (c) Standard. Disclosures about Victims of Abuse, Neglect, or Domestic Violence
> (d) Standard. Uses and Disclosures for Health Oversight Activities
> (e) Standard. Disclosures for Judicial and Administrative Proceedings
> (f) Standard. Disclosures for Law Enforcement Purposes
> (g) Standard. Uses and Disclosures About Decedents
> (h) Standard. Uses and Disclosures for Cadaveric Organ, Eye or Tissue Donation Purposes
> (i) Standard. Uses and Disclosures for Research Purposes
> (j) Standard. Uses and Disclosures to Avert a Serious Threat to Health or Safety
> (k) Standard. Uses and Disclosures for Specialized Government Functions
> (l) Standard. Disclosures for Workers' Compensation
164.514 Other Requirements Relating to Uses and Disclosures of PHI
> (a) Standard. De-identification of PHI
  (b) Implementation Specifications: Requirements for De-Identification of PHI
  (c) Implementation Specifications: Re-identification
> (d)(1) Standard. Minimum Necessary Requirements
  (d)(2) Implementation Specifications: Minimum Necessary Uses of PHI
  (d)(3) Implementation Specifications: Minimum Necessary Disclosures of PHI
  (d)(4) Implementation Specifications: Minimum Necessary Requests for PHI
  (d)(5) Implementation Specifications: Other Content Requirement
> (e)(1) Standard. Limited Data Set
  (e)(2) Implementation Specifications: Limited Data Set
  (e)(3) Implementation Specifications: Permitted Purposes for Uses and Disclosures
  (e)(4) Implementation Specifications: Data Use Agreement
> (f)(1) Standard. Uses and Disclosures for Fundraising
  (f)(2) Implementation Specifications: Fundraising Requirements
> (g)(1) Standard. Uses and Disclosures for Underwriting and Related Purposes
> (h)(1) Standard. Verification Requirements
  (h)(2) Implementation Specifications: Verification
164.520 Notice of Privacy Practices for PHI
> (a) Standard. Notice of Privacy Practices
  (b) Implementation Specifications: Content of Notice
  (c) Implementation Specifications: Provision of Notice
  (d) Implementation Specifications: Joint Notice by Separate Covered Entities
  (e) Implementation Specifications: Documentation
164.522 Rights to Request Privacy Protection for PHI
> (a)(1) Standard. Right of an Individual to Request Restriction of Uses and Disclosures
  (a)(2) Implementation Specifications: Terminating a Restriction
> (b)(1) Standard. Confidential Communications Requirements
  (b)(2) Implementation Specifications: Conditions of Providing Confidential Communications
164.524 Access of Individuals to PHI
> (a) Standard. Access to PHI
  (b) Implementation Specifications: Requests for Access and Timely Action
  (c) Implementation Specifications: Provision of Access
  (d) Implementation Specifications: Denial of Access
  (e) Implementation Specifications: Documentation
164.526 Amendment of PHI
> (a) Standard. Right to Amend
  (b) Implementation Specifications: Requests for Amendment and Timely Action
  (c) Implementation Specifications: Accepting the Amendment
  (d) Implementation Specifications: Denying the Amendment
  (e) Implementation Specifications: Actions on Notices of Amendment
  (f) Implementation Specifications: Documentation
164.528 Accounting of Disclosures of PHI
> (a) Standard. Right to an Accounting of Disclosures of PHI
  (b) Implementation Specifications: Content of the Accounting
  (c) Implementation Specifications: Provision of the Accounting
  (d) Implementation Specifications: Documentation
164.530 Administrative Requirements
> (a)(1) Standard. Personnel Designations
  (a)(2) Implementation Specifications: Personnel Designations
> (b)(1) Standard. Training
  (b)(2) Implementation Specifications: Training
> (c)(1) Standard. Safeguards
  (c)(2)(i) Implementation Specifications: Safeguards
> (d)(1) Standard. Complaints to the Covered Entity
  (d)(2) Implementation Specifications: Documentation of Complaints
> (e)(1) Standard. Sanctions
  (e)(2) Implementation Specifications: Documentation
> (f) Standard. Mitigation
> (g) Standard. Refraining from Intimidating or Retaliatory Acts
> (h) Standard. Waiver of Rights
> (i)(1) Standard. Policies and Procedures
> (i)(2) Standard. Changes to Policies or Procedures
  (i)(3) Implementation Specifications: Changes in Law
  (i)(4) Implementation Specifications: Changes to Privacy Practices Stated in the Notice
  (i)(5) Implementation Specifications: Changes to Other Policies or Procedures
> (j)(1) Standard. Documentation
  (j)(2) Implementation Specifications: Retention Period
> (k) Standard. Group Health Plan
164.532 Transition Provisions
> (a) Standard. Effect of Prior Authorizations
  (b) Implementation Specifications: Effect of Prior Authorization for Purposes Other Than Research
  (c) Implementation Specifications: Effect of Prior Permission for Research
> (d) Standard. Effect of Prior Contracts or Other Arrangements with Business Associates
  (e) Implementation Specifications: Deemed Compliance
Questions?
Dan Steiner: daniel.steiner@bakertilly.com
Christine Duprey: chris@carisinnovation.com
Megan Blaser: megan@carisinnovation.com
Disclosure
Pursuant to the rules of professional conduct set forth in Circular 230, as promulgated by the United States Department of the Treasury, nothing contained in this communication was intended or written to be used by any taxpayer for the purpose of avoiding penalties that may be imposed on the taxpayer by the Internal Revenue Service, and it cannot be used by any taxpayer for such purpose. No one, without our express prior written permission, may use or refer to any tax advice in this communication in promoting, marketing, or recommending a partnership or other entity, investment plan, or arrangement to any other party.
Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. The information provided here is of a general nature and is not intended to address specific circumstances of any individual or entity. In specific circumstances, the services of a professional should be sought.
© 2013 Baker Tilly Virchow Krause, LLP