OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS
|
|
- Jason Knight
- 6 years ago
- Views:
Transcription
1 Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020 Cleveland, OH Telephone (216) Fax (216) Waterford Dr. Sheffield Village, OH Telephone (440) Fax (440) OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Elena A. Lidrbauch Franklin J. Hickman September, 2010 This is a summary only and is not intended to provide legal advice. For individual issues, you should consult your attorney.
2 OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS There have been two major sets of changes during 2009 which affect privacy and confidentiality rules for DD Boards. Ohio law has been amended to permit disclosure of the identity of an individual served by a DD Board if the individual s identity is needed for treatment or payment for services provided to the individual. 1 The same bill removed the duty to provide accountings for all disclosures of an eligible individual s identity. The American Recovery and Reinvestment Act of 2009 (ARRA) enacted on February 17, 2009 adds additional requirements to HIPAA privacy and security rules. 2 DD Boards, COGs and Providers are subject to these new regulations, whether they function as a Covered Entity or a Business Associate 3. The ARRA changes include enhanced notice requirements in the event of a breach and expanded civil sanctions for violations of HIPAA requirements. The ARRA imposes significant new requirements for Business Associates. In response to the ARRA directive, the Department of Health and Human Services (HHS) recently issued two sets of interim final rules: Rules governing notification of breaches of unsecured protected health information. This rule went into effect on September 23, 2009; Rules explaining the enhanced penalties for breach of HIPAA requirements. These rules are effective on November 30, There are a number of additional HIPAA requirements enacted through the ARRA which will become effective in future years. Further information will be provided as regulations regarding these requirements are enacted. 1 Ohio Rev. Code ( RC ) (B)(4) as amended by H.B. 1, effective 10/16/09. 2 These requirements were part of the Health Information Technology for Economic and Clinical Health (HITECH) Act which is a section of the ARRA. 3 DD Boards are Covered Entities subject to HIPAA requirements as both Health Plans and Health Care Providers. In some situations, DD Boards may also function as Business Associates. Most Providers are Covered Entities as Health Care Providers. To the extent that COGs are doing specific tasks for each DD Board, the COG is acting as a Business Associate. This is a summary only and is not intended to provide legal advice. For individual issues, you should consult your attorney.
3 Page 2 I. Changes in Ohio Law HB 1 made two significant changes in the confidentiality rules applicable to DD Boards, effective October 16, RC The identity of an eligible individual may be disclosed without the individual s consent, if the identity of the individual is necessary for treatment or payment. RC (B)(4). Treatment is defined as provision, coordination, or management of services provided to an eligible person. Payment is defined as activities undertaken by a service provider or governmental entity to obtain or provide reimbursement for services to an eligible person. RC (A). A strict construction of the language of statute as amended permits disclosure only of the identity of an individual for treatment or payment purposes; the language as currently enacted does not clearly permit release of records or reports on an individual without a written consent for the release. 4 HB1 also removed the requirement to maintain records of when and to whom a disclosure or release was made. Summary of the New HIPAA Regulations on Notice of Breach Effective September 23, 2009, all HIPAA Covered Entities and their Business Associates are required to provide notice in the event of a breach of unsecured protected health information (PHI). Covered Entities must notify the affected individual, the Secretary of HHS and under some circumstances even the media. Business Associates must provide notice of a breach to the Covered Entity. Failure to comply may lead civil penalties which have been significantly increased under the ARRA revisions. Additionally civil penalties for HIPAA violations are being extended to Business Associates as well as Covered Entities. A. Breaches Subject to Notification Under the new regulations, notification requirements apply to breaches of unsecured PHI. To determine whether notification is required, the Covered Entity or Business Associate must first determine (1) whether there is a breach, and (2) whether the breach includes unsecured PHI. If the answer to both is yes, then notification is required. 4 There may be an amendment in the future which will specifically permit release of reports and records on eligible individuals for treatment or payment purposes. Until the statute is changed, however, we believe that the current practice of obtaining consent for release of all information should continue, except for the explicit exceptions in RC (info needed for direct services contracts and for placement on waiting list).
4 Page 3 B. Definition of a Breach A breach is the acquisition, access, use, or disclosure of PHI in an unauthorized manner which compromises the security or privacy of the PHI 5. The following types of breaches are expressly excluded from this definition: 1. Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner prohibited by HIPAA; 2. Any inadvertent disclosure by a person who is authorized to access PHI to another person authorized to access PHI at the same Covered Entity or Business Associate and the information is not further disclosed in a manner prohibited by HIPAA; or 3. A disclosure of PHI where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information. 6 C. Definition of Unsecured PHI Unsecured PHI means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued and made available at 7 The regulations require this guidance to be updated annually. PHI which is secured as specified by the guidance will not be subject to notification in the event there is a breach of the secured PHI CFR (1)(i) For purposes of this definition, compromises the security or privacy of the PHI means poses a significant risk of financial, reputational, or other harm to the individual. (ii) A use or disclosure of PHI that is part of a limited data set as defined by (e)(2), does not compromise the security or privacy of the PHI CFR (2) 7 45 CFR ; The commentary notes that unsecured PHI can include information in any form or medium, including electronic, paper, or oral form. 74 Fed. Reg
5 Page 4 D. Notification Requirements Applicable to the Covered Entity 1. Notice of Breach to Individuals. A covered entity shall, following the discovery of a breach of unsecured PHI, notify each individual whose unsecured PHI has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach 8. The notice must be written in plain language and to the extent possible, must include all of the following: (a) (b) (c) (d) (e) A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known; A description of the types of unsecured PHI involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved); Any steps individuals should take to protect themselves from potential harm resulting from the breach; A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and Contact procedures for individuals to ask questions or learn additional information, which shall include a tollfree telephone number, an address, Web site, or postal address CFR (a)(1); A breach shall be treated as discovered by a covered entity as of the first day on which such breach is known to the covered entity, or, by exercising reasonable diligence would have been known to the covered entity. A covered entity shall be deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the covered entity. 45 CFR (a)(2) 9 45 CFR (c)
6 Page 5 2. Method of Notice The Covered Entity must provide notice in one of the following three formats, depending on circumstances 10 : (a) Written notice. (i) Written notification by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. (ii) If the covered entity knows the individual is deceased and has the address of the next of kin or personal representative of the individual, written notification by first class mail to either the next of kin or personal representative of the individual. (b) Substitute notice. In the case that contact information is not available, a substitute form of notice reasonably calculated to reach the individual shall be provided. Substitute notice need not be provided in the case in where the individual is deceased. (i) (ii) In the case in which contact information is not available for fewer than 10 individuals, then such substitute notice may be provided by an alternative form of written notice, telephone, or other means. In the case in which contact information is not available for 10 or more individuals, then such substitute notice shall: (A) Be in the form of either a conspicuous posting for a period of 90 days on the home page of the Web site of the covered entity involved, or conspicuous notice in major print or broadcast media in geographic areas where the individuals affected by the breach likely reside; and (B) Include a toll-free phone number that remains active for at least 90 days that an individual can call to learn whether the individual s unsecured PHI may be included in the breach CFR (d)
7 Page 6 3. Additional notice in urgent situations. In any case deemed by the covered entity to require urgency because of possible imminent misuse of unsecured PHI, the covered entity may, in addition to providing written notice, contact individuals by telephone or other means, as appropriate. E. Other Parties Required to Receive Notice In addition to providing notice to the individual, the Covered Entity must notify the following entities: 1. Notification to the media 11 For a breach of unsecured PHI involving more than 500 residents, a covered entity shall, notify prominent media outlets serving the State or jurisdiction. The content of the notice shall be the same as the notice provided to the individual. 2. Notification to the Secretary of HHS 12. For a breach of unsecured PHI involving more than 500 residents, a covered entity shall, notify the Secretary of HHS in the manner specified on the HHS Web site. For breaches of unsecured PHI involving less than 500 individuals, the covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide notice to the Secretary of HHS of breaches occurring during the preceding calendar year, in the manner specified on the HHS Web site. F. Timeliness of Notification In general, a Covered Entity must provide the required notice without unreasonable delay and in no case later than 60 calendar days after discovery of a breach. 13 The Covered Entity must delay providing notice if a law enforcement official states to the Covered Entity or Business Associate that providing notice would impede a criminal investigation or cause damage to national security. If such statement is in writing and specifies the time for which a delay is required, the Covered Entity or Business Associate shall delay such notice for the time period specified by the official. If the statement is made orally, the Covered Entity or Business Associate shall document the statement, including the identity of the official CFR CFR CFR (b); 406(b); 410(b)
8 Page 7 making the statement, and delay the notice temporarily and no longer than 30 days from the date of the oral statement, unless the law enforcement official submits a written statement during that time 14. II. Changes Affecting Business Associates A. General Changes The ARRA 13401(a), 13404(a) now explicitly requires a business associate to meet the privacy standards applicable to covered entities, and following standards for PHI as well as security and management of PHI. These requirements formerly only applied to covered entities and now cover BAs as well. Administrative Safeguards in Physical Safeguards in Technical Safeguards in Policies, procedures and documentation requirements in Under the ARRA, If the BA determines that the covered entity has violated HIPAA privacy or security requirements, the BA has an affirmative duty to either terminate the BA agreement or to report violations to the Secretary. ARRA 13404(b). B. Notice of Breach A Business Associate must, following the discovery of a breach of unsecured protected health information, notify the Covered Entity of such breach. 15 The Business Associate is subject to the requirements applicable to a Covered Entity for timeliness of notification including requirements for a delayed notification CFR ARRA 13404(b); 45 CFR ; A breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate. 45 CFR (a)(2) (b).
9 Page 8 The notification provided by the Business Associate shall include, to the extent possible, the identification of each individual whose unsecured PHI has been, or is reasonably believed by the Business Associate to have been, accessed, acquired, used, or disclosed during the breach. A Business Associate must provide the Covered Entity with any other available information that the Covered Entity is required to include in notification to the individual at the time of the notification or promptly thereafter as information becomes available. III. Compliance with Minimum Necessary Requirements The ARRA states that, effective February 17, 2010, a covered entity complies with the minimum necessary requirement if the covered entity releases a limited data set or the minimum information necessary to accomplish the purpose of the disclosure. ARRA 13405(b)(1)(A). The Secretary of HHS is required to issue guidance on what constitutes minimum necessary by August, ARRA 13405(b)(1)(B). Once the guidance is issued, the guidance will be definitive. IV. Accountings While Ohio law no longer requires accountings, HIPAA requires accounting of disclosures from electronic health records for treatment, payment, health care operations for three years prior to the request. Other disclosures, such as breaches, must also be accounted for a period of six years prior to the request. If the record exists on or before January 1, 2009, the new accounting requirements will apply to disclosures made from that record on or after January 1, If the record exists after January 1, 2009, the new accounting requirements will apply to disclosures made from that record on or after the later of January 1, 2011 or the date the covered entity acquires the electronic health record. BA agreements must include provisions on how accounting requirements will be met. 17 The Secretary may delay the implementation dates for accountings. 17 ARRA (c)(3).
10 Page 9 V. Sanctions The ARRA has strengthened the civil sanctions which apply to violations of HIPAA. There were no changes to the criminal penalties. The following table shows categories of violations and respective penalty amounts available: Violation category Section 1176(a)(1) Each violation All such violations of an identical provision in a calendar year (A) Did Not Know... $100 $50,000 $1,500,000 (B) Reasonable Cause... 1,000 50,000 1,500,000 (C)(i) Willful Neglect Corrected... 10,000 50,000 1,500,000 (C)(ii) Willful Neglect Not Corrected... 50,000 1,500,000 For violations occurring on or after February 18, 2009, the following affirmative defenses are available: 1. The violation is subject to criminal penalties, or 2. The covered entity establishes that the violation is (a) Not due to willful neglect and (b) Corrected during either: (i) The 30 day period on which the covered entity knew or reasonably should have known, that the violation occurred; or (ii) Such additional time as the Secretary of HHS determines to be appropriate. VI. Enforcement Procedures The ARRA has given State Attorney Generals the authority to file civil actions on behalf of individuals harmed by breaches of HIPAA requirements. The Attorney General may seek injunctive relief and damages on behalf of the individual. The maximum penalty amounts are substantially lower: $100 per violation with a maximum of $25,000 per year for identical violations. The Attorney General can collect attorney fees. There are provisions for individuals to receive a portion of penalties received by HHS after the GAO conducts and study and HHS adopts rules for such distributions..
11 Page 10 SUMMARY OF EFFECTIVE DATES FOR ARRA RULES AND REGULATIONS TITLE EFFECTIVE DATE CITE General ARRA privacy and related provisions 02/17/2010 Except as shown below: ARRA Duty of HIPAA-Covered Entities to notify Individual in the Case of Breach of Unsecured PHI 09/23/ Presumptive compliance with standards for minimum necessary requirement. Accounting of Certain PHI Disclosures Required if Covered Entity Uses Electronic Health Record. Prohibition on Sale of Electronic Health Records or PHI Temporary Breach Notification Requirement For Vendors of PHI and Other Non-HIPAA Covered Entities. Civil penalties for willful neglect Tiered Increase in Civil Monetary Penalties Enforcement of Provisions Through Civil Suit By State Attorneys General. 02/17/2010 until Secretary issues guidance on standards for minimum necessary by Aug Guidance will then govern. If the record exists on or before January 1, 2009, the new accounting requirements will apply to disclosures made from that record on or after January 1, If the record exists after January 1, 2009, the new accounting requirements will apply to disclosures made from that record on or after the later of January 1, 2011 or the date the covered entity acquires the electronic health record. At least 6 months after sub- (d) regs promulgated regs by 08/17/ /29/2009 [See Sunset: 13407(g)(2)] 02/17/2011 (for penalties imposed on/after this date) 02/17/2009 (for violations occurring after this date) 02/17/2009 (for violations occurring after this date) 13405(b)(1)(A) 13405(c)(4) 13405(d)(1) (a) 13410(d) 13410(e) Rules governing notification of breach of unsecured protected health information 09/23/ FR Rules on sanctions 11/30/ FR FTC - health breach notification rule for entities not covered by HIPAA 09/18/2009 (for breaches of security discovered on/after this date) 74 FR Implements 16 CFR Part 318
45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information
45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also
More informationBREACH NOTIFICATION POLICY
PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities
More informationChanges to HIPAA Privacy and Security Rules
Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationHIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES
SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:
More informationInterim Date: July 21, 2015 Revised: July 1, 2015
HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:
More informationHITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government
HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationNOTIFICATION OF PRIVACY AND SECURITY BREACHES
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationARRA s Amendments to HIPAA Privacy & Security Rules
ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health
More informationBreach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule
Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance
More informationHIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)
HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services
More informationNew. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.
Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationPatient Breach Letter Content Requirements
Patient Breach Letter Content Requirements The final breach regulations, effective September 23, 2009, required that the patient whose information was accessed, used or released in an inappropriate manner
More informationFifth National HIPAA Summit West
Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for
More informationHIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013
HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background
More informationThe American Recovery Reinvestment Act. and Health Care Reform Puzzle
The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012 Comparison of Breach Notification Provisions in the HITECH Act 1 and the Alaska
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationHIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school
ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS
HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts
More informationThe Impact of the Stimulus Act on HIPAA Privacy and Security
The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More informationx Major revision of existing policy Reaffirmation of existing policy
Name of Policy: Reporting of Security Breach of Protected Health Information including Personal Health Information Policy Number: 3364-90-15 Approving Officer: Executive Vice President of Clinical Affairs
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection
More informationNew HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda
New HIPAA Breach Rules NAHU presents the WHAT and WHYs Presenters: David Smith JD, Vice President, Ebenconcepts Tom Jacobs JD, co-ceo eflexgroup Moderator: Ric Joyner CEBS CFCI, co-ceo, eflexgroup 1 Agenda
More informationAn Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationHITECH and Stimulus Payment Update
HITECH and Stimulus Payment Update David S. Szabo Agenda HIPAA Breach Notification Rules HITECH and Meaningful Use Open Question Period 2 Data Security Breaches A total of 245,216,093 records containing
More informationHIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment
More informationALERT. November 20, 2009
ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made
More informationAFTER THE OMNIBUS RULE
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member
More informationHITECH Poses Important Challenges... Are You Compliant?
Presents a Webinar HITECH Poses Important Challenges... Are You Compliant? A program for Clinic and Hospital Administrators, Risk Managers, and other interested staff. Joint Sponsor Kansas Hospital Association
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationThe HHS Breach Final Rule Is Out What s Next?
The HHS Breach Final Rule Is Out What s Next? Webinar September 16, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer
More informationCompliance Steps for the Final HIPAA Rule
Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.
More informationManagement Alert Final HIPAA Regulations Issued
Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationHIPAA / HITECH. Ed Massey Affiliated Marketing Group
HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health
More informationContaining the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida
Containing the Outbreak: HIPAA Implications of a Data Breach Orlando, Florida www.lowndes-law.com Jason S. Rimes 2013 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved Protected Health
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ), is between Birch Family Services, Inc., a New York not-for-profit corporation ( Covered Entity ) and ( Business Associate
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More informationThe Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013
The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice
More informationCLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors
CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )
More informationHHS, Office for Civil Rights. IAPP October 11, 2012
HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More informationHIPAA OMNIBUS FINAL RULE
HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on
More informationSafeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker
Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements
More informationBusiness Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationBUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,
More informationHayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More informationRECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:
This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013
More informationOmnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule
Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions
More informationNO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES
CFOP 60-17, Chapter 7 STATE OF FLORIDA DEPARTMENT OF CF OPERATING PROCEDURE CHILDREN AND FAMILIES NO. 60-17, Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES 7-1. Purpose. This
More informationSummary Comparison of Current Senate Data Security and Breach Notification Bills
Data Security reasonable Standards measures Specific Data Security Requirements Personal Information Definition None (a) First name or (b) first initial and last name, in combination with one of the following
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationCompliance Steps for the Final HIPAA Rule
Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule
More informationHIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017
HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability
More informationBusiness Associate Agreement For Protected Healthcare Information
Business Associate Agreement For Protected Healthcare Information This Business Associate Agreement ( Agreement ) is entered into this 24th day of February 2017, between PRACTICE-WEB, Inc., a California
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationGeorgia Health Information Network, Inc. Georgia ConnectedCare Policies
Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationNOTICE OF PRIVACY PRACTICES
NOTICE OF PRIVACY PRACTICES Original Effective Date: April 14, 2003 Effective Date of Last Revision: August 30, 2013 I. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED
More informationPATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS
PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached
More informationHIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by
HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement
More informationFACT Business Associate Agreement
Policy Document #: 2.1.003 Revision: 3 Valid Date: 27June2012 Page 1 of 2 Effective Date: 27Jun2012 FACT Business Associate Agreement 1.0 Purpose The purpose of this document is to establish terms for
More informationNETWORK PARTICIPATION AGREEMENT
NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and
More informationHIPAA Breach Notification Case Studies on What to Do and When to Report
HIPAA Breach Notification Case Studies on What to Do and When to Report AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute February 9 and10, 2012 Colleen M. McClorey,
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationHIPAA, HITECH & Meaningful Use
HIPAA, HITECH & Meaningful Use October 21, 2011 presented by Helen Oscislawski, Esq. Overview - What Has Changed? HITECH Act: Increased Penalties for non-compliance, effective 11/30/2009 New federal requirements
More informationHIPAA Privacy and Security Rules
HIPAA Privacy and Security Rules HIPAA Compliance Bootcamp (5/16) This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics.
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into on the Effective Date of the Azalea Health Software as a Service Agreement and/or Billing Service Provider
More informationHIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.
HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure
More informationIACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP
IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA
More informationHIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE
HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA Privacy and Security Rules: Overview and Update HIPAA. Health Insurance Portability and Accountability Act ( HIPAA )
HIPAA Privacy and Security Rules: Overview and Update HIPAA IHCA Convention (7/16) This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationARTICLE 1. Terms { ;1}
The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing
More informationJOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT
JOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( HIPAA BAA ) is made between JotForm, Inc., ( JotForm ) and {YourCompanyName} ( Covered Entity or Customer ) as an agreement
More informationHIPAA and ProAssurance
HIPAA and ProAssurance The ProAssurance Companies, along with our legal counsel, have reviewed the Health Insurance Portability And Accountability Act of 1996, and its implementing regulations (collectively,
More informationNew Federal Legislation Affecting Health Plans
New Federal Legislation Affecting Health Plans New COBRA Subsidy New Special Enrollment Rights New Privacy and Security Requirements in the HITECH Act Leslie Anderson Jessica Forbes Olson Mark Kinney March
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationGetting a Grip on HIPAA
Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy
More informationLegal and Privacy Implications of the HIPAA Final Omnibus Rule
Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationUNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553
UNITED WORKERS HEALTH FUND 50 CHARLES LINDBERGH BLVD. SUITE 207 UNIONDALE, NY 11553 Tel: 516-740-5325 tnl@dickinsongrp.com Fax: 516-740-5326 REVISED NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW
More informationCOUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA
COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Recommended by ISP Committee of CSS on October 22 nd, 2014 Amended
More informationGUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do
GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned
More informationMONTCLAIR STATE UNIVERSITY HIPAA PRIVACY POLICY. Approved by the Montclair State University Board of Trustees on April 3, 2014
MONTCLAIR STATE UNIVERSITY HIPAA PRIVACY POLICY Approved by the Montclair State University Board of Trustees on April 3, 2014 Table of Contents Page I. PURPOSE... 1 II. WHO IS SUBJECT TO THIS POLICY...
More informationHIPAA BUSINESS ASSOCIATE ADDENDUM
HIPAA BUSINESS ASSOCIATE ADDENDUM This Business Associate Addendum ( BAA ) is made between Cognito, LLC., a South Carolina corporation ( Cognito Forms ) and {OrganizationLegalName} ( Covered Entity or
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2018 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled
More informationIt s as AWESOME as You Think It Is!
It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are
More informationBUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)
BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between
More information