HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

Size: px
Start display at page:

Download "HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP"

Transcription

1 HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP (205)

2 Reasons for HIPAA Privacy Rules Perceived need for protection of individual health information Potential for abuse and concern that employees would misuse health information 2

3 What are the Purposes of the Privacy Rule? To give the consumer more control over health information Participant education on privacy protections. Ensuring patient access to medical records. Receiving patient authorization before information is released. Providing recourse if privacy protections are violated. 3

4 What are the Purposes of the Privacy Rule? To establish boundaries on the use and release of medical records Ensuring that health information is not used for improper purposes Providing the minimum amount of information necessary 4

5 What are the Purposes of the Privacy Rule? To establish accountability for the use and release of medical records, including: Civil penalties Federal criminal penalties 5

6 What Does This Mean To Me? You are in a position that could result in you having access to protected health information. If you improperly request or disclose an individual s protected health information, you could face significant monetary penalties and possible prison time. 6

7 Why Are You Here? Mohawk is required by law to train anyone who has access to protected health information. You need training to avoid potential personal liability. You need training to avoid subjecting others to potential personal liability. 7

8 Civil Penalties Increased Tiered Penalties: Tier 1: If a person is not aware of the violation (and would not have known with reasonable diligence), the penalty is at least $100/violation, not to exceed $25,000 for all violations of the same requirement in the same calendar year. These are violations in which the offender did not realize he or she violated HIPAA and would have handled the matter differently if he or she had. 8

9 Civil Penalties Tier 2: If a violation is due to reasonable cause (but not willful neglect), the penalty is at least $1,000/violation, not to exceed $100,000 for all violations of the same requirement in the same calendar year. Reasonable cause means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. 9

10 Civil Penalties Tier 3: If violation is due to willful neglect and is corrected in 30 days, the penalty is at least $10,000/violation, not to exceed $250,000 for all violations of the same requirement in the same calendar year. Willful neglect means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 10

11 Civil Penalties Tier 4: If a violation is due to willful neglect and is not corrected in 30 days, the penalty is at least $50,000/violation, not to exceed $1.5 million for all violations of the same requirement in the same calendar year. Effective Date: Willful neglect provisions are not applicable until February

12 Civil Penalties State AGs. State AGs are authorized to bring a civil action for HIPAA violations to enjoin violations and seek damages on behalf of residents. Damages are calculated by multiplying the number of violations by $100. The penalty is not to exceed $25,000 for all violations of an identical requirement during a calendar year. 12

13 Civil Penalties Court may award costs and reasonable attorneys fees to State. State action may NOT be brought during pendency of Federal action. Effective Date: Immediately. 13

14 Civil Penalties Individual Compensation. Mechanism for individuals to recover a portion of HHS civil penalty or monetary settlements. Effective Date: Regulations are to be issued by February Effective on or after date of regulations. 14

15 Criminal Penalties Up to $50,000 and 1 year in prison for obtaining or disclosing PHI Up to $100,000 and up to 5 years in prison for obtaining PHI under false pretenses 15

16 Criminal Penalties Up to $250,000 and up to 10 years in prison for obtaining or disclosing PHI with the intent to sell, transfer or use for commercial advantage, personal gain, or malicious harm 16

17 Increased Enforcement Mechanisms Increased Audits. HHS will conduct periodic audits of covered entities and business associates, even if no complaint is filed. Willful Neglect: An audit is required if preliminary investigation of a complaint indicates willful neglect. HHS is required to impose a penalty for violations due to willful neglect. Effective Date: February Regulations to be issued by August

18 What Information Is HIPAA Designed to Protect? Protected Health Information ( PHI ) encompasses all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. 18

19 What Information Is HIPAA Designed to Protect? Transmitted - not defined, generally includes sharing of information electronically, by telephone, fax, mail or even orally Covered Entity - a health plan, a health plan provider, or a health care clearinghouse Note: Employers are NOT covered entities, and employment files are not subject to the HIPAA privacy requirements. 19

20 How Does HIPAA Impact Employment Medical Files? HIPAA does not cover the employer s medical files containing ADA, FMLA, Workers Compensation, Sick Leave, Doctor s Excuses for Absences, etc. In applying normal procedures for those leave/accommodation requests, medical providers will require an authorization from the individual to release information to Mohawk (because providers are subject to HIPAA). 20

21 How Does HIPAA Impact Employment Medical Files? Even though employment medical files are not subject to HIPAA, the files should be kept confidential subject to general privacy policies of Mohawk. 21

22 Subject to HIPAA: Group Health Plan Group Dental Plan Mohawk Plans Health Care Flexible Spending Account Plan Others Plans or programs that do not provide coverage for medical expenses are not subject to HIPAA 22

23 How Will the Plan Receive PHI? Examples of PHI disclosures include: A participant requests assistance in getting a claim paid under a HIPAA covered plan. A participant appeals a claim denied by the third party administrator to a Mohawk committee. 23

24 What are the Authorization Requirements? PHI may be used by covered entities for purposes of treatment, payment, and health care operations ( TPO ) without authorization. PHI must be disclosed to the government in the case of a HIPAA investigation. Otherwise, participant authorization is required. 24

25 What Must a Plan Do to Ensure Privacy? Plan documents must be amended to include required provisions. PHI can only be disclosed to the plan sponsor if the plan sponsor certifies that it will only use the information in accordance with the HIPAA rules. The plan sponsor: cannot use or disclose PHI except as permitted by the plan or required by law; 25

26 What Must a Plan Do to Ensure Privacy? must ensure that agents and vendors who receive PHI agree to the same restrictions; cannot use or disclose PHI for employmentrelated actions or for other benefit plans; must report to the Plan any violation of the privacy requirements; must make PHI available to individuals as required by HIPAA; 26

27 What Must a Plan Do to Ensure Privacy? must allow individuals to amend their PHI; must provide individuals with an accounting of disclosures of PHI; must make its practices available to the government to determine compliance; 27

28 What Must a Plan Do to Ensure Privacy? must return or destroy PHI received from the plan that the plan sponsor maintains in any form; must not retain copies of PHI longer than needed for the purpose for which the disclosure was made; 28

29 What Must a Plan Do to Ensure Privacy? ensure that security procedures have been established that: identify employees or classes of employees who will have access to PHI; restrict access solely to those individuals for the functions performed for the plan; and provide a mechanism for resolving issues of noncompliance with participants. 29

30 What Must a Plan Do to Ensure Privacy? Privacy policies must be developed to ensure that only the minimum necessary amount of information to achieve the purpose of the disclosure is provided to a third person and that the other HIPAA requirements are satisfied. Minimum Necessary Standard Generally, uses, disclosures and requests by a covered entity are limited to the information that is the minimum necessary to accomplish the intended purpose. 30

31 What Must a Plan Do to Ensure Privacy? Prior to the American Recovery and Reinvestment Act, minimum necessary was an unidentified, flexible standard. Starting February 17, 2010 and until guidance is issued, the covered entity may only use, disclose, or request limited data set information, or if more information is needed, in compliance with the minimum necessary standard. By August 2010, HHS will issue guidance on what constitutes minimum necessary. 31

32 What Must a Plan Do to Ensure Privacy? A Notice of Privacy Practices must be distributed to inform Plan participants of their rights under HIPAA. Physical security measures must be put in place to protect PHI (secured file cabinets, software encryption, password protected databases). 32

33 What Must a Plan Do to Ensure Privacy? The Proposed Rule mandates the following changes to a covered entity s notice of privacy practices: If the covered entity intends to send subsidized treatment communications, its notice of privacy practices would be required to disclose that fact and to notify the individual of the right to opt out. *On July 14, 2010, the Department of Health and Human Services (HHS) published a notice of proposed rulemaking (the Proposed Rule ). Unless otherwise indicated, the compliance date for all provisions of the Proposed Rule will be after 180 days after the publication of the Final Rule. 33

34 What Must a Plan Do to Ensure Privacy? If the covered entity intends to send fundraising solicitations, the notice of privacy practices would have to notify the individual of the right to opt out (in contrast to the current Privacy Rule requirement to simply include notice of the opt-out right in the solicitation). 34

35 What Must a Plan Do to Ensure Privacy? The notice would be required to describe the need for an authorization for uses of psychotherapy notes, marketing, and the sale of PHI for which authorization is required. The notice would be required to inform the individual that the covered entity may not refuse a request to withhold information from a health plan where the individual pays out-of-pocket in full for the service. 35

36 What Must a Plan Do to Ensure Privacy? Designate a Privacy Officer to be in charge of monitoring compliance with HIPAA requirements. HIPAA covered plans must train individuals who may come into contact with PHI as to the HIPAA requirements and employer and plan procedures for maintaining the privacy of PHI. For example, all PHI information, questions or problems should be faxed, ed or directed to the Privacy Officer at private fax numbers. 36

37 What Must a Plan Do to Ensure Privacy? Identify Business Associates HITECH* expanded the definition of business associate *Health Information Technology for Economic and Clinical Health Act ( HITECH ), which was contained in ARRA, modified The Privacy and Security Rules originally enacted in HIPAA. 37

38 What Must a Plan Do to Ensure Privacy? The Proposed Rule further expands the definition of Business Associate to include the following: Patient safety organizations ( PSOs ), which are organizations that conduct patient safety and quality improvement activities under the Patient Safety and Quality Improvement Act of 2005 (PSQIA). 38

39 What Must a Plan Do to Ensure Privacy? Organizations that provide data transmission of PHI to a covered entity, such as Health Information Organizations and E-prescribing Gateways, and those that require routine access to PHI. Vendors offering a PHR to one or more individuals on behalf of a covered entity. Subcontractors to a business associate that create, receive, maintain, or transmit PHI on behalf of a business associate. 39

40 What Must a Plan Do to Ensure Privacy? The Proposed Rule requires new provisions to be added to Business Associate Agreements ( BAA ) The so-called safeguards provision should be replaced with a provision requiring that business associates use appropriate safeguards and comply, where applicable, with [the Security Rule], with respect to electronically protected health information, to prevent use or disclosure of the information other than as provided for by its contract. Business associates must report to the covered entity any breach of unsecured PHI, as required by the HITECH security breach notification regulations. 40

41 What Must a Plan Do to Ensure Privacy? Business associates must enter into written agreements with subcontractors that create or receive PHI on behalf of the business associate imposing the same restrictions that apply to the business associate with respect to the PHI. Business associates must comply with the requirements of the Privacy Rule to the extent that the business associate is to carry out a covered entity s obligation under the Privacy Rule. For example, if a business associate is providing an individual with access to PHI, that access must be provided in accordance with Privacy Rule requirements. 41

42 What Must a Plan Do to Ensure Privacy? Policies and procedures for participant complaints must be developed and communicated, and records must be maintained. Retaliation for participant complaints is prohibited. 42

43 Can Protected Information Be Shared Among Plans? AUTHORIZATION IS REQUIRED! 43

44 Procedures for Handling Employee Inquiries Employees will be advised to contact the appropriate Privacy Officer or designated individuals for help with plan issues. Other Human Resources staff, supervisors, etc. will not have access to PHI and cannot provide assistance. Any inquiry that may involve PHI should be referred to the Privacy Officer. 44

45 Disclosure of Security Breaches Covered entities or business associates must notify each affected individual when an unauthorized disclosure of PHI occurs If there is no known contact for an individual, disclosure may be posted on Mohawk s website or through a media outlet. 45

46 Notification of Breach Requirements If security of Unsecured PHI is breached, the Plan must provide notice without unreasonable delay and within 60 days after discovery of breach: To the impacted individual: written notice must be sent to the last known address (with special rules if imminent misuse is possible or individual s address is unknown). To the media: If a breach involves more than 500 individuals in state or jurisdiction, notice must be sent through major media outlets. 46

47 To HHS: Notification of Breach Requirements If a breach involves more than 500 individuals, the Plan must notify HHS immediately, and HHS will identify the covered entity on its website. If a breach involves less than 500 individuals, the Plan must log the breach and provide the log to HHS on an annual basis. If a business associate discovers a breach, the business associate must notify the plan. 47

48 Notification of Breach Requirements When is a breach discovered? A breach is discovered as of the first day that it is known (or reasonably should have been known) to the covered entity or business associate. The covered entity or business associate has knowledge of the breach on the day that any employee, officer or other agent has such knowledge (except for the individual who committed the breach). 48

49 Notification of Breach Requirements Unsecured PHI is PHI which is not secured through the use of a technology or methodology identified by HHS as rendering the information unusable, unreadable or indecipherable to unauthorized persons On April 17, 2009, HHS issued safe-harbor guidance identifying two acceptable technologies and methodologies for securing PHI: Encryption (electronic) Destruction (electronic and paper) Notification requirements are only triggered by breach of unsecured PHI. 49

50 Notification of Breach Requirements On August 24, 2009, HHS issued an interim final rule regarding the HITECH breach notification rules; this rule took effect on September 23, An online form was created which covered entities must use to report breaches of PHI. Only covered entities can report breaches. Contacting affected individuals may be delegated to a business associate. 50

51 Notification of Breach Notice must contain: Requirements a brief description of the breach, including dates; a description of the types of unsecured PHI involved; the steps an impacted individual should take to protect against potential harm; 51

52 Notification of Breach Requirements a brief description of the steps the Plan has taken to investigate the incident, mitigate harm, and protect against further breaches; and contact information. 52

53 Prohibition on the Sale of PHI Covered entity or business associate cannot receive compensation, directly or indirectly, for any PHI unless per a valid authorization specifically addressing sale. Exceptions: for public health activities; for research (cost of data prep and transmittal); for treatment; for Health Care Operations (HCO) related to sale or transfer; 53

54 Prohibition on the Sale of PHI for payment of business associate for services under BAA; to provide an individual with his/her PHI; and for other instances permitted by the Secretary in further guidance. Effective Date: Regulations to be issued by August Effective six months thereafter. 54

55 Prohibition on the Sale of PHI The Proposed Rule adds the following provisions: The treatment exception would be expanded to include disclosures for payment, clarifying that disclosures of PHI to obtain payment are not sales of PHI. An authorization for the sale of PHI would be required to state that the covered entity will be receiving remuneration for the disclosure. The prohibition does not apply to a reasonable, costbased fee charged to the individual by a covered entity for an accounting of disclosures. 55

56 Prohibition on the Sale of PHI Covered entities are allowed to receive payment for a disclosure that is required by law. The sale of PHI is permitted as determined by the Secretary pursuant to regulations to be necessary and appropriate, so long as the fee charged is either reasonable and cost-based or expressly permitted by another law. 56

57 Restrictions on Marketing A communication by a covered entity or business associate that is about a product/service and encourages the recipient to purchase or use same is NOT considered an HCO UNLESS it: describes a health-related product/service (or payment for same) that is provided by or included in the plan of covered entity making communication; is for treatment; or is for case management or care coordination for the individual or to direct/recommend certain alternative treatments, therapies, health care providers, or settings of care to the individual. 57

58 Restrictions on Marketing However, if a communication meets one of the exceptions and the covered entity receives a payment, directly or indirectly, for making such communication, then it is NOT an HCO EXCEPT where: The communication describes only a drug/biologic currently prescribed for recipient and any payment received by covered entity for making communication is reasonable in amount ; AND The covered entity makes communication and covered entity obtains authorization from recipient; OR business associate makes communication on behalf of the covered entity and communication is consistent with business associate agreement. 58

59 Conclusion Compliance with the HIPAA privacy requirements requires significant cultural and procedural changes. Some employees will require additional training. Training is MANDATED for all individuals who may have access to PHI. 59

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205) HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability

More information

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

Legal and Privacy Implications of the HIPAA Final Omnibus Rule Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,

More information

Management Alert Final HIPAA Regulations Issued

Management Alert Final HIPAA Regulations Issued Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

HIPAA Basic Training for Health & Welfare Plan Administrators

HIPAA Basic Training for Health & Welfare Plan Administrators 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

New HIPAA-HITECH Proposed Regulations Issued

New HIPAA-HITECH Proposed Regulations Issued July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017 HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability

More information

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013! Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

Highlights of the Omnibus HIPAA/HITECH Final Rule

Highlights of the Omnibus HIPAA/HITECH Final Rule Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737

More information

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again

The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again ClientAdvisory The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again February 26, 2009 On February 17, 2009, President Obama signed into

More information

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

The Impact of the Stimulus Act on HIPAA Privacy and Security

The Impact of the Stimulus Act on HIPAA Privacy and Security The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American

More information

Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service

More information

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

ALERT. November 20, 2009

ALERT. November 20, 2009 ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are

More information

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP

IACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA

More information

HIPAA Privacy Compliance Checklist

HIPAA Privacy Compliance Checklist HIPAA Privacy Compliance Checklist Task Obtain Education on HIPAA Privacy Requirements 1. HIPAA EDI requirements. 2. HIPAA privacy requirements. Organize the HIPAA Privacy Team and Create a Game Plan 1.

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013 HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable

More information

HIPAA / HITECH. Ed Massey Affiliated Marketing Group

HIPAA / HITECH. Ed Massey Affiliated Marketing Group HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health

More information

ARRA 2009: Privacy and Security Provisions. Deven McGraw

ARRA 2009: Privacy and Security Provisions. Deven McGraw ARRA 2009: Privacy and Security Provisions Deven McGraw 1 Health Privacy Project at CDT Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce

More information

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached

More information

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

Highlights of the Final Omnibus HIPAA Rule

Highlights of the Final Omnibus HIPAA Rule Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Privacy & Security. Transportation Providers 2017 HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information

More information

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services

More information

HIPAA, HITECH & Meaningful Use

HIPAA, HITECH & Meaningful Use HIPAA, HITECH & Meaningful Use October 21, 2011 presented by Helen Oscislawski, Esq. Overview - What Has Changed? HITECH Act: Increased Penalties for non-compliance, effective 11/30/2009 New federal requirements

More information

To: Our Clients and Friends January 25, 2013

To: Our Clients and Friends January 25, 2013 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

AMA Practice Management Center, What you need to know about the new health privacy and security requirements 1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

What is HIPAA? (1 of 2)

What is HIPAA? (1 of 2) HIPAA 1 HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into

More information

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:

RECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows: This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ), is between Birch Family Services, Inc., a New York not-for-profit corporation ( Covered Entity ) and ( Business Associate

More information

New Federal Legislation Affecting Health Plans

New Federal Legislation Affecting Health Plans New Federal Legislation Affecting Health Plans New COBRA Subsidy New Special Enrollment Rights New Privacy and Security Requirements in the HITECH Act Leslie Anderson Jessica Forbes Olson Mark Kinney March

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

ARTICLE 1. Terms { ;1}

ARTICLE 1. Terms { ;1} The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing

More information

Disclaimer LEGAL ISSUES IN PHYSICAL THERAPY

Disclaimer LEGAL ISSUES IN PHYSICAL THERAPY LEGAL ISSUES IN PHYSICAL THERAPY Paul J. Welk, PT, JD Tucker Arensberg, P.C. pwelk@tuckerlaw.com 2017 PHCA Annual Convention 1 Disclaimer The purpose of this presentation is to provide a general overview

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions

More information

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its long-awaited Omnibus Rule 2 implementing regulations required by the HITECH Act

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2015 February 20, 2015 I. Executive Summary HIPAA is a federal law passed by Congress to protect medical patient data privacy from misuse or disclosure

More information

Effective Date: March 23, 2016

Effective Date: March 23, 2016 AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

Health Law Diagnosis

Health Law Diagnosis February Page 1 of 2013 11 Health Law Diagnosis HHS Releases Final HITECH Omnibus Rule After waiting over two years from the publication of the Notice of Proposed Rulemaking to implement provisions of

More information

HIPAA Basics: IMPORTANT HIPAA CONCEPTS. What We re going to Cover. Training for Employee Benefits Staff

HIPAA Basics: IMPORTANT HIPAA CONCEPTS. What We re going to Cover. Training for Employee Benefits Staff HIPAA Basics: Training for Employee Benefits Staff March 25, 2015 Norbert F. Kugele nkugele@wnj.com 616.752.2186 April A. Goff agoff@wnj.com 616.752.2154 What We re going to Cover Important HIPAA concepts

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

The Privacy Rule. Health insurance Portability & Accountability Act

The Privacy Rule. Health insurance Portability & Accountability Act The Privacy Rule Health insurance Portability & Accountability Act Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986 To improve portability and continuity of health insurance coverage

More information

HIPAA: Impact on Corporate Compliance

HIPAA: Impact on Corporate Compliance HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

More information

NO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES

NO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES CFOP 60-17, Chapter 7 STATE OF FLORIDA DEPARTMENT OF CF OPERATING PROCEDURE CHILDREN AND FAMILIES NO. 60-17, Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES 7-1. Purpose. This

More information

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Training Module provided as a component of the Stericycle HIPAA Compliance Program Goals for Training Understand how Texas

More information

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda

New HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda New HIPAA Breach Rules NAHU presents the WHAT and WHYs Presenters: David Smith JD, Vice President, Ebenconcepts Tom Jacobs JD, co-ceo eflexgroup Moderator: Ric Joyner CEBS CFCI, co-ceo, eflexgroup 1 Agenda

More information

HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA

HIPAA FOR LAW FIRMS WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA "HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law

More information

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES Effective: November 8, 2012 Terms used, but not otherwise defined, in this Policy and Procedure have

More information