The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.
AHLA Hospitals and Health Systems Law Institute, February 13, 2013

I. INTRODUCTION

On January 17, 2013, the Office for Civil Rights ("OCR") of the U.S. Department of Health and Human Services ("HHS") issued its long-awaited final rule ("Final Rule") modifying the Health Insurance Portability and Accountability Act ("HIPAA") privacy, security, enforcement, and breach notification rules in accordance with the Health Information Technology for Economic and Clinical Health ("HITECH") Act and the Genetic Information Nondiscrimination Act ("GINA"). Published in the Federal Register on January 25 (78 Fed. Reg. 5566, 5569), the Final Rule becomes effective on March 26, 2013, although compliance with most of its provisions is not required until September 23, 2013. Although some commenters have suggested that the Final Rule did not include significant changes to the proposed and interim final HIPAA Administrative Simplification rules, in reality covered entities, and business associates in particular, have substantial work to do before the September 23 compliance deadline.

Generally speaking, the Final Rule provides additional protections to individuals and requires greater transparency about the uses and disclosures that are made of individuals' protected health information ("PHI"), while significantly expanding liability for covered entities and their business associates. The Final Rule provisions making the most dramatic changes, and therefore necessitating the most substantial operational and policy changes, are those pertaining to business associates and breach notification. However, revisions to the HIPAA enforcement rule incorporating the HITECH Act's increased, tiered civil monetary penalty structure, and changes to several of the HIPAA privacy and security standards, also will require considerable attention.

This outline addresses the Final Rule's changes to: breach notification; enforcement; individuals' rights to request electronic copies of their PHI and to have providers restrict uses or disclosures of their PHI to their health plans when the individuals pay for services out-of-pocket; and revisions that covered entities will need to make to their notices of privacy practices ("NPPs"). Marilyn Lamar's outline for this session will address the Final Rule's revisions pertaining to: business associates and their subcontractors, business associate agreements, and liability of subcontractors based on agency; research authorizations; uses of PHI for marketing and fundraising purposes, and restrictions on the sale of PHI; and revisions to the privacy rule based on GINA.

II. BREACH NOTIFICATION

Following several years in which there was little, if any, actual enforcement activity in response to violations of the HIPAA privacy and security rule requirements, the HITECH Act for the first time required covered entities to provide written notification to the Secretary of HHS, to affected individuals, and in some cases to the media, following the discovery of a breach of unsecured PHI. Where a business associate was responsible for a breach, the business associate was required to notify the covered entity of the breach. On August 24, 2009, HHS published an interim final rule ("IFR") clarifying the specific requirements for breach notification by covered entities and business associates. [2] These regulations became effective on September 23, 2009.

A. Interim Final Rule

The IFR defined the term "breach" as the acquisition, access, use, or disclosure of PHI, in a manner not permitted by the HIPAA privacy rule, which compromises the security or privacy of the PHI. [3] "Compromises the security or privacy of the PHI" was defined to mean "poses a significant risk of financial, reputational, or other harm to the individual." [4] The IFR included three narrow exceptions to the definition of breach. A breach did not include:

1. An unintentional acquisition, access, or use of PHI by a member of the workforce or an agent of the covered entity or business associate, if the acquisition, access, or use was made in good faith, within the scope of authority, and did not result in a further impermissible use or disclosure; [5]

2. An inadvertent disclosure by a person authorized to access PHI at a covered entity or business associate to another authorized person at the same covered entity or business associate or organized health care arrangement, if the PHI received was not further used or disclosed impermissibly; or

3. A disclosure of PHI where the covered entity or business associate believed in good faith that the unauthorized person to whom the PHI was disclosed would not reasonably have been able to retain the information. [6]
In addition to the above-noted exceptions, a use or disclosure of a limited data set [7] which also excluded dates of birth and ZIP codes was not considered to be a breach of PHI, because the information had essentially been de-identified. [8] De-identified data is no longer PHI and, accordingly, is not subject to the breach notification requirements. However, if a limited data set which still contained date of birth and ZIP code was impermissibly accessed, acquired, used, or disclosed, the IFR proposed that a covered entity or business associate would be required to perform a risk assessment to determine whether the risk of re-identification of the information posed a significant risk of harm to the individual. [9]

As indicated above, the IFR specified that not every impermissible acquisition, access, use or disclosure of PHI constituted a breach for which notification must be made. However, in circumstances where a covered entity or business associate determined that an impermissible acquisition, access, use or disclosure of PHI did occur, the IFR indicated that the situation should be treated as a breach, and the covered entity or business associate then must conduct a fact-specific risk assessment to determine whether the impermissible acquisition, access, use or disclosure of PHI posed a significant risk of financial, reputational, or other harm to the individual. [10] In performing the risk assessment, covered entities and business associates were required to consider the following types of factors:

- Who impermissibly used the PHI, or to whom was the PHI impermissibly disclosed?
- In what form was the PHI accessed, used, or disclosed?
- Was the impermissible access, use, or disclosure of PHI intentional?
- What steps, if any, were taken to mitigate the potential harm of the impermissible access, use, or disclosure?
- What type of PHI was impermissibly accessed, used, or disclosed?

Significantly, the entity performing the risk assessment had the burden of demonstrating that it made all breach notifications required by the HITECH Act or that the use or disclosure did not constitute a breach. [11] Accordingly, covered entities and business associates were required to carefully document and maintain their risk assessment processes so that they could later demonstrate, if necessary, that no breach notification was required following a given impermissible access, use, or disclosure of PHI. [12] If, following the risk assessment, a significant risk of harm was determined to exist, then notification of the breach was required to be made. If the risk assessment resulted in a determination that no significant risk of harm existed, the investigation could be concluded without breach notification.

B. Final Rule

1. Definition of breach and risk assessment approach

The Final Rule was issued nearly three and a half years after the IFR was published, and many in the industry speculated that the lengthy delay was due to a reconsideration of the harm standard. Such speculation appears to have been accurate. In the preamble to the Final Rule, OCR noted that 60 of the 70 commenters who specifically addressed the IFR's definition of breach supported the proposed risk of harm standard and risk assessment approach. These commenters believed that this approach enabled the appropriate parties (covered entities and business associates) to assess the likely impact of impermissible uses or disclosures of PHI and then to strike a proper balance between enabling individuals to protect themselves from likely negative consequences of a breach and not unnecessarily flooding individuals with notifications about inconsequential events. [13] Other commenters, however, suggested that the subjective risk of harm standard gave too much discretion to covered entities and business associates and appeared to set a higher threshold for breach notification than the HITECH Act or OCR intended. [14] OCR agreed with this smaller group of commenters. In the Final Rule, it revises the definition of breach and the risk assessment approach to create what OCR describes as a more objective standard. [15]

Notes:
[2] 74 Fed. Reg. ___ (Aug. 24, 2009).
[3] 45 C.F.R. ___.
[4] Id.
[5] Id. The IFR offered, as an example of this exception, a billing employee who receives and opens an e-mail containing PHI about a patient which a nurse mistakenly sent to the billing employee. Once the billing employee notices that he is not the intended recipient of the e-mail, he alerts the nurse of the misdirected e-mail and then deletes the message. See 74 Fed. Reg. at ___.
[6] 45 C.F.R. ___. The IFR offered, as an example of this exception, a covered entity that sends several EOBs to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable, but several of the EOBs which the covered entity knew were misaddressed were not returned. Under these circumstances, the covered entity may conclude that the EOBs that were returned could not reasonably have been retained by the addressees; however, the covered entity may not reach that conclusion with respect to those EOBs that were not returned as undeliverable. See 74 Fed. Reg. at ___.
[7] A limited data set is created by removing sixteen (16) direct identifiers, set forth in 45 C.F.R. ___(e)(2), from PHI. Even with these identifiers removed from the PHI, however, a limited data set is not completely de-identified, because the elements of dates (including birth dates) and ZIP codes increase the possibility that the information may be re-identified; accordingly, the HIPAA privacy rule treats limited data sets as PHI.
[8] 45 C.F.R. ___.
[9] See 74 Fed. Reg. at ___.
[10] This harm threshold has proved to be controversial, as many commenters suggested that the statutory language of the HITECH Act did not include such a threshold. In the IFR, however, HHS noted that the statutory phrase "compromises the security or privacy" appeared to contemplate that some type of risk assessment would be necessary to determine whether a risk of harm in fact resulted from a breach, and that including a harm threshold aligned the HITECH Act breach notification requirement with various state breach notification laws. See id.
[11] 45 C.F.R. ___(b).
Now, an impermissible access, use or disclosure of PHI is presumed to be a breach, and notification is required, unless either the disclosing covered entity or business associate demonstrates that there is a low probability that the PHI was compromised or one of the other exceptions to the definition of breach applies. [16] Thus, the risk assessment now focuses on the potential harm to the data rather than the potential risk of harm to the individual, and the covered entity or business associate now has the burden of proving that there was not a breach. The probability of compromise to PHI must be determined based upon a risk assessment of at least the following factors:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood that the information may be re-identified;
- The unauthorized person who impermissibly used the PHI or to whom the PHI was impermissibly disclosed;
- Whether the PHI was actually accessed or viewed; and
- The extent to which the risk to the information has been mitigated. [17]

If a thorough, good-faith assessment of these (and perhaps other) factors in combination fails to demonstrate that there is a low probability that the PHI was compromised, then breach notification is required. [18] In further discussing these factors, the Final Rule provides numerous examples suggesting that a finding of a low probability that the data was compromised will be the exception rather than the rule. For example, if a covered entity mails information to the wrong individual, who opens the envelope and then contacts the entity to advise that she received the information in error, the unauthorized recipient viewed and acquired the information. Accordingly, OCR asserts that the covered entity's consideration of the third factor should weigh in favor of notification. [19] OCR also indicates that the identity of the recipient of the PHI may affect whether the covered entity can conclude that an impermissible use or disclosure has been appropriately mitigated. [20] For example, a covered entity may be able to rely on an assertion by another covered entity or business associate employee that the entity or person destroyed a misdirected communication containing PHI, whereas that type of assurance from some other third parties may result in a finding that the risk to PHI was not sufficiently mitigated. [21]

The revised standard effectively removes the fairly broad discretion that covered entities and business associates had under the risk of harm standard to determine whether to make notification of breaches.

Notes:
[12] A covered entity or business associate is required to maintain documentation sufficient to meet its burden of proof for a period of six years. 45 C.F.R. ___(j)(2).
[13] See 78 Fed. Reg. at ___.
[14]-[16] 78 Fed. Reg. at ___.
This appears to have been OCR's intent, as it agreed with commenters who suggested that the risk of harm standard would lead to inconsistent interpretations and results across covered entities and business associates. [22] The Final Rule maintains the three narrow exceptions proposed in the IFR, but it eliminates the IFR exception for impermissible uses or disclosures of limited data sets which also exclude dates of birth and ZIP codes; instead, entities now will have to perform a risk assessment to determine whether breach notification is required. [23] More troubling is OCR's clarification that violations of the minimum necessary standard are subject to the risk assessment requirement outlined above. [24] OCR acknowledges that risk assessments surrounding both of these types of privacy violations frequently may result in determinations that breach notification is not required. [25] Nonetheless, OCR's commentary on the new risk assessment standard plainly illustrates its expectation that covered entities and business associates devote significantly more time and thought to performing risk assessments, and evaluate a wider variety of potential breach scenarios, than these entities may have done pursuant to the IFR's risk assessment process. OCR indicates that it will issue specific guidance to assist covered entities and business associates in performing risk assessments in certain frequently occurring scenarios. [26] Until the September 23, 2013 compliance date, covered entities and business associates must comply with the breach notification requirements of the HITECH Act in accordance with the IFR. [27]

2. Notice of breaches

The Final Rule offers minor modifications to, and insight into, a few of the IFR's proposed requirements pertaining to notice of breaches. First, OCR agreed to some commenters' request for permission to provide oral or telephone breach notification to individuals receiving highly confidential treatment services where the individual has requested to receive verbal communications, so long as the health care provider orally advises the individual to pick up the written breach notice from the provider directly. Should an individual not agree to pick up the written breach notice, the provider may read the entire breach notice over the phone to the individual and document that it has done so, but OCR cautions that this practice is not to be used where providing the oral notice is simply easier for the provider or where the individual has consented to receive information by e-mail and the provider has a valid e-mail address on file. [28]

Notes:
[17]-[18] 78 Fed. Reg. at ___.
[19] See 78 Fed. Reg. at ___.
[20] 78 Fed. Reg. at ___.
[21] Id.
[22]-[23] 78 Fed. Reg. at ___.
In response to a comment requesting that providers be excused from providing breach notification to individuals in situations where a licensed health care professional believes that such notice likely will cause substantial harm to the individual, OCR declines to excuse notice to such individuals. However, providers may call such an individual or request that the individual come into the provider's office to discuss the incident before the breach notification is mailed, so long as that process does not delay the timely issuance of the notice. [29] Finally, with respect to notifications to the Secretary for breaches affecting fewer than 500 individuals, the Final Rule clarifies that covered entities must notify HHS within 60 days after the end of the calendar year in which the breaches were discovered, not the year in which the breaches occurred. [30]

Notes:
[24] 78 Fed. Reg. at ___.
[25] See 78 Fed. Reg. at ___.
[26]-[28] 78 Fed. Reg. at ___.
[29] Id.

III. ENFORCEMENT

Covered entities are required to report to the Secretary all breaches, large and small. Because breaches by definition involve a violation of the privacy rule, and because reporting to the Secretary admits such violations, covered entities must be aware of the greatly enhanced enforcement penalties that apply following the enactment of the HITECH Act and adoption of the interim final enforcement rule. In addition, the Final Rule confirms that business associates and subcontractors now are subject to civil monetary penalties and enforcement actions for noncompliance with applicable provisions of HIPAA.

A. Interim Final Rule

1. Penalty tiers and culpability

The chart below summarizes the post-HITECH penalty scheme, which provides for increasing degrees of culpability and parallel increases in the amount of applicable penalties. Under the interim final enforcement rule, [31] OCR had enormous discretion under this penalty scheme, and this discretion has been amplified under the Final Rule. Moving down the chart, each tier of culpability involves a diminished degree of attention and compliance by the covered entity or business associate, and each tier of violation is punishable by increasingly greater penalties.
Penalty tiers (nature of violation; range of penalties under HITECH § 13410; range of penalties under the interim final enforcement rule, 45 C.F.R. ___(b); maximum penalty):

Tier 1: Violation unknown, or the entity by exercising reasonable diligence would not have known of it
  HITECH § 13410: $100 for each violation, up to $25,000 for all identical violations in a calendar year
  IFR, 45 C.F.R. ___(b): $100 to $50,000 for each violation
  Maximum: $1,500,000 for all violations of this type in a calendar year

Tier 2: Violation due to reasonable cause and not willful neglect
  HITECH § 13410: $1,000 for each violation, up to $100,000 for all such violations in a calendar year
  IFR, 45 C.F.R. ___(b): $1,000 to $50,000 for each violation
  Maximum: $1,500,000 for all violations of this type in a calendar year

Tier 3: Violation due to willful neglect, if corrected within 30 days from knowledge of the violation
  HITECH § 13410: $10,000 for each violation, up to $250,000 for all such violations in a calendar year
  IFR, 45 C.F.R. ___(b): $10,000 to $50,000 for each violation
  Maximum: $1,500,000 for all violations of this type in a calendar year

Tier 4: Violation due to willful neglect, not corrected
  HITECH § 13410: $50,000 for each violation, up to $1,500,000 for all such violations in a calendar year
  IFR, 45 C.F.R. ___(b): $50,000 for each violation
  Maximum: $1,500,000 for all violations of this type in a calendar year

The interim final enforcement rule described the degrees of culpability through the following key definitions:

a. "Reasonable cause" means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. [32]

b. "Reasonable diligence" means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. This term has been equated to constructive knowledge. [33]

c. "Willful neglect" means conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. [34]

2. Secretary's Enforcement Authority

OCR has broad authority in resolving complaints of HIPAA violations. If, in the course of an investigation, it determines that the covered entity failed to comply, it will so advise the covered entity and attempt to resolve the matter by informal means whenever possible. [35] In its July 14, 2010 Notice of Proposed Rulemaking ("NPRM") modifying the privacy, security, and enforcement rules under HITECH, [36] OCR proposed to require, rather than permit, the Secretary to formally investigate all complaints or initiate compliance reviews where the facts indicate possible violations due to willful neglect. [37] The Secretary still would have discretion to investigate or conduct a compliance review in other circumstances. [38] OCR further proposed to require the Secretary to determine the extent of civil money penalties based upon the nature and extent of the harm resulting from a HIPAA violation. [39] The NPRM also proposed to permit the Secretary to share PHI with other law enforcement agencies if and as permitted under the Privacy Act. [40]

Notes:
[30] 78 Fed. Reg. at ___.
[31] ___ Fed. Reg. ___ (Apr. 18, 2005).
[32]-[34] Id. at ___.
[35] 45 C.F.R. ___(a).
[36] ___ Fed. Reg. ___ (Jul. 14, 2010).
[37] See 78 Fed. Reg. at ___.
[38] 78 Fed. Reg. at ___.
[39] See 78 Fed. Reg. at ___.
[40] 78 Fed. Reg. at ___.

B. Final Rule
The Final Rule adopts the NPRM's proposals regarding the Secretary's discretion in determining when, and how, to investigate potential HIPAA violations. Now, if a preliminary review of facts cited in a complaint indicates a possible violation due to willful neglect, the Secretary must investigate the complaint. [41] Similarly, if facts indicating a possible violation due to willful neglect come to the Secretary's attention for other reasons, the Secretary must conduct a compliance review. The Secretary now also has enforcement discretion to impose a civil money penalty, or to take other more formal action, without exhausting informal means of resolution. [42]

The Final Rule also implements the HITECH Act's tiered civil monetary penalty structure, shown in the chart above, which includes significantly increased financial penalties for HIPAA violations. In response to concerns expressed by commenters about the Secretary's wide range of discretion in determining penalty amounts, OCR emphasizes that HHS will not impose the maximum penalty in every case but will, as required by the HITECH Act, determine penalty amounts based on the facts of each case and the nature and extent of both the violation and the resulting harm. [43] In addition, the Secretary has the ability to waive a civil money penalty to the extent the penalty would be excessive in relation to the violation, and entities may appeal the imposition of penalties they believe to be unfair to an administrative law judge. [44]

Responding to questions about how the number of occurrences is determined for purposes of calculating penalties, the Final Rule clarifies that the number of identical violations may be counted by the number of individuals affected by the violation or by the number of days the violation continued before it was corrected. Rather ominously, however, the commentary goes on to state that covered entities and business associates may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately, thus feasibly resulting in total penalties in amounts substantially higher than the $1.5 million calendar year limit for each type of violation. [45]

Additionally, the Final Rule adopts the NPRM's proposed revised definition of "reasonable cause" to clarify the state of mind, or mens rea, required for the second category of violations. "Reasonable cause" now means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect. [46]

The Final Rule also outlines a broad variety of factors that may be considered in determining the amount of a civil money penalty, including:

- The nature of the violation (including the number of individuals affected and the time period during which the violation occurred);
- The nature and extent of the resulting harm (including physical, reputational, or financial harm or the inability to obtain health care);
- The history of prior HIPAA compliance by the entity (including previous violations, previous corrections of noncompliance, and response to previous complaints); and
- The financial condition of the noncompliant covered entity or business associate (including whether the noncompliance may have resulted from financial hardship, the size of the entity, and whether imposing a penalty would jeopardize the entity's ability to continue to provide health care). [47]

Notes:
[41]-[46] 78 Fed. Reg. at ___.

IV. INDIVIDUAL RIGHTS

A. Right to Request Restrictions on Uses and Disclosures of PHI

The privacy rule provides individuals with a right to request restrictions on a covered entity's use or disclosure of their PHI for the purposes of treatment, payment, or health care operations, but before enactment of the HITECH Act covered entities were not required to grant such requests. The Final Rule implements the HITECH Act provision requiring that covered entities agree to an individual's request to restrict uses and disclosures of his or her PHI related to a treatment or service, if: (1) the request is to restrict disclosure of information to the individual's health plan for payment or health care operations purposes; and (2) the information relates solely to an item or service for which the individual pays the covered entity out-of-pocket and in full. [48] OCR received numerous questions about how to operationalize this new right.
In response, the commentary to the Final Rule clarifies that:

- Health care providers need not create separate medical records or otherwise segregate PHI that is subject to such a restriction, but they will need to flag this restriction in the record to assure that such information is not provided to the health plan inadvertently or for other operations purposes, such as health plan audits; [49]
- If the restriction sought is for a service that is one of a number of bundled services provided in a single encounter, the provider should counsel the patient about whether it is able to unbundle the service to permit the individual to pay for that individual service, and about the possible effect of doing so (e.g., the health plan still may be able to determine that the service was provided). If unbundling the service is possible, the provider should abide by the individual's request to unbundle; if it is not possible, the provider should permit the individual to restrict and pay out-of-pocket for the entire bundle of services; [50]
- Providers do not have an obligation to inform downstream providers of a restriction, but OCR encourages providers to counsel patients to request a restriction and pay out-of-pocket with such downstream providers in order for the restriction to apply to disclosures by those providers; [51]
- Providers within an HMO who cannot by law accept payment from an individual in excess of the individual's cost-sharing amount may counsel individuals to use an out-of-network provider if they wish to restrict from disclosure PHI about certain health care items or services; [52] and
- If an individual's payment for the restricted item or service is dishonored, OCR expects providers to make reasonable efforts to contact the individual and obtain payment by alternative means before billing a health plan, but this does not mean that an individual's debt must be placed in collection before a provider may bill the health plan for the item or service. [53]

Notes:
[47]-[48] 78 Fed. Reg. at ___.
[49] Id.
[50] 78 Fed. Reg. at ___.

B. Right to Access Copies of Electronically-Stored PHI

1. Form and format

The privacy rule permits individuals to request and receive copies of their PHI that a covered entity maintains in a designated record set. The Final Rule adopts the NPRM's proposed expansion of this right to permit individuals to receive a copy of PHI that is maintained in an electronic health record in electronic format. Accordingly, if an individual requests an electronic copy of PHI that the covered entity maintains electronically in one or more designated record sets ("ePHI"), the covered entity must provide access to the ePHI in the electronic form and format sought by the individual, if readily producible in that form and format. [54] If such access is not possible (for example, if the individual seeks to access her ePHI through a web-based portal and the provider does not maintain a portal), then the covered entity and the individual must agree on the readable electronic format in which the information will be provided. [55]
If the individual refuses to accept the ePHI in the available electronic formats, the covered entity must provide a hard copy. [56] OCR clarifies that covered entities are not required to purchase new systems or software in order to provide ePHI in a form or format that is not readily producible, but that entities whose systems cannot produce a copy of ePHI in any electronic form (including some legacy systems) may need to invest in software or hardware to offer some form of electronic copy. [57] Additionally, covered entities that maintain hybrid records need not scan paper documents in order to provide individuals with electronic copies of those paper records. [58]

Several covered entities commented that they should not have to use portable devices brought in by individuals to comply with this requirement, because doing so might introduce viruses or other security risks to their systems. OCR acknowledges this risk in commentary to the Final Rule and permits covered entities to provide access to ePHI on media provided by the covered entity or, if an individual does not wish to pay for such portable media, to provide the individual an electronic copy through alternative means, such as through e-mail. Covered entities also raised concerns about the potential vulnerability of unencrypted e-mails and their potential liability for breach should ePHI be compromised when transmitted by this method to individuals. In response, OCR confirms that entities may provide copies of ePHI in unencrypted e-mails if they first notify the individual of the possible risk that a third party may read the e-mail. If, despite this risk, the individual still prefers to receive an unencrypted e-mail instead of an available electronic alternative, the covered entity may e-mail the information. [59]

2. Third parties

Upon an individual's written request, a covered entity must transmit a copy of PHI directly to a third party designated by the individual. The individual's request must be signed, and it must clearly identify the third party and where to send the information. [60]

3. Copy fees

Covered entities may charge individuals a reasonable, cost-based fee for providing copies of PHI. The Final Rule permits entities to include labor costs for copying in the calculation of the fee. Such costs may include staff time to create and copy electronic files (such as compiling, extracting, scanning, or burning PHI to media and distributing the media). [61]

Notes:
[51]-[52] Id.
[53]-[55] 78 Fed. Reg. at ___.
[56] Id.
Fees also may be charged for supplies used in creating electronic media (such as discs and flash drives) for individuals who seek copies on portable media, and for postage incurred on behalf of individuals who request mailing of the electronic media. [62] However, entities may not charge for costs related to maintaining systems, data storage, or new technology, nor may they charge a retrieval fee for electronic copies, since such a fee is not permitted for production of paper copies. Finally, in instances where HIPAA permits charging higher costs than does applicable state law, under state law preemption principles covered entities will not be permitted to charge more than state law allows. Conversely, if applicable state law permits charging a higher fee than the copying costs the covered entity actually incurs, the covered entity may only charge for its actual costs. [63]

4. Time frame

Because access to ePHI is almost instantaneous, the Final Rule shortens the time frame within which covered entities must respond to access requests, even where the PHI is stored off-site, to a total of no more than 60 days. Covered entities have 30 days to respond to an individual's access request, and they may have a single 30-day extension upon providing written notice to the individual stating the reason for the delay and the expected date of completion. [64]

C. Notice of Privacy Practices

The Final Rule adopts the NPRM's proposal that health care providers and health plans update their notices of privacy practices ("NPPs") to address numerous changes, including that most uses and disclosures of psychotherapy notes, along with marketing communications and the sale of PHI, are not permitted without the individual's prior written authorization. [65] Entities that do not maintain psychotherapy notes, however, need not reference them in the NPP. The NPP also must state that affected individuals will be notified following a breach of unsecured PHI, and those covered entities that engage in fundraising using PHI must notify individuals that they may opt out of receiving any fundraising communications from the provider or plan. [66] Finally, providers must notify individuals that they may restrict disclosures of PHI to health plans where they have paid out-of-pocket and in full for such care. [67] Most health plans (excluding only long-term care plans) also must inform individuals that the plans are prohibited from using or disclosing individuals' genetic information for underwriting purposes. [68]

In response to concerns expressed about printing costs for new NPPs, OCR advises that providers need not print and hand out revised NPPs to all individuals seeking treatment, but they must post the revised NPP in a prominent location and have copies available for individuals who request a copy to take with them. [69] OCR also reiterates that covered entities may employ a layered notice, including a summary of the individual's rights atop a longer notice that contains all of the required elements. [70] With respect to health plans, the Final Rule specifies that a health plan that currently posts its NPP on its website must both prominently post the change or revised NPP on the website by the effective date of the change (in this case, the compliance deadline of the Final Rule) and provide the revised NPP, or information about the change and how to obtain the NPP, in its next annual mailing to plan members. Those health plans that do not maintain a website

Notes:
[57]-[58] Id.
[59] 78 Fed. Reg. at ___.
[60] Id.
[61] 78 Fed. Reg. at ___.
[62]-[63] Id.
[64]-[65] 78 Fed. Reg. at ___.
[66]-[67] Id.
[68] 78 Fed. Reg. at ___.
[69]-[70] Id.
14 must provide the revised NPP or information about the changes and how to obtain the NPP to plan members within 60 days of the change. 71 revised V. CONCLUSION The Final Rule turns the breach notification s risk assessment methodology on its head, subjects new categories of business associates and many thousands of their subcontractors to direct liability for compliance with portions of the privacy, security, and breach notification rules, and significantly augments the Secretary s enforcement discretion. In order to achieve this, the Final Rule contains scores of details and nuances that will take time for affected parties to evaluate and digest. Covered entities and business associates (and subcontractors) have nearly eight months to come into compliance with all of the new requirements. Given the wide-ranging and substantial implications of noncompliance with the Final Rule, however, it is not too soon for these organizations to begin mapping out the various procedural, policy, and operational changes that must be made and working with internal staff and outside counsel and consultants to effectuate these changes. 71 Id. 14