TRAPS, TRICKS & TREPIDATION IN HIPAA & HYBRID ENTITY DESIGNATIONS AT UNIVERSITIES & AMCS

Size: px
Start display at page:

Download "TRAPS, TRICKS & TREPIDATION IN HIPAA & HYBRID ENTITY DESIGNATIONS AT UNIVERSITIES & AMCS"

Transcription

1 TRAPS, TRICKS & TREPIDATION IN HIPAA & HYBRID ENTITY DESIGNATIONS AT UNIVERSITIES & AMCS

2 FACILITATORS Holly Benton, Duke Privacy, Duke University Lauren Steinfeld, Chief Privacy Officer, Penn Medicine Marti Arvin, VP Audit Strategy, Cynergistek, Inc.

3 DISCLAIMER: 3 This presentation contains slides that have been combined for purposes of presentation continuity. The speakers do not necessarily endorse the content of each other s slides. Moreover, the views expressed in this presentation belong to the speakers and do not necessarily represent the views of their organizations or other organizations.

4 AGENDA Background: review of the regulations Case studies Other relationships to consider Questions

5 BACKGROUND, A REVIEW OF THE REGULATIONS 5

6 6 HIPAA REGULATIONS ON HYBRID ENTITIES Hybrid entity Single legal entity that is A covered entity (Healthcare Provider, Health plan, Healthcare Clearinghouse) With both covered and non-covered functions; and That designates its health care components Covered functions Those functions of a covered entity the performance of which makes the entity a health plan, health care provider or health care clearinghouse.

7 7 REGULATIONS ON HYBRID ENTITIES Business units of the organization that engage in activities that would make them a business associate if they were a separate legal entity must be include in the health care component of the hybrid entity to the extent they engage in those BA activities The health care component may only include a component only to the extent it performs covered functions

8 CASE STUDIES FOR CONSIDERATION TO DEFINE HEALTH CARE COMPONENT 8

9 CASE STUDY 1 HYBRID ENTITY Your entity is a hybrid, consisting of an academic medical center and a university, with several schools involved in healthcare-related research You are trying address the training issues associated with being an AMC. Specifically, there is staff employed by the university that would like to work with PHI for research purposes.

10 CASE STUDY 1 HYBRID ENTITY You also have specialists in statistics and data analytics at other internal, non-covered component, Schools who can help evaluate utilization trends and reasons for readmission. You also would like to ensure proper agreements and relationships are in place when it comes to sharing PHI within the AMC and with the university schools.

11 CONSIDERATIONS CASE STUDY 1 Support services legal, waste management, audit, construction services Do they need the standard HIPAA training given to hospital employees? Groups who do not support the entity overall, but access data for projects for their own purposes, or for service work on behalf of the covered components Are there other safeguards to apply such as DUAs, BAAs, or training?

12 CASE STUDY 2 Ten campus, single legal entity university. All have student health centers Some treat students only Some treat students and student dependents Some treat student, student dependents and staff 6 campuses have medical centers All have a School of Medicine Some have other traditional health schools such as dentistry, nursing, allied health,

13 CASE STUDY 2 The non-amc campuses have health care activities Schools such as optometry Each campus has a unique structure and culture

14 CASE STUDY 2 Functions such as legal, internal audit, compliance have a system level office as well as offices at each campus. All the AMC campuses and some non-amc campuses engage in human subject research

15 CASE STUDY 2 Research has been designated as outside the healthcare component of the hybrid entity There is a system level administrative policy that designates the components which are inside the health care component but each campus must specify the business units and functions that are part of the health care component of their campus.

16 CONSIDERATIONS FOR CASE STUDY 2 What are the practical implications of who is included in the health care component and who is not? How do you assure each campus understands the rules and the system level policy well enough to identify the portions of their campus that is part of the healthcare component?

17 CONSIDERATIONS FOR CASE STUDY 2 How do you keep the consistency of documents like the NPP or a template BAA in place when each campus functions somewhat independently? How do you handle research information when the health system may be conducting services for research subjects?

18 CASE STUDY 3 You ve recently joined the privacy office of a university and discover that the hybrid designation may never have been formally reassessed. Past incident files point to non-covered departments, including transportation and printing services, providing services to covered components, and, seeing neither incident reports nor training records, you suspect some designated units may not even know they re covered.

19 CASE STUDY 3 New enterprise systems have been put into place over the last few years and the lack of related (or any!) risk analysis suggest ephi may be accessible by non-covered units. Of equal concern, you realize the information security office team may not be aware of and/or managing the Security Rule responsibilities.

20 CASE STUDY 3 You learn that the wellness service offered to employees, listed as a part of the ACE and included as an offering of the family medicine clinic, is actually a service provided by a vendor with whom central HR (not a covered unit) has contracted. As your looking at the hybrid designation, you receive a call from a business school employee who wants to know what to do with the state health department documents containing individuals health information he discovered left in a conference room.

21 What do you do, and where do you start? CONSIDERATIONS FOR CASE STUDY 3 What do these scenarios reveal are your institution s issues needing to be addressed? How do you strategize your approach? What do you address first and what order makes the most sense? With whom do you partner and what leadership support do you need upfront for the most successful reassessment? How do you operationalize the results of the reassessment? What documentation considerations does the project(s) present?

22 OTHER RELATIONSHIPS THAT MAY EXIST AT A UNIVERSITY OR AMC

23 Affiliated Covered Entity (ACE) WHAT TYPE OF AGREEMENTS/RELATIONSHIPS MIGHT EXIST? Organized Health Care Arrangement (OCHA) Business Associate 23 AHLA Legal Issues Affecting Academic Medical Centers January 2018

24 24 AFFILIATED COVERED ENTITY Legal separate covered entities that are affiliated designate themselves as an ACE i.e. become a single covered entity for purposes of HIPAA May designate the separate covered entities or any health care component of the CE) Required common ownership or control Designation must be documented AHLA Legal Issues Affecting Academic Medical Centers January 2018

25 25 AFFILIATED COVERED ENTITY What constitutes evidence of common ownership or control? Same parent Overseen by a common Board Be prepared to demonstrate common ownership or control Consider liability implications of becoming an ACE AHLA Legal Issues Affecting Academic Medical Centers January 2018

26 26 ORGANIZED HEALTH CARE ARRANGEMENT 45 CFR A clinically integrated care setting in which individuals typically receive health care from more than one health care provider An organized system of health care in which more than one covered entity participates and all participating CEs Hold themselves out as a joint arrangement Participate in joint activities that include at least one of the following: Utilization review Quality assessments Payment activities AHLA Legal Issues Affecting Academic Medical Centers January 2018

27 27 BUSINESS ASSOCIATES Any component of a covered entity that is a hybrid entity must include those business functions performing BA type activities in the health care component of its hybrid entity. Thus not business associate agreement is required. Entities that are part of an OHCA may be a business associate of another covered entity participating in the OHCA AHLA Legal Issues Affecting Academic Medical Centers January 2018

28 28 BUSINESS ASSOCIATES Business units, colleges or schools may have business associate relationships with external third parties The activities that make the unit, college or school a BA may or may not be considered covered functions Consideration must be given to whether separate P & Ps are required or they would follow the health care component HIPAA P & Ps as applicable. AHLA Legal Issues Affecting Academic Medical Centers January 2018

29 29 BUSINESS ASSOCIATES Need for process to identify external BA relationships before the engagement is entered and to monitor during the engagement to assure The risk profile is considered The compliance obligations are understood Breach notification is properly addressed. AHLA Legal Issues Affecting Academic Medical Centers January 2018

30 QUESTIONS

31 CONTACT INFORMATION Holly Benton Lauren Steinfeld Marti Arvin , ext 8071

PRIVACY STANDARDS OVERVIEW

PRIVACY STANDARDS OVERVIEW PRIVACY STANDARDS OVERVIEW Basic Requirements What Entities Are Covered Practical Effects BASIC REQUIREMENTS A Covered Entity may not use or disclose an individual s protected health information ( PHI

More information

OHCAs, ACEs and Hybrid Entities

OHCAs, ACEs and Hybrid Entities HIPAA Summit West III June 5, 2003 OHCAs, ACEs and Hybrid Entities Paul Smith Davis Wright Tremaine LLP One Embarcadero Center Suite 600 San Francisco, CA 94111 (415) 276-6532 paulsmith@dwt.com Complex

More information

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Hybrid Entity Policy ISUPP 10010

IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Hybrid Entity Policy ISUPP 10010 POLICY INFORMATION Policy Section: Governance/Legal IDAHO STATE UNIVERSITY POLICIES AND PROCEDURES (ISUPP) HIPAA Privacy - Hybrid Entity Policy ISUPP 10010 Policy Title: HIPAA Privacy - Hybrid Entity Policy

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

UNIVERSITY POLICY. Adopted: 11/1/2016 Reviewed: 11/1/2016. Revised: Contact:

UNIVERSITY POLICY. Adopted: 11/1/2016 Reviewed: 11/1/2016. Revised: Contact: UNIVERSITY POLICY Policy Name: Hybrid Entity Declaration Section #: 100.1.12 Section Title: HIPAA Policies Approval Authority: Responsible Executive: Responsible Office: RBHS Chancellor/Executive Vice

More information

Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

Complex Health Care Organization Relationships and the Impact of OCR HIPAA Enforcement Actions. Goals

Complex Health Care Organization Relationships and the Impact of OCR HIPAA Enforcement Actions. Goals Complex Health Care Organization Relationships and the Impact of OCR HIPAA Enforcement Actions Blaine Kerr, CISA, CHPC Chief Privacy Officer Jackson Health System Greg Kerr, MJ, CHPC, CHC Aegis Compliance

More information

HIPAA and Payment Reform ACOs, Medical Home & Bundled Payments

HIPAA and Payment Reform ACOs, Medical Home & Bundled Payments HIPAA and Payment Reform ACOs, Medical Home & Bundled Payments By: Paul T. Smith, Shareholder Hooper, Lundy & Bookman, P.C. psmith@health-law.com 23 rd National HIPAA Summit Washington, D.C. March 17,

More information

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability

More information

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014. HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,

More information

HIPAA and Payment Reform ACOs, Medical Home, Bundled Payments and Exchanges

HIPAA and Payment Reform ACOs, Medical Home, Bundled Payments and Exchanges HIPAA and Payment Reform ACOs, Medical Home, Bundled Payments and Exchanges By: Paul T. Smith, Partner Hooper, Lundy & Bookman, P.C. psmith@health-law.com 22 nd National HIPAA Summit Washington, D.C. February

More information

The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees

The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees The Health Insurance Portability and Accountability Act (HIPAA) A guided tutorial for GVSU employees 1 Who Needs Training? Employees who come in contact with Protected Health Information including: Benefits

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

Business Associate Contracts: Time Is Running Out...

Business Associate Contracts: Time Is Running Out... Business Associate Contracts: Time Is Running Out... Rebecca L. Williams, RN, JD Partner Seattle, WA beckywilliams@dwt.com 206-628-7769 ... Or April Angst, Again April 2003: First deadline April 14, 2004:

More information

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS

PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached

More information

New HIPAA Rules and Implications for the Industry January 29, 2013

New HIPAA Rules and Implications for the Industry January 29, 2013 New HIPAA Rules and Implications for the Industry January 29, 2013 **Audio for this webinar streams through the web. Please make sure the sound on your computer is turned on. If you need technical assistance,

More information

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements

Emma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:

More information

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement

More information

Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients 1 Federal Regulations HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential

More information

GUIDANCE ON HIPAA & CLOUD COMPUTING

GUIDANCE ON HIPAA & CLOUD COMPUTING GUIDANCE ON HIPAA & CLOUD COMPUTING http://www.hhs.gov/hipaa/for-professionals/special-topics/cloudcomputing/index.html January 26, 2017 Health Care Cloud Coalition Deven McGraw, Deputy Director, Health

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style

Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style July 27, 2016 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP hcarnell@mcguirewoods.com

More information

Texas Tech University Health Sciences Center HIPAA Privacy Policies

Texas Tech University Health Sciences Center HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

Omnibus Rule: HIPAA 2.0 for Law Firms

Omnibus Rule: HIPAA 2.0 for Law Firms Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA

More information

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile

More information

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 References: http://www.hhs.gov/ocr/hipaa TTUHSC El Paso HIPAA website: http://elpaso.ttuhsc.edu/hipaa/ Policy Statement

More information

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, Inc., a clearinghouse Covered Entity under HIPAA, providing

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS. What do I need to know?

HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS. What do I need to know? HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS What do I need to know? INITIAL AUDITS PERFORMED IN 2016 Covered Entities Business associates AUDIT PURPOSE: SUPPORT IMPROVED COMPLIANCE

More information

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference

Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,

More information

Leveraging the CSF to Assess HIPAA Privacy Nadia Fahim-Koster Director, IT Risk Management Meditology Services April 2016

Leveraging the CSF to Assess HIPAA Privacy Nadia Fahim-Koster Director, IT Risk Management Meditology Services April 2016 Leveraging the CSF to Assess HIPAA Privacy Nadia Fahim-Koster Director, IT Risk Management Meditology Services April 2016 Agenda Introduction HITRUST and Privacy Controls Privacy Rule core requirements

More information

HIPAA Privacy Compliance Checklist

HIPAA Privacy Compliance Checklist HIPAA Privacy Compliance Checklist Task Obtain Education on HIPAA Privacy Requirements 1. HIPAA EDI requirements. 2. HIPAA privacy requirements. Organize the HIPAA Privacy Team and Create a Game Plan 1.

More information

HIPAA Data Breach ITPC

HIPAA Data Breach ITPC HIPAA Data Breach Objectives Overview of Omnibus Rule - Data Breach Suspected Breach - Investigation Audit Risk Assessment Corrective Action Plan Written Notification Elements NYS Rules on Data Breach

More information

SDM Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates

SDM Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates Policy and Procedure: SDM HIPAA Terms and Conditions for (Adapted from UPMC s HIPAA Terms and Conditions for at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/terms.pdf) Effective: 03/30/2012

More information

March 29, 2018 Key Principles in HIPAA Compliance

March 29, 2018 Key Principles in HIPAA Compliance March 29, 2018 Key Principles in HIPAA Compliance Presented by Benefit Comply Welcome! We will begin at 3 p.m. Eastern There will be no sound until we begin the webinar. When we begin, you can listen to

More information

HIPAA Omnibus Rule Compliance

HIPAA Omnibus Rule Compliance HIPAA Omnibus Rule Compliance Jana Aagaard, JD Senior Counsel, Privacy/HIT Dignity Health Christy Navarro, MS CIPP/US Director, Chief Privacy Officer - Ascendian 1 Overview Background What Should Be Done

More information

The HHS Breach Final Rule Is Out What s Next?

The HHS Breach Final Rule Is Out What s Next? The HHS Breach Final Rule Is Out What s Next? Webinar September 16, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer

More information

HIPAA Overview Health Insurance Portability and Accountability Act. Premier Senior Marketing, Inc

HIPAA Overview Health Insurance Portability and Accountability Act. Premier Senior Marketing, Inc HIPAA Overview Health Insurance Portability and Accountability Act Premier Senior Marketing, Inc HIPAA Defined Acronym that stands for the Health Insurance Portability and Accountability Act, a US law

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205) HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information

More information

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )

More information

BUSINESS POLICY AND PROCEDURE MANUAL

BUSINESS POLICY AND PROCEDURE MANUAL 06/10 1 of 1 01-13 GENERAL STATEMENT OF HIPAA Compliance The Health Insurance Portability and Accountability Act of 1996 (HIPAA regulates health care providers (Covered Entities) that electronically maintain

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

HIPAA Compliance Guide

HIPAA Compliance Guide This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

HIPAA: Impact on Corporate Compliance

HIPAA: Impact on Corporate Compliance HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

More information

IHDE BUSINESS ASSOCIATE AGREEMENT (BAA)

IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) IHDE BUSINESS ASSOCIATE AGREEMENT (BAA) This Business Associate Agreement (BAA) is entered into by and between the Covered Entity aka. Data Provider/User, (please enter name of organization) and the Business

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

CYBER LIABILITY REINSURANCE SOLUTIONS

CYBER LIABILITY REINSURANCE SOLUTIONS CYBER LIABILITY REINSURANCE SOLUTIONS CYBER STRONG. CYBER STRONG. State-of-the-Art Protection for Growing Cyber Risks Businesses of all sizes and in every industry are experiencing an increase in cyber

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES

HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule

More information

The Privacy Rule. Health insurance Portability & Accountability Act

The Privacy Rule. Health insurance Portability & Accountability Act The Privacy Rule Health insurance Portability & Accountability Act Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986 To improve portability and continuity of health insurance coverage

More information

Business Associate Risk

Business Associate Risk Business Associate Risk Assessing and Managing Business Associate Risk Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Disclaimer: Nothing in this presentation

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

COMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM

COMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM APPENDIX J Rev dated 11/24/2014 COMMONWEALTH OF PENNSYLVANIA BUSINESS ASSOCIATE ADDENDUM WHEREAS, the Pennsylvania Department of Human Services (Covered Entity) and Contractor (Business Associate) intend

More information

What is HIPAA? (1 of 2)

What is HIPAA? (1 of 2) HIPAA 1 HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into

More information

BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and

BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and WHEREAS, Dallas County, Tarrant County, Denton County, Parker County, the North Texas Tollway Authority have created

More information

TEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT

TEXAS SOUTHERN UNIVERSITY HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement (this BA Agreement ) is made and entered into by ( Provider ), a, located at, and Texas Southern University, an agency and institution of higher education established

More information

COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH

COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH COLUMBIA UNIVERSITY INSTITUTIONAL REVIEW BOARD POLICY ON THE PRIVACY RULE AND THE USE OF HEALTH INFORMATION IN RESEARCH I. Background The Health Insurance Portability and Accountability Act of 1996 (as

More information

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS

OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions

More information

HIPAA Privacy and Security for Employers in the Age of Common Data Breaches. April 30, 2015

HIPAA Privacy and Security for Employers in the Age of Common Data Breaches. April 30, 2015 HIPAA Privacy and Security for Employers in the Age of Common Data Breaches April 30, 2015 HIPAA Privacy and Security for Employers in the Age of Common Data Breaches Welcome! We will begin at 3 p.m. Eastern

More information

How to mitigate risks, liabilities and costs of data breach of health information by third parties

How to mitigate risks, liabilities and costs of data breach of health information by third parties How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com Rick Kam President and Co-Founder richard.kam@idexpertscorp.com

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

503 SURVIVING A HIPAA BREACH INVESTIGATION

503 SURVIVING A HIPAA BREACH INVESTIGATION 503 SURVIVING A HIPAA BREACH INVESTIGATION Presented by Nicole Hughes Waid, Esq. Mark J. Swearingen, Esq. Celeste H. Davis, Esq. Regional Manager 1 Surviving a HIPAA Breach Investigation: Enforcement Presented

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300

Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Training Module provided as a component of the Stericycle HIPAA Compliance Program Goals for Training Understand how Texas

More information

University of Wisconsin-Madison Policy and Procedure

University of Wisconsin-Madison Policy and Procedure Page 1 of 9 I. Policy The HIPAA Privacy Rule requires that, in most situations, patients provide written authorization prior to uses or disclosures of their protected health information. This policy is

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

HIPAA and Lawyers: Your stakes have just been raised

HIPAA and Lawyers: Your stakes have just been raised HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

HEALTHCARE BREACH TRIAGE

HEALTHCARE BREACH TRIAGE IAPP Privacy Academy September 30 October 2, 2013 HEALTHCARE BREACH TRIAGE Theodore P. Augustinos EDWARDS WILDMAN PALMER LLP Kenneth P. Mortensen CVS/CAREMARK 2013 Edwards Wildman Palmer LLP & Edwards

More information

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,

More information

Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences

Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences 1 Brief discussion of where we have been and where we are going Discussion of Federal Enforcement Actions Privacy and Security issue

More information

Omnibus HIPAA Rule: Impact on Covered Entities

Omnibus HIPAA Rule: Impact on Covered Entities Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,

More information

Ensuring HIPAA Compliance When Transmitting PHI Via Patient Portals, and Texting

Ensuring HIPAA Compliance When Transmitting PHI Via Patient Portals,  and Texting Presenting a live 90-minute webinar with interactive Q&A Ensuring HIPAA Compliance When Transmitting PHI Via Patient Portals, Email and Texting Protecting Patient Privacy, Complying with State and Federal

More information

Healthcare Professional Liability Insurance Mark Albi, Assistant Vice President Risk Management. Transition to Practice Workshop September 7, 2016

Healthcare Professional Liability Insurance Mark Albi, Assistant Vice President Risk Management. Transition to Practice Workshop September 7, 2016 Healthcare Professional Liability Insurance Mark Albi, Assistant Vice President Risk Management Transition to Practice Workshop September 7, 2016 Introductions Mark Albi, Assistant Vice President, Risk

More information

The Security Risk Analysis Requirement for MIPS. August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist

The Security Risk Analysis Requirement for MIPS. August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist The Security Risk Analysis Requirement for MIPS August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist Today s Speaker Peter Mercuri Peter Mercuri, MBA, HCISPP, CHSA,CMQP,CEHR,CHTS,CHWP

More information

HIPAA Compliance for Business Associates

HIPAA Compliance for Business Associates Presenting a live 90-minute webinar with interactive Q&A HIPAA Compliance for Business Associates Overcoming Complex Challenges With Data De-Identification, Security Breaches, Indemnification and More

More information

HIPAA PRIVACY AND SECURITY AWARENESS

HIPAA PRIVACY AND SECURITY AWARENESS HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect

More information

RECIPROCAL BUSINESS ASSOCIATE AND DATA USE AGREEMENT BETWEEN THE PARTICIPATING PHYSICIAN ORGANIZATION AND MILLIMAN, INC.

RECIPROCAL BUSINESS ASSOCIATE AND DATA USE AGREEMENT BETWEEN THE PARTICIPATING PHYSICIAN ORGANIZATION AND MILLIMAN, INC. RECIPROCAL BUSINESS ASSOCIATE AND DATA USE AGREEMENT BETWEEN THE PARTICIPATING PHYSICIAN ORGANIZATION AND MILLIMAN, INC. THIS RECIPROCAL BUSINESS ASSOCIATE AND DATA USE AGREEMENT (this Agreement ) is by

More information

HIPAA Basic Training for Health & Welfare Plan Administrators

HIPAA Basic Training for Health & Welfare Plan Administrators 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying

More information

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT Attachment G HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) BUSINESS ASSOCIATE AGREEMENT Health Insurance Portability and Accountability Act (HIPAA) Compliance This HIPAA Business Agreement

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017

HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017 HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017 Presenters: Isaac M. Willett & Doriann H. Cain Business Associates & HIPAA in 2017 Increasing focus on business associates

More information

POLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN RESEARCH

POLICY FOR THE PROTECTION OF HUMAN SUBJECTS IN RESEARCH PURPOSE: 1.01 The purpose of this policy is to formalize Oklahoma State University s (hereinafter referred to as OSU or the University) obligation to protect human subjects and confirm the University s

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

HIPAA and Research at UB

HIPAA and Research at UB HIPAA and Research at UB Brian Murphy, MS Director, University at Buffalo HIPAA Compliance Office of the President Director, Health Professions IT Partnership Office of the VP for Health Affairs bwmurphy@buffalo.edu

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

Stanford Blood Center, LLC

Stanford Blood Center, LLC Page 1 of 9 I. PURPOSE: A. To establish rules and guidelines for requests, approvals, drafting, review, signature, and administration of Contracts. II. POLICY: A. Stanford Blood Center, LLC ( Stanford

More information