HIPAA Privacy and Security: Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches
1 Presenting a live 90-minute webinar with interactive Q&A. HIPAA Privacy and Security: Surviving Heightened Enforcement. Crafting and Implementing Data Security Policies and Responding to Breaches. THURSDAY, MAY 5, pm Eastern 12pm Central 11am Mountain 10am Pacific. Today's faculty features: Nathan A. Kottkamp, Partner, McGuireWoods, Richmond, Va.; Gina M. Kastel, Partner, Faegre & Benson, Minneapolis; Rebecca C. Fayed, Counsel, SNR Denton, Washington, D.C. The audio portion of the conference may be accessed via the telephone or by using your computer's speakers. Please refer to the instructions emailed to registrants for additional information. If you have any questions, please contact Customer Service at ext. 10.
5 HIPAA Enforcement: The Dawn of a New Era Nathan A. Kottkamp May 5,
6 HIPAA Enforcement: Before HITECH All Bark, and No Bite? McGuireWoods LLP 6
7 HIPAA Enforcement Pre-HITECH. Pre-HITECH penalty limited to $100 per violation or $25K for all identical violations. No Civil Money Penalties cases.
8 Providence Health & Services-2008 la di da...
9 Providence Health & Services-2008 Providence agrees to pay $100, and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss. The Resolution Agreement relates to Providence's loss of electronic backup media and laptop computers containing individually identifiable health information in 2005 and Providence agreed to perform certain obligations (e.g., staff training) and make reports to HHS for three years. During the period, HHS monitors the compliance of the covered entity with the obligations it has agreed to perform. idenceresolutionagreement.html
10 CVS-2009 Patient records?
11 CVS-2009 Under the Resolution Agreement, CVS agreed to pay a $2,250,000 resolution amount and implement a strong Corrective Action Plan that requires: 1. revising and distributing its policies and procedures regarding disposal of protected health information; 2. sanctioning workers who do not follow them; 3. training workforce members on these new requirements; 4. conducting internal monitoring; 5. engaging a qualified, independent third-party assessor to conduct assessments of CVS compliance with the requirements of the Corrective Action Plan and render reports to HHS; 6. new internal reporting procedures requiring workers to report all violations of these new privacy policies and procedures; and 7. submitting compliance reports to HHS for a period of three years. ement.html
12 HIPAA Penalties Under HITECH The Health Information Technology for Economic and Clinical Health (HITECH) Act revised HIPAA's enforcement regulations. New Penalty Tiers: Unknowing ($100 per violation/$25K max); Reasonable Cause ($1K per violation/$100K max); Willful neglect ($10K per violation/$250K max); Uncorrected willful neglect ($50K per violation/$1.5M max). Civil and criminal liability for HIPAA violations extended to business associates. Mandatory investigations and civil penalties for violations due to willful neglect. Increased emphasis and significant funding on enforcement.
13 Rite Aid-2010
14 Rite Aid-2010 Under the HHS resolution agreement, Rite Aid agreed to pay a $1 million resolution amount to HHS and must implement a strong corrective action program that includes: Revising and distributing its policies and procedures regarding disposal of protected health information and sanctioning workers who do not follow them; Training workforce members on these new requirements; Conducting internal monitoring; and Engaging a qualified, independent third-party assessor to conduct compliance reviews and render reports to HHS. dresagr.html
15 2011
16 Enforcement To boost enforcement of the HIPAA security rule, OCR has added investigators in 10 regional offices. HHS is seeking $5.6 million increase in funding for Fiscal 2012 enforcement. In FY 2010, the office received approximately 9,400 complaints associated with HIPAA privacy and security rules.
17 Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011 "Today the message is loud and clear: HHS is serious about enforcing individual rights guaranteed by the HIPAA Privacy Rule and ensuring provider cooperation with our enforcement efforts." -OCR Director Georgina Verdugo etresolutionagreement.html
18 Cignet Health of Prince George's County
19 Cignet Health of Prince George's County, MD-Landmark HIPAA Civil Monetary Penalty, February 4, 2011 The first-ever civil money penalty of $4.3 million. Cignet violated 41 patients' rights by denying them access to their medical records when requested between September 2008 and October The HIPAA Privacy Rule requires that a covered entity provide a patient with a copy of their medical records within 30 (and no later than 60) days of the patient's request. The CMP for these violations is $1.3 million. Cignet failed to cooperate with OCR's investigations of the complaints and produce the records in response to OCR's subpoena. Covered entities are required under law to cooperate with the Department's investigations. The CMP for these violations is $3 million.
20 Cignet Health-Landmark HIPAA Civil Monetary Penalty, February 4, 2011 "Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA's requirements.... The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules." -OCR Director Georgina Verdugo etresolutionagreement.html
21 Mass General- The Million Dollar Subway Ride, February 14, 2011 $1M
22 Seriously?
23 Mass General- The Million Dollar Subway Ride, February 14, 2011 An employee of General Hospital Corporation and Massachusetts General Physicians Organization Inc. ("Mass General") left documents on a subway that included a patient schedule containing protected health information ("PHI") of 192 patients, and billing forms with PHI for 66 of those patients. This included PHI of patients with HIV/AIDS. The records were bound only by a rubber band!
24 Mass General- The Million Dollar Subway Ride, February 14, 2011 Mass General paid the US Government a $1,000,000 settlement and entered into a Corrective Action Plan ("CAP"): Develop and implement a comprehensive set of policies and procedures that ensure PHI is protected when removed from Mass General's premises; Train workforce members on these policies and procedures; and Designate the Director of Internal Audit Services to serve as an internal monitor who will conduct assessments of compliance with the CAP and render semi-annual reports to HHS for a 3-year period.
25 Mass General- The Million Dollar Subway Ride, February 14, 2011 "To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules.... A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents." -OCR Director Georgina Verdugo
26 Consequences MORE, MORE, MORE: Education; Policies; Monitoring; Documentation; Scrutiny
27 Lessons Learned Expect HHS to continue its HIPAA enforcement efforts. Cooperate with HHS investigations to limit penalties. Covered Entities must have a robust Compliance Plan: Updated policies and procedures; Workforce training; Internal audits; Mitigation plan upon discovery of a potential HIPAA violation.
28 Contact Information Nathan A. Kottkamp © 2011 McGuireWoods LLP
29 HIPAA Privacy and Security: Surviving Heightened Enforcement Gina M. Kastel
30 Agenda: Background; Recent developments; Best practices
31 Background Historic (non)enforcement: complaint driven and non-aggressive. No civil penalties imposed from 2003 to 2011 by Office of Civil Rights. Minimal criminal prosecution. Penalties increased under HITECH. Easy to be complacent?
32 Recent Developments Cignet, Massachusetts General, CVS, Rite Aid. Recent criminal prosecutions: Arkansas physician and hospital staff plead guilty to a criminal misdemeanor violation for accessing a patient's record without any legitimate purpose. Each sentenced to a year's probation, physician fined $5,000 and had to perform community service. Hospital clerk sentenced to a year in prison for sharing patient information on myspace.com. Medical records administrator received two years in prison for stealing patient information in credit card scam. Enforcement generally on the rise.
33 The View from Office of Civil Rights "We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity's responsibility to protect its patients' health information. To avoid enforcement penalties, covered entities must ensure they are always in compliance with the HIPAA Privacy and Security Rules," said Verdugo. "A robust compliance program includes employee training, vigilant implementation of policies and procedures, regular internal audits, and a prompt action plan to respond to incidents." - Georgina Verdugo, OCR Director
34 Best Practices
35 Learn from the Mistakes of Others Massachusetts General Resolution Agreement. Cignet Notice of Final Determination. OCR enforcement examples and resolution available at OCR security breach list
36 Reassess Organization's Current Compliance Review and update policies and procedures: Complete? Accessible? Ensure HITECH requirements are included. Look at recent enforcement decisions for guidance: Removal of PHI from facility; Encryption of mobile devices. Be sure staff follows them; do not get hung by zombie policies.
37 Train, Train, Train Consider mix of training methods. Train regularly. Focus on high risk issues. Have staff take tests and certify to completion of training. Keep training materials.
38 Respond Quickly Ensure prompt incident response processes are in place. Investigate thoroughly. Implement appropriate corrective action. Take appropriate disciplinary action. COOPERATE WITH THE GOVERNMENT!
39 Set the Tone at the Top Get buy in on health care compliance from executive team. Ensure managers and supervisors stress importance of compliance.
40 Conduct Ongoing Compliance Assessments Develop a program of self-monitoring and auditing. Focus on high risk areas: Mobile devices; High profile patients and members; Improper disclosures; Disposal of records. Follow up when problems are found.
41 Monitor New Developments Someone in organization should be responsible for tracking new developments. Share information when the law or enforcement activity changes. Have mechanism in place to respond to new developments.
42 HIPAA Privacy and Security: Surviving Heightened Enforcement Strategies to Prepare For or Respond To a Breach May 5, 2011 Rebecca C. Fayed rebecca.fayed@snrdenton.com
43 10-Step Breach Response Plan Overview 1. Prepare for the possibility of a breach. 2. Investigate the incident. 3. Mitigate the harm and take corrective action. 4. Assess and document whether the incident is a breach under the HITECH Act / HHS Breach Notification Rule. 5. Analyze whether incident is a breach under applicable state law. 6. Notify individuals (or the covered entity). 7. Notify the media. 8. Notify HHS and, if applicable, state agencies. 9. Reassess privacy and security compliance policies and procedures. 10. Prepare for possibility of HHS-OCR or state AG investigation.
44 Step 1: Prepare for the Possibility of a Breach Develop and implement an incident response and breach notification procedure. Establish an incident response team. Consider encrypting protected health information. When negotiating business associate agreements, consider including an indemnification clause and a breach notification provision addressing who is responsible for what. Consider purchasing data security breach insurance.
45 Step 2: Investigate the Incident Do you have a breach notification procedure in place? Do you have an incident response team? If yes, follow the procedure and initiate actions of incident response team. If no, identify individuals in the best positions to help investigate and respond to the incident. Identify the following: Facts surrounding the incident (e.g., stolen or lost laptop, backup tape, portable storage device; or fax sent to wrong recipient; paper records thrown in the trash). Data elements (e.g., names, address, phone numbers, PHI, Social Security Numbers, credit card numbers). Number of people affected. States in which affected people live and total in each state. Whether the information was encrypted.
46 Step 3: Mitigate Harm & Take Corrective Action Mitigate: A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of PHI in violation of its policies and procedures or the Privacy Rule by the covered entity or its business associate. 45 C.F.R (f). E.g., file a police report, contact recipient and ask for information to be returned or destroyed. Corrective action: May need to terminate agreement with BA, revise procedures, sanction employees. If determined to be a breach, decide whether credit monitoring services will be offered.
47 Step 4: Assess and Document Whether Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule Breach: Acquisition, access, use, or disclosure of PHI (either electronic or hard copy) not permitted by the Privacy Rule which compromises the security or privacy of PHI (i.e., it poses a significant risk of financial, reputational, or other harm to the individual). 3 Steps to Determine if Incident is a Breach: Impermissible use or disclosure of PHI under Privacy Rule? Compromises the privacy or security of PHI by creating significant risk of harm? Is the incident excluded from the definition of a breach? An unintentional use of PHI by a workforce member acting in good faith and within the scope of his or her authority, and the PHI is not further used or disclosed improperly; An inadvertent disclosure of PHI by an authorized person to another authorized person, and the PHI is not further used or disclosed improperly; or A disclosure of PHI to an unauthorized person where there is a good faith belief that the unauthorized person would not reasonably have been able to retain the PHI.
48 Step 4: Assess and Document Whether Incident is a Breach Under the HITECH Act / HHS Breach Notification Rule HITECH Act breach notification requirement applies only to the breach of unsecured PHI. The breach of secure PHI is not subject to the breach notification requirement. If PHI is rendered unusable, unreadable, or indecipherable to unauthorized individuals, it is secure. Technologies and Methodologies that will render PHI secure: 1. Encryption. 2. Destruction.
49 Step 5: Analyze Whether Incident is a Breach Under State Law Vast majority of states have data breach notification laws. Need to analyze state law's definition of personal information. Small number of states include health or medical information within the definition. Need to analyze any exceptions to breach notification obligations (e.g., encryption, harm-based standards). If state breach notification law is triggered, notification obligations may exist in addition to those required by the HITECH Act.
50 Step 6: Notify Individuals or the Covered Entity HITECH Act and HHS Breach Notification Rule: Notice must be provided to the individual without unreasonable delay and no later than 60 days after breach is discovered. Notification should be made sooner than 60 days if possible. Many state laws require notification sooner. Via first-class mail unless the individual has specified a preference for email. Notice must include the following: Description of facts about breach. Type of PHI involved. Steps individuals should take to protect themselves. What the covered entity is doing to investigate the situation and prevent future breaches. Contact information for individuals to ask questions. Substitute notice may be required if not able to contact people. HIPAA business associates must notify the covered entity of the breach. Contract may specify who will notify the individual and/or who will pay for such notification.
51 Step 7: Notify Media If PHI of more than 500 individuals in one state is breached, the entity must notify prominent media outlets in the state.
52 Step 8: Notify HHS and/or State Agencies Covered entities must notify HHS of the breach: If more than 500 affected individuals, must notify HHS contemporaneously with notification to the individual via online notification. If less than 500 affected individuals, must notify HHS via an annual log of events no later than 60 days following the end of the calendar year. Check state laws to determine whether any state agencies must be notified (e.g., police department, consumer protection agencies, Attorney General's office).
53 Step 9: Reassess Privacy & Security Policies and Procedures Compliance policies and procedures should be evaluated and revised if they do not work for an organization or do not prevent against privacy and security violations. For example: If incident involved lost or stolen backup data tape, consider changing procedure for transport and/or storage. If incident involved faxing information to a wrong number, consider changing procedure to require contacting the intended recipient before the fax is sent to confirm number and after the fax is sent to confirm receipt. If incident was the result of employee error, consider retraining employees. If incident was the result of a business associate's error, consider terminating the agreement or imposing more stringent safeguards under the agreement.
54 Step 10: Prepare for a Possible Investigation by OCR or AG HHS-OCR recently stated that they have initiated an investigation into every breach reported to their office via the online notification system that involved more than 500 individuals. OCR is in the midst of training state AGs on HIPAA enforcement. Investigations have been initiated via letter and by phone. As evidenced by recent actions, OCR expects cooperation. Generally, OCR has been asking for: Facts surrounding the breach. Copies of notification letters, media notices, business associate agreements. Actions taken to locate missing data, prevent further loss of data, and protect affected individuals (e.g., credit monitoring services). Security Rule risk assessments. Description of safeguards in place to protect the information, specifically requesting information related to whether data was encrypted. Compliance efforts related to policies and procedure revisions, training, and sanctions imposed.
55 CONTACT INFORMATION Rebecca C. Fayed SNR Denton US LLP
56 DISCLAIMER These materials should not be considered as, or as a substitute for, legal advice and they are not intended to nor do they create an attorney-client relationship. Because the materials included here are general, they may not apply to your individual legal or factual circumstances. You should not take (or refrain from taking) any action based on the information you obtain from these materials without first obtaining professional counsel. The views expressed do not necessarily reflect those of the firm, its lawyers, or clients.
More informationQDRO Drafting Boot Camp: Preparing QDROs for 401(k)s and Similar Defined Contribution Plans
Presenting a live 90-minute webinar with interactive Q&A QDRO Drafting Boot Camp: Preparing QDROs for 401(k)s and Similar Defined Contribution Plans Strategies for Family Law Practitioners to Help Ensure
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationPresenting a live 90-minute webinar with interactive Q&A. Today s faculty features:
Presenting a live 90-minute webinar with interactive Q&A Transactional Risk Insurance in M&A: Reps and Warranties, Contingent Liability and More Leveraging Insurance to Allocate Risk and Protect Deal Value;
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationCommercial Lease Negotiations: Property and Liability Insurance, Proof of Coverage, AI and Loss Payee Issues
Presenting a live 90-minute webinar with interactive Q&A Commercial Lease Negotiations: Property and Liability Insurance, Proof of Coverage, AI and Loss Payee Issues Structuring Lease Provisions to Require
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationERISA Pre-Approved and Customized Benefit Plans: Overhauled IRS Procedures and Determination Letter Process
Presenting a live 90-minute webinar with interactive Q&A ERISA Pre-Approved and Customized Benefit Plans: Overhauled IRS Procedures and Determination Letter Process TUESDAY, NOVEMBER 14, 2017 1pm Eastern
More informationBank Affiliate Transactions Under Scrutiny Complying With Regulation W's Complex Restrictions on Business Dealings with Affiliate Institutions
Presenting a live 90-minute webinar with interactive Q&A Bank Affiliate Transactions Under Scrutiny Complying With Regulation W's Complex Restrictions on Business Dealings with Affiliate Institutions TUESDAY,
More informationFCPA Due Diligence in M&A: Leveraging the New DOJ Opinion Procedure Release
Presenting a live 90-minute webinar with interactive Q&A FCPA Due Diligence in M&A: Leveraging the New DOJ Opinion Procedure Release Mitigating Pre-Closing Risks and Implementing Post-Closing Protections
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationTrue or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)
Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationHITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013
HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance
More informationNOTIFICATION OF PRIVACY AND SECURITY BREACHES
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationClearing Title for Defects Due to Mortgage-Related Issues, Legal Description Errors, and Foreclosure
Presenting a live 90-minute webinar with interactive Q&A Clearing Title for Defects Due to Mortgage-Related Issues, Legal Description Errors, and Foreclosure Identifying and Resolving Common Title Defects
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More information401(k) Plan Nondiscrimination Testing: Guidance for Employee Benefits Counsel
Presenting a live 90-minute webinar with interactive Q&A 401(k) Plan Nondiscrimination Testing: Guidance for Employee Benefits Counsel Meeting IRS Requirements, Avoiding Corrective Distributions, Evaluating
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationInterest Rate Hedges in Real Estate Finance: Placing Swaps, Caps, and Collars on Floating Rate Loans
Presenting a live 90-minute webinar with interactive Q&A Interest Rate Hedges in Real Estate Finance: Placing Swaps, Caps, and Collars on Floating Rate Loans Understanding Pricing and Trade Confirmations,
More informationRISK TRACK. Privacy and Data Protection
RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: 310-794-6763 MArvin@mednet.ucla.edu Marti Arvin is the Chief Compliance Officer for UCLA
More informationCorporate Governance of Subsidiaries: Board Roles and Responsibilities, Interplay With Parent Board, Liability Risks
Presenting a live 90-minute webinar with interactive Q&A Corporate Governance of Subsidiaries: Board Roles and Responsibilities, Interplay With Parent Board, Liability Risks THURSDAY, AUGUST 16, 2018 1pm
More informationHIPAA Data Breach ITPC
HIPAA Data Breach Objectives Overview of Omnibus Rule - Data Breach Suspected Breach - Investigation Audit Risk Assessment Corrective Action Plan Written Notification Elements NYS Rules on Data Breach
More informationHIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES
SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:
More informationVA Benefits and Medicaid Eligibility
Presenting a live 90-minute webinar with interactive Q&A VA Benefits and Medicaid Eligibility Meeting Complex Requirements for Benefits Qualification and Application THURSDAY, FEBRUARY 16, 2012 1pm Eastern
More informationPresented by Marti Arvin Chief Compliance Officer UCLA Health Sciences
Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences 1 Brief discussion of where we have been and where we are going Discussion of Federal Enforcement Actions Privacy and Security issue
More informationCreatively Completing The Capital Stack: Real Estate GP Private Equity Funds
Presenting a live 90-minute webinar with interactive Q&A Creatively Completing The Capital Stack: Real Estate GP Private Equity Funds Structuring Key Deal Terms Regarding Distribution, Sharing of Promote
More informationHIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment
More informationPresenting a live 90-minute webinar with interactive Q&A. Today s faculty features: Scott D. Brooks, Partner, Cox Castle & Nicholson, San Francisco
Presenting a live 90-minute webinar with interactive Q&A Allocating Risk in Real Estate Leases: Contractual Indemnities, Additional Insured Endorsements, Subrogation Waivers Coordinating Lease Provisions
More information30(b)(6) Depositions in Insurance Coverage and Bad Faith Litigation Preparing and Responding to Notices of Corporate Representative Depositions
Presenting a live 90-minute webinar with interactive Q&A 30(b)(6) Depositions in Insurance Coverage and Bad Faith Litigation Preparing and Responding to Notices of Corporate Representative Depositions
More informationHIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)
HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services
More informationM&A Indemnification Deal Terms: 2017 Survey Results
Presenting a 60-minute encore presentation featuring live Q&A M&A Indemnification Deal Terms: 2017 Survey Results What's Market for Negotiating and Drafting Private Target Company Indemnification Terms
More informationALERT. November 20, 2009
ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made
More informationPresenting a live 90-minute webinar with interactive Q&A. Today s faculty features:
Presenting a live 90-minute webinar with interactive Q&A Keys To Equity Financing: The Compliance Requirements for Lenders and Borrowers Structuring Loans Secured by Stock, Hedge Fund Shares, 40 Act Companies
More informationIP Agreements: Structuring Indemnification and Limitation of Liability Provisions to Allocate Infringement Risk
Presenting a live 90-minute webinar with interactive Q&A IP Agreements: Structuring Indemnification and Limitation of Liability Provisions to Allocate Infringement Risk TUESDAY, SEPTEMBER 1, 2015 1pm Eastern
More informationSurvivor Benefit Plans and Military Divorce: Defending Against or Claiming Former-Spouse SBP Coverage
Presenting a live 90-minute webinar with interactive Q&A Survivor Benefit Plans and Military Divorce: Defending Against or Claiming Former-Spouse SBP Coverage WEDNESDAY, JUNE 28, 2017 1pm Eastern 12pm
More informationUsing Inverted Leases to Finance Renewable Energy Projects
Presenting a live 90-minute webinar with interactive Q&A Using Inverted Leases to Finance Renewable Energy Projects Evaluating Tax Risks, Navigating Structural Variations, Leveraging Pass-Through Election
More informationERISA Retirement Plan Investment Management Agreements: Guidance for Plan Sponsors to Minimize Risks
Presenting a live 90-minute webinar with interactive Q&A ERISA Retirement Plan Investment Management Agreements: Guidance for Plan Sponsors to Minimize Risks Selecting 3(38) Investment Managers, Negotiating
More informationERISA Compliance and Monitoring 401(k) Investments: Safe Harbor Rules and Appointing Advisers
Presenting a live 90-minute webinar with interactive Q&A ERISA Compliance and Monitoring 401(k) Investments: Safe Harbor Rules and Appointing Advisers TUESDAY, APRIL 3, 2018 1pm Eastern 12pm Central 11am
More informationPreparing for a HIPAA Audit & Hot Topics in Health Care Reform
Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationAllocating Risk in Real Estate Leases: Contractual Indemnities, Additional Insured Endorsements and Waivers of Subrogation
Presenting a live 90-minute webinar with interactive Q&A Allocating Risk in Real Estate Leases: Contractual Indemnities, Additional Insured Endorsements and Waivers of Subrogation Structuring Lease Provisions
More information2016 Business Associate Workforce Member HIPAA Training Handbook
2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationInsurance Requirement Provisions in Technology Contracts: Mitigating Risk, Maximizing Coverage
Presenting a live 90-minute webinar with interactive Q&A Insurance Requirement Provisions in Technology Contracts: Mitigating Risk, Maximizing Coverage THURSDAY, OCTOBER 5, 2017 1pm Eastern 12pm Central
More informationTax Strategies for Real Estate LLC and LP Agreements: Capital Commitments, Tax Allocations, Distributions, and More
Presenting a live 90-minute webinar with interactive Q&A Tax Strategies for Real Estate LLC and LP Agreements: Capital Commitments, Tax Allocations, Distributions, and More Structuring Provisions to Achieve
More informationAuto Injury Claim Recovery: Maximizing Pain and Suffering, Loss of Future Earning Capacity Damages
Presenting a live 90-minute webinar with interactive Q&A Auto Injury Claim Recovery: Maximizing Pain and Suffering, Loss of Future Earning Capacity Damages Leveraging Calculation Methodologies, Medical
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection
More informationUCC Article 9 Blanket Asset Lien Exclusions and Purchase Money Security Interests
Presenting a live 90-minute webinar with interactive Q&A UCC Article 9 Blanket Asset Lien Exclusions and Purchase Money Security Interests Navigating Statutory, Contractual and Other Exclusions to All
More informationIACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP
IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA
More informationThe American Recovery Reinvestment Act. and Health Care Reform Puzzle
The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012 Comparison of Breach Notification Provisions in the HITECH Act 1 and the Alaska
More informationand Waivers After Default Crafting Forbearance Agreements That Minimize Lender Liability and Bankruptcy Risks
Presenting a live 60 minute webinar with interactive Q&A Loan Forbearance Options and Waivers After Default Crafting Forbearance Agreements That Minimize Lender Liability and Bankruptcy Risks THURSDAY,
More informationHIPAA, HITECH & Meaningful Use
HIPAA, HITECH & Meaningful Use October 21, 2011 presented by Helen Oscislawski, Esq. Overview - What Has Changed? HITECH Act: Increased Penalties for non-compliance, effective 11/30/2009 New federal requirements
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More informationFraudulent Conveyance Exposure for Intercorporate Guaranties, Integrated Transactions and Designated-Use Loans
Presenting a live 90-minute webinar with interactive Q&A Fraudulent Conveyance Exposure for Intercorporate Guaranties, Integrated Transactions and Designated-Use Loans Navigating the Contours of Section
More informationInvestment Adviser Advertising Rule: New SEC Guidance and Best Practices for Compliance
Presenting a live 90-minute webinar with interactive Q&A Investment Adviser Advertising Rule: New SEC Guidance and Best Practices for Compliance TUESDAY, NOVEMBER 21, 2017 1pm Eastern 12pm Central 11am
More informationM&A Buyer Protection Beyond Indemnification and Escrows
Presenting a live 90-minute webinar with interactive Q&A M&A Buyer Protection Beyond Indemnification and Escrows Structuring Deal-Specific and Often Overlooked Acquisition Provisions to Minimize Buyer's
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationWrap Insurance for Construction Projects Understanding Scope of Coverage and Resolving Coverage and Indemnification Disputes
Presenting a live 90 minute webinar with interactive Q&A Wrap Insurance for Construction Projects Understanding Scope of Coverage and Resolving Coverage and Indemnification Disputes WEDNESDAY, DECEMBER
More informationPresenting a live 90-minute webinar with interactive Q&A. Today s faculty features: Matthew B. Grunert, Partner, Andrews Kurth Kenyon, Houston
Presenting a live 90-minute webinar with interactive Q&A SEC s Pay Ratio Disclosure Rule for CEO and Median Employee Compensation Data Gathering, Calculation Methodologies, Preparing for Heightened Stakeholder
More information