GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do

Size: px
Start display at page:

Download "GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do"

Transcription

1 GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned by Thompson Publishing. Republished by permission. i

2 Guide to the HIPAA Omnibus Rule: What You Need to Know and Do By D'Arcy Guerin Gue, with Steven J. Fox* Almost 12 years to the month since the Department of Health and Human Services issued the first HIPAA privacy and security rules, a much-expanded "omnibus" rule was released on Jan. 17, HHS coined the term "omnibus" to indicate that the new rule includes four component rules: Final provisions that expand the HIPAA privacy, security and enforcement rules, as mandated in the Health Information Technology for Economic and Clinical Health Act (HITECH) of HITECH was a major element of the American Recovery and Reinvestment Act of 2009 (ARRA), commonly known as the economic stimulus package. The final rule on Breach Notification for Unsecured Protected Health Information, which changes significant elements of a 2009 interim rule. The final HIPAA enforcement rule, which expands HHS' enforcement powers, again, as mandated by the HITECH Act. The final rule modifying the HIPAA privacy rule, as mandated by the Genetic Information Nondiscrimination Act (GINA) of The omnibus rule went into effect on March 26, Overview The omnibus rule, published in the Jan. 25 Federal Register, presented extensive revisions in HIPAA privacy and security requirements (78 Fed. Reg. 5566). While many of the changes are technical details, many others are major and far-reaching. The text of the lengthy document is necessarily complex, given its regulatory intentions, but it is possible to identify at least three broad themes embodied in the new rule: HHS gives patients and their rights central priority, within its long-term vision of an integrated health care environment where HITECH's "meaningful use" of electronic health records will be fully realized. Several provisions of the new rule focus on enhancing security of "protected health information" (PHI), increasing patient privacy, and expanding patients' access to, and control of, their personal health records. On the other hand, the obligations of covered entities under HIPAA have expanded. In a dramatic turnabout, business associates are now subject to most of these obligations, including paying penalties. The rule also mandates greater restrictions on uses and disclosures of PHI, business associate agreements, and breach assessment and notification. HHS has assumed greater reach in enforcement powers and overall authority. It has reduced the level of regulated entities' discretion in identifying breaches and has amplified breach notification requirements. HHS' authority now extends to business associates, making them directly liable for HIPAA compliance. HHS' authority also reaches any subcontractors that touch or store PHI. Finally, genetic information has now been added to the PHI data mix. *Ms. Gue and Mr. Fox are the original authors of Thompson's Guide to Medical Privacy & HIPAA. 1 3

3 New Liability of Business Associates and Subcontractors Adds Extensive Obligations The omnibus rule expanded the HIPAA obligations of business associates, making them directly responsible for adhering to most privacy and security provisions. As with covered entities, business associates are now subject to the same penalties for noncompliance. HHS has amended the security rule to require business associates, like covered entities, to conduct a risk analysis, implement a security plan, and appoint a Security Officer. In a giant step, the rule defines "business associates" far more broadly than in the past, and includes any entities that create, receive, maintain or transmit PHI on behalf of a covered entity. "Maintain" is a new criterion, and will likely include a new group of vendors, such as document storage organizations. HHS has created a new business associate chain: subcontractors of business associates are now responsible for PHI protection and are defined as business associates if they create, receive, maintain or transmit PHI. Further, their subcontractors are pulled into the chain if they meet the same criteria. All have the same compliance obligations under HIPAA that business associates have. Just as covered entities are held responsible for breaches or violations of their business associates, so, now, "first level" or primary business associates are held responsible for the compliance of their subcontractors. Every connected contractor and subcontractor is now directly liable to HHS for breaches. It should be noted that vendors that transmit PHI on behalf of covered entities are not considered to be business associates if they are simply "conduits" that do not routinely access PHI. Internet service providers are likely to be such conduits. Fortunately for covered entities, they do not have to enter into a business associate agreement (BAA) with business associates' subcontractors. But, BAAs are still required between covered entities and their business associates, even though the latter now are held directly accountable for HIPAA compliance. These "primary" business associates also must develop BAAs with all their relevant subcontractors, and covered entities must require their business associates to do so. Note that if an entity meets the definition of a business associate, the entity is liable for HIPAA violations, even if it has not entered into a business associate agreement. Patients' Rights Are Expanded, Creating New Responsibilities for Regulated Entities One focus of the omnibus rule was to support patients' participation in the health care environment. The rule increases patients' access to their health records, and provides them greater latitude in restricting disclosures and uses of PHI. Initially, this creates some additional burdens on covered entities and business associates. Patient Requests If an individual asks a covered entity for an electronic copy of his or her PHI, the omnibus rule requires covered entities to provide it - assuming the information is maintained in an electronic record. The individual also may have a copy of the PHI sent electronically to another person he or she designates. The preamble to the omnibus rule suggests that covered entities must invest in electronic information technology so that they can meet this requirement, echoing HITECH's mandate for meaningful use of electronic health records. 2

4 The rule also parallels HITECH in requiring health care providers to meet patient requests to not disclose to a health plan (or a health plan's business associate) any PHI that is related to items or services for which the patient has fully paid out of pocket. Providers don't have to create separate medical records, as long as they prevent the disclosure. Many electronic systems may not have the ability to single out areas of a record and restrict access to specific individuals. Organizations may have to work with their vendors to complete necessary systems and procedural changes to comply with access restriction requests. Marketing and Sale of PHI The original privacy rule required patient authorization to use or disclose PHI for marketing purposes, but made an exception for such uses and disclosures when they were part of "health care operations." The omnibus rule is more restrictive, requiring individual authorizations for any treatment communications if the covered entity (or a business associate) receives financial remuneration for the subject product or service. The rule includes both direct and indirect remuneration (a payment channeled through a third party). HHS makes an exception for refill reminders or communications about current prescriptions, if the third party subsidy is reasonable. The omnibus rule has adopted HITECH's prohibition of the sale of PHI - defined as the exchange of anything of value (remuneration) for PHI. There are limited exceptions, including disclosure for public health purposes, research purposes, and treatment and payment purposes. Our Recommendations: First Steps to Take Toward Compliance If they haven t already done so, we recommend that affected parties undertake these planning initiatives and follow through on implementation: Gap analysis. Covered entities and business associates should complete a thorough gap analysis to determine which policies, procedures, and documentation (such as notices of privacy practices and subsidized marketing agreements) must be updated in accordance with the omnibus rule. From the gap analysis, the organization will be able to determine the scope of necessary changes, and plan accordingly. Implementation plan. Business associates and their subcontractors should initiate plans for implementing a HIPAA compliance program, if they have not done so. This work should begin with a vetting process by business associates, probably with the assistance of the related covered entity, to determine which contractors and subcontractors are applicable. Then, a plan should be created for performing or redoing related risk analyses, creating a timeline for developing and executing security plans, and setting a timeline for development and implementation of new business associate agreements. Business associate agreements. Covered entities should develop a plan to revise all existing BAAs. Forms. Covered entities should plan to create or revise all forms that apply to provisions in the rule. These include, but are not limited to: requests for PHI access; requests to limit PHI release; and authorization forms addressing marketing, research, sale of PHI, and fundraising communications. Workforce training. All regulated entities should consider timing and execution of applicable workforce training programs. 3 1

5 Fundraising In the past, use of clinical information in fundraising communications by not-for-profit organizations was prohibited; covered entities were limited to using demographic and certain insurance data. Acknowledging that use of more substantive data could enhance the value of fundraising efforts, HHS expanded the information that organizations may use to include certain PHI. This information is limited to disclosures of the department that served the patient, his or her physician's identity, and general information about treatment outcomes. The fundraising value of these new permissions is significant: individuals can be targeted because of their experience in specific clinical situations or departments, and fundraising appeals can be sent in the name of a former patient's physician. The rule emphasizes that covered entities must provide patients with a "clear and conspicuous" notice of their right to opt out of future fundraising communications, and offer a reasonably convenient way to do so. Fundraising entities are required to honor individuals' opt out requests, though they may provide a method to opt back in to the communications. Research In the past, HIPAA required separate individual authorizations to use PHI for research projects, depending on whether the authorization was "conditioned" or "unconditioned." In response to researchers' concerns about prohibitive paperwork, the omnibus rule now permits them to combine conditioned and unconditioned authorizations into one form. The document must clearly offer individuals the option to opt in to the unconditioned authorization, and researchers must abide by their decisions. PHI of Decedents The omnibus rule focuses on the PHI of deceased individuals in two areas, in order to address practical concerns of both covered entities and relatives of decedents. The original privacy rule allowed covered entities to disclose information about a decedent only to a personal representative. The omnibus rule expanded such disclosures to family members and others who were involved in the care or payment for care of the decedent before death, and who likely had access to the individual's PHI during that time. However, if the covered entity knows of any conflicting, expressed wishes of the decedent, such disclosures are not allowed. Previously, covered entities were required to protect deceased individuals' PHI indefinitely. HHS has acknowledged that locating a personal representative to authorize use or disclosure of a decedent's PHI can become impractical over time. The new rule limits the period PHI must be protected to 50 years after the individual's death, suggesting that this is sufficient to protect the privacy interests of most living relatives. Immunization Records In support of public health concerns, the omnibus rule makes it easier for schools to receive proof of students' immunizations. Covered entities now may disclose immunization records of students or prospective students to schools, if required by law. However, they must obtain and document the parent or guardian's agreement, which may be received either orally or in writing. Genetic Information HHS expanded HIPAA's reach relative to protected data to now include genetic information within the definition of PHI. This change reflects requirements under the Genetic Information 4

6 Nondiscrimination Act of 2008 (GINA). As in GINA, the omnibus rule provides that health plans may not use or disclose genetic information for underwriting purposes. In addition, health plans' notices of privacy practices must now specifically reference this prohibition. New Breach Provisions Likely to Increase Breach Notifications In a move seemingly designed to increase the number of breach notifications, HHS eliminated the risk of harm standard in the final omnibus rule, modified the definition of "breach" and altered the risk assessment analysis that entities must perform for each potential breach. Previously, an entity had to determine whether a breach posed a significant risk of financial, reputational or other harm to an individual. Admittedly, this permitted subjective analysis by the covered entity; however, HHS does not provide any evidence in support of its claim that "some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set." To lower that threshold, HHS changed the definition of "breach" so that any impermissible use or disclosure of PHI is now presumed to be a breach, unless the covered entity or business associate demonstrates low probability that the PHI has been compromised. HHS acknowledges that there remain several situations in which the unauthorized acquisition, access, use or disclosure of PHI is so inconsequential that it does not amount to a breach or warrant notification. The comments even give an example of a misdirected fax containing PHI, where the recipient physician immediately calls to say he has destroyed it, and notes that even though this situation does not fit into any of the statutory or regulatory exceptions, the covered entity "may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised." The new risk assessment, instead of looking at the risk of harm to the individual, focuses on the probability that PHI has been compromised based on a consideration of at least the following four factors (plus additional unspecified factors as deemed appropriate by the covered entity): the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; the unauthorized person who used the PHI or to whom the disclosure was made; whether the PHI was actually acquired or viewed; and the extent to which the risk to the PHI has been mitigated. HHS believes that this type of assessment will result in a more objective evaluation of the risk to the PHI and a more uniform application of the rule. One final note: HHS also removed the exception for limited data sets that do not contain any dates of birth and ZIP codes. So if there is an impermissible use or disclosure of such a limited data set, even one without birth dates and ZIP codes, a risk assessment that evaluates the factors discussed above must still be performed to determine if breach notification is required. Finally, HHS notes that covered entities and business associates are encouraged to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other PHI, pursuant to the 2009 Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If PHI is thus encrypted, then no breach notification is required following an impermissible use or disclosure of PHI. Clearly, that is the safest route to take. 5 3

7 Notice of Privacy Practices As a result of various changes in the rule, covered entities must update and redistribute their notices of privacy practices (NPP). Notices should reflect the rule's provisions concerning: certain individual rights regarding uses and disclosures that require authorization, such as marketing, sale of PHI, fundraising and research; for providers only, the individual's right to restrict disclosures to health plans, when he or she has paid out of pocket for an item or service; an affected individual's right to be notified of a breach of PHI; other uses and disclosures not described in the NPP that require authorization; and for health plans only, the prohibition against considering genetic information in underwriting. New Breach Notification Process Is More Objective and Very Stringent Until now, the guiding HIPAA standard for determining if an improper use or disclosure of PHI qualified as a breach was whether there was significant risk of harm to an individual. Covered entities, after appropriate assessment, were allowed to make this determination. HHS has since rejected this level of discretion and eliminated it in the new rule. The rule now requires an assessment of whether the security incident compromises the privacy and security of PHI; the harm standard is no longer a factor (see detailed discussion, p. 5). HHS' HIPAA Enforcement Powers Hit Harder and Go Farther Many of HHS' enforcement powers as defined in the omnibus rule were already assembled under the HITECH Act and the interim enforcement rule of Broadly speaking, HHS expanded its ability to enforce HIPAA to a longer chain of regulated entities, defined stricter enforcement criteria, and increased penalties for violations. Business associates have come under the penalty umbrella, and like covered entities, are directly subject to financial penalties. If a subcontractor of a business associate meets HHS' definition of an agent and commits a violation, the business associate may be liable for penalties, depending on the latter's authority to manage the relationship. HHS makes it clear that it will investigate any complaint when a preliminary review, or an independent HHS inquiry, indicates a possible violation due to willful neglect. However, if there are not indications of willful neglect, HHS will rely on informal, voluntary actions to seek compliance. In determining the amount of civil money penalties, HHS now considers the following factors: the nature and extent of the violation, the nature and extent of harm, the entity's history of prior compliance, and the financial condition of the entity. The rule formally adopts the HIPAA civil money penalty structure as increased by the HITECH Act, and sets the same categories for levels of violations. 6

8 Violation Category Each Violation All Identical Violations Per Calendar Year For violations occurring before 2/18/2009 For violations occurring on or after 2/18/2009 For violations occurring before 2/18/2009 For violations occurring on or after 2/18/2009 Did Not Know Up to $100 $100 - $50,000 Reasonable Cause Up to $100 $ $50,000 Willful Neglect - Corrected Up to $100 $10,000 - $50,000 $25,000 $1,500,000 Willful Neglect - Not Corrected Up to $100 $50,000 Authors D'Arcy Guerin Gue is vice president of industry relations for Phoenix Health Systems, a division of Medsphere Systems Corporation and a leading provider of health care information technology outsourcing, consulting and project management. She has written on many health care IT issues over her 25 year career, with a special emphasis on HIPAA information privacy and security, Meaningful Use, ICD-10 and other industry initiatives. Steven J. Fox, Esq., is a principal with Post & Schell, PC, a national law firm serving clients throughout the United States, where he is chair of the Information Technology Group and co-chair of the Data Protection Group. An acknowledged authority on health IT, Mr. Fox assists clients with legal issues and strategic counseling involving technology, licensing of health care information systems, data privacy matters and health care regulatory compliance. Copyright 2013 by Thompson Information Services. All rights reserved. Photocopying without the publisher's consent is strictly prohibited. Consent needs to be granted to reproduce individual items for personal or internal use by the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule

Omnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

Highlights of the Omnibus HIPAA/HITECH Final Rule

Highlights of the Omnibus HIPAA/HITECH Final Rule Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

To: Our Clients and Friends January 25, 2013

To: Our Clients and Friends January 25, 2013 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health

More information

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!

More information

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by

HIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement

More information

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel

HIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability

More information

Management Alert Final HIPAA Regulations Issued

Management Alert Final HIPAA Regulations Issued Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,

More information

MEMORANDUM. Kirk J. Nahra, or

MEMORANDUM. Kirk J. Nahra, or MEMORANDUM TO: FROM: Interested Parties Kirk J. Nahra, 202.719.7335 or knahra@wileyrein.com DATE: January 28, 2013 RE: The HIPAA/HITECH Omnibus Regulation After almost four years, the Department of Health

More information

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )

More information

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school

HIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes

More information

Legal and Privacy Implications of the HIPAA Final Omnibus Rule

Legal and Privacy Implications of the HIPAA Final Omnibus Rule Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,

More information

Getting a Grip on HIPAA

Getting a Grip on HIPAA Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE This newsletter summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013

8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013 HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable

More information

HIPAA Omnibus Final Rule and Research

HIPAA Omnibus Final Rule and Research Office of the Secretary Office for Civil Rights () HIPAA Omnibus Final Rule and Research Federal Demonstration Partnership September 17, 2013 Christina Heide, JD Senior Health Information Privacy Policy

More information

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

Health Law Diagnosis

Health Law Diagnosis February Page 1 of 2013 11 Health Law Diagnosis HHS Releases Final HITECH Omnibus Rule After waiting over two years from the publication of the Notice of Proposed Rulemaking to implement provisions of

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.

More information

Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013

Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients

More information

Compliance. TODAY May Meet Scott Killingsworth. Partner in the Atlanta offices of Bryan Cave LLP. See page 16

Compliance. TODAY May Meet Scott Killingsworth. Partner in the Atlanta offices of Bryan Cave LLP. See page 16 Compliance TODAY May 2013 a publication of the health care compliance association www.hcca-info.org Meet Scott Killingsworth Partner in the Atlanta offices of Bryan Cave LLP See page 16 25 Medicare Coverage

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013! Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg ICAHN Presentation Final Omnibus Rule and Security Risk Analysis July 26, 2013 David Ginsberg PrivaPlan Associates, Inc. PrivaPlan Associates, Inc. is the leading authority in HIPAA Privacy and Security

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013

The Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013

HITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013 HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance

More information

HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on

More information

New HIPAA-HITECH Proposed Regulations Issued

New HIPAA-HITECH Proposed Regulations Issued July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions

More information

HEALTH LAW ALERT January 21, 2013

HEALTH LAW ALERT January 21, 2013 HEALTH LAW ALERT January 21, 2013 Omnibus Privacy Rule Issued HHS Imposes More Stringent Breach Notification Standard Requires Changes to Privacy Notices, Business Associate Agreements On Thursday, the

More information

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule

HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule Audio Seminar January 28, 2013 Practical Tools for Seminar Learning Copyright 2012 American Health Information Management Association.

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

HIPAA Omnibus Rule Compliance

HIPAA Omnibus Rule Compliance HIPAA Omnibus Rule Compliance Jana Aagaard, JD Senior Counsel, Privacy/HIT Dignity Health Christy Navarro, MS CIPP/US Director, Chief Privacy Officer - Ascendian 1 Overview Background What Should Be Done

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

Colorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc.

Colorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Colorado Medical Society The HIPAA OMNIBUS RULE June 3, 2013 Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Agenda The HIPAA Omnibus Rule - a high level overview Effective dates SpeciLic

More information

Highlights of the Final Omnibus HIPAA Rule

Highlights of the Final Omnibus HIPAA Rule Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

New HIPAA Rules and Implications for the Industry January 29, 2013

New HIPAA Rules and Implications for the Industry January 29, 2013 New HIPAA Rules and Implications for the Industry January 29, 2013 **Audio for this webinar streams through the web. Please make sure the sound on your computer is turned on. If you need technical assistance,

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 168, 02/04/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH

NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

HIPAA Final Omnibus Rule Playbook

HIPAA Final Omnibus Rule Playbook DOWNLOADABLE GUIDE HIPAA Final Omnibus Rule Playbook Your Ticket to Winning the Compliance Game Offensive Plays HIPAA Privacy Rule Defensive Plays HIPAA Security Rule Special Team Plays Breach Notification

More information

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.

The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq. The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the

More information

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017 HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

VOL. 0, NO. 0 JANUARY 23, 2013

VOL. 0, NO. 0 JANUARY 23, 2013 Health IT Law & Industry Report VOL. 0, NO. 0 JANUARY 23, 2013 Reproduced with permission from Health IT Law & Industry Report, 5 HILN 4, 01/23/2013. Copyright 2013 by The Bureau of National Affairs, Inc.

More information

ALERT. November 20, 2009

ALERT. November 20, 2009 ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort

HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort Slide 1 HITECH/HIPAA (privacy) 2013 Omnibus Final Rule Rita Bowen Senior Vice President of HIM and Privacy Officer HealthPort Slide 2 Electronic Copy of PHI Form and Format requested, if readily producible

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

What is HIPAA? (1 of 2)

What is HIPAA? (1 of 2) HIPAA 1 HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into

More information

Omnibus HIPAA Rule: Impact on Covered Entities

Omnibus HIPAA Rule: Impact on Covered Entities Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,

More information

HIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc.

HIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102a What You Don t Know About HIPAA Privacy and Security Can Really Hurt You! Revision 2015 Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) About Myself - Jack Kolk, CEO

More information

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are

More information

NEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM

NEWSLETTER. Volume Nine - Number One January The Final HIPAA HITECH Regulations: Making the Business Case for ERM NEWSLETTER Volume Nine - Number One January 2013 The Final HIPAA HITECH Regulations: Making the Business Case for ERM A Special Expanded Edition of TRG enews When the proposed final rule was sent to the

More information

HIPAA Omnibus Rule. Employer Alert

HIPAA Omnibus Rule. Employer Alert Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 227, 2/11/13, 02/11/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

OMNIBUS RULE ARRIVES

OMNIBUS RULE ARRIVES AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT

HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

AROC 2015 HIPAA PRIVACY AND SECURITY RULES

AROC 2015 HIPAA PRIVACY AND SECURITY RULES AROC 2015 HIPAA PRIVACY AND SECURITY RULES Presented by: Robert A. Paster, Esq. Brach Eichler L.L.C. 101 Eisenhower Parkway Roseland, NJ 07068 973-403-3144 rpaster@bracheichler.com www.bracheichler.com

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

1.) The Privacy Rule (Part 164, Subpart E)

1.) The Privacy Rule (Part 164, Subpart E) 1.) The Privacy Rule (Part 164, Subpart E) 164.500 Applicability 164.501 Definitions (health care operations, marketing, underwriting purposes, payment) 164.502 Uses and disclosures of protected health

More information

IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER]

IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW Publication IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] Author James B. Wieland 2012: Issue

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

Effective Date: 4/3/17

Effective Date: 4/3/17 HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)

More information

Omnibus Rule: HIPAA 2.0 for Law Firms

Omnibus Rule: HIPAA 2.0 for Law Firms Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules

An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated

More information

Welcome to today s Webinar

Welcome to today s Webinar Welcome to today s Webinar Managing Risk Exposure in Meaningful Use Stage 2 June 28 28, 2013 A A project project of of L.A. L.A. Care Care Health Health Plan Plan 1 Ralph Oyaga, Esq., J.D., MBA is the

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS

HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?

HIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate? HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What

More information

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com

More information

The Audits are coming!

The Audits are coming! HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been

More information