True or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)


1 Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15)

Preliminaries
This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics. The statements made as part of the presentation are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the speaker. This presentation is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of law to your activities, you should seek the advice of your legal counsel.

True or False?
- I don't have to worry about HIPAA because I live in Idaho and the government would never go after us.
- The Office for Civil Rights ("OCR") must impose a $10,000 fine per HIPAA violation if I act with willful neglect.
- Under HIPAA, residents may sue our facility for HIPAA violations.
- Long term care facilities are vicariously liable for HIPAA violations by their business associates.
- HIPAA does not apply to resident names so long as we do not disclose medical information.

2 True or False?
- We must have the resident's authorization before disclosing protected health information to family members.
- Under HIPAA, residents have a right to access all information concerning the resident.
- HIPAA prohibits emailing or texting residents, family, or providers unless the email or text is encrypted.
- We must self-report all HIPAA violations to the resident and the government.
- We only have to self-report breaches of unsecured protected health info if the breach would result in significant harm to the resident.

HIPAA: Hot Topics
- Enforcement actions
- Recent settlements
- Private causes of action
- Security rule concerns
- Security rule compliance
- Emails and texts
- Business associate liability
- Breach notification
- Applicable standards
- Applying the standards

Preliminaries
- Written materials: Stanger, HIPAA Update: How and Why You Must Comply
- This is overview.
- Feel free to ask questions or comment.
- But don't share protected health info. That would be awkward.

3 HIPAA: Terminology
- Covered entities:
  - Healthcare providers who engage in e-transactions.
  - Health plans, including group health plans with 50+ participants or administered by third party.
- Protected health info ("PHI"): individually identifiable info concerning a resident's health, healthcare, or payment for care.
- Business associates: create, receive, maintain or transmit PHI on behalf of covered entity.

HIPAA History
- 2003: Privacy Rule, 45 CFR et seq.
  - Requires covered entities and business associates to protect the confidentiality of protected health information ("PHI").
  - Gives residents certain rights concerning their PHI.
- 2005: Security Rule, 45 CFR et seq.
  - Requires covered entities to implement certain safeguards to protect e-PHI.
- 2009: HITECH Act
  - Breach Notification Rule, 45 CFR et seq.
  - Enforcement Rule, 45 CFR et seq.
- 2013: Omnibus Rule.
  - Requires updates to HIPAA policies and forms.

HIPAA Overview

4 Privacy Rule
Covered entities may not access, use or disclose protected health info unless:
- For purposes of treatment, payment or healthcare operations.
- To a family member or other person involved in healthcare or payment so long as:
  - Resident has not objected;
  - Is in resident's best interest; and
  - Limit disclosure to scope of recipient's involvement.
- For certain safety or government functions.
- Have valid authorization.
Do not disclose more than is minimally necessary.
(45 CFR to.514)

Privacy Rule
Resident or their personal representative has the right to:
- Receive notice of privacy practices.
- Request that disclosures of PHI for purposes of treatment, payment or healthcare operations be limited.
- Request communication by alternative means or at alternative locations.
- Access their PHI.
- Request amendment of their PHI.
- Obtain accounting of improper disclosures of PHI.
(45 CFR to.528)

Privacy Rule
Covered entity must:
- Designate privacy and security officer.
- Train staff.
- Implement policies and procedures.
- Implement reasonable safeguards.
- Document and respond to complaints.
- Sanction workforce members who violate HIPAA.
- Mitigate violations.
- Not retaliate.
- Maintain HIPAA documents for 6 years.
(45 CFR )

5 Security Rule
Covered entity and business associates must:
- Perform risk analysis.
- Implement safeguards:
  - Administrative
  - Technical
  - Physical
- Execute business associate agreements.
(45 CFR )
* More about this later

Breach Notification Rule
If there is breach of unsecured ePHI:
- Covered entity must:
  - Notify affected individuals.
  - Notify HHS.
  - Notify media, if breach involves > 500 persons in a state.
- Business associate must notify covered entity.
(45 CFR )

HIPAA Enforcement
HIPAA: Business Associates, Covered Entities

6 Enforcement: Criminal Penalties
Applies if employees or other individuals obtain or disclose protected health info from covered entity without authorization.
- Conduct: Knowingly obtain info in violation of the law. Penalty: $50,000 fine; 1 year in prison.
- Conduct: Committed under false pretenses. Penalty: $100,000 fine; 5 years in prison.
- Conduct: Intent to sell, transfer, or use for commercial gain, personal gain, or malicious harm. Penalty: $250,000 fine; 10 years in prison.

Enforcement: Civil Penalties
- Conduct: Did not know and should not have known of violation. Penalty: $100 to $50,000 per violation; up to $1.5 million per type per year; no penalty if correct w/in 30 days; OCR may waive or reduce penalty.
- Conduct: Violation due to reasonable cause. Penalty: $1000 to $50,000 per violation; up to $1.5 million per type per year; no penalty if correct w/in 30 days; OCR may waive or reduce penalty.
- Conduct: Willful neglect, but correct w/in 30 days. Penalty: $10,000 to $50,000 per violation; up to $1.5 million per type per year; penalty is mandatory.
- Conduct: Willful neglect, but do not correct w/in 30 days. Penalty: at least $50,000 per violation; up to $1.5 million per type per year; penalty is mandatory.

7 Enforcement: 2014
- Anchorage Community Mental Health Services pays $150,000 for failing to maintain patches on software.
- New York hospitals pay $4.8 million for leaving electronic medical records vulnerable to searches.
- Concentra pays $1.7 million for lost unencrypted laptop.
- QCA Health Plan pays $250,000 for lost unencrypted laptop.
- Skagit County, WA pays $215,000 because PHI was available on public database.
- Parkview Community Health: fined $800,000 for leaving 71 boxes of records in physician's driveway.
All involved security rule violations.

Enforcement: Idaho
Idaho is not exempt!
- In 2013, Hospice of North Idaho had to pay $50,000 for theft of unencrypted laptop that contained PHI of 441 patients.
  - Investigation showed failure to comply with security rule.
- In 2013, Idaho State University had to pay $400,000 because firewall failure left PHI of 17,500 patients exposed.
Remember: OCR must impose penalty if you are determined to act with willful neglect.

Enforcement
- HHS purportedly to resume audits in OIG workplan for 2015 includes HIPAA issues.
- State attorney general can bring lawsuit under HIPAA.
  - $25,000 fine per violation + fees and costs.
  - Some of biggest cases brought by AGs.
- In the future, affected individuals may recover percentage of fines or penalties.
  - Enacted as part of HITECH.
  - Still waiting for regulations.
- Must impose sanctions against employees who violate HIPAA.

8 Enforcement
- No private cause of action under HIPAA.
- Affected individuals may sue under common law tort theories.
  - Negligence.
    - Standard of care = HIPAA?
    - Negligence per se.
  - Privacy torts.
    - Unreasonable, highly offensive intrusion into solitude or seclusion.
    - Public disclosure of private facts.
  - Infliction of emotional distress.
  - Vicarious liability of employer.

Enforcement
Lessons learned:
- Beware state laws in addition to HIPAA.
- Not enough to simply implement policies and train staff; you must ensure that data is protected if you really want to be safe.

9 Security Rule Compliance

2014: Year of Cyber Attacks

Security Rule Compliance
- Risk analysis.
- Implement safeguards.
  - Administrative
  - Technical
  - Physical
- Execute business associate agreements.
Intended to ensure:
- Confidentiality
- Integrity
- Availability
of ePHI.

10 Security Rule Compliance

Security Rule Compliance
[Diagram: Administrative Safeguards, Physical Safeguards, and Technical Safeguards each consist of Standards, which have Implementation Specifications that are either Required or Addressable.]

Implementation Specifications
- "Required": implement the specification.
- "Addressable":
  - Assess reasonableness of specification.
  - If spec is reasonable, implement it.
  - If spec is not reasonable,
    - Document why it is not reasonable (e.g., size, cost, risk factors, etc.), and
    - Implement alternative if reasonable.
- Must review and modify as needed.

11 Administrative Safeguards
1. Security management process
2. Assigned security responsibility
3. Workforce security
4. Information access management
5. Security awareness and training
6. Security incident procedures
7. Contingency plan
8. Evaluation
9. Business associate contracts

Physical Safeguards
1. Facility access controls
2. Workstation use
3. Workstation security
4. Device and media controls

Technical Safeguards
1. Access controls
2. Audit controls
3. Integrity of e-PHI
4. Person or entity authorization
5. Transmission security

12 Data Privacy and Security

Risk Analysis
- Security rule requires that covered entities and business associates conduct "an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of [ePHI]" (45 CFR (a)).
- Frequently cited in recent violations.
- Periodically reevaluate analysis.
  - New systems or equipment.
  - Every few (very few?) years.
- Include mobile devices.

Risk Analysis

13 Risk Analysis
Additional materials are available at ecurityrule/securityruleguidance.html
- Final Guidance on Risk Analysis
- OCR Guidance re Risk Analysis
- NIST Publications

14 Mobile Devices

Encryption
- Encryption is an addressable standard per 45 CFR :
  (e)(1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to [ePHI] that is being transmitted over an electronic communications network.
  (2)(ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
- ePHI that is properly encrypted is "secured".
  - Not subject to breach reporting.
- OCR presumes that loss of unencrypted laptop, USB, mobile device is breach.

15 Communicating by Email
- HIPAA Privacy Rule allows resident to request communications by alternative means or at alternative locations.
  - Including unencrypted email.
  (45 CFR (b)).
- Omnibus Rule commentary states that covered entity or business associate may communicate via unsecured email so long as they warn resident of risks and resident elects to communicate via unsecured email to text.
  (78 FR 5634)

16 Business Associates

Business Associates
- Entities that create, receive, maintain, or transmit PHI on behalf of a covered entity to perform:
  - A function or activity regulated by HIPAA (e.g., healthcare operations, payment, covered entity function), or
  - Certain identified services (e.g., billing or claims management, legal, accounting, or consulting services).
- Health information organizations and e-prescribing gateways.
- Data transmission companies if they routinely access PHI.
- Data storage companies (e.g., cloud computing, off-site storage facilities) even if they do not access PHI.
- Resident safety organizations.
- Subcontractors of business associates.
- Covered entities acting as business associates.
(45 CFR ; 78 FR )

Business Associates
Business Associates:
- Management company
- Billing company
- EMR / IT specialist
- Consultant
- Accountant
- Attorney
- Malpractice insurer
- Interpreters
- Data storage entities
- Data transmission services if have routine access to info
- Subcontractors of foregoing
NOT Business Associates:
- Workforce members, i.e., if you have right to control
- Other providers when they are providing treatment
- Members of organized healthcare arrangement
- Insurance companies unless acting for you
- Mere conduits of information, e.g., mailman
- Janitors

17 Business Associates
[Diagram: Covered Entity (Healthcare Provider or Health Plan), PHI, Business Associate, PHI, Subcontractor(s)]

Not Business Associates
- Members of covered entity's workforce.
  - Covered entity has control over the person.
- Entities who do not handle PHI as part of their job duties.
  - Janitor, mailman, etc.
- Entities that receive PHI to perform functions on their own behalf, not on behalf of covered entity.
  - E.g., banks, third party payors, etc.
- Other healthcare providers while providing treatment.
- Data transmission companies that do not routinely access PHI.
  - Entity is mere "conduit" of PHI.
- Members of an organized healthcare arrangement.
  - Group of entities that provide coordinated care.
(45 CFR )

Business Associate Agreements ("BAA")
Business Associate

18 BAA
- Covered entity must have BAA before disclosing PHI to business associate or authorizing business associate to create or receive PHI for covered entity.
  - BAA limits business associate's use of PHI.
- Business associate must have BAA with subcontractor.
  - Must match scope of BAA between covered entity and business associate.
- BAA must contain terms required by HIPAA privacy and security rules.
- Must comply with HIPAA even if no BAA.
(45 CFR and.502(e); 78 FR 5601)

BAA
[Diagram: Covered Entity (Healthcare Provider or Health Plan), BAA, Business Associate, BAA, Subcontractor(s)]
- Covered Entity must ensure there is BAA.
- Business Associate must ensure there is BAA.
- Subcontractor BAA must mirror the BAA with the covered entity.

19 BAA: Pro-Covered Entity Terms
Covered entities may want to add these terms:
- Business associate must report or act within x days.
- Business associate must implement policies.
- Business associate must encrypt or implement other safeguards.
- Business associate must carry data breach insurance.
- Business associate notifies individuals of breaches and/or reimburses covered entity for costs of the notice.
- Business associate defends and indemnifies for losses, claims, etc.
- Business associate is an independent contractor, not agent.
- Business associate assumes liability for subcontractors.
- Allow termination of underlying agreement.
- Must have consent to operate outside the United States.
- Covered entity has right to inspect and audit.
- Cooperate in HIPAA investigations or actions.

BAA: Pro-BA Terms
Business associates probably want to add these terms:
- Covered entity will not disclose PHI unless necessary.
- Covered entity will not request action that violates HIPAA.
- Covered entity will not agree to restrictions on PHI that will adversely affect business associate.
- Covered entity will notify business associate of all such restrictions.
- Covered entity will reimburse for additional costs.
- Blanket reporting for security incidents.
- Specify business associate does not maintain designated record set.
- Reserve the right to terminate based on restrictions or other change that adversely affects business associate.
- Subcontractors are independent contractor, not agent.
- Mutual indemnification.
- Limitation or cap on damages.

Liability for Business Associates

20 Liability for Business Associate
Covered entity or business associate violates HIPAA if:
- Knew of a pattern of activity or practice of the business associate/subcontractor that constituted a material breach or violation of the business associate's/subcontractor's obligation under the contract or other arrangement;
- Failed to take reasonable steps to cure the breach or end the violation, as applicable; or
- Failed to terminate the contract or arrangement, if feasible.
(45 CFR (e)(1))

Liability for Business Associate
- Covered entity or business associate is liable, in accordance with the Federal common law of agency, for the acts or omissions of a business associate/subcontractor acting within the scope of the agency.
  (45 CFR (c))
- Test: right or authority of a covered entity to control the business associate's conduct.
  - Contract terms.
  - Right to give interim directions or control details.
  - Relative size or power of the entities.
- Maintain independent contractor status!
(78 FR )

Responding to a Breach

21 Responding to Breach
- Timely response important because:
  - Required to mitigate breach.
  - May minimize risk that data is compromised and avoid breach notification requirements.
  - May avoid penalties if do not act with willful neglect and correct the situation within 30 days.
- Train employees to report immediately.
- Sanction workforce members for violations.
- Document your actions.

Responding to a Breach
If you think there is a breach:
- Act immediately to stop disclosure and retrieve PHI.
- Confirm scope of breach.
  - Persons who may have received PHI.
  - Type of PHI involved.
  - Additional redisclosures.
- Obtain confirmation from recipient[s] that they have not and will not further use or disclose the info, and warn them of penalties.
  - Document in writing, e.g., letter to recipients.

Responding to a Breach
HHS interprets "corrected" broadly:
"For example, in the event a covered entity's or business associate's noncompliant inadequate safeguards policies result in an impermissible disclosure, the disclosure violation itself could not be fully undone or corrected. The safeguards violation, however, could be corrected in the sense that the noncompliant policies and procedures could be brought into compliance."
(75 FR 40879)

22 Breach Notification

Breach Notification
If there is "breach" of "unsecured PHI":
- Covered entity must notify:
  - Each individual whose unsecured PHI has been or reasonably believed to have been accessed, acquired, used, or disclosed.
  - HHS.
  - Local media, if breach involves > 500 persons in a state.
- Business associate must notify covered entity.
(45 CFR et seq.)

"Secured" PHI
Currently, only two methods to secure PHI:
- Encryption of electronic PHI
  - Transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key.
  - Notice provides processes tested and approved by Nat'l Institute of Standards and Technology (NIST).
- Destruction of PHI.
  - Paper, film, or hard copy media is shredded or destroyed such that PHI cannot be read or reconstructed.
  - Electronic media is cleared, purged or destroyed consistent with NIST standards.
- Guidance updated annually.
(74 FR or

23 "Breach" of Unsecured PHI
- Acquisition, access, use or disclosure of PHI in violation of privacy rules is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the info has been compromised based on a risk assessment of the following factors:
  - nature and extent of PHI involved;
  - unauthorized person who used or received the PHI;
  - whether PHI was actually acquired or viewed; and
  - extent to which the risk to the PHI has been mitigated.
- unless an exception applies.
(45 CFR )

"Breach" of Unsecured PHI
"Breach" excludes the following:
- Unintentional acquisition, access or use by workforce member if made in good faith, within scope of authority, and PHI not further disclosed in violation of HIPAA privacy rule.
- Inadvertent disclosure by authorized person to another authorized person at same covered entity, business associate, or organized health care arrangement, and PHI not further used or disclosed in violation of privacy rule.
- Disclosure of PHI where covered entity or business associate have good faith belief that unauthorized person receiving info would not reasonably be able to retain info.
(45 CFR )

"Breach" of Unsecured PHI
Determine the probability that the data has been "compromised" by assessing:
1. Nature and extent of PHI involved, including types of identifiers and the likelihood of re-identification.
2. Unauthorized person who used PHI or to whom disclosure was made.
3. Whether PHI was actually acquired or viewed.
4. Extent to which the risk to the PHI has been mitigated.
5. Other factors as appropriate under the circumstances.
(45 CFR )

24 Breach Notification: Summary
No breach notification required if:
- No privacy rule violation
  - "Incidental disclosures" are not violations.
- PHI is "secured"
  - Encrypted per HHS standards.
- Exception applies
  - Unintentional internal disclosure and no re-disclosure.
- Low probability that data has been compromised based on:
  - Nature of PHI disclosed.
  - Person who received the PHI.
  - Whether PHI actually viewed.
  - Mitigation.

Hypothetical
Your facility faxed a resident's medical records to the wrong physician's office. A records clerk at the other physician's office called to alert you to same. The clerk confirmed that they would shred the info. The record contains the following info:
- Name
- Diagnosis
- Description of care
- Other similar info

Hypothetical
The family of one of your residents maintains a Facebook page in which she shares information about the resident. One of your CNAs, who is close to the family, posted comments about the resident on the page, including info that confirms the resident is in your facility and her general condition.

25 Hypothetical
Your social services director routinely photographs residents engaging in activities and posts the photos on your website as well as on a bulletin board in the facility. The photos simply show the residents engaged in activities, but do not include names.

Hypothetical
You are missing an unencrypted USB containing the following info concerning residents:
- Name
- Birthdate
- Account number
- Dates of service
- Diagnosis

Breach Notification
According to HHS, the following constitutes "willful neglect", requiring mandatory penalties:
"A covered entity's employee lost an unencrypted laptop that contained unsecured PHI. [T]he covered entity feared its reputation would be harmed if info about the incident became public and, therefore, decided not to provide notification as required by et seq."
(75 FR 40879)
Beware missing PHI or devices containing PHI.

26 Breach Notification
If breach is reportable, notify:
- Individual
  - No more than 60 days from discovery.
  - By mail.
  - Contain required elements.
- HHS
  - If < 500 persons, by March 1 of next year.
  - If > 500 persons, no more than 60 days from discovery.
  - Electronic report from OCR website uctions.html.
- Media if breach > 500 persons in a state.
(45 CFR et seq.)

Breach Notification
- New breach reporting portal requires additional info.
- If wait to report, ensure you are tracking required info.

Remember your employee benefit plan
- HIPAA applies to employee benefit plans if:
  - Administered by a third party, or
  - Have 50+ participants.
- Employee benefit plan must comply with HIPAA
  - Required policies.
  - Required notices.
  - Others.

27 Additional Resources

HIPAA Resources
- OCR website:
  - Regulations
  - Summary of regulations
  - Frequently asked questions
  - Guidance regarding key aspects of privacy rule
  - Sample business associate agreement
  - Breach notification to HHS portal
- OCR listserve
  - Notice of HIPAA changes

28 Holland & Hart Resources
Available on our website:
- Checklists
  - Privacy rule
  - Security rule
  - Omnibus rule
  - Notice of privacy practices
  - Business associate agreements
  - Authorization
- Practice guides
- Free webinars
- Free client alerts
- Sample privacy policies

Questions?
Holland & Hart LLP (208)


More information

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules

HIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!

More information

HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013

HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background

More information

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT

HIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile

More information

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are

More information

"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA

HIPAA FOR LAW FIRMS WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA "HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law

More information

HIPAA and Lawyers: Your stakes have just been raised

HIPAA and Lawyers: Your stakes have just been raised HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory

More information

The wait is over HHS releases final omnibus HIPAA privacy and security regulations

The wait is over HHS releases final omnibus HIPAA privacy and security regulations The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under

More information

Highlights of the Omnibus HIPAA/HITECH Final Rule

Highlights of the Omnibus HIPAA/HITECH Final Rule Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737

More information

To: Our Clients and Friends January 25, 2013

To: Our Clients and Friends January 25, 2013 Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule

Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.

2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V. HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,

More information

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP

HIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection

More information

The HIPAA Omnibus Rule

The HIPAA Omnibus Rule The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime

The HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2015 February 20, 2015 I. Executive Summary HIPAA is a federal law passed by Congress to protect medical patient data privacy from misuse or disclosure

More information

Disclaimer LEGAL ISSUES IN PHYSICAL THERAPY

Disclaimer LEGAL ISSUES IN PHYSICAL THERAPY LEGAL ISSUES IN PHYSICAL THERAPY Paul J. Welk, PT, JD Tucker Arensberg, P.C. pwelk@tuckerlaw.com 2017 PHCA Annual Convention 1 Disclaimer The purpose of this presentation is to provide a general overview

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )

More information

HIPAA Breach Notification Case Studies on What to Do and When to Report

HIPAA Breach Notification Case Studies on What to Do and When to Report HIPAA Breach Notification Case Studies on What to Do and When to Report AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute February 9 and10, 2012 Colleen M. McClorey,

More information

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com

More information

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government

HITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated

More information

Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style

Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style July 27, 2016 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP hcarnell@mcguirewoods.com

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

HIPAA Background and History

HIPAA Background and History Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy

More information

Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates

Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates Health Insurance Portability and Accountability Act (HIPAA) Terms and Conditions For Business Associates I. OVERVIEW/DEFINITIONS The Health Insurance Portability and Accountability Act (HIPAA) is a federal

More information

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)

HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

Changes to HIPAA Under the Omnibus Final Rule

Changes to HIPAA Under the Omnibus Final Rule Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

Palmetto Paralegal Association

Palmetto Paralegal Association Palmetto Paralegal Association What Every Paralegal Needs to Know About HIPAA March 19, 2014 Jeanne M. Born, RN, JD NEXSEN PRUET, LLC What Every Paralegal Needs to Know About HIPAA In August of 1996 Congress

More information

HIPAA Privacy Compliance Checklist

HIPAA Privacy Compliance Checklist HIPAA Privacy Compliance Checklist Task Obtain Education on HIPAA Privacy Requirements 1. HIPAA EDI requirements. 2. HIPAA privacy requirements. Organize the HIPAA Privacy Team and Create a Game Plan 1.

More information

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule

Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements

More information

HIPAA Privacy, Breach, & Security Rules

HIPAA Privacy, Breach, & Security Rules HIPAA Privacy, Breach, & Security Rules An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337 Eagle Associates,

More information

BUSINESS ASSOCIATE AGREEMENT

BUSINESS ASSOCIATE AGREEMENT PREVIEW VERSION ONLY This Business Associate Agreement (BAA) is made available for preview purposes only. It is indicative of the BAA that will be presented through the online user interface for acceptance

More information

HIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional)

HIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) HIPAA Infection Control OSHA Dental Practice Act HIPAA What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) In the dental field since 1972, Leslie

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4

[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did

More information

ACC Compliance and Ethics Committee Presentation February 19, 2013

ACC Compliance and Ethics Committee Presentation February 19, 2013 ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA

More information

Industry leading Education. Certified Partner Program. Please ask questions Todays slides are available group.

Industry leading Education. Certified Partner Program. Please ask questions Todays slides are available   group. Industry leading Education Certified Partner Program Please ask questions Todays slides are available http://compliancy- group.com/slides023/ Past webinars and recordings http://compliancy- group.com/webinar/

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

HIPAA STUDENT ASSOCIATE AGREEMENT

HIPAA STUDENT ASSOCIATE AGREEMENT HIPAA STUDENT ASSOCIATE AGREEMENT This Agreement dated as of, 20 is made by and between Petaluma Health Center (Hereinafter Covered Entity ) and (Hereinafter Student ). INTRODUCTION This Agreement governs

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement ICANotes LLC doing business at 1600 St Margarets Rd, Annapolis MD 21409 and, doing business at are parties to a Business Associate arrangement as defined under the Health

More information

6/7/2018. HIPAA Compliance Simplified. HHS Wall of Shame. Marc Haskelson, President Compliancy Group

6/7/2018. HIPAA Compliance Simplified. HHS Wall of Shame. Marc Haskelson, President Compliancy Group 855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 HIPAA Compliance Simplified Marc Haskelson, President Compliancy Group Agenda Why HIPAA? Common misunderstandings What is a Audit? Real World Stories

More information

ARRA s Amendments to HIPAA Privacy & Security Rules

ARRA s Amendments to HIPAA Privacy & Security Rules ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health

More information

HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Privacy & Security. Transportation Providers 2017 HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

HIPAA, Privacy, and Security Oh My!

HIPAA, Privacy, and Security Oh My! 2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg

ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg ICAHN Presentation Final Omnibus Rule and Security Risk Analysis July 26, 2013 David Ginsberg PrivaPlan Associates, Inc. PrivaPlan Associates, Inc. is the leading authority in HIPAA Privacy and Security

More information

ARTICLE 1. Terms { ;1}

ARTICLE 1. Terms { ;1} The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing

More information

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.

HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014. HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

ALERT. November 20, 2009

ALERT. November 20, 2009 ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made

More information

HIPAA COMPLIANCE. for Small & Mid-Size Practices

HIPAA COMPLIANCE. for Small & Mid-Size Practices HIPAA COMPLIANCE for Small & Mid-Size Practices Golden State Web Solutions 619.825.GSWS (4797) INTRODUCTION Most individuals reading this are interested in HIPAA, GSWS, or some combination of the two;

More information

Charging Patients for Copies of Their Records: OCR Guidance

Charging Patients for Copies of Their Records: OCR Guidance Charging Patients for Copies of Their Records: OCR Guidance Publication 5/23/2016 Kim Stanger Partner 208.383.3913 Boise kcstanger@hollandhart.com HIPAA generally gives patients or their personal representative

More information

HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017

HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017 HIPAA Compliance for Business Associates ISBA Health Law Symposium October 10, 2017 Presenters: Isaac M. Willett & Doriann H. Cain Business Associates & HIPAA in 2017 Increasing focus on business associates

More information

What Does The New Omnibus HIPAA/HITECH Final Rule Really Mean For Employers And Their Service Providers?

What Does The New Omnibus HIPAA/HITECH Final Rule Really Mean For Employers And Their Service Providers? Visit our Practice Group blog: www.workplaceprivacycounsel.com What Does The New Omnibus HIPAA/HITECH Final Rule Really Mean For Employers And Their Service Providers? Philip L. Gordon, Esq. Littler Mendelson,

More information