Getting a Grip on HIPAA
1 Getting a Grip on HIPAA: Privacy and Security of Health Information in the Post-HITECH Age
Jean C. Hemphill (hemphill@ballardspahr.com), Edward I. Leeds (leeds@ballardspahr.com), Amy Mushahwar (mushahwara@ballardspahr.com), Dee Spagnuolo (spagnuolod@ballardspahr.com)
February 20, 2013
2 Introductions: Ballard's HIPAA Compliance Group
- Jean Hemphill, Health Care and Employee Benefits
- Edward Leeds, Employee Benefits and Executive Compensation
- Amy Mushahwar, Privacy and Data Security
- Dee Spagnuolo, White Collar/Investigations Group
3 HIPAA: the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended in 2009 by the Health Information Technology for Economic and Clinical Health Act ("HITECH")
- Establishes individuals' privacy rights for protected health information
- Requires covered entities and business associates to implement procedures regarding the use, security and disclosure of protected health information
- U.S. Department of Health and Human Services (HHS) regulations establish the standards for the electronic exchange, privacy and security of health information
On January 25, 2013, HHS released final rules modifying the HIPAA, HITECH and Genetic Information Nondiscrimination Act ("GINA") rules. Compliance begins September 23, 2013.
4 Final Rules
- Standards applicable to Business Associates
- New breach definition and related notification developments
- Stronger limitations on use and disclosure of PHI for marketing and fundraising; prohibition on sale of PHI; clarifications regarding research use
- GINA amendments to HIPAA rules
- Expanded individual rights relating to electronic records
- Enforcement rule enhancements: increased audits, civil monetary and criminal penalties
5 HIPAA Origins
6 HIPAA Origins: Privacy Rule
A Covered Entity may use or disclose Protected Health Information only as HIPAA expressly requires or permits that use or disclosure.
7 HIPAA Origins: Security Rule
Covered Entities must secure electronic Protected Health Information: preserve confidentiality, accessibility (availability), and integrity.
8 HIPAA Origins: Protected Health Information (PHI)
Any information in any form or medium that:
- Is created or received by a health care provider, health plan, employer, or health care clearinghouse; AND
- Relates to the past, present or future physical or mental health or condition of an individual, or the provision of or payment for health care for an individual; AND
- Is individually identifiable
9 HIPAA Origins: Covered Entity
- Health Plans
- Health Care Providers who engage in covered electronic transactions
- Health Care Clearinghouses
10 HIPAA Origins: Business Associate
- Vendor of a covered entity
- Obtains PHI in performing services on behalf of the covered entity
- Covered entity must require it to enter into a business associate agreement (BAA) imposing specified privacy and security requirements
11 HIPAA Origins: Required Uses and Disclosures
- Individual Rights
- HHS request in assessing HIPAA compliance
12 HIPAA Origins: Permitted Uses and Disclosures
- Treatment, payment, health care operations
- Specified activities, including:
  - Compliance with other laws
  - Public health
  - Law enforcement
  - Judicial proceedings
  - Research
- Otherwise, obtain the individual's authorization or de-identify the information
13 HIPAA Origins: Measures Required
- Physical, technical, and administrative safeguards
- Allocation of responsibility
- Training
- Documentation
- Ongoing responsibilities
14 Business Associates
15 Business Associates: Modification of Business Associate Requirements
- Changes to definition
- Changes to Business Associate Agreement
- Imposition of direct responsibility
16 Business Associates: Changes to Definition of Business Associate
- Clarification of who is and who is not a BA
- Application to subcontractors that create, receive, maintain, or transmit PHI on behalf of a BA
17 Business Associates: Subcontractors as Business Associates
- BA's responsibilities are transferred downstream
- BA's contract with its subcontractors must include appropriate BA provisions
18 Business Associates: Business Associate Agreements must require the BA to:
- Appropriately safeguard PHI and comply with applicable security requirements
- Report security incidents and inappropriate uses or disclosures, including breaches
- Pass security obligations on to subcontractors in a written BAA
- Comply with the privacy rules to the extent the BA carries out the Covered Entity's obligations under the privacy rules
19 Business Associates: Other Considerations for Business Associate Agreements include
- Elaboration on responsibilities, particularly allocation of breach notification obligations
- BA's responsibility to act if it becomes aware of the Covered Entity's material violations
- The obligation to report a BA's violations to HHS (if they cannot be corrected and the relationship cannot be terminated)
20 Business Associates: Transitional Rule
- Applies to BAAs in place before where the arrangement with the BA is not modified between and
- May delay revising the BAA for up to one year (or until the BA arrangement is modified)
21 Business Associates: BAs Directly Subject to HIPAA
- Almost all of the HIPAA Security Rule
- Use or disclosure that violates the BAA or the HIPAA Privacy Rule
- Non-compliance with an HHS audit
- Failure to meet certain individual rights of access to own PHI
- Non-compliance with the minimum necessary rule
- Failure to enter into a proper BAA with a subcontractor
22 Business Associates: Direct Application of HIPAA Responsibility
- Previously BAs had only contractual liability
- Civil and criminal penalties may apply
- Subject to enforcement mechanisms
- Subcontractor BAs may also be sanctioned directly
23 Breaches
24 Old Rules: Defining a Breach
Under the 2009 rules, an impermissible use or disclosure of unsecured PHI (including electronic PHI) was only a breach if it posed a significant risk of financial, reputational, or other harm to the individual. Known as the "harm standard," this threshold focused on the individual and has been difficult to apply consistently across an array of business associates and uses and disclosures.
25 New Rules Signal a Shift in the Notification Standard
- First, there is now a presumption that an impermissible use or disclosure of unsecured PHI is a breach subject to the HIPAA rules on breach notification.
- Second, the harm standard is replaced with the requirement to demonstrate that there is a low probability that the protected health information has been compromised.
26 Demonstrating a Low Probability of PHI Compromise
Risk assessments must now consider at least the following factors:
- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was actually acquired or viewed; and
- The extent to which the risk to the PHI has been mitigated.
27 The Risk Analysis Musts
- Address all four factors (more may be addressed).
- Evaluate the overall probability that PHI has been compromised.
- Without a demonstrated low probability that PHI has been compromised, breach notification is required.
28 More Breaches Will Be Disclosed
HHS says plans and business associates had misinterpreted its original guidance as setting a very high threshold for breach notification. HHS intends the new factors to produce more objective and consistent breach determinations than the old standard did.
29 Keep in Mind: State Law Is Still Valid
- The Omnibus Rule (and current law) does not preempt most state breach reporting laws.
- The HIPAA Rules preempt only conflicting state laws; there is no conflict if a covered entity or BA is able to comply with both federal and state law.
- The rat race continues: expect to comply with a disparate collection of breach reporting laws when a data breach affects individuals residing in numerous states.
30 Consider the Encryption Safe Harbor
In light of the breadth and burdens of the Final Rule's provisions on breach notification, consider the safe harbor under HIPAA for encryption: PHI that has been rendered unusable, unreadable, or indecipherable to unauthorized persons is not "unsecured PHI," so its loss does not trigger notification. The safe harbor applies only if the data was encrypted as described in the HHS guidance (for data at rest, encryption consistent with NIST Special Publication 800-111) and the decryption key was not itself compromised; a key stored on the same lost laptop or backup tape as the data does not qualify. Encrypting data in accordance with the HIPAA safe harbor is arguably one of the smartest risk mitigation strategies an entity subject to HIPAA could employ. Encryption also helps the state data breach analysis, since most state laws likewise exempt encrypted data.
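The following is an added example, not part of the original presentation, illustrating what "encrypted in a way that keeps the safe harbor" looks like at the code level: ePHI is sealed with AES-256-GCM (an authenticated mode, so tampering is detected as well as confidentiality preserved), and the key lives in a separate key store that the record store never contains. The in-memory key store, the key id "phi-key-2013-02", the medical record number, and the sample record text are all constructed for this demonstration; a real deployment would back the key store with a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// SealedRecord is what the record store keeps. None of its fields reveal the
// PHI without the key: ciphertext with its GCM tag, the nonce, and a key id.
type SealedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// keyStore stands in for a separate key-management system (KMS or HSM).
// Assumption in this example: keys live only here, never beside the records,
// so losing the record store alone does not expose PHI.
type keyStore map[string][]byte

// generateKey creates a random 256-bit AES key and registers it under id.
func (ks keyStore) generateKey(id string) error {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return err
	}
	ks[id] = k
	return nil
}

// aead returns an AES-256-GCM instance for the named key, or an error if the
// key is not available to this process (the lost-laptop case).
func (ks keyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks[id]
	if !ok {
		return nil, fmt.Errorf("key %q not available", id)
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPHI encrypts one patient's record. The patient id is bound to the
// ciphertext as additional authenticated data: it stays visible, but the blob
// can no longer be opened under another patient id or with altered bytes.
func SealPHI(ks keyStore, keyID, patientID string, plaintext []byte) (*SealedRecord, error) {
	gcm, err := ks.aead(keyID)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(patientID))
	return &SealedRecord{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenPHI decrypts and verifies. A flipped bit in the ciphertext, the nonce or
// the patient id fails the tag check and yields an error, never partial plaintext.
func OpenPHI(ks keyStore, patientID string, rec *SealedRecord) ([]byte, error) {
	gcm, err := ks.aead(rec.KeyID)
	if err != nil {
		return nil, err
	}
	if len(rec.Nonce) != gcm.NonceSize() {
		return nil, fmt.Errorf("malformed record: nonce length %d", len(rec.Nonce))
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(patientID))
	if err != nil {
		return nil, fmt.Errorf("record for %q failed authentication (tampered, wrong patient, or wrong key)", patientID)
	}
	return pt, nil
}

func main() {
	ks := keyStore{}
	if err := ks.generateKey("phi-key-2013-02"); err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration, not real patient data.
	rec, err := SealPHI(ks, "phi-key-2013-02", "MRN-000123", []byte("Jane Roe, dx: hypertension"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob: key=%s nonce=%x ct=%x\n", rec.KeyID, rec.Nonce, rec.Ciphertext)
	// Lost-laptop scenario: the record store leaks, the key store does not.
	_, err = OpenPHI(keyStore{}, "MRN-000123", rec)
	fmt.Println("without the key:", err)
	// Tampering scenario: one bit of the stored blob is changed.
	rec.Ciphertext[0] ^= 0x01
	_, err = OpenPHI(ks, "MRN-000123", rec)
	fmt.Println("tampered blob:", err)
}
```

The design point is the separation: what an attacker obtains from a stolen disk or backup is only SealedRecord values, and the safe harbor analysis turns on whether the key store was also exposed. Binding the patient identifier as authenticated data is an integrity control (slide 33) that costs nothing extra and prevents a ciphertext from being silently reattached to another patient's chart.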
31 Avoid the Breach to Begin With
Companies that have effective compliance programs are less likely to experience a breach, and when they do it is less expensive. For CISOs on the line, make legal your best friend. For legal and compliance officers, make CISOs and IT security your new allies.
32 Conduct Some Internal Security Socialization
33 Use the Omnibus Rule as a Funding Mandate
Use the HIPAA Omnibus Rule as justification to review and shore up a number of areas that are routinely and woefully underfunded. Consider examining your:
- Log file management and alerting protocols
- Data maps
- Access controls
- Person/entity authentication
- Integrity controls
- Encryption
- Security auditing practices
Everyone has IT funding headaches; use this opportunity to elevate the problems and resolve them.
34 New Limitations on Use of PHI for Fundraising, Research, Marketing, and the Sale of PHI
35 PHI for Fundraising Communications
A CE may use or disclose to a BA or an institutionally related foundation certain PHI for the purpose of raising money for its own benefit:
- Demographic information (name, address, age, gender, DOB)
- Dates health care was provided
- Department of service involved
- Treating physician
- Outcome information
- Health insurance status
36 PHI for Fundraising Communications
- The CE's Notice of Privacy Practices must disclose that the organization may use PHI to contact the individual for fundraising and advise the individual that he or she has the right to opt out of receiving such communications.
- Each communication must include a clear and conspicuous opportunity to elect not to receive any further communications, including oral communications (telephone solicitations).
- The CE may not send fundraising communications to any individual who elects to opt out.
- The CE may provide information on how to opt back in.
37 PHI for Fundraising Communications
The opt-out method must not cause the individual to bear an undue burden or incur more than a nominal cost.
- Flexible, not prescriptive, standard
- A CE can adopt a single or multiple opt-out methods as long as they are reasonably accessible to all individuals wishing to opt out
- Use of a toll-free number, an e-mail address, or a pre-printed, pre-paid return postcard is acceptable
- Requiring a written letter is considered an undue burden
- Opt-out may be applied on a campaign-specific or all-fundraising basis
38 Use of PHI in Research
The new rules eliminate multiple, redundant authorization forms and allow a combined authorization addressing both:
- Research for which participation in the clinical protocol is conditioned upon agreement to authorize the use of PHI for research purposes ("conditioned research")
- Research where clinical treatment is not conditioned upon the authorization ("unconditioned research"), e.g. a tissue banking authorization
The combined authorization must clearly differentiate the research activities and provide an opt-in option for the unconditioned research.
39 Authorizing Use in Future Research
- The authorization's purpose section must adequately describe uses and disclosures for future research purposes such that it would be reasonable for the individual to expect that PHI could be used for future research.
- The authorization may cover PHI collected beyond the time of the original study.
- The authorization may designate a class of persons as the recipients of PHI to cover sharing of PHI in future research.
40 Marketing
The HIPAA privacy rule requires a CE to obtain individual authorization to use or disclose PHI for marketing purposes. If the marketing involves financial remuneration from a third party, the authorization must disclose that such remuneration is involved.
41 Sale of PHI
- HITECH added a specific prohibition on the sale of PHI without the individual's authorization.
- "Sale of PHI" means a disclosure by a CE or BA where the CE or BA directly or indirectly receives remuneration from or on behalf of the recipient of the PHI in exchange for the PHI.
- Applies to a change in title of the owner as well as to access, license or lease agreements.
- There are numerous exceptions to the definition of sale of PHI.
42 Sale of PHI: Exceptions to the Definition
- Public health activities (in limited data set form or under (b))
- Research purposes
- Treatment
- Sale, transfer, merger or consolidation of a CE and related due diligence (provided that the successor is or will be a CE)
43 Sale of PHI
- Grants and contracts to a CE to perform programs or research are not considered a sale
- Health information exchange fees are not a sale of PHI
- For research uses, it is not a sale if remuneration is limited to a reasonable cost-based charge to collect and transmit the data, based on direct and indirect costs. Indirect costs include labor, materials and supplies as well as related capital and overhead charges, but not a profit margin.
44 Sale of PHI
- The authorization form must advise the individual that the disclosure will result in remuneration to the CE.
- The term "remuneration" covers financial and nonfinancial (in-kind) benefits. This is a broader definition than in the marketing provision, where the statute uses the term "payment" and the regulation refers only to financial benefits.
45 GINA
46 Genetic Information Nondiscrimination Act
- Other laws require privacy of health information, including GINA.
- The new HIPAA regulations include provisions designed to coordinate with particular requirements in the GINA rules.
- A health plan may not use or disclose PHI that is genetic information for purposes of underwriting.
  - The rule applies even if the individual provides authorization.
  - Exception for long-term care insurers.
  - Genetic information includes family medical history.
47 Individual Rights
48 Individual Rights
Individuals have the following rights under HIPAA's privacy rules:
- Right to restrict uses and disclosures of PHI
- Right to access PHI in the Designated Record Set
- Right to amend the Designated Record Set
- Right to obtain an accounting of disclosures
- Right to receive a Notice of Privacy Practices
49 Individual Rights: Restrictions on Use and Disclosure
- An individual may restrict disclosure, for purposes of payment or health care operations, of PHI relating to an item or service paid for completely out-of-pocket.
- Exception: disclosures needed to meet legal requirements.
50 Individual Rights: Right to Access PHI in the Designated Record Set
- Provide in the form requested if readily producible.
- If not readily producible in the requested form:
  - For electronic PHI that is requested electronically, provide in an agreed-upon electronic form
  - Otherwise, provide in an agreed-upon form or as a readable hard copy
- Must also provide to the individual's designee if the designation is made clearly.
51 Individual Rights: Right to an Accounting of Disclosures
- Generally, a Covered Entity is required to account, on request, for a limited range of disclosures of PHI going back up to 6 years.
- The HITECH Act required a Covered Entity to report, on request, a broader range of disclosures from an EHR going back up to 3 years.
- Proposed regulations extended the requirement to all electronic records in the Designated Record Set.
- The final regulations do not address this.
52 Individual Rights
The Notice of Privacy Practices must be amended to state that authorization is required for:
- Most uses and disclosures of psychotherapy notes (where applicable)
- Marketing and sale of PHI
- Other uses and disclosures not described in the notice
53 Individual Rights
The new regulations also require that the Notice of Privacy Practices be amended to state:
- PHI may be used to contact individuals for fundraising, but the individual may opt out
- The individual may restrict use or disclosure for expenses paid out-of-pocket
- Notice will be provided of a breach of unsecured PHI
- Genetic information may not be used or disclosed for underwriting purposes
54 Individual Rights: Health Plan Distribution of Notice of Privacy Practices
- Post the restated notice or a notice of material changes on the website by the compliance date and distribute the restated notice or notice of material changes in the next annual mailing to enrollees
- If no website, distribute the restated notice or notice of material changes within 60 days of the material change
55 Individual Rights: Health Care Provider Distribution of Notice of Privacy Practices
- Make the restated notice available when an individual requests it
- Make copies of the restated notice available at the site where services are delivered
- Post the restated notice in a clear and prominent location at the delivery site
- Give the notice to new patients and try in good faith to obtain acknowledgment of receipt
56 Enforcement/Penalties
57 Enforcement, OCR Audits and Penalties
OCR enforces the privacy and security rules by:
- Investigating complaints
- Conducting compliance reviews
- Performing education and outreach to promote compliance
58 Complaints
59 The Audit Process: What Is an OCR Audit?
- HHS's method of ensuring compliance
- A compliance improvement tool
- A comprehensive audit protocol to assess processes, controls, and policies relating to:
  - Privacy Rule requirements
  - Security Rule requirements
  - Breach Notification Rule requirements
60 The Audit Process
Protocols consider:
- Do formal or informal policies exist?
- Have the policies been communicated to employees?
Pilot phase: November to December audits. Audit selection:
- At random
- As the result of a breach
- In response to a complaint to OCR
61 The Audit Process
- Introductory letter
- Audit commences 30 to 90 days from the date of the letter
- Onsite visits for 3 to 10 business days
- After fieldwork, the auditor provides a draft final report; the entity has 10 days to respond in writing
- The auditor completes the final report within 30 days after receiving written comments
- Submission to OCR
62 Resolution
If there is a showing of noncompliance, OCR attempts to resolve it through:
- Voluntary compliance
- Corrective action
- Resolution agreement
OCR may also impose civil monetary penalties.
63 Civil Monetary Penalties (per violation, with an annual cap of $1.5 million per type of violation)
- Did not know, and by exercising reasonable diligence would not have known, of the violation: $100 to $50,000 per violation; $1.5 million per type per year
- Violation due to reasonable cause: $1,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, problem corrected: $10,000 to $50,000 per violation; $1.5 million per type per year
- Willful neglect, problem not corrected: $50,000 per violation; $1.5 million per type per year
64 Statistics and Trends
[Chart placeholder: complaints received by calendar year, with columns Received, Resolved, Investigated, No Violation, CAO]
65 Risks
- Loss of contracts
- Criminal and civil investigation
- Federal penalties, state fines
- Public harm and reputational risk
- Legal costs
- Cost of notification
66 Compliance Measures
67 Compliance Measures: Considerations
- New requirements and a deadline
- Changes in the privacy/security environment
- Internal and external experience
68 Compliance Measures: To-Do List
- Security risk assessment (BAs and CEs)
- Security policies and procedures (BAs and CEs)
- Privacy policies and procedures (CEs)
- Breach response readiness (BAs and CEs)
- Training (BAs and CEs)
- Notice of Privacy Practices (CEs)
- Business Associate Agreements (BAs and CEs)
- Effect on other HIPAA documents and practices (BAs and CEs)
69 Compliance Measures: What to Watch For
- Accounting of disclosure rules
- Electronic distribution of the Notice of Privacy Practices
- Minimum necessary rules
- Technical guidance
- Further information about enforcement/penalties
70 Thank you. Jean C. Hemphill, Edward I. Leeds, Amy Mushahwar, Dee Spagnuolo
71 Questions?
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationHIPAA Compliance Under the Magnifying Glass
HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA and Lawyers: Your stakes have just been raised
HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory
More informationNOTIFICATION OF PRIVACY AND SECURITY BREACHES
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationHighlights of the Final Omnibus HIPAA Rule
Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,
More informationHIPAA Omnibus Rule Compliance
HIPAA Omnibus Rule Compliance Jana Aagaard, JD Senior Counsel, Privacy/HIT Dignity Health Christy Navarro, MS CIPP/US Director, Chief Privacy Officer - Ascendian 1 Overview Background What Should Be Done
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More informationHITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule
HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule Audio Seminar January 28, 2013 Practical Tools for Seminar Learning Copyright 2012 American Health Information Management Association.
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationHIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights
HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationManaging Information Privacy & Security in Healthcare. When an Authorization is Required
D21 Managing Information Privacy & Security in Healthcare When an Authorization is Required By Barbara Demster, MS, RHIA, CHCQM and Sandra Sinay, JD, LLM Authorizations for Uses and Disclosures: 164.508.
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationHIPAA Omnibus Final Rule and Research
Office of the Secretary Office for Civil Rights () HIPAA Omnibus Final Rule and Research Federal Demonstration Partnership September 17, 2013 Christina Heide, JD Senior Health Information Privacy Policy
More informationO n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report
Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 168, 02/04/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com
More informationThe American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again
ClientAdvisory The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again February 26, 2009 On February 17, 2009, President Obama signed into
More informationThe HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.
The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationAROC 2015 HIPAA PRIVACY AND SECURITY RULES
AROC 2015 HIPAA PRIVACY AND SECURITY RULES Presented by: Robert A. Paster, Esq. Brach Eichler L.L.C. 101 Eisenhower Parkway Roseland, NJ 07068 973-403-3144 rpaster@bracheichler.com www.bracheichler.com
More informationARRA s Amendments to HIPAA Privacy & Security Rules
ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health
More informationHIPAA Final Omnibus Rule Playbook
DOWNLOADABLE GUIDE HIPAA Final Omnibus Rule Playbook Your Ticket to Winning the Compliance Game Offensive Plays HIPAA Privacy Rule Defensive Plays HIPAA Security Rule Special Team Plays Breach Notification
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule
More informationCROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF
CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Update 2-17-2016 CROOK COUNTY RECORD OF CHANGES 2 TABLE OF CONTENTS Introduction HIPAA
More informationCentral Florida Regional Transportation Authority Table of Contents A. Introduction...1 B. Plan s General Policies...4
Table of Contents A. Introduction...1 1. Purpose...1 2. No Third Party Rights...1 3. Right to Amend without Notice...1 4. Definitions...1 B. Plan s General Policies...4 1. Plan s General Responsibilities...4
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationIndustry leading Education. Certified Partner Program. Please ask questions Todays slides are available group.
Industry leading Education Certified Partner Program Please ask questions Todays slides are available http://compliancy- group.com/slides023/ Past webinars and recordings http://compliancy- group.com/webinar/
More informationBreach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule
Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance
More informationHIPAA Special Considerations: Individual Right to Request Restriction of Uses and Disclosures of PHI Voluntary and Mandatory
HIPAA Special Considerations: Individual Right to Request Restriction of Uses and Disclosures of PHI Voluntary and Mandatory A Presentation Developed by: Erin MacLean, Freeman & MacLean, P.C. & Deb Micu,
More informationHIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security
More informationOmnibus Rule: HIPAA 2.0 for Law Firms
Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationPractical Guidance and Proposed Solutions in Response to the HIPAA Final Omnibus Rule
Practical Guidance and Proposed Solutions in Response to the HIPAA Final Omnibus Rule February 21, 2013 Megan Hardiman Katten Muchin Rosenman LLP Chicago, Illinois 312.902.5488 megan.hardiman@kattenlaw.com
More informationHIPAA Compliance Guide
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationIT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER]
IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW Publication IT'S COMING: THE HIPAA/HITECH RULE; WHAT TO EXPECT AND WHAT TO DO NOW [OBER KALER] Author James B. Wieland 2012: Issue
More informationChanges to HIPAA Privacy and Security Rules
Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.
More informationEffective Date: March 23, 2016
AIG COMPANIES Effective Date: March 23, 2016 HIPAA NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationVOL. 0, NO. 0 JANUARY 23, 2013
Health IT Law & Industry Report VOL. 0, NO. 0 JANUARY 23, 2013 Reproduced with permission from Health IT Law & Industry Report, 5 HILN 4, 01/23/2013. Copyright 2013 by The Bureau of National Affairs, Inc.
More informationHIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.
HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,
More informationARRA 2009: Privacy and Security Provisions. Deven McGraw
ARRA 2009: Privacy and Security Provisions Deven McGraw 1 Health Privacy Project at CDT Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce
More informationPort City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY Fax HIPAA NOTICE OF PRIVACY PRACTICES
Port City Chiropractic. P.C. 11 Fourth Avenue Oswego, NY 13126 315.342.6151 315.342.8548 - Fax HIPAA NOTICE OF PRIVACY PRACTICES PLEASE REVIEW THIS NOTICE CAREFULLY. IT DESCRIBES HOW YOUR MEDICAL INFORMATION
More informationHIPAA Final Omnibus Rule Playbook for Business Associates
DOWNLOADABLE GUIDE HIPAA Final Omnibus Rule Playbook for Business Associates Your Ticket to Winning the Compliance Game Offensive Plays HIPAA PRIVACy Rule Defensive Plays HIPAA Security Rule Special Team
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More information