HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia
|
|
- Dylan Carpenter
- 6 years ago
- Views:
Transcription
1 HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia
2 Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants to obtain such advice from their own legal counsel who is more familiar with their particular situation.
3 Healthcare Insurance Portability and Accountability Act
4 Background and History of HIPAA Signed into law by Bill Clinton in 1996 Original Objectives: Improve portability and accountability of health insurance coverage for employees changing jobs Bring individual privacy rights to patients Require providers to notify patients of their rights Eliminate fraud, waste and abuse in healthcare
5 How did we get from there to here?
6 2003 Updates Privacy, Security, and Enforcement Rules enacted Gave individuals rights regarding their protected health information (PHI) PHI includes any individually identifiable health information Examples names, addresses, Social Security Numbers, addresses, etc. Set national privacy standards for protecting information Addressed covered entities compliance with these Rules
7 2009 Health Information Technology for Economic and Clinical Health Act (HITECH) Entities transitioned from paper-based medical records to electronic health records (EHR) Addressed the electronic transmission of PHI and the security concerns associated with e-transmission Business Associates Limitations on the sale of PHI, marketing, and fundraising communications
8 2013 Final Omnibus Rule Updates to Security and Breach notification Larger penalties Direct application of Privacy and Security Rules to business associates = direct liability for business associates
9 Business Associates A person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. Or a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. A contractor is a BA if it uses, receives, discloses, or maintains PHI.
10 Examples of BAs: Claims processors Accounting firms Attorneys Consultants IT companies Shredding services Billing companies Medical transcription Business Associates
11 Examples of Non-BAs: Business Associates Employees of the covered entity Other healthcare providers treating patients Vendors not handling PHI as part of their job Examples Cleaning company, software provider, etc. Entities not acting on behalf of the covered entity Entities acting on their own behalf or on the behalf of the patient
12 Business Associates - Contracts BAs are held to the same standard as Covered Entities. Covered entities enter into contracts with BAs to ensure that the they will appropriately safeguard protected health information. Contracts also clarify and limit, as appropriate, the permissible uses and disclosures of PHI by the BA, based on the relationship between the parties and the activities or services the business associate is performing. Contracts are required Office of Civil Rights (OCR) has penalized Covered Entities for failing to implement a BA agreement
13 HIPAA enforcement has been strengthened over the years Recently, this has led to increased OCR audits Phased audits Desk audits vs. onsite audits Enforcement Covered entities and business associates can be audited
14 Penalties For HIPAA Violations
15 Civil Penalties For disclosures of PHI, each individual constitutes a separate violation. Example A computer stolen from a vehicle contains the PHI of 5,250 patients. This constitutes 5,250 violations of HIPAA. For a failure to implement policies, each day the policy was not implemented is a separate violation. Example An entity has been in noncompliance with the HIPAA Security Rule for one year. This would amount to 365 violations. This continuing violations concept allows for stacked penalties. There are maximum penalties.
16 Civil Penalties $100-$50,000 minimum range Maximum penalty assessed per covered entity is $1.5 million per calendar year for all violations of an identical HIPAA provision Four tiers of Civil Penalties
17 Tier One Penalties Covered entity or individual did not know of the act that violated HIPAA - and by exercising reasonable diligence would not have known. Penalties range from $100 - $50,000 for each violation. Maximum penalty of $1.5 million for all violations of identical HIPAA provision during a calendar year.
18 Tier Two Penalties Violations with reasonable causes that were not due to covered entity s willful neglect. Penalties range from $1,000 - $50,000 for each violation. Maximum penalty of $1.5 million for all violations of identical HIPAA provision during a calendar year.
19 Tier Three Penalties Violations due to the willful neglect of the covered entity, but the violation was corrected within the required time period. Penalties range from $10,000 - $50,000 for each violation. Maximum penalty of $1.5 million for all violations of identical HIPAA provision during a calendar year.
20 Tier Four Penalties Violations due to the willful neglect of the covered entity, and were not corrected by the covered entity within the required time period. Penalties range from $50,000 or more for each violation. Maximum penalty of $1.5 million for all violations of identical HIPAA provision during a calendar year.
21 Criminal Penalties Unknowingly or with reasonable cause Up to 1-year sentence Under false pretenses Up to 5-year sentence For personal gain or malicious reasons Up to 10-year sentence
22 Recent OCR Resolutions for HIPAA Violations
23 The Case of the Stolen Laptop CardioNet, a Pennsylvania company, reported that an employee s laptop was stolen from a parked vehicle outside of the employee s home. The laptop contained the ephi of 1,391 individuals. OCR s investigation into the impermissible disclosure revealed that CardioNet had an insufficient risk analysis and risk management processes in place at the time of the theft.
24 CardioNet s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. CardioNet was unable to produce any final policies or procedures regarding the implementation of safeguards for ephi, including those for mobile devices.
25 CardioNet paid a $2.5 million settlement. HHS says not understanding HIPAA requirements creates risk.
26 Mobile devices in the healthcare sector remain particularly vulnerable to theft and loss, said Roger Severino, OCR Director. Failure to implement mobile device security by Covered Entities and Business Associates puts individuals sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected.
27 The Case of the Stolen USB Drive MAPFRE Life Insurance Company of Puerto Rico (MAPFRE) is a subsidiary company of a global multinational insurance company. It underwrites and administers a variety of insurance products and services in Puerto Rico, including personal and group health insurance plans.
28 On September 29, 2011, MAPFRE filed a breach report with OCR indicating that a USB data storage device (described as a pen drive ) containing ephi was stolen from its IT department, where the device was left without safeguards overnight. According to the report, the USB data storage device included complete names, dates of birth and Social Security numbers. report noted that the breach affected 2,209 individuals. The MAPFRE informed OCR that it was able to identify the breached ephi by reconstituting the data on the computer on which the USB data storage device was attached.
29 OCR s investigation revealed MAPFRE s noncompliance with the HIPAA Rules, specifically a failure to conduct its risk analysis and implement risk management plans, contrary to its prior representations, and a failure to deploy encryption or an equivalent alternative measure on its laptops and removable storage media until September 1, MAPFRE also failed to implement or delayed implementing other corrective measures it informed OCR it would undertake.
30 $2.2 million HIPAA settlement demonstrates importance of implementing safeguards for ephi. Covered entities must not only make assessments to safeguard ephi, they must act on those assessments as well, said OCR Director Jocelyn Samuels. OCR works tirelessly and collaboratively with covered entities to set clear expectations and consequences. 01/18/hipaa-settlement-demonstrates-importance-implementingsafeguards-ephi.html
31 The Case of the Disabled Firewall Idaho State University operates 29 outpatient clinics, for which it provides health information technology systems security. Due to the disabling of firewall protections at servers maintained by ISU, the ephi of approximately 17,500 patients was unsecured for at least 10 months.
32 OCR opened an investigation after ISU notified HHS of the breach. OCR s investigation indicated that ISU s risk analyses and assessments of its clinics were incomplete and inadequately identified potential risks or vulnerabilities. ISU did not assess the likelihood of potential risks occurring.
33 OCR concluded that ISU did not apply proper security measures and policies to address risks to ephi. OCR found that ISU did not have procedures for routine review of their information system in place, which could have detected the firewall breach sooner. ISU has agreed to a comprehensive corrective action plan to address the issues uncovered by the investigation and its failure to ensure uniform implementation of required HIPAA Security Rule protections at each of its covered clinics.
34 $400,000 was paid by ISU to settle the alleged Security Rule violations. Risk analysis, ongoing risk management, and routine information system reviews are the cornerstones of an effective HIPAA security compliance program, said OCR Director Leon Rodriguez. Proper security measures and policies help mitigate potential risk to patient information.
35 HIPAA in the Digital Age Addressing HIPAA Requirements in the Face of Changing Technology
36 ephi and HIPAA ephi = individually identifiable protected health information sent or stored electronically Examples PHI sent using , stored on a computer, sent via text message, etc. Privacy and Security Rules are both important when analyzing your practice s ephi protections.
37 HIPAA Privacy Rule
38 HIPAA Privacy Rule Addresses the use and disclosure of individuals health information by covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used. Assures that individuals health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public's health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Flexible and comprehensive to cover the variety of uses and disclosures of PHI.
39 Uses and disclosures of protected health information: General rules. A covered entity is permitted to use or disclose protected health information as follows: (i) To the individual; (ii) For treatment, payment, or healthcare operations ; (iii) Incident to a use or disclosure otherwise permitted or required by this subpart ; (iv) pursuant to and in compliance with valid authorization ; (v) Pursuant to an agreement under, or as otherwise permitted by, ; and (vi) As permitted by and in compliance with this section, , (e), (f), or (g);
40
41 HIPAA Security Rule
42 HIPAA Security Rule Requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-phi. Covered entities must: Ensure confidentiality, integrity, and availability of all e-phi; Identify and protect against security threats; Protect against disclosures and impermissible uses; Ensure staff compliance.
43 Security standards: General rules. Covered entities and business associates must do the following: (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits. (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information. (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part. (4) Ensure compliance with this subpart by its workforce.
44 (b) Flexibility of approach. (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity or business associate. (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information.
45 Size and complexity of the covered entity matters! OCR does not expect the same level of sophistication from all entities vs.
46 How to comply with HIPAA for ephi First step assess your risk to determine potential areas of concern for your entity s ephi Perform a HIPAA Risk Analysis required for HIPAA Compliance Risk Assessment Tool Available at:
47 HIPAA Risk Analysis (a)(1)(ii)(A) states: RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
48 The following questions adapted from NIST Special Publication (SP) are examples organizations could consider as part of a risk analysis. These sample questions are identify issues an organization may wish to consider in implementing the Security Rule: Have you identified the e-phi within your organization? This includes e-phi that you create, receive, maintain or transmit. What are the external sources of e-phi? For example, do vendors or consultants create, receive, maintain or transmit e- PHI? What are the human, natural, and environmental threats to information systems that contain e-phi?
49 HIPAA Quiz Brought to you by HHS
50 Guidance and Tips for a HIPAA-Compliant Practice
51 HHS Cloud Computing Guidance HHS has issued guidance specific to Cloud Computing This guidance and HHS s answers to specific questions related to Cloud Computing is located at:
52 HHS Ransomware Guidance HHS has issued guidance specific to Ransomware This guidance regarding Ransomware is located at:
53 Personal devices and PHI Benefits to using personal devices Accessibility Preference from providers/staff Ease of use Inexpensive Can use anywhere Telework for providers
54 Personal devices and PHI Drawbacks to using personal devices Theft of device Who owns the device or is responsible for purchasing? Who maintains or repairs the device? Compatibility among companies i.e. P.C. vs. Mac
55 Guidance from HHS on Mobile Devices Government run website providing helpful resources on technology issues
56 Use a password or other authentication Combine password with fingerprint I.D. on phones Require that passwords are changed regularly Implement strong policies and procedures no sharing of passwords
57 Install and enable data encryption Protect stored data on mobile devices Full disk encryption for mobile phones, USBs and computers Protect transmitted data Encryption for texting and ing of PHI.
58 Install and enable encryption Third party text encryption Useful in verifying the identity of sender and receiver and provide secure messaging platform TigerText DocsInk OhMD MEDX Imprivata Cortext Vocera
59 Install and enable encryption Third party encryption working to verify identity, provide secure messaging platform, and encrypt content Citrix Appriver NeoCertified Pros PauBox
60 Install and activate remote wiping and/or remote disabling Should a phone or computer be lost or stolen, remote protections for your device are crucial Recall the two examples during the beginning of the presentation Stolen USB and stolen laptop Remote tracking is additionally useful Mitigate theft risk by password and fingerprint protecting
61 Technology Fixes to Promote Security and Help Ensure HIPAA Compliance Secure the server or use a cloud-based protected program Do not store ephi on flash drives or portable disks Update passwords regularly Implement HIPAA policies and procedures Train staff on these policies and procedures
62 Technology Fixes to Promote Security and Help Ensure HIPAA Compliance Disable and do not install or use file sharing applications Install and enable a firewall file sharing applications Install and enable security software Keep the software up to date Wipe devices when no longer using Physical protection for devices
63 Additional Tips to Help Ensure HIPAA Compliance Perform required security risk assessment to identify weaknesses in your plan Yearly risk assessments as your needs change Develop office policies and procedures Educate and train staff on policies and procedures Mandate continuing education Have a HIPAA Champion on your team
64 OCR Audits Increased in numbers in recent years What are auditors looking for? The Phase 2 HIPAA Audit Program reviews the policies and procedures adopted and employed by covered entities and business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. These analyses are conducted using a comprehensive audit protocol that has been updated to reflect the Omnibus Final Rule.
65 OCR Audits OCR Audit Protocol is available online
66 Conclusion
67 Questions?
68 Contact Information Anisa P. Kelley Rachel P. Maryan (703)
ARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationHIPAA AND YOU 2017 G E R A L D E MELTZER, MD MSHA
HIPAA AND YOU 2017 G E R A L D E MELTZER, MD MSHA ALLISON SHUREN, J D, MSN Financial Disclosure Gerald Meltzer is a consultant for imedicware Allison Shuren co-chairs the Life Sciences and Healthcare Regulatory
More informationHIPAA Compliance Guide
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationThe Privacy Rule. Health insurance Portability & Accountability Act
The Privacy Rule Health insurance Portability & Accountability Act Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986 To improve portability and continuity of health insurance coverage
More informationHEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS. What do I need to know?
HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS What do I need to know? INITIAL AUDITS PERFORMED IN 2016 Covered Entities Business associates AUDIT PURPOSE: SUPPORT IMPROVED COMPLIANCE
More informationPreparing for a HIPAA Audit & Hot Topics in Health Care Reform
Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,
More informationHIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights
HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement
More information6/7/2018. HIPAA Compliance Simplified. HHS Wall of Shame. Marc Haskelson, President Compliancy Group
855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 HIPAA Compliance Simplified Marc Haskelson, President Compliancy Group Agenda Why HIPAA? Common misunderstandings What is a Audit? Real World Stories
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationAuditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees
Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees San Antonio IIA: I HEART AUDIT CONFERENCE February 24,
More informationHIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT
WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationBusiness Associate Risk
Business Associate Risk Assessing and Managing Business Associate Risk Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Disclaimer: Nothing in this presentation
More informationThe Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013
The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice
More informationTrue or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)
Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationHIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by
HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement
More informationHayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More information2016 Business Associate Workforce Member HIPAA Training Handbook
2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all
More informationHIPAA Privacy & Security. Transportation Providers 2017
HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information
More informationTo: Our Clients and Friends January 25, 2013
Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health
More informationHIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule
HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com
More informationIndustry leading Education. Certified Partner Program. Please ask questions Todays slides are available group.
Industry leading Education Certified Partner Program Please ask questions Todays slides are available http://compliancy- group.com/slides023/ Past webinars and recordings http://compliancy- group.com/webinar/
More informationConduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation
HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its long-awaited Omnibus Rule 2 implementing regulations required by the HITECH Act
More informationHEALTHCARE BREACH TRIAGE
IAPP Privacy Academy September 30 October 2, 2013 HEALTHCARE BREACH TRIAGE Theodore P. Augustinos EDWARDS WILDMAN PALMER LLP Kenneth P. Mortensen CVS/CAREMARK 2013 Edwards Wildman Palmer LLP & Edwards
More informationHIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional)
HIPAA Infection Control OSHA Dental Practice Act HIPAA What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) In the dental field since 1972, Leslie
More informationThe Security Risk Analysis Requirement for MIPS. August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist
The Security Risk Analysis Requirement for MIPS August 8, 2017, 2:00 p.m. to 3:00 p.m. ET Peter Mercuri, Practice Transformation Specialist Today s Speaker Peter Mercuri Peter Mercuri, MBA, HCISPP, CHSA,CMQP,CEHR,CHTS,CHWP
More informationSaturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules
Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.
More informationThe HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2015 February 20, 2015 I. Executive Summary HIPAA is a federal law passed by Congress to protect medical patient data privacy from misuse or disclosure
More information503 SURVIVING A HIPAA BREACH INVESTIGATION
503 SURVIVING A HIPAA BREACH INVESTIGATION Presented by Nicole Hughes Waid, Esq. Mark J. Swearingen, Esq. Celeste H. Davis, Esq. Regional Manager 1 Surviving a HIPAA Breach Investigation: Enforcement Presented
More informationHIPAA & The Medical Practice
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,
More informationHIPAA COMPLIANCE. for Small & Mid-Size Practices
HIPAA COMPLIANCE for Small & Mid-Size Practices Golden State Web Solutions 619.825.GSWS (4797) INTRODUCTION Most individuals reading this are interested in HIPAA, GSWS, or some combination of the two;
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationTexas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300
Texas Health and Safety Code, Chapter 181 Medical Records Privacy Law, HB 300 Training Module provided as a component of the Stericycle HIPAA Compliance Program Goals for Training Understand how Texas
More informationAFTER THE OMNIBUS RULE
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member
More informationHIPAA Overview Health Insurance Portability and Accountability Act. Premier Senior Marketing, Inc
HIPAA Overview Health Insurance Portability and Accountability Act Premier Senior Marketing, Inc HIPAA Defined Acronym that stands for the Health Insurance Portability and Accountability Act, a US law
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationHIPAA: Impact on Corporate Compliance
HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal
More informationKey Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style
Key Legal Issues in EMR, EMR Subsidy and HIPAA and Privacy Click Issues to edit Master title style July 27, 2016 www.mcguirewoods.com Introductions Holly Carnell McGuireWoods LLP hcarnell@mcguirewoods.com
More informationHIPAA Compliance Under the Magnifying Glass
HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information
More informationHHS, Office for Civil Rights. IAPP October 11, 2012
HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities
More informationHIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013
HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background
More informationDELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION)
DELHAIZE AMERICA PHARMACIES AND WELFARE BENEFIT PLAN HIPAA SECURITY POLICY (9/1/2016 VERSION) Delhaize America, LLC Pharmacies and Welfare Benefit Plan 2013 Health Information Security and Procedures (As
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES KURTIN PLLC COMPLIANCE SOLUTION: UPDATE January 3, I. Executive Summary.
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES KURTIN PLLC COMPLIANCE SOLUTION: UPDATE 2017 January 3, 2017 I. Executive Summary. The Health Insurance Portability and Accountability Act ( HIPAA ) is
More informationWhat Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.
What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability
More information1 Security 101 for Covered Entities
HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &
More information"HIPAA RULES AND COMPLIANCE"
PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS
More informationHIPAA / HITECH. Ed Massey Affiliated Marketing Group
HIPAA / HITECH Agent Understanding And Compliance Presented By: Ed Massey Affiliated Marketing Group It s The Law On February 17, 2010 the Health Information Technology for Economic and Clinical Health
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA Enforcement Under the HITECH Act; The Gloves Come Off
HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information
More informationPrivacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR
Resource provided by Page 1 of 10 Contents I. The Privacy Rule The Fundamental HIPAA Rule... 1 II. Privacy Rule Overview... 1 III. Privacy Rule Standards and Implementation Specifications Covered in Section
More informationHow to mitigate risks, liabilities and costs of data breach of health information by third parties
How to mitigate risks, liabilities and costs of data breach of health information by third parties April 17, 2012 ID Experts Webinar www.idexpertscorp.com Rick Kam President and Co-Founder richard.kam@idexpertscorp.com
More informationDisclaimer LEGAL ISSUES IN PHYSICAL THERAPY
LEGAL ISSUES IN PHYSICAL THERAPY Paul J. Welk, PT, JD Tucker Arensberg, P.C. pwelk@tuckerlaw.com 2017 PHCA Annual Convention 1 Disclaimer The purpose of this presentation is to provide a general overview
More informationHIPAA Background and History
Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy
More informationHIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school
ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes
More informationFuture of Healthcare in Washington April 2, Christiansen IT Law
An Ounce (or More) of Prevention: Getting Ready for OCR Breach Notification and Regulatory Investigations. Future of Healthcare in Washington April 2, 2014 Presenter CV John R. Christiansen, J.D. - Christiansen
More informationHIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.
HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure
More informationHIPAA and Lawyers: Your stakes have just been raised
HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory
More informationIt s as AWESOME as You Think It Is!
It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are
More informationNOTIFICATION OF PRIVACY AND SECURITY BREACHES
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationGUIDANCE ON HIPAA & CLOUD COMPUTING
GUIDANCE ON HIPAA & CLOUD COMPUTING http://www.hhs.gov/hipaa/for-professionals/special-topics/cloudcomputing/index.html January 26, 2017 Health Care Cloud Coalition Deven McGraw, Deputy Director, Health
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection
More informationLegal and Privacy Implications of the HIPAA Final Omnibus Rule
Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,
More informationHIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102a What You Don t Know About HIPAA Privacy and Security Can Really Hurt You! Revision 2015 Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) About Myself - Jack Kolk, CEO
More informationMeaningful Use Requirement for HIPAA Security Risk Assessment
Meaningful Use Requirement for HIPAA Security Risk Assessment The MU attestation requirement does not state that any gaps must be resolved prior to meaningful use attestation. Mary Sirois, MBA, PT, CPHIMSS
More informationEffective Date: 4/3/17
HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)
More informationEnsuring HIPAA Compliance When Transmitting PHI Via Patient Portals, and Texting
Presenting a live 90-minute webinar with interactive Q&A Ensuring HIPAA Compliance When Transmitting PHI Via Patient Portals, Email and Texting Protecting Patient Privacy, Complying with State and Federal
More informationNegotiating Business Associate Agreements
Negotiating Business Associate Agreements February 19, 2015 William J. Roberts, Esq. Shipman & Goodwin LLP 2015. All rights reserved. HARTFORD STAMFORD GREENWICH WASHINGTON, DC About HIPAA HIPAA is a federal
More informationHIPAA Privacy, Breach, & Security Rules
HIPAA Privacy, Breach, & Security Rules An Eagle Associates Presentation Eagle Associates, Inc. www.eagleassociates.net info@eagleassociates.net P.O. Box 1356 Ann Arbor, MI 48106 800-777-2337 Eagle Associates,
More informationHIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment
More informationHIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security
More informationHIPAA, Privacy, and Security Oh My!
2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule
More informationHow to Cut Down on Security Risks:
How to Cut Down on Security Risks: What You Don t Know About HIPAA Security October 29, 2015 2015 Epstein Becker & Green, P.C. All Rights Reserved. ebglaw.com Presented by Adam Solander Member of the Firm
More informationPrivacy and Data Breach Protection Modular application form
Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while
More informationHIPAA Final Omnibus Rule Playbook
DOWNLOADABLE GUIDE HIPAA Final Omnibus Rule Playbook Your Ticket to Winning the Compliance Game Offensive Plays HIPAA Privacy Rule Defensive Plays HIPAA Security Rule Special Team Plays Breach Notification
More informationCLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors
CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )
More informationMarch 1. HIPAA Privacy Policy
March 1 HIPAA Privacy Policy 2016 1 PRIVACY POLICY STATEMENT Purpose: The following privacy policy is adopted by the Florida College System Risk Management Consortium (FCSRMC) Health Program and its member
More informationHIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities
Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationGetting a Grip on HIPAA
Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy
More informationCyber, Data Risk and Media Insurance Application form
Instructions The Hiscox Technology, Privacy and Cyber Portfolio Policy may be purchased on an a-la-carte basis. Some organizations may require coverage for their technology errors and omissions, while
More informationPATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS
PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached
More informationHIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.
HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,
More informationView the Replay on YouTube. HIPAA Enforcement 2.0: Minimizing Exposure with Affirmative Defense
View the Replay on YouTube HIPAA Enforcement 2.0: Minimizing Exposure with Affirmative Defense FairWarning Ready Executive Webinar Series June 4, 2013 Agenda HIPAA Omnibus Rule s effects on future enforcement
More informationHTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017
HIPAA Tool Kit 2017 Contents Introduction...1 About This Manual... 1 A Word About Covered Entities... 1 A Brief Refresher Course on HIPAA... 2 A Brief Update on HIPAA... 2 Progress Report... 4 Ongoing
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationH 7789 S T A T E O F R H O D E I S L A N D
======== LC001 ======== 01 -- H S T A T E O F R H O D E I S L A N D IN GENERAL ASSEMBLY JANUARY SESSION, A.D. 01 A N A C T RELATING TO INSURANCE - INSURANCE DATA SECURITY ACT Introduced By: Representatives
More informationHIPAA Security How secure and compliant are you from this 5 letter word?
HIPAA Security How secure and compliant are you from this 5 letter word? January 29, 2014 www.prnadvisors.com 1 1 About me Over 20 Years in IT as hand-on leader Implemented EMR s of all sizes for Hospitals,
More informationUnderstanding Cyber Risk in the Dental Office. Melissa Moore Sanchez, CIC
Understanding Cyber Risk in the Dental Office Melissa Moore Sanchez, CIC Data Breaches are Escalating Between February 5, 2005 and May 26, 2012 561,465,563 records containing sensitive personal information
More informationThe Audits are coming!
HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been
More information"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA
"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law
More informationGeorgia Health Information Network, Inc. Georgia ConnectedCare Policies
Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health
More informationManagement Alert Final HIPAA Regulations Issued
Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,
More information