Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule


IMPORTANCE OF STAFF TRAINING

HIPAA staff training is a key, required element in a covered entity's HIPAA compliance plan. It must take place at least annually, or as HIPAA Rules change, policies are updated, or job descriptions change. In April 2013, the Office of Civil Rights stated that inadequate staff training is one of the key deficiencies discovered in its auditing and enforcement activities.

- PRIVACY RULE
- SECURITY RULE
- HIPAA TRANSACTIONS AND CODE SETS RULE
- UNIQUE IDENTIFIERS RULE
- ENFORCEMENT RULE

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act of 1996 and its amendments

- Intent: To protect privacy at the highest level
- HIPAA preempts state law, unless the state privacy laws are more stringent.
- HIPAA defers to state law on the treatment of minors, but providers must still consider both state privacy laws and HIPAA depending on the issue.

WHO IS REQUIRED TO COMPLY WITH HIPAA?

- Healthcare providers
- Healthcare plan providers
- Business Associates*
- Agents*
- Subcontractors*
- Clearinghouses

*Effective March 26, 2013 HIPAA Omnibus Final Rule

PENALTIES

- Penalties for both Privacy and Security violations and HITECH violations can be imposed at the same time.
- Simultaneous imposition of penalties is at the discretion of the OCR.
- Both covered entities and individuals can be penalized.
- Revenue earned from imposition of penalties is used by the OCR to further enforce HIPAA rules and fund the audit program.

PENALTIES

- Unknowing: The covered entity or business associate did not know and reasonably should not have known of the breach.
- Reasonable cause: The covered entity or business associate knew, or should have known, that the act was a breach, but the covered entity did not act with willful neglect.
- Willful neglect: Conscious violation or reckless indifference to the law

PENALTIES

PROBLEM / GENERAL PENALTY

CIVIL
- Unknowing: $100 - $50,000 per violation; maximum of $1.5 million annually
- Reasonable Cause: $1,000 - $50,000 per violation; maximum of $1.5 million annually

CRIMINAL
- Unknowingly/reasonable cause: Up to $50,000 per violation; up to one year imprisonment
- False Pretense: Up to $100,000 per violation; up to five years imprisonment
- Intent to Sell/Malicious Intent/Personal Gain: Up to $250,000 per violation; up to ten years in prison

ADDITIONAL PENALTIES: Willful Neglect
- Corrected in 30 days: $10,000 minimum penalty, up to $1.5 million
- Not corrected: $50,000 minimum penalty; unlimited maximum penalty

Effective March, 13,

KEY TERMS AND ACRONYMS

IIHI/PHI: Individually Identifiable Health Information/Protected Health Information

- Electronic, written, or oral
- Related to past, present, or future physical or mental health or condition of an individual
- Related to provision or payment for healthcare for an individual
- Created, received, or maintained by a covered entity

KEY TERMS AND ACRONYMS

PHI: 18 Identifiers

1. Names
2. All geographical subdivisions smaller than state (street address, city, county, zip code) (except for three initial zip code digits with exceptions)
3. All elements of dates, except year, for dates directly related to an individual
4. Phone numbers
5. Fax numbers

KEY TERMS AND ACRONYMS

PHI: 18 Identifiers

6. Electronic mail addresses
7. Social Security numbers
8. Medical record number
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web Universal Resource Locators (URLs)
15. Internet Protocol (IP) address numbers
16. Biometric identifiers, including finger and voice prints
17. Full face photographic images and any comparable images
18. Any other unique, identifying number, characteristic, or code

KEY TERMS AND ACRONYMS

- TPO: Treatment, payment, operations
- Authorization Form
- Direct and Indirect Treatment Relationships
- Disclosure
- Minimum Necessary
- Breach Notification/Risk Assessment/Low Probability
- HIPAA Omnibus Rule
- Business Associate

KEY TERMS AND ACRONYMS

What is a Business Associate?

Persons or organizations that Create, Receive, Maintain, Transmit, or Access PHI on behalf of a covered entity.

KEY TERMS AND ACRONYMS

Minimum Necessary: The requirement that a covered entity make reasonable efforts to limit the PHI that it uses, discloses, or requests from another covered entity to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

- Justification regarding what constitutes the minimum necessary may be required in some situations.
- It does not apply to disclosures to or requests by a health care provider for treatment purposes.

THE PRIVACY RULE

Establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.

THE PRIVACY RULE

- Gives patients control over their PHI
- Gives patients the right to restrict the use of their PHI, including in relation to billing
- Gives patients the right to request confidential communication regarding their PHI
- Sets boundaries on use and disclosure of PHI
- Sets safeguards
- Holds violators accountable
- Limits disclosure to the Minimum Necessary
- Gives patients the right to notification in the event of a breach (HIPAA Omnibus Final Rule)
- Gives patients the right to file a complaint with the OCR

THE PRIVACY RULE

HIPAA requires that all covered entities have a Privacy Compliance Plan:

- Privacy Officer or Privacy Committee
- Written privacy policies, procedures, and forms
- A privacy notice
- Gap Analysis Audits at least annually to identify privacy risks and reduce vulnerabilities

HIPAA requires that all employees have privacy awareness training AT LEAST ANNUALLY.

THE PRIVACY RULE

Privacy Awareness Training

- Overview and basic understanding of the Privacy Rule
- Understanding of the Minimum Necessary standard
- Understanding of Privacy Policies and Procedures
- Documentation of all training
- Updated training at least annually or as job duties change

All procedures, forms, Privacy Notices, staff training, Gap Analysis, Risk Analysis, and other considerations regarding compliance with the HIPAA Omnibus Final Rule must be implemented and/or updated as of September 23, 2013.

THE PRIVACY RULE

Day to Day Compliance

Key words to remember: Common Sense Minimum Necessary Reasonable Good Faith Effort No Willful Neglect

THE SECURITY RULE

Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity.

The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.

THE SECURITY RULE

Intended to ensure three main points:

- Confidentiality: Who can see your data
- Integrity: Data not altered or destroyed
- Availability: Data is accessible when needed

THE SECURITY RULE

INFORMATION SECURITY

- Minimizing the vulnerability of assets and resources
- Controlling access to valued resources
- Controls, countermeasures, and procedures to ensure the appropriate protection of information assets

THE SECURITY RULE

Key Security Terms

- Asset: Anything of value
- Vulnerability: Any weakness that could be exploited to violate a system or the information it contains
- Threat: A potential violation of security
- Confidentiality: Preventing unauthorized disclosure of sensitive information
- Integrity: Preventing unauthorized modification of systems and information
- Availability: Preventing disruption of service and productivity
- Authentication: The process of proving your identity
- Access Control: Provides protection against the unauthorized use of resources

THE SECURITY RULE

HIPAA requires that all covered entities have a Security Compliance Plan:

- Security Officer or Security Committee
- Risk Analysis Audits to identify security risks
- Written privacy policies, procedures, and forms for six main sections of security rule:
  1. Administrative Safeguards
  2. Physical Safeguards
  3. Technical Safeguards
  4. Organizational Requirements
  5. Policies/Procedures & Documentation Requirements
  6. Sanction Policy

THE SECURITY RULE

Administrative Safeguards

- Assigned Security Officer
- Risk Analysis
- Staff Training
- Disaster Recovery Plan
- Data Backup Plan
- Password Management
- Business Associate Contracts

THE SECURITY RULE

- Physical safeguards: Facility security, maintenance records, media disposal, data backup and storage
- Technical safeguards: Unique user identification, encryption, audit trails, security software and features, automatic logoff, transmission security/encryption
- Organizational requirements: Business Associate agreements

THE SECURITY RULE

HIPAA requires that all employees have security awareness training to ensure:

- Protection from malicious software: Staff should guard against, detect, and report malicious software, downloads, or any suspicious system activity
- Password Management: procedures for changing and safeguarding passwords
- Understanding of security policies and procedures
- Documentation of all training
- Updated training

THE SECURITY RULE

Seven Areas to Maintain:

1. Assign/Reassign Security Responsibility
2. Annually Conduct a Risk Analysis
3. Implement Policies and Procedures and Review Annually
4. Remediation
5. Implement Business Associate Contracts*
6. Conduct Annual Staff Training
7. Ongoing/Annual Evaluation, Testing, and Remediation

*Business Associate Agreements must be implemented as of September 23, 2013 as outlined by HITECH/Omnibus Final Rule.

WHAT IS THE HITECH ACT?

Health Information Technology for Economic and Clinical Health Act:

- Part of American Recovery and Reinvestment Act of 2009
- Contains specific incentives to accelerate the adoption of electronic health record systems among providers
- Widens the scope of privacy and security protections available under HIPAA
- Increases the potential legal liability for noncompliance
- Mandates new disclosure rules for reporting breaches
- Provides for more enforcement against more parties

WHAT IS THE HIPAA OMNIBUS FINAL RULE?

- Released January 17, 2013 and effective September 23, 2013
- Interprets and implements various provisions of HITECH Act, which required HHS to modify HIPAA's Enforcement Rule and HHS's approach to imposing civil money penalties (CMPs)
- Significantly increased the amount of CMPs, reduced the number of available affirmative defenses to CMPs, and required the imposition of CMPs for all violations due to willful neglect
- Extended all CMP scenarios to apply to Business Associates
- Strengthened patient privacy protections
- Provides patients with new rights to their protected health information

Definitions Under the Final Rule

- Breach: The impermissible acquisition, access, use, or disclosure of unsecured PHI is presumed a breach unless the responsible entity can demonstrate there is a low probability the PHI has been compromised, based on a risk assessment that includes a specific list of factors to be considered, as outlined by the OCR.
- Breach Notification: If a breach occurs and there is a probability that PHI has been compromised, affected individuals and the Secretary of HHS must be notified in a very specific manner as outlined by the OCR. This applies to breaches by Business Associates and their sub-contractors.
- Secured PHI: The only two accepted methods for rendering PHI unusable, unreadable, indecipherable, uncompromised, and secured by definition are encryption and destruction.

Patient Rights/Covered Entity Restrictions

Sale of PHI

- Covered entities may not receive direct or indirect payment in exchange for PHI, unless the patient has signed a specific authorization.
- Exceptions: public health activities, research, treatment of the patient, sale/transfer/merger of business, business associate activities, and for fees charged to provide a patient with a copy of their PHI pursuant to request.
- Payment or remuneration does include in-kind value.
- Disclosure for the purposes of sale includes the granting of access, directly or indirectly, through licenses or lease agreements.

Research

- The Final Rule permits covered entities to combine conditional and unconditional authorizations for research if they differentiate between the two activities and allow for an opt-in of unconditional research activities.
- Future research studies may now be part of a properly executed authorization that includes all the required elements.
- Exception: psychotherapy notes may only be combined with other authorizations for psychotherapy notes.

Access to PHI

- Electronic Access: The Final Rule allows individuals to request electronic copies of their PHI and may direct an entity to transmit a copy directly to another entity or person.
- Third Parties: If an individual requests in writing pursuant to a valid HIPAA authorization form, and clearly identifies the designated person who is to receive the PHI, the entity must transmit the copy as requested.*
- Fees: Covered entities can charge reasonable cost-based fees, including labor costs for both paper and electronic PHI records. Fees for maintaining systems, infrastructure, and storage are not considered reasonable, cost-based fees.

* Entities need to implement policies and procedures to verify the identity of the person requesting PHI.

Access to PHI

- Timeliness: The Final Rule requires entities to provide access to records within 30 days in all circumstances, with a one-time 30 day extension.

Marketing

- The Final Rule requires a patient authorization for treatment communications if the covered entity receives payment from the third party whose product/service is subject to the communication. This does not include in-kind or other nonfinancial subsidies for this purpose.
- Face-to-face communications, gifts of nominal value, services pertaining to case management, alternative treatments or services, or communications regarding refill reminders do not require an authorization.

Disclosures Regarding Decedent

- The Final Rule allows entities to disclose a decedent's information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless inconsistent with any prior expressed preference of the individual known to the covered entity.
- This change does not affect the authority of the personal representative.
- The IIHI of a person who has been deceased for more than 50 years is NOT PHI under the Privacy Rule.

Disclosures Regarding Students

- Covered entities are permitted to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student.
- Written authorization is no longer required.
- Covered entities must obtain oral or written agreement from the parent or guardian and document the type of agreement obtained.
- The agreement is effective until revoked.

Restrictions on Fundraising

The Final Rule permits covered entities to use/disclose PHI to a business associate or related foundation for fundraising purposes without an authorization. Permitted PHI includes:

- Demographic information
- Dates of healthcare provided to individual
- Department providing healthcare to an individual

Fundraising communications must provide a clear opportunity for the patient to opt-out of receiving future communications. Entities are provided flexibility to decide the method to allow individuals to opt-out and opt-back into the use of PHI in fundraising opportunities. Once an individual has opted-out, the covered entity must take reasonable measures to ensure that no further communication is provided.

Restrictions

- A covered entity must honor a patient's request to restrict disclosure of PHI to a health plan/insurer for services that the patient paid in full, out-of-pocket.
- The covered entity must develop methods to prevent disclosures, such as notations in records or separate billing.
- Entities may still submit restricted information to Medicare and Medicaid audits are required by law.

Accounting of TPO Disclosures

- If a covered entity uses electronic health records, the covered entity, at the patient's request, must provide an accounting of disclosures for treatment, payment, and healthcare for a three year period.

Business Associates & Subcontractors

The Business Associate Agreement used by covered entities must be updated to include the following changes by September 23, 2013:

- A requirement that BAs must comply with the HIPAA Security Rule
- A requirement that BAs report breaches of unsecured PHI to covered entities
- A requirement that any subcontractors of the BA agree to the same restrictions and conditions that apply to the BA

BAs are required to enter into Business Associate agreements with their subcontractors. Covered entities can now be liable for the violations of the BA when acting as an agent of the covered entity. Training BAs regarding compliance efforts and having knowledge of their compliance activities is imperative.

Changes to Notice of Privacy Practices

The Notice must include statements regarding:

- The types of uses and disclosures that require individual authorization
- An individual's right to opt-out of fundraising communications
- An individual's right to restrict certain disclosures of PHI to a health plan where the individual pays out-of-pocket in full for health care services
- An individual's right to notice in the event of a breach of unsecured PHI
- An individual's rights with respect to the use of their genetic information for health plan underwriting purposes

Notice of Privacy Practices

Distribution Requirements:

- Make the latest notice (i.e., the one that reflects any changes in privacy policies) available at the provider's office or facility for individuals to request to take with them, and post it in a clear and prominent location at the facility
- May to patient if they agree
- Provide the notice no later than the date of first service and make a good faith effort to obtain written acknowledgement (exception is emergency treatment)

As previously required, a healthcare provider should retain copies of each version of its Notice and all written acknowledgements regarding receipt of the Notice by individuals.

Additional Changes to Notice of Privacy Practices

Additionally, covered entities must ensure that the Notice includes language stating:

- Most uses and disclosures of psychotherapy notes (if recorded by a covered entity) will require an authorization.
- Most uses and disclosures for marketing purposes will require an authorization.
- Most disclosures of PHI that constitute the sale of PHI will require an authorization.
- That uses and disclosures not described in the Notice will require an authorization

In response to the Final Rule, you must verify that it has undergone a recent Security Risk Analysis. The OCR views failure to conduct such an analysis as a key trigger to enforcement action. An insufficient risk analysis is among the top weaknesses discovered during the 2012 pilot audit program.

Privacy and Security

- Clearly assign responsibilities to capable employees
- Update Business Associate Agreements: if in existence prior to the Final Rule enactment date of January 2013, must be updated when the agreement is modified or reviewed, or September 22, 2014, whichever is earlier

HIPAA OMNIBUS RULE/FINAL RULE

Breach Notification Rule

- The Final Rule removes harm standard from the definition of breach. Now, if a breach occurs and there is a probability that PHI has been compromised, affected individuals and the Secretary of HHS must be notified in a very specific manner as outlined by the OCR. This also applies to breaches by Business Associates and their subcontractors.
- Breaches affecting 500 or more individuals/patient records require notice to the Secretary of HHS through an online portal and prominent media outlet coverage to ensure adequate notice to affected individuals.
- Breaches affecting fewer than 500 people require the maintenance of a log of such breaches for annual submission to the Secretary of HHS within 60 days of the end of each calendar year, for breaches occurring the previous year. An online form for each breach must be completed at

Breach Notification Rule

- Breaches affecting deceased patients require notice to next of kin.
- Individual notice must be given by first class mail within 60 days of the discovered breach, unless the individual has agreed to electronic notification.
- Notices must describe what occurred, details of the unsecured, breached PHI, steps to mitigate harm, and the covered entity's response.
- If there are 10+ individuals without current contact information, the covered entity must provide notice on its website for 90 days, or publish it in major print or broadcast media, and maintain a toll-free phone number for 90 days so that individuals can learn if their PHI was involved in the breach.

Investigation and Resolution of Violations

- HHS will investigate a possible violation if a preliminary review of the facts available from a complaint or compliance review indicates the possibility of Willful Neglect.
- The investigation may proceed directly to an enforcement action, particularly in the case of willful neglect.
- Absent indications of willful neglect, HHS will seek the entity's compliance through informal, voluntary action in appropriate cases.

Investigation and Resolution of Violations

Violations due to reasonable cause:

- Covers many common violations by otherwise generally compliant covered entities, such as those that occur due to human error, despite training and appropriate policies.
- The Final Rule modifies the definition of Reasonable Cause to specify the state of mind.
- Reasonable cause covers violations where the entity exercised ordinary business care and prudence to comply with the provision that was violated.
- Reasonable cause lacks conscious intent or reckless indifference.

Risk Assessment

Low probability is evaluated using, at least, the following factors:

- The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification
- The unauthorized person who used the PHI or to whom the disclosure was made
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated

Risk Assessment

The Final Rule includes the following as factors in determining the amount of a civil monetary penalty:

- The number of affected individuals
- The time period during which the violation occurred
- The nature and extent of the harm resulting from the violation, including but not limited to:
  - Whether the violation caused physical harm
  - Whether the violation resulted in financial harm
  - Whether the violation resulted in harm to an individual's reputation*
  - Whether the violation hindered an individual's ability to obtain healthcare

* Points to the need to keep patient information off of social networking sites

Audit Program

- HIPAA enforcement totals from 2011 and 2012 exceeded $10.8 million in fines.
- The new director of the OCR has said that audits will become a permanent and robust program.
- HIPAA will use money collected from fines to further enforcement activities, including audits.
- Covered entities need to prepare for audits, enforcement, and costly fines for non-compliance.

Audit Program

Audit reviews are expected to include:

- Privacy and Security Compliance Policies
- Plans for complying with Breach Notification Rule
- Documentation of staff training
- Documentation of internal audits to identify operations vulnerabilities / Risk analysis

AUDITS

- Update Privacy and Security Policies and Procedures, Business Agreements
- Staff Training
- Up-to-date and thorough Privacy Gap Analysis/Security Risk Analysis
- Address threats and vulnerabilities annually
- Document
- Identify areas where additional training is needed

RESOURCES

- HIPAA Audit Program Protocol: Compare your compliance program against identified Security, Privacy, and Breach elements.
- The National Institute of Standards and Technology
- HHS provides a Privacy & Security Framework Tool as a baseline to developing a compliance plan.
- HIPAA Security Rule Guidance yruleguidance.html
- Compliance with mobile devices
- HIPAA Omnibus Final Rule Resource Center


COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T Compliance Program why? Ensure ongoing education

More information

ARE YOU HIP WITH HIPAA?

ARE YOU HIP WITH HIPAA? ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined

More information

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES

HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

HIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD

HIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD HIPAA Redux 2013 Presented by: Kim Cavitt, AuD Moderated by: Carolyn Smaka, Au.D., Editor-in-Chief, AudiologyOnline Expert e-seminar TECHNICAL SUPPORT Need technical support during event? Please contact

More information

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners

2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners 2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and

More information

HIPAA: Impact on Corporate Compliance

HIPAA: Impact on Corporate Compliance HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal

More information

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13

North Shore LIJ Health System, Inc. Facility Name. CATEGORY: Effective Date: 8/15/13 North Shore LIJ Health System, Inc. Facility Name POLICY TITLE: HIPAA Marketing and Sale of Protected Health Information Policy ADMINISTRATIVE POLICY AND PROCEDURE MANUAL POLICY #: 800.43 System Approval

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF

CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Update 2-17-2016 CROOK COUNTY RECORD OF CHANGES 2 TABLE OF CONTENTS Introduction HIPAA

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

GUIDE TO PATIENT PRIVACY AND SECURITY RULES

GUIDE TO PATIENT PRIVACY AND SECURITY RULES AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist

More information

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors

CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS )

More information

New HIPAA-HITECH Proposed Regulations Issued

New HIPAA-HITECH Proposed Regulations Issued July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions

More information

The Audits are coming!

The Audits are coming! HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been

More information

Management Alert Final HIPAA Regulations Issued

Management Alert Final HIPAA Regulations Issued Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,

More information

BREACH NOTIFICATION POLICY

BREACH NOTIFICATION POLICY PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities

More information

HIPAA & The Medical Practice

HIPAA & The Medical Practice HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,

More information

Fifth National HIPAA Summit West

Fifth National HIPAA Summit West Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for

More information

Changes to HIPAA Privacy and Security Rules

Changes to HIPAA Privacy and Security Rules Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN

More information

AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015)

AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015) AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015) THIS AGREEMENT made the day of, 20, by and between HOSPICE OF MARION COUNTY, INC., a Florida

More information

HIPAA Privacy & Security. Transportation Providers 2017

HIPAA Privacy & Security. Transportation Providers 2017 HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information

More information

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules

Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.

More information

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy

Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Regenstrief Center for Healthcare Engineering HIPAA Compliance Policy Revised December 6, 2017 Table of Contents Statement of Policy 3 Reason for Policy 3 HIPAA Liaison 3 Individuals and Entities Affected

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies

Texas Tech University Health Sciences Center El Paso HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 References: http://www.hhs.gov/ocr/hipaa TTUHSC El Paso HIPAA website: http://elpaso.ttuhsc.edu/hipaa/ Policy Statement

More information

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation

Conduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its long-awaited Omnibus Rule 2 implementing regulations required by the HITECH Act

More information

Health Law Diagnosis

Health Law Diagnosis February Page 1 of 2013 11 Health Law Diagnosis HHS Releases Final HITECH Omnibus Rule After waiting over two years from the publication of the Notice of Proposed Rulemaking to implement provisions of

More information

"HIPAA RULES AND COMPLIANCE"

HIPAA RULES AND COMPLIANCE PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS

More information

Effective Date: 08/2013

Effective Date: 08/2013 POLICY/GUIDELINE TITLE: HIPAA Marketing and Sale of Protected Health Information Policy POLICY #: 800.43 System Approval Date: 5/18/18 Site Implementation Date: 6/17/18 Prepared by: ADMINISTRATIVE POLICY

More information

AROC 2015 HIPAA PRIVACY AND SECURITY RULES

AROC 2015 HIPAA PRIVACY AND SECURITY RULES AROC 2015 HIPAA PRIVACY AND SECURITY RULES Presented by: Robert A. Paster, Esq. Brach Eichler L.L.C. 101 Eisenhower Parkway Roseland, NJ 07068 973-403-3144 rpaster@bracheichler.com www.bracheichler.com

More information

HIPAA Privacy Overview

HIPAA Privacy Overview HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview

More information

HIPAA Compliance Under the Magnifying Glass

HIPAA Compliance Under the Magnifying Glass HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information

More information

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC

OCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative

More information

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.

What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

Texas Tech University Health Sciences Center HIPAA Privacy Policies

Texas Tech University Health Sciences Center HIPAA Privacy Policies Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to

More information

It s as AWESOME as You Think It Is!

It s as AWESOME as You Think It Is! It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are

More information

HIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc.

HIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc. HIPAA 102a What You Don t Know About HIPAA Privacy and Security Can Really Hurt You! Revision 2015 Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) About Myself - Jack Kolk, CEO

More information

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017 HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability

More information

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule

HIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com

More information

AFTER THE OMNIBUS RULE

AFTER THE OMNIBUS RULE AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member

More information

Effective Date: 4/3/17

Effective Date: 4/3/17 HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)

More information

HIPAA Omnibus Final Rule and Research

HIPAA Omnibus Final Rule and Research Office of the Secretary Office for Civil Rights () HIPAA Omnibus Final Rule and Research Federal Demonstration Partnership September 17, 2013 Christina Heide, JD Senior Health Information Privacy Policy

More information

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA

COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Recommended by ISP Committee of CSS on October 22 nd, 2014 Amended

More information

UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1

UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1 UAMS ADMINISTRATIVE GUIDE NUMBER: 2.1.12 DATE: 04/01/2003 REVISION: 3/1/2004; 12/28/2010; 01/02/2013 PAGE: 1 of 18 SECTION: HIPAA AREA: HIPAA PRIVACY/SECURITY POLICIES SUBJECT: HIPAA RESEARCH POLICY PURPOSE

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

Highlights of the Final Omnibus HIPAA Rule

Highlights of the Final Omnibus HIPAA Rule Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

Limited Data Set Data Use Agreement For Research

Limited Data Set Data Use Agreement For Research Limited Data Set Data Use Agreement For Research This Data Use Agreement is dated,, and is between the ( Recipient ) and University of Miami, ( Covered Entity ). This Data Use Agreement is made in accordance

More information

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights

HIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement

More information

LEGAL ISSUES IN HEALTH IT SECURITY

LEGAL ISSUES IN HEALTH IT SECURITY LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson

More information

HIPAA, Privacy, and Security Oh My!

HIPAA, Privacy, and Security Oh My! 2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able

More information

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES

THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES THE CITY AND COUNTY OF SAN FRANCISCO SECTION 125 CAFETERIA PLAN HIPAA PRIVACY POLICIES & PROCEDURES Effective: November 8, 2012 Terms used, but not otherwise defined, in this Policy and Procedure have

More information

HIPAA Privacy & Security Considerations Student Orientation

HIPAA Privacy & Security Considerations Student Orientation Health Insurance Portability and Accountability Act (HIPAA) HIPAA Privacy & Security Considerations Student Orientation The information in this presentation is designed to provide an overview of the HIPAA

More information

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS

OVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020

More information

Human Research Protection Program (HRPP) HIPAA and Research at Brown

Human Research Protection Program (HRPP) HIPAA and Research at Brown Human Research Protection Program (HRPP) and Research at Brown Version Date: 12/03/2018 I. and Research at Brown A. The Health Insurance Portability and Accountability Act of 1996 () and its regulations,

More information

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities

HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com

More information

"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA

HIPAA FOR LAW FIRMS WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA "HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

NO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES

NO , Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES CFOP 60-17, Chapter 7 STATE OF FLORIDA DEPARTMENT OF CF OPERATING PROCEDURE CHILDREN AND FAMILIES NO. 60-17, Chapter 7 TALLAHASSEE, January 6, 2014 HIPAA BREACH NOTIFICATION PROCEDURES 7-1. Purpose. This

More information

1 Security 101 for Covered Entities

1 Security 101 for Covered Entities HIPAA SERIES Topics 1. 101 for Covered Entities 2. Standards - Administrative Safeguards 3. Standards - Physical Safeguards 4. Standards - Technical Safeguards 5. Standards - Organizational, Policies &

More information

HIPAA OMNIBUS FINAL RULE

HIPAA OMNIBUS FINAL RULE HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on

More information

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure

The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )

More information

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.

HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure

More information

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.

New. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below. Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy

More information

AMA Practice Management Center, What you need to know about the new health privacy and security requirements

AMA Practice Management Center, What you need to know about the new health privacy and security requirements 1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.

More information

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE

SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE This newsletter summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health

More information

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!

Coping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013! Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,

More information

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform

Preparing for a HIPAA Audit & Hot Topics in Health Care Reform Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,

More information

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule

Breach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance

More information

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants

More information

HIPAA Basic Training for Health & Welfare Plan Administrators

HIPAA Basic Training for Health & Welfare Plan Administrators 2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information

HTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017

HTKT.book Page 1 Monday, July 13, :59 PM HIPAA Tool Kit 2017 HIPAA Tool Kit 2017 Contents Introduction...1 About This Manual... 1 A Word About Covered Entities... 1 A Brief Refresher Course on HIPAA... 2 A Brief Update on HIPAA... 2 Progress Report... 4 Ongoing

More information