ICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg


1 ICAHN Presentation Final Omnibus Rule and Security Risk Analysis July 26, 2013 David Ginsberg

2 PrivaPlan Associates, Inc. PrivaPlan Associates, Inc. is the leading authority in HIPAA Privacy and Security Compliance. Offering a wide array of products and services including guidance on: HIPAA Privacy and HIPAA Security, HIPAA Training, Meaningful Use Consultation, Security Risk Assessments and much more! PrivaPlan Associates also provides a variety of convenient, customized education, training and consulting services on numerous aspects of HIPAA compliance. These can be delivered as workshops, consultative seminars, audioconferences, teleseminars or webinars. We also provide compliance consulting and audit services. David Ginsberg is co-founder and President of PrivaPlan Associates, Inc. He has more than 25 years of experience in the healthcare industry. His prior experience includes serving as co-founder and Executive Director of the Colorado Physician Network, a statewide network of 2,500 physicians that provided a physician managed collaboration with a regional HMO.

3 Agenda
- The HIPAA Omnibus Rule: a high-level overview
- Effective dates
- Specific provisions and changes for CAHs
- Special focus on breach notification
- Security Risk Analysis and Meaningful Use

4 Why this seminar?
On January 25th the Omnibus Rule was released. The full title is: 45 CFR Parts 160 and 164, Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.

5 Why this seminar?
These modifications pertain to four different areas of HIPAA:
- The Privacy Rule
- The Security Rule
- The Enforcement Rule
- The Breach Notification Rule

6 Back to the Basics: context for today
HIPAA covers these primary compliance areas:
- Privacy
- Security
- Administrative Simplification: Transactions and Code Sets
- With the 2009 ARRA/HITECH Acts: Breach Notification
- Enforcement regulations for the above

7 ARRA and HIPAA
- The American Recovery and Reinvestment Act of 2009 (ARRA) privacy and security provisions are part of the Health Information Technology for Economic and Clinical Health Act (HITECH Act) within ARRA
- These pertain to the overall initiative to promote adoption and use of electronic health records and health information technology
- These recognize the vulnerabilities created by adoption of EHR and HIT, and especially by the promotion of personal health records and health information exchanges

8 HITECH Privacy and Security: Key Provisions
- Breach Notification Rule
- Business Associates: expansion of applicability
- New Enforcement Rules
- Accounting of Disclosures
- Access and restriction rights
- Limited Data Set / Minimum Necessary
- Marketing and fundraising restrictions
- PHRs

9 Omnibus Rule
- The Omnibus Rule provided modifications to all of these areas except for Personal Health Records (PHRs are to some extent governed under HIPAA Privacy already, and vendors of PHR systems are governed under Federal Trade Commission law in the event of a breach of unsecured information)
- Accounting of Disclosures: a final rule will be issued later on this
- The Omnibus Rule also added or expanded on compliance areas

10 Specific rulemaking already released
- Privacy Rule: April 16, 2003
- Security Rule: April 20, 2005
- Transactions and Code Set Rule: October 2003
- Breach Notification Rule: August 2009; effective September 23, 2009, with enforcement effective as of February 22, 2010 as the Interim Final Rule
- Enforcement Penalty Changes: IFR November 30, 2009
It took from 2010 until now for the Office for Civil Rights within HHS to release the final Breach Notification Rule, which is one of the four major rule changes within the recently released Omnibus Rule.

11 Compliance timelines
- Omnibus changes are in effect as of March 26, 2013; however, in most cases there is a 180-day implementation period
- During the 180-day period before compliance with this final rule is required (September 23, 2013), covered entities and business associates are still required to comply with the requirements of the interim final rule (Breach Notification) and other existing requirements!

12 Changes - Special Privacy Protections
Disclosures to health plans: at the patient's request, HIPAA covered entities may not disclose information about care the patient has paid for out-of-pocket to health plans, unless for treatment purposes or in the rare event the disclosure is required by law. This change updates the previous HIPAA Privacy Rule individual rights to special privacy protections.

13 Changes - Special Privacy Protections
- Previously, HIPAA covered entities could refuse a request for restrictions on use and disclosure of PHI. The new law requires restrictions when the patient has paid out-of-pocket and requests the restriction
- This change is likely to have the greatest impact on your center's workflow, both in terms of documentation and follow-up to ensure the restriction is adhered to

14 Changes - Special Privacy Protections
For example:
- How should you document the request?
- What happens if the payment made is rescinded?
- What about downstream releases to HIEs or other providers?
- CAHs: remember the restricted information could live in multiple systems (revenue cycle, EHR and so forth)

15 Changes - Immunization data
Childhood immunizations: under the new rules, physicians may disclose immunizations to schools required to obtain proof of immunization prior to admitting the student, so long as the physicians have and document the patient's or patient's legal representative's informal agreement to the disclosure. The release cannot be to the school at their request only; an affirmative request from the parent/guardian/patient is still necessary.
Copyright PrivaPlan Associates, Inc. 2013

16 Changes - Immunization data
- The change is primarily to reduce the burden of documentation for such routine releases
- There is still a need to ensure that the release is per State or other law; otherwise revert to the use of a written authorization!
- And there is a stated requirement to document the agreement to release immunization information

17 Changes - Access and Copies
Decedents: the new rules allow covered entities to make disclosures to the deceased's family and friends under essentially the same circumstances such disclosures were permitted when the patient was alive, that is, when these individuals were involved in providing care or payment for care and the physician is unaware of any expressed preference to the contrary. The new rule also eliminates any HIPAA protection for PHI 50 years after a patient's death.

18 Changes - Access and Copies
Copies of ePHI: under HIPAA, covered entities will now have only 30 days to respond to a patient's written request for his or her PHI, with one 30-day extension (compared to the current allowance under HIPAA of one 60-day extension), regardless of where the records are kept. They must provide access to EHR records in the electronic form and format requested by the individual if the records are readily reproducible in that format.

19 Changes - Access and Copies
- Otherwise you must provide the records in another mutually agreeable electronic format. Hard copies are permitted only when the individual rejects all readily reproducible e-formats
- Organizations must also consider transmission security, and may send PHI in unencrypted e-mails only if the requesting individual is advised of the risk and still requests that form of transmission.

20 Changes - Access and Copies
- The allowance to use e-mail to transmit electronic copies has many associated workflow issues
- This pertains to "PHI that is the subject of the request maintained electronically in one or more electronic designated record sets", NOT JUST EHR records! But it is relevant for CEs who use an EHR
- How will you document advisement of risk? Requests should always be handled in writing and signed by the patient/personal representative

21 Changes - Access and Copies
"We clarify that covered entities are permitted to send individuals unencrypted e-mails if they have advised the individual of the risk, and the individual still prefers the unencrypted e-mail. If individuals are notified of the risks and still prefer unencrypted e-mail, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual."

22 Changes - Access and Copies
- Does this open the door for e-mailing PHI? Definitely NOT; just in this situation
- Other e-mailing should still be done in a secured fashion
- We believe the risk is too great to assume a blanket "e-mail of PHI" program without using secured e-mail, and better yet patient portals (since you will have a Stage 2 MU benefit)
- Remember the risk is less about interception and more about sending to the wrong party!

23 Changes - Access and Copies
Charging for copies of ePHI or PHI: the new rule modifies the section relative to the costs that may be charged to the individual for copy requests, limiting the cost to labor costs and supply costs if the patient requests a paper copy, or, if electronic, the cost of any portable media (such as a USB memory stick or a CD). Labor can include the skilled time to create and copy the file, at a reasonable cost-based rate.

24 Changes - Access and Copies
- Be sure to update your Designated Record Set definition
- Most CAHs and RHCs will have more than just EHR data in an electronic designated record set: imaging, lab, pharmacy (340B or other)

25 Changes - Minimum necessary
- Minimum necessary is reiterated to include or apply to business associates
- However, we encourage all participants to review their minimum necessary procedures and practices and ensure these are in place
- We also encourage all participants to update their designated record set definitions, especially in light of current or anticipated use of EHRs

26 Changes - Sale of PHI
- The new rules clarify that the prohibition on the sale of PHI in the absence of the patient's written authorization extends to licenses or lease agreements, and to the receipt of financial or in-kind benefits
- It also includes disclosures in conjunction with research if the remuneration received includes any profit margin

27 Changes - Sale of PHI
The prohibition on PHI sales does not extend to permitted disclosures for payment or treatment, nor to permitted disclosures to patients or their designees in exchange for a reasonable cost-based fee.

28 Changes - Marketing
Marketing communications: the new rules further limit the circumstances when HIPAA covered entities may provide marketing communications to their patients in the absence of the patient's written authorization. Generally speaking, the only time a physician may tell a patient about a third party's product or service without the patient's authorization is when 1) the covered entity receives no compensation for the communication;

29 Changes - Marketing
2) the communication involves a drug or biologic the patient is currently being prescribed and the payment is limited to reasonable reimbursement of the costs of the communication (no profit); 3) the communication involves general health promotion, like routine diagnostic tests; or 4) the communication involves government or government-sponsored programs.

30 Changes - Fundraising
- This is applicable to those HIPAA covered entities in organizations that conduct fundraising, such as CAHs
- New requirements for language in the Notice of Privacy Practices to disclose that fundraising activities take place and PHI may be used for these purposes

31 Fundraising NPP requirements
"A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by (b)(1)(iii)(A) is included in the covered entity's notice of privacy practices."

32 Changes - Fundraising
- With each fundraising communication to a patient, HIPAA covered entities must give clear and conspicuous information about how to opt out of future fundraising communications
- If an opt-out is exercised it must be followed going forward
- A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.

33 Fundraising
- Treatment may not be conditioned on the authorization to receive fundraising communications
- The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.

34 Changes - Fundraising communication with BAs
"Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of :"

35 Fundraising information to disclose
(i) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
(ii) Dates of health care provided to an individual;
(iii) Department of service information;
(iv) Treating physician;
(v) Outcome information; and
(vi) Health insurance status.

36 Changes - Authorizations
Research authorizations: the new rules permit HIPAA covered entities to combine conditioned and unconditioned authorizations for research participation, provided individuals can opt in to the unconditioned research activity. Moreover, these authorizations may encompass future research.

37 Changes - Notice of Privacy Practices
- HIPAA covered entities must amend their NPPs to reflect the changes set forth above, including those related to breach notification, disclosures to health plans, and marketing and sale of PHI
- As the rules presume these are all material changes, HIPAA covered entities will have to post the revised NPP, and make copies available at their office, to all new patients and to anyone else on request.

38 Changes - Notice of Privacy Practices
- HIPAA covered entities who maintain a website are cautioned to post the updated NPP on their website, as required by the existing HIPAA Privacy Rule
- The new rules also eliminate requirements to include information on communications concerning appointment reminders, treatment alternatives or health-related benefits or services in NPPs, but the rules do not require that that information be removed either

40 Changes - Notice of Privacy Practices
Consider using the new PrivaPlan NPP template in both English and Spanish.

41 Changes - Business Associates
The new rules expand the universe of individuals and companies which must be treated as business associates to include Patient Safety Organizations and others involved in patient safety activities, health information organizations like e-prescribing gateways or health information exchanges that transmit and maintain PHI, and personal health record vendors that HIPAA covered entities sponsor for their patients.

42 Changes - Business Associates
- Thus, HIPAA covered entities must review their relationships and determine if they must enter new BA agreements with these entities or others that create, receive, store, maintain or transmit PHI on their behalf
- A new definition is created for business associates: subcontractors
- HIPAA covered entities are not responsible for the actions of a BA subcontractor; the BA is!
- HIPAA covered entities are still liable for the BA's conduct

43 Changes - Business Associates
- The new emphasis on "maintains" in the definition
- This gives rise to clarification regarding conduits vs. storage companies
- The analysis turns on the nature of the access: transient (as in a conduit) or persistent (as in a storage company)
- The preamble clearly states that "a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis"

44 Changes - Business Associates
What does this mean?
- Document storage companies are clearly business associates
- As are data storage companies or data hosts such as: a cloud-based backup company; a commercial data center used either as an offsite backup firm or actually hosting your EHR!

45 Changes - Business Associates
- BA agreements will change! If you are using the PrivaPlan BAA template the impact is modest
- HIPAA covered entities have until September 23, 2014 to bring all their BA agreements into conformance with the new rules.
- BA agreements that have not been renewed or modified between March 26, 2013 and September 23, 2013 will be deemed compliant until the date the BA agreement is renewed or modified, or until September 22, 2014, whichever is earlier

46 The Breach Notification Rule: IFR compliance
- Requirements are similar to existing State identity theft laws
- When this was drafted by HHS the intent was to harmonize with the many State laws
- Key concepts: breach of unsecured data and notification requirements
- The HITECH Act provides specific guidance for handling notification in case of a breach of unsecured PHI that has been or is reasonably believed to have been: accessed, acquired, disclosed

47 Breach Notification continued
- HITECH and the Breach Rule introduce the term "unsecured PHI", where most State law describes this as "unencrypted computerized personal information"; HITECH maintains the integrity of the definition of PHI
- The Rule supports the principle of "unsecured" as relating to unencrypted data
- It provides guidance on how to render PHI unusable, unreadable, or indecipherable to unauthorized individuals. This also incorporates a reference to NIST guidelines

48 Breach Notification continued
- HITECH notes data is vulnerable in multiple states, such as: data in motion, data at rest, data in use, data disposed
- Thus the Breach Notification Rule improves on the HIPAA Security Rule by specifying these data states

49 Breach Notification continued
- The Rule states encryption and destruction are sufficient to secure PHI
- MOST IMPORTANTLY, the Rule APPLIES TO PAPER FORMS OF PHI!!!! That is, paper PHI can be breached if it is discarded and not properly destroyed
- The NIST guidelines reference use of cross-cut shredding or similar ways to render a very small particle size (1x5 mm, or 3/32 inch security screen)

50 Breach Notification continued
- Discovery begins on the first day on which the breach is known, either by you or by your business associate!
- You are now required to notify individuals of any security breaches promptly and without delay, and within 60 calendar days of discovery
- You bear the burden of proof that notification was completed
- This means detailed procedures for notification and good documentation when notification is done

51 Breach Notification continued
Required methods of notification include:
- Written notification (first-class mail, or e-mail if that is the individual's stated preference)
- If there is insufficient contact information to provide written notification and >10 individuals are affected, then substitute notice: a conspicuous posting on your company website, or some form of notice in major print media
- Immediately notify the Secretary, Health and Human Services if more than 500 individuals are affected
- If fewer than 500 individuals are affected you can submit an annual log to the Secretary

52 Breach Notification continued
- DHHS will post breach information on their website; of course this could have a major effect on reputation
- Entities must provide a notice to prominent media outlets within a State or jurisdiction if the breach affects more than 500 residents of such State or jurisdiction
- This could mean multiple notices being posted!
- Again, the breach notification provision requires detailed procedures!
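The notification duties in slides 50 to 52 (the 60-calendar-day ceiling, substitute notice when more than 10 people cannot be reached in writing, immediate HHS notice above 500, per-state media notice above 500 residents) and the presumption of breach described later on slide 60 can be captured as a small decision function that an incident response team runs against the facts gathered during the investigation. The following is an added example, not PrivaPlan's or HHS's tooling; the `BreachFacts` record, the output layout and the sample breaches are this example's own constructions, and the thresholds are taken exactly as the presentation states them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class BreachFacts:
    """Facts gathered during the breach investigation (field names are this example's own)."""
    discovered_on: str                 # ISO date: first day the breach is known to you or your BA
    individuals_affected: int
    without_contact_info: int = 0      # individuals you cannot reach with written notice
    residents_by_state: dict = field(default_factory=dict)   # state -> affected residents
    low_probability_demonstrated: bool = False   # outcome of the four-factor risk assessment


def notification_obligations(facts: BreachFacts) -> dict:
    """Map breach facts to notification duties.

    Thresholds (>10 without contact info, >500 for HHS and media) and the
    60-calendar-day outer limit are taken as stated in the presentation;
    confirm the exact boundary (e.g. exactly 500) against the regulation text.
    """
    # Presumption of breach: notification is required unless the entity
    # demonstrates a low probability that the PHI has been compromised.
    if facts.low_probability_demonstrated:
        return {
            "notify": False,
            "document": "retain the risk assessment that shows low probability of compromise",
        }

    discovered = date.fromisoformat(facts.discovered_on)
    # "Without delay" is the standard; 60 calendar days from discovery is the ceiling.
    deadline = discovered + timedelta(days=60)

    return {
        "notify": True,
        "individual_notice": "written notice by first-class mail",
        "individual_notice_deadline": deadline.isoformat(),
        # Substitute notice (web posting or major print media) when more than
        # 10 affected individuals cannot be reached in writing.
        "substitute_notice": facts.without_contact_info > 10,
        # HHS: immediately when more than 500 are affected, otherwise an annual log.
        "hhs": "immediate" if facts.individuals_affected > 500 else "annual_log",
        # Media notice is per state or jurisdiction, so one breach can trigger several.
        "media_notice_states": sorted(
            state for state, n in facts.residents_by_state.items() if n > 500
        ),
        # You bear the burden of proof that notification was completed.
        "document": "keep dated proof of every notice sent, plus the investigation record",
    }


# Constructed sample: a lost backup tape affecting 1,200 patients in two states.
SAMPLE_LARGE = BreachFacts(
    discovered_on="2013-07-26",
    individuals_affected=1200,
    without_contact_info=15,
    residents_by_state={"CO": 900, "NM": 300},
)

# Constructed sample: a misdirected fax, 20 patients, recipient confirmed destruction,
# and the four-factor assessment concluded a low probability of compromise.
SAMPLE_SMALL = BreachFacts(
    discovered_on="2013-07-26",
    individuals_affected=20,
    low_probability_demonstrated=True,
)

if __name__ == "__main__":
    for label, facts in (("large", SAMPLE_LARGE), ("small", SAMPLE_SMALL)):
        print(label, notification_obligations(facts))
```

The function deliberately returns a record rather than sending anything: the presentation's point is that the entity bears the burden of proof, so the output is meant to be attached to the incident file alongside the dated evidence that each notice went out.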

53 Breach - prevention is worth
- We believe it is safer to encrypt data in the first place and thus prevent the costly notification requirement
- When it comes to HIT and EHRs beware: not all vendor systems sufficiently support encryption!
- Inventory your shredders and shredding procedures
- This is a good time to do another PHI inventory and use/disclosure flow diagram, so you can also identify areas of vulnerability and remediate those

54 Handling a Breach: Practical Steps
- If you suspect a breach you must act quickly
- There are a number of investigative steps to take to determine if the incident is actually a breach. There are some initial steps:
- Determining if a breach of unsecured PHI occurred; this includes establishing a) a breach occurred and b) the data breached was unsecured PHI
- If a breach occurred, was it to an excepted party or circumstance? For example, an unintentional acquisition by a member of your workforce.

55 Breach Notification continued
- If the breach was not to an excepted party, conducting a risk assessment to determine if the use or disclosure compromises the security or privacy of PHI, if a violation of the HIPAA Privacy Rule occurred, and if the breach poses significant risk of financial, reputational, or other harm to the individual

56 Breach Notification continued
- Who made the impermissible use, or to whom was the PHI impermissibly disclosed?
- Did the covered entity take immediate steps to mitigate an impermissible use or disclosure?
- Was the impermissibly disclosed PHI returned prior to access for an improper purpose?
- What type and how much PHI was involved?

57 Omnibus changes
- FINAL RULE AMENDS THE DEFINITION OF BREACH AT 45 CFR
- KEY CONCEPT: HARM IS REPLACED BY THE CONCEPT OF THE RISK THAT PHI WAS COMPROMISED
- "...we have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised."

58 Omnibus changes: Risk Assessment
(1) The nature and extent of PHI involved;
(2) The unauthorized person who used the PHI or to whom the disclosure was made;
(3) Whether PHI was actually acquired or viewed; and
(4) The extent to which the risk to PHI has been mitigated (e.g., assurances from trusted third parties that the information was destroyed).

59 Omnibus changes: Risk Assessment
- HHS includes not just unauthorized access to PHI, but also impermissible uses by knowledgeable insiders, as a breach requiring an assessment.
- Breach is not limited to electronic personal information, as in some identity theft laws, but pertains to any PHI

60 Omnibus changes: Risk Assessment
- "An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised"
- "Breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised (or one of the other exceptions to the definition of breach applies)."

61 Omnibus changes: Risk Assessment
- Thus, breach notification is not required under the final rule if a covered entity or business associate, as applicable, demonstrates through a risk assessment that there is a low probability that the protected health information has been compromised, rather than demonstrating that there is no significant risk of harm to the individual as was provided under the interim final rule.
- Or, if a covered entity simply notifies the individual and HHS without conducting a risk analysis

62 Omnibus changes: Risk Assessment
"The statute acknowledges, by including a specific definition of breach and identifying exceptions to this definition, as well as by providing that an unauthorized acquisition, access, use, or disclosure of protected health information must compromise the security or privacy of such information to be a breach, that there are several situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification."

63 Omnibus changes: Risk Assessment
The preamble even gives a common example: "For example, if a covered entity misdirects a fax containing protected health information to the wrong physician practice, and upon receipt, the receiving physician calls the covered entity to say he has received the fax in error and has destroyed it, the covered entity may be able to demonstrate after performing a risk assessment that there is a low risk that the protected health information has been compromised."

64 Omnibus changes: Risk Assessment
"As a result, instead of assessing the risk of harm to the individual, covered entities and business associates must assess the probability that the protected health information has been compromised based on a risk assessment that considers at least the following factors: (1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification; (2) the unauthorized person who used the protected health information or to whom the disclosure was made;

65 Omnibus changes: Risk Assessment
(3) whether the protected health information was actually acquired or viewed; and (4) the extent to which the risk to the protected health information has been mitigated."

66 Omnibus changes: Risk Assessment
Preamble states: "As we have modified and incorporated the factors that must be considered when performing a risk assessment into the regulatory text, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors."

67 Omnibus changes: Risk Assessment
"If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required. We do note, however, that a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment."

68 Omnibus changes - Notification
"In response to those commenters who urged that we allow breach notices to be provided orally or via telephone to individuals receiving highly confidential treatment services where the individual has requested to receive communications in such a manner, we note that the HITECH Act specifically refers to written notice to be provided to individuals."

69 Omnibus changes - Notification
"In the limited circumstances in which an individual has agreed only to receive communications from a covered health care provider orally or by telephone, the provider is permitted under the Rule to telephone the individual to request and have the individual pick up their written breach notice from the provider directly."

70 Omnibus changes - Notification
"In cases in which the individual does not agree or wish to travel to the provider to pick up the written breach notice, the health care provider should provide all of the information in the breach notice over the phone to the individual, document that it has done so, and the Department will exercise enforcement discretion in such cases with respect to the written notice requirement."
Document the affirmative request of the patient!

71 MU

72 Deep Dive into the 15th Core Objective
Conduct or review a security risk analysis per 45 CFR (a)(1)
What does the Security Rule say? "Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."

73 Deep Dive
- This is a component of a broader regulatory standard known as risk management
- The concept of CIA (confidentiality, integrity, availability) is well established in the information security world
- In developing the HIPAA Security Rule, and specifically the risk analysis requirement, HHS relied upon guidance from organizations well versed in information security, such as NIST

74 HIPAA Security Risk Analysis
It is NOT a checklist!
- How do you conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the covered entity?
- There are steps that are defined by CMS, NIST and others
- These have been incorporated and made simple in PrivaPlan

75 Details of a Risk Analysis
It entails a formal review of risks to ePHI and your information security:
- ePHI inventory and network or system characterization
- Review of controls or safeguards
- Review of threats and vulnerabilities, including prior incidents
- Criticality analysis
- Review of policies and procedures
- Review of likelihood of threat exploitation
- Risk analysis

76 Details continued
Your control analysis or review spans administrative, physical and technical areas and the other components in the HIPAA Security Rule:
- Workforce clearance
- Access authorization
- Termination procedures: don't forget disabling web applications like eligibility portals!
- Contingency planning and disaster recovery
- Training
- Sanctions
- Incident reporting and response

77 Details continued
- Facility security
- Visitor access
- Emergency operations
- Maintenance
- Media and ePHI life cycle
- Paper disposal
- Business associate agreements
- Policies and procedures

78 Details continued
- Review of prior incidents
- Review of technical controls
- Encryption controls
- Integrity controls (malware, use of secure portals)
- How to establish impact? First by defining ePHI criticality, then review threats and vulnerabilities

79 EHR specific focus
- Roles and permissions: security settings
- Audit logs: A HUGE GAP!! CONSIDER TECHNOLOGY LIKE PRESINET
- Server location (even if you use a remote data center)
- Contingency and disaster recovery
- Periodic testing
- Specific MU areas like providing an electronic copy, patient summaries, patient reminders, patient access (portals), exchange of data

80 More on MU and the HIPAA SRA
The measure also states: "implement updates as necessary and correct identified security deficiencies as part of the risk management process"
What are updates? The results of a review of a prior HIPAA SRA, or an update to an SRA and/or updating the analysis

81 More on MU and the HIPAA SRA
Correcting identified security deficiencies as part of a risk management plan:
- Remember some of these may be Privacy/Security, such as posting the Notice of Privacy Practices or using an up-to-date Business Associate agreement
- Of course, emphasis is on correcting those deficiencies that the use of an EHR exposes your organization to
- But it also refers to other security deficiencies that are gaps in compliance with the Security Rule

82 More on MU
What has to occur prior to attestation?
- Certainly, conducting or reviewing a HIPAA SRA
- Identifying security deficiencies, especially high-risk, high-likelihood risks
- Correcting those deficiencies can be done as part of a risk management plan, based on your assessment of risk and incorporating flexibility of approach

83 HIPAA Security Risk Analysis
- A follow-up audit would expect a formal report to be on hand to prove you have done the risk analysis, and to show that you are remediating or managing gaps and deficiencies
- If you attest without doing the work, you will be risking fraud: being untruthful on your attestation documents and receiving federal funds

84 ONC Guidance
When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Providers participating in the EHR Incentive Program can be audited. If you attest prior to actually meeting the meaningful use security requirement, you could increase your business liability for federal law violations and making a false claim.
From this perspective, consider implementing multiple security measures as feasible, prior to attesting. The priority would be mitigating high-impact and high-likelihood risks.
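As an added example (not PrivaPlan's or ONC's tool, and not part of the deck), here is the risk-ranking logic of slides 78 through 84 carried into a small Python risk register: impact is taken from ePHI criticality, likelihood from the threat and vulnerability review, and unremediated high-impact, high-likelihood findings are flagged as items to fix before attesting. All assets, threats, scale values and statuses are constructed sample data.

```python
"""Risk register for a HIPAA Security Risk Analysis (SRA).

Added example, not PrivaPlan's or ONC's method. Impact is derived from
ePHI criticality and likelihood from the threat/vulnerability review;
the product ranks findings, and high-impact AND high-likelihood items
that are still open are reported as blockers to Meaningful Use
attestation. All sample data below is constructed.
"""
from dataclasses import dataclass

# Ordinal scales; a practitioner calibrates these to their own SRA method.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    asset: str            # system or store that holds ePHI
    criticality: str      # ePHI criticality of the asset: low / medium / high
    threat: str           # threat or vulnerability found in the review
    likelihood: str       # low / medium / high
    control_area: str     # Security Rule area: administrative / physical / technical
    status: str = "open"  # open / in-progress / remediated

    @property
    def impact(self) -> int:
        # Impact is defined by the criticality of the ePHI at risk.
        return LEVELS[self.criticality]

    @property
    def score(self) -> int:
        return self.impact * LEVELS[self.likelihood]

    @property
    def must_fix_before_attestation(self) -> bool:
        # Priority per the guidance quoted above: high-impact and high-likelihood.
        return (self.status != "remediated"
                and self.impact == 3 and LEVELS[self.likelihood] == 3)


def rank(findings):
    """Highest risk first; ties broken by asset name for a stable report."""
    return sorted(findings, key=lambda f: (-f.score, f.asset))


def attestation_blockers(findings):
    """Open findings that should be remediated before attesting."""
    return [f for f in findings if f.must_fix_before_attestation]


def remediate(findings, asset, threat):
    """Record remediation in the risk management plan; returns the finding."""
    for f in findings:
        if f.asset == asset and f.threat == threat:
            f.status = "remediated"
            return f
    raise KeyError(f"no finding for {asset}: {threat}")


def report(findings):
    """Lines of the formal SRA report an auditor would ask to see."""
    lines = []
    for f in rank(findings):
        flag = " ** remediate before attesting" if f.must_fix_before_attestation else ""
        lines.append(f"{f.score:>2} {f.asset} / {f.threat} "
                     f"[{f.control_area}] status={f.status}{flag}")
    return lines


# Constructed sample findings drawn from the control areas on the slides.
SAMPLE = [
    Finding("EHR database server", "high", "audit logs not reviewed", "high", "technical"),
    Finding("Eligibility web portal", "medium", "terminated staff accounts not disabled",
            "high", "administrative"),
    Finding("Backup tapes", "high", "unencrypted media in transit", "medium", "physical"),
    Finding("Patient portal", "high", "no periodic contingency test", "low", "administrative"),
    Finding("Paper charts", "low", "disposal bin not locked", "medium", "physical"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
    print("blockers:", [f.asset for f in attestation_blockers(SAMPLE)])
```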

85 Notes and updates
- The final HIPAA Omnibus Rule doesn't change the Security Risk Analysis requirement
- However, recent OCR enforcement has reiterated the necessity of conducting a Security Risk Analysis and fined organizations (including a medical practice) for failing to do so!
- Our analysis of the risk analyses that many practices have done as part of their MU attestation? Be prepared for audit deficiencies!!
- OCR recognizes failure to conduct a RA or insufficient RAs as a common compliance gap

86 Enforcement
The new rules clarify the three penalty tiers as follows:
- Lowest tier: cases in which the physician did not and reasonably could not know of the breach
- Intermediate tier: cases in which the physician knew, or by exercising reasonable diligence would have known, of the violation, but the physician did not act with willful neglect
- Highest tier: cases in which the physician acted with willful neglect

87 Summary
What are your next steps?
- Updated or new Privacy, Security and Breach Notification policies and procedures (and in some cases new workflows and forms in the medical practice);
- Notice of Privacy Practices; and
- Business Associate Agreement revisions, in some cases analyzing if there are entities (such as an ePrescribing gateway or HIE) you need a BA with
- Workforce training

88 CSI:Medical/PrivaPlan Associates/PresiNET Offerings for ICAHN
- Model A - $15,500 - Full SRA, PHI Secure and online Toolkit
- Model B - $14,450 (total of $29,950 with Model A) - PresiNET Guardian Pro + Model A: Basic Network Surveillance
- Model C - $27,450 (total of $42,950 with Model A) - PresiNET Guardian Analytics + Model A: DICOM Analytics
CSI:Medical has remediation services to plug the holes on the IT side.
Call Jon Langfitt at CSI:Medical or e-mail him at jlangfitt@csinov.com to sign up or for more info.


HIPAA, Privacy, and Security Oh My! 2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able

More information

MEMORANDUM. Kirk J. Nahra, or

MEMORANDUM. Kirk J. Nahra, or MEMORANDUM TO: FROM: Interested Parties Kirk J. Nahra, 202.719.7335 or knahra@wileyrein.com DATE: January 28, 2013 RE: The HIPAA/HITECH Omnibus Regulation After almost four years, the Department of Health

More information

The Impact of the Stimulus Act on HIPAA Privacy and Security

The Impact of the Stimulus Act on HIPAA Privacy and Security The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American

More information

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies

Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health

More information

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

MEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know 1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013

More information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information

45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information 45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also

More information

HIPAA PRIVACY COMPLIANCE MANUAL DISCLAIMER

HIPAA PRIVACY COMPLIANCE MANUAL DISCLAIMER HIPAA PRIVACY COMPLIANCE MANUAL Format Note This document is in Word. Set the font at Times New Roman and the font size at 12 to have page numbers match the Table of Contents. DISCLAIMER This manual is

More information

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017

HIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017 HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability

More information

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off

HIPAA Enforcement Under the HITECH Act; The Gloves Come Off HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are

More information

Business Associate Agreement

Business Associate Agreement This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement

More information

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP

UNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates

More information

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report

O n Jan. 25, the Office for Civil Rights (OCR) of the. Privacy and Security Law Report Privacy and Security Law Report Reproduced with permission from Privacy & Security Law Report, 12 PVLR 168, 02/04/2013. Copyright 2013 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

More information

NOTIFICATION OF PRIVACY AND SECURITY BREACHES

NOTIFICATION OF PRIVACY AND SECURITY BREACHES NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally

More information

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE

HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to

More information

2016 Business Associate Workforce Member HIPAA Training Handbook

2016 Business Associate Workforce Member HIPAA Training Handbook 2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all

More information