AROC 2015 HIPAA PRIVACY AND SECURITY RULES


1 AROC 2015 HIPAA PRIVACY AND SECURITY RULES

2 Presented by: Robert A. Paster, Esq., Brach Eichler L.L.C., 101 Eisenhower Parkway, Roseland, NJ

3 PART I: BACKGROUND

4 Health Insurance Portability & Accountability Act
- Enacted by Congress and signed by Pres. Clinton in 1996
- Title I protects health insurance coverage for workers and their families when they change jobs
- Title II, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers

5 Health Insurance Portability & Accountability Act: Administrative Simplification Provisions
- Address privacy and security of health data
- Intended to improve the efficiency and effectiveness of our health care system by encouraging the widespread use of electronic data interchange

6 Key Dates
- 8/21/1996: HIPAA enacted into law
- 11/3/1999: HHS published Notice of Proposed Rulemaking for the Privacy Rule
- 12/28/2000: Privacy Final Rule published
- 8/14/2002: Final Modifications to the Privacy Rule published
- 2/20/2003: Security Standards published
- 4/14/2003: Privacy compliance deadline
- 4/21/2005: Security compliance deadline
- 2/17/2009: Health Information Technology for Economic and Clinical Health (HITECH) Act enacted; modified certain provisions of the SSA related to the HIPAA Rules
- 10/30/2009: Interim Final Rule published
- 1/25/2013: HIPAA Omnibus Rule published
- 9/23/2013: Compliance deadline for the HIPAA Omnibus Rule

7 APPLICABILITY & OVERVIEW
Privacy Rule
- Applies to Covered Entities; many, but not all, provisions apply to Business Associates
- Regulates the use and disclosure of Protected Health Information, or PHI, held by Covered Entities and their Business Associates
Security Rule
- Applies to Covered Entities and Business Associates
- Complements the Privacy Rule
- Requires administrative, physical and technical safeguards for electronic PHI, or e-PHI (PHI stored in electronic media or transmitted in electronic format)

8 HIPAA Covered Entities (CEs)
- Health Plans
- Health Care Clearinghouses
- Providers, if they engage in electronic transactions

9 HIPAA Business Associates (BAs)
Expanded definition under the Omnibus Rule: a person or entity that
- On behalf of a CE or of an organized health care arrangement (OHCA), other than in the capacity of a member of the CE's workforce, creates, receives, maintains, or transmits PHI for a function or activity regulated by the Privacy Rule, including claims processing or administration, data analysis, processing, or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management and repricing
- Provides, other than in the capacity of a member of the CE's workforce, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for the CE, or to an OHCA in which the CE participates

10 Business Associates Under the Omnibus Rule
Ask the question: Is the person or company the covered entity is engaging creating, receiving, maintaining or transmitting PHI in order to provide the service for which it is engaged?

11 Business Associates Under the Omnibus Rule
Common examples of BAs:
- Billing companies
- Management and consulting companies
- Audit companies
- Lawyers, accountants, consultants
Note: Your cleaning service is not a BA! Point: your cleaning service does not create, receive, maintain or transmit PHI in order to clean your offices.

12 PART II: PREEMPTION, ENFORCEMENT & PENALTIES

13 PREEMPTION: FEDERAL HIPAA v. STATE LAW
Generally speaking: If any standard, requirement or implementation specification adopted under HIPAA is contrary to state law, HIPAA will control and preempt (or supersede) the state law provision.
"Contrary" means:
- the CE or BA would find it impossible to comply with both the federal and the state requirement, or
- the state law impedes the purposes and objectives of health information privacy
If a state law is more stringent, the state law will control.

14 ENFORCEMENT
Right to Complain: Individuals have the right to complain to the OCR
- OCR will investigate any complaint when a review of the facts indicates a possible violation due to willful neglect
- OCR may investigate any other complaints
- OCR will conduct compliance reviews when a preliminary review of the facts indicates a possible violation due to willful neglect
- OCR may conduct compliance reviews to determine compliance in any other circumstance

15 Willful Neglect: Conscious, intentional failure or reckless indifference to the obligation to comply with the HIPAA provision violated

16 ENHANCED PENALTIES AND ENFORCEMENT UNDER HITECH
Tiered Penalty Structure

  Violation Type                   Each Violation       Repeat Same/Yr (cap)
  Did Not Know                     $100 - $50,000       $1,500,000
  Reasonable Cause                 $1,000 - $50,000     $1,500,000
  Willful Neglect, Corrected       $10,000 - $50,000    $1,500,000
  Willful Neglect, Not Corrected   $50,000              $1,500,000

17 PART III: HIPAA PRIVACY RULE

18 Information Covered by Privacy Rule
Protected Health Information (PHI): individually identifiable information in all forms: electronic, written, oral
Information is individually identifiable if:
- It identifies the individual or offers a reasonable basis for identification
- It is created or received by a CE or an employer, AND
- It relates to the past, present, or future physical or mental condition, the provision of health care, or the payment for health care
De-identified information is not PHI

19 Minimum Necessary Standard
The Privacy Rule contains minimum necessary standards related to the collection, maintenance, access, use and disclosure of PHI.
Minimum Necessary Standard: A CE must make reasonable efforts to limit its uses and disclosures of, and requests for, PHI to the minimum necessary to accomplish the intended purpose.
The standard also applies to BAs.

20 Exceptions to Minimum Necessary Standard
- Disclosures for treatment
- Most uses and disclosures made to the individual
- Disclosures pursuant to a valid authorization
- Uses and disclosures required by law
- Disclosures made to the Secretary of the DHHS
- Uses and disclosures required for compliance with HIPAA

21 Permitted Disclosures of PHI: Incidental Uses and Disclosures
Incidental uses and disclosures: uses and disclosures that cannot reasonably be prevented, are limited in nature, and occur as a by-product of a use or disclosure otherwise permitted under the rule (e.g., calling a patient's name in the waiting room; sign-in sheets; office discussions)
Incidental uses and disclosures are permitted only to the extent that the CE or BA has applied reasonable safeguards, including the minimum necessary standard

22 Permitted Disclosures of PHI: Treatment, Payment & Health Care Operations (TPO)
CEs may use or disclose PHI for TPO. A CE may obtain consent of the individual to use or disclose PHI to carry out TPO:
- For the CE's own TPO
- For the TPO of another CE with a relationship to the individual, so long as the recipient is that CE
- For purposes of health care operations between CEs participating in a group health plan or other joint arrangement, including an organized health care arrangement
Best practice: Have patients sign a general consent for TPO disclosures (as part of the registration process)

23 Exceptions to Permitted Disclosures of PHI
Need patient authorization to release:
- genetic information
- PHI received from a federally-funded drug and alcohol treatment program
- psychotherapy notes
- HIV/AIDS information (may release for treatment of the individual; may release for other limited reasons under the AIDS Assistance Act)
- PHI for marketing purposes
- PHI for sale

24 Other Permitted Disclosures
Uses and disclosures permitted by regulation without authorization:
- Uses and disclosures required by law
- Uses and disclosures for public health activities
- Disclosures about victims of abuse, neglect or domestic violence
- Disclosures for judicial and administrative proceedings
- Disclosures for law enforcement purposes
- Uses and disclosures for cadaveric organ, eye and tissue donation
- Uses and disclosures for research purposes
- Uses and disclosures to avert a serious threat to health or safety
- Uses and disclosures for specialized government functions
- Disclosures for Workers' Compensation

25 USES AND DISCLOSURES REQUIRING OPPORTUNITY TO AGREE OR OBJECT
- CE may disclose to a relative or close personal friend of the individual, or any other person identified by the individual, PHI directly related to such person's involvement with the individual's care or related payment
- CE may also disclose to such persons the individual's PHI regarding the individual's location, general condition or death
- If the individual is present, the CE may only use or disclose with the individual's agreement (or if it can infer from the circumstances that it may disclose)
- If the individual is not present, or cannot agree or object due to incapacity or emergency circumstances, the CE may determine whether disclosure is in the individual's best interests

26 Patient Authorization
Written patient authorization must contain:
- a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion
- the name or other specific identification of the person(s), or class of persons, to whom the CE may make the requested use or disclosure
- a description of each purpose of the requested use or disclosure ("at the request of the individual" is sufficient)
- an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure
- signature of the individual (or authorized representative) and date (and authority of the authorized representative, e.g., guardian)

27 Patient Authorization
Must also contain statements:
- adequate to put the individual on notice that he/she may revoke the authorization (and the circumstances when it cannot be revoked)
- describing when the CE may condition treatment or payment on the receipt of an authorization
- alerting the individual of the potential for information to be subject to re-disclosure by the recipient

28 Individual Rights: Notice of Privacy Practices
CE must provide patients with the CE's Notice of Privacy Practices:
- must provide it no later than the same date on which health care services are first provided to the individual
- must post the notice in a clear and prominent location at the CE, and make it available upon request
- if the CE has a website, must post it on the website

29 Individual Rights: Notice of Privacy Practices
Omnibus Rule: CE must update/revise its NPP to:
- include a description of the types of uses and disclosures that require an authorization
- explain that the individual may opt out of fundraising communications
- explain that the CE must notify individuals of a breach of their unsecured PHI

30 Individual Rights: Requesting Restrictions on Uses and Disclosures
General Rule: A CE does not have to agree if an individual requests restrictions relating to a use or disclosure of his/her PHI that is otherwise allowed under HIPAA
Omnibus Rule Exception: A CE must agree to the request of an individual to restrict disclosure of PHI about the individual to a health plan if:
- the disclosure is for the purpose of carrying out payment or health care operations and is not otherwise required by law, AND
- the PHI pertains solely to a health care item or service for which the individual, or a person other than the health plan on behalf of the individual, has paid the CE in full

31 Individual Rights: Confidential Communications for PHI
CE must ensure individuals can receive communications regarding their PHI in a manner and location that they feel is safe from unauthorized disclosure (e.g., whether or not the patient will accept voice mail messages; sending PHI to an alternate address, etc.)

32 Individual Rights: Right to Inspect and Get Copies of PHI
General Rule: With some exceptions, an individual has a right of access to inspect and obtain a copy of his/her PHI
Omnibus Rule Changes:
- If the PHI is maintained electronically and the individual requests an electronic copy, the CE must provide the PHI in the electronic form and format requested by the individual, if it is readily producible (or, if not, in a readable electronic format as agreed by the CE and the individual)
- If an individual's request for access directs the CE to send the copy of PHI to another person designated by the individual, the CE must do so; the request must be in writing, signed by the individual, and include the address

33 Individual Rights: Requests for Amendment to PHI
General Rule: An individual has a right to request the CE to amend PHI about the individual
Denial: The CE may deny the request if it determines that the PHI:
- is accurate and complete as stated in the CE's record
- would not otherwise be made available to the individual for inspecting and copying
- was not created by the CE, unless the individual provides a reasonable basis to believe the originator is no longer available to act on the request for amendment

34 Individual Rights: Requests for Accounting of Disclosures of PHI
General Rule: An individual has the right to request an accounting of disclosures made by the CE; this includes disclosures by BAs
Exceptions: The CE need not account for:
- Disclosures made for TPO
- Disclosures to the individual
- Disclosures made pursuant to a valid authorization
- Disclosures to responsible individuals to notify of location, condition or death
- Disclosures for national security or intelligence purposes
- Disclosures to correctional facilities and law enforcement

35 Individual Rights: Privacy Complaints
- Individuals must be given information about their right to complain (contained in the Notice of Privacy Practices)
- Individuals may complain to the CE or to the Secretary of DHHS if they believe their privacy rights have been violated

36 Omnibus Rule: Changes to Individual Rights: Limits on Fundraising
A CE may use, or disclose to its BA or to an institutionally-related foundation, certain PHI for fundraising for its own benefit, without authorization:
- demographic information, including name, address, other contact information, age, gender, date of birth
- dates of health care provided to an individual
- department of service information, treating physician, outcome information, health insurance status

37 Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Fundraising
- CE must include in the NPP information about disclosures for fundraising purposes
- With each fundraising communication, the CE must provide the individual with a clear and conspicuous opportunity to elect an opt-out for future fundraising communications
- The method for opting out must not be burdensome
- The CE may also include information about how to opt back in
- CE may not condition treatment or payment on the individual's choice with respect to fundraising communications

38 Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Marketing
CEs must obtain a written authorization from the individual for any use or disclosure of PHI for marketing purposes, except if the communication is in the form of:
- A face-to-face communication by the CE to the individual
- A promotional gift of nominal value provided by the CE
Marketing defined: To make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service

39 Omnibus Rule: Changes to Individual Rights, Etc.: Limits on Marketing
Marketing does not include a communication made:
- To provide refill reminders or otherwise communicate about a drug or biologic currently being prescribed, if the remuneration received is reasonably related to the CE's cost of making the communication
- For treatment and health care operations, if the CE does not receive financial remuneration in exchange for making the communication, e.g.:
  - for treatment of the individual by a health care provider, including case management or care coordination, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual
  - for case management or care coordination, contacting individuals with information about treatment alternatives

40 Omnibus Rule: Changes to Individual Rights, Etc.: Sale of PHI
A CE (or a BA on behalf of the CE) must obtain authorization for any disclosure of PHI that constitutes a sale; the authorization must indicate that the CE will receive remuneration

41 Omnibus Rule: Changes to Individual Rights, Etc.: Sale of PHI
Sale of PHI does not include disclosure of PHI:
- for public health purposes
- for research purposes
- for treatment and payment purposes
- for the sale, transfer, merger, etc. of the CE's business, including due diligence activities
- to or by a BA pursuant to its BA agreement
- to an individual
- as required by law
- as otherwise allowed under HIPAA

42 Omnibus Rule: Changes to Individual Rights, Etc.: Decedents
- The Omnibus Rule amends the definition of PHI to exclude individually identifiable information regarding a person who has been deceased for more than 50 years
- The Omnibus Rule allows CEs to disclose information about a decedent to a family member, other relative, or a close personal friend of the individual, who was involved in the individual's care prior to death, if the information is relevant to that person's involvement and disclosure is not inconsistent with prior written preferences of the individual

43 Omnibus Rule: Changes to Individual Rights, Etc.: Compound Authorizations and Research
General Rule: An authorization for use or disclosure of PHI may not be combined with any other document to create a compound authorization
Exception: An authorization for the use or disclosure of PHI for a research study may now be combined with any other type of written permission for the same or another research study. This includes combining an authorization for the use or disclosure of PHI for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with a consent to participate in research

44 Omnibus Rule: Changes to Individual Rights, Etc.: Immunization Records
CEs may disclose PHI to a school about a student or prospective student, if:
- the PHI disclosed is limited to proof of immunization
- the school is required by State or other law to have such proof of immunization prior to admitting the student
- the CE obtains and documents the agreement to the disclosure from either the parent (if the student is a minor) or the adult student

45 Omnibus Rule: Changes to Individual Rights, Etc.: Changes Related to GINA
The Omnibus Rule prohibits most health plans from using or disclosing genetic information for underwriting purposes

46 Business Associates: Omnibus Rule
The Security Rule and select provisions of the Privacy Rule now extend directly to:
- Business Associates
- Subcontractors of Business Associates
- Subcontractors of Subcontractors
- And so on: a chain of trust upstream and downstream, with almost infinite liability

47 Business Associates Under the Omnibus Rule
- Covered Entities cannot disclose PHI to a Business Associate without a written agreement in place
- BAs must enter into Business Associate Agreements with their Subcontractors
- Subcontractor: a person or entity to whom a BA delegates a function, activity or service, other than in the capacity of a member of the workforce of such BA
- Subcontractors must enter into Business Associate Agreements with their own Subcontractors

48 BAA Contractual Requirements
BAs are required to comply with the Security Rule and parts of the Privacy Rule.
Required elements in BA Agreements:
- BA must comply with the Security Rule requirements regarding e-PHI
- BA must comply with the minimum necessary standard
- BA must report to the CE any breaches of unsecured PHI, plus any use or disclosure of PHI in violation of HIPAA
- If the BA will carry out functions of the CE (e.g., providing access or copies of PHI to the individual), the BA must perform these functions in accordance with HIPAA
- Subcontractor agreements must contain the same restrictions as the BAA

49 Safeguarding PHI
- Privacy and Workstation Use Policy: CE/BA must develop protocols for safeguarding PHI kept in workstations
- Privacy and Telephone Use Policy: CE/BA must develop protocols for safeguarding PHI when making disclosures over the telephone
- Computer Use Policy: CE/BA must develop protocols for acceptable computer use by workforce members
- Facsimile Policy: CE/BA must develop protocols for safeguarding PHI when sending and receiving health information via facsimile

50 PART IV: HIPAA SECURITY RULE

51 Security Rule
The Security Rule requires CEs and BAs to have in place safeguards for protecting e-PHI to:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce

52 Security Rule
- Confidentiality means that e-PHI is not available or disclosed to unauthorized persons
- Integrity means that e-PHI is not altered or destroyed in an unauthorized manner
- Availability means that e-PHI is accessible and usable on demand by an authorized person

53 Security Rule: Flexibility of Approach
The Rule is intended to be flexible and scalable so each CE and BA can implement policies, procedures and technologies that are appropriate for the entity's particular size, organizational structure and risks to PHI.
Each CE and BA must consider:
- Its size, complexity and capabilities
- Its technical, hardware and software infrastructure
- The costs of security measures
- The likelihood and possible impact of potential risks to e-PHI
CEs and BAs must review and modify their security measures to continue protecting e-PHI in a changing environment.

54 Security Rule: Standards vs. Specifications
Standards: CEs and BAs must comply with every Security Rule Standard
Implementation Specifications: the nuts and bolts
- Required: must be implemented
- Addressable: does not mean optional; the CE or BA must determine whether the specification is reasonable and appropriate for it
  - If it is not, the Security Rule allows the CE or BA to adopt an alternative measure that achieves the purpose of the standard, if the alternative measure is reasonable and appropriate
  - If an implementation specification is not reasonable and appropriate in light of the CE/BA's security framework, and there is no reasonable alternative, don't adopt it
  - Document the decision

55 Security Rule: Administrative Safeguards
Security Management Process: CE/BA must perform a risk analysis process, to include at least the following activities:
- evaluate the likelihood and impact of potential risks to e-PHI
- implement appropriate security measures to address the risks identified in the risk analysis
- document the chosen security measures and, where required, the rationale for adopting those measures
- maintain continuous, reasonable and appropriate security measures

56 Security Rule: Administrative Safeguards
Security Management Process (continued):
- Risk management: security measures to reduce risk
- Sanction Policy: address failure to comply with policy
- Information System Activity Review: e.g., audit logs, access reports, security incident tracking
Assigned Security Responsibility: Identify the security official responsible for developing and implementing policies and procedures
Workforce Security: Implement measures to ensure members of the workforce have appropriate access to e-PHI; prevent those who should not have access from gaining access (role-based access)

57 Security Rule: Administrative Safeguards
- Workforce Training and Management: Workforce members must be granted appropriate authorization and must be appropriately supervised; CE/BA must train workforce members
- Security Incident Procedures: CE/BA must implement policies to address security incidents
- Contingency Plan: CE/BA must have backup plans in the event of an emergency/disaster
- Evaluation: CE/BA must perform periodic assessment of security policies and procedures

58 Security Rule: Physical Safeguards
- Facility Access and Control: CE/BA must implement policies and procedures to limit physical access to its facilities while ensuring that authorized access is allowed
- Workstation and Device Security: CE/BA must implement policies and procedures to specify proper use of and access to workstations and electronic media and devices; must also have in place policies and procedures regarding the transfer, removal, disposal and re-use of electronic media or devices, to ensure appropriate protection of e-PHI

59 Security Rule: Technical Safeguards
- Access Control: CE/BA must implement technical policies and procedures that allow only authorized persons to access e-PHI
- Audit Control: CE/BA must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI

60 Security Rule: Technical Safeguards
- Integrity Controls: CE/BA must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed, and to confirm same
- Person or Entity Authentication: CE/BA must implement procedures to verify that the person or entity seeking access to e-PHI is the one claimed
- Transmission Security: CE/BA must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network

61 PART V: HIPAA BREACHES

62 Breach
Breach of Unsecured PHI: the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule which compromises the security or privacy of the PHI
Unsecured PHI: PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary of DHHS (see the DHHS Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals)

63 DEFINITION OF BREACH EXCLUDES
- Unintentional acquisition or use of PHI by a workforce member when made in good faith, and no further use or disclosure is made
- Inadvertent disclosure by an authorized person to another authorized person, and no further use or disclosure is made
- A disclosure of PHI where the CE or the BA has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information

64 DISCOVERY OF A BREACH
- A breach is deemed discovered by the CE as of the first day on which the breach is known to the CE/BA or, by exercising reasonable diligence, would have been known, to any person, other than the person committing the breach, who is a workforce member or agent of the CE/BA
- BAs must report breaches to the CE
- The CE is responsible for breaches by its agents

65 INVESTIGATION
Upon discovery of a breach, the HIPAA Privacy Officer must initiate and/or oversee an investigation. The governing body or upper management may need to become involved, depending upon the size of the organization, governance structure, etc., and the nature and extent of the PHI and breach involved.

66 RISK ASSESSMENT
Any impermissible acquisition, access, use or disclosure of unsecured PHI is presumed to be a breach, unless the CE can, through a risk assessment, demonstrate that there is a low probability that the PHI has been compromised.
The Omnibus Rule does not define "compromise". Must utilize the four-factor test: must analyze all four factors; may analyze additional factors.

67 RISK ASSESSMENT FACTOR #1: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification

68 RISK ASSESSMENT FACTOR #2: The unauthorized person who used the PHI or to whom the disclosure was made

69 RISK ASSESSMENT FACTOR #3: Whether the PHI was actually acquired or viewed

70 RISK ASSESSMENT FACTOR #4: The extent to which the risk to the PHI has been mitigated

71 RESULTS OF RISK ASSESSMENT
- Must be documented
- If, after the risk analysis, the CE determines there is a low risk that the PHI has been compromised, then no notification to the individual(s) is required
- The BA assists the CE in the investigation and determination
- Otherwise, the CE must notify the affected individuals of the breach

72 BREACH NOTIFICATION
Notice to affected individuals must be made without unreasonable delay, but in no case later than sixty (60) calendar days after the discovery.
Caveat: If law enforcement officials inform the CE that notice to the affected individuals will impede a criminal investigation or cause damage to national security, the CE must delay.

73 BREACH NOTIFICATION: Additional Notices
- To the media, if a single breach event affects more than 500 residents of the same state or jurisdiction (without unreasonable delay, but no later than 60 calendar days from discovery)
- To the Secretary of DHHS:
  - if a single breach event affects 500 or more individuals, regardless of the state or jurisdiction: without unreasonable delay, but no later than 60 days from discovery
  - if a single breach event affects fewer than 500 individuals: on an annual basis (within 60 days of the end of the calendar year)
- The CE must maintain a breach log
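
As an added worked example (not part of the presentation), the following Python sketch turns the discovery rule on slide 64, the risk-assessment outcome on slide 71 and the notice deadlines on slides 72 and 73 into a deadline calculator of the kind an incident-response team keeps beside its breach log. The BreachRecord fields, the person labels and the scenario figures are constructed for illustration and are not from the slides.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# Window and threshold as stated on the slides: notices are due without
# unreasonable delay and no later than 60 calendar days after discovery;
# "large" breaches are those affecting 500 or more individuals.
NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500


@dataclass
class BreachRecord:
    """Constructed model of the facts recorded about one breach event.

    known_dates: ISO date on which each workforce member or agent (labelled
        with a hypothetical name) first knew, or with reasonable diligence
        should have known, of the breach.
    affected_by_state: number of affected residents per state/jurisdiction.
    caused_by: label of the workforce member who committed the breach, if
        any; that person's own knowledge does not start the discovery clock.
    secured: True if the PHI was rendered unusable, unreadable or
        indecipherable per the DHHS guidance (then it is not unsecured PHI).
    low_probability_of_compromise: outcome of the documented four-factor
        risk assessment; True only if the CE can demonstrate low probability.
    law_enforcement_delay: True if law enforcement has stated that notice to
        individuals would impede an investigation or damage national security.
    """
    known_dates: Dict[str, str]
    affected_by_state: Dict[str, int]
    caused_by: Optional[str] = None
    secured: bool = False
    low_probability_of_compromise: bool = False
    law_enforcement_delay: bool = False


def discovery_date(rec: BreachRecord) -> date:
    """First day the breach was known (or should have been known) to any
    workforce member or agent other than the person who committed it."""
    dates = [date.fromisoformat(d) for who, d in rec.known_dates.items()
             if who != rec.caused_by]
    if not dates:
        raise ValueError("only the person who committed the breach knew of it")
    return min(dates)


def notification_plan(rec: BreachRecord) -> dict:
    """Return which notices are required and the latest date for each."""
    plan = {"notify": False, "reason": "", "discovered": None,
            "individuals_by": None, "media_states": [], "secretary_by": None}
    if rec.secured:
        plan["reason"] = "PHI was secured per DHHS guidance; not unsecured PHI"
        return plan
    if rec.low_probability_of_compromise:
        plan["reason"] = ("documented risk assessment shows low probability "
                          "of compromise; no notification required")
        return plan

    discovered = discovery_date(rec)
    deadline = discovered + NOTICE_WINDOW
    total = sum(rec.affected_by_state.values())

    plan["notify"] = True
    plan["reason"] = "impermissible use/disclosure of unsecured PHI is presumed a breach"
    plan["discovered"] = discovered
    # Individuals: no later than 60 calendar days after discovery, unless
    # law enforcement has asked the CE to delay (then no date is set here).
    plan["individuals_by"] = None if rec.law_enforcement_delay else deadline
    # Media: judged per state, more than 500 residents of the same state.
    plan["media_states"] = sorted(
        s for s, n in rec.affected_by_state.items() if n > LARGE_BREACH)
    # Secretary: same 60-day window if 500 or more individuals in total;
    # otherwise logged and reported within 60 days of the end of the year.
    if total >= LARGE_BREACH:
        plan["secretary_by"] = deadline
    else:
        plan["secretary_by"] = date(discovered.year, 12, 31) + NOTICE_WINDOW
    return plan


if __name__ == "__main__":
    # Constructed scenario: a clerk misdirects records on March 1; the
    # privacy officer learns of it on March 10, which is the discovery date.
    rec = BreachRecord(
        known_dates={"clerk": "2015-03-01", "privacy_officer": "2015-03-10"},
        affected_by_state={"NJ": 620, "NY": 300},
        caused_by="clerk")
    for key, value in notification_plan(rec).items():
        print(f"{key}: {value}")
```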

74 BREACH: NOT IF, BUT WHEN
In the words of Leon Rodriguez, the former Director of the Office of Civil Rights in the DHHS: "Breaches and enforcement by the OCR is a little like middle school math. You must show your work. It's all about the process."

75 BREACH HYPOTHETICAL #1
A medical provider mails a patient's written record to the patient. The patient's name is clearly on the envelope, and the envelope is sealed. However, the address is an old address for the patient. The recipient at the address calls the provider and states that she received the mail intended for the other individual, that she opened it and saw it was not for her and who it was from, and thereafter discarded the mail. She states she is just calling to let the provider know of the error.

76 BREACH HYPOTHETICAL #2
A medical provider mails a CD containing patient information. The envelope is addressed to Jane Doe at her proper address, and includes the provider's return address on the outside of the envelope. Jane stops home during her lunch break one day, and receives the mail. When Jane opens the envelope and pulls out the CD, the label on the CD says "Patient John Smith". There is nothing else in the envelope. Jane immediately drives to the provider on her way back to work and hands the CD to the front desk personnel. She states she just received it, noted it was not intended for her, and is returning it to the provider.

77 BREACH HYPOTHETICAL #3
A physician carries a laptop computer, which is password protected and contains PHI of more than 500 patients, from one office location to another. The encrypted PHI includes names, dates of birth, Social Security numbers, patient ID numbers, dates of service, descriptions of services and other related information. The physician normally keeps the laptop in the trunk of the car when she is not using it, so as to safeguard the computer and the information in it. However, one day she is careless and leaves it on the passenger seat and forgets to lock the car when running an errand. When she returns to the car, the laptop is missing.

78 PART VI: Disclosures Required by Law

79 Release of PHI when Required by Law
CE/BA may release PHI as required by law: a mandate contained in law that compels the CE/BA to make a use or disclosure of PHI and that is enforceable in a court of law. This includes court orders and subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information.
The release of information pursuant to such an order, subpoena or summons must be limited to, and only in compliance with, the exact requirements contained in such document.

80 Release of PHI when Required by Law
Administrative Request (administrative agency subpoena or summons, civil demand or similar process): May release the requested records, provided that:
- the information sought is relevant and material to a legitimate law enforcement inquiry
- the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought
- de-identified information could not reasonably be used

81 Subpoena v. Court Order
A subpoena or discovery request issued/signed by someone other than a judge, such as a court clerk or an attorney in litigation, is different from a court order.
CE/BA may disclose information to a party issuing a subpoena only if the HIPAA notification requirements are met.
It is often best to seek legal counsel before releasing records or information.

82 Disclaimer: This presentation and outline are designed to provide accurate and authoritative information regarding the subject matter covered. This presentation and outline should not be construed as legal advice or as pertaining to specific, factual situations. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

83 QUESTIONS


THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. 165 Court Street Rochester, New York 14647 A nonprofit independent licensee of the BlueCross BlueShield Association THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND

More information

LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY NOTICE OF PRIVACY PRACTICES

LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY NOTICE OF PRIVACY PRACTICES LEWIS COUNTY GENERAL HOSPITAL / RESIDENTIAL HEALTH CARE FACILITY 7785 North State Street Lowville, NY 13367 NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED

More information

H E A L T H C A R E L A W U P D A T E

H E A L T H C A R E L A W U P D A T E L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.

More information

Compliance Steps for the Final HIPAA Rule

Compliance Steps for the Final HIPAA Rule Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.

More information

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT

SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),

More information

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates

Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy

More information

Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013

Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients

More information

HHS, Office for Civil Rights. IAPP October 11, 2012

HHS, Office for Civil Rights. IAPP October 11, 2012 HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities

More information

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT

Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Hand & Microsurgery Medical Group, Inc. HIPAA NOTICE AND ACKNOWLEDGEMENT Acknowledgement: I acknowledge that I have received the attached Notice of Privacy Practice. Patient or Personal Representative

More information