HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
|
|
- Primrose Lawson
- 5 years ago
- Views:
Transcription
1 HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
2 HIPAA OMNIBUS FINAL RULE HITECH GINA
3 TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security rule HITECH modified to strengthen HIPAA and implemented breach notification rule and raised the civil monetary penalties. Included Genetic Information Nondiscrimination Act of 2008 (GINA) Genetic information can t be used for underwriting Is treated like PHI
4 TERMINOLOGY HIPAA Health insurance Portability & Accountability Act. Enacted in 1996 so health insurance would be portable Compliance by October 16, 2002 for EMR/EHR Compliance by April 14, 2003 for privacy rules
5 PRIVACY RULE Establishes national standard for protection of PHI Addresses the use/disclosure of an individual s PHI Gives individuals rights with respect to their PHI Policies and procedures must be in place to ensure that reasonable steps are taken to protect individual PHI.
6 SECURITY RULE Establishes national standard for protection of PHI that is held or transferred in electronic form. Address the technical and non-technical safeguards Implement three safeguards: 1. Administrative assignment of individual to train and be responsible for security. 2. Physical how the electronic systems are protected in the environment. 3. Technical password protections; encryption
7 TERMINOLOGY HITECH Health Information Technology for Economic & Clinical Health Act Provision under the Social Security Act Modified to strengthen HIPAA Modifications made significant changes
8 HOW HITECH AFFECTS HIPAA Applies the same requirements and penalties for Covered Entities and Business Associates. Establishes mandatory federal privacy and security breach reporting requirements Creates new privacy requirements including new accounting disclosure requirements. Establishes new criminal and civil penalties for non-compliance and new enforcement methods. All these apply equally to Covered Entities and Business Associates
9 TERMINOLOGY PHI Protected Health Information Identifiable health information Includes written, verbal or electronic form used in records, social media, internet, intranet
10 PHI IDENTIFIERS This is the information that requires protection: Name and address including zip code or other geographic codes Date of birth and age Telephone number, fax number, address Social security number, medical record number Health plan beneficiary number Account number Certificate/license number; license plate number Web URL; IP address Finger or voice prints Photographs Any other unique identifying characteristic
11 DE-IDENTIFICATION When the identifiers are removed from a patient s information, it is considered deidentified. No longer considered PHI No restrictions on the use/disclosure There is no information that could easily identify the individual.
12 TERMINOLOGY Minimum Necessary Standard Only the minimum necessary PHI is made to use, disclose and request PHI to accomplish the intended purpose. Breach PHI has been used in a manner that compromises the security or privacy of the PHI.
13 TERMINOLOGY Incidental Use and Disclosure The use/disclosure of PHI that is a result of or incident to permitted use of PHI. ELECTRONIC MEDIA revised definition hard drives, tapes, disks, memory cards, removable medium internet, intranet, private networks does not include fax, telephone as electronic media transmission
14 BUSINESS ASSOCIATE Person/entity, other than a member of the workforce, who performs functions/activities on behalf of or for a Covered Entity that involves the use/disclosure of PHI. A BA is also a subcontractor that creates, receives, transmits, or maintains PHI on behalf of another BA. BAs and subcontractors have to safeguard PHI down the stream. Typical BAs: billing service, collection agencies, answering service, EMR software vendor, labs, transcription
15 BUSINESS ASSOCIATE AGREEMENT An agreement between a Covered Entity and Business Associate or between 2 BAs. Clarifies and limits permissible use/disclosure of PHI. Deadlines: If currently have a BAA as of 1/25/13 and not due for renewal by 9/23/13, have until 9/23/14.. Otherwise, update by 9/23/13
16 BUSINESS ASSOCIATE EXCEPTIONS Health care providers concerning treatment of individual. Doctor to doctor; nurse to nurse; referrals Banking and financial institutions Government agencies determining eligibility, enrollment or benefits Medicare, Medicaid, VA Pharmacies
17 COVERED ENTITY Health Care Providers Conduct transactions in electronic form Physicians, clinics, dentists, nursing homes Health Care Clearinghouses Entities that process non-standard health information Health Plans Health insurance companies, HMOs Government health programs
18 NOTICE OF PRIVACY PRACTICE Statements set out in a written document for patients regarding the use/disclosure of PHI that is allowed without authorization and that which requires authorization. Has to be displayed in a clear and prominent location Must be provided to new patients and a hardcopy has to be provided to anyone who asks for one. Has to be posted on Covered Entity s website, if applicable. Established patients must be made aware of changes. Requires a signed acknowledgement of receipt.
19 PATIENT RIGHTS Under the Final Rule and stated in the NPP: Right to request a restriction of uses/disclosures CE may consider which restrictions to honor Right to access PHI Only if maintained in electronic form Do not have right to direct access to system Can copy onto external device
20 PATIENT RIGHTS Right to have an accounting of disclosures An accounting is a record of each disclosure of each patient s PHI for purposes other than treatment, payment or health care operations. Can include 6 years prior to the date of which the accounting is requested and not before Disclosures that do not need to be recorded: treatments, payments, disclosures made to the patient
21 PATIENT RIGHTS Right to ask for a change in their medical record If the individual believes there is an error or disagrees with what is in their EMR, they may ask for a change. The Covered Entity, upon investigation, may or may not agree with the change. Communication of the decision must be made in writing to the individual. If there is a change, the original is not destroyed, but an addendum is made.
22 AUTHORIZED PHI DISCLOSURES DECEDENT S PHI: The healthcare provider may disclose PHI to family members/others involved in care prior to death using minimum necessary standard. After 50 years, PHI is no longer protected. Arkansas: spouse or parent may receive autopsy report Student Immunizations to Schools Only require verbal authorization for release Public Health Activities May report for the public health and safety. E.g., communicable diseases
23 AUTHORIZATION REQUIRED Must have valid written authorization for: Use/disclosure of psychotherapy notes. Use/disclosure for marketing purposes. The sale of PHI
24 BREACH NOTIFICATION RULE This Rule did not exist prior to the HITECH Act. If a breach occurs, a Risk Assessment has to be performed to determine if there was a low probability of compromised PHI. The risk of harm to the individual is not part of the assessment. Affected individuals have to be notified of the breach within 60 days from discovery of the breach. If more than 500 individuals have been affected, notice through prominent media outlets must occur; this is in additions to individual notices. HHS has to be notified if > 500 involved.
25 Breach Notification Notifications to individuals are to be sent via first class mail to last known address. Can be sent via or telephone if address is out of date. Parents of minors, personal representatives of adults without capacity and next of kin of deceased patients may be notified. If there is insufficient information for 10 or more individuals, the CE must put up a notice on their web site or major print or broadcast media where the individuals reside. BA has same requirements and must notify CE.
26 BURDEN OF PROOF The CE and BA have to demonstrate there is a low probability that the information used/disclosed was compromised. If it cannot clearly make this determination, it is treated as a breach. CE and BA must also demonstrate that all notifications were made.
27 INVESTIGATION OF BREACH Office of Civil Rights (OCR) under the Department of Health and Human Services (HHS) enforces HIPAA. OCR is required to formally investigate a complaint. Complaint has to be filed within 180 days of alleged violation. If the preliminary investigation indicates a possible violation further investigation will expand into a compliance investigation. OCR tries to determine whether willful neglect is indicated.
28 INVESTIGATION (CON T) The entity has 30 days to respond to OCR. If a violation or willful neglect is found, a civil monetary penalty for each violation can be imposed.
29 CIVIL MONETARY PENALTIES Failure to comply with HIPAA can result in civil and criminal penalties. The HITECH Act: significantly increased the amount of civil monetary penalties (CMP); Reduced the number of available affirmative defenses; and Required imposition of CMPs for all violations due to willful neglect under a tiered liability structure. Prior to February 18, 2009, HIPAA violations were $100/each violation and the most in one year for same violation was $25,000. Now up to $50,000/each violation and $1.5 million in one year for same violation.
30 TIERED LIABILITY STRUCTURE Unknowing: The CE or BA did not know and reasonably should not know of the violation Reasonable Cause: The CE or BA knew, or by exercising reasonable diligence would have known, that the act or omission was a violation, but the CE or BA did not act with willful neglect. Willful Neglect: Corrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA. However, the CE or BA corrected the violation within 30 days of discovery. Willful Neglect: Uncorrected. The violation was the result of conscious, intentional failure or reckless indifference to fulfill the obligation to comply with HIPAA, and the CE or BA did not correct the violation within 30 days of discovery.
31 MONETARY PENALTIES Violation Category Each Violation Not less than Or more than Total CMP for Violations of an Identical Provision in a Calendar Year Unknowing $100 - $50,000 $1,500,000 Reasonable Cause $1,000 - $50,000 $1,500,000 Willful Neglect - Corrected Willful Neglect Uncorrected $10,000 - $50,000 $1,500,000 At least $50,000 $1,500,000
32 TOP 5 HIPAA VIOLATIONS Year #1 Violation #2 Violation #3 Violation #4 Violation #5 Violation 2010 Impermissible Uses & Disclosure 2009 Impermissible Uses & Disclosure 2008 Impermissible Uses & Disclosure 2007 Impermissible Uses & Disclosure Safeguards Access Minimum Necessary Safeguards Access Minimum Necessary Safeguards Access Minimum Necessary Safeguards Access Minimum Necessary Notice Complaints to Covered Entity Complaints to Covered Entity Notice
33 ADMINISTRATIVE REQUIREMENTS Written policies and procedures to comply with the administrative requirements must include: 1. A designated contact person to handle complaints and provide further information about the Notice of Privacy Practice. 2. A designated privacy officer who is responsible for development and implementation of the policies and procedures. 3. Required annual training of all workforce members with documentation of the training. 4. Safeguards to protect the privacy of PHI and limit incidental uses or disclosures. 5. Procedures for individuals to submit complaints regarding HIPAA compliance.
34 ADMINISTRATIVE REQUIREMENTS 6. Must have and apply appropriate sanctions against workforce members who violate privacy policies and procedures. 7. Must document sanctions that are applied, if any. 8. Must mitigate to the extent practicable any harmful effect due to violation. 9. Cannot take intimidating or retaliatory acts against any individual for filing a complaint or exercising his/her right. 10. Must retain policies and procedures, NPPs, disposition of complaints and other actions/activities for 6 years after the later of the date of their creation or last effective date. 11. Maintain documentation sufficient to meet the burden of proof.
35 CASES
36 Impermissible Use/Disclosure Removal and Loss of Medical Records A Massachusetts hospital employee took work home, and accidentally left 192 billing records containing detailed PHI on the subway. Even though an accident, severe penalties were imposed on hospital: $1 million fine 3 year corrective action plan with oversight by OCR. Requirements to develop comprehensive policies and procedures using encryption. Implementation of a comprehensive training program and written certification from all staff.
37 Accessing PHI Without Legitimate Purpose Accessing Celebrity Records Researcher at UCLA School of Medicine received notice of termination. In retaliation, he accessed superior and co-workers medical records. Over the next 4 weeks, he accessed UCLA patient records including many celebrities a total of 323. Penalty: sentenced to 4 years in prison.
38 Accessing & Leaking PHI to Media AR. M.D. and 2 hospital employees accessed records of slain Arkansas TV reporter. Details of the attack were leaked to the media. The 3 pled guilty in federal court to misdemeanors. Federal judge fined all 3 and sentenced them to 1 year of probation. Hospital suspended M.D. s privileges for 2 weeks and terminated the 2 employees + an account rep. and Emergency Department coordinator.
39 Lack of HIPAA Safeguards Small Phoenix surgery practice group (5 doctors) posted clinical and surgical appointments for its patients on Internet-based calendar that was publicly accessible. OCR began investigation and noted the following violations: Failure to: Implement adequate policies and procedures; Document employee training; Identify clinic security officer and conduct risk analysis, and Obtain BAA with the internet-based and calendar services. OCR fined practice $100,000 and required implementation of corrective action plan that included compliance with violations listed above.
40 Improper Disposal of PHI First of its kind joint investigation by OCR and Federal Trade Ccommission over allegations that CVS Pharmacy was disposing of PHI such as prescription bottle labels and old prescriptions in public dumpsters. Joint investigation revealed the following violations: Failure to: Implement adequate policies and procedures to protect PHI during disposal; Adequately train employees on proper disposal methods; Have a sanctions policy. CVS entered into a Resolution Agreement that required CVS to: Revise and distribute its policies and procedures regarding disposal of PHI; Train employees; sanction those that did not follow policies; Engage a third party assessor to conduct assessments and submit reports to Health and Human Services.
41 Improper Disposal of PHI Create new internal reporting procedures requiring employees to report all violations of the new policies and procedures Submit compliance reports to HHS for 3 years AND CVS was fined $2.5 million. CVS is required to submit to 3 rd part audits every 2 years for 20 years (part of its agreement with the FTC).
42 Willful Intent Arkansas LPN accessed PHI for personal gain. While working in an Arkansas clinic the LPN accessed a patient s medical record and gave the information to her husband. Husband called the patient and said he intended to use the information against him/her in an upcoming legal proceeding. Upon discovery, the clinic fired the LPN. A federal indictment charged her with wrongful disclosure of individually identifiable health information for personal gain and malicious harm. Charges were dropped against her and husband for guilty plea. Faced a maximum of 10 years in prison and a fine of up to $250,000 Sentenced to 2 years probation 100 hours of community service Revocation of nursing license.
43 INSURANCE Malpractice insurance does not cover HIPAA violations. General liability insurance does not cover HIPAA violations. May purchase cyber liability insurance for HIPAA.
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More informationHIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by
HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement
More informationLegal and Privacy Implications of the HIPAA Final Omnibus Rule
Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,
More informationHIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013
HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background
More informationHIPAA Enforcement Under the HITECH Act; The Gloves Come Off
HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationNOTIFICATION OF PRIVACY AND SECURITY BREACHES
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationWhat is HIPAA? (1 of 2)
HIPAA 1 HIPAA On August 21 1996 the federal government passed the Health Information Portability and Accountability Act of 1996 Has been update throughout; with the newest update (Final Rule) going into
More informationOmnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule
Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions
More informationThe Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013
The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice
More information"HIPAA RULES AND COMPLIANCE"
PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS
More informationHIPAA: Impact on Corporate Compliance
HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal
More informationHIPAA & The Medical Practice
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,
More informationTo: Our Clients and Friends January 25, 2013
Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA 102a. Presented by Jack Kolk President ACR 2 Solutions, Inc.
HIPAA 102a What You Don t Know About HIPAA Privacy and Security Can Really Hurt You! Revision 2015 Presented by Jack Kolk President ACR 2 Solutions, Inc. Todays Agenda: 1) About Myself - Jack Kolk, CEO
More informationSaturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules
Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.
More informationFifth National HIPAA Summit West
Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for
More informationCROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF
CROOK COUNTY POLICY AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 Update 2-17-2016 CROOK COUNTY RECORD OF CHANGES 2 TABLE OF CONTENTS Introduction HIPAA
More informationHIPAA Compliance Under the Magnifying Glass
HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information
More informationHIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules
HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information
More informationHHS, Office for Civil Rights. IAPP October 11, 2012
HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities
More informationHIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school
ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes
More informationHIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights
HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement
More informationHealth Law Diagnosis
February Page 1 of 2013 11 Health Law Diagnosis HHS Releases Final HITECH Omnibus Rule After waiting over two years from the publication of the Notice of Proposed Rulemaking to implement provisions of
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationIACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP
IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA
More informationNPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH
NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy
More informationHIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES
SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule
More informationHITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013
HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance
More informationHIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule
HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com
More informationPreparing for a HIPAA Audit & Hot Topics in Health Care Reform
Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,
More informationWhat Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996.
What Brown County employees need to know about the Federal legislation entitled the Health Insurance Portability and Accountability Act of 1996. HIPAA stands for Health Insurance Portability and Accountability
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationCoping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!
Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,
More informationPresented by Marti Arvin Chief Compliance Officer UCLA Health Sciences
Presented by Marti Arvin Chief Compliance Officer UCLA Health Sciences 1 Brief discussion of where we have been and where we are going Discussion of Federal Enforcement Actions Privacy and Security issue
More informationThe HIPAA Omnibus Rule and the Enhanced Civil Fine and Criminal Penalty Regime
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2015 February 20, 2015 I. Executive Summary HIPAA is a federal law passed by Congress to protect medical patient data privacy from misuse or disclosure
More informationIt s as AWESOME as You Think It Is!
It s as AWESOME as You Think It Is! Fine Print This presentation and any materials and/or comments are training and educational in nature only. They do not establish an attorney-client relationship, are
More informationGetting a Grip on HIPAA
Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy
More informationBreach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule
Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance
More informationHIPAA Compliance Guide
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationEffective Date: 4/3/17
HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)
More informationHIPAA Omnibus Final Rule and Research
Office of the Secretary Office for Civil Rights () HIPAA Omnibus Final Rule and Research Federal Demonstration Partnership September 17, 2013 Christina Heide, JD Senior Health Information Privacy Policy
More information"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA
"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law
More informationHIPAA Data Breach ITPC
HIPAA Data Breach Objectives Overview of Omnibus Rule - Data Breach Suspected Breach - Investigation Audit Risk Assessment Corrective Action Plan Written Notification Elements NYS Rules on Data Breach
More informationHIPAA COMPLIANCE. for Small & Mid-Size Practices
HIPAA COMPLIANCE for Small & Mid-Size Practices Golden State Web Solutions 619.825.GSWS (4797) INTRODUCTION Most individuals reading this are interested in HIPAA, GSWS, or some combination of the two;
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More informationHIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015.
HIPAA PRIVACY AND SECURITY RULES APPLY TO YOU! ARE YOU COMPLYING? RHODE ISLAND INTERLOCAL TRUST LINN F. FREEDMAN, ESQ. JANUARY 29, 2015. PURPOSE OF PRESENTATION To Discuss Laws Governing Use and Disclosure
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More information2016 Business Associate Workforce Member HIPAA Training Handbook
2016 Business Associate Workforce Member HIPAA Training Handbook Using the Training Handbook The material in this handbook is designed to deliver required initial, and/or annual HIPAA training for all
More informationHIPAA PRIVACY AND SECURITY AWARENESS
HIPAA PRIVACY AND SECURITY AWARENESS Introduction The Health Insurance Portability and Accountability Act (known as HIPAA) was enacted by Congress in 1996. HIPAA serves three main purposes: To protect
More informationCHAPTER 33 HIPAA PRIVACY REGULATIONS
CHAPTER 33 HIPAA PRIVACY REGULATIONS I. INTRODUCTION The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Clinton in 1996. Most people
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationCompliance Steps for the Final HIPAA Rule
Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.
More informationx Major revision of existing policy Reaffirmation of existing policy
Name of Policy: Reporting of Security Breach of Protected Health Information including Personal Health Information Policy Number: 3364-90-15 Approving Officer: Executive Vice President of Clinical Affairs
More informationExecutive Policy, EP HIPAA. Page 1 of 25
Executive Policy, EP 2.217 HIPAA Page 1 of 25 Executive Policy Chapter 2, Administration Executive Policy EP 2.217, HIPAA Policy Effective Date: June 2017 Prior Dates Amended: None Responsible Office:
More informationNew. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.
Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy
More informationWhat Does The New Omnibus HIPAA/HITECH Final Rule Really Mean For Employers And Their Service Providers?
Visit our Practice Group blog: www.workplaceprivacycounsel.com What Does The New Omnibus HIPAA/HITECH Final Rule Really Mean For Employers And Their Service Providers? Philip L. Gordon, Esq. Littler Mendelson,
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationCOMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T
COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T Compliance Program why? Ensure ongoing education
More informationPreparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013
Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients
More informationHIPAA AND YOU 2017 G E R A L D E MELTZER, MD MSHA
HIPAA AND YOU 2017 G E R A L D E MELTZER, MD MSHA ALLISON SHUREN, J D, MSN Financial Disclosure Gerald Meltzer is a consultant for imedicware Allison Shuren co-chairs the Life Sciences and Healthcare Regulatory
More informationTexas Tech University Health Sciences Center HIPAA Privacy Policies
Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 Reviewed Date: August 7, 2017 References: http://www.hhs.gov/ocr/hippa HSC HIPAA website http://www.ttuhsc.edu/hipaa/policies_procedures.aspx
More informationOMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS
OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions
More informationHIPAA and Lawyers: Your stakes have just been raised
HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory
More informationConduct of covered entity or business associate. Did not know and, by exercising reasonable diligence, would not have known of the violation
HIPAA UPDATE: WHY AND HOW YOU MUST COMPLY 1 In January 2013, the Department of Health and Human Services ( HHS ) issued its long-awaited Omnibus Rule 2 implementing regulations required by the HITECH Act
More informationGUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do
GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned
More informationHIPAA Redux 2013 Kim Cavitt, AuD Audiology Resources, Inc. Expert e-seminar 4/29/2013. HIPAA Redux Presented by: Kim Cavitt, AuD
HIPAA Redux 2013 Presented by: Kim Cavitt, AuD Moderated by: Carolyn Smaka, Au.D., Editor-in-Chief, AudiologyOnline Expert e-seminar TECHNICAL SUPPORT Need technical support during event? Please contact
More informationThe Audits are coming!
HIPAA and Meaningful Use (MU) Governmental Program Audits The Audits are coming! The Audits are coming! 1 Audit Readiness Meaningful Use and HIPAA Both CMS and the Office for Civil Rights (OCR) have been
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationPrivacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference
Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,
More informationARRA s Amendments to HIPAA Privacy & Security Rules
ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health
More informationHIPAA, Privacy, and Security Oh My!
2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able
More informationTexas Tech University Health Sciences Center El Paso HIPAA Privacy Policies
Administration Policy 1.1 Glossary of Terms - HIPAA Effective Date: January 15, 2015 References: http://www.hhs.gov/ocr/hipaa TTUHSC El Paso HIPAA website: http://elpaso.ttuhsc.edu/hipaa/ Policy Statement
More informationHIPAA Privacy & Security Plan October 2016
HIPAA Privacy & Security Plan October 2016 Page 1 HIPAA Privacy & Security Plan Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationChoiceNet/InterCare Health Plans Getting Your Arms Around HIPAA Compliance
ChoiceNet/InterCare Health Plans Getting Your Arms Around HIPAA Compliance The enclosed packet includes basic HIPAA Privacy Rule information, Amendments for your health care plan, identified action items
More informationHIPAA AND ONLINE BACKUP WHAT YOU NEED TO KNOW ABOUT
WHAT YOU NEED TO KNOW ABOUT HIPAA AND ONLINE BACKUP Learn more about how KeepItSafe can help to reduce costs, save time, and provide compliance for online backup, disaster recovery-as-a-service, mobile
More informationHIPAA, HITECH & Meaningful Use
HIPAA, HITECH & Meaningful Use October 21, 2011 presented by Helen Oscislawski, Esq. Overview - What Has Changed? HITECH Act: Increased Penalties for non-compliance, effective 11/30/2009 New federal requirements
More informationHIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.
HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,
More informationHIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE
HIPAA PRIVACY POLICY AND PROCEDURES FOR PROTECTED HEALTH INFORMATION THE APPLICABLE WELFARE BENEFITS PLANS OF MICHIGAN CATHOLIC CONFERENCE Policy Preamble This privacy policy ( Policy ) is designed to
More informationNon-Union. Health Plan Notices IMPORTANT NOTICE
Non-Union 2015 Health Plan Notices IMPORTANT NOTICE This packet of notices related to our health care plan includes a notice regarding how the plan s prescription drug coverage compares to Medicare Part
More informationHITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government
HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated
More informationHighlights of the Final Omnibus HIPAA Rule
Highlights of the Final Omnibus HIPAA Rule Health Information & the Law Project 1 Jane Hyatt Thorpe, JD Lara Cartwright-Smith, JD, MPH Devi Mehta, JD, MPH Elizabeth Gray, JD Teresa Cascio, JD Grace Im,
More informationHIPAA Privacy and Security: Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches
Presenting a live 90 minute webinar with interactive Q&A HIPAA Privacy and Security: Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches THURSDAY,
More informationHIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)
HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services
More informationCOUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA
COUNTY SOCIAL SERVICES POLICIES AND PROCEDURES FOR COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 HIPAA 1 Recommended by ISP Committee of CSS on October 22 nd, 2014 Amended
More informationHITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule
HITECH Privacy, Security, Enforcement, Breach, and GINA The Final Rule Audio Seminar January 28, 2013 Practical Tools for Seminar Learning Copyright 2012 American Health Information Management Association.
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationCompliance Steps for the Final HIPAA Rule
Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule
More informationNew HIPAA Rules and Implications for the Industry January 29, 2013
New HIPAA Rules and Implications for the Industry January 29, 2013 **Audio for this webinar streams through the web. Please make sure the sound on your computer is turned on. If you need technical assistance,
More information