CLIENT UPDATE. HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors
|
|
- Eleanor Melton
- 5 years ago
- Views:
Transcription
1 CLIENT UPDATE February 20, 2013 HIPAA s Final Rule: The Impact on Covered Entities, Business Associates and Subcontractors On January 25, 2013, the U.S. Department of Health and Human Services ( DHHS ) published its final privacy and security regulations (the Final Rule ) under the Health Insurance Portability and Accountability Act of 1996 ( HIPAA ). The Final Rule implements the changes required by the Health Information Technology for Economic and Clinical Health ( HITECH ) Act of In addition, the Final Rule addresses HIPAA s Enforcement and Breach Notification Rules as well as modifications made to HIPAA s Privacy Rule as required by the Genetic Information Nondiscrimination Act. The Final Rule becomes effective March 26, 2013 and compliance is required by September 23, This Client Alert addresses the following topics: Impact of the Final Rule on Business Associates and Subcontractors; Amendments to the Breach Notification Rule; Changes to Notices of Privacy Practices; and Next Steps for Covered Entities, Business Associates and Subcontractors. Impact of the Final Rule on Business Associates and Subcontractors A significant aspect of the Final Rule is that business associates and their subcontractors are now directly liable for certain violations of the HIPAA Privacy, Security and Breach Notification Rules. In addition, the Final Rule expands the definition of business associate to include any entity (or individual) that creates, receives, maintains, or transmits protected health information ( PHI ) or electronic PHI ( ephi ) on behalf of a covered entity. This change has particular importance for entities such as document storage and shredding companies that maintain PHI or ephi. These entities are now considered business associates even if they never access the PHI they maintain. In addition, data transmission providers that require routine access to ephi are also considered business associates under the Final Rule. Which violations will subject Business Associates and Subcontractors to direct liability? Under the Final Rule, business associates and subcontractors will be directly liable for the following violations: Impermissible uses and disclosures of PHI;
2 Failure to provide a covered entity with notification of a breach; Failure to provide access to ephi to the covered entity, the individual, or the individual s designee as specified in the business associate agreement; Failure to disclose PHI to the Secretary of the DHHS for purposes of determining the business associates (or the subcontractor s) compliance with HIPAA; Failure to provide an accounting of disclosures; and Failure to comply with the HIPAA Security Rule. What is the Impact on Covered Entities? Covered entities should confirm Business Associate Agreements ( BAAs ) are in place with all entities that create, receive, maintain or transmit PHI or ephi on their behalf. For example, if a document storage company maintains PHI on behalf of the covered entity, a BAA is now required. Covered entities should also review their current BAAs to determine whether amendments are required in order to comply with the Final Rule. What BAA provisions are required under the Final Rule? Covered entities (and as applicable, business associates) should review their current BAAs to ensure they address the following: Compliance with the HIPAA Security Rule; Compliance with the HIPAA Privacy Rule (as applicable to business associates); Reporting breaches of unsecured PHI; Business associate s subcontractors must agree to the same restrictions and conditions that apply to the business associate; Impermissible uses and disclosures; Access to ephi; Required disclosures to DHHS for the purpose of determining business associate s compliance with HIPAA; and Limiting disclosures to the minimum necessary. When must BAAs be in compliance with the Final Rule? For all BAAs in effect as of January 25, 2013, covered entities have until September 23, 2014 to amend those BAAs if amendments are required. This transitional relief is applicable only to BAAs, as the parties must comply with requirements of the Final Rule by September 23, New BAAs entered into after January 25, 2013 should reflect the provisions above and should be in place by September 23,
3 Amendments to the HIPAA Breach Notification Rule Amendments to the HIPAA Breach Notification Rule adopted as part of the Final Rule further clarify the duties that have been imposed on covered entities and their business associates since 2009 with regard to breaches of unsecured PHI. What were the Breach Notification Requirements before the Final Rule? The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, required DHHS to enact a rule for Breach Notification for Unsecured Protected Health Information (the Breach Notification Rule ). Consistent with HITECH, DHHS in August of 2009 published an interim final Breach Notification Rule, which has been in force since September of The Breach Notification Rule requires covered entities that discover a breach of unsecured PHI to notify the affected individuals, the Secretary of DHHS, and for breaches involving more than 500 residents of a state or jurisdiction the media. Business associates that discover a breach of unsecured PHI are required to notify the covered entity without unreasonable delay, and in no event later than sixty (60) calendar days after discovery of the breach. Also in 2009, DHHS released guidance specifying encryption and destruction as the two technologies or methodologies recognized as rendering protected health information unusable, unreadable, or indecipherable (i.e., secured) and thus exempt from these breach notification obligations. ( What are the Key Changes to the Breach Notification Rule? Definition of Breach. Previously, a breach was defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA that posed a significant risk of financial, reputational, or other harm to the individual. Under the Final Rule, significant risk of harm is no longer the standard. Rather, the Final Rule presumes that any non-permitted acquisition, access, use, or disclosure constitutes a breach, unless the covered entity or business associate demonstrates that there is a low probability that the PHI has been compromised based on a risk assessment of at least the following factors: The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification; The unauthorized person who used the PHI or to whom the disclosure was made; Whether the PHI as actually acquired or viewed; and The extent to which the risk to the PHI has been mitigated. DHHS agreed with commenters who expressed concern that the harm standard in the interim rule was too subjective, but rejected a bright line approach: [W]e believe that a risk assessment [to determine whether information has been compromised] is necessary, DHHS said, because there are situations in which unauthorized acquisition, access, use, or disclosure of protected health information is so inconsequential that it does not warrant notification. Notification to the Secretary of DHHS. The Final Rule contains a clarifying change concerning the timing of the required notification to the Secretary of DHHS regarding breaches affecting less than 500 3
4 individuals. Whereas the interim rule required notification to the Secretary not later than sixty (60) days after the end of the calendar year in which a breach occurred, the Final Rule recognizes that there may be a delay between the occurrence and the discovery of breaches, and now provides that notification to the Secretary is required not later than sixty (60) days after the end of the calendar year in which a breach is discovered. The remaining changes to the interim rule made by the final Breach Notification Rule are technical and non-substantive. How does the Breach Notification Rule Interplay With other HIPAA Rules? In the Federal Register Notice accompanying the final omnibus HIPAA Rules revisions, DHHS clarified several points of intersection between the Breach Notification Rule and other elements of HIPAA. For example, DHHS stated that a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate and thus, is subject to the HIPAA Breach Notification Rule DHHS also clarified that a business associate that shares information with a third party in furtherance of the business associate s management and administration or legal responsibilities (as permitted under the rule governing contracts between business associates and covered entities) need not enter into a business associate contract with the third party but must obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. With regard to the increased penalty provision imposed by HITECH for HIPAA violations, including data breaches, DHHS notes that where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured PHI, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. Furthermore, in many breach cases, there will be both an impermissible use or disclosure, as well as a safeguards violation, for each of which [DHHS] may calculate a separate civil money penalty. Therefore, one covered entity or business associate may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million. The Costs of Breaches Are High And They Are Rising: DHHS estimates that 19,000 covered entities annually will incur breach notification costs under the new rule, for a total cost of $14.5 million per year, and that 6.71 million patients annually will be affected by these breaches. This estimate is based on breach notifications received by DHHS during calendar years 2010 and Recent industry statistics, however, suggest that breaches of PHI are on the rise, and that far more covered entities may be affected by the final Breach Notification Rule than DHHS has estimated. The Third Annual Benchmark Study on Patient Privacy & Data Security by the respected Ponemon Institute (see: released in December of 2012, determined that ninety- 4
5 four percent (94%) of the eighty (80) healthcare organizations that participated in the benchmark study had experienced at least one data breach in the past two years, with forty-five percent (45%) of respondents reporting more than five (5) such incidents. Based on costs reported by the study respondents, Ponemon states that the average cost to deal with these breaches was $2.4 million per organization over a two-year period. These breach rates and costs were noted as having increased dramatically since Ponemon estimates that the total annual cost to the healthcare industry of patient data breaches could easily reach into the billions of dollars. Perhaps ironically, the study concludes that breach rates in the healthcare sector are high due, at least in part, to lack of funding. Only twenty-seven percent (27%) of respondents indicated having sufficient resources to combat data breaches, and only thirty-four percent (34%) reported having a sufficient security budget. These figures, together with the more stringent requirements now imposed by the Breach Notification Rule, may induce some healthcare organizations to consider increasing their investment in preventing data breaches from occurring and in developing effective protocols for responding, should the worst occur. Kutak Rock s HIPAA team is available to assist our healthcare clients in assessing and managing their data breach risks. Changes to Notice of Privacy Practices Most covered entities are required to distribute a Notice of Privacy Practices ( NPP ). The NPP describes the uses and disclosures of PHI permitted to be made by a covered entity, the covered entity s duties and privacy practices with respect to PHI and the individual s rights with respect to their PHI. What modifications to the NPP does the Final Rule require? The Final Rule requires covered entities to make certain modifications to their NPPs. These modifications are described in the table below. NPP MODIFICATION TABLE Modification Category Uses and disclosures requiring authorization Description of Modification The NPP must be revised to include a statement that the following requires an authorization: (i) most uses and disclosures of psychotherapy notes, 1 (ii) uses and disclosures of PHI for marketing purposes, and (iii) disclosures that constitute a sale of PHI. 1 If a covered entity does not record or maintain psychotherapy notes, it need not include a statement in its NPP about the psychotherapy note authorization requirement. Additionally, covered entities are not required to include a description of their recordkeeping practice with respect to psychotherapy notes, though they may do so. 5
6 Fundraising Genetic information Restriction on uses and disclosures Unsecured PHI Breaches If a covered entity intends to contact an individual for fundraising purposes, the NPP must include a statement notifying the individual of that fact and that the individual has a right to opt out of receiving such communications. 2 If a health plan covered entity (other than certain issuers of long-term care policies) intends to use or disclose PHI for underwriting purposes, the NPP must include a statement that the health plan is prohibited from using or disclosing PHI that is genetic information of an individual for such purposes. The NPP of health care providers 3 must inform individuals of their right to restrict certain disclosures of PHI to a health plan in instances when an individual pays out-of-pocket in full for the health care item or service. The NPP must include a statement that the covered entity is required by law to notify individuals following a breach of Unsecured PHI. 4 When do revised NPPs need to be distributed? The Final Rule requires covered entities to distribute revised NPPs, or notice of the material changes, as follows: For a health plan that posts its notice on its web site, the plan must prominently post the material changes to the NPP, or the revised NPP, on its web site by the effective date of the revised notice (which will be September 23, 2013 in most cases) and provide the revised NPP, or information about the material changes and how to receive the revised NPP, in its next annual mailing to individuals then covered by the plan. For a health plan that does not post its notice on its web site, the plan must provide the revised NPP, or information about the material changes and how to receive the revised NPP, to individuals then covered by the plan within 60 days of the material revision to the notice. For health care provider covered entities with a direct treatment relationship with an individual, the health care provider must make the revised NPP available upon request on or after the effective date of the revision and have the revised NPP available at the delivery site and post the notice in a clear and prominent location. In addition, such providers would be required to give a copy of the revised NPP to, and obtain a good faith acknowledgement of receipt from, new patients. 2 Because individuals will be provided the opportunity to opt out of fundraising communications with each solicitation, the Final Rule does not require the NPP to include the mechanism for individuals to opt out of receiving fundraising communications, although covered entities may do so if they so choose. 3 Other covered entities may retain language indicating that the covered entity is not required to agree to a requested restriction. 4 The Final Rule states that the NPP s Unsecured PHI Breach language is not intended to add undue complexity or length to the NPP and that the statement need not (i) describe how the covered entity will conduct a risk assessment, (ii) include the descriptions of breach or unsecured PHI or (iii) describe the types of information to be included in the actual breach notification. However, covered entities may include this type of information if they wish. 6
7 As under existing law, covered entities also have the option to distribute their revised NPPs or notices of material changes by , provided the individual has agreed to receive an electronic copy of the revised NPPs or material change notices. What special requirements apply to the revised NPPs? Finally, in general, covered entities are required to take steps necessary to ensure effective communication with individuals with disabilities with respect to the revised NPPs. This could include making the revised NPP available in alternative formats, such as Braille, large print or audio. Some covered entities may also be required to take reasonable steps to ensure meaningful access for Limited English Proficient persons, which could mean that the covered entity is required to translate the NPP into frequently encountered languages. Next Steps for Covered Entities, Business Associates and Subcontractors Generally, covered entities, business associates, and subcontractors (as applicable) should take the steps outlined below to comply with the changes contained in the Final Rule. If you have any questions or if we can assist you in taking these steps, please contact any of the attorneys listed below. What are the Next Steps for Covered Entities? A covered entity should: Review and revise its HIPAA policies and procedures as necessary to comply with the Final Rule, placing particular emphasis on the changes to the rules relating to research, fundraising, marketing, and the sale of PHI. Review and revise its policies and procedures relating to breaches of unsecured PHI. Review and revise its NPP and plan for the distribution of its revised NPP. Review and revise its BAA templates to comply with the Final Rule. Inventory its existing BAAs, use the revised BAA templates for any new relationships entered between now and September 23, 2013, and implement a process to amend BAAs in effect as of January 25, 2013 by September 23, Update its HIPAA authorizations and other forms as necessary to comply with the Final Rule. Modify its HIPAA training programs to include the changes made by the Final Rule and begin training its workforce with respect to these changes. What are the Next Steps for Business Associates? A business associate should: Develop and/or update its HIPAA privacy and security policies and procedures, including its policies and procedures relating to breaches of unsecured PHI. Conduct a security risk assessment. 7
8 Review and revise its BAA templates to comply with the Final Rule. Inventory its existing BAAs entered with covered entities, use the revised BAA templates for any new relationships with covered entities entered between now and September 23, 2013, and implement a process to amend BAAs in effect as of January 25, 2013 by September 23, 2014 Inventory its existing relationships with subcontractors, inventory and review existing subcontractor BAAs, develop and/or revise subcontractor BAA templates to comply with the Final Rule and use the BAA templates for any new subcontractor relationships entered between now and September 23, 2013, and implement a process to amend subcontractor BAAs in effect as of January 25, 2013 by September 23, Develop and/or update its HIPAA training programs to address the business associate s HIPAA compliance program and related policies and procedures. What are the Next Steps for Subcontractors? Subcontractors are now directly liable for certain HIPAA violations. Entities or individuals that may be considered a subcontractor under HIPAA should: Review the definition of subcontractor to determine if you qualify as a subcontractor. Develop and/or update its HIPAA privacy and security policies and procedures, including policies and procedures relating to Unsecured PHI Breaches. Conduct a security risk assessment. Review and revise its BAA templates to comply with the Final Rule. Inventory its existing relationships with business associates and subcontractors, inventory and review existing business associate and/or subcontractor BAAs, develop and/or revise business associate and/or subcontractor BAA templates to comply with the Final Rule, use the BAA templates for any new business associate and/or subcontractor relationships entered between now and September 23, 2013, and implement a process to amend subcontractor BAAs in effect as of January 25, 2013 by September 23, Develop and/or update its HIPAA training programs to address the subcontractor s HIPAA compliance program and related policies and procedures. Additional Information If you wish to visit with us about the Final Rule or any other HIPAA compliance issues, please contact your Kutak Rock LLP attorney or a member of our HIPAA compliance team listed below. Juliana Reno Juliana.Reno@KutakRock.com Bryan G. Looney Bryan.Looney@KutakRock.com G. Mark Sappington Mark.Sappington@KutakRock.com Kathryn M. Magli Kathryn.Magli@KutakRock.com 8
9 L. Elise Dieterich Mike Fowler Diane Stewart-Ferro Sara J.B. English Kutak Rock LLP The Omaha Building 1650 Farnam Street Omaha, NE (402) This Client Alert is a publication of Kutak Rock LLP. It is intended to notify our clients and friends of current events and provide general information about employee benefits issues. This Client Alert is not intended, nor should it be used, as legal advice, and it does not create an attorney-client relationship. Kutak Rock LLP All Rights Reserved. This communication may be considered advertising in some jurisdictions. 9
Management Alert Final HIPAA Regulations Issued
Management Alert Final HIPAA Regulations Issued After much anticipation, the Department of Health and Human Services (HHS) has issued its omnibus set of final regulations modifying and clarifying the privacy,
More informationHITECH and HIPAA: Highlights for Health Departments. Aimee Wall UNC School of Government
HITECH and HIPAA: Highlights for Health Departments Aimee Wall UNC School of Government When Congress enacted sweeping legislation in February designed to stimulate the nation s economy, it incorporated
More informationHIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013
HIPAA: Final Omnibus Rule is Here Arizona Society for Healthcare Risk Managers November 15, 2013 Pat Henrikson, Banner Health HIPAA Compliance Program Director, Chief Privacy Officer Agenda Background
More informationHIPAA Training. HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel
HIPAA Training HOPE Health Facility Administrators June 2013 Isaac Willett and Jason Schnabel Agenda HIPAA basics HITECH highlights Questions and discussion HIPAA Basics Legal Basics Health Insurance Portability
More informationCompliance Steps for the Final HIPAA Rule
Brought to you by The Alpha Group for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions.
More informationHIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment
More informationTo: Our Clients and Friends January 25, 2013
Life Sciences and Health Care Client Service Group To: Our Clients and Friends January 25, 2013 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules under the Health
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS
HIPAA BUSINESS ASSOCIATE AGREEMENT BUSINESS ASSOCIATES AND SUBCONTRACTORS This HIPAA Business Associate Agreement ( BAA ) is entered into on this day of, 20 ( Effective Date ), by and between Allscripts
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationHIPAA Omnibus Rule. Critical Changes for Providers Presented by Susan A. Miller, JD. Hosted by
HIPAA Omnibus Rule Critical Changes for Providers Presented by Susan A. Miller, JD Hosted by agenda What the Omnibus Rule includes + Effective and Compliance Dates Security Breach Notification Enforcement
More informationGUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do
GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationHIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities
Health Care Focus March 2013 HIPAA Omnibus Final Rule Has Important Changes for Business Associates and Covered Entities Peggy L. Barlett 608.284.2214 pbarlett@gklaw.com M. Scott LeBlanc 414.287.9614 sleblanc@gklaw.com
More informationAFTER THE OMNIBUS RULE
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan Member
More informationBusiness Associate Agreement
This Business Associate Agreement Is Related To and a Part of the Following Underlying Agreement: Effective Date of Underlying Agreement: Vendor: Business Associate Agreement This Business Associate Agreement
More informationInterim Date: July 21, 2015 Revised: July 1, 2015
HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More informationCompliance Steps for the Final HIPAA Rule
Compliance Steps for the Final HIPAA Rule On Jan. 25, 2013, the Department of Health and Human Services (HHS) issued a final rule under HIPAA s administrative simplification provisions. The final rule
More informationBREACH NOTIFICATION POLICY
PRIVACY 2.0 BREACH NOTIFICATION POLICY Scope: All subsidiaries of Universal Health Services, Inc., including facilities and UHS of Delaware Inc. (collectively, UHS ), including UHS covered entities ( Facilities
More informationCoping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!
Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,
More informationOmnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule
Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions
More informationHIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school
ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes
More informationThe Impact of Final Omnibus HIPAA/HITECH Rules. Presented by Eileen Coyne Clark Niki McCoy September 19, 2013
The Impact of Final Omnibus HIPAA/HITECH Rules Presented by Eileen Coyne Clark Niki McCoy September 19, 2013 0 Disclaimer The material in this presentation is not meant to be construed as legal advice
More informationHIPAA OMNIBUS FINAL RULE
HIPAA OMNIBUS FINAL RULE Webinar Series Part 3 Breach Notification April 16, 2013 I. BACKGROUND 2 1 Background > HIPAA Omnibus Final Rule: Announced on January 17, 2013 Published in Federal Register on
More informationPATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS
PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationMEMORANDUM. Kirk J. Nahra, or
MEMORANDUM TO: FROM: Interested Parties Kirk J. Nahra, 202.719.7335 or knahra@wileyrein.com DATE: January 28, 2013 RE: The HIPAA/HITECH Omnibus Regulation After almost four years, the Department of Health
More informationLegal and Privacy Implications of the HIPAA Final Omnibus Rule
Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationGetting a Grip on HIPAA
Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy
More informationSATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE
SATINSKY CONSULTING, LLC FINAL OMNIBUS HIPAA PRIVACY AND SECURITY RULE This newsletter summarizes the highlights of the Final Omnibus HIPAA Privacy and Security Rule announced by the Department of Health
More informationHIPAA The Health Insurance Portability and Accountability Act of 1996
HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Robert S. Ellerbrock, III Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 Reasons for HIPAA Privacy Rules Perceived need for protection
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.
More informationHIPAA THE NEW RULES. Highlights of the major changes under the Omnibus Rule
HIPAA THE NEW RULES Highlights of the major changes under the Omnibus Rule AUTHOR Gamelah Palagonia, Founder CIPM, CIPP/IT, CIPP/US, CIPP/G, ARM, RPLU+ PRIVACY PROFESSIONALS LLC gpalagonia@privacyprofessionals.com
More informationHHS, Office for Civil Rights. IAPP October 11, 2012
HHS, Office for Civil Rights IAPP October 11, 2012 Enforce federal civil rights laws and the HIPAA Privacy and Security Rules HQ and 10 Regional Offices Region IX has jurisdiction over covered entities
More informationHEALTH LAW ALERT January 21, 2013
HEALTH LAW ALERT January 21, 2013 Omnibus Privacy Rule Issued HHS Imposes More Stringent Breach Notification Standard Requires Changes to Privacy Notices, Business Associate Agreements On Thursday, the
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy
More informationHIPAA Compliance Under the Magnifying Glass
HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information
More informationBreach Policy. Applicable Standards from the HITRUST Common Security Framework. Applicable Standards from the HIPAA Security Rule
Breach Policy To provide guidance for breach notification when impressive or unauthorized access, acquisition, use and/or disclosure of the ephi occurs. Breach notification will be carried out in compliance
More informationHIPAA Omnibus Final Rule and Research
Office of the Secretary Office for Civil Rights () HIPAA Omnibus Final Rule and Research Federal Demonstration Partnership September 17, 2013 Christina Heide, JD Senior Health Information Privacy Policy
More informationHayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More informationACC Compliance and Ethics Committee Presentation February 19, 2013
ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.
More informationHIPAA: Impact on Corporate Compliance
HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal
More informationPreparing for a HIPAA Audit & Hot Topics in Health Care Reform
Preparing for a HIPAA Audit & Hot Topics in Health Care Reform 2013 San Francisco Mid-Sized Retirement & Healthcare Plan Management Conference March 17-20, 2013 Elizabeth Loh, Esq. Copyright Trucker Huss,
More informationDetermining Whether You Are a Business Associate
The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationHIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules
HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!
More informationChanges to HIPAA Privacy and Security Rules
Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN
More informationARRA s Amendments to HIPAA Privacy & Security Rules
ARRA s Amendments to HIPAA Privacy & Security Rules Georgina L. O Hara Jessica R. Bernanke April 29, 2009 www.morganlewis.com Amended HIPAA Privacy and Security Rules HIPAA Amendments are in The Health
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ), is between Birch Family Services, Inc., a New York not-for-profit corporation ( Covered Entity ) and ( Business Associate
More informationInterpreters Associates Inc. Division of Intérpretes Brasil
Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable
More informationHIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017
HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ) by and between (hereinafter known as Covered Entity ) and Office Ally, Inc., a clearinghouse Covered Entity under HIPAA, providing
More informationBUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and
BUSINESS ASSOCIATE AGREEMENT Between THE NORTH CENTRAL TEXAS COUNCIL OF GOVERNMENTS and WHEREAS, Dallas County, Tarrant County, Denton County, Parker County, the North Texas Tollway Authority have created
More informationBusiness Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service
More informationBUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate)
BUSINESS ASSOCIATE AGREEMENT (for use when there is no written agreement with the business associate) This HIPAA Business Associate Agreement ( Agreement ) is entered into this day of, 20, by and between
More informationBusiness Associate Agreement
Business Associate Agreement This Business Associate Agreement (this Agreement ) is entered into on the Effective Date of the Azalea Health Software as a Service Agreement and/or Billing Service Provider
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( Agreement ) is entered into this 22 nd day of September, 2014 ( Effective Date ), by and between Customer_Name with a place of business
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Agreement is by and between The Health Plan ( Plan ) and Priority Health Managed Benefits, Inc., a Michigan Third Party Administrator ( Business Associate
More informationFifth National HIPAA Summit West
Fifth National HIPAA Summit West Privacy and Security under the HITECH Act W. Reece Hirsch Paul T. Smith, Partner, Partner, Hooper, Lundy & Bookman 1 Developments The Health Information Technology for
More informationThe HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance. Patricia A. Markus, Esq.
The HIPAA/HITECH Final Rule: Time to Get More Serious About Compliance I. INTRODUCTION Patricia A. Markus, Esq. AHLA Hospitals and Health Systems Law Institute February 13, 2013 On January 17, 2013, the
More information"HIPAA RULES AND COMPLIANCE"
PRESENTER'S GUIDE "HIPAA RULES AND COMPLIANCE" Training for HIPAA REGULATIONS Quality Safety and Health Products, for Today...and Tomorrow OUTLINE OF MAJOR PROGRAM POINTS OUTLINE OF MAJOR PROGRAM POINTS
More informationThe Privacy Rule. Health insurance Portability & Accountability Act
The Privacy Rule Health insurance Portability & Accountability Act Enacted on August 21, 1996 to amend the Internal Revenue Code of 1986 To improve portability and continuity of health insurance coverage
More informationICAHN Presentation. Final Omnibus Rule and Security Risk Analysis. July 26, David Ginsberg
ICAHN Presentation Final Omnibus Rule and Security Risk Analysis July 26, 2013 David Ginsberg PrivaPlan Associates, Inc. PrivaPlan Associates, Inc. is the leading authority in HIPAA Privacy and Security
More informationBusiness Associate Agreement For Protected Healthcare Information
Business Associate Agreement For Protected Healthcare Information This Business Associate Agreement ( Agreement ) is entered into this 24th day of February 2017, between PRACTICE-WEB, Inc., a California
More informationBUSINESS ASSOCIATE AGREEMENT
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (this Agreement ) is made effective as of the of, (the Effective Date ), by and between day hereafter referred to as ( Business Associate
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More informationOVERVIEW OF RECENT CHANGES IN HIPAA AND OHIO PRIVACY LAWS
Franklin J. Hickman Janet L. Lowder David A. Myers Elena A. Lidrbauch Judith C. Saltzman Mary B. McKee Amanda M. Buzo Lisa Montoni Garvin Andrea Aycinena Penton Building 1300 East Ninth Street Suite 1020
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationAssessing and Mitigating Risk Under the HIPAA Omnibus Rule
Compliance Institute San Diego, CA April 1, 2014 Assessing and Mitigating Risk Under the HIPAA Omnibus Rule Darrell W. Contreras, Esq., LHRM, CHPC, CHC, CHRC Chief Legal & Compliance Officer PlusDelta
More informationColorado Medical Society. June 3, Presented by David A. Ginsberg President, PrivaPlan Associates, Inc.
Colorado Medical Society The HIPAA OMNIBUS RULE June 3, 2013 Presented by David A. Ginsberg President, PrivaPlan Associates, Inc. Agenda The HIPAA Omnibus Rule - a high level overview Effective dates SpeciLic
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationPreparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013
Preparing to Comply With the HITECH Final Rule Tuesday, March 19, 2013 Attorney Advertising Prior results do not guarantee a similar outcome Models used are not clients but may be representative of clients
More informationHIPAA & The Medical Practice
HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, JD, MHA, CHA Founder & Principal, Campanella Law Office Of Counsel, The Beinhaker Law Firm BEINHAKER,
More informationARTICLE 1. Terms { ;1}
The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing
More informationRECITALS. In consideration of the mutual promises below and the exchange of information pursuant to this BAA, the Parties agree as follows:
This Business Associate Agreement ( BAA ) is entered into by and between NORCAL Mutual Insurance Company ( NORCAL ) and Insured/Applicant ( Covered Entity ) and is effective as of September 23 rd, 2013
More informationNETWORK PARTICIPATION AGREEMENT
NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and
More informationALERT. November 20, 2009
ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made
More informationContaining the Outbreak: HIPAA Implications of a Data Breach. Jason S. Rimes. Orlando, Florida
Containing the Outbreak: HIPAA Implications of a Data Breach Orlando, Florida www.lowndes-law.com Jason S. Rimes 2013 Lowndes, Drosdick, Doster, Kantor & Reed, P.A. All Rights Reserved Protected Health
More informationSaturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules
Saturday, April 28 Medical Ethics: HIPAA Privacy and Security Rules Gina Campanella, JD HIPAA & The Medical Practice Requirements for Privacy, Security and Breach Notification Gina L. Campanella, Esq.
More informationHIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES
SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES Policy Name: BREACH NOTIFICATION REQUIREMENTS Policy Number: 5.16 Reference: 45 CFR Parts 164 Effective Date:
More informationHIPAA. What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional)
HIPAA Infection Control OSHA Dental Practice Act HIPAA What s New & What Do I Have To Do? Presented by Leslie Canham, CDA, RDA, CSP (Certified Speaking Professional) In the dental field since 1972, Leslie
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More informationBUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,
More informationOmnibus HIPAA Rule: Impact on Covered Entities
Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationOMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT RECITALS
OMNIBUS COMPLIANT BUSINESS ASSOCIATE AGREEMENT Effective Date: September 23, 2013 RECITALS WHEREAS a relationship exists between the Covered Entity and the Business Associate that performs certain functions
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationHIPAA STUDENT ASSOCIATE AGREEMENT
HIPAA STUDENT ASSOCIATE AGREEMENT This Agreement dated as of, 20 is made by and between Petaluma Health Center (Hereinafter Covered Entity ) and (Hereinafter Student ). INTRODUCTION This Agreement governs
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2018 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled
More informationHIPAA Update. Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights
HIPAA Update Jamie Sorley U.S. Department of Health and Human Services Office for Civil Rights New Mexico Health Information Management Association Conference April 11, 2014 Albuquerque, NM Recent Enforcement
More information