HIPAA COMPLIANCE ROADMAP AND CHECKLIST FOR BUSINESS ASSOCIATES
- Augusta Robertson
- 5 years ago
The Health Information Technology for Economic and Clinical Health Act (HITECH Act), enacted as part of the American Recovery and Reinvestment Act of 2009, marks a fundamental change in the federal government's approach to ensuring compliance with HIPAA privacy and security rules.[1] Under the HITECH Act, the federal government, in an effort to strengthen HIPAA, has enacted a rigorous enforcement strategy that includes stricter privacy and security standards, increased penalties for violations, and expanded federal and state enforcement authority, all of which are now directly applicable to Business Associates (BAs). In the past, BAs only had contractual liability under HIPAA. The HITECH Act changes BAs' obligations and exposure under HIPAA from purely contractual to both contractual and statutory. This means that in addition to being liable under their business associate agreements (BAAs), BAs will now be subject to many of the legal requirements set forth in the HIPAA privacy and security rules, including civil and criminal penalties.

Further, the HITECH Act has expanded the definition of BAs under HIPAA. This means that certain vendors of personal health records (PHR) systems and certain data transmission organizations, such as Regional Health Information Organizations (RHIOs), are now considered BAs and subject to HIPAA. The definition of BAs was further expanded to include subcontractors of BAs, pursuant to a Proposed Rule published on July 14, 2010 to implement the privacy, security, and enforcement provisions of the HITECH Act (the Proposed HITECH Rule).

Foley's Health Care Industry Team has designed this roadmap (Roadmap) to assist BAs in their compliance efforts with the new HIPAA legal requirements by highlighting key provisions and outlining steps to aid in their quest for HIPAA compliance. To further aid the BAs in their compliance activities, a high-level checklist (Checklist) is included at the end of this Roadmap.

Although most of the provisions discussed below technically became effective on February 17, 2010 under the HITECH statute, the Department of Health and Human Services (HHS) has indicated in the Proposed HITECH Rule that it will not enforce compliance until 180 days after the effective date of a final rule (the Final HITECH Rule) that will incorporate changes based on public comments to the Proposed HITECH Rule.

Who Are BAs?

Prior to enactment of the HITECH Act, BAs were generally defined to include entities engaged in certain administrative activities or services for or on behalf of covered entities (CEs), which required access to protected health information (PHI), including claims processing, billing, benefit management, utilization review, management services, and consulting services. However, under HITECH, the definition of a BA has been expanded to include the following organizations:

- Organizations providing PHI data transmission to CEs such as Health Information Exchange Organizations, RHIOs, and e-prescribing gateways
- Vendors contracting with CEs to provide PHR systems to patients[2]

The Proposed HITECH Rule further expanded the definition of a BA to include subcontractors of BAs who perform functions or provide services to a BA which involve access to PHI other than in the capacity of a work force member ("Subcontractors"). This expanded definition of what constitutes a BA now subjects many previously non-covered organizations to the HIPAA requirements governing the privacy of medical or health information. The expansion of BA status to Subcontractors, which is found in the Proposed HITECH Rule, is especially significant because, if included in the Final Rule, it will extend the requirements of HIPAA to a vast new class of vendors.

What Can Happen to BAs That Fail to Comply With HIPAA?

BAs will be subject to periodic audits by the Office for Civil Rights (OCR), the HHS agency responsible for monitoring and enforcing the HIPAA privacy and security rules. BAs found to be non-compliant will be considered to be in violation of the law and subject to the following:

- Civil monetary penalties (CMPs) of between $100 and $10,000 per violation, with maximum penalties of $1.5 million per calendar year
- Criminal penalties for HIPAA violations
- A mandatory HHS investigation and assessment of CMPs (in cases of willful HIPAA violations)
- Civil actions brought by state attorneys general for HIPAA violations that involve residents in their individual states

[1] Throughout this document, the term "HIPAA" will be defined to include the provisions of the HITECH Act, unless otherwise specifically noted.
[2] Vendors that provide PHR systems, but do not do so on behalf of CEs, will be subject to security breach notification under the HITECH Act, which will be enforced by the FTC, rather than HHS.

Foley & Lardner LLP. Attorney Advertisement. Prior results do not guarantee a similar outcome. 321 North Clark Street, Chicago, IL

Key HIPAA BA Requirements

What Must BAs Do Under the New Security Breach Notification Requirements?

Perhaps the most significant provision in HITECH is a new breach notification requirement which applies to both covered entities (CEs) and BAs. This new requirement was implemented by a final interim rule (the Breach Notification Rule) published on August 24, 2009, effective September 23, Under this new requirement, BAs must notify the CEs with whom they contract of any breaches of unsecured PHI and, to the extent possible, identify the individuals whose information was compromised if the breach poses a significant risk for financial, reputational or other harm to the individual. Upon receiving notice of a reportable security breach, the CEs have the responsibility to notify the individuals whose information has been breached. In some circumstances, the CEs also will have to provide notice to HHS and to local media. Notification must take place without unreasonable delay and no later than 60 calendar days from discovery, as required by law. BAs will bear the burden of proof for demonstrating that any delay in notifying the CEs of a security breach was reasonable. Except as required by law enforcement officials, BAs must notify the CEs no later than 60 calendar days from the date of discovery.

How do the new security breach notification requirements change a BA's obligations?

BAs are currently obligated by their BAAs to notify CEs of unauthorized uses or disclosures of PHI, as well as security incidents. The HITECH Act expands this requirement and requires that BAs notify CEs of any security breach of unsecured PHI discovered by the BAs. The HITECH Act defines "security breach" to include the unauthorized acquisition, access, use, or disclosure of PHI that compromises the security or privacy of such information, with certain exceptions for inadvertent acquisition, access, or use of PHI by employees and agents.
an unauthorized acquisition, access, use, or disclosure of PHI compromises the privacy or security of PHI. The privacy or security of an individual's PHI is deemed compromised only if the unauthorized acquisition, access, use or disclosure poses a significant risk for financial, reputational or other harm to the individual. It is important to note that unless an exception applies, inappropriate acquisition, access, or use of unsecured PHI by employees which meets this test is considered a reportable security breach.

What information is covered by the new security breach notification requirements?

Security breaches apply only to unsecured PHI. HHS has issued guidance (HHS Guidance) defining the technologies and methodologies to secure PHI, thus rendering the data unusable, unreadable, or indecipherable. Essentially, PHI must be either encrypted or destroyed as described in the HHS Guidance to be considered secured. If PHI is secured in accordance with the HHS Guidance, then unauthorized access to or use or disclosure of such information will not trigger the security breach notification requirements. However, such breaches may still be subject to state law notification requirements as discussed below.

When must CEs and BAs provide notice?

CEs are required to notify patients without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. The date of discovery may not necessarily be the date of actual discovery, but rather, the date that one should have discovered the breach using reasonable diligence. Therefore, CEs and BAs should make sure reasonable measures are in place to catch potential security breaches as well as properly train employees to be able to spot these potential breaches. BAs must timely report security breaches to CEs to enable them to notify the individuals within this deadline. It is likely that CEs will amend BAAs to impose tight deadlines on BAs to report security breaches to the CEs, so that the CEs will have time to meet their obligations.

What information is required in the notification?

BAs are required to include certain information about affected individuals in their reports to CEs to enable the CEs to properly notify affected individuals. The notification should include a brief description of the incident, including the date of the breach and date it was discovered, and the type of unsecured PHI that was breached. CEs will likely require BAs to include additional information regarding the breach as CEs may need additional information to satisfy their requirements in providing notification to the affected individuals. In some circumstances, CEs may look to contractually obligate BAs who are the subject of a security breach to make the required notifications on behalf of the CEs.
The BAs will need to ensure their notification is compliant with HIPAA requirements.

How do the HIPAA security breach notification requirements affect BAs' obligations under state security breach notification requirements?

HIPAA does not preempt more stringent state laws. Essentially, this means that BAs subject to state security breach notification laws will continue to have to comply with those laws. BAs should consult with legal counsel for assistance with defining these obligations and conducting any necessary preemption analysis.

What should BAs do to comply with the new HIPAA security breach notification requirements?

BAs must develop policies and internal procedures to ensure a coordinated system for internal reporting of breaches of unsecured PHI, prompt internal investigation of alleged breaches, and reporting to the CEs with whom they contract. Please see the Checklist below for guidance on compliance with the security breach notification requirements.

What if BAs use subcontractors to provide services requiring access to PHI?

BAs that use Subcontractors will have to ensure that they contractually bind their Subcontractors to report security breaches in sufficient time to allow the BAs to report back to the CEs. BAs must also contractually bind their Subcontractors to all additional terms required of BAs by HIPAA, since the Subcontractors themselves are now deemed BAs. This includes, but is not limited to, requiring Subcontractors to develop similar policies, procedures, and processes for investigating and reporting breaches.

HIPAA Security Rule: What Must BAs Do to Comply With the HIPAA Security Rule?

Pursuant to the HITECH Act, BAs (including Subcontractors) must also be in full compliance with the HIPAA Security Rule standards and implementation specifications for administrative, physical, and technical safeguards.

How does application of the HIPAA Security Rule to BAs change a BA's obligations?

Compliance means that many BAs will need to do more than they have previously done in terms of securing electronic PHI. Even though BAs have been contractually required under HIPAA prior to HITECH to implement appropriate administrative, physical and technical safeguards to protect electronic PHI, the measures, policies, and procedures that a BA previously had in place may be insufficient for HIPAA compliance after HITECH. The HIPAA Security Rule contains a series of very specific standards and implementation specifications. BAs must now comply with each of the specific standards and implementation specifications under HIPAA to the same extent as CEs.

What is the first step BAs should take to become compliant with the HIPAA Security Rule?
The first step in compliance is understanding the HIPAA Security Rule requirements and conducting a gap analysis to identify the areas where the BAs' information security systems and programs fall short of meeting the HIPAA Security Rule requirements. To aid in this process, see the Checklist at the end of this Roadmap. This Checklist should also help guide the BAs in compliance efforts under the HIPAA security breach notification requirements.

If BAs use subcontractors that will have access to the BAs' electronic systems, including electronic PHI, what should the BAs do to cover themselves?

As noted above, Subcontractors are now included within the definition of BAs. This means that BAs are, in effect, required to enter into a BAA with their Subcontractors incorporating all of the requirements that the BAs themselves must satisfy. Without limiting the foregoing, BAs should ensure that contracts with Subcontractors contain appropriate language to address information security and protect BAs from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security. BAs should consider development of an information security due diligence questionnaire to be provided to potential Subcontractors in order to evaluate their ability to protect PHI and other valuable data.

Statutory Liability for Business Associate Agreement Terms: What Else Must BAs Do to Comply With Other HIPAA Requirements?

Under the HITECH Act, BAs will have direct statutory as well as contractual liability for violations of HIPAA or the terms of their BAAs.

What are the initial steps BAs should take?

BAs should evaluate their current policies, procedures, and processes applicable to their ability to comply with HIPAA as now required by statute as well as by their BAAs to ensure they are robust and will facilitate compliance.

What other steps should BAs take in light of these new requirements?

Training of personnel will be even more critical, and existing policies and procedures should be evaluated. Policies on employee sanctions for violations of HIPAA and requirements in BAAs should be evaluated and strengthened.

Amendment to BAAs: What Should BAs Expect, and What Proactive Steps Should They Take?

In the Proposed HITECH Rule, HHS indicated that CEs and BAs will have up to a year after the effective date of the Final HITECH Rule to amend their BAAs to conform to HITECH's new requirements. Nevertheless, some CEs and BAs may choose to implement amendments sooner rather than later. In addition, CEs and BAs may want to develop new templates to use in contracting with any new BAs or Subcontractors.
While additional amendments may be necessary once the Final HITECH Rule is issued, this will permit the parties to have agreements in place that are as up to date and protective as possible.

What new terms should BAs expect to find CEs inserting into BAAs?

With the increased public exposure that may result from breaches of unsecured PHI and the implications for their businesses, CEs are likely to require renegotiation of a broad range of business issues associated with the new HIPAA security breach notification requirements. BAAs can be expected to become more complex. Responsibility for costs associated with security breaches as well as risk mitigation strategies in the event of a security breach are likely to be key issues in BAAs. CEs will likely press for broad indemnification from BAs. Certain CEs may require BAs who are the subject of a security breach to make the required notifications on behalf of the CEs, and/or to be responsible for all costs associated with a security breach. The attached Checklist contains some additional information on preparing to renegotiate BAAs with CEs.

What can BAs do to proactively address the required amendment to BAAs?

BAs should consider drafting their own form amendments and should create or revise their existing template BAAs to incorporate the changes required under the HITECH Act. This will allow the BAs to create BAAs that contain the provisions required by law, and yet are drafted to be more favorable and less burdensome to the BAs. This may help to minimize negotiation of terms that are not required by law, but that CEs will insert into form agreements to benefit the CEs and to reallocate risk to the BAs.

What should BAs do about existing subcontract agreements?

These agreements should be amended to reflect the new applicable obligations of the BAs, and to address the fact that the Subcontractors themselves are now deemed BAs. BAs should insert appropriate language to address information security and protect the BAs from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security. The agreement between the BA and the Subcontractor may look much like the BAA between the CE and the BA.

Other New HIPAA Requirements: What Other New HIPAA Requirements Will Now Be Applicable to BAs?

Pursuant to the HITECH Act, both BAs and their CEs will be required to comply with a series of additional HIPAA requirements, including changes to the rules governing accounting of disclosures made from an electronic record, prohibition on sale of PHI or an EHR, and new conditions on marketing communications. These and other requirements are addressed in the Proposed HITECH Rule and may be subject to change when the Final HITECH Rule is issued. As noted above, HHS has indicated that it will not enforce most of these requirements until 180 days after the enforcement date of the Final Rule.

CHECKLIST FOR BUSINESS ASSOCIATES

To assist BAs in complying with the changes to HIPAA under the HITECH Act, we have created the Checklist below. This document is intended to provide general, high-level guidance only and is not intended to provide or be a substitute for legal advice. BAs should consult legal counsel to understand their obligations under HIPAA and the HITECH Act. The following Checklist highlights key provisions in the HITECH Act that apply to BAs and provides a high-level outline of some important steps to aid a BA to achieve HIPAA compliance.

Compliance With the HIPAA Breach Notification Requirements

On August 24, 2009, HHS issued the Breach Notification Rule, which implements the security breach notification requirements found in the HITECH Act. The security breach notification requirements became effective for security breaches occurring on or after September 23, BAs which have not already done so should take the following steps to bring their organizations into compliance.

- Review existing policies and procedures to determine if they address security breach notification and identify modifications required for compliance with the Breach Notification Rule.
- Determine whether the organization is also subject to state breach notification requirements. If so, assess state law preemption and compliance issues as they relate to the HIPAA security breach notification requirements.
- Develop or refine security breach notification procedures to ensure that a centralized, coordinated security breach reporting system is in place. Consider the following:
  - The procedures should designate the individual responsible for ensuring that breaches involving PHI are investigated fully. This individual also should have the ultimate decision-making authority for determining whether there has been a reportable breach.
  - Procedures should provide for consultation with outside legal counsel as necessary for assistance with determining whether a reportable breach has occurred and, if so, when it was discovered.
  - The procedures should ensure that breaches are reported to the CEs without unreasonable delay.
  - The procedures must ensure that individuals whose information has been compromised are appropriately identified, if possible, and reported to the CEs.
  - The procedures should require that employees be trained on the reporting procedures and the requirements for handling PHI.
  - The procedures should include appropriate sanctions for employees who mishandle PHI.
- Evaluate the PHI that the BA's organization controls and determine whether that PHI can be encrypted or destroyed so that it will be considered secured and not subject to the HIPAA security breach notification requirements.
- Modify and update any existing security breach notification policies as necessary to comply with HIPAA and state law.
- Obtain outside legal review of this policy to ensure that it complies with the HIPAA and state law requirements.
- Consider risk prevention and mitigation strategies for security breaches.
- Consider how the organization can enhance its security system to decrease the risk of breach of unsecured PHI.
- Evaluate the organization's insurance coverage to determine if it covers costs associated with security breaches of PHI.

Compliance With the HIPAA Security Rule

BAs should take the following steps to assure compliance with the HIPAA Security Rule:

- Conduct an organizational risk analysis to identify whether the HIPAA security standards and implementation requirements are met. An audit tool should be used to assist with the initial risk assessment or gap analysis. The gap analysis should address each of the following implementation standards:
  - Administrative safeguards: HIPAA requires that BAs have certain administrative safeguards, including the following: (i) a security management process, (ii) an individual with assigned security responsibility, (iii) appropriate workforce security policies and procedures, (iv) policies and procedures for information access management, (v) a program of security awareness and training, (vi) security incident procedures, (vii) a contingency plan, and (viii) periodic evaluations of compliance with the HIPAA Security Rule.
  - Physical safeguards: HIPAA requires that BAs have certain physical safeguards, including implementation and maintenance of policies and procedures on facility access controls, policies and procedures on workstation use, workstation security, and device and media controls.
  - Technical safeguards: HIPAA requires that BAs implement certain technical safeguards, including access controls, audit controls, integrity policies, person or entity authentication procedures, and transmission security procedures for PHI.
- Develop written policies and procedures for each HIPAA standard listed above. Please note that each of the implementation standards above has numerous requirements. HIPAA requires that written policies and procedures be created that address each standard and each of the specific implementation specifications in the HIPAA Security Rule. These written policies and procedures are subject to record retention requirements of six years.
- Obtain review of policies and procedures to ensure legal compliance.
- Train staff on HIPAA privacy and security rule requirements and the consequences of violation.

Amendment of BAAs

Though not required for up to one year following the effective date of the Final HITECH Rule, consideration should be given to amending BAAs to incorporate applicable changes to HIPAA under the HITECH Act. BAs should consider the following:

- Draft template amendments and revise (or create) new template BAAs to incorporate the changes required under the HITECH Act. Proactively provide such templates to CEs.
- Be prepared for increasing complexity in negotiating BAAs with CEs, including the following:
  - CEs may conduct due diligence prior to contracting to determine whether BAs are HIPAA-compliant and whether a BA's security profile provides sufficient protection for PHI.
  - CEs may negotiate broad indemnification or cost-allocation provisions with their BAs to cover the CEs' exposure to costs associated with security breach notification requirements, potential reputational damage, and civil liability arising from BAs' breaches of unsecured PHI.
- Check underlying services agreements for provisions addressing data privacy, security, and confidentiality to identify terms that conflict with the BAAs or place additional obligations on the BA.
- Amend subcontract agreements to address new obligations that have been imposed on the BA and its Subcontractors under the HITECH Act. Consider inserting appropriate language to address information security and to protect the BA from costs and liabilities associated with Subcontractors' security breaches or other violations of contract terms related to information security.

Inventory HIPAA-Related Policies

BAs are directly liable under HIPAA for violations of the Privacy, Security and Breach Notification Rules. BAs should consider the following:

- Evaluate current policies, procedures, and processes applicable to compliance with these rules to ensure they are robust and will facilitate compliance.
- Evaluate training procedures for personnel.
- Review and strengthen policies on employee sanctions for violations of HIPAA, the HITECH Act, or requirements in BAAs.
NOTIFICATION OF PRIVACY AND SECURITY BREACHES Overview The UT Health Science Center at San Antonio (Health Science Center) is required to report all breaches of protected health information and personally
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates March 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy E.
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationChanges to HIPAA Privacy and Security Rules
Changes to HIPAA Privacy and Security Rules STEPHEN P. POSTALAKIS BLAUGRUND, HERBERT AND MARTIN 300 WEST WILSON BRIDGE ROAD, SUITE 100 WORTHINGTON, OHIO 43085 SPP@BHMLAW.COM PERSONNEL COUNCIL FRANKLIN
More informationCoping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!
Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,
More informationMEMORANDUM. Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know
1801 California Street Suite 4900 Denver, CO 80202 303-830-1776 Facsimile 303-894-9239 MEMORANDUM To: Adam Finkel, Assistant Director, Government Relations, NCRA From: Mel Gates Date: December 23, 2013
More informationOCR Phase II Audit Protocol Breach Notification. HIPAA COW Spring Conference 2017 Page 1 Boerner Consulting, LLC
Audit Type Section Key Activity Established Performance Criteria Audit Inquiry 12 Samples Requested Breach 164.414(a) Administrative 164.414(a) 164.414(a) 5 Inquiry of Mgmt Requirements Administrative
More informationNPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH
NPRM: Modifications to the HIPAA Privacy, Security, and Enforcement Rules under HITECH Speakers Lisa A. Gallagher, BSEE, CISM, CPHIMS Senior Director, Privacy and Security HIMSS lgallagher@himss.org Amy
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationHIPAA Basic Training for Health & Welfare Plan Administrators
2010 Human Resources Seminar HIPAA Basic Training for Health & Welfare Plan Administrators Norbert F. Kugele What We re going to Cover Important basic concepts Who needs to worry about HIPAA? Complying
More informationHIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI)
HIPAA Breach Notice Rules New notice requirements for HIPAA covered entities when there is a breach of Protected Health Information (PHI) On August 24, 2009, the Department of Health and Human Services
More information45 CFR Part 164. Interim Final Rule Breach Notification for Unsecured Protected Health Information
45 CFR Part 164 Interim Final Rule Breach Notification for Unsecured Protected Health Information Full Preamble and Rule at http://edocket.access.gpo.gov/2009/pdf/e9-20169.pdf The Interim Final Rule also
More informationOmnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule
Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions
More informationHIPAA OMNIBUS RULE. The rule makes it easier for parents and others to give permission to share proof of a child s immunization with a school
ASPPR The omnibus rule greatly enhances a patient s privacy protections, provides individuals new rights to their health information, and strengthens the government s ability to enforce the law. The changes
More informationGetting a Grip on HIPAA
Getting a Grip on HIPAA Privacy and Security of Health Information in the Post-HITECH Age Jean C. Hemphill hemphill@ballardspahr.com 215.864.8539 Edward I. Leeds leeds@ballardspahr.com 215.864.8419 Amy
More informationBusiness Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)
Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service
More informationThe Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure
The Guild for Exceptional Children HIPAA Breach Notification Policy and Procedure Purpose To provide for notification in the case of breaches of Unsecured Protected Health Information ( Unsecured PHI )
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES
HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: A COMPLIANCE SOLUTION FOR THE TICKING CLOCK AND THE DRACONIAN CIVIL AND CRIMINAL PENALTIES January 23, 2014 I. Executive Summary I: The HIPAA Final Rule
More informationHighlights of the Omnibus HIPAA/HITECH Final Rule
Highlights of the Omnibus HIPAA/HITECH Final Rule Health Law Whitepaper Katherine M. Layman 215.665.2746 klayman@cozen.com Gregory M. Fliszar 215.665.7276 gfliszar@cozen.com Judy Wang Mayer 215.665.4737
More informationLong-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates
Long-Awaited HITECH Final Rule: Addressing the Impact on Operations of Covered Entities and Business Associates November 7, 2013 Brad M. Rostolsky Partner Reed Smith LLP brostolsky@reedsmith.com Nancy
More informationHIPAA Background and History
Agenda Jeffery P. Drummond Lawyers as HIPAA Business Associates: Ethical Obligations and Practical Tips for Compliance Dallas Bar Association January 17, 2018 Jamie Sorley An Overview of HIPAA The Privacy
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationALERT. November 20, 2009
ALERT HIPAA PRIVACY FOR EMPLOYERS HAS CHANGED. IMMEDIATE ACTION IS REQUIRED. November 20, 2009 The American Recovery and Reinvestment Act of 2009 ( ARRA ) also known as the Economic Stimulus Bill made
More informationH E A L T H C A R E L A W U P D A T E
L O U I S V I L L E. K Y S E P T E M B E R 2 0 0 9 H E A L T H C A R E L A W U P D A T E L E X I N G T O N. K Y B O W L I N G G R E E N. K Y N E W A L B A N Y. I N N A S H V I L L E. T N M E M P H I S.
More informationHIPAA 2014: Recent Changes from HITECH and the Omnibus Rule. Association of Corporate Counsel Houston Chapter October 14, 2014.
HIPAA 2014: Recent Changes from HITECH and the Omnibus Rule Association of Corporate Counsel Houston Chapter October 14, 2014 Jeffery P. Drummond Jackson Walker L.L.P. 901 Main Street, Suite 6000 Dallas,
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationHIPAA and Lawyers: Your stakes have just been raised
HIPAA and Lawyers: Your stakes have just been raised October 16, 2013 Presented by: Harry Nelson e: hnelson@fentonnelson.com Claire Marblestone e: cmarblestone@fentonnelson.com AGENDA Statutory & Regulatory
More informationACC Compliance and Ethics Committee Presentation February 19, 2013
ACC Compliance and Ethics Committee Presentation February 19, 2013 Melinda G. Murray Associate General Counsel, Holy Cross Hospital and Jill M. Girardeau Partner, Womble Carlyle Sandridge & Rice, LLP HIPAA
More informationHIPAA Compliance. PART I: HHS Final Omnibus HIPAA Rules
HIPAA Compliance PART I: HHS Final Omnibus HIPAA Rules Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com February 6, 2013 www.securityprivacyandthelaw.com HIPAA Compliance: PART I 1 Finally!
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationHIPAA Breach Notification Case Studies on What to Do and When to Report
HIPAA Breach Notification Case Studies on What to Do and When to Report AHLA Physicians and Physician Organizations and Hospitals and Health Systems Law Institute February 9 and10, 2012 Colleen M. McClorey,
More informationHIPAA BUSINESS ASSOCIATE AGREEMENT
HIPAA BUSINESS ASSOCIATE AGREEMENT This Agreement, dated as of, 2018 ("Agreement"), by and between, on its own behalf and on behalf of all entities controlling, under common control with or controlled
More informationEmma Eccles Jones College of Education & Human Services. Title: Business Associate Agreements
POLICY INFORMATION Document # 900 Revision # 1.0 Safeguard: Administrative Title: Business Associate Agreements Prepared by: J. Black Approved by: Dean Beth E. Foley Print Date: 8/29/2016 Date Prepared:
More informationHIPAA Privacy & Security. Transportation Providers 2017
HIPAA Privacy & Security Transportation Providers 2017 HIPAA Privacy & Security As a non emergency medical transportation provider, you deal directly with Medicare and Medicaid Members healthcare information
More information2011 Miller Johnson. All rights reserved. 1. HIPAA Compliance: Privacy and Security Changes under HITECH HITECH. What is HITECH? Mary V.
HIPAA Compliance: Privacy and Security Changes under HITECH Mary V. Bauman www.millerjohnson.com The materials and information have been prepared for informational purposes only. This is not legal advice,
More information2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners
2013 HIPAA Omnibus Regulations: New Rules for Healthcare Providers and Collections Partners Providers, and Partners 2 Editor s Foreword What follows are excerpts from the U.S. Department of Health and
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationPrivacy Rule Primer. 45 CFR Part 160 and Subparts A and E of Part CFR , 45 CFR CFR
Resource provided by Page 1 of 10 Contents I. The Privacy Rule The Fundamental HIPAA Rule... 1 II. Privacy Rule Overview... 1 III. Privacy Rule Standards and Implementation Specifications Covered in Section
More informationHIPAA Privacy Compliance Checklist
HIPAA Privacy Compliance Checklist Task Obtain Education on HIPAA Privacy Requirements 1. HIPAA EDI requirements. 2. HIPAA privacy requirements. Organize the HIPAA Privacy Team and Create a Game Plan 1.
More informationRISK TRACK. Privacy and Data Protection
RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: 310-794-6763 MArvin@mednet.ucla.edu Marti Arvin is the Chief Compliance Officer for UCLA
More informationHayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More informationAn Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. An Overview of the Impact of the American Recovery and Reinvestment Act of 2009 on the HIPAA Medical Privacy and Security Rules Alden J. Bianchi Updated
More informationThe Impact of the Stimulus Act on HIPAA Privacy and Security
The Impact of the Stimulus Act on Webinar March 12, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer The American
More informationOmnibus HIPAA Rule: Impact on Covered Entities
Presenting a live 90-minute webinar with interactive Q&A Omnibus HIPAA Rule: Impact on Covered Entities Complying with New Requirements, Managing Risk and Responding to a Data Breach TUESDAY, MARCH 12,
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More informationHITECH/HIPAA Omnibus Final Rule: Implications for Hospices. Elizabeth S. Warren May 3, 2013
HITECH/HIPAA Omnibus Final Rule: Implications for Hospices Elizabeth S. Warren May 3, 2013 Final Rule is Finally Here Published January 25, 2013 (78 Fed. Reg. 5566) Effective March 26, 2013 Compliance
More informationHIPAA Compliance Guide
This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your
More informationNew. To comply with HIPAA notice requirements, all Providence covered entities shall follow, at a minimum, the specifications described below.
Subject: Protected Health Information Breach Notification Policy Department: Enterprise Risk Management Services Executive Sponsor: SVP/Chief Risk Officer Approved by: Rod Hochman, MD President/CEO Policy
More informationSafeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker
Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements
More informationHIPAA: Impact on Corporate Compliance
HIPAA: Impact on Corporate Compliance AAPC HEALTHCON April 2014 Stacy Harper, JD, MHSA, CPC Disclaimer The information provided is for educational purposes only and is not intended to be considered legal
More informationThe American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again
ClientAdvisory The American Recovery and Reinvestment Act of 2009: Health Information Privacy and Security Provisions Here We Go Again February 26, 2009 On February 17, 2009, President Obama signed into
More informationNew HIPAA-HITECH Proposed Regulations Issued
July 2010 New HIPAA-HITECH Proposed Regulations Issued On Thursday July 14, 2010, the Department of Health and Human Services (HHS) published proposed regulations in the Federal Register on many provisions
More informationFACT Business Associate Agreement
Policy Document #: 2.1.003 Revision: 3 Valid Date: 27June2012 Page 1 of 2 Effective Date: 27Jun2012 FACT Business Associate Agreement 1.0 Purpose The purpose of this document is to establish terms for
More informationARRA 2009: Privacy and Security Provisions. Deven McGraw
ARRA 2009: Privacy and Security Provisions Deven McGraw 1 Health Privacy Project at CDT Health IT and electronic health information exchange have tremendous potential to improve health care quality, reduce
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationThe American Recovery Reinvestment Act. and Health Care Reform Puzzle
The American Recovery Reinvestment Act and Health Care Reform Puzzle Carolyn Heyman-Layne Alaska HCCA Conference March 1, 2012 Comparison of Breach Notification Provisions in the HITECH Act 1 and the Alaska
More informationNETWORK PARTICIPATION AGREEMENT
NETWORK PARTICIPATION AGREEMENT THIS NETWORK PARTICIPATION AGREEMENT ( Agreement ) is entered into on the date(s) indicated below, by and between the undersigned physician (hereinafter Physician ; and
More information"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA
"HIPAA FOR LAW FIRMS" WHAT EVERY LAW FIRM NEEDS TO KNOW ABOUT HIPAA Jeanne M. Born, RN, JD SOUTH CAROLINA ASSOCIATION OF LEGAL ADMINISTRATORS THURSDAY, APRIL 14, 2016 Jborn@nexsenpruet.com What Every Law
More informationARTICLE 1. Terms { ;1}
The parties agree that the following terms and conditions apply to the performance of their obligations under the Service Contract into which this Exhibit is being incorporated. Contractor is providing
More informationNew HIPAA Breach Rules NAHU presents the WHAT and WHYs. Agenda
New HIPAA Breach Rules NAHU presents the WHAT and WHYs Presenters: David Smith JD, Vice President, Ebenconcepts Tom Jacobs JD, co-ceo eflexgroup Moderator: Ric Joyner CEBS CFCI, co-ceo, eflexgroup 1 Agenda
More informationHIPAA Compliance Under the Magnifying Glass
HIPAA Compliance Under the Magnifying Glass July 30, 2013 Stacy Harper, JD, MHSA, CPC A Webinar Provided by Presenter Stacy Harper Lathrop & Gage, LLP sharper@lathropgage.com 913-451-5125 The information
More informationAuditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees
Auditing for HIPAA Compliance: Evaluating security and privacy compliance in an organization that provides health insurance benefits to employees San Antonio IIA: I HEART AUDIT CONFERENCE February 24,
More informationThe HHS Breach Final Rule Is Out What s Next?
The HHS Breach Final Rule Is Out What s Next? Webinar September 16, 2009 Practical Tools for Seminar Learning Copyright 2009 American Health Information Management Association. All rights reserved. Disclaimer
More informationHIPAA Information. Who does HIPAA apply to? What are Sync.com s responsibilities? What is a Business Associate?
HIPAA Information Who does HIPAA apply to? HIPAA applies to all Covered Entities (entities that collect, access, use and/or disclose Protected Health Data (PHI) and are subject to HIPAA regulations). What
More informationBe Careful What You Wish For: The Final Rule Is Out
Be Careful What You Wish For: The Final Rule Is Out Theodore J. Kobus III tkobus@bakerlaw.com @tedkobus 212.271.1504 Lynn Sessions lsessions@bakerlaw.com @lynnsessions 713.646.1352 Toll Free 24-Hour Data
More informationBUSINESS ASSOCIATE AGREEMENT W I T N E S S E T H:
BUSINESS ASSOCIATE AGREEMENT THIS BUSINESS ASSOCIATE AGREEMENT ( this Agreement ) is made and entered into as of this day of 2015, by and between TIDEWELL HOSPICE, INC., a Florida not-for-profit corporation,
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information
More informationTrue or False? HIPAA Update: Avoiding Penalties. Preliminaries. Kim C. Stanger IHCA (7/15)
Protected Health Info HIPAA Update: Avoiding Penalties IHCA (7/15) Preliminaries This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationOmnibus Rule: HIPAA 2.0 for Law Firms
Omnibus Rule: HIPAA 2.0 for Law Firms Introduction On January 25, 2013, the U.S. Department of Health and Human Services (HHS) issued the muchanticipated Omnibus Rule 1 finalizing changes to the HIPAA
More informationAGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015)
AGREEMENT PURSUANT TO THE TERMS OF HIPAA ; HITECH ; and FIPA (Business Associate Agreement) (Revised August 2015) THIS AGREEMENT made the day of, 20, by and between HOSPICE OF MARION COUNTY, INC., a Florida
More informationGUIDE TO PATIENT PRIVACY AND SECURITY RULES
AMERICAN ASSOCIATION OF ORTHODONTISTS GUIDE TO PATIENT PRIVACY AND SECURITY RULES I. INTRODUCTION The American Association of Orthodontists ( AAO ) has prepared this Guide and the attachment to assist
More information