New HIPAA Breach Rules: NAHU presents the WHAT and WHYs
Presenters: David Smith JD, Vice President, Ebenconcepts; Tom Jacobs JD, co-CEO, eflexgroup
Moderator: Ric Joyner CEBS CFCI, co-CEO, eflexgroup

Agenda
- Introduction
- HIPAA Security Breach Notification Regulations
- Privacy and security landscape
- Pre-ARRA legal overview
- New (expanded) privacy and security requirements in ARRA
- Tips and recommendations to comply
- Discussion and questions

New HIPAA Security Breach Notification Regulations
- Department of Health and Human Services, Office for Civil Rights, issued an interim final rule August 24, 2009
- Required by the American Recovery and Reinvestment Act of 2009 (Feb. 17, 2009)
- Section of the Health Information Technology for Economic and Clinical Health (HITECH) Act

Section of HITECH requires the Secretary of the Dept. of HHS to issue interim final regulations within 180 days to require covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates to provide notification in the case of breaches of unsecured protected health information.

Timeline
- HITECH/ARRA: 180 days from February 17, 2009 to issue rules
- HHS issued rules August 24, 2009
- Rules become effective September 23, 2009, BUT HHS stated it will hold off enforcing the rules for 6 months and will not impose sanctions for violations during this period
- Instead, HHS will work with covered entities and business associates through technical assistance and voluntary corrective actions

Business Associates Beware!
- The American Recovery and Reinvestment Act of 2009 (ARRA) modifies the existing HIPAA framework by also requiring business associates to directly comply with the HIPAA Security Rule provisions on administrative, physical and technical safeguards.
- All Business Associate Agreements must reflect the business associate's new obligations.
- Additionally, ARRA may now impose sanctions on business associates that fail to comply with the HIPAA Privacy Rule.
- In the event of a breach by the business associate, the business associate is now statutorily required to take steps to mitigate any damages to covered entities, including health care organizations and individuals whose unsecured PHI was compromised.
- More details later; first a look at the current framework.

The Current Security Landscape
- 1 out of 700 hackers are caught and prosecuted
- "Data Hijacking On the Rise: Is Your Business Next??"
- "Citibank Hack Blamed for Alleged ATM Crime Spree"

Medical Records Are a Key Target: Insiders and External Thieves
- "UCLA's medical record spying problem worse than thought"
- "Medical Record Breaches on the Rise"
- "Google Health Goes Live" (May 19, 2008): At a press-packed, early morning event, Google launched its long-anticipated health initiative, Google Health, today.
- "University of Florida said to be a 'natural target' for ID theft"
- "IDENTITY THIEVES TARGETING MEDICAL INFORMATION"
- "California's breach disclosure law now covers medical records"
- Proliferating HIPAA complaints and medical record breaches
Pre-ARRA Legal Framework
- Drivers: globalization, outsourcing, identity theft, data hijacking and corruption
- HIPAA Privacy Rule
- First security breach notification law
- HIPAA Security Rule
- FTC and state AG enforcement on the rise
- Many more security breach notification laws and publicity about breaches
- Massachusetts privacy law, other new state privacy laws
- ARRA, Feb. 17, 2009
- FTC Red Flag Rules
- HIPAA Privacy Rule complaints (resolved without fines)
- March 5, 2007: Piedmont HIPAA Security Audit
- July 15, 2008: Providence Health & Services
- February 18, 2009: CVS (HHS and FTC collaboration)
- HIPAA Security Rule audits continuing

Pre-ARRA HIPAA Privacy Rule Complaints (pending as of February 2009)
- Total complaints: 43,338
- Pending: 6,959 (20%)
- Resolved: 36,379, of which not actionable: 24,387; no violation: 4,000; the remainder resolved w/o fine
- CVS: $2.25M fine, 20-year FTC Consent Decree, numerous state AG actions, adverse publicity
- Increasing number of HIPAA complaints filed per year with HHS

Top Five Allegations in HIPAA Privacy Rule Complaints
- Impermissible uses and disclosures of protected health information;
- Lack of safeguards of protected health information;
- Lack of patient access to their protected health information;
- Uses or disclosures of more than the Minimum Necessary; and
- Lack of or invalid authorizations for uses and disclosures of protected health information
We have a question: So what?

Top Targets for HIPAA Privacy Rule Complaints
- Private practices
- General hospitals
- Outpatient facilities
- Health plans (group health plans and health insurance issuers)
- Pharmacies

Pre-ARRA HIPAA Security Rule Complaints
- Complaint-driven enforcement
- Very few complaints filed through 2006
- CMS criticized by OIG for lax compliance, insufficient enforcement
- OIG found significant violations at 8 hospitals that it audited
- March 5, 2007: first CMS audit (Piedmont Hospital)
- Reportedly auditing 50 hospitals per year via unannounced audits

Pre-ARRA Security Breach Notification Requirements
- State security breach notification laws, with varying requirements
- No federal security breach law
- HIPAA Privacy Rule disclosure log only

Key Pieces of Information Involved in Identity Theft
- A US resident's identity is stolen at least every two minutes.
- One in seven hundred identity thieves are caught and prosecuted.

[Slide: The Risks You Face with Popular US Retailers (chart)]
[Slide: Cost of a Data Breach (Ponemon Institute Survey, chart)]
[Slide: Cost of a Data Breach by Industry (Ponemon Institute Survey, chart)]
ARRA Overview
- Significant changes to the US privacy and security landscape
- Increasing scrutiny; enforcement on the way (federal and state)
- Expect a great deal of uncertainty, as with HIPAA

ARRA Key Changes: Improved Privacy Provisions and Security Provisions
- Security breach notifications
- Broader HIPAA scope of coverage (and enforcement)
- Additions and modifications to certain HIPAA requirements
- New HHS inspection and enforcement framework
- New tiered penalties for federal and state regulators
- Varying effective dates for different sections

Broader HIPAA Scope of Coverage
- Business associates
- Other third parties (who are now clearly business associates)
- Another category of third parties who are not business associates under ARRA, but may be considered business associates under a forthcoming evaluation (before February 17, 2010)

Business Associates: Pre-ARRA vs. ARRA
Pre-ARRA:
- BAs contractually bound to certain HIPAA requirements.
- Covered entity legally responsible for ensuring appropriate BA agreement.
- No requirement for BA agreements between covered entities.
- HIPAA enforcement and penalties do not apply directly to BAs.
- No right for HHS to audit BAs.
ARRA:
- Statutorily bound to all HIPAA Privacy and Security Rule requirements, including new requirements in ARRA.
- BA and covered entity both responsible for ensuring appropriate BA agreement.
- Specific requirement to update all BA agreements, consistent with new ARRA obligations.
- HIPAA enforcement and penalties apply directly to BAs.
- HHS has the right to audit BAs and must publish results.
Comments:
- Some BAs might not be able to comply. HIPAA Security Rule obligations will be a challenge. Recommend evaluation of BAs for ability to comply too.
- Unclear whether violations by a BA will be applied to covered entities.
- Much greater scrutiny of BAs.

Additions and Modifications to Certain HIPAA Requirements
- Disclosure log now includes treatment, payment, healthcare operations
- Patient access rights: electronic records; 3 years for accounting (not 6 years)
- Patient access rights to information from BAs (two options)
- Minimum necessary applies to treatment disclosures too; new guidance
- Additional restrictions on use of PHI without a valid authorization

New Inspection and Public Posting Requirements
- HHS required to conduct inspections of covered entities
- Inspections of business associates
- Publication of inspections, general findings
- Publication of security breaches on HHS website

New Security Breach Enforcement Requirements
- Attorneys General can bring state actions for violations under ARRA
- However, cannot bring an action while an HHS action is pending
- Individual right to a percentage of the government's fine (forthcoming guidance)
New Enforcement Requirements
- As noted previously, business associates now fall directly under HIPAA enforcement
- ARRA makes clear that HIPAA enforcement applies to individuals as well as organizations that are covered
- New tiered enforcement: willful violations result in the highest penalties

Security Breach Notifications
- First federal security breach notification requirements
- Expanded scope of when notification is triggered for covered entities
- Business associates required to notify covered entities about breaches
- These rules apply to information in any format: ePHI (electronic PHI), paper, tapes/CDs

Breach: An individual's protected health information [in unsecured form] that has been, or is reasonably believed by the covered entity to have been, accessed, used, acquired or disclosed to an unauthorized person, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.

Exceptions:
- unintentional access by employees or individuals acting under authority of the covered entity or business associate, if the information is not used or disclosed by the recipient or anyone else;
- inadvertent disclosure from one covered entity or business associate employee authorized to access PHI to a co-employee authorized to access PHI;
- unauthorized access by an unauthorized person who would not reasonably be able to retain the information disclosed.

Security Breach Notifications (continued)
- Rules do not apply to PHI in secured form
- If improperly acquired data was secured (encrypted or destroyed), then no breach notification is required
- Notification when there has been a breach above the harm threshold
- Responsible for determining whether a breach poses a significant risk and warrants notification. Do a risk assessment: What and how much information was released? Can we get it back?
- Notify without unreasonable delay and at least within a 60-day timeframe
- The 60 days begin to run from the date the covered entity or business associate, or any employee, officer or other agent of the covered entity or business associate, knew or reasonably should have known about the breach

Method of notice (new obligations):
- Send a written notice to the individual (or next of kin, if the individual is deceased) at the last known address by first-class or electronic mail.
- Post a conspicuous message (for a period determined by HHS) on your Web site's home page or with major print or broadcast media when insufficient or out-of-date contact information prevents direct contact.
- Call individuals whose unsecured health information was breached when there is an imminent threat of misuse.
- Notify prominent media outlets within the state or jurisdiction if a breach of unsecured PHI affects or is reasonably believed to affect more than 500 residents.
- Notify HHS immediately for breaches involving more than 500 individuals, and annually for all other breaches.

Content of notice:
- a brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
- a description of the types of PHI involved in the breach (such as full name, social security number, date of birth, home address, account number, diagnosis, disability code, etc.);
- suggested steps individuals should take to protect themselves from potential harm resulting from the breach;
- a brief description of what the covered entity is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
- contact procedures for individuals to ask questions or learn additional information, which must include a toll-free telephone number, an e-mail address, website, and postal address.

Effective Dates
- Vary by section
- Many sections effective on February 17, 2010
- Breach notification rules go into effect in September, but no enforcement until February (per HHS/FTC)
- Some contingent on passage of additional guidance documents
- Penalty section (including state enforcement) effective immediately

Tips and Recommendations
- Increasingly complex legal requirements: state, federal, global
- Recommend an overall risk management approach
- Specific individuals for privacy and security (two roles)
- Written policies and procedures for privacy and security
- Policies should be approved by senior management, consistent, accurate. Do not make promises that you cannot keep.
- Ongoing vigilance required: changing threats, new laws, new guidances

Tips and Recommendations: Business Associates
- Overall vendor management approach
- Pre-screening of vendors, including business associates
- Proper agreements; ensure that you have a final copy in place
- Recommendations (examples): HIPAA Privacy and Security Rules; security breaches; HHS audits; accounting of disclosures; marketing restrictions; policies and procedures; training; compliance monitoring/inspections; right to audit; indemnification provisions
What You Need to Do
- Identify sources of unsecured PHI.
- Determine how to secure PHI to avoid having to provide breach notifications.
- Develop policies and procedures regarding securing PHI.
- Develop policies and procedures for breach notifications.
- Assign responsibility for drafting and approving breach notices.
- Revise business associate agreements to address breach notice obligations.
- Train workforce members regarding the new breach notice.

Guidance: Use Encryption, Destroy Paper Records
- HHS affirmed that the only method to render electronic protected health information unusable, unreadable or indecipherable to unauthorized persons is through encryption. HHS relies on the detailed encryption guidance from the National Institute of Standards and Technology.
- Therefore, when a covered entity is the subject of a data breach but the data is appropriately encrypted, federal breach notification requirements and the vast majority of state breach notification requirements will not be triggered.
- With respect to information in non-electronic formats, HHS stated that only destruction of paper records, and not redaction, will meet the requirements to avoid breach notification.
- HHS takes the position that covered entities can encrypt or destroy:
  - Data in motion: data that is moving through a network;
  - Data at rest: data in databases, file systems, flash drives, memory and any other storage method; and
  - Data disposed: discarded paper records or recycled electronic media.

Risk Assessment
The rule clarifies that the privacy and security of PHI is compromised, and the notification requirement is triggered, only if the acquisition, access, use or disclosure of the information poses a significant risk of financial, reputational or other harm to the individual. The covered entity or business associate must conduct a risk assessment and determine whether a significant risk to the individual exists. Factors to consider include who impermissibly used or obtained the information, the type of information involved, whether the covered entity took immediate steps that eliminated or reduced the risk of harm, and whether the information was returned prior to being used for an improper purpose.

Applies to Unsecured PHI Only
The new rule requires notification to individuals and to HHS for breaches of unsecured PHI. Unsecured PHI is any PHI that is not secured through a technology or methodology specified by HHS. The recently published HHS regulations require covered entities to promptly notify (no later than 60 calendar days from the date of discovery) affected individuals of a breach.

Some Key Areas of Consideration
- Security assessments
- Security breach notification process
- Policies and procedures (including Notice of Privacy Practices)
- Training
- Auditing/compliance monitoring
- Litigation risk reduction: proper recordkeeping
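The triage logic that the Security Breach Notifications, Risk Assessment and "Applies to Unsecured PHI Only" slides describe can be written down as a small decision routine, which is useful when building an incident response playbook. The following is an added example, not code from the NAHU presentation or from HHS; the field names on the breach record, the recipient categories, and the sample events are this example's own constructed assumptions, and the risk-of-harm factor is taken as the already-documented outcome of the assessment rather than computed here.

```python
"""Breach-notification triage helper (added example; not from the NAHU deck).

Encodes, in order, the tests the slides describe:
  1. secured PHI (encrypted per NIST guidance, or destroyed) -> rule does not apply
  2. the three exceptions (unintentional workforce access, inadvertent
     disclosure between authorized workforce members, recipient unable to retain)
  3. the harm threshold from the documented risk assessment
then derives the 60-day deadline from the date of discovery and the set of
notices owed (individual, substitute, telephone, media, HHS immediate/annual).
Field names, recipient categories and sample events are constructed for this
example and are not terms of art from the rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

NOTIFY_DEADLINE_DAYS = 60   # outer limit: 60 calendar days from discovery
MEDIA_HHS_THRESHOLD = 500   # more than 500 individuals -> media notice and immediate HHS notice


@dataclass
class BreachEvent:
    discovered_on: date               # date the entity knew or should have known
    individuals_affected: int
    secured: bool                     # encrypted (NIST guidance) or destroyed
    recipient_type: str               # 'workforce', 'authorized_coworker', 'unauthorized'
    used_or_further_disclosed: bool   # did the recipient or anyone else use/disclose it?
    recipient_could_retain: bool      # could the recipient reasonably have retained it?
    significant_risk_of_harm: bool    # outcome of the documented risk assessment
    imminent_threat_of_misuse: bool = False
    contact_info_missing: bool = False


def is_reportable_breach(e: BreachEvent) -> Tuple[bool, str]:
    """Apply the 'unsecured' test, then the exceptions, then the harm threshold."""
    if e.secured:
        return False, "PHI was secured (encrypted or destroyed); rule does not apply"
    if e.recipient_type == "workforce" and not e.used_or_further_disclosed:
        return False, "exception: unintentional workforce access, no further use or disclosure"
    if e.recipient_type == "authorized_coworker":
        return False, "exception: inadvertent disclosure between workforce members authorized for PHI"
    if not e.recipient_could_retain:
        return False, "exception: recipient could not reasonably retain the information"
    if not e.significant_risk_of_harm:
        return False, "risk assessment: no significant risk of financial, reputational or other harm"
    return True, "reportable breach of unsecured PHI"


def notification_plan(e: BreachEvent) -> Dict[str, object]:
    """Return the notices owed and the latest date by which they must go out."""
    reportable, reason = is_reportable_breach(e)
    actions: List[str] = []
    plan: Dict[str, object] = {"reportable": reportable, "reason": reason,
                               "deadline": None, "actions": actions}
    if not reportable:
        return plan
    plan["deadline"] = (e.discovered_on + timedelta(days=NOTIFY_DEADLINE_DAYS)).isoformat()
    actions.append("written notice to individuals (first-class or electronic mail)")
    if e.contact_info_missing:
        actions.append("substitute notice: web site home page or major print/broadcast media")
    if e.imminent_threat_of_misuse:
        actions.append("telephone notice to affected individuals")
    if e.individuals_affected > MEDIA_HHS_THRESHOLD:
        actions.append("notify prominent media outlets in the state or jurisdiction")
        actions.append("notify HHS immediately")
    else:
        actions.append("log for the annual report to HHS")
    return plan


# Constructed sample events (not real incidents).
SAMPLE_EVENTS: Dict[str, BreachEvent] = {
    "lost_encrypted_laptop": BreachEvent(date(2009, 10, 1), 3000, True, "unauthorized", True, True, True),
    "stolen_paper_charts": BreachEvent(date(2009, 10, 1), 1200, False, "unauthorized", True, True, True,
                                       imminent_threat_of_misuse=True),
    "misdirected_fax_small": BreachEvent(date(2009, 10, 1), 40, False, "unauthorized", False, True, True),
    "nurse_opened_wrong_chart": BreachEvent(date(2009, 10, 1), 1, False, "workforce", False, True, False),
}


def triage_samples() -> Dict[str, Dict[str, object]]:
    """Run every constructed sample through the plan; handy for a playbook test."""
    return {name: notification_plan(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, plan in triage_samples().items():
        print(f"{name}: reportable={plan['reportable']} deadline={plan['deadline']}")
        print(f"  reason: {plan['reason']}")
        for a in plan["actions"]:
            print(f"  - {a}")
```

Note that the routine deliberately treats "secured" as a binary derived from the NIST-based HHS guidance rather than inspecting any data: in practice the inventory of unsecured PHI sources (the first item under "What You Need to Do") is what populates that field, and the 60-day date is an outer limit, not a target.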
Conclusion
- Don't become the next CVS or the next security breach poster child, the target of state attorneys general.
- Don't be fooled into buying things that you don't need (remember the HIPAA scams, like HIPAA-compliant cabinets?).
- Prepare procedures and training programs that are employee-friendly and not overwhelming. The goal is results, not reams of paper.
- Security experts can differ greatly in terms of cost and expertise. Don't be fooled.
- Ensure proper documentation and recordkeeping practices.
Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements
More informationRISK TRACK. Privacy and Data Protection
RISK TRACK Privacy and Data Protection Presenters Marti Arvin Chief Compliance Officer UCLA Health Sciences Phone: 310-794-6763 MArvin@mednet.ucla.edu Marti Arvin is the Chief Compliance Officer for UCLA
More informationAMA Practice Management Center, What you need to know about the new health privacy and security requirements
1. HIPAA Security Rule Johns, Merida L., Information Security, in Johns, Merida L. (ed.) Health Information Management Technology, an Applied Approach, AHIMA: Chicago, IL, 2nd ed. 2007, chapter 19, pp.
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule NOTE: Make sure your computer speakers are turned ON. Audio will be streaming through your speakers. If you do not have computer speakers, call the ACCMA at 510-654-5383 for alternatives.
More informationSUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT
SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (Revised on March 1, 2016) THIS HIPAA SUBCONTRACTOR BUSINESS ASSOCIATE AGREEMENT (the BAA ) is entered into on (the Effective Date ), by and between ( EMR ),
More informationHayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule
Hayden W. Shurgar HIPAA: Privacy, Security, Enforcement, HITECH, and HIPAA Omnibus Final Rule 1 IMPORTANCE OF STAFF TRAINING HIPAA staff training is a key, required element in a covered entity's HIPAA
More informationARE YOU HIP WITH HIPAA?
ARE YOU HIP WITH HIPAA? Scott C. Thompson 214.651.5075 scott.thompson@haynesboone.com February 11, 2016 HIPAA SECURITY WHY SHOULD I CARE? Health plan fined $1.2 million for HIPAA breach. Health plan fined
More informationHIPAA Privacy and Security: Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches
Presenting a live 90 minute webinar with interactive Q&A HIPAA Privacy and Security: Surviving Heightened Enforcement Crafting and Implementing Data Security Policies and Responding to Breaches THURSDAY,
More informationHIPAA Enforcement Under the HITECH Act; The Gloves Come Off
HIPAA Enforcement Under the HITECH Act; The Gloves Come Off Leeann Habte, Esq. Michael Scarano, Esq. December 6, 2011 Attorney Advertising Prior results do not guarantee a similar outcome Models used are
More informationHIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT
HIPAA HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY ACT HIPAA OMNIBUS FINAL RULE HITECH GINA TERMINOLOGY OMNIBUS FINAL RULE Issued January 23, 2013 Effective March 26, 2013 Modified HIPAA privacy and security
More informationHIPAA Privacy Overview
HIPAA Privacy Overview Benefit Advisors Network Stacy H. Barrow sbarrow@marbarlaw.com February 8, 2017 2017 Marathas Barrow Weatherhead Lent LLP. All Rights Reserved. 1 Overview of Presentation HIPAA Overview
More informationThe wait is over HHS releases final omnibus HIPAA privacy and security regulations
The wait is over HHS releases final omnibus HIPAA privacy and security regulations The Department of Health and Human Services (HHS) published long-anticipated (and longoverdue) omnibus regulations under
More informationOMNIBUS RULE ARRIVES
AFTER THE OMNIBUS RULE 1 Agenda Omnibus Rule is here Business Associates (BAs) Agreement Breach Notification Change Breach Reporting Requirements (Federal and State) Notification to Care1st Health Plan
More informationPATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS
PATTERSON MEDICAL SUPPLY, INC. HIPAA BUSINESS ASSOCIATE AGREEMENT WITH CUSTOMERS This HIPAA Business Associate Agreement ( BA Agreement ), effective as of the last date written on the signature page attached
More informationOmnibus Components. Not in Omnibus. HIPAA/HITECH Omnibus Final Rule
Office of the Secretary Office for Civil Rights () HIPAA/HITECH Omnibus Final Rule April 12, 2013 HHS Office for Civil Rights Omnibus Components Final Rule on HITECH Privacy, Security, & Enforcement Provisions
More informationHEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS. What do I need to know?
HEALTH & HUMAN SERVICES OFFICE FOR CIVIL RIGHTS HIPAA COMPLIANCE AUDITS What do I need to know? INITIAL AUDITS PERFORMED IN 2016 Covered Entities Business associates AUDIT PURPOSE: SUPPORT IMPROVED COMPLIANCE
More informationHIPAA & HITECH Privacy & Security. Volunteer Annual Review 2017
HIPAA & HITECH Privacy & Security Volunteer Annual Review 2017 HIPAA In 1996, state and federal governments enacted protection for patient health information by signing into law the Health Insurance Portability
More informationLEGAL ISSUES IN HEALTH IT SECURITY
LEGAL ISSUES IN HEALTH IT SECURITY Webinar Hosted by Uluro, a Product of Transformations, Inc. March 28, 2013 Presented by: Kathie McDonald-McClure, Esq. Wyatt, Tarrant & Combs, LLP 500 West Jefferson
More informationHIPAA, Privacy, and Security Oh My!
2014 CliftonLarsonAllen LLP HIPAA, Privacy, and Security Oh My! Chad D. Kunze CPA Health Care Principal Phoenix, AZ CLAconnect.com Learning Objectives At the end of this learning session, you will be able
More informationUNDERSTANDING HIPAA & THE HITECH ACT. Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP
UNDERSTANDING HIPAA & THE HITECH ACT Heather Deixler, Esq. Associate, Morgan, Lewis & Bockius LLP 1 Objectives of Presentation Learn what HIPAA is Learn the purpose of HIPAA Understand who HIPAA regulates
More informationChanges to HIPAA Under the Omnibus Final Rule
Changes to HIPAA Under the Omnibus Final Rule Kimberly J. Kannensohn and Nathan A. Kottkamp, McGuireWoods 1 The Long-Awaited HIPAA Final Rule On Jan. 17, 2013, the Department of Health and Human Services
More informationHIPAA Data Breach ITPC
HIPAA Data Breach Objectives Overview of Omnibus Rule - Data Breach Suspected Breach - Investigation Audit Risk Assessment Corrective Action Plan Written Notification Elements NYS Rules on Data Breach
More informationHITECH Poses Important Challenges... Are You Compliant?
Presents a Webinar HITECH Poses Important Challenges... Are You Compliant? A program for Clinic and Hospital Administrators, Risk Managers, and other interested staff. Joint Sponsor Kansas Hospital Association
More information[Name of Organization] HIPAA Incident/Breach Investigation Procedure 4
Addendum II [Name of Organization] HIPAA Incident/Breach Investigation Procedure 4 I. Purpose To distinguish between (1) cases in which our HIPAA policy was not correctly followed but such violation did
More informationPatient Breach Letter Content Requirements
Patient Breach Letter Content Requirements The final breach regulations, effective September 23, 2009, required that the patient whose information was accessed, used or released in an inappropriate manner
More informationIACT Medical Trust. June 28, Jim Hamilton (317) HIPAA Privacy Training Bose McKinney & Evans LLP
IACT Medical Trust HIPAA Privacy Training June 28, 2012 Jim Hamilton (317) 684-5419 jhamilton@boselaw.com 2009 Bose McKinney & Evans LLP HIPAA Overview 2009 Bose McKinney & Evans LLP The Privacy Rule HIPAA
More informationEffective Date: 4/3/17
HIPAA AND HITECH ADM 067.4 Attachment D Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and Security Rule Health Information Technology for Economic and Clinical Health (HITECH)
More informationGUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do
GUIDE TO THE OMNIBUS HIPAA RULE: What You Need to Know and Do By D Arcy Guerin Gue, Phoenix Health Systems, a division of Medsphere Systems Corporation With Steven J. Fox, Post & Schell Originally commissioned
More informationPrivacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance. Agenda. Health Data Exposure National Wellness Conference
Privacy Sleuths: Solving the Mystery of Wellness Program Privacy Compliance 2015 National Wellness Conference Barbara J. Zabawa, JD, MPH Center for Health Law Equity, LLC Agenda Health Data Exposure ADA,
More informationGeorgia Health Information Network, Inc. Georgia ConnectedCare Policies
Georgia Health Information Network, Inc. Georgia ConnectedCare Policies Version History Effective Date: August 28, 2013 Revision Date: August 2014 Originating Work Unit: Health Information Technology Health
More informationHIPAA PRIVACY REQUIREMENTS. Dana L. Thrasher Constangy, Brooks & Smith, LLP (205)
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLP dthrasher@constangy.com (205) 226-5464 1 REASONS FOR HIPAA PRIVACY RULES Perceived need for protection of individual health information
More informationHIPAA Privacy and Security Rules
HIPAA Privacy and Security Rules HIPAA Compliance Bootcamp (5/16) This presentation is similar to any other legal education materials designed to provide general information on pertinent legal topics.
More informationFACT Business Associate Agreement
Policy Document #: 2.1.003 Revision: 3 Valid Date: 27June2012 Page 1 of 2 Effective Date: 27Jun2012 FACT Business Associate Agreement 1.0 Purpose The purpose of this document is to establish terms for
More informationSUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM
SUBCONTRACTOR BUSINESS ASSOCIATE ADDENDUM This Subcontractor Business Associate Addendum (the Addendum ) is entered into this day of, 20, by and between the University of Maine System, acting through the
More information8/14/2013. HIPAA Privacy & Security 2013 Omnibus Final Rule update. Highlights from Final Rules January 25, 2013
HIPAA Privacy & Security 2013 Omnibus Final Rule update Dan Taylor, Infinisource Copyright 2013 All rights reserved. Highlights from Final Rules January 25, 2013 Made business associates directly liable
More informationCoping with, and Taking Advantage of, HIPAA s New Rules!! Deven McGraw Director, Health Privacy Project April 19, 2013!
Coping with, and Taking Advantage of, HIPAA s New Rules!!! Deven McGraw Director, Health Privacy Project April 19, 2013! Status of Federal Privacy Regulations! Omnibus Rule (Data Breach, Enforcement, HITECH,
More informationJOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT
JOTFORM HIPAA BUSINESS ASSOCIATE AGREEMENT This HIPAA Business Associate Agreement ( HIPAA BAA ) is made between JotForm, Inc., ( JotForm ) and {YourCompanyName} ( Covered Entity or Customer ) as an agreement
More informationLegal and Privacy Implications of the HIPAA Final Omnibus Rule
Legal and Privacy Implications of the HIPAA Final Omnibus Rule February 19, 2013 Pillsbury Winthrop Shaw Pittman LLP Faculty Gerry Hinkley Partner Pillsbury Winthrop Shaw Pittman LLP Deven McGraw Director,
More informationHIPAA Privacy and Security Rules: Overview and Update HIPAA. Health Insurance Portability and Accountability Act ( HIPAA )
HIPAA Privacy and Security Rules: Overview and Update HIPAA IHCA Convention (7/16) This presentation is similar to any other legal education materials designed to provide general information on pertinent
More informationBusiness Associate Risk
Business Associate Risk Assessing and Managing Business Associate Risk Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Disclaimer: Nothing in this presentation
More informationMEMORANDUM. Kirk J. Nahra, or
MEMORANDUM TO: FROM: Interested Parties Kirk J. Nahra, 202.719.7335 or knahra@wileyrein.com DATE: January 28, 2013 RE: The HIPAA/HITECH Omnibus Regulation After almost four years, the Department of Health
More informationHIPAA Privacy & Security Plan October 2016
HIPAA Privacy & Security Plan October 2016 Page 1 HIPAA Privacy & Security Plan Introduction The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations restrict
More information