Principles for Establishing a Practical Cyber Security Incident Management Process in your HIE
John Houston, Vice President, Privacy and Information Security; Assistant Counsel, UPMC

Background - HIPAA
Most HIEs have established themselves as HIPAA Business Associates of the participants that they serve. As a Business Associate, the HIE already has significant HIPAA compliance obligations, including implementing the security controls that HIPAA requires. Compliance with those security controls necessitates that the HIE have an effective incident management process in place.

Background - HIPAA
45 CFR 164.504(e)(2)(ii)(C): report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by 164.410.
45 CFR 164.530(f): A covered entity must mitigate, to the extent practicable, any harmful effect that is known to the covered entity of a use or disclosure of protected health information in violation of its policies and procedures or the requirements of this subpart by the covered entity or its business associate.

General Concepts
- Use HIPAA, meaningful use criteria and other regulations as the benchmark, nothing more. Being overly prescriptive is deadly.
- The Federal Data Use and Reciprocal Support Agreement (DURSA), or a similar agreement, can provide additional guidance.
- Uniform obligations for participants are necessary.
- Operational flexibility is critical.
- Patient transparency is critical.

Benchmarks
HIPAA, meaningful use criteria and other regulations provide a good benchmark for what participants are already obligated to comply with. While HIEs often want more rigorous standards, deviating from what participants are already required to do causes problems because of the inconsistency. Consistency with the benchmarks results in more consistent compliance.

DURSAs
The Federal Data Use and Reciprocal Support Agreement (DURSA), or a similar agreement, can provide additional guidance regarding what the Federal Government expects when exchange occurs at the national level. These standards are more prescriptive than HIPAA.

Uniformity
Uniformity is necessary to ensure that the HIE is able to operate in an efficient and practical fashion:
- Standard agreements executed by all participants.
- Uniform notices.
- Consistent policies and standards of conduct.

Operational Flexibility
While uniformity is vital, there must be sufficient flexibility to support:
- Variations between Participants' operations.
- Variations in how different HIEs are structured and operate.
- Technology differences and evolution.
- Changes in standards and laws.
- Changes in threats.

Avoid Being Overly Prescriptive
There is often a desire to demand compliance with extremely detailed and draconian security requirements. Providers differ in size and complexity, which makes compliance with very specific, detailed requirements difficult.

Patient Transparency
Patients must have an opportunity to understand:
- How their information will be used and managed.
- What safeguards the HIE has established to protect their data.
- How the HIE will address breaches that may occur.

CCHIE Background

CCHIE Security Infrastructure and Knowledge
ClinicalConnect HIE leverages UPMC security and privacy infrastructure and knowledge. Servers are hosted within UPMC data centers and thereby inherit the UPMC security infrastructure. The HIE has access to UPMC Information Security expertise.

Patient Participation
Opt-out model (i.e. the data is exchanged unless the patient requests not to participate). The opt-out model is consistent with Pennsylvania state law. The patient's participation decision (consent) is captured through each Participant's registration system. The ClinicalConnect master person index tracks all consent decisions and honors the last consent received.
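The consent model on this slide has two rules that are easy to get wrong in an implementation: a patient with no decision on file participates (opt-out, not opt-in), and when several Participants' registration systems report decisions for the same patient, the last one received wins. The following is an added example written for this page, not ClinicalConnect's or UPMC's code; the patient identifiers, Participant names and timestamps are constructed, and "last received" is assumed to mean the decision with the latest receipt time, whatever order the events are processed in.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConsentEvent:
    patient_id: str        # master person index identifier (constructed for this example)
    participant: str       # Participant whose registration system captured the decision
    received_at: datetime  # when the HIE received the decision (assumed meaning of "received")
    opted_out: bool


class ConsentIndex:
    """Keeps one decision per patient and honors the last consent received."""

    def __init__(self):
        self._latest = {}

    def record(self, ev: ConsentEvent):
        current = self._latest.get(ev.patient_id)
        # Later receipt time wins regardless of the order events are processed in,
        # so an out-of-order batch cannot resurrect an older decision.
        if current is None or ev.received_at >= current.received_at:
            self._latest[ev.patient_id] = ev

    def may_exchange(self, patient_id: str) -> bool:
        # Opt-out model: a patient with no decision on file participates.
        ev = self._latest.get(patient_id)
        return ev is None or not ev.opted_out


def build_sample_index() -> ConsentIndex:
    """Constructed events. Patient A opted out at one Participant, then opted back in
    at another; the newer event is processed first to show order independence."""
    idx = ConsentIndex()
    events = [
        ConsentEvent("A", "Example Clinic", datetime(2018, 3, 5, 8, 0), opted_out=False),
        ConsentEvent("A", "Example Hospital", datetime(2018, 3, 1, 9, 0), opted_out=True),
        ConsentEvent("C", "Example Hospital", datetime(2018, 3, 2, 9, 0), opted_out=True),
    ]
    for ev in events:
        idx.record(ev)
    return idx


if __name__ == "__main__":
    idx = build_sample_index()
    for pid in ("A", "B", "C"):
        print(pid, "exchange allowed" if idx.may_exchange(pid) else "opted out")
```

Note that `may_exchange` only governs exchange with other Participants: under the Business Associate Agreement described later on this page, PHI still flows to the HIE itself even when the patient has opted out.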

Data Exchange Agreement
Establishes standards for the exchange of information through the HIE and describes the HIE's and each Participant's rights and obligations. Permits exchange for treatment, payment, healthcare operations, public health and the reporting of clinical quality measures (including measures to demonstrate meaningful use). Requires board approval for various other uses, such as benchmarking and comparative purposes, population management and preventive care by the HIE or a Provider.

Data Exchange Agreement
- Must be agreed to without modification by each Participant.
- Can be used as a standalone agreement for Participants that are not members.
- Developed based on input from the HIE's Privacy Workgroup.
- Approved by the ClinicalConnect Board of Directors.
- Reviewed by outside counsel.
- Requires the use of standard language in each Participant's treatment consent form.

Data Exchange Agreement
CCHIE is accountable for investigating breaches. Participants are required to report suspected breaches that they become aware of, and to assist as appropriate in the investigation of suspected breaches.

Data Exchange Agreement - Breach Notification
Provider agrees that on an expedited basis, and in no case longer than three (3) days after discovering information that leads Provider to reasonably believe that a Breach may have occurred, it will alert the HIE and the other HIE Participants whose Health Data may have been Breached. As soon as reasonably practicable, but no later than twenty-four (24) hours after determining that a Breach occurred, Provider will notify all HIE Participants likely impacted by the Breach and the HIE of such Breach. The notification should include sufficient information for the HIE Participants and the HIE to understand the nature of the Breach. For instance, such notification could include, to the extent available at the time of the notification:
- A one- or two-sentence description of the Breach.
- A description of the roles of the people involved in the Breach (e.g. employees, Users, service providers, unauthorized persons).
- The type of Health Data Breached.
- The HIE Participants likely impacted by the Breach.
- The number of individuals or records impacted, or estimated to be impacted, by the Breach.
- Actions taken by Provider to mitigate the Breach.
- Current status of the Breach (under investigation or resolved).
- Corrective action taken and steps planned to prevent a similar Breach.
Provider shall have a duty to supplement the information contained in the notification as it becomes available, and to cooperate with the other HIE Participants and the HIE in performing such actions as are required by Applicable Law and as are necessary to mitigate the harmful effect of the Breach.
If, on the basis of the notification, the HIE determines that (i) the other HIE Participants that have not been notified of the Breach would benefit from a summary of the notification, or (ii) a summary of the notification to the other HIE Participants would enhance the security of the HIE or the HIE Participants' environments, it may provide, in a timely manner, a summary to such HIE Participants that does not identify any of the HIE Participants or individuals involved in the Breach. Provider, the HIE and the affected HIE Participants shall decide on a case-by-case basis which party should notify any affected patients, and other parties as required by law.
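The clause above is effectively an incident-handling specification: two clocks (three days from discovery of a suspected Breach, twenty-four hours from determination), a checklist of content items with a continuing duty to supplement, and a de-identified summary the HIE may circulate. What follows is an added example written for this page, not ClinicalConnect's, UPMC's or any Participant's code, showing how an HIE's incident tracker could check those obligations. The Provider and Participant names, dates and counts in the sample notification are constructed, and the field names are this example's own choice.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows taken from the Data Exchange Agreement clause above.
INITIAL_ALERT_WINDOW = timedelta(days=3)       # from discovery of information suggesting a Breach
CONFIRMED_NOTICE_WINDOW = timedelta(hours=24)  # from the determination that a Breach occurred

# Content items the clause lists for the notification (field names are this example's own).
NOTIFICATION_FIELDS = (
    "description", "roles_involved", "data_types", "participants_impacted",
    "individuals_impacted", "mitigation", "status", "corrective_action",
)


@dataclass
class BreachNotification:
    reporting_provider: str
    discovered_at: datetime
    determined_at: Optional[datetime]          # None while the Breach is only suspected
    description: str = ""
    roles_involved: list = field(default_factory=list)
    data_types: list = field(default_factory=list)
    participants_impacted: list = field(default_factory=list)
    individuals_impacted: Optional[int] = None
    mitigation: str = ""
    status: str = ""                           # "under investigation" or "resolved"
    corrective_action: str = ""


def deadlines(n: BreachNotification):
    """Return (initial_alert_due, confirmed_notice_due); the second is None until determination."""
    alert_due = n.discovered_at + INITIAL_ALERT_WINDOW
    notice_due = n.determined_at + CONFIRMED_NOTICE_WINDOW if n.determined_at else None
    return alert_due, notice_due


def check_timeliness(n, alerted_at, notified_at=None):
    """List the clause's timing obligations that the given alert/notice times miss."""
    problems = []
    alert_due, notice_due = deadlines(n)
    if alerted_at > alert_due:
        problems.append(f"initial alert late by {alerted_at - alert_due}")
    if notice_due is not None:
        if notified_at is None:
            problems.append("Breach determined but impacted Participants not yet notified")
        elif notified_at > notice_due:
            problems.append(f"confirmed notice late by {notified_at - notice_due}")
    return problems


def missing_fields(n):
    """Listed content items still empty; the Provider must supplement these as they become available."""
    return [f for f in NOTIFICATION_FIELDS if getattr(n, f) in ("", None, [])]


def hie_summary(n):
    """What the HIE may pass to Participants that were not notified: the nature of the Breach
    without naming the Participants or individuals involved. Free-text fields still need review
    by a person before release, since a description can identify a Participant on its own."""
    return {
        "description": n.description,
        "roles_involved": list(n.roles_involved),
        "data_types": list(n.data_types),
        "participant_count": len(n.participants_impacted),
        "status": n.status,
        "corrective_action": n.corrective_action,
    }


# Constructed sample; names, dates and counts are invented for illustration.
UTC = timezone.utc
SAMPLE = BreachNotification(
    reporting_provider="Example Community Hospital",
    discovered_at=datetime(2018, 3, 1, 9, 0, tzinfo=UTC),
    determined_at=datetime(2018, 3, 5, 15, 0, tzinfo=UTC),
    description="Discharge summaries faxed to a wrong number.",
    roles_involved=["employees"],
    data_types=["demographics", "clinical notes"],
    participants_impacted=["Example Community Hospital", "Example Clinic"],
    individuals_impacted=12,
    mitigation="Recipient confirmed destruction of the pages.",
    status="under investigation",
)


def sample_results():
    alerted = datetime(2018, 3, 2, 10, 0, tzinfo=UTC)   # within 3 days of discovery
    notified = datetime(2018, 3, 7, 9, 0, tzinfo=UTC)   # 42 h after determination: late
    return check_timeliness(SAMPLE, alerted, notified), missing_fields(SAMPLE), hie_summary(SAMPLE)


if __name__ == "__main__":
    for part in sample_results():
        print(part)
```

The sample deliberately meets the three-day alert window but misses the twenty-four-hour notice window by eighteen hours, and leaves the corrective-action item empty, so the tracker reports both. Note that the clause fixes deadlines only for notifying the HIE and Participants; who notifies affected patients is decided case by case, so that step is outside this tracker.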

HIPAA Business Associate Agreement
The HIE is a Business Associate to each Participant. The agreement supports Protected Health Information (PHI) being sent to the ClinicalConnect HIE even if the patient has opted out, and defines appropriate access to PHI, protection of PHI, accounting of disclosures of PHI, and breach reporting. The HIPAA Business Associate Agreement must be agreed to without modification by each Participant.

Notice of Privacy Practices Addendum
A one-page Notice of Privacy Practices Addendum has been developed that describes how ClinicalConnect manages and uses Participants' PHI. The Addendum must be included with each Participant's HIPAA Notice of Privacy Practices, and its language must be used without modification by each Participant.