HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES


SALISH BHO HIPAA, 42 CFR PART 2, AND MEDICAID COMPLIANCE STANDARDS POLICIES AND PROCEDURES

Policy Name: BREACH NOTIFICATION REQUIREMENTS
Policy Number: 5.16
Reference: 45 CFR Part 164
Effective Date: 03/2016
Revision Date(s):
Reviewed Date: 6/2017
Approved by: SBHO Executive Board

PURPOSE

Breach notification regulations, issued in August 2009, implement section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act by requiring HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. The Salish Behavioral Health Organization (SBHO), in order to comply with the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification provisions, sets out in this policy the rules governing notification in the case of a breach.

DEFINITIONS

Breach: Any unauthorized acquisition, access, use, or disclosure of protected health information (PHI) is presumed to be a breach unless the covered entity (CE) or business associate (BA) can demonstrate that there is a low probability that the PHI has been compromised. SBHO will use the following four factors to determine whether PHI has been compromised to the extent necessary to be considered and reported as a breach:

a. The identity of the person to whom the PHI was disclosed;
b. Whether the PHI was actually acquired or viewed;
c. The actual content of the PHI, e.g. the identifying factors it contains; and
d. The extent to which the risk arising from the disclosure of the PHI has been mitigated.

For the purposes of this definition, "compromises the security or privacy of the protected health information" means that the use or disclosure poses a risk of financial, reputational, or other harm to the individual. A use or disclosure of protected health information that does not include any of the following identifiers does not compromise the security or privacy of the protected health information:

Breach Notification Requirements 5.16 Page 1 of 5

- Names
- Date of birth
- Zip code
- Postal address information, other than town or city, and State
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images

Breach excludes:

a. Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of SBHO, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under SBHO HIPAA Privacy and Security policies.
b. Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or at an organized health care arrangement in which the covered entity participates, provided the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under SBHO HIPAA Privacy and Security policies.
c. A disclosure of protected health information where SBHO has a good faith belief that the unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Unsecured protected health information: means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111-5 on the HHS Web site, which is updated annually. The HHS Web site address for this guidance is: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brguidance.html

PROCEDURE

Following the discovery of any potential breach, SBHO shall notify DSHS and begin a thorough investigation. If the PHI is determined to have been compromised to the extent of a breach, SBHO will notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of the breach. A breach shall be treated as discovered on the first day on which it is known, or by exercising reasonable diligence would have been known, to any staff person of SBHO.

1. Timeliness of notification: Except when there is a law enforcement delay as described in item 6 (Law Enforcement Delay) of this procedure, SBHO shall provide the notification without unreasonable delay, and in no case later than 60 calendar days after discovery of the breach. SBHO shall also notify DSHS of a compromise or potential compromise within 1 business day.

2. Content of the notification: All notifications shall include, to the extent possible, the following:
a. A brief description of what happened, including the date of the breach and the date of the discovery of the breach, if known;
b. A description of the types of unsecured protected health information that were involved in the breach (such as whether full name, social security number, date of birth, home address, account number, diagnosis, disability code, or other types of information were involved);
c. Any steps individuals should take to protect themselves from potential harm resulting from the breach;
d. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate harm to individuals, and to protect against any further breaches; and
e. Contact procedures for individuals to ask questions or learn additional information, which shall include a toll-free telephone number, an e-mail address, Web site, or postal address.

3. Methods of notification: Written notification shall be provided by first-class mail to the individual at the last known address of the individual or, if the individual agrees to electronic notice and such agreement has not been withdrawn, by electronic mail. The notification may be provided in one or more mailings as information becomes available.
a. Where there is insufficient or out-of-date contact information that precludes written notification to the individual, a substitute form of notice reasonably calculated to reach the individual shall be provided:
i. If there are fewer than 10 individuals for whom there is insufficient or out-of-date contact information, the substitute notice may be provided by an alternative form of written notice, telephone, or other means.
ii. If there are 10 or more individuals for whom there is insufficient or out-of-date contact information, the substitute notice shall:
- Be in the form of either a conspicuous posting for a period of 90 days on the home page of the SBHO Web site, or a conspicuous notice in major print or broadcast media in the geographic areas where the individuals affected by the breach likely reside; and
- Include a toll-free phone number that remains active for at least 90 days where an individual can learn whether the individual's unsecured protected health information may be included in the breach.
b. If SBHO determines that imminent misuse of unsecured protected health information is possible and that disclosure to affected individuals is urgent, SBHO may provide information to individuals by telephone or other means, as appropriate, in addition to meeting all other requirements in this policy.
c. If the individual is deceased, the written notification shall be made to either the next of kin or the personal representative if SBHO has the address of the next of kin or personal representative, unless there is insufficient or out-of-date contact information for the next of kin or personal representative.
d. When a breach of unsecured protected health information involves more than 500 individuals who are residents of the State of Washington, SBHO shall notify prominent media outlets serving the affected residents, such as local newspapers, in addition to providing the individual notification described in this policy.

4. Notification to the Secretary: Following the discovery of a breach of unsecured protected health information, SBHO shall notify the Secretary.
a. If the breach involves 500 or more individuals, SBHO shall provide notice to the Secretary at the same time as notice is provided to the affected individuals, in the manner specified on the HHS Web site.
b. If the breach involves fewer than 500 individuals, SBHO shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, notify the Secretary of the breaches occurring during the preceding calendar year, in the manner specified on the HHS Web site.
c. The HHS Web site address for instructions on notifying the Secretary is: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html

5. Notification by a business associate: Unless there is a law enforcement delay as described in this policy, SBHO requires that all network Contractors and Subcontractors notify the SBHO HIPAA Officer immediately following the discovery of a breach of unsecured protected health information.
a. Notification shall include identification of each affected individual, as well as all information described in item 2 (Content of the notification).
b. Network Contractors and Subcontractors who are covered entities shall comply with all specifications described in this policy.

6. Law Enforcement Delay: If a law enforcement official states to SBHO that a notification, notice, or posting required under this policy would impede a criminal investigation or cause damage to national security, SBHO shall:
a. Delay such notification, notice, or posting for the time period specified by the official, provided there is a written statement that specifies the time for which a delay is required.
b. If the official's communication regarding the criminal investigation or national security threat is made orally, document the statement, including the identity of the official making the statement, and delay the notification, notice, or posting temporarily and for no longer than 30 days from the date of the oral statement, unless a written statement as described above is submitted during that time.

MONITORING

This policy is mandated by contract or statute.
1. This policy will be monitored through the annual SBHO Provider and Subcontractor Administrative Review.
2. If a provider performs below expected standards during the review listed above, a Corrective Action will be required for SBHO approval. Reference the SBHO Corrective Action Plan Policy.