HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011
|
|
- Harold Kelly
- 5 years ago
- Views:
Transcription
1 HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, 2012 Phyllis F. Granade The Granade Law Firm Atlanta, GA (678) Looking Back at /14/11: NPRM re: CLIA and HIPAA 9/13/11: Leon Rodriguez Appointed Director, HHS Office for Civil Rights (replacing Georgina Verdugo) 5/31/11: NPRM re: Accounting of Disclosures First CMPs case OCR Audits of CEs and BAs initiated 1
2 NRPM CLIA and HIPAA 9/14/11, 76 Fed. Reg The proposed changes to the Clinical Laboratory Improvement Amendments of 1988 (CLIA) and HIPAA would allow: Laboratories to provide direct patient access to completed test reports following verification of the patient's identity through an authentication process. The proposed rules would revise HIPAA such that an exception to the access requirements no longer exists for a lab subject to CLIA. In short, CLIA laboratories will be required to provide patients with access to their PHI. NPRM Accounting of Disclosures 5/31/11, 76 Fed. Reg Substantive proposed changes to the Accounting of Disclosures standard; three year reach back TPO DRS BAs Addition of a new standard at 45 CFR Section (b), implementing Section of HITECH Access Reports (e.g., audit log) capturing Uses 2
3 State Attorneys General Training April June 2011: OCR Conducted HIPAA Enforcement Training Seminars for State Attorneys General Covering: General introduction to the HIPAA Privacy/Security Rules Analysis of the impact of HITECH on the HIPAA regulations Investigative techniques for identifying and prosecuting potential violations A review of HIPAA and State Law OCR's role in enforcing the HIPAA Privacy and Security Rules AG roles and responsibilities under HIPAA/HITECH Act Resources for AG in pursuing alleged HIPAA violations HIPAA Enforcement Support and Results 2011 Resolution Agreements February 14: Mass General Resolution Agreement The incident giving rise to the RA involved the loss of PHI of 192 patients of Mass General s Infectious Disease Associates outpatient practice, including patients with HIV/AIDS Mass General agreed to Pay $1,000,000 Enter into a Corrective Action Plan (CAP) to implement policies and procedures to safeguard the privacy of its patients. 3
4 2011 Resolution Agreements July 6: UCLA Health System settled potential HIPAA violations for $865,500; committed to a corrective action plan to remedy compliance gaps. The RA involved two separate complaints filed with OCR on behalf of two celebrity patients who received care at UCLA HS. The complaints alleged that UCLA HS employees repeatedly and without a need to know reviewed ephi. OCR s investigation into the complaints revealed that from , unauthorized employees repeatedly looked at the ephi of numerous other UCLA HS patients. The corrective action plan required UCLA HS to implement: HIPAA policies and procedures approved by OCR Conduct robust training Sanction offending workforce members Designate an independent monitor to assess compliance over 3 years CMPs Cignet Health Fined $4.3M OCR issued a Notice of Final Determination finding that Cignet Health of Prince George s County, MD, violated HIPAA. OCR imposed a civil money penalty (CMP) of $4.3 million for the violations, representing the first CMP issued by OCR for violations of the Privacy Rule. The CMP was based on the violation categories and increased penalty amounts authorized by Section 13410(d) of the HITECH Act. In its Notice of Proposed Determination, issued October 20, 2010, OCR found Cignet violated the rights of 41 patients by denying access to their records. Each patient filed a complaint with OCR. HIPAA requires that a CE provide a patient with a copy of their medical records within 30 days of a request (60 days for offsite records). The CMP for the access rights violations was $1.3 million. 4
5 2011 CMPs Cignet Health Fined $4.3M During the investigation, Cignet refused to respond to OCR s repeated demands to produce the records. Cignet failed to cooperate with OCR s investigation of the complaints, including failure to produce the records in response to OCR s subpoena. OCR filed a petition to enforce its subpoena in United States District Court and obtained default judgment against Cignet on March 30, On April 7, 2010, Cignet produced the medical records to OCR, but otherwise made no efforts to resolve the complaints through informal means. CEs are required by law to cooperate with OCR s investigations. OCR found that Cignet s failure to cooperate with OCR s investigations was due to willful neglect. The CMP for violations associated with Cignet s failure to comply with OCR s investigation and subpoena was $3 million. Enforcement Trends for 2012 OCR investigation process CE/BA involved? HIPAA violation alleged? Civil or criminal? (Criminal referred to DOJ) OCR enforcement process (in order of increasing burden on CE/BA): Voluntary compliance; Corrective action and/or resolution agreement; Civil Monetary Penalties. 5
6 OCR Audits: Section of the HITECH Act requires OCR to provide for periodic audits to ensure CEs and BAs are complying with the HIPAA regulations. To implement this mandate, OCR is piloting a program to perform up to 150 audits of CEs to assess privacy and security compliance. Audits conducted during the pilot phase will begin November 2011 and conclude by December Although CEs are the initial focus, BAs will also be subject to audits. OCR Audits: KPMG, the OCR contractor, will conduct HIPAA audits Initial audit of 20 CEs, 150 total. Eventually will include BAs. Entities selected for an audit will be informed by OCR of their selection and asked to provide documentation of compliance efforts. During the pilot phase, every audit will include a site visit and result in an audit report. During site visits, auditors will interview key personnel and observe processes and operations to help determine compliance. 6
7 OCR Audits: Following the site visit, auditors will develop and share with the entity a draft report. Audit reports will describe how the audit was conducted, the findings and the actions the CE is taking in response to those findings. Prior to report finalization, the CE will have an opportunity to discuss concerns and describe corrective actions implemented to address concerns identified. The final report submitted to OCR will incorporate the steps the CE has taken to resolve any compliance issues identified by the audit, as well as describe any best practices of the entity. OCR Audits: OCR expects covered entities and business associates who are the subject of the audit to provide requested information within 10 business days of the request for information. OCR expects to notify selected CEs between days prior to the anticipated onsite visit. Onsite visits may take 3 10 business days. After fieldwork, auditor provide CE with a draft final report. CE respond within 10 business days with written comments. Auditor will complete a final audit report within 30 business days after the CE s response and submit it to OCR. Questions: Do these time frames sound realistic to anyone who has worked with OCR? Will KPMG make the difference in timing? For that matter, what CE or BA can respond this quickly? 7
8 OCR Audits: Why Audits? OCR claims it will use the audit reports to determine what types of technical assistance should be developed, and what types of corrective action are most effective, but don t discount the threat of corrective action plans, resolution agreements Should an audit report indicate a serious compliance issue OCR may initiate a compliance review to address the problem. OCR will not post a listing of audited entities or the findings of an individual audit which clearly identifies the audited entity. OCR Audits: OCR will use the audit program to assess HIPAA compliance efforts by a range of CEs. Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals. Question: When comparing compliance activities by CEs and BAs, will OCR keep in mind that the HIPAA requirements were originally intended to be scalable? 8
9 State law compliance State Attorneys General HIPAA Action Prevention and mitigation Business associate agreements Turning a BAA into a positive for your entity Don t stop with a HIPAA Breach analysis HIPAA breach often triggers State law data breach 46 States have data breach laws as of August 2011 Personal information not limited to PHI Encryption safe harbor usually exists May require specific content in notice letter May require notice to State AG and/or State Consumer Affairs Department Massachusetts has its own security standards 9
10 Future trends at State level: Adoption of security standards/technical safeguard requirements Required form(s) of mitigation Increased notification content requirements Case law Risk threshold Damages Mitigation Public policy Standard of care, etc. State Attorneys General and HIPAA HITECH gave State AGs the authority to bring civil actions on behalf of state residents for violations of the HIPAA privacy/security regulations Two States so far: Connecticut and Vermont pursued HIPAA claims against Health Net Vermont result: $55,000 settlement Conn result: Health Net agreed to pay $250,000 10
11 Interesting notes about the Health Net cases: 1.5 million people allegedly impacted nationwide, but only 525 enrollees in Vermont Both States pursued State and HIPAA remedies Conn AG Blumenthal became Senator Blumenthal Senator Blumenthal is the brother of former ONC health IT director Blumenthal State consumer protection and privacy laws Indiana AG recouped $100,000 in July from Wellpoint when it violated State law by failing to timely report a data breach regarding 32,000 individuals Prevention and Mitigation Industry standards Banking/credit card PCI Security Standards Healthcare OCR, National Institute of Standards and Technology (NIST) Website/Social networking FTC NIST security standards Encryption and dozens of other IT standards 11
12 Turn a BAA into a positive for your entity: Breach caused by the act/omission of the BA? BA reimburse costs and expenses of the entity related to: Reasonable and actual expenses associated with mitigation, notification and other federal and state requirements Alternative: Indemnification Problems: liability caps, insurance limits, cost of indemnification/reimbursement not factored into original contract price State law: Cooperation with State data breach and security standard laws Shorter notice requirements Different compliance requirements Cooperation with State authorities AG Consumer Affairs Dept. State Privacy Office Federal and State fines and penalties 12
13 Questions? Phyllis F. Granade The Granade Law Firm (678)
Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.
Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D. HIPAA GENERAL RULE PHI may not be disclosed without patient authorization
More informationUpdate on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016
Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,
More informationWhen the Other Brother Steps Up: State Privacy Enforcement Actions
When the Other Brother Steps Up: State Privacy Enforcement Actions Healthcare Enforcement Compliance Conference November 6, 2018 Washington, DC Blaine Kerr, CISA, CHPC Chief Privacy Officer Jackson Health
More informationHIPAA Privacy, Security and Breach Notification
HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance
More informationHospital Council of Western Pennsylvania. June 21, 2012
Updates on OCR s HIPAA Enforcement and Regulations Hospital Council of Western Pennsylvania June 21, 2012 Topics HIPAA Privacy and Security Rule Enforcement HITECH Breach Notification OCR Audit Program
More informationHIPAA & Privacy Compliance Update
HIPAA & Privacy Compliance Update Vermont Medical Society FREE Wednesday Webinar Series March 15, 2017 Anne Cramer and Shireen Hart Primmer Piper Eggleston & Cramer PC acramer@primmer.com shart@primmer.com
More informationHIPAA-HITECH: Privacy & Security Updates for 2015
South Atlantic Regional Annual Conference Orlando, FL February 6, 2015 1 HIPAA-HITECH: Privacy & Security Updates for 2015 Darrell W. Contreras, Esq., LHRM Gregory V. Kerr, CHPC, CHC Agenda 2 OCR On-Site
More informationHIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017
HIPAA How to Comply with Limited Time & Resources Jonathan Pantenburg, MHA, Senior Consultant JPantenburg@Stroudwater.com August 17, 2017 Stroudwater Associates is a leading national healthcare consulting
More informationAgenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute
Health Law Institute Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More Brooke Bennett Aziere October 18, 2017 Agenda Enforcement Trends Phase 2 HIPAA Audits Upcoming Initiatives 1 Enforcement
More informationUpdate on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules
Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Marissa Gordon-Nguyen Office for Civil Rights (OCR) U.S. Department of Health and Human Services June
More informationPutting It All Together:
Putting It All Together: The Interplay of Privacy & Security Regina Verde, MS, MBA, CHC Chief Corporate Compliance & Privacy Officer University of Virginia Health System 2017 ISPRO Conference October 24,
More informationUpdate on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules
Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules Wandah Hardy, RN BSN, MPA Equal Opportunity Specialist/Investigator Office for Civil Rights (OCR)
More informationThe ABCs of HIPAA Security
The ABCs of HIPAA Security Daniel F. Shay, Esq 24 th Annual Health Law Institute Pennsylvania Bar Institute March 13, 2018 c. 2018 Alice G. Gosfield and Associates PC 1 Daniel F. Shay, Esq. Alice G. Gosfield
More informationSecurity Lessons Learned from HIPAA Enforcement
Security Lessons Learned from HIPAA Enforcement Presentation to HealthSec 12 August 7, 2012 Adam H. Greene, J.D., M.P.H. Partner, Davis Wright Tremaine Enforcement of the Security Rule HIPAA Security Rule
More informationHow Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.
How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq. Word Count: 2,268 Physician practices have lived with the reality of HIPAA for over twenty years. In that time, it has likely
More informationHIPAA Security and Privacy Policies & Procedures
Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400
More informationThe HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance
The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance Russell L. Jones Partner Health Sciences Sector Deloitte & Touche LLP Security & Privacy IMLA 2013 Annual Conference San
More information3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/
Compliance Institute Session 501: Implementing a System-Wide Access Monitoring Program Brian D. Annulis Meade, Roach & Annulis, LLP Aegis Compliance & Ethics Center, LLP 4147 N. Ravenswood Avenue Suite
More informationDATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE
DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE Melodi (Mel) M. Gates mgates@pattonboggs.com (303) 894-6111 October 25, 2013 THE CHANGING PRIVACY CLIMATE z HEALTH INSURANCE PORTABILITY & ACCOUNTABILITY
More informationHIPAA Cloud Computing Guidance
HIPAA Cloud Computing Guidance Adam Greene, JD, MPH Partner Rebecca Williams, BSN, JD Partner Nature is a mutable cloud which is always and never the same Ralph Waldo Emerson 2 Agenda A few historical
More informationCore Elements of HIPAA The Privacy Rule establishes individuals privacy rights and addresses the use and disclosure of protected health information ( PHI ) by covered entities and business associates The
More informationHIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp
HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp Agenda Introductions HIPAA Background and History Overview of HIPAA Requirements
More informationLessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits
Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits Iliana L. Peters, J.D., LL.M. Senior Advisor for HIPAA Compliance and Enforcement OCR RULEMAKING UPDATE What s s Done?
More informationMANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors
Page 1 of 6 Applies to: faculty staff students student employees visitors contractors Effective Date of This Revision: June 1, 2018 Contact for More Information: HIPAA Privacy Officer Board Policy Administrative
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationHIPAA Privacy and Security Training Program
Note The following HIPAA training is intended for Vendors, Business Associates, Students, Pre Approved Shadowers, and Visitors. The following training module does not provide credit for annual training
More informationBreach Notification Remember State Law
Breach Notification HITECH: First federal law mandating breach notification for health care industry Applies to covered entities, business associates, PHR vendors, and PHR service providers FTC regulates
More informationHIPAA For Assisted Living WALA iii
Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...
More informationAll Aboard the HIPAA Omnibus An Auditor s Perspective
All Aboard the HIPAA Omnibus An Auditor s Perspective Rick Dakin CEO & Chief Security Strategist February 20, 2013 1 Agenda Healthcare Security Regulations A Look Back What is the final Omnibus Rule? Changes
More informationSecurity and Privacy-Aware Cyber-Physical Systems: Legal Considerations. Christopher S. Yoo University of Pennsylvania July 12, 2018
Security and Privacy-Aware Cyber-Physical Systems: Legal Considerations Christopher S. Yoo University of Pennsylvania July 12, 2018 Overview of Research Tort and products liability for CPS Privacy and
More informationWHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty
WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty WHITE PAPER HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty By Jill Brooks, MD, CHCO and Katelyn Byrne, BSN, RN Data Breaches
More informationHIPAA ( ) HIPAA 2017 Compliancy Group, LLC
855 85 HIPAA (855-854-4722) www.compliancygroup.com 1 Started in 2005 by HIPAA auditors & Compliance experts Market need for a total end client solution Created The Guard: cloud-based solution Compliance
More informationDON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY
DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY Practice Areas: Healthcare Labor and Employment JASON YUNGTUM jyungtum@clinewilliams.com (402) 397 1700 Practice Areas: Healthcare
More informationDon t Be the Next Headline! PHI and Cyber Security in Outsourced Services.
Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services. June 2017 Melanie Duerr Fazzi Associates Partner, Director of Coding Operations Jami Fisher Fazzi Associates Chief Information
More informationHIPAA Security. An Ounce of Prevention is Worth a Pound of Cure
HIPAA Security An Ounce of Prevention is Worth a Pound of Cure Presented by CJ Wolf, MD, COC, CPC, CHC, CCEP, CIA Healthicity Senior Compliance Executive Paul R. Hales, Attorney at Law Subject Matter Expert
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationHIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance
HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should
More informationHIPAA Audits and the New Audit Protocol
Presenting a live 90-minute webinar with interactive Q&A HIPAA Audits and the New Audit Protocol Developing and Ensuring HIPAA and HITECH Privacy and Security Compliance TUESDAY, FEBRUARY 5, 2013 1pm Eastern
More informationThe Relationship Between HIPAA Compliance and Business Associates
The Relationship Between HIPAA Compliance and Business Associates 1 HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach
More informationHIPAA COMPLIANCE AND DATA PROTECTION Page 1
HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud
More informationInto the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule
Into the Breach: Breach Notification Requirements in the Wake of the HIPAA Omnibus Rule The Twenty-Second National HIPAA Summit Healthcare Privacy and Security After HITECH and Health Reform Rebecca Williams,
More informationAuditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC
Auditing and Monitoring for HIPAA Compliance HCCA COMPLIANCE INSTITUTE 2003 April, 2003 Presented by: Suzie Draper Sheryl Vacca, CHC 1 The Elements of Corporate Compliance Program There are seven key elements
More informationClearwater HIPAA Security Assessment Software. Demonstration
Clearwater HIPAA Security Assessment Software Demonstration Bob Chaput 615-656-4299 or 800-704-3394 bob.chaput@clearwatercompliance.com Clearwater Compliance LLC 1 About HIPAA-HITECH Compliance 1. We are
More informationHIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED
HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED HEALTHCARE ORGANIZATIONS ARE UNDER INTENSE SCRUTINY BY THE US FEDERAL GOVERNMENT TO ENSURE PATIENT DATA IS PROTECTED Within
More informationPrivacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare
Privacy Update: OCR HIPAA Phase 2 Audits: What to expect & How to prepare Rita Bowen, MA, RHIA, CHPS, SSGB In her role of Vice President of Privacy, HIM Policy and Education, Bowen ensures new and existing
More information8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID
Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements
More informationHIPAA FOR BROKERS. revised 10/17
HIPAA FOR BROKERS revised 10/17 COURSE PURPOSE The purpose of this information is to help ensure that all Optima Health Brokers are prepared to protect the privacy and security of our members health information.
More informationHIPAA Privacy & Security Training. Privacy and Security of Protected Health Information
HIPAA Privacy & Security Training Privacy and Security of Protected Health Information Course Competencies: This training module addresses the essential elements of maintaining the HIPAA Privacy and Security
More informationSecuring IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates
Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates Ruby Raley, Director Healthcare Solutions Axway Agenda Topics: Using risk assessments to improve
More informationA HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,
A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP, JD Director, HHS Office for Civil Rights Nicholas Heesters,
More informationBoerner Consulting, LLC Reinhart Boerner Van Deuren s.c.
Catherine M. Boerner, Boerner Consulting LLC Heather Fields, 1 Discuss any aggregate results of the desk audits Explore the Sample(s) Requested and Inquire of Management requests for the full on-site audits
More informationHIPAA Privacy, Security Lessons from 2016 and What's Next in 2017
HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017 Session 9, February 20, 2017 Deven McGraw, Deputy Director, Health Information Privacy HHS Office for Civil Rights 1 Speaker Introduction
More informationHIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood
HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked
More informationORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers
All Affiliate Research Policy Subject: HIPAA File Under: For Researchers ORA HIPAA Issuing Department: Office of Research Administration Original Policy Date Page 1 of 5 Approved by: May 9,2005 Revision
More informationENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT?
ENCRYPTION: ADDRESSABLE OR A DE FACTO REQUIREMENT? Jonathan Carroll, MBA, CISSP AVP Enterprise IT Operations Information Security Officer University of Connecticut Why Are We Talking About This? Data breaches
More informationNeil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016
Breach New Heights The role of ITAM in preventing a data breach Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016 Agenda Why Breaches Matter to the ITAM group The cost
More informationDeveloping Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?
Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite? Minnesota RIMS 39 th Annual Seminar Risk 2011-2012: Can You Hack
More informationHIPAA 101: What All Doctors NEED To Know
HIPAA 101: What All Doctors NEED To Know 1 HIPAA Basics HIPAA: Health Insurance and Portability Accountability Act of 1996 Purpose: to protect confidential information through improved security and privacy
More informationHIPAA Tips and Advice for Your. Medical Practice
HIPAA Tips and Advice for Your Ericka L. Adler Medical Practice Rachel V. Rose WHY Header HIPAA PATIENT and Medical PORTALS? Practices HIPAA Basics Who is a covered entity? What is PHI? When can you disclose
More informationData Backup and Contingency Planning Procedure
HIPAA Security Procedure HIPAA made Easy Data Backup and Contingency Planning Procedure Please fill in date implemented and updates for your facility: Goal: This document will serve as our back-up storage
More informationPresented by: Jason C. Gavejian Morristown Office
Presented by: Jason C. Gavejian Morristown Office jason.gavejian@jacksonlewis.com 973.538.6890 } Unauthorized use of, or access to, records or data containing personal information Personal Information
More informationUnderstanding the Impact of Data Privacy January 2012
Understanding the Impact of Data Privacy January 2012 Presented By: Eric Dieterich Agenda Why is data privacy important Quantifying the costs of a data breach Clarifying the differences between a privacy
More informationCloud Communications for Healthcare
Cloud Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization
More informationIntegrating HIPAA into Your Managed Care Compliance Program
Integrating HIPAA into Your Managed Care Compliance Program The First National HIPAA Summit October 16, 2000 Mark E. Lutes, Esq. Epstein Becker & Green, P.C. 1227 25th Street, N.W., Suite 700 Washington,
More informationNE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS
NE HIMSS Vendor Risk October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Does Vendor Management Feel Like This? 2 Vendor Risk Management Lifecycle
More informationHIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES. Audit Report October 29, 2010
HIPAA COMPLIANCE CALIFORNIA STATE UNIVERSITY, LOS ANGELES Audit Report 10-52 October 29, 2010 Members, Committee on Audit Henry Mendoza, Chair Raymond W. Holdsworth, Vice Chair Nicole M. Anderson Margaret
More informationSeven gray areas of HIPAA you can t ignore
White Paper: HIPAA Gray Areas Seven gray areas of HIPAA you can t ignore This guide exists to shed some light on some of the gray areas of HIPAA (the Health Insurance Portability and Accountability Act).
More informationHIPAA Compliance and Auditing in the Public Cloud
HIPAA Compliance and Auditing in the Public Cloud This paper outlines what HIPAA compliance includes in the cloud era. It aims to help enterprise IT leaders interested in becoming more familiar with the
More informationWhat s New with HIPAA? Policy and Enforcement Update
What s New with HIPAA? Policy and Enforcement Update HHS Office for Civil Rights New Initiatives Precision Medicine Initiative (PMI), including Access Guidance Cybersecurity Developer portal NICS Final
More informationA Checklist for Compliance in the Cloud 1. A Checklist for Compliance in the Cloud
A Checklist for Compliance in the Cloud 1 A Checklist for Compliance in the Cloud A Checklist for Compliance in the Cloud 1 With the industrialization of hacking and the enormous impact of security breaches,
More informationDavid C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017
David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017 Privacy and security of patient information held by health care providers remains a concern of the federal government. More resources
More informationSecurity and Privacy Breach Notification
Security and Privacy Breach Notification Version Approval Date Owner 1.1 May 17, 2017 Privacy Officer 1. Purpose To ensure that the HealthShare Exchange of Southeastern Pennsylvania, Inc. (HSX) maintains
More informationCYBERSECURITY IN THE POST ACUTE ARENA AGENDA
CYBERSECURITY IN THE POST ACUTE ARENA AGENDA 2 Introductions 3 Assessing Your Organization 4 Prioritizing Your Review 5 206 Benchmarks and Breaches 6 Compliance 0 & Cybersecurity 0 7 Common Threats & Vulnerabilities
More informationWHEN TO HOLD YOUR TONGUE - THE BENEFITS AND RISKS OF SELF-DISCLOSURE. WHAT IS A PHYSICIAN PRACTICE TO DO? October 13, 2009
, II C II EA i :1'11 C.\Il C(HI l' I.L\ '" C..\SSOCIATI \"'l\lull...... Ii \ ~ L~ WHEN TO HOLD YOUR TONGUE - THE BENEFITS AND RISKS OF SELF-DISCLOSURE WHAT IS A PHYSICIAN PRACTICE TO DO? October 13, 2009
More informationI HAVE ALL THESE RECORDS. NOW WHAT? Serving Durham, Wake, Cumberland and Johnston Counties
I HAVE ALL THESE RECORDS. NOW WHAT? Serving Durham, Wake, Cumberland and Johnston Counties Agenda Public Records Law When Provider Agencies Merge or Go Out of Business Record Retention Record Destruction
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationHIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017
HIPAA in 2017: Hot Topics You Can t Ignore Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017 Breach Notification State Law Privacy Rule Authorizations Polices and Procedures The Truth Is Have created
More informationHIPAA Comes of Age: 21 Years of Privacy and Security
Cyber Hot Topics Webinar Series: HIPAA Comes of Age: 21 Years of Privacy and Security August 17, 2017 11:30AM 12:30PM CST Presented by: Andrew Elbon, Judd A. Harwood, Amy S. Leopard, and Jordan A. Stivers
More informationCritical HIPAA Privacy & Security Crossover Areas
Critical HIPAA Privacy & Security Crossover Areas Presented by HIPAA Solutions, LC Peter MacKoul, JD Senior Privacy SME Ken Hughes Senior Security SME HIPAA Solutions, LC 2016 1 Critical HIPAA Privacy
More informationHIPAA COMPLIANCE AND
INTRONIS MSP SOLUTIONS BY BARRACUDA HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and Intronis Cloud Backup and
More informationIT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I
Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute June 21, 2016 6/21/2016 1 1 Disclaimer
More informationSecurity Rule for IT Staffs. J. T. Ash University of Hawaii System HIPAA Compliance Officer
Security Rule for IT Staffs J. T. Ash University of Hawaii System HIPAA Compliance Officer jtash@hawaii.edu hipaa@hawaii.edu Disclaimer HIPAA is a TEAM SPORT and everyone has a role in protecting protected
More informationEnforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance
Enforcement of Health Information Privacy & Security Standards Federal Enforcement Through Recent Cases and Tools to Measure Regulatory Compliance Iliana Peters, JD, LLM, HHS Office for Civil Rights Kevin
More informationSteffanie Hall, RHIA HIM Director/Privacy Officer 1201 West 12 th Emporia, Kansas ext
JOINT NOTICE OF PRIVACY PRACTICES NEWMAN REGIONAL HEALTH, NEWMAN REGIONAL HEALTH MEDICAL PARTNERS, HOSPICE, NEWMAN PHYSICAL THERAPY, COMMUNITY WELLNESS AND MEMBERS OF THE NEWMAN REGIONAL HEALTH ORGANIZED
More informationHIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders
HIPAA Developed by The University of Texas at Dallas Callier Center for Communication Disorders Purpose of this training Everyone with access to Protected Health Information (PHI) must comply with HIPAA
More informationUniversity of Wisconsin-Madison Policy and Procedure
Page 1 of 10 I. Policy The Health Information Technology for Economic and Clinical Health Act regulations ( HITECH ) amended the Health Information Portability and Accountability Act ( HIPAA ) to establish
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationSecure Messaging Mobile App Privacy Policy. Privacy Policy Highlights
Secure Messaging Mobile App Privacy Policy Privacy Policy Highlights For ease of review, Everbridge provides these Privacy Policy highlights, which cover certain aspects of our Privacy Policy. Please review
More informationDecrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use
Click to edit Master title style Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use Andy Petrovich, MHSA, MPH M-CEITA / Altarum Institute October 1, 2014 10/1/2014 1 1 Who is
More informationHIPAA Privacy and Security. Kate Wakefield, CISSP/MLS/MPA Information Security Analyst
HIPAA Privacy and Security Kate Wakefield, CISSP/MLS/MPA Information Security Analyst Kwakefield@costco.com Presentation Overview HIPAA Legislative history & key dates. Who is affected? Employers too!
More informationElements of a Swift (and Effective) Response to a HIPAA Security Breach
Elements of a Swift (and Effective) Response to a HIPAA Security Breach Susan E. Ziel, RN BSN MPH JD Krieg DeVault LLP Past President, The American Association of Nurse Attorneys Disclaimer The information
More informationIntroduction CHAPTER 1
CHAPTER 1 Introduction Data security breaches are an everyday occurrence. The news media constantly publicize data breaches, especially those involving retailers in which hackers steal the payment card
More informationFinancial Regulations, Enforcement & Cybersecurity
Financial Regulations, Enforcement & Cybersecurity Elizabeth P. Gray May 16, 2017 Copyright 2017 by Willkie Farr & Gallagher LLP. All Rights Reserved. These course materials may not be reproduced or disseminated
More informationImplementing and Enforcing the HIPAA Security Rule
Implementing and Enforcing the HIPAA Security Rule John Parmigiani National Practice Director Regulatory and Compliance Services CTG HealthCare Solutions, Inc. Introductions Final Security Rule How we
More informationRequest for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare
Request for Proposal HIPAA Security Risk and Vulnerability Assessment May 1, 2016 First Choice Community Healthcare Timeline The following Timeline has been defined to efficiently solicit multiple competitive
More informationOverview of Presentation
A HIPAA Security Incident and Investigation. It Can Happen to You. Sandra a L. Sessoms, RN, CPHQ, CHC Interim Vice President, System Compliance West Penn Allegheny Health System Robert R. Michalski, CHC
More informationHCISPP HealthCare Information Security and Privacy Practitioner
HCISPP HealthCare Information Security and Privacy Practitioner William Buddy Gillespie, HCISPP Global Academic Instructor (ISC)² Former Healthcare CIO Chair Advocacy Committee, CPAHIMSS budgill@aol.com
More informationEmerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI Web Hull Privacy, Data Protection, & Compliance Advisor
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More informationTopics 4/11/2016. Emerging Challenges in mhealth: Keeping Information Safe & Secure. Here s the challenge It s just the beginning of mhealth
Emerging Challenges in mhealth: Keeping Information Safe & Secure HCCA CI 2016 Web Hull Privacy, Data Protection, & Compliance Advisor Web.Hull@icloud.com 1 Topics 1. mhealth Challenges & Landscape 2.
More information