Breach Notification and Enforcement
Sponsored by the Health Information and Technology Practice Group
June 14, 2012
Presenter: Patricia A. Markus, Esquire, Smith Moore Leatherwood LLP, Raleigh, NC
Overview
- Definitions
- Is It a Breach?
- Discovery, Investigation, and Notification
- Breach Enforcement
Background/History of Breach Notification
- Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) there was no requirement to notify patients of breaches of Protected Health Information (PHI).
- The Health Information Technology for Economic and Clinical Health Act (HITECH) is the first federal law mandating breach notification for the health care industry.
- HITECH requirements must be compared with existing state breach notification requirements; where the two do not conflict, both sets of rules must be followed.
- HITECH applies to breaches of certain clinical and financial information.
Breach Definitions: What Is a Breach?
Key elements:
- Acquisition, access, use, or disclosure
- of unsecured PHI
- not permitted by the Privacy Rule
- that compromises the security or privacy of the PHI
Breach Definitions: Unsecured PHI
- PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized individuals through encryption technologies or methods of physical destruction approved by the Secretary of the U.S. Department of Health and Human Services (HHS).
- Approved technologies and destruction methods are listed at 74 Fed. Reg.
Breach Definitions: Compromises the Security or Privacy of the PHI
- Means the access, use, or disclosure poses a significant risk of financial, reputational, or other harm to the person whose PHI was the subject of the inappropriate access, use, or disclosure.
Is It a Breach?
A use or disclosure is not a breach:
- When the PHI is properly encrypted or destroyed
- When the use or disclosure is permitted under HIPAA
- When a HITECH exception applies
- When the privacy or security of the data is not compromised
Is It a Breach? Step 1: Unsecured PHI
PHI is secured if it is:
- Encrypted, or
- Destroyed (shredded, burned, purged, cut; the proper destruction method depends on the medium)
Also not a breach:
- Individually identifiable health information held by a covered entity or business associate in its capacity as an employer
- Information de-identified in accordance with HIPAA guidelines
Is It a Breach? Step 2: Permitted Use/Disclosure
- A breach is an impermissible use or disclosure; if HIPAA permits or requires the use or disclosure, it is not a breach.
- If the use or disclosure is not permitted under HIPAA, you must still ask: does it compromise the security or privacy of the PHI?
- Not every impermissible disclosure is a breach, but it may still be a violation of the Privacy Rule.
Is It a Breach? Step 3: HITECH Exceptions
- HITECH contains three narrowly construed exceptions.
- If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if the information was unsecured PHI and the disclosure is not permitted under HIPAA.
Is It a Breach? Step 3: HITECH Exceptions
Exception 1: Unintentional access to, or acquisition or use of, PHI:
- By a workforce member of the covered entity or business associate (BA)
- Acting in good faith
- Within the course and scope of duties
- Where the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA
Is It a Breach? Step 3: HITECH Exceptions
- Example: A billing employee receives and opens an e-mail containing a patient's PHI that was mistakenly sent to her. The billing employee notifies the sender of the error and then deletes the e-mail without further using or disclosing the information. Exception applies: no breach.
- Example: A receptionist who is not authorized to access PHI decides to browse through patient files to find out information about a friend's treatment. Exception does not apply: potential breach.
Is It a Breach? Step 3: HITECH Exceptions
- Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and on whose cases she has not been asked to consult. Exception does not apply: potential breach.
Is It a Breach? Step 3: HITECH Exceptions
Exception 2: Inadvertent disclosure of PHI:
- From one workforce member at the covered entity or BA to another at the same covered entity or BA
- Where both workforce members are authorized to access the information
- Where the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA
Is It a Breach? Step 3: HITECH Exceptions
- Example: An inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies: no breach.
- Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply: potential breach.
Is It a Breach? Step 3: HITECH Exceptions
Exception 3: Unauthorized disclosure of PHI to an unauthorized person:
- Where there is a reasonable, good-faith belief
- That the unauthorized recipient would not reasonably have been able to retain the information
Is It a Breach? Step 3: HITECH Exceptions
- Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies: no breach.
- Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies to those: no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply to those: potential breach.
Is It a Breach? Step 4: Risk Assessment
- A breach must involve a significant risk of financial, reputational, or other harm.
- Requires a good-faith judgment, made by the business associate or covered entity.
- Must consider the relevant factors below.
- Must document the basis for the determination.

Who impermissibly used the information, or to whom was it impermissibly disclosed?
- Disclosure to another entity subject to HIPAA: likely small risk of harm
- Lost or stolen information: likely high risk of harm
- Disclosure to a member of the general public: likely high risk of harm

In what form was the PHI accessed or disclosed?
- Verbal or paper: likely smaller risk of harm
- Electronic: likely higher risk of harm

What were the circumstances surrounding the disclosure?
- Unintentional disclosure: likely smaller risk
- Intentional disclosure: likely higher risk
- Lost or stolen information, or hacking: likely higher risk

What information was the subject of the impermissible use or disclosure?
- Limited data set: low risk of harm
- Information about the fact of treatment: depends on the facility (General Hospital, likely small risk of harm; Communicable Disease Clinic, likely high risk of harm)
- Type of treatment (oncology): likely higher risk of harm
- Type of treatment (sexually transmitted diseases, mental health, substance abuse, abuse victim): deemed to pose a significant risk of reputational harm
- Information that assists in identity theft (Social Security number (SSN), account numbers, personal identification numbers): likely high risk of harm

What steps were taken to mitigate the impermissible use or disclosure?
- Obtained the recipient's satisfactory assurance that the information will be destroyed and not used: likely small risk of harm
- Information is returned before it is accessed (for example, laptop analysis reveals no access): likely small risk of harm
- Would notice enable affected persons to protect themselves from harm?

If a significant risk of harm to the patient exists, the breach notification requirements must be followed.
Discovery and Investigation of Breach
- The incident starts the clock: discovery is the first day on which the covered entity or business associate has actual knowledge of the breach, including the day on which, by exercising reasonable diligence, it would have known.
- Individuals must be notified as soon as reasonably possible, but no later than sixty days after discovery.
- Reasonable diligence means the business care and prudence expected of one seeking to satisfy a legal requirement. What is this in practice, and how do you demonstrate it?
Notifications
Written notice of a breach must be given to:
- Affected individuals
- The Secretary of HHS
- The covered entity (by a business associate)
- Sometimes the media
Notice must be timely and adequate.
Notifications to Individuals
- No later than sixty days after discovery of the breach, written notice must be provided to each affected individual by first-class mail (e-mail notice is acceptable if the patient has agreed to it).
- Notice goes to the next of kin or personal representative for a deceased patient.
- Content:
  - What occurred and when
  - Types of PHI involved
  - Steps individuals should take to protect themselves
  - What is being done to investigate and mitigate
  - Covered Entity (CE) contact information
Notifications: Law Enforcement Exception
- If law enforcement asks the CE to delay providing notice because notice would impede a criminal investigation or damage national security, the CE may delay notification.
- Length of delay:
  - The time period specified in a written notice from law enforcement, or
  - Up to thirty days for an oral request, unless law enforcement submits a writing specifying the time frame for the delay
Notifications: Substitute Notice
Substitute notice applies where the address is insufficient or out of date:
- Fewer than ten individuals affected: an alternate form of written notice, telephone, or other means
- Ten or more individuals affected: substitute notice on the home page of the entity's website or in major print or broadcast media (include a toll-free number)
- Substitute notice need not be provided to a next of kin or personal representative
Notifications: Media and HHS
- Media notice: required if more than 500 residents of a single state or jurisdiction are affected.
- Notice to the Secretary of HHS:
  - If 500 or more individuals are affected, notice must be given to the Secretary immediately by filing the notice electronically on the HHS form.
  - If fewer than 500 individuals are affected, notice must be given to the Secretary within sixty days of the end of the calendar year (CY), using the same form (one form per breach).
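The four-step breach determination (Steps 1 through 4 above) and the notification obligations on the preceding slides, encoded as a small incident-triage helper. This is an added example, not code from the presentation or from AHLA. It assumes the covered entity has already made and documented its own good-faith determinations (whether the PHI was secured, whether a HITECH exception applies, whether the risk of harm is significant) and feeds them in as inputs; the code only applies the slides' ordering and derives the clock. It also models a law-enforcement delay as a simple extension of the sixty-day individual-notice deadline, which is a simplifying assumption. The Incident fields, function names, and the sample scenario are constructed for illustration.

```python
"""Breach triage helper (added example, not from the AHLA slides).

Inputs are the covered entity's own documented conclusions; this code applies
the four-step test in the slides' order and derives the notification plan.
Assumption: a law-enforcement hold simply extends the 60-day deadline.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional, Tuple


@dataclass
class Incident:
    discovered: str                        # ISO date: first day of actual/constructive knowledge
    phi_secured: bool                      # encrypted/destroyed per HHS guidance
    not_phi: bool = False                  # employment record, or properly de-identified
    permitted_under_hipaa: bool = False    # Privacy Rule permits or requires the use/disclosure
    hitech_exception: bool = False         # one of the three HITECH exceptions applies
    significant_risk_of_harm: bool = True  # documented risk-assessment conclusion (Step 4)
    acting_as_business_associate: bool = False
    affected_by_state: Dict[str, int] = field(default_factory=dict)  # state -> residents affected
    bad_addresses: int = 0                 # individuals with insufficient/out-of-date contact info
    le_delay_days_written: Optional[int] = None  # days specified in a written LE request
    le_delay_oral: bool = False            # oral LE request with no writing yet


def is_breach(inc: Incident) -> Tuple[bool, str]:
    """Steps 1-4 from the slides, evaluated in order; the first rule that fires decides."""
    if inc.phi_secured or inc.not_phi:
        return False, "step 1: PHI is secured, or the information is not PHI subject to the rule"
    if inc.permitted_under_hipaa:
        return False, "step 2: use/disclosure is permitted under HIPAA"
    if inc.hitech_exception:
        return False, "step 3: a HITECH exception applies"
    if not inc.significant_risk_of_harm:
        return False, ("step 4: no significant risk of harm (document the basis; "
                       "may still be a Privacy Rule violation)")
    return True, "breach: impermissible use/disclosure of unsecured PHI with significant risk of harm"


def notification_plan(inc: Incident) -> dict:
    """Who must be told, by when, and in what form, per the notification slides."""
    breach, reason = is_breach(inc)
    plan = {"breach": breach, "reason": reason}
    if not breach:
        return plan
    discovered = date.fromisoformat(inc.discovered)
    total = sum(inc.affected_by_state.values())

    # A BA reports to the covered entity, which owns the individual/HHS/media notices.
    plan["notify_covered_entity"] = inc.acting_as_business_associate

    # Individuals: no later than 60 days after discovery, extended by any law-enforcement hold
    # (written period governs; an oral request buys up to 30 days).
    if inc.le_delay_days_written is not None:
        hold = inc.le_delay_days_written
    elif inc.le_delay_oral:
        hold = 30
    else:
        hold = 0
    plan["law_enforcement_hold_days"] = hold
    plan["individual_notice_deadline"] = (discovered + timedelta(days=60 + hold)).isoformat()

    # Substitute notice for bad addresses; the form depends on how many are affected.
    if inc.bad_addresses == 0:
        plan["substitute_notice"] = None
    elif inc.bad_addresses < 10:
        plan["substitute_notice"] = "alternate written notice, telephone, or other means"
    else:
        plan["substitute_notice"] = ("home page of entity website or major print/broadcast media, "
                                     "with toll-free number")

    # Media notice: more than 500 residents of a single state/jurisdiction.
    plan["media_notice_states"] = sorted(s for s, n in inc.affected_by_state.items() if n > 500)

    # Secretary of HHS: 500 or more -> immediately; fewer -> within 60 days of end of the CY.
    if total >= 500:
        plan["hhs_notice_due"] = "immediately"
    else:
        plan["hhs_notice_due"] = (date(discovered.year, 12, 31) + timedelta(days=60)).isoformat()
    return plan


if __name__ == "__main__":
    # Constructed scenario: unencrypted laptop stolen, 660 patients across two states,
    # 12 undeliverable addresses, and an oral request from law enforcement to hold notice.
    sample = Incident(discovered="2012-06-14", phi_secured=False,
                      affected_by_state={"NC": 620, "VA": 40}, bad_addresses=12,
                      le_delay_oral=True)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

The order of the checks matters: a secured-PHI finding ends the analysis before any exception or risk question is reached, which mirrors the slides, and a negative Step 4 result is returned with a reminder that the event may still be a Privacy Rule violation even though no notification is owed.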
Breach Enforcement
- The HITECH breach notification rules require self-disclosure and reporting, which invites investigation by the Office for Civil Rights (OCR).
- HITECH's enforcement Interim Final Rule introduces strict liability unless violations are corrected within thirty days, with tiers of penalties and tiers of culpability.
Breach Enforcement: Penalty Tiers

Culpability                      Per-violation amount   Calendar-year maximum (identical violations)
Did Not Know                     $100 - $50,000         $1,500,000
Reasonable Cause                 $1,000 - $50,000       $1,500,000
Willful Neglect, Corrected       $10,000 - $50,000      $1,500,000
Willful Neglect, Not Corrected   $50,000 minimum        $1,500,000
Breach Enforcement: Civil Penalties
- Maximum of $1.5 million for all identical violations in a calendar year.
- If the entity did not know a violation occurred and, by exercising reasonable due diligence, would not have known: $100 to $50,000 per violation.
- Violation due to reasonable cause and not to willful neglect: $1,000 to $50,000 per violation.
- Violation due to willful neglect: $10,000 to $50,000 per violation if corrected within thirty days; a minimum of $50,000 per violation if not corrected within thirty days.
HITECH Enforcement Developments
- Penalties apply to covered entities and business associates (lawyers included).
- Criminal penalties now apply to workforce members who use or disclose PHI without authorization.
- Safe harbor for violations corrected within thirty days (assuming no willful neglect).
- Starting 2/17/11, OCR must investigate any complaint that may have resulted from willful neglect; if a violation is found, OCR is required to impose civil monetary penalties (CMPs).
HITECH Enforcement Developments
- For HIPAA violations after 2/17/09, HITECH permits State Attorneys General (AGs) to bring civil actions on behalf of state residents to enjoin privacy or security violations or to obtain damages: $100 per violation, up to a maximum of $25,000 per year for identical violations.
- Costs of suit and reasonable attorneys' fees may be assessed against HIPAA violators and awarded to the state.
- HHS held State AG training in spring 2011 on how to prosecute HIPAA violations.
HITECH Enforcement Developments
- The Secretary of HHS is required to perform periodic audits to ensure that CEs and their business associates comply with HIPAA and HITECH requirements.
- HHS is paying KPMG $9.2 million to create the audit program and to audit up to 115 CEs and BAs for HIPAA compliance by the end of 2012.
- HHS is to establish regulations (by 2/17/12) specifying the methodology under which an individual harmed by a HIPAA violation may receive a percentage of any monetary amount collected.
HITECH Enforcement Examples
- OCR has issued eight Resolution Agreements and one very large CMP.
- Providence Resolution Agreement (July 2008): OCR imposed a relatively small fine ($100,000) and no CMPs for the loss of data on 386,000 patients on laptops and backup media.
- 2011 Resolution Agreements:
  - Massachusetts General Hospital: $1 million payment for paper records of 192 patients left on the subway (no SSNs or driver's license numbers (DLNs), and no evidence the information was ever used improperly).
  - University of California, Los Angeles (UCLA): $865,500 payment for repeated snooping in celebrity records, where UCLA had neither policies prohibiting the conduct nor training on it.
HITECH Enforcement Examples: 2012 Resolution Agreements
- Blue Cross Blue Shield of Tennessee: $1.5 million for the theft of fifty-seven hard drives containing the PHI of over one million individuals, including SSNs.
- Phoenix Cardiac Surgery: $100,000 for posting the ePHI of more than 1,000 patients on a publicly accessible, Internet-based calendar.
HITECH Enforcement Examples: Cignet Health CMP (February 2011)
- Fine of $4.351 million: $3 million for failure to cooperate and $1.3 million for failing to provide forty-one patients with copies of their records.
- A primer on how NOT to respond to an OCR investigation:
  - Cignet ignored repeated government requests for information and discussion for over a year.
  - After receiving a court order to produce records, Cignet produced thousands of original medical records of individuals unrelated to the investigation.
Breach Enforcement Lessons
- OCR is enforcing, and penalties are getting bigger.
- State AGs will act and can obtain money.
- Increasingly strict enforcement shows that prevention, prompt identification, and correction of breaches is the best defense.
Additional Resources
- Breach Notification for Unsecured Protected Health Information: Interim Final Rule, 74 Fed. Reg. (Aug. 24, 2009).
- For additional resources on conducting a breach notification risk assessment, see the HITECH Breach Notification Evaluation at d1db82a76b2b/presentation/publicationattachment/ b3-46cb- 9c5a-d416768e0ced/Markus_HITBytesJan2010.pdf, along with AHIMA's Data Breach Investigation and Mitigation Checklist, available at 5.pdf.
- For a more comprehensive breach notification risk assessment tool, see
Breach Notification and Enforcement 2012 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. (From a declaration of the American Bar Association.)
More informationADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR)
ADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR) This Contract Addendum, entered into between, hereinafter referred to as the Contractor to provide
More informationIntersections Data Breach. July
Intersections Data Breach Consumer Notification Guide July 2010 www.intersections.com 888.283.1725 DataBreachServices@Intersections.com Table of contents Section I Introduction.......... 4 Section II
More informationState Data Breach Notification Laws
State Data Breach Notification Laws This chart should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach
More informationEnforcing HIPAA Administrative Simplification: Dispassionate Enforcement or Compassionate Prosecution?
Enforcing HIPAA Administrative Simplification: Dispassionate Enforcement or Compassionate Prosecution? By: Alan S. Goldberg, JD, LLM* Goulston & Storrs, Boston, MA, Washington, DC, and London, UK Past
More informationSAMPLE FORMS - CONTRACTS DATA REQUEST AND RELEASE PROCESS NON-DISCLOSURE AGREEMENT, Form (See Attached Form)
SOUTHERN CALIFORNIA GAS COMPANY Revised CAL. P.U.C. SHEET NO. 51719-G LOS ANGELES, CALIFORNIA CANCELING Original CAL. P.U.C. SHEET NO. 50594-G SAMPLE FORMS - CONTRACTS DATA REQUEST AND RELEASE PROCESS
More informationHIPAA Enforcement Rule. Aimee Wall Health Directors Legal Conference Institute of Government April 20, 2006
HIPAA Enforcement Rule Aimee Wall Health Directors Legal Conference Institute of Government April 20, 2006 Refresher Course Congress passed HIPAA in 1996 Various HIPAA rules adopted establishing national
More informationTechnology and the Threat to the Attorney- Client Privilege Suzanne Valdez
Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez May 17-18, 2018 University of Kansas School of Law Technology and the Threat to the Attorney-Client Privilege Recent Developments
More information- 79th Session (2017) Assembly Bill No. 474 Committee on Health and Human Services
Assembly Bill No. 474 Committee on Health and Human Services CHAPTER... AN ACT relating to drugs; requiring certain persons to make a report of a drug overdose or suspected drug overdose; revising provisions
More informationINDIANA UNIVERSITY Policy and Procedures on Research Misconduct DRAFT Updated March 9, 2017
INDIANA UNIVERSITY Policy and Procedures on Research Misconduct DRAFT Updated March 9, 2017 Policy I. Introduction A. Research rests on a foundation of intellectual honesty. Scholars must be able to trust
More informationLegal and Ethical Considerations (Chapter 3- Mosby s Dental Hygiene)
Legal and Ethical Considerations (Chapter 3- Mosby s Dental Hygiene) Brief Overview of the Legal System A brief review of the fundamentals of how the legal system in the United States operates is important
More informationThe Health Information Protection Act
1 The Health Information Protection Act being Chapter H-0.021* of the Statutes of Saskatchewan, 1999 (effective September 1, 2003, except for subsections 17(1), 18(2) and (4) and section 69) as amended
More informationMandatory data breach reporting comes to Australia new notification requirements under the Privacy Act (2018) 15(4) PRIVLB 54
Mandatory data breach reporting comes to Australia new notification requirements under the Privacy Act Privacy Law Bulletin (newsletter) Daniel Kovacs and Alex Garfinkel KCL LAW Editor s Note: This article
More informationDATA USE AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION
DATA USE AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION This Data Use Agreement (the Agreement ) is effective between the Greenville Hospital System and Data User(s) (the Data Users ): 1. (List name
More informationIntroduction to Health Insurance Portability and Accountability Act (HIPAA): How It Affects Law Enforcement. Prepared by:
Introduction to Health Insurance Portability and Accountability Act (HIPAA): How It Affects Law Enforcement Prepared by: Toni Smith Assistant City Attorney 2012 Introduction In 1996, the Health Insurance
More informationNEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, Complaints Per 100,000 Population, Complaints (2007) Updated January 25, 2009
NEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, 100.1 Complaints Per 100,000 Population, 19319 Complaints (2007) Updated January 25, 2009 Current Laws: A person is guilty of identity theft when he knowingly
More informationthe general policy intent of the Privacy Bill and other background policy material;
Departmental Disclosure Statement Privacy Bill This departmental disclosure statement for the Privacy Bill seeks to bring together in one place a range of information to support and enhance the Parliamentary
More informationHARVARD PILGRIM HEALTH CARE, INC. PRIVACY AND SECURITY AGREEMENT
HARVARD PILGRIM HEALTH CARE, INC. PRIVACY AND SECURITY AGREEMENT THIS PRIVACY AND SECURITY AGREEMENT ( Agreement ) is made effective as of, 20 (the Effective Date ) by and between Harvard Pilgrim Health
More informationCondominium Management Regulatory Authority of Ontario Access and Privacy Policy
Condominium Management Regulatory Authority of Ontario Access and Privacy Policy 1.0 Purpose and Scope The purpose of this Policy is to set out how the Condominium Management Regulatory Authority of Ontario
More informationChapter PERSONAL INFORMATION PROTECTION ACT. Article 01. BREACH OF SECURITY INVOLVING PERSONAL INFORMATION
Alaska Statute Chapter 45.48. PERSONAL INFORMATION PROTECTION ACT Article 01. BREACH OF SECURITY INVOLVING PERSONAL INFORMATION Sec. 45.48.010. Disclosure of breach of security. (a) If a covered person
More informationAPPENDIX I. Research Integrity Policy for Responding to Allegations of Scientific Misconduct
APPENDIX I Research Integrity Policy for Responding to Allegations of Scientific Misconduct Procedures for Responding to Allegation of Scientific Misconduct Allegation of scientific misconduct Preliminary
More informationRamifications of Fraud
Ramifications of Fraud The Institute of Internal Auditors Orange County March 18, 2016 Presentation by: Charles E. Slyngstad Burke, Williams & Sorensen, LLP 444 S. Flower Street, Suite 2400 Los Angeles,
More informationPolicy Title: FOIA Procedures and Guidelines Policy 104 Number:
,) lō. "" ~i~ o:: '-,,,,",, // ~A"C, r~ Administrative Policies and Procedures Policy Title: FOIA Procedures and Guidelines Policy 104 Number: Effective: 7/15 Supersedes: APR #106 (dated 3/99), APP #104
More informationPERSONAL INFORMATION PROTECTION ACT
Province of Alberta Statutes of Alberta, Current as of December 17, 2014 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer Suite 700, Park Plaza 10611-98 Avenue Edmonton,
More informationInterstate Commission for Adult Offender Supervision
Interstate Commission for Adult Offender Supervision Privacy Policy Interstate Compact Offender Tracking System Version 3.0 Approved 04/23/2009 Revised on 4/18/2017 1.0 Statement of Purpose The goal of
More informationState Data Breach Notification Laws
State Data Breach Notification Laws This chart should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach
More informationINTEGRATED ASSESSMENT RECORD DATA SHARING AGREEMENT
INTEGRATED ASSESSMENT RECORD DATA SHARING AGREEMENT Date: October 1, 2012 TABLE OF CONTENTS ARTICLE 1 DEFINITIONS AND INTERPRETATION...2 ARTICLE 2 PURPOSE AND APPLICATION OF AGREEMENT...5 ARTICLE 3 STATUTORY
More informationDATA PROTECTION LAWS OF THE WORLD. South Korea
DATA PROTECTION LAWS OF THE WORLD South Korea Downloaded: 31 August 2018 SOUTH KOREA Last modified 26 January 2017 LAW In the past, South Korea did not have a comprehensive law governing data privacy.
More informationCalifornia Enacts Sweeping Consumer Privacy Law
California Enacts Sweeping Consumer Privacy Law July 2, 2018 On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (CCPA), a sweeping privacy law that provides consumers with
More informationS10A0994. BAKER et al. v. WELLSTAR HEALTH SYSTEMS, INC. et al. This action originated with a medical malpractice complaint filed on
In the Supreme Court of Georgia Decided: June 1, 2010 S10A0994. BAKER et al. v. WELLSTAR HEALTH SYSTEMS, INC. et al. MELTON, Justice. This action originated with a medical malpractice complaint filed on
More informationUTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008
UTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008 Current Laws: A person is guilty of identity fraud when that person:
More informationASSEMBLY, No STATE OF NEW JERSEY. 218th LEGISLATURE PRE-FILED FOR INTRODUCTION IN THE 2018 SESSION
ASSEMBLY, No. 0 STATE OF NEW JERSEY th LEGISLATURE PRE-FILED FOR INTRODUCTION IN THE 0 SESSION Sponsored by: Assemblyman JAMES J. KENNEDY District (Middlesex, Somerset and Union) Assemblyman KEVIN J. ROONEY
More informationELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC
ELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC This Electronic Transactions Trading Partner Agreement, ("Agreement") is entered into by and between you "Direct
More informationDisclosing Medical Information to Law Enforcement Officials WENDY S. CEDOZ, J.D., RN CHIEF LEGAL OFFICER/GENERAL COUNSEL GENESIS HEALTHCARE SYSTEM
Disclosing Medical Information to Law Enforcement Officials WENDY S. CEDOZ, J.D., RN CHIEF LEGAL OFFICER/GENERAL COUNSEL GENESIS HEALTHCARE SYSTEM OSHRM/SOHA 2017 Spring Conference March 31, 2017 1 Overview
More informationGuide to Managing Breaches of the Code of Conduct
This document is to designed to help clubs and zones with the requirements for managing suspected breaches of the PCAV Code of Conduct [Link] where a formal process is the preferred approach. For more
More informationInvestigations and Enforcement
Investigations and Enforcement Los Angeles Administrative Code Section 24.1.2 Last Revised January 26, 2007 Prepared by City Ethics Commission CEC Los Angeles 200 North Spring Street, 24 th Floor Los Angeles,
More informationLAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS. North Carolina Society of Healthcare Attorneys
LAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS Law Firm: Client: Law Firm Engagement: North Carolina Society of Healthcare Attorneys Law Firm and Client desire that Client achieve compliance with the
More informationState Data Breach Laws
State Data Breach Laws 1 Alaska Personal information means a combination of (A) an individual s name;... and (B) one or more of the following information elements: (i) the individual s social security
More information