Investigating Privacy Breaches under HITECH and HIPAA
1 Investigating Privacy Breaches under HITECH and HIPAA
Barry Herrin, Smith Moore Leatherwood LLP, 1180 W. Peachtree St. NW, Suite 2300, Atlanta, Georgia
Presented by: Allyson Jones Labban, Smith Moore Leatherwood LLP, 300 N. Greene Street, Suite 1400, Greensboro, North Carolina
2 What is HITECH?
- Health Information Technology for Economic and Clinical Health Act
- Enacted as part of the American Recovery and Reinvestment Act of 2009 ("Stimulus Bill"), P.L
3 What is HITECH?
Two primary components:
- Encourages implementation of health information technology and transition from paper records to EHR
- Amends HIPAA to impose significant new duties on covered entities and business associates to notify patients, the Federal Government, and the media of breaches of unsecured PHI
4 What is HITECH?
- Notification requirement went into effect on September 23, 2009
- Enforcement begins on February 17, 2010
- Recent Ponemon Institute survey of 77 health care organizations revealed that 94% will not be ready to comply with HITECH by February 2010.
5 Definitions
- "Unsecured PHI": PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of encryption technologies or methods of physical destruction approved by the Secretary of the Federal Department of Health and Human Services ("HHS")
- Approved technologies/destruction methods are listed at 74 Fed. Reg
6 Definitions
- "Breach": The acquisition, access, use, or disclosure of unsecured PHI in a manner not permitted under the HIPAA privacy rule (45 C.F.R , et seq.) that compromises the security or privacy of the PHI
7 Definitions
- "Significant Risk of Harm": Fact-based inquiry that focuses on financial, reputational, or other harm that may result to the patient as a result of the use or disclosure.
8 To Be or Not to Be... A Breach
- Should not assume every use/disclosure is a breach
- A use/disclosure is not a breach:
  - When the PHI is properly encrypted/destroyed
  - When the use/disclosure is permitted under HIPAA
  - When a HITECH exception applies
  - When the privacy or security of the data is not compromised
9 Step 1: Is the information unsecured PHI?
10 Step 1: Unsecured PHI
PHI is secured:
- Encrypted (for approved encryption methods, see 74 Fed. Reg list of National Institute of Standards and Technology publications, available at
- Destroyed (shredded, burned, purged, cut; proper destruction method depends on the medium)
11 Step 1: Unsecured PHI
Also not a breach if:
- Individually identifiable health information held by covered entity or business associate in its capacity as an employer
- De-identified in accordance with HIPAA guidelines
12 Step 1: Unsecured PHI
Also not a breach if the PHI:
- Is de-identified pursuant to 45 C.F.R (e)(2); and
- Does not include the patient's zip code; and
- Does not include the patient's date of birth.
13 Step 2: Is the acquisition, access, use or disclosure permitted under HIPAA?
14 Step 2: Permissible Use/Disclosure (HIPAA)
- A breach is an impermissible use or disclosure; if HIPAA permits or requires the use/disclosure, not a breach
- If use/disclosure not permitted under HIPAA, must still ask: Does the use/disclosure compromise the security or privacy of the PHI? (Not every impermissible disclosure = breach, but may be a violation of the privacy rule!)
15 Step 3: Does the acquisition, access, use or disclosure fit within one of the exceptions to HITECH?
16 Step 3: HITECH Exceptions
- HITECH contains three narrowly construed exceptions
- If an acquisition, access, use, or disclosure fits within an exception, it is not a breach, even if information was unsecured PHI and the disclosure is not permitted under HIPAA
- This is a departure from the order set forth in the regulation
17 Step 3: HITECH Exceptions
18 Step 3: HITECH Exceptions
Exception 1: Unintentional access to, or acquisition or use of, PHI:
- By a workforce member for the covered entity or BA
- Acting in good faith
- Within the course and scope of duties
- If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA
19 Step 3: HITECH Exceptions
Example: Billing employee receives and opens an e-mail containing patient's PHI that was mistakenly sent to her. Billing employee notifies the sender of the error, and then deletes the e-mail without further using or disclosing the information. Exception applies: no breach.
20 Step 3: HITECH Exceptions
Example: Receptionist, who is not authorized to access PHI, decides to browse through patient files to find out information about a friend's treatment. Exception does not apply: breach.
21 Step 3: HITECH Exceptions
Example: A physician on the medical staff, who is authorized to access PHI, looks through the medical records of patients she has not treated and whose cases she has not been asked to consult. Exception does not apply: breach.
22 Step 3: HITECH Exceptions
Exception 2: Inadvertent disclosure of PHI
- From one workforce member at the covered entity or BA to another at the same covered entity or BA
- Where both workforce members are authorized to access the information
- If the access, acquisition, or use does not result in any further use or disclosure in a manner not permitted by HIPAA
23 Step 3: HITECH Exceptions
Example: Inadvertent disclosure by a member of the hospital medical staff, even if she is not a hospital employee, to a hospital employee who is authorized to receive PHI, provided that the employee does not subsequently inappropriately use or disclose the information. Exception applies: no breach.
24 Step 3: HITECH Exceptions
Example: A member of the medical staff deliberately discloses information to another member of the medical staff regarding a patient for whom the receiving medical staff member has no treatment or consultation responsibilities. Exception does not apply: breach.
25 Step 3: HITECH Exceptions
Exception 3: Unauthorized disclosure to an unauthorized person of PHI:
- Where there is a reasonable good faith belief
- That the unauthorized recipient would not reasonably have been able to retain the information
26 Step 3: HITECH Exceptions
Example: A nurse mistakenly hands Patient A the discharge instructions for Patient B. The nurse immediately recognizes his error and retrieves the document before Patient A has a chance to review the information. Exception applies: no breach.
27 Step 3: HITECH Exceptions
Example: The billing office, due to a lack of reasonable safeguards, sends a number of patient statements to the wrong individuals. Some of the statements are returned unopened, marked undeliverable. Exception applies: no breach. The other statements that were sent to the wrong addresses, however, are not returned. Exception does not apply: breach.
28 Step 4: Does the disclosure result in a significant risk of harm to the patient?
29 Step 4: Risk Assessment
- Must determine whether the patient is at significant risk of financial, reputational, or other harm as a result of the use or disclosure
- Involves a fact-specific weighing of various factors
30 Step 4: Risk Assessment
Who impermissibly used the information / to whom was the information impermissibly disclosed?
- Disclosure to another entity subject to HIPAA: likely small risk of harm
- Disclosure to member of the general public: likely high risk of harm
31 Step 4: Risk Assessment
What steps were taken to mitigate the impermissible use or disclosure?
- Obtain recipient's satisfactory assurance that information will be destroyed and not used: likely small risk of harm
- Information is returned before it is accessed (laptop analysis reveals no access): likely small risk of harm
32 Step 4: Risk Assessment
What information was the subject of the impermissible use or disclosure?
- Information concerning STDs and abuse: deemed to be significant risk of reputational harm
- Information concerning fact of treatment: depends on nature of treatment ("General Hospital": likely small risk of harm; "Communicable Disease Clinic": likely high risk of harm)
- Information that is vulnerable to identity theft (social security number, etc.): likely high risk of harm
33 If a significant risk of harm to the patient exists, the breach notification requirements must be followed
34 Breach Notification
Breaches Involving Fewer than 500 Individuals: Notice must be provided:
- To the individuals whose information was breached
- To the Secretary of HHS using the online form at e/breachnotificationrule/brinstruction.html
35 Breach Notification
Breaches Involving More than 500 Individuals: Notice must be provided:
- To the individuals whose information was breached
- To the Secretary of HHS using the online form at e/breachnotificationrule/brinstruction.html
- To the local media
36 Breach Notification
- Business associates now have an affirmative duty to notify the covered entity of a breach
- Business associate agreements, as well as agreements with subcontractors, should be revised to explicitly memorialize this duty to report
37 Breach Notification
Notifications to individuals must be written in plain language and include:
- A brief description of the incident (date of breach and date of discovery, if known)
- A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice
38 Breach Notification
- Steps the individual should take to protect himself or herself from potential harm resulting from the breach
- A brief description of the steps being taken to investigate, mitigate, and prevent future breaches
- Contact procedures by which the individual can contact the covered entity about the breach (toll-free number, e-mail, web site)
39 Breach Notification
Notifications to the media must be written in plain language and include:
- A brief description of the incident (date of breach and date of discovery, if known)
- A description of the types of information breached (names, social security numbers, diagnoses); no actual PHI should be disclosed in the notice
40 Breach Notification
- Steps individuals should take to protect themselves from potential harm resulting from the breach
- A brief description of the steps being taken to investigate, mitigate, and prevent future breaches
- Contact procedures by which individuals can contact the covered entity about the breach (toll-free number, e-mail, web site)
41 Breach Notification
- Notification to individuals must be sent via first-class mail or, if the person agreed to electronic notice, by e-mail
- Where the individual is deceased, notice should be sent to the next-of-kin
42 Breach Notification
Substitute notice may be provided if no valid contact information:
- Fewer than 10 individuals: By telephone, alternate form of written notice, or other means
- More than 10 individuals: By conspicuous notice on the entity's web site or in local print or broadcast media; must include a toll-free information number valid for at least 90 days
43 Breach Notification
- Deadlines for notice key off date the breach was discovered
- Breach is discovered as of the first day on which the entity knew or should have known through the exercise of reasonable diligence that a breach occurred.
44 Breach Notification
- Notice to Individuals: Without unreasonable delay, and no later than 60 calendar days after discovery of the breach
- Notice to the Media: Without unreasonable delay, and no later than 60 calendar days after discovery of a breach involving 500 or more individuals
45 Breach Notification
Notice to the Secretary:
- Fewer than 500 individuals: Covered entity must maintain a log and submit the log within 60 calendar days after the end of the calendar year
- More than 500 individuals: Notice must be provided contemporaneously with that provided to the individuals
- Reporting is to be done electronically
46 Breach Notification
Notice by a Business Associate: A business associate must provide notice to the covered entity without unreasonable delay, and no later than 60 calendar days after discovery of the breach
47 Breach Notification
- HITECH permits covered entities and business associates to delay notification if law enforcement states that notification would impede a criminal investigation or damage national security
- Length of delay depends on manner in which law enforcement requests the delay
48 Breach Notification
- If the law enforcement statement is in writing and specifies the time for which delay is required, follow the written notification
- If the statement is made orally, document the statement and identity of the law enforcement official, then delay no more than 30 days from the date of the oral statement, unless a subsequent written statement is provided
49 Breach Penalties
- Four new penalty tiers have been implemented, effective November 30, 2009
- For violations occurring on or after February 18, 2010:
  - CMPs ranging from $100 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the entity did not and, by exercising reasonable diligence, would not have known that a violation occurred;
50 Breach Penalties
  - CMPs ranging from $1,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to reasonable cause and not willful neglect ("reasonable cause" = "circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply");
51 Breach Penalties
  - CMPs ranging from $10,000 to $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was corrected during the 30-day period following the date the covered entity knew or should have known the violation occurred
52 Breach Penalties
  - CMPs of at least $50,000 per violation, up to $1.5 million for identical violations occurring during a calendar year, where the violation was due to willful neglect and was not corrected during the 30-day period following the date the covered entity knew or should have known the violation occurred
53 Breach Penalties
Penalties may be avoided if the entity can demonstrate:
- Violation is the result of a knowing, criminal act by an individual that is punishable under 42 U.S.C. 1320d-6; or
- Violation is not due to willful neglect and was corrected within the 30 days following discovery or such additional period as the Secretary deems appropriate
54 Breach Penalties
Secretary may waive an imposed CMP if the CMP would be excessive if the violation was due to reasonable cause, even where the violation was not corrected during the 30-day period following discovery or other period deemed appropriate by the Secretary.
55 Action Steps
- Revise policies and procedures to reflect HITECH investigation and notification requirements
- Assemble privacy investigation team
- Train staff members on new breach requirements
- Scrutinize policies regarding the use of e-mail, laptops, and handheld devices to transmit or store PHI
56 Action Steps
- Work closely with IT staff to evaluate feasibility of encryption technologies
- Evaluate current IT systems for ability to track disclosures of e-PHI
- Implement amended business associate agreements and subcontractor agreements
- Consult with insurance advisors regarding enhancing risk protections (increased coverage and limits for losses and defense costs)
57 Action Steps
- Evaluate and strengthen existing audit procedures
- Determine need for third party assistance (attorneys, IT specialists, consultants)
58 Action Steps
- Keep an eye out for additional HITECH rule updates and implementation specifications
59 HIPAA/HITECH Team
- Atlanta: Barry Herrin
- Greensboro: Maureen Demarest Murray, Allyson Jones Labban
- Raleigh: Trish Markus
60 QUESTIONS?
More informationS10A0994. BAKER et al. v. WELLSTAR HEALTH SYSTEMS, INC. et al. This action originated with a medical malpractice complaint filed on
In the Supreme Court of Georgia Decided: June 1, 2010 S10A0994. BAKER et al. v. WELLSTAR HEALTH SYSTEMS, INC. et al. MELTON, Justice. This action originated with a medical malpractice complaint filed on
More informationCops and Docs: Law Enforcement Access to Patients and Information
Cops and Docs: Law Enforcement Access to Patients and Information HIPAA Collaborative of Wisconsin October 19, 2012 Diane Welsh, von Briesen & Roper, s.c. dwelsh@vonbriesen.com or 608.661.3961 David Perlman,
More informationAIA Australia Limited
AIA Australia Limited Privacy policies & procedures May 2010 The Power of We AIA.COM.AU AIA Australia Limited Privacy policies & procedures Contents Purpose 3 Policy 3 National Privacy Principles Policy
More information[Enter Organization Logo] DISCLOSURES OF SUBSTANCE USE DISORDER PATIENT RECORDS. Policy Number: [Enter] Effective Date: [Enter]
DISCLOSURES OF SUBSTANCE USE DISORDER PATIENT RECORDS Policy Number: [Enter] Effective Date: [Enter] [GPM Note: In January 2017, the Department of Health and Human Services, Substance Abuse and Mental
More informationArent Fox LLP Survey of Data Breach Notification Statutes
Arent Fox LLP Survey of Data Breach Notification Statutes James Westerlind August 2016 Survey Overview This Survey focuses on the data breach notification statutes of the states and territories within
More informationLAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS. North Carolina Society of Healthcare Attorneys
LAW FIRM BUSINESS ASSOCIATE TERMS AND CONDITIONS Law Firm: Client: Law Firm Engagement: North Carolina Society of Healthcare Attorneys Law Firm and Client desire that Client achieve compliance with the
More informationHIPAA Privacy Compliance Initiative: Final Rules Impact Employer Health Plans
HIPAA Privacy Compliance Initiative: Final Rules Impact Employer Health Plans www.morganlewis.com Presenters: Sage Fattahian Lauren Licastro Georgina O Hara Date: February 8, 2013 Time: 12:30-1:30 p.m.
More informationIntroduction to Health Insurance Portability and Accountability Act (HIPAA): How It Affects Law Enforcement. Prepared by:
Introduction to Health Insurance Portability and Accountability Act (HIPAA): How It Affects Law Enforcement Prepared by: Toni Smith Assistant City Attorney 2012 Introduction In 1996, the Health Insurance
More informationData Processing Agreement. <<Health Service Provider>> The National Message Broker Service known as Healthlink
Between And The National Message Broker Service known as Healthlink THIS AGREEMENT is dated and made between: (1) , which has its principle administrative
More informationA BILL. (a) the owner of the device and/or geolocation information; or. (c) a person to whose geolocation the information pertains.
A BILL To amend title 18, United States Code, to specify the circumstances in which law enforcement may acquire, use, and keep geolocation information. Be it enacted by the Senate and House of Representatives
More informationTechnology and the Threat to the Attorney- Client Privilege Suzanne Valdez
Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez May 17-18, 2018 University of Kansas School of Law Technology and the Threat to the Attorney-Client Privilege Recent Developments
More informationWest Virginia University Research Integrity Procedure Approved by the Faculty Senate May 9, 2011
West Virginia University Research Integrity Procedure Approved by the Faculty Senate May 9, 2011 1 I. Introduction 2 3 A. General Policy 4 5 Integrity is an obligation of all who engage in the acquisition,
More informationREQUEST FOR PROPOSALS FOR ACCREDITATION CONSULTANT SNHD-9-RFP
REQUEST FOR PROPOSALS FOR ACCREDITATION CONSULTANT SNHD-9-RFP-17-007 July 15, 2017 280 S. DECATUR LAS VEGAS, NEVADA 89107 TABLE OF CONTENTS PAGE I. INTRODUCTION A. Purpose... 1 B. Entity Information...
More informationHARVARD PILGRIM HEALTH CARE, INC. PRIVACY AND SECURITY AGREEMENT
HARVARD PILGRIM HEALTH CARE, INC. PRIVACY AND SECURITY AGREEMENT THIS PRIVACY AND SECURITY AGREEMENT ( Agreement ) is made effective as of, 20 (the Effective Date ) by and between Harvard Pilgrim Health
More informationDepartment of Health and Human Services DEPARTMENTAL APPEALS BOARD. Civil Remedies Division
Department of Health and Human Services DEPARTMENTAL APPEALS BOARD Civil Remedies Division Director of the Office for Civil Rights, Petitioner, v. Lincare, Inc., d/b/a United Medical, Respondent. Docket
More informationAlthough we encourage your participation during the presentation, it is entirely voluntary.
M. Scott LeBlanc, JD & Thomas N. Shorter, JD FACHE Godfrey & Kahn, S.C. Friday, April 27, 2018, 1:35-2:25 pm Country Springs Hotel, Waukesha, WI 1 Although we encourage your participation during the presentation,
More informationState Data Breach Notification Laws
State Data Breach Notification Laws This chart should be used for informational purposes only because the recommended actions an entity should take if it experiences a security event, incident, or breach
More informationADMINISTRATIVE REVIEWS AND GRIEVANCES Section 10. Overview. Definitions
Overview The Plan maintains distinct grievance and administrative review processes for members and providers, as well as access to the State s Administrative Law Hearing (State Fair Hearing). The Plan
More informationNEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, Complaints Per 100,000 Population, Complaints (2007) Updated January 25, 2009
NEW YORK IDENTITY THEFT RANKING BY STATE: Rank 6, 100.1 Complaints Per 100,000 Population, 19319 Complaints (2007) Updated January 25, 2009 Current Laws: A person is guilty of identity theft when he knowingly
More informationADMINISTRATIVE REVIEWS AND GRIEVANCES Section 10. Overview. Definitions
Overview The Plan maintains distinct grievance and administrative review processes for members and providers, as well as access to the state s hearing system. Providers have the right to participate in
More informationAttachment 2. Protected Information Practices and Procedures (PIPP) [SEE ATTACHED]
Attachment 2 Protected Information Practices and Procedures (PIPP) [SEE ATTACHED] LaGuardia Airport CTB Replacement Project Part I - Instructions to Proposers Exhibit B-6 1 INTRODUCTION...1 2 PROTECTED
More informationHIPAA Crimes: How the New Crime Wave Affects You. May 17, 2016
HIPAA Crimes: How the New Crime Wave Affects You May 17, 2016 Michele L. Adelman, Partner, Foley Hoag LLP White Collar Crime & Government Investigations Practice Speakers Michele brings over a decade of
More informationPatient Any person who consults or is seen by a physician to receive medical care
POLICY & PROCEDURE TITLE: SUBPOENA of Medical Records Scope/Purpose: To ensure proper disclosure and release of Protected Health Information (PHI) Division/Department:All Health Point Clinics Policy/Procedure
More informationRIVERSIDE SCHOOL DISTRICT
No. 801 SECTION: OPERATIONS RIVERSIDE SCHOOL DISTRICT TITLE: PUBLIC RECORDS ADOPTED: May 8, 1989 REVISED: December 1, 2008 801. PUBLIC RECORDS 1. Purpose The Board recognizes the importance of public records
More informationELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC
ELECTRONIC TRANSACTIONS TRADING PARTNER AGREEMENT BETWEEN DIRECT SUBMITTER AND WELLPOINT, INC This Electronic Transactions Trading Partner Agreement, ("Agreement") is entered into by and between you "Direct
More information- 79th Session (2017) Assembly Bill No. 474 Committee on Health and Human Services
Assembly Bill No. 474 Committee on Health and Human Services CHAPTER... AN ACT relating to drugs; requiring certain persons to make a report of a drug overdose or suspected drug overdose; revising provisions
More informationDr. Richard M. Powers POWER OF ATTORNEY AND MEDICAL RELEASE
Dr. Richard M. Powers POWER OF ATTORNEY AND MEDICAL RELEASE POWER OF ATTORNEY TO ENDORSE CHECKS AND/OR SIGN ANY PIECE OF PAPER WHICH WILL ENHANCE OR EXPEDITE PAYMENT TO PROVIDER FOR SERVICES RENDERED,
More informationCOLORADO HB PROTECTIONS FOR CONSUMER DATA PRIVACY
COLORADO HB 18-1128 PROTECTIONS FOR CONSUMER DATA PRIVACY 6-1-713, 713.5, 716, 24-73-101-103 Guy Mason (NOT AN ATTORNEY) Mile High ARMA June Meeting June 19, 2018 WHO? Prime Sponsors Rep. Coel Wist, Rep.
More informationData Breach Charts. November 2017
Data Breach Charts November 2017 DATA BREACH CHARTS The following standard definitions of Personal Information and Breach of Security (based on the definition commonly used by most states) are used for
More informationPERSONAL INFORMATION PROTECTION ACT
Province of Alberta Statutes of Alberta, Current as of December 17, 2014 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer Suite 700, Park Plaza 10611-98 Avenue Edmonton,
More informationHIPAA Enforcement Rule. Aimee Wall Health Directors Legal Conference Institute of Government April 20, 2006
HIPAA Enforcement Rule Aimee Wall Health Directors Legal Conference Institute of Government April 20, 2006 Refresher Course Congress passed HIPAA in 1996 Various HIPAA rules adopted establishing national
More informationUTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008
UTAH IDENTITY THEFT RANKING BY STATE: Rank 31, 57.8 Complaints Per 100,000 Population, 1529 Complaints (2007) Updated December 30, 2008 Current Laws: A person is guilty of identity fraud when that person:
More informationADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR)
ADDENDUM TO STANDARD CONTRACT BETWEEN Community Coordinated Care for Children, Inc. (4C) AND (CONTRACTOR) This Contract Addendum, entered into between, hereinafter referred to as the Contractor to provide
More informationRole of PAS in the Privacy Act
Writing and Using Privacy Act Statements (PAS) Arlington, VA May 12, 2014 Presented by: Sarah English, Department of Defense Role of PAS in the Privacy Act To establish a Code of Fair Information Practices
More informationContract Assurances Attachment 4. Contract Assurances
Contract Assurances 1) The Contracting Agency assures that it and its subrecipients will establish in accordance with WIA Section 184, fiscal control and fund accounting procedures that may be necessary
More informationGreen Freight Asia Privacy Policy
Green Freight Asia (GFA) is committed to your right to privacy and to the ethical use of information online. We adhere strictly to the following privacy practices. INFORMATION WE OBTAIN We may obtain personal
More informationDATA PROTECTION LAWS OF THE WORLD. South Korea
DATA PROTECTION LAWS OF THE WORLD South Korea Downloaded: 31 August 2018 SOUTH KOREA Last modified 26 January 2017 LAW In the past, South Korea did not have a comprehensive law governing data privacy.
More informationACTION: Update and amend OPM/ GOVT 5, Recruiting, Examining, and Placement Records.
This document is scheduled to be published in the Federal Register on 03/26/2014 and available online at http://federalregister.gov/a/2014-06593, and on FDsys.gov OFFICE OF PERSONNEL MANAGEMENT Privacy
More information