SlideShare a Scribd company logo

HIPAA CHANGES" HITECH Act Strengthens Privacy and Security Rules

David Sweigert
David Sweigert

The HITECH Act expanded HIPAA privacy and security rules in several key ways: 1) It made business associates directly subject to HIPAA rules and require them to sign business associate agreements, protect PHI, and notify covered entities of breaches. 2) It required covered entities and business associates to notify individuals and government of any breaches of unsecured PHI. 3) It strengthened individual rights to access their electronic health records and accounting of disclosures, and required covered entities to agree to restrictions on disclosures to health plans. 4) It prohibited the sale of PHI by covered entities and business associates without authorization and placed restrictions on marketing communications. 5) It

Technology
1 of 5
Brought to you by Filice Insurance 1 Changes to HIPAA Rules: HITECH Act President Obama signed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) into law on Feb. 17, 2009. The HITECH Act contained health information technology provisions and also made significant changes to the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy and Security Rules). The general effective date of the HITECH Act was Feb. 17, 2010, but some provisions have varying effective dates. This Legislative Brief provides an overview of the changes made to the HIPAA Privacy and Security Rules by the HITECH Act. BUSINESS ASSOCIATES Prior to the HITECH Act, the HIPAA Privacy and Security Rules directly applied only to Covered Entities - health plans, health care providers and health care clearinghouses. Under the prior law, a Covered Entity’s Business Associates had to agree, through a Business Associate Agreement, to comply with certain requirements of the HIPAA Privacy and Security Rules, but were not directly governed by the regulations. The HITECH Act maintained the Business Associate Agreement requirement, and made a number of the HIPAA Privacy and Security Rules’ requirements directly applicable to Business Associates. For example, under the HITECH Act, Business Associates are required to: • Comply with the minimum necessary standard so that when a Business Associate uses, discloses or requests protected health information (PHI), it must limit PHI to the minimum amount necessary to accomplish the purpose of the use, disclosure or request; • Report breaches of unsecured PHI to a Covered Entity in compliance with the Privacy Rules’ breach notification requirements; and • Implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI) and adopt and implement policies and procedures for protecting ePHI. The HITECH Act’s requirements for Business Associates generally became effective on Feb. 17, 2010. The additional obligations must be incorporated into the Business Associate Agreement between the Covered Entity and Business Associate. Penalties for violations of the Privacy and Security Rules that formerly applied only to Covered Entities now apply to Business Associates as well. The HITECH Act also expanded the definition of Business Associate to include organizations that provide data transmissions of PHI to a Covered Entity (or its Business Associate) and require access on a routine basis to this PHI, as well as vendors that contract with Covered Entities to offer a personal health record to patients. These Business Associates must enter into Business Associate Agreements with the Covered Entities. BREACH NOTIFICATION FOR UNSECURED PHI Under the HITECH Act, Covered Entities are required to notify individuals whose “unsecured PHI” has been breached. Covered Entities are also required to notify the Department of Health and Human Services (HHS) and, in some cases,
Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 2 the media following the discovery of a breach of unsecured PHI. If the breach involves PHI held by a Business Associate, the Business Associate must notify the Covered Entity. HHS issued a final interim breach notification rule on Aug. 24, 2009, which became effective on Sept. 23, 2009. On Jan. 25, 2013, HHS issued a final rule under HIPAA that revises the standard for determining whether a security breach involving PHI has occurred, effective Sept. 23, 2013. The notification must be made without unreasonable delay and no later than 60 days after the discovery of the breach. Generally, the notification must be provided by first class mail but can also be provided by email, if the individual has specified a preference to receive notices electronically. The Covered Entity must also provide notice to “prominent media outlets” if the breach affects more than 500 individuals in a state or jurisdiction. Covered Entities must notify HHS of all breaches. Notice to HHS must be provided immediately for breaches involving more than 500 individuals and annually for all other breaches. HHS posts breaches involving more than 500 individuals on its website. The notice must include the following information: • A description of the breach, including the date of the breach and date of discovery; • The type of PHI involved (such as full name, Social Security number, date of birth, home address or account number); • Steps individuals should take to protect themselves from potential harm resulting from the breach; • Steps the Covered Entity is taking to investigate the breach, mitigate losses and protect against future breaches; and • Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number, e-mail address, website or postal address. The HITECH Act did not specify when PHI is considered to be “secure” but directed HHS to issue guidance regarding which technologies are considered secure. HHS designated encryption and destruction as the two technologies and methodologies for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals. Thus, Covered Entities and Business Associates that encrypt or destroy PHI in accordance with HHS’s guidance are not required to provide notice in the event of a breach of that information because the information is not considered “unsecured PHI.” The breach notification requirement only applies to unsecured PHI. The HITECH Act also imposes a temporary breach notification requirement on vendors of personal health records (“PHR”) and other non-HIPAA Covered Entities. PHR vendors must notify any individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach of security. PHR vendors must also notify the Federal Trade Commission (FTC), which will in turn notify HHS. Any third-party service provider that provides services to a PHR vendor and discovers a breach must notify the vendor. Violations of this requirement will be treated as unfair and deceptive acts or practices in violation of the Federal Trade Commission Act. The FTC issued final regulations regarding this requirement on Aug. 25, 2009. INDIVIDUAL RIGHTS Accounting for Disclosures The HIPAA Privacy Rule requires a Covered Entity to provide an individual with an accounting of disclosures of PHI upon request, but permits routine disclosures for treatment, payment or health care operations to be excluded from the accounting.
Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 3 The HITECH Act extended HIPAA’s requirement to provide that, if a Covered Entity maintains an “electronic health record” for an individual, the Covered Entity must account for disclosures through the electronic health record for treatment, payment or health care operations as well. This additional disclosure accounting is limited to a period of three years prior to the request. An electronic health record is defined as an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff. This new accounting requirement for electronic health records has not gone into effect yet. The HITECH Act directed HHS to issue regulations implementing the accounting requirement for electronic health records, which would take effect on Jan. 1, 2014 for Covered Entities using electronic health records and on Jan. 1, 2011 or, if later, the date the electronic health record acquired, for Covered Entities not using these records. The HITECH Act gives HHS the authority to delay these effective dates until 2016 and 2013, respectively. HHS issued proposed regulations regarding this accounting requirement on May 31, 2011. The regulations propose to extend the effective date until Jan. 1, 2013 for Covered Entities not using electronic health records. The proposed regulations slightly modify the accounting requirement for electronic health records and also create a new right to an “access report” for electronic PHI held in a designated record set. The guidance included in the proposed regulations will not become effective until it is issued in final form, and it is anticipated that changes will be made to the guidance before it is finalized. Access to Electronic Health Records In addition to being able to access PHI held by a Covered Entity as required by the HIPAA Privacy Rule, an individual is permitted under the HITECH Act to access PHI in an electronic health record in electronic form. The Covered Entity may charge the individual for the cost of labor for providing access. An individual may also direct the Covered Entity to transmit the electronic health record directly to another person or entity. This provision became effective on Feb. 17, 2010. Right to Restrict Disclosures An individual may request that a Covered Entity not disclose the individual’s PHI, even if the disclosure would be for treatment, payment or health care operations. However, prior to the HITECH Act, the Covered Entity was not required to agree to the restrictions. The HITECH Act requires Covered Entities to agree to an individual’s request to restrict disclosures to a health plan for payment or health care operations if the PHI pertains to services or treatment that have been paid out of pocket and in full. This provision became effective on Feb. 17, 2010. RESTRICTIONS ON DISCLOSURE The HITECH Act contains several new restrictions on the disclosure of PHI. Prohibition on Sale of Protected Health Information Under the HITECH Act, Covered Entities and Business Associates may not receive remuneration for the disclosure of PHI without the individual’s authorization. There are limited exceptions for certain disclosures, such as disclosures for public health, treatment or research purposes. Payment for research purposes is limited to the cost of preparing and transmitting the data. The 2013 final rule implements the HITECH Act’s prohibition on the sale of PHI, effective Sept. 23, 2013. Under the final rule, an authorization to sell PHI must state that the disclosure will result in remuneration to the Covered Entity. Marketing Restrictions Certain marketing communications that were permissible under the HIPAA Privacy and Security Rules are no longer permitted under the HITECH Act. Under the HITECH Act, Covered Entities and Business Associates may not use PHI to
Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 4 inform an individual about the Covered Entity’s products or services without the individual’s authorization if the Covered Entity receives compensation from another party for making the communication. This restriction does not apply in cases where the communication involves a drug the individual is already taking and where any compensation for that communication is reasonable in amount. This restriction became effective on Feb. 17, 2010. Minimum Necessary Standard In general, Covered Entities are required to use or disclose the “minimum necessary” amount of PHI. Currently, there is little guidance as to what constitutes the minimum amount necessary. The HITECH Act requires HHS to issue regulations regarding the minimum necessary requirement. Until then, Covered Entities must use or disclose only a limited data set, if it is sufficient for the intended purpose. A limited data set excludes certain identifying information but is not fully de-identified. PENALTIES AND ENFORCEMENT Civil Penalties HHS may conduct reviews to determine whether a Covered Entity is in compliance with the HIPAA Privacy and Security Rules. The HITECH Act also requires HHS to perform periodic audits of Covered Entities to ensure their compliance. Previously, HHS was permitted to assess civil penalties of $100 per violation of the Privacy and Security Rules, up to $25,000 for violations of each requirement during a calendar year. The HITECH Act increased the amounts of the civil penalties that may be assessed and distinguishes between the types of violations. These penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation. HHS is also required to assess penalties for violations involving willful neglect and to formally investigate complaints of such violations. For violations where the individual does not know of the violation, the minimum penalty remained at $100 per violation, up to $25,000 per calendar year for identical violations. If the violation is due to reasonable cause, the minimum penalty is $1,000 per violation, up to $100,000 per calendar year. For corrected violations that are caused by willful neglect, the minimum penalty is $10,000 per violation, up to $250,000 per calendar year. The maximum civil penalty for any type of violation and the minimum penalty for violations caused by willful neglect that are not corrected is $50,000 per violation, up to $1.5 million per calendar year for identical violations. The updated civil penalty amounts apply to violations occurring after Feb. 17, 2009. Other enforcement provisions apply to penalties that are imposed 24 months after the date of enactment, or Feb. 17, 2011. HHS issued interim final regulations regarding the new penalty structure on Oct. 30, 2009. The 2013 final rule, which becomes effective on Sept. 23, 2013, adopts many of the changes made in the interim final regulations with respect to HIPAA enforcement and also revising some of the HIPAA enforcement standards. The HITECH Act requires the General Accounting Office to review methodologies for allowing a portion of civil penalties to be paid to affected individuals. State Attorneys General are authorized by the Act to bring civil actions against Covered Entities to enjoin further violations and obtain damages on behalf of residents of their states, if HHS has not already taken action. The amount of damages is up to $100 per violation, with a maximum of $25,000 per calendar year for identical violations. This provision became effective for violations occurring any time after Feb. 17, 2009. Criminal Penalties The new law does not change the criminal penalties that may be assessed for violations of the Privacy and Security Rules. Those penalties remain $50,000 and one year in prison for knowing violations, $100,000 and five years in
Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 5 prison for violations committed under false pretenses and $250,000 and 10 years in prison for offenses committed for commercial or personal gain. Under the HITECH Act, criminal actions may be brought against anyone who wrongly discloses PHI, not just Covered Entities or their employees. Also, the Act gives HHS (in addition to the Department of Justice) the authority to bring criminal actions against these individuals.

Recommended

Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
White Paper HIPAA Enforcement 04
White Paper HIPAA Enforcement 04White Paper HIPAA Enforcement 04
White Paper HIPAA Enforcement 04Daniel Solove
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2Suzanne Guggenheim
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
Hot Topics of Human Resources
Hot Topics of Human ResourcesHot Topics of Human Resources
Hot Topics of Human ResourcesMPCA
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 

Recommended

Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...
Ftc As Enforcer Proposed Data Breach Notification Rule For Personal Health R...Davis Wright Tremaine LLP
 
White Paper HIPAA Enforcement 04
White Paper HIPAA Enforcement 04White Paper HIPAA Enforcement 04
White Paper HIPAA Enforcement 04Daniel Solove
 
Hipaa Goes Hitech
Hipaa Goes HitechHipaa Goes Hitech
Hipaa Goes HitechCandy Matheny
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2Suzanne Guggenheim
 
HITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAHITECH-Changes-to-HIPAA
HITECH-Changes-to-HIPAAGurvinder Singh, CISSP, CISA, ITIL v3
 
Hot Topics of Human Resources
Hot Topics of Human ResourcesHot Topics of Human Resources
Hot Topics of Human ResourcesMPCA
 
Brian Balow HIPAA Final Rule
Brian Balow HIPAA Final RuleBrian Balow HIPAA Final Rule
Brian Balow HIPAA Final Rulemihinpr
 
HHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistHHS Issues HIPAA Cyber Attack Response Checklist
HHS Issues HIPAA Cyber Attack Response ChecklistTodd LaRue
 
What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
Basic HIPAA Training by CMU
Basic HIPAA Training by CMUBasic HIPAA Training by CMU
Basic HIPAA Training by CMUAtlantic Training, LLC.
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Brian Dickerson
 
Texas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New ChangesTexas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New ChangesJim Brashear
 
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...mhmjapan
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleJames Pekarek
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationOlivier Vandeputte
 
Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?Dan Wellisch
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Chapter07
Chapter07Chapter07
Chapter07dhlwilson
 
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...CBIZ, Inc.
 
The Health Care Law Power Point Slides
The Health Care Law Power Point SlidesThe Health Care Law Power Point Slides
The Health Care Law Power Point SlidesStrategic Healthcare Resources
 
GDPR Whitepaper
GDPR WhitepaperGDPR Whitepaper
GDPR WhitepaperRichard Goddard
 
Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & SecurityNational Pharmacy Technician Association
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 

More Related Content

What's hot

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About PrivacyNow Dentons
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!Now Dentons
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law padler01
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHealthCare Too, LLC
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013- Mark - Fullbright
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Brian Dickerson
 
Texas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New ChangesTexas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New ChangesJim Brashear
 
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...mhmjapan
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleJames Pekarek
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationOlivier Vandeputte
 
Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?Dan Wellisch
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterJonathan Ezor
 
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...CBIZ, Inc.
 

What's hot (17)

What You Need to Know About Privacy
What You Need to Know About PrivacyWhat You Need to Know About Privacy
What You Need to Know About Privacy
 
What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!What You Need To Know About Privacy - Now!
What You Need To Know About Privacy - Now!
 
CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law CSI 2008, Legal Developments In Security and Privacy Law
CSI 2008, Legal Developments In Security and Privacy Law
 
HIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach OverviewHIPAA Privacy, Security, Breach Overview
HIPAA Privacy, Security, Breach Overview
 
Basic HIPAA Training by CMU
Basic HIPAA Training by CMUBasic HIPAA Training by CMU
Basic HIPAA Training by CMU
 
SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013SECURITY BREACH NOTIFICATION CHART 2013
SECURITY BREACH NOTIFICATION CHART 2013
 
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
Failure to Execute a HIPAA Business Associate Agreement Results in $1.55 Mill...
 
Texas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New ChangesTexas Privacy Laws - Tough New Changes
Texas Privacy Laws - Tough New Changes
 
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
高谷知佐子講演_PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS Japan ca...
 
Updated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy RuleUpdated modifications to the HIPAA Privacy Rule
Updated modifications to the HIPAA Privacy Rule
 
Key Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection RegulationKey Issues on the new General Data Protection Regulation
Key Issues on the new General Data Protection Regulation
 
Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?Who Is A HIPAA Business Associate ?
Who Is A HIPAA Business Associate ?
 
Privacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law CenterPrivacy and Data Protection CLE Presentation for Touro Law Center
Privacy and Data Protection CLE Presentation for Touro Law Center
 
Chapter07
Chapter07Chapter07
Chapter07
 
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
Health Reform Bulletin: Certification of Compliance with Electronic Transacti...
 
The Health Care Law Power Point Slides
The Health Care Law Power Point SlidesThe Health Care Law Power Point Slides
The Health Care Law Power Point Slides
 
GDPR Whitepaper
GDPR WhitepaperGDPR Whitepaper
GDPR Whitepaper
 

Similar to HIPAA CHANGES" HITECH Act Strengthens Privacy and Security Rules

Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideFelipe Prado
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentialityjessie66
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law TestSachiko Hurst
 
Hipaa in clinical trails
Hipaa in clinical trailsHipaa in clinical trails
Hipaa in clinical trailsTejaswi Reddy
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE Milk663
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxcravennichole326
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4bakerdb
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingvrgill22
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxMohammadBashir26
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfarchigallery1298
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiAtlantic Training, LLC.
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfShelly Megan
 

Similar to HIPAA CHANGES" HITECH Act Strengthens Privacy and Security Rules (20)

Hipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guideHipaa journal com - HIPAA compliance guide
Hipaa journal com - HIPAA compliance guide
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 
Knowing confidentiality
Knowing confidentialityKnowing confidentiality
Knowing confidentiality
 
HIPAA Part I the Law Test
HIPAA Part I the Law TestHIPAA Part I the Law Test
HIPAA Part I the Law Test
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
Hipaa in clinical trails
Hipaa in clinical trailsHipaa in clinical trails
Hipaa in clinical trails
 
MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE MEDICAL ANSWERING SERVICE
MEDICAL ANSWERING SERVICE
 
Medical Records Seminar
Medical Records SeminarMedical Records Seminar
Medical Records Seminar
 
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docxChapter 10 Privacy and Security of Health RecordsLearnin.docx
Chapter 10 Privacy and Security of Health RecordsLearnin.docx
 
HIPAA Audio Presentation
HIPAA Audio PresentationHIPAA Audio Presentation
HIPAA Audio Presentation
 
Economic Stimulus Package V4
Economic Stimulus Package V4Economic Stimulus Package V4
Economic Stimulus Package V4
 
Hipaa for business associates simple
Hipaa for business associates simpleHipaa for business associates simple
Hipaa for business associates simple
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
Week 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy trainingWeek 1 discussion 2 hipaa and privacy training
Week 1 discussion 2 hipaa and privacy training
 
Privacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptxPrivacy-Security-Training-Session-Template-4.6.21.pptx
Privacy-Security-Training-Session-Template-4.6.21.pptx
 
What is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdfWhat is HIPAA Why was it passed What arc the potential benefits to .pdf
What is HIPAA Why was it passed What arc the potential benefits to .pdf
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
HIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of HawaiiHIPAA Privacy Training by University of Hawaii
HIPAA Privacy Training by University of Hawaii
 
Does your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdfDoes your Mobile App require HIPAA Compliance.pdf
Does your Mobile App require HIPAA Compliance.pdf
 

More from David Sweigert

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)David Sweigert
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting David Sweigert
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisDavid Sweigert
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterDavid Sweigert
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017David Sweigert
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9David Sweigert
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityDavid Sweigert
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsDavid Sweigert
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartDavid Sweigert
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...David Sweigert
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentDavid Sweigert
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentDavid Sweigert
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTDavid Sweigert
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackDavid Sweigert
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTDavid Sweigert
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionDavid Sweigert
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanDavid Sweigert
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSDavid Sweigert
 

More from David Sweigert (20)

The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
The hacking methods of the Singularity Event doomsday cult (TYLER A.I.)
 
Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting Law Enforcement Cyber Incident Reporting
Law Enforcement Cyber Incident Reporting
 
Sample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark AnalysisSample Network Analysis Report based on Wireshark Analysis
Sample Network Analysis Report based on Wireshark Analysis
 
National Cyber Security Awareness Month poster
National Cyber Security Awareness Month posterNational Cyber Security Awareness Month poster
National Cyber Security Awareness Month poster
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017National Cyber Security Awareness Month - October 2017
National Cyber Security Awareness Month - October 2017
 
California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9California Attorney General Notification Penal Code 646.9
California Attorney General Notification Penal Code 646.9
 
Congressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber SecurityCongressional support of Ethical Hacking and Cyber Security
Congressional support of Ethical Hacking and Cyber Security
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Application of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking ThreatsApplication of Racketeering Law to Suppress CrowdStalking Threats
Application of Racketeering Law to Suppress CrowdStalking Threats
 
Canada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector ChartCanada Communications Security Establishment - Threat Vector Chart
Canada Communications Security Establishment - Threat Vector Chart
 
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
Port of Charleston evacuation case study: The cognitive threat of conspiracy ...
 
Cyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public CommentCyber Incident Response Team NIMS Public Comment
Cyber Incident Response Team NIMS Public Comment
 
Cyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public CommentCyber Incident Response Team - NIMS - Public Comment
Cyber Incident Response Team - NIMS - Public Comment
 
National Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFTNational Incident Management System (NIMS) NQS DRAFT
National Incident Management System (NIMS) NQS DRAFT
 
National Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public FeedbackNational Incident Management System - NQS Public Feedback
National Incident Management System - NQS Public Feedback
 
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERTNursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
Nursing meets Hacking -- Medical Computer Emergency Response Teams -- MedCERT
 
National Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd editionNational Preparedness Goals 2015 2nd edition
National Preparedness Goals 2015 2nd edition
 
Healthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness PlanHealthcare Sector-wide Disaster Prepardness Plan
Healthcare Sector-wide Disaster Prepardness Plan
 
Cyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHSCyber Risk Assessment for the Emergency Services Sector - DHS
Cyber Risk Assessment for the Emergency Services Sector - DHS
 

Recently uploaded

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Recently uploaded (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

HIPAA CHANGES" HITECH Act Strengthens Privacy and Security Rules

  • 1. Brought to you by Filice Insurance 1 Changes to HIPAA Rules: HITECH Act President Obama signed the Health Information Technology for Economic and Clinical Health Act (HITECH Act) into law on Feb. 17, 2009. The HITECH Act contained health information technology provisions and also made significant changes to the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy and Security Rules). The general effective date of the HITECH Act was Feb. 17, 2010, but some provisions have varying effective dates. This Legislative Brief provides an overview of the changes made to the HIPAA Privacy and Security Rules by the HITECH Act. BUSINESS ASSOCIATES Prior to the HITECH Act, the HIPAA Privacy and Security Rules directly applied only to Covered Entities - health plans, health care providers and health care clearinghouses. Under the prior law, a Covered Entity’s Business Associates had to agree, through a Business Associate Agreement, to comply with certain requirements of the HIPAA Privacy and Security Rules, but were not directly governed by the regulations. The HITECH Act maintained the Business Associate Agreement requirement, and made a number of the HIPAA Privacy and Security Rules’ requirements directly applicable to Business Associates. For example, under the HITECH Act, Business Associates are required to: • Comply with the minimum necessary standard so that when a Business Associate uses, discloses or requests protected health information (PHI), it must limit PHI to the minimum amount necessary to accomplish the purpose of the use, disclosure or request; • Report breaches of unsecured PHI to a Covered Entity in compliance with the Privacy Rules’ breach notification requirements; and • Implement administrative, physical and technical safeguards to ensure the confidentiality, integrity and availability of electronic PHI (ePHI) and adopt and implement policies and procedures for protecting ePHI. The HITECH Act’s requirements for Business Associates generally became effective on Feb. 17, 2010. The additional obligations must be incorporated into the Business Associate Agreement between the Covered Entity and Business Associate. Penalties for violations of the Privacy and Security Rules that formerly applied only to Covered Entities now apply to Business Associates as well. The HITECH Act also expanded the definition of Business Associate to include organizations that provide data transmissions of PHI to a Covered Entity (or its Business Associate) and require access on a routine basis to this PHI, as well as vendors that contract with Covered Entities to offer a personal health record to patients. These Business Associates must enter into Business Associate Agreements with the Covered Entities. BREACH NOTIFICATION FOR UNSECURED PHI Under the HITECH Act, Covered Entities are required to notify individuals whose “unsecured PHI” has been breached. Covered Entities are also required to notify the Department of Health and Human Services (HHS) and, in some cases,
  • 2. Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 2 the media following the discovery of a breach of unsecured PHI. If the breach involves PHI held by a Business Associate, the Business Associate must notify the Covered Entity. HHS issued a final interim breach notification rule on Aug. 24, 2009, which became effective on Sept. 23, 2009. On Jan. 25, 2013, HHS issued a final rule under HIPAA that revises the standard for determining whether a security breach involving PHI has occurred, effective Sept. 23, 2013. The notification must be made without unreasonable delay and no later than 60 days after the discovery of the breach. Generally, the notification must be provided by first class mail but can also be provided by email, if the individual has specified a preference to receive notices electronically. The Covered Entity must also provide notice to “prominent media outlets” if the breach affects more than 500 individuals in a state or jurisdiction. Covered Entities must notify HHS of all breaches. Notice to HHS must be provided immediately for breaches involving more than 500 individuals and annually for all other breaches. HHS posts breaches involving more than 500 individuals on its website. The notice must include the following information: • A description of the breach, including the date of the breach and date of discovery; • The type of PHI involved (such as full name, Social Security number, date of birth, home address or account number); • Steps individuals should take to protect themselves from potential harm resulting from the breach; • Steps the Covered Entity is taking to investigate the breach, mitigate losses and protect against future breaches; and • Contact procedures for individuals to ask questions or receive additional information, including a toll-free telephone number, e-mail address, website or postal address. The HITECH Act did not specify when PHI is considered to be “secure” but directed HHS to issue guidance regarding which technologies are considered secure. HHS designated encryption and destruction as the two technologies and methodologies for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals. Thus, Covered Entities and Business Associates that encrypt or destroy PHI in accordance with HHS’s guidance are not required to provide notice in the event of a breach of that information because the information is not considered “unsecured PHI.” The breach notification requirement only applies to unsecured PHI. The HITECH Act also imposes a temporary breach notification requirement on vendors of personal health records (“PHR”) and other non-HIPAA Covered Entities. PHR vendors must notify any individual who is a citizen or resident of the United States whose unsecured PHR identifiable health information was acquired by an unauthorized person as a result of a breach of security. PHR vendors must also notify the Federal Trade Commission (FTC), which will in turn notify HHS. Any third-party service provider that provides services to a PHR vendor and discovers a breach must notify the vendor. Violations of this requirement will be treated as unfair and deceptive acts or practices in violation of the Federal Trade Commission Act. The FTC issued final regulations regarding this requirement on Aug. 25, 2009. INDIVIDUAL RIGHTS Accounting for Disclosures The HIPAA Privacy Rule requires a Covered Entity to provide an individual with an accounting of disclosures of PHI upon request, but permits routine disclosures for treatment, payment or health care operations to be excluded from the accounting.
  • 3. Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 3 The HITECH Act extended HIPAA’s requirement to provide that, if a Covered Entity maintains an “electronic health record” for an individual, the Covered Entity must account for disclosures through the electronic health record for treatment, payment or health care operations as well. This additional disclosure accounting is limited to a period of three years prior to the request. An electronic health record is defined as an electronic record of health-related information on an individual that is created, gathered, managed or consulted by authorized health care clinicians and staff. This new accounting requirement for electronic health records has not gone into effect yet. The HITECH Act directed HHS to issue regulations implementing the accounting requirement for electronic health records, which would take effect on Jan. 1, 2014 for Covered Entities using electronic health records and on Jan. 1, 2011 or, if later, the date the electronic health record acquired, for Covered Entities not using these records. The HITECH Act gives HHS the authority to delay these effective dates until 2016 and 2013, respectively. HHS issued proposed regulations regarding this accounting requirement on May 31, 2011. The regulations propose to extend the effective date until Jan. 1, 2013 for Covered Entities not using electronic health records. The proposed regulations slightly modify the accounting requirement for electronic health records and also create a new right to an “access report” for electronic PHI held in a designated record set. The guidance included in the proposed regulations will not become effective until it is issued in final form, and it is anticipated that changes will be made to the guidance before it is finalized. Access to Electronic Health Records In addition to being able to access PHI held by a Covered Entity as required by the HIPAA Privacy Rule, an individual is permitted under the HITECH Act to access PHI in an electronic health record in electronic form. The Covered Entity may charge the individual for the cost of labor for providing access. An individual may also direct the Covered Entity to transmit the electronic health record directly to another person or entity. This provision became effective on Feb. 17, 2010. Right to Restrict Disclosures An individual may request that a Covered Entity not disclose the individual’s PHI, even if the disclosure would be for treatment, payment or health care operations. However, prior to the HITECH Act, the Covered Entity was not required to agree to the restrictions. The HITECH Act requires Covered Entities to agree to an individual’s request to restrict disclosures to a health plan for payment or health care operations if the PHI pertains to services or treatment that have been paid out of pocket and in full. This provision became effective on Feb. 17, 2010. RESTRICTIONS ON DISCLOSURE The HITECH Act contains several new restrictions on the disclosure of PHI. Prohibition on Sale of Protected Health Information Under the HITECH Act, Covered Entities and Business Associates may not receive remuneration for the disclosure of PHI without the individual’s authorization. There are limited exceptions for certain disclosures, such as disclosures for public health, treatment or research purposes. Payment for research purposes is limited to the cost of preparing and transmitting the data. The 2013 final rule implements the HITECH Act’s prohibition on the sale of PHI, effective Sept. 23, 2013. Under the final rule, an authorization to sell PHI must state that the disclosure will result in remuneration to the Covered Entity. Marketing Restrictions Certain marketing communications that were permissible under the HIPAA Privacy and Security Rules are no longer permitted under the HITECH Act. Under the HITECH Act, Covered Entities and Business Associates may not use PHI to
  • 4. Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 4 inform an individual about the Covered Entity’s products or services without the individual’s authorization if the Covered Entity receives compensation from another party for making the communication. This restriction does not apply in cases where the communication involves a drug the individual is already taking and where any compensation for that communication is reasonable in amount. This restriction became effective on Feb. 17, 2010. Minimum Necessary Standard In general, Covered Entities are required to use or disclose the “minimum necessary” amount of PHI. Currently, there is little guidance as to what constitutes the minimum amount necessary. The HITECH Act requires HHS to issue regulations regarding the minimum necessary requirement. Until then, Covered Entities must use or disclose only a limited data set, if it is sufficient for the intended purpose. A limited data set excludes certain identifying information but is not fully de-identified. PENALTIES AND ENFORCEMENT Civil Penalties HHS may conduct reviews to determine whether a Covered Entity is in compliance with the HIPAA Privacy and Security Rules. The HITECH Act also requires HHS to perform periodic audits of Covered Entities to ensure their compliance. Previously, HHS was permitted to assess civil penalties of $100 per violation of the Privacy and Security Rules, up to $25,000 for violations of each requirement during a calendar year. The HITECH Act increased the amounts of the civil penalties that may be assessed and distinguishes between the types of violations. These penalties may not apply if the violation is corrected within 30 days of the date the person knew, or should have known, of the violation. HHS is also required to assess penalties for violations involving willful neglect and to formally investigate complaints of such violations. For violations where the individual does not know of the violation, the minimum penalty remained at $100 per violation, up to $25,000 per calendar year for identical violations. If the violation is due to reasonable cause, the minimum penalty is $1,000 per violation, up to $100,000 per calendar year. For corrected violations that are caused by willful neglect, the minimum penalty is $10,000 per violation, up to $250,000 per calendar year. The maximum civil penalty for any type of violation and the minimum penalty for violations caused by willful neglect that are not corrected is $50,000 per violation, up to $1.5 million per calendar year for identical violations. The updated civil penalty amounts apply to violations occurring after Feb. 17, 2009. Other enforcement provisions apply to penalties that are imposed 24 months after the date of enactment, or Feb. 17, 2011. HHS issued interim final regulations regarding the new penalty structure on Oct. 30, 2009. The 2013 final rule, which becomes effective on Sept. 23, 2013, adopts many of the changes made in the interim final regulations with respect to HIPAA enforcement and also revising some of the HIPAA enforcement standards. The HITECH Act requires the General Accounting Office to review methodologies for allowing a portion of civil penalties to be paid to affected individuals. State Attorneys General are authorized by the Act to bring civil actions against Covered Entities to enjoin further violations and obtain damages on behalf of residents of their states, if HHS has not already taken action. The amount of damages is up to $100 per violation, with a maximum of $25,000 per calendar year for identical violations. This provision became effective for violations occurring any time after Feb. 17, 2009. Criminal Penalties The new law does not change the criminal penalties that may be assessed for violations of the Privacy and Security Rules. Those penalties remain $50,000 and one year in prison for knowing violations, $100,000 and five years in
  • 5. Changes to HIPAA Rules: HITECH Act This Legislative Brief is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel for legal advice. © 2009-2013 Zywave, Inc. All rights reserved. 2/09, EEM 4/13 5 prison for violations committed under false pretenses and $250,000 and 10 years in prison for offenses committed for commercial or personal gain. Under the HITECH Act, criminal actions may be brought against anyone who wrongly discloses PHI, not just Covered Entities or their employees. Also, the Act gives HHS (in addition to the Department of Justice) the authority to bring criminal actions against these individuals.