
Table of Contents

Disclaimer

HIPAA Essentials
- HIPAA – Six Years Later

Implementation
- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan (blank)
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan (filled in)
- Identify Your Business Associates
- Business Associate Agreement Checklist
- Sample Business Associate Contract Provisions

Policies, Procedures, and Sample Forms
- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgement
- Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy & Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health Information
- Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Complaint / Grievance Resolution Letter

Training
- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List

Security
- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures

Disclaimer

Physicians Insurance has produced the following materials to assist practices in their efforts to comply with the Privacy and Security Rule promulgated under the Health Insurance Portability & Accountability Act (HIPAA) of 1996, and new federal legislation, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act (ARRA) that was signed into law on February 17, 2009. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements. These materials are current as of November 2009.

While we have made every effort to prepare these materials accurately and completely, the complexity of these issues makes it impossible to guarantee their accuracy and completeness. These materials are provided as general guidance and do not constitute legal advice. Given the scope and complexity of the HIPAA Privacy and Security Rule and HITECH Act requirements and the difficulty of identifying and incorporating all state requirements that are more “stringent” than these rules, practices are well advised to consult with private legal counsel concerning compliance issues.

The information in these materials is intended as risk management advice. It does not constitute a legal opinion nor is it a substitute for legal advice. Legal inquiries about topics covered in these materials should be directed to your attorney.


HIPAA – Six Years Later

The Health Insurance Portability and Accountability Act of 1996, or HIPAA, as it has become widely known, was enacted by the federal government to help workers maintain their health insurance coverage during a time of job change, to establish privacy and security rules for protected health information, to set standards for electronic billing of health care services, and to develop a national provider identifier system.

The HIPAA Privacy Rule compliance date was April 14, 2003. Since that time, other aspects of the act have come into effect and many states, including Washington, have passed or revised state privacy regulations. On February 17, 2009, the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed into law. Enacted as part of this new federal legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements.

This new legislation will require you to review and revise your current practices relating to the use and disclosure of protected health information. To this end, this article is intended to provide you with a checklist of items currently required under the HIPAA Privacy and Security Rules and Washington state privacy regulations, and to outline new regulations that will affect these rules.

Physicians Insurance has updated our HIPAA-related sample policies and procedures, forms, and training materials to address these new federal requirements. In addition, we have identified a number of helpful resources to assist you in meeting these new regulations. This information is available to all policyholders and their staff on our Web site at www.phyins.com.

Current HIPAA Privacy Rule requirements (the articles and sample documents listed under each item are available on our Web site at www.phyins.com):

Designate a privacy/security official for your practice. You must designate a “HIPAA Privacy Official” to assume responsibility for the development, implementation, and ongoing management and review of policies and procedures to protect the privacy of protected health information (PHI). HIPAA also requires that you designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.

- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official

Develop, implement, and conduct ongoing reviews of your HIPAA privacy program. Document the minutes of all meetings, administrative memos, or notes. Develop an annual evaluation schedule for reviewing your privacy program.

- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – BLANK
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – FILLED IN
- Identify Your Business Associates
- Business Associate Agreement Checklist

Develop policies and procedures to comply with the HIPAA Privacy Rule. The HIPAA Privacy Rule requires each covered entity to adopt written policies and procedures with respect to protected health information. Develop an annual evaluation schedule for reviewing your privacy program policies and procedures.

- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgment
- Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy & Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health Information

Designate a contact person to address patient privacy complaints. You must designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Rules and providing further information about matters covered under the Notice of Privacy Practices (NPP).

- Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)

- Complaint / Grievance Resolution Letter

Develop a HIPAA privacy training program. The HIPAA Privacy Rule requires each member of the workforce to receive privacy training as necessary and appropriate for the member to carry out his or her job responsibilities. New members of the workforce should receive privacy training during their orientation period. Additional privacy training should be provided to the workforce within a reasonable time period after implementation of organizational policies and procedures that have undergone material changes. Develop a schedule for ongoing retraining of the workforce.

- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List

Ongoing assessment of HIPAA security policies and procedures. Ongoing assessment of HIPAA Security Policies and Procedures is required in order to comply with the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures implemented to comply with standards and implementation specifications…must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.”

- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures

New provisions affecting HIPAA Privacy and Security Rules:

Business associates required to comply. Effective February 17, 2010, business associates (BAs) will be subject to the same requirements as covered entities (CEs) for implementing administrative, physical, and technical safeguards for protected health information (PHI). BAs will also be required to have written policies and procedures covering these requirements, and will be subject to the same civil and criminal penalties as CEs. Prior to this change, HIPAA regulations were limited to health plans, health care clearinghouses, and health care providers.

Health information exchanges are considered business associates. An organization that provides data transmission of PHI to a CE (or its BA) and that requires access to PHI in order to do so, such as a health information exchange or a regional health information organization, is considered a BA of the participating CEs. This provision also applies to vendors who provide personal health records functionality to CEs as a part of an electronic health records system. CEs will need to maintain business associate agreements with these organizations.

PHI breach notification rules. Beginning September 23, 2009, HIPAA CEs are required to notify individuals if they discover a “breach” of “unsecured PHI.” “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, meaning it poses a significant risk of financial, reputational, or other harm to the individual.

“Unsecured PHI” means PHI that is not secured through a technology or methodology that HHS considers as being capable of rendering the PHI unusable, unreadable, or indecipherable to unauthorized individuals.

Written notification must be provided to individuals via first-class mail. If the CE does not have sufficient contact information for 10 or more affected individuals, notification must also be made on the CE’s Web site home page or in major print or broadcast media. If the breach involved more than 500 individuals, notification must also be made to prominent media outlets.

Notification must be made without unreasonable delay and in no case later than 60 days following discovery of the breach and must contain a brief description of what happened; the date of the breach, if known; the date of discovery; and a description of the types of unsecured PHI involved in the breach. The notice must include steps affected individuals should take to protect themselves from potential harm resulting from the breach. The CE must also include a brief description of what the CE has done and is planning to do to investigate the breach, to mitigate losses, and to protect against further breaches. The notice must be in plain language and include contact information for individuals to ask questions or learn more. Business associates must notify CEs of any breach of unsecured PHI. Notification must include the identity of each affected individual. The CE must notify the Department of Health and Human Services (HHS) of all breaches of unsecured PHI. Notification must occur immediately if the breach involves 500 or more individuals. The CE can maintain a log of breaches affecting fewer than 500 individuals and submit the log annually to HHS.

On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that is secured through encryption or destruction in accordance with specified standards would not be considered “unsecured PHI.” A CE would not have to comply with the breach notification rules if the CE utilizes the technologies and methodologies that HHS prescribes.

On August 24, 2009, interim final regulations were published in the Federal Register implementing the HITECH breach notification provisions. These regulations clarify important exclusions from the breach notification requirements. A breach excludes:

• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA made in good faith and within the person’s scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.

• Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement (OHCA) in which the CE participates, and the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.

• A disclosure of PHI where the CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

CEs need to address the issue of unsecured PHI and develop policies and procedures to provide for notification of breaches.

Patient access to electronic health records. Patients will have the right to receive a copy of their PHI maintained in the electronic health record in an electronic format. A CE may charge a fee that is no greater than the labor costs incurred to respond to the request. (In Washington, the labor costs are subject to the limit on handling fees under WAC 246-08-400 which, until June 30, 2011, is $23.)

Accounting for disclosures of PHI for treatment, payment, and health care operations. At present, HIPAA and Washington State privacy rules exempt a CE from the obligation to provide individuals with an accounting of disclosures of their PHI if the disclosure was for treatment, payment, or health care operations. Under the HITECH Act, this exception would no longer be available to CEs that use electronic health records (EHRs). The period for which an accounting is required will be limited to 3 years, not the 6-year period currently required. This provision is delayed until January 14, 2014, for CEs that acquired EHRs as of January 1, 2009. For entities that acquire EHRs after January 1, 2009, the provision will be effective on January 1, 2011, or the date upon which the entity acquires the EHR, whichever date is later. HHS is permitted to delay both of these effective dates for up to two years. More guidance is expected from HHS before these effective dates.

Minimum necessary standard. Under the current HIPAA Privacy Rule, a CE that uses, discloses, or requests PHI must make reasonable efforts to limit the PHI to the “minimum necessary” to accomplish the intended purpose. The HIPAA Privacy Rule does not define “minimum necessary.” Under the HITECH Act, when using, disclosing, or requesting PHI, CEs are required to limit “to the extent practicable” disclosure of PHI to a “limited data set,” or if more information is needed, to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request.” The Privacy Rule defines a “limited data set” as PHI from which all direct patient identifiers have been removed. These include name, postal address (other than city, state, and zip code), telephone and fax numbers, e-mail address, social security and medical record numbers, and other identifiers. Additionally, while the current Privacy Rule permits CEs to rely on a request by other CEs and their business associates as being the minimum necessary for a particular disclosure, the HITECH Act requires the CE to make the determination of the minimum necessary for disclosure, rather than relying on others to make that decision. HHS has until August 16, 2010, to publish guidance on what constitutes “minimum necessary” under the Privacy Rule.

Nondisclosure of self-pay services. Currently under the HIPAA Privacy Rule, an individual has a right to request special privacy protections for the use and disclosure of PHI for treatment, payment, and health care operations. A CE is not required to grant that request, although the individual’s request is retained in the record.

Under the HITECH Act, a CE will be required to honor a patient’s request that information regarding a particular service not be disclosed to the patient’s health plan or insurance if the patient pays for that service in full out of pocket. Failure to comply with the request will be considered a violation and subject to HIPAA penalties.

Sale of records prohibited. On or before February 17, 2011, CEs and BAs will be prohibited from directly or indirectly receiving payment in exchange for any PHI, unless the individual specifically authorizes, in writing, that the PHI can be exchanged for payment. Exceptions to this rule include exchanges for treatment purposes; for purposes of a sale, transfer, merger, or consolidation of CEs; for public health activities; and for certain activities of BAs. Exceptions to this rule also apply for research purposes, as long as the price reflects only the costs of preparation and transmittal of the data.

Marketing communications. Effective February 17, 2010, CEs may no longer use PHI to inform an individual about the CE’s own health care products or services without the individual’s written authorization if the CE receives payment from another party for doing so. These marketing communications would be allowed if the communication describes only a drug or biologic that is currently being prescribed for the patient and the payment the CE receives is reasonable; the CE makes the communication itself and obtains a written patient authorization; or a BA of the CE makes the communication, and the communication is consistent with the business associate agreement between the CE and the BA.

Fund-raising communications. Effective February 17, 2010, all fund-raising communications that are considered health care operations must clearly provide individuals with an opportunity to opt out of any future fund-raising solicitations.

Increased monetary penalties. Effective immediately is a new tiered civil monetary penalty (CMP) system that imposes monetary penalties based upon the nature of the improper conduct. In situations where the CE did not know (or by exercising reasonable diligence would not have known) it violated HIPAA, a penalty of $100 per violation, up to $25K per year, for each type of violation is applicable. If the violation is due to “reasonable cause,” the maximum penalty rises to $1K per violation, up to $100K per year. If the violation is due to “willful neglect,” depending on whether or not the violation is corrected, the maximum penalty ranges from $10K to $50K per violation, up to $250K to $1.5M per year. Beginning February 17, 2011, HHS is required to impose civil penalties on a CE if the violation is determined to be due to “willful neglect.”

State attorneys general can bring actions. Effective immediately, state attorneys general have the authority to bring civil actions to enforce HIPAA.

Criminal penalties for individuals. Effective immediately is a provision that criminal penalties may be imposed under HIPAA on any individual or entity that wrongly obtains or discloses PHI maintained by a CE. This provision clarifies an ongoing debate as to whether criminal penalties under HIPAA can only be imposed upon a CE.

Authority to audit. Under the HITECH Act, HHS has the authority to audit CEs and BAs to ensure compliance with the privacy portion of the HITECH Act and current HIPAA privacy and security regulations.

To view the HITECH Act in its entirety, please go to: http://snipr.com/fexbr and see Division A, Title XIII and Division B, Title IV.

Conclusion. HIPAA rules, regulations, and standards have and will continue to be a moving target under the direction of the federal government. It is important that your practice’s policies and procedures are periodically reviewed and updated as necessary to reflect these changes. Initial training of new staff members and ongoing retraining of existing staff is required under the HIPAA regulations.

In addition to the resources available on our Web site at www.phyins.com, the Department of Health and Human Services Office for Civil Rights (OCR) is another valuable source of information for meeting the various HIPAA requirements. The OCR Web site is available at http://www.hhs.gov/ocr/privacy. You can find an extensive list of HIPAA-related questions and answers at http://www.hhs.gov/hipaafaq. HIPAA Security Rule information can be found at http://www.cms.hhs.gov/securitystandard/.

We’re here to help you. Contact your Physicians Insurance risk management representative for more information about the new legislation affecting the HIPAA Privacy and Security Rules and Washington State privacy laws. Call our Seattle office at (206) 343-7300 or 1-800-962-1399, or call our Spokane office at (509) 456-5868 or 1-800-962-1398. E-mail our experts at risk@phyins.com.

Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official

According to the Privacy Rule, a health care provider must designate a “HIPAA Privacy Official” to assume responsibility for the development and implementation of policies and procedures to protect the privacy of PHI, and must also designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Regulations and providing further information about matters covered in the Notice of Privacy Practices.[1] The Security Rule requires each health care provider to designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.[2]

HIPAA responsibilities may be incorporated into the job duties of an existing member or members of your staff. For smaller health care providers in particular, it is not necessary to designate an individual whose sole role is HIPAA compliance. The same person may serve as your designated HIPAA Privacy Official and contact person and your designated HIPAA Security Official, or, depending on organizational responsibility for electronic protected health information, it may be more appropriate to have different individuals perform these roles.

The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Privacy Official and contact person:

a. Oversees the development, implementation, and maintenance of appropriate privacy policies and procedures.

(i) Reviews new or revised laws and regulations pertaining to patient privacy to determine whether all policies required by law have been developed in writing and whether revisions of current policies are needed. Writes or revises policies as necessary.

b. Identifies noncompliance with privacy practices to allow for consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce.

c. Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.

d. Conducts assessments and internal privacy audits to determine organizational compliance, including reports of compliance activities.

e. Oversees, in cooperation with the Security Official, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and the retraining of employees when material changes have been made in policies and procedures or when otherwise necessary (e.g., scheduled retraining).

f. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all privacy concerns and requirements are addressed.

g. Maintains appropriate authorization forms, privacy notices, and other materials reflecting current privacy practices and requirements.

h. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.

i. Manages patient requests for amendments and requests for changes to their medical records.

j. Manages the release of patient records in accordance with established policies and procedures.

k. Manages patient requests regarding limiting disclosures to health plans when the patient has paid in full out of pocket for the services that are the subject of the disclosure.

l. Serves as the designated contact person to receive questions, comments, and complaints, and provide resources for patients and staff on the HIPAA privacy regulations.

m. Receives reports of potential breaches of unsecured PHI and works with Security Official to investigate, make determinations, and provide notification if necessary.

While the above job duties may be delegated and shared among employees, it is recommended that duties a, b, and c be assumed by your designated “HIPAA Privacy Official.”


The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Security Official:

a. Performs initial and periodic written risk assessment related to security of electronic protected health information (electronic PHI).

b. Implements, oversees, and monitors risk management measures to address security risks and vulnerabilities identified by risk assessments.

c. Oversees the development, implementation, and maintenance of appropriate systems and/or processes for the security of electronic PHI, including security policies and procedures.

d. Implements measures to protect against reasonably anticipated threats or hazards to security or integrity of electronic PHI and reasonably anticipated unauthorized uses or disclosures.

e. Identifies noncompliance with security policies and procedures to allow for consistent application of sanctions for failure to comply with security policies for all individuals in the organization’s workforce.

f. Establishes and administers a process for regularly reviewing records of computer or information system activity related to electronic PHI, such as audit logs, access reports, and security incident tracking reports.

g. Develops and implements procedures for authorization and supervision of access to electronic PHI by workforce members and termination of access.

h. Develops and implements access authorization policies for stored electronic PHI.

i. Oversees the development, implementation, and maintenance of appropriate security policies and procedures, including those for physical and technical safeguards.

(i) Reviews new or revised laws and regulations pertaining to the security of electronic PHI to determine whether all policies required by law have been developed in writing and whether revisions of current policies are needed. Writes or revises policies as necessary.

j. Oversees, in cooperation with the Privacy Official, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and the retraining of employees when material changes have been made in policies and procedures or when otherwise necessary (e.g., scheduled retraining).

k. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all security concerns and requirements are addressed.

l. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.

m. Investigates and resolves security breaches involving electronic PHI, including breaches reported by Business Associates, providing appropriate notifications as required by state and federal law, after consulting as necessary with legal counsel.

n. Receives reports of potential breaches of unsecured PHI and works with Privacy Officer to investigate, make determinations, and provide notification if necessary.

1. 45 CFR § 164.530(a)(1)
2. 45 CFR § 164.308(a)(2)

HIPAA Self-Assessment Worksheet

PART 1: Data Gathering

______________________________________________________________________________

Organization Name

One of the first tasks to becoming HIPAA compliant is to conduct an assessment of your current operations. Part 1 of the HIPAA Self-Assessment Worksheet has been designed to assist you with this process. Attach additional sheets if necessary.

Part 2 of the HIPAA Self-Assessment Worksheet assists you in identifying additional issues and analyzing the data you collect.

Keeping a record of your work is documentation of your compliance efforts and could be used to defend your actions in the event of a claim, complaint investigation, or survey by the Office for Civil Rights (OCR), etc. Part 3 of the HIPAA Self-Assessment Worksheet assists you in this effort.

It is recommended that these items be kept in a binder or folder with tabs to indicate the various sections.

SECTION 1: Administration

Section 1 of your compliance records should include the following:

• The minutes of all meetings of your HIPAA compliance group, if applicable,

• Any administrative memos or notes relevant to your HIPAA compliance project, and

• Any budget information relevant to your HIPAA compliance project.

1. Individual in charge of HIPAA compliance:
Name _________________________________________________________________________
Contact information _____________________________________________________________

2. Other individuals in your HIPAA compliance work group:
a. Name ________________________________________________________________
Contact information _____________________________________________________
b. Name ________________________________________________________________
Contact information _____________________________________________________

3. Compliance record keeper: ______________________________________________________
4. Compliance budget: ____________________________________________________________
5. Meeting schedule: ___________________________________________________________

6. Meeting location(s): __________________________________________________________

SECTION 2: Record Keeping

Section 2 of your files should include all information and materials relevant to the locations where patient information is kept.

7. How are paper medical records kept? (Note all that apply.)

a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On a separate sheet, list all sites where paper medical records are kept.

8. How are paper claims and billing information kept? (Note all that apply.)

a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On a separate sheet, list all sites where paper claims or billing information are kept.

9. How is other patient information on paper kept? (Note all that apply.)

a. Open shelves accessible to all: _____________________________________________
b. Open shelves accessible to staff only: ________________________________________
c. Open shelves in locked room: ______________________________________________
d. Filing cabinets with no locks: _______________________________________________
e. Shelves/filing cabinets with locks: ___________________________________________
f. Off-site storage, no security: _______________________________________________
g. Off-site secure storage: ___________________________________________________
h. On a separate sheet, list all sites where other patient information on paper is kept.

10. How is patient information kept in electronic or other non-paper media? (Note all that apply.)

a. Not applicable: __________________________________________________________
b. Personal computer(s), no network connections: ________________________________
c. Personal computers, internal network: _______________________________________
d. Personal computers, Internet connection: _____________________________________
e. Off-site personal computers/laptops permitted remote access (dial-in, Internet, etc.): ____________________________________________________
f. CDs/DVDs/backup tapes: ____________________________________________
g. Handheld devices (BlackBerry, iPhone, etc.): __________________________________
h. On a separate sheet, list all equipment on which patient information is kept in electronic form.
i. Microfilm/microfiche: _______________________
j. Videotape: _______________________
k. Other form(s) of media: _______________________

11. How is access to patient information controlled?

Be prepared to document policies related to administrative restrictions, physical access, and electronic access (e.g., log-ons, passwords, authentication, automatic time-outs) to equipment and systems containing patient information.

12. Copy and attach all policies concerning:

a. Access to files containing patient information

b. Access to rooms, shelves, and filing cabinets where patient records are kept
c. Access to or use of electronic equipment on which patient information is stored

SECTION 3: Personnel/Workforce

Section 3 should include all information and materials relevant to those individuals in your organization who are allowed to have access to, use, or disclose patient information. You should include not only employees, but also trainees and volunteers who are under your organization’s control.

13. List all individuals who work in your organization. For each individual, state:

a. Job title and description
b. Whether he/she is permitted access to:
I. Patient clinical information
II. Patient billing and claims information
III. Other patient information
c. Whether he/she has signed a confidentiality agreement
d. Whether his/her employment agreement has confidentiality provisions

14. Copy and attach all policies concerning:

a. Confidentiality of and access to patient information
b. Use and disclosure of patient information by staff
c. Disciplinary procedures for breach of patient confidentiality

SECTION 4: Patient Relations

Section 4 should contain all relevant materials concerning the way your organization permits patients to have access to, copy, or otherwise exercise some degree of control over the records that pertain to them.

15. Copy and attach all forms, notices, and other material you give patients that affect the use or disclosure of patient health information:

a. Standard or customary patient release of information forms
b. Any notice of information or privacy practices published or available to patients
c. Any patient brochures you may distribute related to records access
d. Any “patients’ rights” notices you may provide
e. Consents

16. Copy and attach all policies concerning:

a. Patient review and copying of records
b. Patient requests to amend records
c. Accounting to patients for disclosures of patient information
d. Use or disclosure of patient information for marketing or general contact purposes

17. List all individuals and organizations to which you regularly disclose:

a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information

SECTION 5: Business Associates

Section 5 should include an inventory of the individuals and organizations with which you exchange, from which you receive, or to which you disclose patient information, not including the patients themselves. You should include copies of all your existing contracts or agreements with such individuals or organizations.

18. List all individuals and organizations with which you exchange:

a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information

19. Attach copies of all contracts or agreements currently in effect with individuals and organizations to or from which you regularly disclose or receive patient information.

CHOICE HIPAA Consultation Pilot – Initial Task List

© 2002 CHOICE Regional Health Network – Consent to reproduce for non-profit distribution

This information is intended as advisory in nature and should not be considered as legal advice nor is it a substitute for legal advice. This information does not constitute technical information system or security advice. It is designed to assist you in your own risk management activities. It is not intended to be exclusively relied upon or used as a substitute for your own loss-control program. Accuracy and completeness are not guaranteed.


HIPAA Self-Assessment Worksheet

Part 2: Analyze the Data

Parts 1 and 2 of the HIPAA Self-Assessment Worksheet were created to help you identify areas where action might be needed to comply with HIPAA. The questions in this document may help you further analyze the data collected in Part 1.

DATE COMPLETED: ____________________________________________________________________
COMPLETED BY: _________________________________________________________________

YES NO COMMENTS

1) Steps have been taken to minimize the likelihood that patients and visitors can easily see or access computer screens/monitors and other records containing PHI. For example:

[ ] Computer screens time out.
[ ] Files are put away or turned over to avoid easy viewing.
[ ] PDAs (hand-held computer devices) are kept in a secure manner by the authorized individual.
[ ] Records, including CDs and DVDs, are stored in a secure manner.
[ ] Other: _______________________________________________________________________________

2) Medical, financial, and other records containing PHI are secure and accessible only to those people employed by or doing work on behalf of the practice who have a legitimate, job-related need to know; e.g., maintained in locked file cabinets or locked medical record rooms.

3) Computers are password protected, each user has a unique log-on identifier (no shared accounts), and passwords are changed on a regular basis.

4) Access controls (e.g., passwords, computer accounts, combinations, keys) to computers, filing cabinets, and the building are terminated or changed when employees or contract workers end their relationship with the practice.

5) Electronic equipment and other records containing PHI are stored in a secure location to prevent theft or vandalism, using both physical security (e.g., alarms and locks) and electronic security (access controls, firewalls, and antivirus checks; consider seeking technical expertise for these).

6) Documents or records that contain patients’ personal, financial, and health information, and are no longer needed, are destroyed.

[ ] Shredded or [ ] Incinerated.
[ ] Information is kept showing how, why, and by whom medical records were destroyed.
[ ] Medical records are retained at least:

• 6 years from the date of the patient’s death.
• 10 years from the date of the patient’s last medical service.
• 21 years from the date of a child’s birth for pediatric records and for the obstetric patient’s prenatal records, or 10 years after the minor patient’s last medical service, whichever period is longer.

[ ] Patient management systems data (financial, etc.) is retained for 10 years.
[ ] Prior to sale or disposal of computer equipment that stores PHI, the storage media are sanitized so that the data cannot be recovered, i.e., overwritten with a disk-wiping tool or physically destroyed. Reformatting a hard drive by itself does not remove the data and is not sufficient. (Technical knowledge needed.)


7) Computer systems containing PHI have systems to protect data integrity and to prevent data loss, for example:

[ ] Backup systems are used to prevent loss of data due to power outage, hackers, etc.
[ ] Audit trail systems are in place and their records are periodically reviewed.

8) Procedures address handling of medical, financial, or other records containing PHI—for example:

[ ] Original records are handled correctly (e.g., not removed from premises and charted appropriately, including corrections).
[ ] Patient requests for copying of and amendment to records are handled correctly.
[ ] Patient requests for an accounting of disclosures of PHI are handled quickly and correctly.
[ ] Message boards, daily patient schedules, etc., that allow viewing of patient financial or health information are maintained in areas restricted to employees who have a legitimate job-related need to know.
[ ] Measures are taken to ensure that conversations held with patients concerning financial and health information maintain privacy. For example:

• Exam room doors are closed.
• Background music is used in waiting/reception areas to minimize the likelihood of overhearing PHI.
• Solid core doors are used to minimize sound travel.
• Phone messages are listened to in private.

[ ] Steps are taken to reduce the likelihood that facsimile transmissions may be sent to an incorrect telephone number. For example:

• A confidentiality disclaimer is used on facsimile or electronic transmissions.
• Transmissions of private health information are limited to urgent/emergent needs.
• Infrequently used fax numbers are verified prior to transmission.

[ ] Cell phone conversations about patients that require the release of Individually Identifiable Health Information are conducted only to ensure continuity of care.
[ ] Steps are taken to protect the privacy and security of information if e-mail or another electronic form of communication is used to communicate personal health information.

9) Staff, including volunteers, are trained in privacy and in maintaining the security of health information. Education is documented and includes:

[ ] Appropriate handling of personal health information, including specific policies.
[ ] Use of discretion when discussing personal health information within hearing of others.
[ ] Use of discretion when leaving telephone and electronic messages for patients.
[ ] Software password-security procedures.
[ ] Signed confidentiality statements.
[ ] Staff accountability for following procedures and applicable laws to protect privacy and security of PHI.

10) Criminal security/background checks are conducted prior to hiring employees.

11) Board members understand, and are trained in, maintaining the privacy and security of any PHI that they may have a legitimate need to know. And, they:


12) Policies address appropriate handling of patient concerns—including concerns related to the privacy and security of PHI.

13) Forms and documents that affect the use and disclosure of patient health information (e.g., IRB authorization) have been identified, reviewed for compliance with HIPAA, and modified as needed. Using the following list of forms, determine which forms you currently use that you will no longer need.

a. Employee Confidentiality and HIPAA Training Acknowledgment Statement
b. Revocation of Authorization to Use or Disclose Protected Health Information
c. Request to Correct or Amend Protected Health Information
d. Authorization to Use or Disclose Protected Health Information
e. Notice of Privacy Practices

Assess the remaining forms for HIPAA compliance.

14) Business associates are expected to use reasonable measures to handle PHI in a private and secure manner.

[ ] If written agreements exist, consult legal counsel to ensure HIPAA provisions are met. If written agreements do not exist, work with legal counsel to draft “Business Associate Agreements” required by HIPAA.
[ ] Business associates, as appropriate, are educated about pertinent practices/policies pertaining to privacy and security when they have reason to perform any job-related functions on premises.

15) List other areas pertaining to your operations affected by HIPAA and not listed in this document.

a. _____________________________________________________________________________
b. _____________________________________________________________________________
c. _____________________________________________________________________________

If you responded with a “NO” to any item, further action may be necessary to provide reasonable protection for PHI.
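Items 3, 4 and 7 above (unique log-ons, terminated access, and periodic review of audit trails), together with duty f in the Security Official job description earlier on this page, describe a periodic review of ePHI access records against the workforce roster. The following is an added example, not part of the CHOICE worksheet or of any product, showing the shape of such a review in Python: it reads a constructed audit log, joins each line to a constructed roster, and flags shared log-ons, accounts not on the roster, use of an account after its termination date, and access to a class of PHI that the user's role has no need for. The roster, the record classes, the account names and the log format are all assumptions for illustration; a real system's audit log fields will differ.

```python
# Added example (not the CHOICE worksheet's own material): a minimal audit-log
# review that checks ePHI access records against the workforce roster. It flags
# the conditions the worksheet asks about: log-ons that are not unique to one
# person, accounts unknown to the roster, accounts used after access should
# have been terminated, and access to a PHI class the user's role does not need.
# Roster, role matrix and log lines are all constructed for this example.
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed workforce roster (hypothetical): PHI classes each role may access,
# and the date access was terminated (None = still active).
ROSTER = {
    "jdoe":   {"role": "physician", "allowed": {"clinical", "billing"}, "terminated": None},
    "msmith": {"role": "billing",   "allowed": {"billing"},             "terminated": None},
    "rlee":   {"role": "nurse",     "allowed": {"clinical"},            "terminated": date(2009, 9, 15)},
}

# Generic log-ons shared by several people; any use defeats individual accountability.
SHARED_ACCOUNTS = {"frontdesk", "admin"}

# Constructed audit log (CSV): timestamp,user,action,record_class,patient_id
SAMPLE_LOG = """\
2009-10-01T09:12:03,jdoe,view,clinical,P1001
2009-10-01T09:40:10,msmith,view,clinical,P1001
2009-10-02T22:05:44,rlee,view,clinical,P1002
2009-10-02T10:00:00,frontdesk,view,billing,P1003
2009-10-03T11:30:00,ghost,export,clinical,P1004
2009-10-03T11:31:00,jdoe,view,billing,P1004
"""


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line number in the log
    user: str
    rule: str      # which check fired
    detail: str


def parse_log(text):
    """Parse the CSV audit log into (line, timestamp, user, action, record_class, patient_id)."""
    rows = []
    for line, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        ts, user, action, record_class, patient_id = row
        rows.append((line, datetime.fromisoformat(ts), user, action, record_class, patient_id))
    return rows


def review_access_log(text, roster=ROSTER, shared_accounts=SHARED_ACCOUNTS):
    """Return one Finding for every check a log line violates, in log order."""
    findings = []
    for line, ts, user, action, record_class, patient_id in parse_log(text):
        if user in shared_accounts:
            findings.append(Finding(line, user, "shared-account",
                                    f"{action} of {patient_id} under a non-unique log-on"))
            continue
        entry = roster.get(user)
        if entry is None:
            findings.append(Finding(line, user, "unknown-account",
                                    f"{action} of {patient_id} by an account not on the roster"))
            continue
        terminated = entry["terminated"]
        if terminated is not None and ts.date() >= terminated:
            findings.append(Finding(line, user, "terminated-account",
                                    f"access on {ts.date()} after termination on {terminated}"))
        if record_class not in entry["allowed"]:
            findings.append(Finding(line, user, "role-mismatch",
                                    f"{entry['role']} accessed {record_class} record {patient_id}"))
    return findings


def summarize(findings):
    """Count findings per rule, for the periodic review record."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line}: {f.user}: {f.rule}: {f.detail}")
    print(summarize(results))
```

Run as a script it prints one line per finding and the per-rule counts; the counts are what would go into the Security Official's review record. The terminated-account check is only as good as the roster it reads, which is why item 4 (terminating access when a worker leaves) and item 7 (reviewing the audit trail) are reviewed together: a roster that is not updated on the day access ends leaves that check blind.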


HIPAA Self-Assessment Worksheet

Part 3: Action Plan

Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.

Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.

Columns: ISSUE | ACTION PLAN (circle all changes that you plan to implement, and attach estimated costs) | REASON FOR DECISION (check all that apply) | FOLLOW-UP | RESPONSIBLE PARTY

Blank row (repeat for each issue; the original form provides three rows per page):

ISSUE: _____________________________________________
ACTION PLAN: System/equipment change / New policy/policy change / New form/form change / Job description change / Education / Facility upgrade / Other: _____________________________________________
REASON FOR DECISION: [ ] Options selected provide reasonable protections of PHI. [ ] Options not feasible at this time: __________________ [ ] Other: __________________
FOLLOW-UP: [ ] Date Completed: ____/____/____ [ ] Monitor [ ] Budget for: _______________ in _______________ (budget year)
RESPONSIBLE PARTY: _____________________


HIPAA Self-Assessment Worksheet

Part 3: Action Plan

Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.

Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.

Columns: ISSUE | ACTION PLAN (circle all changes that you plan to implement, and attach estimated costs) | REASON FOR DECISION (check all that apply) | FOLLOW-UP | RESPONSIBLE PARTY

1) ISSUE: Information overheard in waiting room
   ACTION PLAN: System/equipment change (background music - stereo system); Education (completed 9/1/09)
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [x] Options not feasible at this time: upgrade on hold - budget. [ ] Other.
   FOLLOW-UP: [ ] Date Completed. [x] Monitor. [x] Budget for: $2000.00 stereo in 2010 (budget year).
   RESPONSIBLE PARTY: Cathy

2) ISSUE: Disposal of confidential information
   ACTION PLAN: Education (scheduled 10/1/09)
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [x] Options not feasible at this time: __________________ [x] Other: __________________
   FOLLOW-UP: [x] Date Completed: 10/1/09. [x] Monitor. [ ] Budget for.
   RESPONSIBLE PARTY: Pat

3) ISSUE: Sensitive information discussed on phone; possibility of being overheard
   ACTION PLAN: System/equipment change (see issue #1 action plan); Education (completed 8/1/09)
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [x] Options not feasible at this time: upgrade on hold - budget. [x] Other: __________________
   FOLLOW-UP: [ ] Date Completed. [x] Monitor. [x] Budget for: $2000.00 stereo in 2010 (budget year).
   RESPONSIBLE PARTY: Cathy


4) ISSUE: PHI left on the counter; accessible to unauthorized persons
   ACTION PLAN: Education (move information to restricted area ASAP)
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [x] Options not feasible at this time: __________________ [ ] Other.
   FOLLOW-UP: [x] Date Completed: 10/1/09. [x] Monitor. [ ] Budget for.
   RESPONSIBLE PARTY: Kathy

5) ISSUE: Files with PHI accessible to unauthorized persons
   ACTION PLAN: (no change annotated)
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [ ] Options not feasible at this time. [x] Other: __________________
   FOLLOW-UP: [x] Date Completed: 10/1/09. [ ] Monitor. [ ] Budget for.
   RESPONSIBLE PARTY: Dave

6) ISSUE: a) computer screens visible to patients; b) patients may access network
   ACTION PLAN: System/equipment change (program for passwords and add screen savers); Education (of policy changes); Other: assess computer system - possible upgrade
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [x] Options not feasible at this time: assessment of computer on hold due to budget. [x] Other: __________________
   FOLLOW-UP: [ ] Date Completed. [x] Monitor. [x] Budget for: assessment upgrade in 2010 (budget year).
   RESPONSIBLE PARTY: Kim


7) ISSUE: Need business associate agreements: transcription, accountant, collection agency
   ACTION PLAN: Other: obtain sample business assoc. agreements
   REASON FOR DECISION: [x] Options selected provide reasonable protections of PHI. [ ] Options not feasible at this time. [ ] Other.
   FOLLOW-UP: [ ] Date Completed. [ ] Monitor. [x] Budget for: legal review in 2010 (budget year).
   RESPONSIBLE PARTY: Dennis

(Blank rows follow on the original form for additional issues.)


Identifying Your Business Associates

The HIPAA Privacy regulation allows you to share patient information with your Business Associates in order to conduct health care operations, but only if you have a Business Associate Agreement with them. The regulation defines Business Associates as persons outside of your workforce who:

• On your behalf, perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information (e.g., claims processing, data analysis, quality assurance, billing, practice management); or

• Provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, where the service involves the disclosure of individually identifiable health information.

Some examples of your Business Associates may be:

• Accountants

• Attorneys

• Billing companies

• Clearinghouses

• Consultants

• Collection agencies

• Transcription services

• Data analysis or aggregation services

• Information technology service providers

• Temporary staffing agencies

• Copy services

• Document storage and destruction vendors

• Professional liability insurers

• Insurance agents and brokers

• Health Information Exchanges (“HIEs”)

• Regional Health Information Organizations (“RHIOs”)

• E-prescribing Gateways

• Vendors that allow you to offer a personal health record to patients as part of your electronic health record

This list is not exhaustive. Think broadly when you are identifying your Business Associates. Ask yourself:

• Who are your Business Associates?

• What function do they serve?

• What information is disclosed to them?

• Do you currently have some form of contract with them?

• If so, when is the contract due to be renewed or renegotiated?

The sample form, Business Associate Agreement Checklist, will help you identify what needs to be included in your Business Associate Agreement.


Effective February 17, 2010, as a result of the ARRA, Business Associates will become accountable to the federal and state authorities for failure to comply with the Privacy Rule provisions applicable to them by their Business Associate Agreements and will be required to directly comply with most provisions of the HIPAA Security Rule, including compliance with administrative safeguards, technical safeguards, physical safeguards, and policies, procedures, and documentation requirements applicable to Covered Entities. This means that Business Associates will be required to undertake a security risk analysis, appoint a security official, and maintain written security policies and procedures, as well as comply with other requirements of the HIPAA Security Rule. The Secretary of Health and Human Services is required to


Business Associate Agreement Checklist

HIPAA Privacy and Security regulations establish the following requirements for the Business Associate Agreement:

Business Associate Agreement must:

[ ] Be in writing.

[ ] State permitted and required uses and disclosures.

[ ] Prohibit uses and disclosures not allowed in the Business Associate Agreement or by law, or that would be a violation of the Privacy Regulations if done by the Covered Entity (CE).

[ ] Require Business Associate (BA) to use appropriate safeguards to prevent any unauthorized use or disclosure.

[ ] Require BA to report to the CE any unauthorized use or disclosure of which BA becomes aware.

[ ] Require that any agents, including a subcontractor, to whom BA provides protected health information received from the CE, or created or received by BA on behalf of the CE, agree to the same restrictions and conditions that apply to the BA with respect to such protected health information, unless disclosures are required by law or unless disclosures are for BA’s proper management or administration and BA obtains the “reasonable assurances” described below from such downstream user.

[ ] Require BA to make available protected health information to the Individual in the Designated Record Set in accordance with 45 C.F.R. §164.524. (While these provisions must be in the Business Associate Agreement, actual access is not required if Business Associate does not possess protected health information in the original Designated Record Set.)

[ ] Require BA to make available and to incorporate any amendment to protected health information in the Designated Record Set in accordance with 45 C.F.R. §164.526. (While these provisions must be in the Business Associate Agreement, actual amendment is not required if Business Associate does not possess protected health information in the original Designated Record Set.)

[ ] When requested by CE, require BA to make available to CE the information required to allow the CE to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528.

[ ] Require BA to make its internal practices, books, and records available to the Department of Health and Human Services Office for Civil Rights for purposes of determining the CE’s compliance with the Privacy Rule, to the extent related to the uses and disclosure of protected health information received from, or created or received by, the BA on behalf of the CE.

[ ] Require return or destruction of protected health information at end of contract, if feasible; but, if return or destruction is not feasible, extend the protection of the Business Associate Agreement to the information and limit further uses and disclosures to the purposes listed in the Business Associate Agreement.

[ ] Authorize termination of Agreement if BA violates a material term of the Business Associate Agreement.

(28)

† Require BA to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.

† Require BA to report any security incident of which it becomes aware.

† Require BA to ensure that any agent or subcontractor implement reasonable and appropriate safeguards to protect electronic PHI.

(Provisions for compliance with the HITECH Act of the ARRA after February 17, 2010)

† Require BA to comply with the requirements of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §§17921-17954 and regulations issued by the Department of Health and Human Services to implement these statutes as of the date by which business associates are required to comply.

† Require BA to comply with Section 13402 of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §17932 and regulations issued by the Department of Health and Human Services to implement this statute as of the date by which business associates are required to comply by, among other things, reporting to CE within five business days of BA’s discovery of any breach of unsecured protected health information.

† Require BA to indemnify CE for any reasonable expenses CE incurs in notifying individual of a breach of unsecured protected health information caused by BA or its subcontractors or agents.

Optional terms

† The Business Associate Agreement may permit the BA to use PHI for the proper management and administration of the BA or to carry out its legal responsibilities.

† The Business Associate Agreement may permit the BA to disclose protected health information if needed for the proper management and administration of the BA or to carry out the legal responsibilities of the BA if:

1. The disclosure is required by law or

2. The BA obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person agrees to notify the BA of any instances of which it is aware in which the confidentiality of the PHI has been breached.

† The Business Associate Agreement may allow BA to provide Data Aggregation Services relating to CE’s health care operations.

† The Business Associate Agreement may include defined terms by either referencing the Privacy Rule or including examples of specific definitions. If specific definitions are included, the Business Associate Agreement may define: Protected Health Information; Electronic Protected Health Information; Designated Record Set; De-identify; and Security Rule.
