Table of Contents
Disclaimer
HIPAA Essentials
HIPAA – Six Years Later
Implementation
Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
HIPAA Self-Assessment Worksheet – Part 3: Action Plan (blank)
HIPAA Self-Assessment Worksheet – Part 3: Action Plan (filled in)
Identify Your Business Associates
Business Associate Agreement Checklist
Sample Business Associate Contract Provisions
Policies, Procedures, and Sample Forms
HIPAA Privacy Rule – Policies, Procedures, and Documents
Instructions to Assist in Implementing Sample Forms and Policies and Procedures
Notice of Privacy Practices (Policy & Procedures)
Notice of Privacy Practices
Notice of Privacy Practices Acknowledgment
Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
Authorization to Use or Disclose Protected Health Information
Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
Revocation of Authorization to Use or Disclose Protected Health Information
Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
Denying Request to Access Protected Health Information
Request to Correct or Amend Protected Health Information (Policy & Procedures)
Request to Correct or Amend Protected Health Information
Denying Request to Correct or Amend Protected Health Information
Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
Accounting Log for Protected Health Information Disclosures
Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
Breach Notification Checklist
Accounting Log for Notification of Breach of Unsecured Protected Health Information
Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
Complaint / Grievance Resolution Letter
Training
HIPAA Privacy and Security Training (Policy & Procedures)
HIPAA Privacy and Security Training Checklist
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
HIPAA Privacy Rule: A Questionnaire for Clinical Staff
HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
Treatment of Minors and the Handling of Their Protected Health Information
Kinship Caregivers Informed Consent Declaration for Minors
Employee Confidentiality and HIPAA Training Acknowledgment Statement
Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
HIPAA Help – A Resource List
Security
Updates to the July 2004 HIPAA Model Security Policies and Procedures
July 2004 HIPAA Model Security Policies and Procedures
Disclaimer
Physicians Insurance has produced the following materials to assist practices in their efforts to comply with the Privacy and Security Rule promulgated under the Health Insurance Portability & Accountability Act (HIPAA) of 1996, and new federal legislation, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act (ARRA) that was signed into law on February 17, 2009. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements. These materials are current as of November 2009.
While we have made every effort to prepare these materials accurately and completely, the complexity of these issues makes it impossible to guarantee their accuracy and completeness. These materials are provided as general guidance and do not constitute legal advice. Given the scope and complexity of the HIPAA Privacy and Security Rule and HITECH Act requirements and the difficulty of identifying and incorporating all state requirements that are more “stringent” than these rules, practices are well advised to consult with private legal counsel concerning compliance issues.
The information in these materials is intended as risk management advice. It does not constitute a legal opinion nor is it a substitute for legal advice. Legal inquiries about topics covered in these materials should be directed to your attorney.
HIPAA – Six Years Later
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, as it has become widely known, was enacted by the federal government to help workers maintain their health insurance coverage during a time of job change, to establish privacy and security rules for protected health information, to set standards for electronic billing of health care services, and to develop a national provider identifier system.
The HIPAA Privacy Rule compliance date was April 14, 2003. Since that time, other aspects of the act have come into effect and many states, including Washington, have passed or revised state privacy regulations. On February 17, 2009, the American Recovery and Reinvestment Act (ARRA), also known as the Stimulus Bill, was signed into law. Enacted as part of this new federal legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act strengthens and expands HIPAA’s current privacy and security requirements.
This new legislation will require you to review and revise your current practices relating to the use and disclosure of protected health information. To this end, this article is intended to provide you with a checklist of items currently required under the HIPAA Privacy and Security Rules and Washington state privacy regulations, and to outline new regulations that will affect these rules.
Physicians Insurance has updated our HIPAA-related sample policies and procedures, forms, and training materials to address these new federal requirements. In addition, we have identified a number of helpful resources to assist you in meeting these new regulations. This information is available to all policyholders and their staff on our Web site at www.phyins.com.
Current HIPAA Privacy Rule requirements (Italicized articles and sample documents are available on our Web site at www.phyins.com):
Designate a privacy/security official for your practice. You must designate a “HIPAA Privacy Official” to assume responsibilities for the development, implementation, and ongoing management and review of policies and procedures to protect the privacy of protected health information (PHI). HIPAA also requires that you designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.
- Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
Develop, implement, and conduct ongoing reviews of your HIPAA privacy program. Document the minutes of all meetings, administrative memos, or notes. Develop an annual evaluation schedule for reviewing your privacy program.
- HIPAA Self-Assessment Worksheet – Part 1: Data Gathering
- HIPAA Self-Assessment Worksheet – Part 2: Analyze the Data
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – BLANK
- HIPAA Self-Assessment Worksheet – Part 3: Action Plan – FILLED IN
- Identify Your Business Associates
- Business Associate Agreement Checklist
Develop policies and procedures to comply with the HIPAA Privacy Rule. The HIPAA Privacy Rule requires each covered entity to adopt written policies and procedures with respect to protected health information. Develop an annual evaluation schedule for reviewing your privacy program policies and procedures.
- HIPAA Privacy Rule – Policies, Procedures, and Documents
- Instructions to Assist in Implementing Sample Forms and Policies and Procedures
- Notice of Privacy Practices (Policy & Procedures)
- Notice of Privacy Practices
- Notice of Privacy Practices Acknowledgment
- Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Authorization to Use or Disclose Protected Health Information
- Revocation of Authorization to Use or Disclose Protected Health Information (Policy & Procedures)
- Revocation of Authorization to Use or Disclose Protected Health Information
- Responding to Requests to Access and/or Copy Protected Health Information (Policy & Procedures)
- Denying Request to Access Protected Health Information
- Request to Correct or Amend Protected Health Information (Policy & Procedures)
- Request to Correct or Amend Protected Health Information
- Denying Request to Correct or Amend Protected Health Information
- Response to Defective Subpoena or Incomplete Request to Disclose Protected Health Information
- Responding to Request for Restrictions on the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Response to Request for Restrictions on the Use or Disclosure of Protected Health Information
- Minimum Necessary Requirements for the Use and Disclosure of Protected Health Information (Policy & Procedures)
- Documenting of and Accounting for Disclosures of Protected Health Information (Policy & Procedures)
- Accounting Log for Protected Health Information Disclosures
- Notification of Breach of Unsecured Protected Health Information (Policy & Procedures)
- Breach Notification Checklist
- Accounting Log for Notification of Breach of Unsecured Protected Health Information
Designate a contact person to address patient privacy complaints. You must designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Rules and providing further information about matters covered under the Notice of Privacy Practices (NPP).
- Complaints and Grievances Relating to the Use or Disclosure of Protected Health Information (Policy & Procedures)
- Complaint / Grievance Resolution Letter
Develop HIPAA privacy training program. The HIPAA Privacy Rule requires each member of the workforce to receive privacy training as necessary and appropriate for the member to carry out his or her job responsibilities. New members of the workforce should receive privacy training during their orientation period. Additional privacy training should be provided to the workforce within a reasonable time period after implementation of organizational policies and procedures that have undergone material changes. Develop a schedule for ongoing retraining of the workforce.
- HIPAA Privacy and Security Training (Policy & Procedures)
- HIPAA Privacy and Security Training Checklist
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff
- HIPAA Privacy Rule: A Questionnaire for Nonclinical Staff – Answer Key
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff
- HIPAA Privacy Rule: A Questionnaire for Clinical Staff – Answer Key
- Treatment of Minors and the Handling of Their Protected Health Information
- Kinship Caregivers Informed Consent Declaration for Minors
- Employee Confidentiality and HIPAA Training Acknowledgment Statement
- Nonemployee Confidentiality and HIPAA Training Acknowledgment Statement
- HIPAA Help – A Resource List
Ongoing assessment of HIPAA security policies and procedures. Ongoing assessment of HIPAA Security Policies and Procedures is required in order to comply with the HIPAA Security Rule. The Security Rule specifies that “[s]ecurity measures implemented to comply with standards and implementation specifications…must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information.”
- Updates to the July 2004 HIPAA Model Security Policies and Procedures
- July 2004 HIPAA Model Security Policies and Procedures
New provisions affecting HIPAA Privacy and Security Rules:
Business associates required to comply. Effective February 17, 2010, business associates (BAs) will be subject to the same requirements as covered entities (CEs) for implementing administrative, physical, and technical safeguards for protected health information (PHI). BAs will also be required to have written policies and procedures covering these requirements, and will be subject to the same civil and criminal penalties as CEs. Prior to this change, HIPAA regulations were limited to health plans, health care clearinghouses, and health care providers.
Health information exchanges are considered business associates. An organization that provides data transmission of PHI to a CE (or its BA) and that requires access to PHI in order to do so, such as a health information exchange or a regional health information organization, is considered a BA of the participating CEs. This provision also applies to vendors who provide personal health records functionality to CEs as a part of an electronic health records system. CEs will need to maintain business associate agreements with these organizations.
PHI breach notification rules. Beginning September 23, 2009, HIPAA CEs are required to notify individuals if they discover a “breach” of “unsecured PHI.” “Breach” means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI, meaning it poses a significant risk of financial, reputational, or other harm to the individual.
“Unsecured PHI” means PHI that is not secured through a technology or methodology that HHS considers as being capable of rendering the PHI unusable, unreadable, or indecipherable to unauthorized individuals.
Written notification must be provided to individuals via first-class mail. If the CE does not have sufficient contact information for 10 or more affected individuals, notification must also be made on the CE’s Web site home page or in major print or broadcast media. If the breach involved more than 500 individuals, notification must also be made to prominent media outlets.
Notification must be made without unreasonable delay and in no case later than 60 days following discovery of the breach and must contain a brief description of what happened; the date of the breach, if known; the date of discovery; and a description of the types of unsecured PHI involved in the breach. The notice must include steps affected individuals should take to protect themselves from potential harm resulting from the breach. The CE must also include a brief description of what the CE has done and is planning to do to investigate the breach, to mitigate losses, and to protect against further breaches. The notice must be in plain language and include contact information for individuals to ask questions or learn more. Business associates must notify CEs of any breach of unsecured PHI. Notification must include the identity of each affected individual. The CE must notify the Department of Health and Human Services (HHS) of all breaches of unsecured PHI. Notification must occur immediately if the breach involves 500 or more individuals. The CE can maintain a log of breaches affecting fewer than 500 individuals and submit the log annually to HHS.
On April 17, 2009, the Secretary of HHS issued guidance which states that PHI that is secured through encryption or destruction in accordance with specified standards would not be considered “unsecured PHI.” A CE would not have to comply with the breach notification rules if the CE utilizes the technologies and methodologies that HHS prescribes.
On August 24, 2009, interim final regulations were published in the Federal Register implementing the HITECH breach notification provisions. These regulations clarify important exclusions from the breach notification requirements. A breach excludes:
• Any unintentional acquisition, access, or use of PHI by a workforce member or person acting under the authority of a CE or BA made in good faith and within the person’s scope of authority and does not result in further use or disclosure in a manner not permitted under the Privacy Rule.
• Any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized health care arrangement (OHCA) in which the CE participates, and the PHI received is not further used or disclosed in a manner not permitted under the Privacy Rule.
• A disclosure of PHI where the CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.
CEs need to address the issue of unsecured PHI and develop policies and procedures to provide for notification of breaches.
Patient access to electronic health records. Patients will have the right to receive a copy of their PHI maintained in the electronic health record in an electronic format. A CE may charge a fee that is no greater than the labor costs incurred to respond to the request. (In Washington, the labor costs are subject to the limit on handling fees under WAC 246-08-400 which, until June 30, 2011, is $23.)
Accounting for disclosures of PHI for treatment, payment, and health care operations. At present, HIPAA and Washington State privacy rules exempt a CE from its obligation to provide individuals with an accounting of disclosures of their PHI if the disclosure was for treatment, payment, or health care operations. Under the HITECH Act, this exception would no longer be available to CEs that use electronic health records (EHRs). The period for which an accounting is required will be limited to 3 years, not the 6-year period currently required. This provision is delayed until January 14, 2014, for CEs that acquired EHRs as of January 1, 2009. For entities that acquire EHRs after January 1, 2009, the provision will be effective on January 1, 2011, or the date upon which the entity acquires the EHR, whichever date is later. HHS is permitted to delay both of these effective dates for up to two years. More guidance is expected from HHS before these effective dates.
Minimum necessary standard. Under the current HIPAA Privacy Rule, a CE that uses, discloses, or requests PHI must make reasonable efforts to limit the PHI to the “minimum necessary” to accomplish the intended purpose. The HIPAA Privacy Rule does not define “minimum necessary.” Under the HITECH Act, when using, disclosing, or requesting PHI, CEs are required to limit, “to the extent practicable,” disclosure of PHI to a “limited data set,” or, if more information is needed, to the minimum necessary “to accomplish the intended purpose of such use, disclosure, or request.” The Privacy Rule defines a “limited data set” as PHI from which all direct patient identifiers have been removed. These identifiers include name, postal address (other than city, state, and zip code), telephone and fax numbers, e-mail address, social security and medical record numbers, and other identifiers. Additionally, while the current Privacy Rule permits a CE to rely on a request by another CE or its business associate as being the minimum necessary for a particular disclosure, the HITECH Act requires the CE to make the determination of the minimum necessary for disclosure, rather than relying on others to make that decision. HHS has until August 16, 2010, to publish guidance on what constitutes “minimum necessary” under the Privacy Rule.
Nondisclosure of self-pay services. Currently under the HIPAA Privacy Rule, an individual has a right to request special privacy protections for the use and disclosure of PHI for treatment, payment, and health care operations. A CE is not required to grant that request, although the individual’s request is retained in the record.
Under the HITECH Act, a CE will be required to honor a patient’s request that information regarding a particular service not be disclosed to the patient’s health plan or insurance if the patient pays for that service in full out of pocket. Failure to comply with the request will be considered a violation and subject to HIPAA penalties.
Sale of records prohibited. On or before February 17, 2011, CEs and BAs will be prohibited from directly or indirectly receiving payment in exchange for any PHI, unless the individual specifically authorizes, in writing, that the PHI can be exchanged for payment. Exceptions to this rule include exchanges for treatment purposes; for purposes of a sale, transfer, merger, or consolidation of CEs; for public health activities; and for certain activities of BAs. Exceptions to this rule also apply for research purposes, as long as the price reflects only the costs of preparation and transmittal of the data.
Marketing communications. Effective February 17, 2010, CEs may no longer use PHI to inform an individual about the CE’s own health care products or services without the individual’s written authorization if the CE receives payment from another party for doing so. These marketing communications would be allowed if the communication describes only a drug or biologic that is currently being prescribed for the patient and the payment the CE receives is reasonable; the CE makes the communication itself and obtains a written patient authorization; or a BA of the CE makes the communication, and the communication is consistent with the business associate agreement between the CE and the BA.
Fund-raising communications. Effective February 17, 2010, all fund-raising communications that are considered health care operations must clearly provide individuals with an opportunity to opt out of any future fund-raising solicitations.
Increased monetary penalties. Effective immediately is a new tiered civil monetary penalty (CMP) system that imposes monetary penalties based upon the nature of the improper conduct. In situations where the CE did not know (or by exercising reasonable diligence would not have known) it violated HIPAA, a penalty of $100 per violation, up to $25K per year, for each type of violation is applicable. If the violation is due to “reasonable cause,” the maximum penalty rises to $1K per violation, up to $100K per year. If the violation is due to “willful neglect,” depending on whether or not the violation is corrected, the maximum penalty ranges from $10K to $50K per violation, up to $250,000 to $1.5M per year. Beginning February 17, 2011, HHS is required to impose civil penalties on a CE if the violation is determined to be due to “willful neglect.”
State attorneys general can bring actions. Effective immediately, state attorneys general have the authority to bring civil actions to enforce HIPAA.
Criminal penalties for individuals. Effective immediately is a provision that criminal penalties may be imposed under HIPAA on any individual or entity that wrongly obtains or discloses PHI maintained by a CE. This provision clarifies an ongoing debate as to whether criminal penalties under HIPAA can only be imposed upon a CE.
Authority to audit. Under the HITECH Act, HHS has the authority to audit CEs and BAs to ensure compliance with the privacy portion of the HITECH Act and current HIPAA privacy and security regulations.
To view the HITECH Act in its entirety, please go to: http://snipr.com/fexbr and see Division A, Title XIII and Division B, Title IV.
Conclusion. HIPAA rules, regulations, and standards have and will continue to be a moving target under the direction of the federal government. It is important that your practice’s policies and procedures are periodically reviewed and updated as necessary to reflect these changes. Initial training of new staff members and ongoing retraining of existing staff is required under the HIPAA regulations.
In addition to the resources available on our Web site at www.phyins.com, the Department of Health and Human Services Office for Civil Rights (OCR) is another valuable source of information for meeting the various HIPAA requirements. The OCR Web site is available at http://www.hhs.gov/ocr/privacy. You can find an extensive list of HIPAA-related questions and answers at http://www.hhs.gov/hipaafaq. HIPAA Security Rule information can be found at http://www.cms.hhs.gov/securitystandard/.
We’re here to help you. Contact your Physicians Insurance risk management representative for more information about the new legislation affecting the HIPAA Privacy and Security Rules and Washington State privacy laws. Call our Seattle office at (206) 343-7300 or 1-800-962-1399, or call our Spokane office at (509) 456-5868 or 1-800-962-1398. E-mail our experts at risk@phyins.com.
Sample Job Descriptions – HIPAA Privacy Official and Contact Person and HIPAA Security Official
According to the Privacy Rule, a health care provider must designate a “HIPAA Privacy Official” to assume responsibilities for the development and implementation of policies and procedures to protect the privacy of PHI, and must also designate a contact person or office responsible for receiving complaints under the HIPAA Privacy Regulations and providing further information about matters covered in the Notice of Privacy Practices.[1] The Security Rule requires each health care provider to designate a “HIPAA Security Official” who is responsible for the development of policies and procedures to comply with requirements for the security of electronic protected health information.[2]
HIPAA responsibilities may be incorporated into the job duties of an existing member or members of your staff. For smaller health care providers in particular, it is not necessary to designate an individual whose sole role is HIPAA compliance. The same person may serve as your designated HIPAA Privacy Official and contact person and your designated HIPAA Security Official, or, depending on organizational responsibility for electronic protected health information, it may be more appropriate to have different individuals perform these roles.
The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Privacy Official and contact person:
a. Oversees the development, implementation, and maintenance of appropriate privacy policies and procedures.
(i) Reviews new or revised laws and regulations pertaining to patient privacy to determine if all policies required by law have been developed in writing and if revisions of current policies are needed. Writes or revises policies as necessary.
b. Identifies noncompliance with privacy practices to allow for consistent application of sanctions for failure to comply with privacy policies for all individuals in the organization’s workforce.
c. Establishes and administers a process for receiving, documenting, tracking, investigating, and taking action on all complaints concerning the organization’s privacy policies and procedures in coordination and collaboration with other similar functions and, when necessary, legal counsel.
d. Conducts assessments and internal privacy audits to determine organizational compliance, including reports of compliance activities.
e. Oversees, in cooperation with Security Official, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and retraining of employees when material changes have been made in policies and procedures or when necessary, e.g., retraining.
f. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all privacy concerns and requirements are addressed.
g. Maintains appropriate authorization forms, privacy notices, and other materials reflecting current privacy practices and requirements.
h. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
i. Manages patient requests for amendments and requests for changes to their medical records.
j. Manages the release of patient records in accordance with established policies and procedures.
k. Manages patient requests regarding limiting disclosures to health plans when the patient has paid in full out of pocket for the services that are the subject of the disclosure.
l. Serves as the designated contact person to receive questions, comments, and complaints, and provide resources for patients and staff on the HIPAA privacy regulations.
m. Receives reports of potential breaches of unsecured PHI and works with Security Official to investigate, make determinations, and provide notification if necessary.
While the above job duties may be delegated and shared among employees, it is recommended that duties a, b, and c be assumed by your designated “HIPAA Privacy Official.”
The following are samples of responsibilities for inclusion on the job description for your designated HIPAA Security Official:
a. Performs initial and periodic written risk assessment related to security of electronic protected health information (electronic PHI).
b. Implements, oversees, and monitors risk management measures to address security risks and vulnerabilities identified by risk assessments.
c. Oversees the development, implementation, and maintenance of appropriate systems and/or processes for the security of electronic PHI, including security policies and procedures.
d. Implements measures to protect against reasonably anticipated threats or hazards to security or integrity of electronic PHI and reasonably anticipated unauthorized uses or disclosures.
e. Identifies noncompliance with security policies and procedures to allow for consistent application of sanctions for failure to comply with security policies for all individuals in the organization’s workforce.
f. Establishes and administers a process for regularly reviewing records of computer or information system activity related to electronic PHI, such as audit logs, access reports, and security incident tracking reports.
g. Develops and implements procedures for authorization and supervision of access to electronic PHI by workforce members and termination of access.
h. Develops and implements access authorization policies for stored electronic PHI.
i. Oversees the development, implementation, and maintenance of appropriate security policies and procedures, including those for physical and technical safeguards.
(i) Reviews new or revised laws and regulations pertaining to patient security of electronic PHI to determine if all policies required by law have been developed in writing and if revisions of current policies are needed. Writes or revises policies as necessary.
j. Oversees, in cooperation with Privacy Officer, the development, delivery, and documentation of HIPAA Privacy and Security Rule training and awareness for all staff, including the orientation of new employees and retraining of employees when material changes have been made in policies and procedures or when necessary, e.g., retraining.
k. Participates in the development, implementation, and ongoing compliance monitoring of all business associate agreements, to ensure all security concerns and requirements are addressed.
l. Coordinates visits and cooperates with the Office for Civil Rights, other legal entities, and organization officers in any compliance reviews or investigations.
m. Investigates and resolves security breaches involving electronic PHI, including breaches reported by Business Associates, providing appropriate notifications as required by state and federal law, after consulting as necessary with legal counsel.
n. Receives reports of potential breaches of unsecured PHI and works with Privacy Officer to investigate, make determinations, and provide notification if necessary.
[1] 45 CFR § 164.530(a)(1)
[2] 45 CFR § 164.308(a)(2)
HIPAA Self-Assessment Worksheet
PART 1: Data Gathering
Organization Name: ________________________________
One of the first tasks to becoming HIPAA compliant is to conduct an assessment of your current operations. Part 1 of the HIPAA Self-Assessment Worksheet has been designed to assist you with this process. Attach additional sheets if necessary.
Part 2 of the HIPAA Self-Assessment Worksheet assists you in identifying additional issues and analyzing the data you collect.
Keeping a record of your work is documentation of your compliance efforts and could be used to defend your actions in the event of a claim, complaint investigation, or survey by the Office for Civil Rights (OCR), etc. Part 3 of the HIPAA Self-Assessment Worksheet assists you in this effort.
It is recommended that these items be kept in a binder or folder with tabs to indicate the various sections.
SECTION 1: Administration
Section 1 of your compliance records should include the following:
• The minutes of all meetings of your HIPAA compliance group, if applicable,
• Any administrative memos or notes relevant to your HIPAA compliance project, and
• Any budget information relevant to your HIPAA compliance project.
1. Individual in charge of HIPAA compliance:
Name ______________________________________________
Contact information ______________________________________________
2. Other individuals in your HIPAA compliance work group:
a. Name ______________________________________________
Contact information ______________________________________________
b. Name ______________________________________________
Contact information ______________________________________________
3. Compliance record keeper: ______________________________________________
4. Compliance budget: ______________________________________________
5. Meeting schedule: ______________________________________________
6. Meeting location(s): ______________________________________________
SECTION 2: Record Keeping
Section 2 of your files should include all information and materials relevant to the locations where patient information is kept.
7. How are paper medical records kept? (Note all that apply.)
a. Open shelves accessible to all: ______________________
b. Open shelves accessible to staff only: ______________________
c. Open shelves in locked room: ______________________
d. Filing cabinets with no locks: ______________________
e. Shelves/filing cabinets with locks: ______________________
f. Off-site storage, no security: ______________________
g. Off-site secure storage: ______________________
h. On a separate sheet, list all sites where paper medical records are kept.
8. How are paper claims and billing information kept? (Note all that apply.)
a. Open shelves accessible to all: ______________________
b. Open shelves accessible to staff only: ______________________
c. Open shelves in locked room: ______________________
d. Filing cabinets with no locks: ______________________
e. Shelves/filing cabinets with locks: ______________________
f. Off-site storage, no security: ______________________
g. Off-site secure storage: ______________________
h. On a separate sheet, list all sites where paper claims or billing information are kept.
9. How is other patient information on paper kept? (Note all that apply.)
a. Open shelves accessible to all: ______________________
b. Open shelves accessible to staff only: ______________________
c. Open shelves in locked room: ______________________
d. Filing cabinets with no locks: ______________________
e. Shelves/filing cabinets with locks: ______________________
f. Off-site storage, no security: ______________________
g. Off-site secure storage: ______________________
h. On a separate sheet, list all sites where other patient information on paper is kept.
10. How is patient information kept? (Note all that apply.)
a. Not applicable: ______________________
b. Personal computer(s), no network connections: ______________________
c. Personal computers, internal network: ______________________
d. Personal computers, Internet connection: ______________________
e. Off-site personal computers/laptops permitted remote access (dial-in, Internet, etc.): ______________________
f. CDs/DVDs/backup tapes: ______________________
g. Handheld devices (BlackBerry, iPhone, etc.): ______________________
h. On a separate sheet, list all equipment on which patient information is kept in electronic form.
i. Microfilm/microfiche: ______________________
j. Videotape: ______________________
k. Other form(s) of media: ______________________
11. How is access to patient information controlled?
Be prepared to document policies related to administrative restrictions, physical access, and electronic access (e.g., log-ons, passwords, authentication, automatic time-outs) to equipment and systems containing patient information.
12. Copy and attach all policies concerning:
a. Access to files containing patient information
b. Access to rooms, shelves, and filing cabinets where patient records are kept
c. Access to or use of electronic equipment on which patient information is stored
SECTION 3: Personnel/Workforce
Section 3 should include all information and materials relevant to those individuals in your organization who are allowed to have access to, use, or disclose patient information. You should include not only employees, but also trainees and volunteers who are under your organization’s control.
13. List all individuals who work in your organization. For each individual, state:
a. Job title and description
b. Whether he/she is permitted access to:
I. Patient clinical information
II. Patient billing and claims information
III. Other patient information
c. Whether he/she has signed a confidentiality agreement
d. Whether his/her employment agreement has confidentiality provisions
14. Copy and attach all policies concerning:
a. Confidentiality of and access to patient information
b. Use and disclosure of patient information by staff
c. Disciplinary procedures for breach of patient confidentiality
SECTION 4: Patient Relations
Section 4 should contain all relevant materials concerning the way your organization permits patients to have access to, copy, or otherwise exercise some degree of control over the records that pertain to them.
15. Copy and attach all forms, notices, and other material you give patients that affect the use or disclosure of patient health information:
a. Standard or customary patient release of information forms
b. Any notice of information or privacy practices published or available to patients
c. Any patient brochures you may distribute related to records access
d. Any “patients’ rights” notices you may provide
e. Consents
16. Copy and attach all policies concerning:
a. Patient review and copying of records
b. Patient requests to amend records
c. Accounting to patients for disclosures of patient information
d. Use or disclosure of patient information for marketing or general contact purposes
17. List all individuals and organizations to which you regularly disclose:
a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information
SECTION 5: Business Associates
Section 5 should include an inventory of the individuals and organizations with which you exchange, from which you receive, or to which you disclose patient information, not including the patients themselves. You should include copies of all your existing contracts or agreements with such individuals or organizations.
18. List all individuals and organizations with which you exchange:
a. Patient clinical information
b. Patient billings and/or claims information
c. Any other patient information
19. Attach copies of all contracts or agreements currently in effect with individuals and organizations to or from which you regularly disclose or receive patient information.
CHOICE HIPAA Consultation Pilot – Initial Task List
© 2002 CHOICE Regional Health Network – Consent to reproduce for non-profit distribution
This information is intended as advisory in nature and should not be considered as legal advice nor is it a substitute for legal advice. This information does not constitute technical information system/security advice. It is designed to assist you in your own risk management activities. It is not intended to be exclusively relied upon or used as a substitute for your own loss-control program. Accuracy and completeness are not guaranteed.
HIPAA Self-Assessment Worksheet
Part 2: Analyze the Data
Parts 1 and 2 of the HIPAA Self-Assessment Worksheet were created to help you identify areas where action might be needed to comply with HIPAA. The questions in this document may help you further analyze the data collected in Part 1.
DATE COMPLETED: ______________________________
COMPLETED BY: ______________________________
YES NO COMMENTS
1) Steps have been taken to minimize the likelihood that patients and visitors can easily see or access computer screens/monitors and other records containing PHI. For example:
Computer screens time out.
Files are put away or turned over to avoid easy viewing.
PDAs (hand-held computer devices) are kept in a secure manner by the authorized individual.
Records, including CDs and DVDs, are stored in a secure manner.
Other: ______________________________
2) Medical, financial, and other records containing PHI are secure and accessible only to those people employed by or doing work on behalf of the practice that have a legitimate—job-related—need to know; e.g., maintained in locked file cabinets or locked medical record rooms.
3) Computers are password protected—each user has a unique identifier—and passwords are changed on a regular basis.
4) Access controls (e.g., passwords, computer accounts, combinations, keys) to computers, filing cabinets, and the building are terminated or changed when employees or contract workers end their relationship with the practice.
5) Electronic equipment and other records containing PHI are stored in a secure location to prevent theft or vandalism—using both physical security (e.g., alarms and locks) and electronic security (access controls, firewalls, and virus checks, all for which you should consider seeking technical expertise).
6) Documents or records that contain patients’ personal, financial, and health information—and are no longer needed—are destroyed.
Shredded or incinerated.
Information is kept showing how, why, and by whom medical records were destroyed.
Medical records are retained at least:
• 6 years from the date of the patient’s death.
• 10 years from the date of the patient’s last medical service.
• 21 years from the date of a child’s birth for pediatric records and for the obstetric patient’s prenatal records, or 10 years after the minor patient’s last medical service, whichever period is longer.
Patient management systems data (financial, etc.) is retained for 10 years.
Prior to sale or disposal of computer equipment that stores PHI, the hardware is completely erased by reformatting the hard drive. (Technical knowledge needed.)
7) Computer systems containing PHI have systems to protect data integrity and to prevent data loss, for example:
Backup systems are used to prevent loss of data due to power outage, hackers, etc.
Audit trail systems are periodically audited.
8) Procedures address handling of medical, financial, or other records containing PHI—for example:
Original records are handled correctly (e.g., not removed from premises and charted appropriately, including corrections).
Patient requests for copying of and amendment to records are handled correctly.
Patient requests for an accounting of disclosures of PHI are handled quickly and correctly.
Message boards, daily patient schedules, etc., that allow viewing of patient financial or health information are maintained in areas restricted to employees who have a legitimate job-related need to know.
Measures are taken to ensure that conversations held with patients concerning financial and health information maintain privacy. For example:
• Exam room doors are closed.
• Background music is used in waiting/reception areas to minimize the likelihood of overhearing PHI.
• Solid core doors are used to minimize sound travel.
• Phone messages are listened to in private.
Steps are taken to reduce the likelihood that facsimile transmissions may be sent to an incorrect telephone number. For example:
• Confidential disclaimer is utilized on facsimile or electronic transmission.
• Transmissions are limited to urgent/emergent needs to transmit private health information.
• Infrequently used fax numbers are verified prior to transmission.
Cell phone conversations about patients that require the release of Individually Identifiable Health Information are conducted only to ensure continuity of care.
Steps are taken to protect the privacy and security of information, if e-mail or another electronic form of communication is used to communicate personal health information.
9) Staff—including volunteers—are trained in privacy and in maintaining the security of health information. Education is documented and includes:
Appropriate handling of personal health information, including specific policies.
Use of discretion when discussing personal health information within hearing of others.
Use of discretion when leaving telephone and electronic messages for patients.
Software password-security procedures.
Signed confidentiality statements.
Staff accountability for following procedures and applicable laws to protect privacy and security of PHI.
10) Criminal security/background checks are conducted prior to hiring employees.
11) Board members understand, and are trained in, maintaining the privacy and security of any PHI that they may have a legitimate need to know. And, they:
12) Policies address appropriate handling of patient concerns—including concerns related to the privacy and security of PHI.
13) Forms and documents that affect the use and disclosure of patient health information (e.g., IRB authorization) have been identified, reviewed for compliance with HIPAA, and modified as needed. Using the following list of forms, determine which forms you currently use that you will no longer need.
a. Employee Confidentiality and HIPAA Training Acknowledgment Statement
b. Revocation of Authorization to Use or Disclose Protected Health Information
c. Request to Correct or Amend Protected Health Information
d. Authorization to Use or Disclose Protected Health Information
e. Notice of Privacy Practices
Assess the remaining forms for HIPAA compliance.
14) Business associates are expected to use reasonable measures to handle PHI in a private and secure manner. If written agreements exist, consult legal counsel to ensure HIPAA provisions are met. If written agreements do not exist, work with legal counsel to draft “Business Associate Agreements” required by HIPAA. Business associates, as appropriate, are educated about pertinent practices/policies pertaining to privacy and security when they have reason to perform any job-related functions on premises.
15) List other areas pertaining to your operations affected by HIPAA and not listed in this document.
a. ______________________________
b. ______________________________
c. ______________________________
If you responded with a “NO” to any item, further action may be necessary to provide reasonable protection for PHI.
HIPAA Self-Assessment Worksheet
Part 3: Action Plan
Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.
Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.
ISSUE | ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs) | REASON FOR DECISION (Check all that apply) | FOLLOW-UP | RESPONSIBLE PARTY
Each of the three blank rows of the form contains the following fields:
Action plan: System/equipment change. New policy/policy change. New form/form change. Job description change. Education. Facility upgrade. Other: ______________________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: ______________________. Other: ______________________.
Follow-up: Date Completed: ____/____/____. Monitor. Budget for: _______________ in _______________ (budget year).
Responsible party: ______________________
HIPAA Self-Assessment Worksheet
Part 3: Action Plan
Using Parts 1 and 2 of the HIPAA Self-Assessment Worksheet, identify each issue that might require further action to comply with HIPAA.
Then use this or a similar form to develop an action plan by documenting each issue, its action plan, the reason for your decision, your follow-up, and the responsible individual.
ISSUE | ACTION PLAN (Circle all changes that you plan to implement, and attach estimated costs) | REASON FOR DECISION (Check all that apply) | FOLLOW-UP | RESPONSIBLE PARTY
1.) Information overheard in waiting room
Action plan: System/equipment change: background music - stereo system. New policy/policy change. New form/form change. Job description change. Education: completed 9/1/09. Facility upgrade. Other: __________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: Upgrade on hold - budget. Other: __________.
Follow-up: Date Completed: ____/____/____. Monitor. Budget for: $2000.00 stereo in 2010 (budget year).
Responsible party: Cathy
2.) Disposal of confidential information
Action plan: System/equipment change. New policy/policy change. New form/form change. Job description change. Education: scheduled 10/1/09. Facility upgrade. Other: __________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: __________. Other: __________.
Follow-up: Date Completed: 10/1/09. Monitor. Budget for: __________ in __________ (budget year).
Responsible party: Pat
3.) Sensitive information discussed on phone – possibility of being overheard
Action plan: System/equipment change (see issue #1 action plan). New policy/policy change. New form/form change. Job description change. Education: completed 8/1/09. Facility upgrade. Other: __________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: Upgrade on hold - budget. Other: __________.
Follow-up: Date Completed: ____/____/____. Monitor. Budget for: $2000.00 stereo in 2010 (budget year).
Responsible party: Cathy
4.) PHI left on the counter – accessible to unauthorized persons
Action plan: System/equipment change. New policy/policy change. New form/form change. Job description change. Education: move information to restricted area ASAP. Facility upgrade. Other: __________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: __________. Other: __________.
Follow-up: Date Completed: 10/1/09. Monitor. Budget for: __________ in __________ (budget year).
Responsible party: Kathy
5.) Files with PHI accessible to unauthorized persons
Action plan: System/equipment change. New policy/policy change. New form/form change. Job description change. Education. Facility upgrade. Other: __________.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: __________. Other: __________.
Follow-up: Date Completed: 10/1/09. Monitor. Budget for: __________ in __________ (budget year).
Responsible party: Dave
6.) a) Computer screens visible to patients; b) patients may access network
Action plan: System/equipment change: program for passwords and add screen savers. New policy/policy change. New form/form change. Job description change. Education: of policy changes. Facility upgrade. Other: assess computer system - possible upgrade.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: assessment of computer on hold due to budget. Other: __________.
Follow-up: Date Completed: ____/____/____. Monitor. Budget for: assessment upgrade in 2010 (budget year).
Responsible party: Kim
7.) Need business associate agreements:
• Transcription
• Accountant
• Collection agency
Action plan: System/equipment change. New policy/policy change. New form/form change. Job description change. Education. Facility upgrade. Other: obtain sample business assoc. agreements.
Reason for decision: Options selected provide reasonable protections of PHI. Options not feasible at this time: __________. Other: __________.
Follow-up: Date Completed: ____/____/____. Monitor. Budget for: legal review in 2010 (budget year).
Responsible party: Dennis
(Two further rows of the form are blank.)
Identifying Your Business Associates
The HIPAA Privacy regulation allows you to share patient information with your Business Associates in order to conduct health care operations, but only if you have a Business Associate Agreement with them. The regulation defines Business Associates as persons outside of your workforce who:
• On your behalf, perform or assist in the performance of a function or activity involving the use or disclosure of individually identifiable health information (e.g., claims processing, data analysis, quality assurance, billing, practice management); or
• Provide legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services, where the service involves the disclosure of individually identifiable health information.
Some examples of your Business Associates may be:
• Accountants
• Attorneys
• Billing companies
• Clearinghouses
• Consultants
• Collection agencies
• Transcription services
• Data analysis or aggregation services
• Information technology service providers
• Temporary staffing agencies
• Copy services
• Document storage and destruction vendors
• Professional liability insurers
• Insurance agents and brokers
• Health Information Exchanges (“HIEs”)
• Regional Health Information Organizations (“RHIOs”)
• E-prescribing Gateways
• Vendors that allow you to offer a personal health record to patients as part of your electronic health record
This list is not exhaustive. Think broadly when you are identifying your Business Associates. Ask yourself:
• Who are your Business Associates?
• What function do they serve?
• What information is disclosed to them?
• Do you currently have some form of contract with them?
• If so, when is the contract due to be renewed or renegotiated?
The sample form, Business Associate Agreement Checklist, will help you identify what needs to be included in your Business Associate Agreement.
Effective February 17, 2010, as a result of the ARRA, Business Associates will become accountable to the federal and state authorities for failure to comply with the Privacy Rule provisions applicable to them by their Business Associate Agreements and will be required to directly comply with most provisions of the HIPAA Security Rule, including compliance with administrative safeguards, technical safeguards, physical safeguards, and policies, procedures, and documentation requirements applicable to Covered Entities. This means that Business Associates will be required to undertake a security risk analysis, appoint a security official, and maintain written security policies and procedures, as well as comply with other requirements of the HIPAA Security Rule. The Secretary of Health and Human Services is required to
Business Associate Agreement Checklist
HIPAA Privacy and Security regulations establish the following requirements for the Business Associate Agreement:
Business Associate Agreement must:
Be in writing.
State permitted and required uses and disclosures.
Prohibit uses and disclosures not allowed in the Business Associate Agreement or by law or that would be a violation of the Privacy Regulations if done by the Covered Entity (CE).
Require Business Associate (BA) to use appropriate safeguards to prevent any unauthorized use or disclosure.
Require BA to report to the CE any unauthorized use or disclosure of which BA becomes aware.
Require that any agents, including a subcontractor, to whom BA provides protected health information received from the CE, or created or received by BA on behalf of the CE, agree to the same restrictions and conditions that apply to the BA with respect to such protected health information unless disclosures are required by law or unless disclosures are for BA’s proper management or administration and BA obtains the “reasonable assurances” described below from such downstream user.
Require BA to make available protected health information to the Individual in the Designated Record Set in accordance with 45 C.F.R. §164.524. (While these provisions must be in the Business Associate Agreement, actual access is not required if Business Associate does not possess protected health information in the original Designated Record Set.)
Require BA to make available and to incorporate any amendment to protected health information in the Designated Record Set in accordance with 45 C.F.R. §164.526. (While these provisions must be in the Business Associate Agreement, actual amendment is not required if Business Associate does not possess protected health information in the original Designated Record Set.)
When requested by CE, require BA to make available to CE the information required to allow the CE to provide an accounting of disclosures in accordance with 45 C.F.R. §164.528.
Require BA to make its internal practices, books, and records available to the Department of Health and Human Services Office for Civil Rights for purposes of determining the CE’s compliance with the Privacy Rule to the extent related to the uses and disclosure of protected health information received from, or created or received by, the BA on behalf of the CE.
Require return or destruction of protected health information at end of contract, if feasible; but, if return or destruction is not feasible, extend the protection of the Business Associate Agreement to the information and limit further uses and disclosures to the purposes listed in the Business Associate Agreement.
Authorize termination of Agreement if BA violates material term of Business Associate Agreement.
Require BA to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
Require BA to report any security incident of which it becomes aware.
Require BA to ensure that any agent or subcontractor implement reasonable and appropriate safeguards to protect electronic PHI.
(Provisions for compliance with the HITECH Act of the ARRA after February 17, 2010)
Require BA to comply with the requirements of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §§17921-17954 and regulations issued by the Department of Health and Human Services to implement these statutes as of the date by which business associates are required to comply.
Require BA to comply with Section 13402 of Title XII, Subtitle D of the Health Information Technology for Economic and Clinical Health (HITECH) Act, codified at 42 U.S.C. §17932 and regulations issued by the Department of Health and Human Services to implement this statute as of the date by which business associates are required to comply by, among other things, reporting to CE within five business days of BA’s discovery of any breach[1] of unsecured protected health information.[2]
Require BA to indemnify CE for any reasonable expenses CE incurs in notifying individuals of a breach of unsecured protected health information caused by BA or its subcontractors or agents.
Optional terms
The Business Associate Agreement may permit the BA to use PHI for the proper management and administration of the BA or to carry out its legal responsibilities.
The Business Associate Agreement may permit the BA to disclose protected health information if needed for the proper management and administration of the BA or to carry out the legal responsibilities of the BA if:
1. The disclosure is required by law or
2. The BA obtains reasonable assurances from the person to whom PHI is disclosed that the PHI will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person, and the person agrees to notify the BA of any instances of which it is aware in which the confidentiality of the PHI has been breached.
The Business Associate Agreement may allow BA to provide Data Aggregation Services relating to CE’s health care operations.
The Business Associate Agreement may include defined terms by either referencing the Privacy Rule or including examples of specific definitions. If specific definitions are included, the Business Associate Agreement may define: Protected Health Information; Electronic Protected Health Information; Designated Record Set; De-identify; and Security Rule.