HIPAA for business associates (simple)

Presentation designed to explain to Business Associates the basics of HIPAA, with real-life examples of cases that failed to implement and follow HIPAA requirements on a timely basis.
  1. HIPAA for Subcontractors and Business Associates
     Dr. Jose I. Delgado
  2. HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
     • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
     • OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
     https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf (PDF)
  3. $750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements
     • Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning PHI over to a potential business partner.
     • The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
     http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html
     “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
  4. Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
     • Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device.
     • CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
     “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
     https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
  5. What is HIPAA?
     HIPAA is a federal law that:
     • Provides Portability: protects and guarantees health insurance coverage when an employee changes jobs
     • Provides Accountability: protects health data integrity, confidentiality, and availability
     • Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment, and others) and identifiers
       • Standard medical codes (e.g., ICD-9, CPT-4, ICD-10)
     • Sets National Standards for the Protection of Health Information
       • Privacy (operational, consumer control, administration)
       • Security (administrative, physical, technical, network)
  6. HIPAA: Health Insurance Portability and Accountability Act of 1996
     • Title I: Health Care Access, Portability and Renewability
     • Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
       • Electronic Data Interchange: Transactions, Identifiers, Code Sets
       • Privacy
       • Security: Security Standards (General Rules), Administrative Standards, Technical Standards, Physical Standards, Organizational Requirements, Policies and Procedures and Documentation Requirements
     • Title III: Tax Related Health Provision
     • Title IV: Group Health Plan Requirements
     • Title V: Revenue Offsets
  7. HIPAA Specifics
     • Title One: "Health care access, portability and renewability." Employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions.
     • Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform." Defines new requirements for privacy and security of individually identifiable patient information.
       • Electronic health transaction standards and code sets: the implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems
       • Unique Identifiers: a system that uses one identification number per employer, health plan or payer and health care provider to simplify administration
       • Security: safeguarding the storage of, access to and transmission of electronic patient information
       • Privacy: generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records.
     • Title Three: "Tax-related health provisions." Standardizes the amount you can save per person in a pre-tax medical savings account.
     • Title Four: "Application and enforcement of group health plan requirements." Broadens information on insurance reform provisions and provides detailed explanations.
     • Title Five: "Revenue offsets." Regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
  8. Title II
     • Administrative Simplification
       • Electronic Data Interchange
       • Privacy
       • Security: Administrative Safeguards, Physical Safeguards, Technical Safeguards
     • Preventing Health Care Fraud and Abuse
     • Medical Liability Reform
  9. HIPAA Intersections
     There are several similarities between Privacy and Security.
     • Privacy
       • Security Awareness & Training
       • Business Associate Contracts
       • Privacy Officers for All Entities
       • Multi-disciplinary Work Groups
     • Security
       • Security Awareness & Training
       • Business Associate Contracts
       • Security Liaisons for All Entities
       • Multi-disciplinary Work Groups
  11. 11. Key Elements • Covered Entity. Refers to a health care provider, health plan and/or a healthcare clearinghouse who transmits health information in electronic format in connection with a transaction covered under HIPAA. • Health information. Refers to any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual. • Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual. • Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media. • Business Associate. Refers to an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.
  12. 12. Key Concepts • Uses and Disclosures. Refers to appropriate uses of PHI and the conditions on how to authorize disclosures. • Individual Rights. Refers to specific legal and enforceable rights related to individuals’ information. • Compliance and Enforcement. Refers to the requirement to comply from Covered Entities and Business Associate as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009. • “More stringent”. Refers that HIPAA supersedes State Legislations unless state privacy protections are more stringent than HIPAA. Example of more stringent laws cover: • Mental Health • HIV Protection • Substance Abuse
  13. 13. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Part of the Affordable Care Act which was signed in 2009 • 22 billion dollars allocated to the promotion of EHRs • Mandatory penalties imposed for "willful neglect" • Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million • HIPAA's civil and criminal penalties now extend to business associates • Allows state attorney general to bring legal action on behalf of his/her residents • HHS required to conduct periodic audits of covered entities and business associates
  14. HITECH Act Business Associate Requirements
     • Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity;
     • Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule;
     • Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule;
     • Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS");
     • Notify Covered Entities of any breach of "unsecured PHI".
  15. Omnibus Rule
     • Broadens the definition of Business Associate
       • Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involve Individually Identifiable Health Information
     • Applies to subcontractors irrespective of how far downstream the subcontractor is
     • Clarifies which requirements and liabilities pertain to business associates
     • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules
  16. Translation of Rule to Business Associates
     • Entity is liable for the acts or omissions of its Subcontractor
     • The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity
     • Entity can be penalized for its agent’s violations
     • Knowledge of a breach or other violation will be imputed to the principal
     • Federal common law of Agency will govern whether an agency relationship exists between the parties, regardless of what the contract actually says
  17. Sample of Responsibilities
     • BAs must comply with the HIPAA Security Rule’s requirements and implement policies and procedures in the same manner as a Covered Entity
     • Requires BAs to implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (most BA Agreements require this by contract)
     • Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the definition of Business Associate
     • Obtain assurances from subcontractors or terminate the relationship
     • BAs must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling
     • BAs must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations and guidance
     • Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis
  18. Examples of Business Associates
     • IT Support Vendor
     • Email encryption Provider
     • File sharing vendors
     • Information Technology vendors
     • Cloud vendors
     • Backup Storage
     • Medical equipment service companies handling equipment that holds PHI
     • Billing Companies
     • Translator services
     • Dictation services
     • Lawyers
     • Shredding services
     • Accounting or consulting firms
     • Consultants hired to conduct audits, perform coding reviews, etc.
  19. Security Risk Analysis (SRA)
     • Information security risk assessment is an on-going process of discovering, correcting and preventing security problems.
     “Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)).”
     https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
  20. Security Risk Analysis (sample topics)
     • Administration
       • Agreements
       • Policies
       • Job Descriptions
       • Training
     • Physical
       • Assess
       • Disaster Preparedness
     • Technical
       • Inventory - Resources
       • Security (Firewalls, patches, antimalware)
  21. FAQs
     Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
     Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).
     https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business-associates-self-certify/index.html
  22. Summary
     • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well.
     • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
     • Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
  23. Questions or Additional Information
     Taino Consultants Inc., DrDelgado@TainoConsultants.com
     Mr. Ray Walters, Walters.R@epicompliance.com
  24. References
     • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
     • http://searchsecurity.techtarget.com/definition/business-associate
     • https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
     • https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
     • https://www.imagineiti.com/hipaa-compliance/business-associates/
     • https://www.cdc.gov/phlp/publications/topic/hipaa.html