SlideShare a Scribd company logo
1 of 24
HIPAA for
Subcontractors
and Business
Associates
Dr. Jose I. Delgado
HIPAA Business Associate Pays $2.3 Million to
Settle Breach Affecting Protected Health
Information of Over 6 million Individuals
• CHSPSC provides a variety of business associate services, including IT
and health information management, to hospitals and physician clinics
indirectly owned by Community Health Systems, Inc., in Franklin,
Tennessee.
• OCR ‘s investigation found longstanding, systemic noncompliance with the
HIPAA Security Rule including failure to conduct a risk analysis, and
failures to implement information system activity review, security incident
procedures, and access controls.
https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf - PDF.
$750,000 settlement highlights the need for
HIPAA business associate agreements
• Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a
business associate agreement prior to turning PHI to a potential business partner.
• The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-
clinic/index.html
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere
check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health
and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom
they are handing PHI and to obtain assurances that the information will be protected.”
Business Associate’s Failure to Safeguard
Nursing Home Residents’ PHI Leads to
$650,000 HIPAA Settlement
• Catholic Health Care Services (CHCS) has agreed to settle
potential HIPAA violations after the theft of a CHCS mobile
device.
• CHCS provided management and information technology
services as a business associate to six skilled nursing facilities.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic
protected health information they create, receive, maintain, or transmit from covered entities,” said
U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn
Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan,
which are the cornerstones of the HIPAA Security Rule.”
https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
What is HIPAA?
Is a federal law that:
• Provides Portability: Protects and guarantees health insurance coverage when an employee
changes jobs
• Provides Accountability: Protects health data integrity, confidentiality, and availability
• Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment,
and others) and identifiers
• Standard medical codes (e.g., ICD-9, CPT-4,ICD-10)
• Sets National Standards for the Protection of Health Information
• Privacy (operational, consumer control, administration)
• Security (administrative, physical, technical, network)
HIPAA
Health Insurance Portability and Accountability Act of 1996
Title I
Health Care Access,
Portability and
Renewability
Title II
Preventing Health
Care Fraud and
Abuse
Medical Liability
Reform
Administrative
Simplification
Electronic Data
Interchange
Transactions Identifiers Code Sets
Privacy
Security
Security Standards: General Rules
Administrative Standards
Technical Standards
Physical Standards
Organizational Requirements
Policies and Procedures and Documentation
Requirements
Title III
Tax Related Health
Provision
Title IV
Group Health Plan
Requirements
Title V
Revenue Offsets
HIPAA Specifics
• Title One: "Health care access, portability and renewability," employers and health plans must allow a new employee's medical insurance coverage to
remain continuous without regard to pre-existing conditions.
• Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform" defines new requirements for privacy and
security of individually identifiable patient information.
• Electronic health transaction standards and code sets - The implementation of a national standard for transmitting health data electronically and
using standard code sets to describe diseases, injuries and other health problems
• Unique Identifiers - A system that uses one identification number per employer, health plan or payer and health care provider to simplify
administration
• Security - Safeguarding the storage of, access to and transmission of electronic patient information
• Privacy - Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to
see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records.
• Title Three: "Tax-related health provisions" standardizes the amount you can save per person in a pre-tax medical savings account.
• Title Four: "Application and enforcement of group health plan requirements" broadened information on insurance reform provisions and provide detailed
explanations.
• Title Five: "Revenue offsets" are regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
Title II
Administrative
Simplification
Electronic Data
Interchange
Privacy Security
Administrative
Safeguards
Physical
Safeguards
Technical
Safeguards
Preventing
Health Care
Fraud and Abuse
Medical Liability
Reform
HIPAA Intersections
There are several similarities between Privacy and Security
Privacy  Security
Security Awareness & Training
Business Associate Contracts
Privacy Officers for All Entities
Multi-disciplinary Work Groups.
Security Awareness & Training
Business Associate Contracts
Security Liaisons for All Entities
Multi-disciplinary Work Groups
Privacy vs
Security
• Privacy. Protects the rights of individual and
their information in any medium.
• Security. Protects electronic information.
Specifies Standards that must be met based on
three basic areas:
• Administrative
• Physical
• Technical
Key Elements
• Covered Entity. Refers to a health care provider, health plan and/or a healthcare
clearinghouse who transmits health information in electronic format in connection with a
transaction covered under HIPAA.
• Health information. Refers to any information, oral or recorded, that is created or received
by a Covered Entity and relates to the provision of health care to an individual.
• Protected Health Information (PHI). Individually identifiable health information related to
the provision of care to an individual.
• Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or
stored in electronic media.
• Business Associate. Refers to an individual or organization that creates, receives,
maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business
Associate.
Key Concepts
• Uses and Disclosures. Refers to appropriate uses of PHI and the conditions on how
to authorize disclosures.
• Individual Rights. Refers to specific legal and enforceable rights related to
individuals’ information.
• Compliance and Enforcement. Refers to the requirement to comply from Covered
Entities and Business Associate as of April 20, 2005. The Office for Civil Rights (OCR)
became responsible for enforcing the Security Rule as of July 27, 2009.
• “More stringent”. Refers that HIPAA supersedes State Legislations unless state
privacy protections are more stringent than HIPAA. Example of more stringent laws
cover:
• Mental Health
• HIV Protection
• Substance Abuse
The Health Information Technology for Economic
and Clinical Health Act (HITECH Act)
• Places all of the Security Rule burdens of HIPAA on Business Associates and some of the
Privacy Rule burdens as well.
• Part of the Affordable Care Act which was signed in 2009
• 22 billion dollars allocated to the promotion of EHRs
• Mandatory penalties imposed for "willful neglect"
• Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected
violations extending up to $1.5 million
• HIPAA's civil and criminal penalties now extend to business associates
• Allows state attorney general to bring legal action on behalf of his/her residents
• HHS required to conduct periodic audits of covered entities and business associates
HITECH Act
Business Associate Requirements
• Comply with the administrative, physical, and technical safeguards for electronic PHI under the
HIPAA Security Rule in the same manner as a Covered Entity;
• Develop and establish a written data security program for electronic PHI that complies with the
HIPAA Security Rule;
• Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the
HIPAA Privacy Rule;
• Follow restrictions on marketing communications and mandatory compliance audits by the
Department of Health and Human Services ("HHS");
• Notify Covered Entities of any breach of "unsecured PHI“.
Omnibus Rule
• Broadens the definition of Business Associate
• Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or
provides services to, a Covered Entity that involves Individually Identifiable Health Information
• Applies to subcontractors irrespective of how far downstream the subcontractor is,
• Clarifies which requirements and liabilities pertain to business associates,
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security,
or Breach Notification Rules.
Translation of Rule to Business Associates
• Entity is liable for the acts or omissions of its Subcontractor
• The reach of this designation will apply to subcontractors irrespective
of how far downstream the subcontractor is, contractually, from the
covered entity.
• Entity can be penalized for its agent’s violations
• Knowledge of a breach or other violation will be imputed to the principal
• Federal common law of Agency will govern whether an agency relationship
exists between the parties - regardless of what the contract actually says
Sample of Responsibilities
• BAs to comply with the HIPAA Security Rule’s requirements and implement policies and procedures in
the same manner as a Covered Entity
• Requires BA to implement administrative, physical, and technical safeguards in compliance with HIPAA
Security Rule (most BA Agreements require this by contract)
• Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the
requirements of Business Associate.
• Obtain assurances from subcontractors or terminate the relationship.
• BA must also implement Breach Notification Policies and Procedures, Workforce Training, and
associated documentation of Incident Handling
• BAs must conduct risk assessment and be more proactive and diligent to monitor new rules,
regulations and guidance
• Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis.
Examples of
Business
Associates
• IT Support Vendor
• Email encryption Provider
• File sharing vendors
• Information Technology
vendors
• Cloud vendors
• Backup Storage
• Medical equipment service
companies handling
equipment that holds PHI
• Billing Companies
• Translator services
• Dictation services
• Lawyers
• Shredding services
• Accounting or consulting
firms
• Consultants hired to conduct
audits, perform coding
reviews, etc.
Security Risk Analysis (SRA)
• Information security risk assessment is an on-going process of discovering, correcting and
preventing security problems.
“Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of
the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic
protected health information (ePHI) held by the covered entity or business associate. Once you
have completed the risk analysis, you must take any additional “reasonable and appropriate”
steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). “
https://www.cms.gov/Regulations-and-
Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
Security Risk Analysis (sample topics)
• Administration
• Agreements
• Policies
• Job Descriptions
• Training
• Physical
• Assess
• Disaster Preparedness
• Technical
• Inventory - Resources
• Security (Firewalls, patches, antimalware)
FAQs
Instead of entering into a contract, can business associates self-certify
or be certified by a third party as compliant with the HIPAA Privacy
Rule?
Answer: No. A covered entity is required to enter into a contract or
other written arrangement with a business associate that meets the
requirements at 45 CFR 164.504(e).
https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business-
associates-self-certify/index.html
Summary
• Places all of the Security Rule burdens of
HIPAA on Business Associates and some
of the Privacy Rule burdens as well.
• Business Associates can be subject to civil
or criminal penalties for violations of the
Privacy, Security, or Breach
Notification Rules.
• Covered Entities must have a signed
Business Associate Agreement
(BAA) with any Business
Associate (BA) they hire that
may come in contact with PHI.
Questions or Additional Information
Taino Consultants Inc.
DrDelgado@TainoConsultants.com
Mr. Ray Walters
Walters.R@epicompliance.com
References
• https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-
associates/index.html
• http://searchsecurity.techtarget.com/definition/business-associate
• https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-
regulations-affect-business-associates
• https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-
associate-agreement-provisions/index.html
• https://www.imagineiti.com/hipaa-compliance/business-associates/
• https://www.cdc.gov/phlp/publications/topic/hipaa.html

More Related Content

What's hot

HIPAA in 2023: Changes, Updates, and Best Practices
HIPAA in 2023: Changes, Updates, and Best PracticesHIPAA in 2023: Changes, Updates, and Best Practices
HIPAA in 2023: Changes, Updates, and Best PracticesConference Panel
 
Data protection and privacy
Data protection and privacyData protection and privacy
Data protection and privacyhimanshu jain
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowCompliancy Group
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxNargis Parveen
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA BasicsKarna *
 
Complete telehealth project
Complete telehealth projectComplete telehealth project
Complete telehealth projectShanaJo
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA ComplianceCBIZ, Inc.
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYmariaradziminski
 
Telemedicine
TelemedicineTelemedicine
TelemedicineRajani17
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)Sanjeev Bharwan
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data SecurityWilmerHale
 
Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and HealthcareJonathon Coulter
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHarshit Trivedi
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA TrainingJonathan Montes
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareDoug Copley
 

What's hot (20)

Hippa 2021
Hippa 2021Hippa 2021
Hippa 2021
 
HIPAA in 2023: Changes, Updates, and Best Practices
HIPAA in 2023: Changes, Updates, and Best PracticesHIPAA in 2023: Changes, Updates, and Best Practices
HIPAA in 2023: Changes, Updates, and Best Practices
 
Data protection and privacy
Data protection and privacyData protection and privacy
Data protection and privacy
 
HIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to knowHIPAA 101- What all Doctors NEED to know
HIPAA 101- What all Doctors NEED to know
 
Chapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptxChapter1 Cyber security Law & policy.pptx
Chapter1 Cyber security Law & policy.pptx
 
HIPAA & PHI Training
HIPAA & PHI TrainingHIPAA & PHI Training
HIPAA & PHI Training
 
HIPAA Basics by Brian Fleetham
HIPAA Basics by Brian FleethamHIPAA Basics by Brian Fleetham
HIPAA Basics by Brian Fleetham
 
HIPAA Basics
HIPAA BasicsHIPAA Basics
HIPAA Basics
 
Complete telehealth project
Complete telehealth projectComplete telehealth project
Complete telehealth project
 
Keys To HIPAA Compliance
Keys To HIPAA ComplianceKeys To HIPAA Compliance
Keys To HIPAA Compliance
 
HIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGYHIPAA AND INFORMATION TECHNOLOGY
HIPAA AND INFORMATION TECHNOLOGY
 
HIPAA and How it Applies to You
HIPAA and How it Applies to YouHIPAA and How it Applies to You
HIPAA and How it Applies to You
 
Telemedicine
TelemedicineTelemedicine
Telemedicine
 
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
HIPPA COMPLIANCE (SANJEEV.S.BHARWAN)
 
Security & Privacy for Health Data
Security & Privacy for Health DataSecurity & Privacy for Health Data
Security & Privacy for Health Data
 
Privacy and Data Security
Privacy and Data SecurityPrivacy and Data Security
Privacy and Data Security
 
Cyber Security and Healthcare
Cyber Security and HealthcareCyber Security and Healthcare
Cyber Security and Healthcare
 
HIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability ActHIPPA-Health Insurance Portability and Accountability Act
HIPPA-Health Insurance Portability and Accountability Act
 
Welcome to HIPAA Training
Welcome to HIPAA TrainingWelcome to HIPAA Training
Welcome to HIPAA Training
 
Cybersecurity Challenges in Healthcare
Cybersecurity Challenges in HealthcareCybersecurity Challenges in Healthcare
Cybersecurity Challenges in Healthcare
 

Similar to Hipaa for business associates simple

health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxamartya2087
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxVistaInfosec
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliancePrince George
 
HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersLawgical
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceJim Anfield
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfmohammedfootwear
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion Dan Wellisch
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaageeksikh
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Kimberly Simon MBA
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowShred-it
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...susmitaghosh93
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesNisos Health
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...Michigan Primary Care Association
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit ImplementationValency Networks
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rssupportc2go
 

Similar to Hipaa for business associates simple (20)

health insurance portability and accountability act.pptx
health insurance portability and accountability act.pptxhealth insurance portability and accountability act.pptx
health insurance portability and accountability act.pptx
 
Explaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docxExplaining the HIPAA Privacy[.docx
Explaining the HIPAA Privacy[.docx
 
A brief introduction to hipaa compliance
A brief introduction to hipaa complianceA brief introduction to hipaa compliance
A brief introduction to hipaa compliance
 
HIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process ServersHIPAA and FDCPA Compliance for Process Servers
HIPAA and FDCPA Compliance for Process Servers
 
The Startup Path to HIPAA Compliance
The Startup Path to HIPAA ComplianceThe Startup Path to HIPAA Compliance
The Startup Path to HIPAA Compliance
 
Describe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdfDescribe one safeguard that should be in place to protect the confid.pdf
Describe one safeguard that should be in place to protect the confid.pdf
 
HIPAA Panel Discussion
HIPAA Panel Discussion HIPAA Panel Discussion
HIPAA Panel Discussion
 
HIPAA Privacy & Security
HIPAA Privacy & SecurityHIPAA Privacy & Security
HIPAA Privacy & Security
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 
Hitech changes-to-hipaa
Hitech changes-to-hipaaHitech changes-to-hipaa
Hitech changes-to-hipaa
 
Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017Health care compliance webinar may 10 2017
Health care compliance webinar may 10 2017
 
HIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to knowHIPAA and HITECH : What you need to know
HIPAA and HITECH : What you need to know
 
HIPAA
HIPAAHIPAA
HIPAA
 
Hippa training v2
Hippa training v2Hippa training v2
Hippa training v2
 
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...HIPAA , REGULATORY AFFAIRS , M.PHARM ...
HIPAA , REGULATORY AFFAIRS , M.PHARM ...
 
HIPAA Compliance For Small Practices
HIPAA Compliance For Small PracticesHIPAA Compliance For Small Practices
HIPAA Compliance For Small Practices
 
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
MPCA HIPAA Compliance/Meaningful Use Requirements and Security Risk Assessmen...
 
Hipaa omnibus
Hipaa omnibusHipaa omnibus
Hipaa omnibus
 
HIPAA Audit Implementation
HIPAA Audit ImplementationHIPAA Audit Implementation
HIPAA Audit Implementation
 
Hi paa and eh rs
Hi paa and eh rsHi paa and eh rs
Hi paa and eh rs
 

More from Jose Ivan Delgado, Ph.D.

Guide to Online Tracking Technologies.pptx
Guide to Online Tracking Technologies.pptxGuide to Online Tracking Technologies.pptx
Guide to Online Tracking Technologies.pptxJose Ivan Delgado, Ph.D.
 
Meaningful Use Basics for Healthcare Professionals and Organizations
Meaningful Use Basics for Healthcare Professionals and OrganizationsMeaningful Use Basics for Healthcare Professionals and Organizations
Meaningful Use Basics for Healthcare Professionals and OrganizationsJose Ivan Delgado, Ph.D.
 
Healthcare Business: Present and Future Challenges
Healthcare Business: Present and Future ChallengesHealthcare Business: Present and Future Challenges
Healthcare Business: Present and Future ChallengesJose Ivan Delgado, Ph.D.
 

More from Jose Ivan Delgado, Ph.D. (20)

Guide to Online Tracking Technologies.pptx
Guide to Online Tracking Technologies.pptxGuide to Online Tracking Technologies.pptx
Guide to Online Tracking Technologies.pptx
 
HIPAA Security 2019
HIPAA Security 2019HIPAA Security 2019
HIPAA Security 2019
 
Macra 101
Macra 101Macra 101
Macra 101
 
Macra 2017
Macra 2017Macra 2017
Macra 2017
 
Healthcare unplug oct
Healthcare unplug octHealthcare unplug oct
Healthcare unplug oct
 
Healthcare unplug
Healthcare unplugHealthcare unplug
Healthcare unplug
 
Meaningful use 2016
Meaningful use 2016Meaningful use 2016
Meaningful use 2016
 
Icd 10 general presentation
Icd 10 general presentationIcd 10 general presentation
Icd 10 general presentation
 
Icd 10 codes
Icd 10 codesIcd 10 codes
Icd 10 codes
 
Colors only god could create
Colors only god could createColors only god could create
Colors only god could create
 
Meaningful Use Basics for Healthcare Professionals and Organizations
Meaningful Use Basics for Healthcare Professionals and OrganizationsMeaningful Use Basics for Healthcare Professionals and Organizations
Meaningful Use Basics for Healthcare Professionals and Organizations
 
Meaningful use 2015
Meaningful use 2015Meaningful use 2015
Meaningful use 2015
 
Healhcare Billing Comparison
Healhcare Billing ComparisonHealhcare Billing Comparison
Healhcare Billing Comparison
 
Services, Compliance and Innovation
Services, Compliance and InnovationServices, Compliance and Innovation
Services, Compliance and Innovation
 
HIPAA security risk assessments
HIPAA security risk assessmentsHIPAA security risk assessments
HIPAA security risk assessments
 
Healthcare Compliance Software
Healthcare Compliance SoftwareHealthcare Compliance Software
Healthcare Compliance Software
 
Physician quality reporting system (pqrs)
Physician quality reporting system (pqrs)Physician quality reporting system (pqrs)
Physician quality reporting system (pqrs)
 
Healthcare update 2
Healthcare update 2Healthcare update 2
Healthcare update 2
 
Healthcare Business: Present and Future Challenges
Healthcare Business: Present and Future ChallengesHealthcare Business: Present and Future Challenges
Healthcare Business: Present and Future Challenges
 
From paper to digital
From paper to digitalFrom paper to digital
From paper to digital
 

Recently uploaded

neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetneemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...Ahmedabad Call Girls
 
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetkozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetTirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetpalanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetnagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetJalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetraisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetSangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetBihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetsurat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Chandigarh
 
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetOzhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girlKolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girlonly4webmaster01
 
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetErode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Sheetaleventcompany
 
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...Sheetaleventcompany
 
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetThoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetkochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetCall Girls Service
 
Call Girl in Indore 8827247818 {Low Price}👉 Nitya Indore Call Girls * ITRG...
Call Girl in Indore 8827247818 {Low Price}👉   Nitya Indore Call Girls  * ITRG...Call Girl in Indore 8827247818 {Low Price}👉   Nitya Indore Call Girls  * ITRG...
Call Girl in Indore 8827247818 {Low Price}👉 Nitya Indore Call Girls * ITRG...mahaiklolahd
 

Recently uploaded (20)

neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetneemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
(Deeksha) 💓 9920725232 💓High Profile Call Girls Navi Mumbai You Can Get The S...
 
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetkozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kozhikode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetTirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Tirupati Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetpalanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
palanpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetnagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetJalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Jalna Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetraisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetSangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Sangli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetBihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetsurat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
surat Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhubaneswar Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetOzhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Ozhukarai Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girlKolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
Kolkata Call Girls Miss Inaaya ❤️ at @30% discount Everyday Call girl
 
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetErode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Erode Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024
 
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
 
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetThoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thoothukudi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetkochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Call Girl in Indore 8827247818 {Low Price}👉 Nitya Indore Call Girls * ITRG...
Call Girl in Indore 8827247818 {Low Price}👉   Nitya Indore Call Girls  * ITRG...Call Girl in Indore 8827247818 {Low Price}👉   Nitya Indore Call Girls  * ITRG...
Call Girl in Indore 8827247818 {Low Price}👉 Nitya Indore Call Girls * ITRG...
 

Hipaa for business associates simple

  • 2. HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals • CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee. • OCR ‘s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls. https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf - PDF.
  • 3. $750,000 settlement highlights the need for HIPAA business associate agreements • Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning PHI to a potential business partner. • The settlement includes a monetary payment of $750,000 and a robust corrective action plan. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic- clinic/index.html “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
  • 4. Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement • Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device. • CHCS provided management and information technology services as a business associate to six skilled nursing facilities. “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.” https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
  • 5. What is HIPAA? Is a federal law that: • Provides Portability: Protects and guarantees health insurance coverage when an employee changes jobs • Provides Accountability: Protects health data integrity, confidentiality, and availability • Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment, and others) and identifiers • Standard medical codes (e.g., ICD-9, CPT-4,ICD-10) • Sets National Standards for the Protection of Health Information • Privacy (operational, consumer control, administration) • Security (administrative, physical, technical, network)
  • 6. HIPAA Health Insurance Portability and Accountability Act of 1996 Title I Health Care Access, Portability and Renewability Title II Preventing Health Care Fraud and Abuse Medical Liability Reform Administrative Simplification Electronic Data Interchange Transactions Identifiers Code Sets Privacy Security Security Standards: General Rules Administrative Standards Technical Standards Physical Standards Organizational Requirements Policies and Procedures and Documentation Requirements Title III Tax Related Health Provision Title IV Group Health Plan Requirements Title V Revenue Offsets
  • 7. HIPAA Specifics • Title One: "Health care access, portability and renewability," employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions. • Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform" defines new requirements for privacy and security of individually identifiable patient information. • Electronic health transaction standards and code sets - The implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems • Unique Identifiers - A system that uses one identification number per employer, health plan or payer and health care provider to simplify administration • Security - Safeguarding the storage of, access to and transmission of electronic patient information • Privacy - Generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records. • Title Three: "Tax-related health provisions" standardizes the amount you can save per person in a pre-tax medical savings account. • Title Four: "Application and enforcement of group health plan requirements" broadened information on insurance reform provisions and provide detailed explanations. • Title Five: "Revenue offsets" are regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
  • 8. Title II Administrative Simplification Electronic Data Interchange Privacy Security Administrative Safeguards Physical Safeguards Technical Safeguards Preventing Health Care Fraud and Abuse Medical Liability Reform
  • 9. HIPAA Intersections There are several similarities between Privacy and Security Privacy  Security Security Awareness & Training Business Associate Contracts Privacy Officers for All Entities Multi-disciplinary Work Groups. Security Awareness & Training Business Associate Contracts Security Liaisons for All Entities Multi-disciplinary Work Groups
  • 10. Privacy vs Security • Privacy. Protects the rights of individual and their information in any medium. • Security. Protects electronic information. Specifies Standards that must be met based on three basic areas: • Administrative • Physical • Technical
  • 11. Key Elements • Covered Entity. Refers to a health care provider, health plan and/or a healthcare clearinghouse who transmits health information in electronic format in connection with a transaction covered under HIPAA. • Health information. Refers to any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual. • Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual. • Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media. • Business Associate. Refers to an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.
  • 12. Key Concepts • Uses and Disclosures. Refers to appropriate uses of PHI and the conditions on how to authorize disclosures. • Individual Rights. Refers to specific legal and enforceable rights related to individuals’ information. • Compliance and Enforcement. Refers to the requirement to comply from Covered Entities and Business Associate as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009. • “More stringent”. Refers that HIPAA supersedes State Legislations unless state privacy protections are more stringent than HIPAA. Example of more stringent laws cover: • Mental Health • HIV Protection • Substance Abuse
  • 13. The Health Information Technology for Economic and Clinical Health Act (HITECH Act) • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Part of the Affordable Care Act which was signed in 2009 • 22 billion dollars allocated to the promotion of EHRs • Mandatory penalties imposed for "willful neglect" • Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million • HIPAA's civil and criminal penalties now extend to business associates • Allows state attorney general to bring legal action on behalf of his/her residents • HHS required to conduct periodic audits of covered entities and business associates
  • 14. HITECH Act Business Associate Requirements • Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity; • Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule; • Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule; • Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS"); • Notify Covered Entities of any breach of "unsecured PHI“.
  • 15. Omnibus Rule • Broadens the definition of Business Associate • Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information • Applies to subcontractors irrespective of how far downstream the subcontractor is, • Clarifies which requirements and liabilities pertain to business associates, • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
  • 16. Translation of Rule to Business Associates • Entity is liable for the acts or omissions of its Subcontractor • The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity. • Entity can be penalized for its agent’s violations • Knowledge of a breach or other violation will be imputed to the principal • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says
  • 17. Sample of Responsibilities • BAs to comply with the HIPAA Security Rule’s requirements and implement policies and procedures in the same manner as a Covered Entity • Requires BA to implement administrative, physical, and technical safeguards in compliance with HIPAA Security Rule (most BA Agreements require this by contract) • Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the requirements of Business Associate. • Obtain assurances from subcontractors or terminate the relationship. • BA must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling • BAs must conduct risk assessment and be more proactive and diligent to monitor new rules, regulations and guidance • Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis.
  • 18. Examples of Business Associates • IT Support Vendor • Email encryption Provider • File sharing vendors • Information Technology vendors • Cloud vendors • Backup Storage • Medical equipment service companies handling equipment that holds PHI • Billing Companies • Translator services • Dictation services • Lawyers • Shredding services • Accounting or consulting firms • Consultants hired to conduct audits, perform coding reviews, etc.
  • 19. Security Risk Analysis (SRA) • Information security risk assessment is an on-going process of discovering, correcting and preventing security problems. “Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii)). “ https://www.cms.gov/Regulations-and- Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
  • 20. Security Risk Analysis (sample topics) • Administration • Agreements • Policies • Job Descriptions • Training • Physical • Assess • Disaster Preparedness • Technical • Inventory - Resources • Security (Firewalls, patches, antimalware)
  • 21. FAQs Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule? Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e). https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business- associates-self-certify/index.html
  • 22. Summary • Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well. • Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules. • Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
  • 23. Questions or Additional Information Taino Consultants Inc. DrDelgado@TainoConsultants.com Mr. Ray Walters Walters.R@epicompliance.com
  • 24. References • https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business- associates/index.html • http://searchsecurity.techtarget.com/definition/business-associate • https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa- regulations-affect-business-associates • https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business- associate-agreement-provisions/index.html • https://www.imagineiti.com/hipaa-compliance/business-associates/ • https://www.cdc.gov/phlp/publications/topic/hipaa.html