The Relationship Between HIPAA Compliance and Business Associates

Similar documents
HIPAA ( ) HIPAA 2017 Compliancy Group, LLC

HIPAA 101: What All Doctors NEED To Know

Inside the OCR Investigation/Audit Process 2018 PBI HEALTH LAW INSTITUTE TUESDAY, MARCH 13, 2017 GREGORY M. FLISZAR, J.D., PH.D.

HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood

HIPAA How to Comply with Limited Time & Resources. Jonathan Pantenburg, MHA, Senior Consultant August 17, 2017

HIPAA-HITECH: Privacy & Security Updates for 2015

HIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance


Neil Peters-Michaud, CHAMP Cascade Asset Management ITAM Awareness Month December 2016

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA Privacy, Security and Breach Notification

Putting It All Together:

All Aboard the HIPAA Omnibus An Auditor s Perspective

Agenda. Hungry, Hungry HIPAA: Security, Enforcement, Audits, & More. Health Law Institute

HIPAA Cloud Computing Guidance

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

CYBERSECURITY IN THE POST ACUTE ARENA AGENDA

HIPAA and HIPAA Compliance with PHI/PII in Research

The HIPAA Omnibus Rule

HIPAA & Privacy Compliance Update

HIPAA Federal Security Rule H I P A A

HIPAA Security. An Ounce of Prevention is Worth a Pound of Cure

The ABCs of HIPAA Security

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Don t Be the Next Headline! PHI and Cyber Security in Outsourced Services.

HIPAA Security and Privacy Policies & Procedures

HIPAA and Research Contracts JILL RAINES, ASSISTANT GENERAL COUNSEL AND UNIVERSITY PRIVACY OFFICIAL

The HIPAA Security & Privacy Rule How Municipalities Can Prepare for Compliance

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

HIPAA Tips and Advice for Your. Medical Practice

Boerner Consulting, LLC Reinhart Boerner Van Deuren s.c.

Policy and Procedure: SDM Guidance for HIPAA Business Associates

How Secure Do You Feel About Your HIPAA Compliance Plan? Daniel F. Shay, Esq.

Welcome Note. Encrypted Is it really worth it? VoIP Telephony for SMB-Small in price! Big in features!

HIPAA COMPLIANCE AND

HIPAA in 2017: Hot Topics You Can t Ignore. Danika Brinda, PhD, RHIA, CHPS, HCISPP March 16, 2017

David C. Marshall, Esq. PACAH 2017 Spring Conference April 27, 2017

Securing IT Infrastructure Improve information exchange and comply with HIPAA, HITECH, and ACA mandates

What s New with HIPAA? Policy and Enforcement Update

HIPAA Faux Pas. Lauren Gluck Physician s Computer Company User s Conference 2016

HIPAA & IT THE HIPAA SECURITY RULE AND THE ROLE OF THE IT PROFESSIONAL DOES YOUR IT PROVIDER UNDERSTAND THEIR ROLE AND ARE THEY COMPLIANT?

HIPAA/HITECH Act Update HCCA South Central Regional Annual Conference December 2, Looking Back at 2011

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

The simplified guide to. HIPAA compliance

HIPAA Privacy & Security Training. Privacy and Security of Protected Health Information

Security and Privacy Breach Notification

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

University of Mississippi Medical Center Data Use Agreement Protected Health Information

DATA PRIVACY & SECURITY THE CHANGING HIPAA CLIMATE

HIPAA Privacy and Security Training Program

HIPAA Privacy, Security Lessons from 2016 and What's Next in 2017

HIPAA For Assisted Living WALA iii

Decrypting the Security Risk Assessment (SRA) Requirement for Meaningful Use

HIPAA Privacy, Security and Breach Notification 2017

A HIPAA Compliance and Enforcement Update from the HHS Office for Civil Rights Session #24, 10:00 a.m. 11:00 a.m. March 6, 2018 Roger Severino, MSPP,

Policy. Policy Information. Purpose. Scope. Background

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

Update on Administration and Enforcement of the HIPAA Privacy, Security, and Breach Notification Rules

HIPAA Compliance & Privacy What You Need to Know Now

Elements of a Swift (and Effective) Response to a HIPAA Security Breach

Abbie Miller, MCS-P. Ongoing Internal Auditing. Documentation Reviews 5/16/2015.

Texting and ing Patients, Providers and Others: HIPAA, CMS, and Suggestions

DON T GET STUNG BY A BREACH! WHAT'S NEW IN HIPAA PRIVACY AND SECURITY

and Privacy HIPAA-Compliance Checklist

Data Backup and Contingency Planning Procedure

HIPAA Security and Research VALERIE GOLDEN, HIPAA SECURITY OFFICER

HIPAA Privacy, Security and Breach Notification 2018

HIPAA COMPLIANCE WHAT YOU NEED TO DO TO ENSURE YOU HAVE CYBERSECURITY COVERED

Performing HIPAA Security Reviews

HIPAA Compliance and Auditing in the Public Cloud

Cloud Communications for Healthcare

CYBERSECURITY. Recent OCR Actions & Cyber Awareness Newsletters. Claire C. Rosston

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Best Practices in HIPAA Security Risk Assessments

When the Other Brother Steps Up: State Privacy Enforcement Actions

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

IT Security in a Meaningful Use Era C&SO HIMSS Meeting

Seven gray areas of HIPAA you can t ignore

HIPAA/HITECH Privacy & Security Checklist Assessment HIPAA PRIVACY RULE

Hospital Council of Western Pennsylvania. June 21, 2012

HIPAA FOR BROKERS. revised 10/17

North Carolina Health Information Exchange Authority. User Access Policy for NC HealthConnex

HIPAA Privacy and Security. Rochelle Steimel, HIPAA Privacy Official Judy Smith, Staff Development January 2012

HPE DATA PRIVACY AND SECURITY

Checklist for Applying ISO 27000, PCI DSS v2 & NIST to Address HIPAA & HITECH Mandates. Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP)

HIPAA. Developed by The University of Texas at Dallas Callier Center for Communication Disorders

A Panel Discussion. Nancy Davis

Is Your Compliance Strategy Putting Your Business at Risk?

Lessons Learned from Recent HIPAA Enforcement Actions, Breaches, and Pilot Audits

3/24/2014. Agenda & Objectives. HIPAA Security Rule. Compliance Institute. Background and Regulatory Overlay. OCR Statistics/

Breach Notification Remember State Law

Latest Legal Threat for Providers Protecting Private Information in Text Messages, s and Other Electronic Transmissions

EXHIBIT A. - HIPAA Security Assessment Template -

HIPAA Security & Privacy

HIPAA AND SECURITY. For Healthcare Organizations

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

HMIS (HOMELESS MANAGEMENT INFORMATION SYSTEM) SECURITY AWARENESS TRAINING. Created By:

Incident Response: Are You Ready?

Transcription:

The Relationship Between HIPAA Compliance and Business Associates 1

HHS Wall of Shame 20% Involved Business Associates Based on HHS Breach Portal: Breaches Affecting 500 or More Individuals, Type of Breach https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf 2

What is HIPAA Compliance and what is NOT Compliance vs. Security Fines vs. Risk HIPAA/HITECH Protect patient confidentiality while furthering innovation and patient care Privacy Rule and Security Rule Omnibus Business Associates must be HIPAA compliant Covered Entities must have BAAs Conduct Due Diligence Breach Notification Rule Meaningful Use Accelerate adoption of EHR (electronic Health records) HIPAA OMNIBUS Meaningful Use 3

What Information Does HIPAA Protect? PHI may include any of the following: Names Addresses Dates of Service Telephone Numbers Fax Numbers Email Addresses Social Security Numbers Medical Record Numbers Health Plan Beneficiary Numbers Account Numbers Certificate/License Numbers Vehicle identifiers/serial Numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers; Biometric identifiers Full Face Photos or Videos Any other unique identifying number, characteristic, or code 4

Compliance vs. Security Audits Security, Privacy, and Administrative Gap Identification Remediation Policies & Procedures Employee Training & Attestation Business Associate Management BA Agreements & Audit Incident Management Security Risk Assessment Security Risk Analysis Penetration Testing Remediation Vulnerability Scan Prevention System Hardening Detection Behavioral monitoring Network Security Monitoring FINES REPUTATION RISK 5

Business Associates: Direct liability by function Directly liable for violations Omnibus Rule Must be HIPAA Compliant (Security Rule) Technical, Administrative, & Physical Safeguards Covered Entities: Compliance with Privacy Rule Must have BAAs (Business Associate Agreements) Conduct Due Diligence for the CE Contracting with subcontractors BA liability flows to all subcontractors 6

The HIPAA Compliance Puzzle Incident Management & Remediation Audits SRA (Security Risk Assessment), Administrative, Privacy Remediation Plans Business Associate Management Document Version, Employee Attestation & Tracking Policies, Procedures & Training 7

Importance of BAA & Complete Risk Analysis Who: North Memorial Health Care of Minnesota What: Laptop theft, 6,497 patient records Why: No BAA with Billing firm, failed to complete a risk analysis to address all potential risks and vulnerabilities to ephi Settlement: $1,550,000 and CAP (3/19/16) Two major cornerstones of the HIPAA Rules were overlooked by this entity, said Jocelyn Samuels, Director of OCR. Organizations must have in place compliant Business Associate Agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure. http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-businessassociate-agreements.html 8

Why You Should Worry About Business Associates In a recent study, more than half of business associates (59%) reported a data breach in the last two years that involved the loss or theft of patient data. More than a quarter (29%) experienced two breaches or more. Of the 345 incidents reported by HHS and listed on their site under Breaches Affecting 500 or More Individuals, 74 involved a business associate (21%). Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data conducted by Ponemon Institute http://media.scmagazine.com/documents/121/healthcare_privacy_security_be_30019.pdf 9

The Need For BAAs Who: Raleigh Orthopaedic (North Carolina) What/Why: 17,300 patients affected Handed over PHI to potential business partner without first executing a business associate agreement. Settlement: $750,000 & CAP (4/20/16) HIPAA s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise, said Jocelyn Samuels, Director of OCR. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected. http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic-bulletin/index.html 10

What are your responsibilities? Business Associate Management q Have an up-to-date BAA (Business Associate Agreement) q Confirm the Business Associate: q Uses the information only for the purposes for which it was engaged for q Will safeguard the information from misuse q Help the covered entity comply with some of the covered entity s duties under the Privacy Rule. 11

Important Definitions Covered Entity (CE): Health care providers, health plans, health care clearinghouses who electronically transmit any Protected Health Information (PHI) Business Associate (BA): Any individual or organization that creates, receives, maintains or transmits PHI on behalf of a Covered Entity (CE) Subcontractor: Create, receive, maintain or transmit PHI on behalf of a BA 12

HIPAA Overlap Covered Entities Business Associates Subcontractors Some Covered Entities are also Business Associates. 13

Business Associate Agreements Agreement between the CE and BA to govern the BA s creation, use, maintenance and disclosure of PHI. Must comply with HIPAA Security Must help a CE satisfy Privacy Rules BAAs have ALWAYS been required by HIPAA After Omnibus Require reciprocal monitoring by the BA & CE Subcontractors of BAs are treated as BAs as well Required before a CE contracts with a third party individual or vendor (subcontractor) to perform activities or functions which will involve the use or disclosure of PHI 14

Business Associate Liability Business associates are directly liable for: 1. Impermissible uses and disclosures 2. Failure to provide breach notification to the CE 3. Failure to provide access to a copy of ephi to either the CE the individual, or the individual s designee 4. Failure to disclose PHI where required by the HHS to investigate or determine the BA s HIPAA compliance 5. Failure to follow Minimum Necessary standard when using or disclosing 6. Failure to provide an accounting of disclosures 15

First Business Associate Penalty Who: Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS), IT services for nursing facilities What: iphone theft (412 PHI) Why: Device was unencrypted and not password protected; Lack of policies & procedures for removal of PHI devices Lack of policies & procedures to address incidents No risk analysis or risk management plan Settlement: $650,000 & CAP (6/29/16) Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities, said Office for Civil Rights (OCR) Director Jocelyn Samuels. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule. http://www.hhs.gov/about/news/2016/03/16/155-million-settlement-underscores-importance-executing-hipaa-business-associate-agreements.html 16

When is a BAA Not Needed? Treatment PHI being disclosed to a healthcare provider for treatment purposes (e.g., primary/referring physician, contract physicians or specialists, contract nursing staff, contract rehab staff, ambulance, home health, dentist). Payment PHI being disclosed to a health plan for payment purposes, or to a health plan sponsor with respect to disclosures by a group health plan. Operations PHI being disclosed for the purpose of health care operations. (Administrative and managerial activities, such as business planning, resolving complaints, and complying with HIPAA.) 17

BA Definition Made Easy (Person/Organization) who On behalf of such (Covered Entity/Business Associate) Creates, receives, maintains, or transmits protected health information 18

The Question To Ask Yourself What is (company X) doing with my PHI. that otherwise I would need to do myself? 19

Is an offsite transcription service a Business Associate? Incorrect No Correct Yes What is (company X) doing with my PHI. that otherwise I would need to do myself? Reset Questions 20

Is a contracted office cleaning company a Business Associate? Correct No Incorrect Yes Reset Questions What is (company X) doing with my PHI. that otherwise I would need to do myself? 21

Is a Security Guard service a Business Associate? Correct No Incorrect Yes Reset Questions What is (company X) doing with my PHI. that otherwise I would need to do myself? 22

Is Your Billing Firm a Business Associate? Incorrect No Correct Yes What is (company X) doing with my PHI. that otherwise I would need to do myself? 23

Examples of Business Associates IT Support and Software Vendors IT Equipment Vendors Leasing firms Telephone CPE Vendors Depends on Conduit Shredding Vendors Data Centers Cloud Computing Providers EHR/EMR Providers Answering Services for Medical Offices Medical Billing Services Medical Transcriptions Services Medical Collection Agencies Temporary Employment Agencies Healthcare Equipment Companies Document Storage Companies Accounting Firm Law Firm Consulting Firm Software Vendor 24

Data Transmission Services Data Transmission Services Business associates include health information organizations and e-prescribing gateways. To qualify as a business associate, the data transmission service must have routine access to the PHI it is transmitting. The conduit exception if an entity is simply acting as a passthrough with no routine access, not a business associate. Examples include telephone company, UPS and courier services. 25

The HIPAA Compliance Puzzle Incident Management & Remediation Audits SRA (Security Risk Assessment), Administrative, Privacy Remediation Plan Business Associate Management Document Version, Employee Attestation & Tracking Policies, Procedures & Training 26

Compliancy Group We simplify compliance so you can confidently focus on your business. The Guard Total HIPAA compliance Solution Simple Cost-Effective Achieve, Illustrate and Maintain TM methodology No Audits failed, ever! Incident Management & Remediation Audits SRA (Security Risk Assessment), Administrative, Privacy Remediation Plans Compliance Support Compliance Coaches HIPAA Hotline, Email, chat or call Breach Support Audit Support Seal of Compliance Verification and Validation of your HIPAA compliance Business Associate Management The Guard TM Document Version, Employee Attestation & Tracking Policies, Procedures & Training 27

Questions? Need Help with Compliance? Marc Haskelson President & CEO 855-854-4722 Ext 507 Marc@compliancygroup.com 855 85 HIPAA (855-854-4722) www.compliancygroup.com info@compliancygroup.com 28

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback