Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session.

Published bySharon Richman Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session."— Presentation transcript:

1 1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session 3.07 -- March 8, 2004 (2:15pm) Boston New York San Francisco Washington, DC

2 2 Agenda Overview of Outsourcing Traditional Outsourcing Issues and HIPAA Wrinkles HIPAA-Specific Issues

3 3 Overview of Outsourcing

4 4 Introduction Outsourcing is more than just licensing of technology or procurement of services Outsourcing typically involves: –Divestiture of non-core business activity and purchase of services –A complex, evolving relationship

5 5 Introduction IT Outsourcing –Assets/staff/management of IT operations Business Process Outsourcing –Traditional: food service, janitorial, security –More recently: supply chain management, billing, coding, IT

6 6 Reasons for Outsourcing Financial Labor Strategic/operational HIPAA compliance does not usually make the list!

7 7 Risks in Outsourcing Traditional: –Loss of control –Managing costs –Labor and employment issues –Dependence on vendor and difficulty of reassuming responsibility –Financial stability of vendor HIPAA compliance?

8 8 The “Offshoring” Controversy New term Refers to outsourced jobs/services, particularly skilled/high tech labor, to foreign countries –E.g., India, China, Philippines, Ireland Red Hot Political Issue –2/9/04 statement of Gregory Mankiw, the chairman of the White House Council of Economic Advisers –Lou Dobbs Report “Exporting America”

9 9 The “Offshoring” Controversy Also a real concern under HIPAA –"Your patient records are out in the open... so you better track that person and make him pay my dues." SF Chronicle articles re: situation at UCSF with transcriptionist in Pakistan during summer 2003 –Has generated… Harsh editorials Proposed CA law Change in covered entities’ approach?

10 10 New HIPAA Wrinkles on Traditional Legal Issues

11 11 Labor and Employment Issues Traditional Issues: –Morale/culture shock issues –WARN Act –Unionized employees Collective bargaining agreement issues/“Successor employer” issues –Employee benefits –Lay-off planning – potential for discrimination claims

12 12 Labor and Employment Issues The HIPAA Wrinkle? “Workforce” –Choose to treat as workforce even if employed by the vendor (if onsite)? –Discipline for privacy/security violations?

13 13 Assets Traditional Issues: –Assets to be transferred to vendor Valuation of assets Tax-exempt bond issues Location of assets –Form of asset transfer –Asset refresh –Return of assets upon termination of relationship

14 14 Assets The HIPAA Wrinkle? –Now: What representations and warranties is the vendor going to require you to give about hardware and software that you’re transferring? –Later: What representations and warranties is the vendor willing to give about hardware and software that you’re getting back?

15 15 Third-Party Vendor Issues Traditional Issues: –Leased assets –Third party vendor consents –Continuing relationship The HIPAA Wrinkle? –Business associate subcontracting –Disclaimer of responsibility for anything provided by a third party

16 16 Service Level Agreements Traditional Issues: –What can provider manage? –How are they related to cost structure? –What to measure? (availability/uptime; response time; accuracy; customer satisfaction) –When to measure? (daily, weekly, monthly; ramp up) –Who measures? –How to measure?

17 17 Service Level Agreements The HIPAA Wrinkle? –Should you measure HIPAA compliance? –If so, how to measure HIPAA compliance?

18 18 Term and Termination Traditional Issues: –How long? (often 5 to 10 years, trend towards shorter terms) –Termination for convenience? –“Step-in” rights The HIPAA Wrinkle? –The Business Associate “terminate or report” provision

19 19 HIPAA-Specific Issues

20 20 HIPAA-Specific Issues Responsibility for Compliance –Particularly re: the Security Regulations and the TCS Regulations –Vendors often reluctant to take this on –If they don’t, can you? –Complaints, lawsuits, and HIPAA penalties

21 21 HIPAA-Specific Issues Security Compliance –Foundation of the Security Regulations is risk analysis and risk management Is this part of your agreement? If not, can you look to a change of law provision?

22 22 HIPAA-Specific Issues Security Compliance –Policy & procedure development and implementation –Physical safeguards –Technical safeguards –What about addressable items?

23 23 HIPAA-Specific Issues Other HIPAA Security Issues –Even if the vendor can and will do it, all of your ePHI may not be covered –Disaster Recovery May be separated out but a critical HIPAA Security component

24 24 HIPAA-Specific Issues Business Associate Agreements –Can be straightforward –Typical issues: “Battle of the Forms” Termination Indemnification Need for greater specificity on Security or TCS compliance?

25 25 HIPAA-Specific Issues Trading Partner Agreements –Is the vendor your clearinghouse? If so, need appropriate limitations on their ability to modify transaction formats and date code sets (per the Electronic Transactions & Code Sets (TCS) Regulations) –If not, what’s the vendor’s role in TCS?

26 26 HIPAA-Specific Issues Other Related Concerns –Use of subcontractors See discussion of “offshoring above” An issue even if done within the US – how to ensure privacy and security are protected?

27 27 HIPAA-Specific Issues Other Related Concerns –Evolving Federal and State law E.g., CA S.B. 1386 What state law governs? What laws apply? Remember “Change of Law” –Other Laws can accelerate obligations DoD Requirements

28 28 Summary Impact of HIPAA on Outsourcing –New wrinkles on traditional issues –New HIPAA-specific issues –Non-HIPAA privacy and security concerns on the rise Cannot consider HIPAA in a vacuum, but leave HIPAA out of the equation Need to carefully consider, and make appropriate allocation of, responsibility between covered entity and vacuum

29 29 Q&A

30 30 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session 3.07 -- March 8, 2004 (2:15pm) Boston New York San Francisco Washington, DC

Download ppt "1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session."

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC 29406 843-576-1426 Health Insurance Portability.

Todd Frech Ocius Medical Informatics 6650 Rivers Ave, Suite 137 North Charleston, SC Health Insurance Portability.
Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.

Security Vulnerabilities and Conflicts of Interest in the Provider-Clearinghouse*-Payer Model Andy Podgurski and Bret Kiraly EECS Department & Sharona.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.

HIPAA – Privacy Rule and Research USCRF Research Educational Series March 19, 2003.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
PCard Program Roles and Responsibilities Review Karen Brookbanks, C.P.M., CPPB.

PCard Program Roles and Responsibilities Review Karen Brookbanks, C.P.M., CPPB.
2010 Region II Conference Corporate Compliance Panel June 3, 2010

2010 Region II Conference Corporate Compliance Panel June 3, 2010
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
INTERNAL CONTROLS. Session Objectives Understand why an organization should have internal controls Understand the key components of internal controls.

INTERNAL CONTROLS. Session Objectives Understand why an organization should have internal controls Understand the key components of internal controls.
Kirkpatrick & Lockhart LLP Attorneys At Law www.kl.com Boston, Dallas, Harrisburg, Los Angeles, Miami, New York, Newark, Pittsburgh, San Francisco, Washington,

Kirkpatrick & Lockhart LLP Attorneys At Law Boston, Dallas, Harrisburg, Los Angeles, Miami, New York, Newark, Pittsburgh, San Francisco, Washington,

Similar presentations

Ads by Google