1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session.

Presentation transcript:

1 The Impact of HIPAA Privacy and Security on IT and Business Process Outsourcing Brian M. Wyatt Ropes & Gray LLP Eighth National HIPAA Summit Session March 8, 2004 (2:15pm) Boston New York San Francisco Washington, DC

2 Agenda Overview of Outsourcing Traditional Outsourcing Issues and HIPAA Wrinkles HIPAA-Specific Issues

3 Overview of Outsourcing

4 Introduction Outsourcing is more than just licensing of technology or procurement of services Outsourcing typically involves: –Divestiture of non-core business activity and purchase of services –A complex, evolving relationship

5 Introduction IT Outsourcing –Assets/staff/management of IT operations Business Process Outsourcing –Traditional: food service, janitorial, security –More recently: supply chain management, billing, coding, IT

6 Reasons for Outsourcing Financial Labor Strategic/operational HIPAA compliance does not usually make the list!

7 Risks in Outsourcing Traditional: –Loss of control –Managing costs –Labor and employment issues –Dependence on vendor and difficulty of reassuming responsibility –Financial stability of vendor HIPAA compliance?

8 The “Offshoring” Controversy New term Refers to outsourced jobs/services, particularly skilled/high tech labor, to foreign countries –E.g., India, China, Philippines, Ireland Red Hot Political Issue –2/9/04 statement of Gregory Mankiw, the chairman of the White House Council of Economic Advisers –Lou Dobbs Report “Exporting America”

9 The “Offshoring” Controversy Also a real concern under HIPAA –"Your patient records are out in the open... so you better track that person and make him pay my dues." SF Chronicle articles re: situation at UCSF with transcriptionist in Pakistan during summer 2003 –Has generated… Harsh editorials Proposed CA law Change in covered entities’ approach?

10 New HIPAA Wrinkles on Traditional Legal Issues

11 Labor and Employment Issues Traditional Issues: –Morale/culture shock issues –WARN Act –Unionized employees Collective bargaining agreement issues/“Successor employer” issues –Employee benefits –Lay-off planning – potential for discrimination claims

12 Labor and Employment Issues The HIPAA Wrinkle? “Workforce” –Choose to treat as workforce even if employed by the vendor (if onsite)? –Discipline for privacy/security violations?

13 Assets Traditional Issues: –Assets to be transferred to vendor Valuation of assets Tax-exempt bond issues Location of assets –Form of asset transfer –Asset refresh –Return of assets upon termination of relationship

14 Assets The HIPAA Wrinkle? –Now: What representations and warranties is the vendor going to require you to give about hardware and software that you’re transferring? –Later: What representations and warranties is the vendor willing to give about hardware and software that you’re getting back?

15 Third-Party Vendor Issues Traditional Issues: –Leased assets –Third party vendor consents –Continuing relationship The HIPAA Wrinkle? –Business associate subcontracting –Disclaimer of responsibility for anything provided by a third party

16 Service Level Agreements Traditional Issues: –What can provider manage? –How are they related to cost structure? –What to measure? (availability/uptime; response time; accuracy; customer satisfaction) –When to measure? (daily, weekly, monthly; ramp up) –Who measures? –How to measure?

17 Service Level Agreements The HIPAA Wrinkle? –Should you measure HIPAA compliance? –If so, how to measure HIPAA compliance?

18 Term and Termination Traditional Issues: –How long? (often 5 to 10 years, trend towards shorter terms) –Termination for convenience? –“Step-in” rights The HIPAA Wrinkle? –The Business Associate “terminate or report” provision

19 HIPAA-Specific Issues

20 HIPAA-Specific Issues Responsibility for Compliance –Particularly re: the Security Regulations and the TCS Regulations –Vendors often reluctant to take this on –If they don’t, can you? –Complaints, lawsuits, and HIPAA penalties

21 HIPAA-Specific Issues Security Compliance –Foundation of the Security Regulations is risk analysis and risk management Is this part of your agreement? If not, can you look to a change of law provision?

22 HIPAA-Specific Issues Security Compliance –Policy & procedure development and implementation –Physical safeguards –Technical safeguards –What about addressable items?

23 HIPAA-Specific Issues Other HIPAA Security Issues –Even if the vendor can and will do it, all of your ePHI may not be covered –Disaster Recovery May be separated out but a critical HIPAA Security component

24 HIPAA-Specific Issues Business Associate Agreements –Can be straightforward –Typical issues: “Battle of the Forms” Termination Indemnification Need for greater specificity on Security or TCS compliance?

25 HIPAA-Specific Issues Trading Partner Agreements –Is the vendor your clearinghouse? If so, need appropriate limitations on their ability to modify transaction formats and date code sets (per the Electronic Transactions & Code Sets (TCS) Regulations) –If not, what’s the vendor’s role in TCS?

26 HIPAA-Specific Issues Other Related Concerns –Use of subcontractors See discussion of “offshoring” above An issue even if done within the US – how to ensure privacy and security are protected?

27 HIPAA-Specific Issues Other Related Concerns –Evolving Federal and State law E.g., CA S.B What state law governs? What laws apply? Remember “Change of Law” –Other Laws can accelerate obligations DoD Requirements

28 Summary Impact of HIPAA on Outsourcing –New wrinkles on traditional issues –New HIPAA-specific issues –Non-HIPAA privacy and security concerns on the rise Cannot consider HIPAA in a vacuum, but leave HIPAA out of the equation Need to carefully consider, and make appropriate allocation of, responsibility between covered entity and vendor

29 Q&A
