Steps to Compliance: Managing Business Associates PRESENTED BY

Daniel B. Brown, Esq. Healthcare Attorney Taylor English Duma LLP Jason Karn Director Training and IT Total HIPAA Compliance Today’s Presenters

This program is educational and does not constitute, and may not be construed as, legal advice to, or creating an attorney-client relationship with, any person or entity. Housekeeping The materials referenced here are subject to change, so frequent review of the source material is suggested. 3

Who Are The Players? Covered Entities Business Associates Business Associate Subcontractors 4

Any person who performs functions or activities on behalf of, or certain services for, a Covered Entity that involves the use or disclosure of protected health information. Who is a Business Associate? 5

Examples of Business Associates  Lawyers  IT Contractors  Billing Companies  Encryption Provider  Web Hosts  Cloud Storage 6

Make a List  List your Business Associates with contact information  Request that your BA make a list of subcontractors and provide you a copy 7

Who is NOT a Business Associate?  Cleaning Company  Laboratories  Physician Referrals 8 These entities may have access to PHI, but access alone does not make them a Business Associate.

Am I a HIPAA Conduit? This is narrow exception and only applies to:  US Postal Services  Internet Service Providers (ISPs)  Physician Referrals 9

Requirements for a Business Associate  Document Privacy/Security Policies & Procedures  Protect PHI and ePHI  Train Employees  Work with C.E. to send Breach Notifications  Manage Subcontractors 10

Liability 11 Violations by a Business Associate also affect Covered Entities.  Business Associates are liable for…  Violations they have created  Violations of a Subcontractor

Common Law of Agency This change makes a Covered Entity liable for the mistakes of the Business Associate when the Business Associate is an agent of the Covered Entity and is acting in the scope of the agency. 12

What is a Breach 13 PHI that has been accessed, used, acquired by or disclosed to an unauthorized person HIPAA Rules apply to PHI in any format: ePHI Paper Oral

Permitted Uses for PHI 14  Treatment  Payment  Health Care Operations  Certain Public Policy Exceptions  All other uses require an individual’s written authorization

Breach Exceptions 15  Unintentional access by an employee  Inadvertent disclosure by a covered entity or business associate employee authorized to access PHI to a co- employee also authorized to access PHI  Unauthorized access to PHI by a third party who can’t reasonably use the information in its current format, or retain the disclosed information

Breach Notification 16 Notice Requirements:  Notify without unreasonable delay and at least within 60-day timeframe  This starts the date one knew, or reasonably should have known about the Breach

Individuals Affected By Breaches 17 Source: "Annual Report to Congress on HIPAA Privacy, Security, and Breach Notification Rule Compliance." 1 Jan Web.

+ Auditing Your Business Associates 18  Privacy and Security Policies and Procedures  Privacy and Security Personnel  Workforce Training and Management  Data Safeguards  Document and Record Retention

Managing Your Business Associates 19  Periodically review them  Alert to changes in how they conduct business  B.A. should provide updated compliance plan

Special Thanks Taylor English Duma LLP is a full-service law firm built from the ground up to provide highest-quality legal services for optimal value. The firm was founded in 2005 and its attorneys work each day to provide timely, creative and cost-effective counsel to help clients solve problems and achieve goals. Taylor English represents all types of clients— from Fortune 500 companies to start-ups to individuals. 20

Questions?