COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.

Agenda
 Overview and Background of the HIPAA Omnibus Final Rule
 Compliance Issues and Practical Solutions for Business Associates and Subcontractors
 Questions and Answers
Copyright © 2013, Strategic Management Services, LLC. All Rights Reserved

OVERVIEW AND COMPLIANCE ISSUES

HIPAA Omnibus Final Rule
 The HIPAA Omnibus Final Rule, which had a compliance date of September 23, 2013, made significant modifications to the following areas of relevance to business associates and subcontractors:
   ▫ Business associate (BA) definition and liabilities
   ▫ Business associate agreements (BAAs)
   ▫ Breach notification
   ▫ Enforcement

Business Associate Definition
 Under the Omnibus Final Rule, a BA is defined as a person who “creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity (CE).”
 The Omnibus Final Rule clarifies that the following additional entities fall under the definition of BA:
   ▫ Patient safety organizations
   ▫ Health information organizations
   ▫ E-prescribing gateways
   ▫ Vendors of personal health records
   ▫ Any person/entity that provides data transmission services to a CE and requires routine access to the PHI
   ▫ Any person/entity that stores or maintains PHI on behalf of a CE, whether or not they routinely access the PHI

Business Associate Liability
 The Omnibus Final Rule extends direct liability to BAs for compliance with the HIPAA Security Rule and certain Privacy Rule provisions. BAs must:
   ▫ Develop policies and procedures.
   ▫ Conduct a risk analysis.
   ▫ Train members of the workforce on their responsibilities under HIPAA.
   ▫ Provide breach notification to covered entities.
   ▫ Sign subcontractor business associate agreements (subcontractor BAAs) with subcontractors.

Subcontractors
 Under the Omnibus Final Rule, a subcontractor is defined as a person to whom a BA delegates a function, activity or service that involves PHI and that was initially delegated to the BA by the CE.
 Subcontractors have the same responsibilities and liabilities as the BA.
 These responsibilities and liabilities are defined through the subcontractor BAA.

Business Associate Agreements
 A CE must execute a BAA with each of its BAs.
 A BA must execute a subcontractor BAA with each of its subcontractors.
 The Omnibus Final Rule requires that CEs and BAs update their BAAs to include additional content.
   ▫ General deadline: September 23, 2013, for BAAs that were executed after January 25, 2013, or were renewed or modified between March 26, 2013 and September 23, 2013.
   ▫ Transition Rule deadline: September 22, 2014, for BAAs that were in effect prior to January 25, 2013 and were not renewed or modified between March 26, 2013 and September 23, 2013.

PRACTICAL SOLUTIONS

Contract Management Process (three phases)
 Contract Planning
 Contract Development
 Contract Execution

PRACTICAL SOLUTIONS FOR CONTRACT PLANNING

Contract Planning
 Have you reviewed your arrangements with third parties to identify those that are subject to HIPAA?
   ▫ Does the arrangement involve the creation, receipt, maintenance or transmission of PHI on behalf of a CE?
 Have you determined your role in each covered arrangement?
   ▫ Are you a BA or a subcontractor?

Arrangements (diagram): Covered Entity > Business Associate > Subcontractor > Subcontractor A / Subcontractor B

Contract Planning
 Have you reviewed your existing subcontractor BAAs to determine the compliance deadline to which they are subject?
   ▫ September 23, 2013 (General)
   ▫ September 22, 2014 (Transition Rule)
 Have you prioritized your existing subcontractor BAAs to update those that do not qualify for the Transition Rule first?

Contract Planning
 Prioritize your contracts
 Evaluate
   ▫ Multi-Year
   ▫ Automatic Renewals
   ▫ Evergreen
(Timeline: September 23, 2013 / September 22, 2014)
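The two deadlines on the preceding slides are a decision rule that is easy to get wrong across a large contract inventory, so here is that rule written out as a small classifier. This is an added example, not material from the original presentation or from Strategic Management Services; the inventory and counterparty names are constructed for illustration, and the handling of evergreen auto-renewals and of renewals after September 23, 2013 follows the Omnibus Rule's transition provision (45 CFR 164.532(e)) and HHS's preamble discussion rather than anything stated on the slides.

```python
"""Classify an inventory of BAAs/subcontractor BAAs by Omnibus Rule compliance deadline.

Added example, not from the original presentation. SAMPLE_INVENTORY is constructed
for illustration; the counterparty names are hypothetical.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Key dates of the Omnibus Final Rule (78 FR 5566), as cited on the slides.
OMNIBUS_PUBLISHED = date(2013, 1, 25)   # agreements "in effect prior to" this date may qualify for transition relief
OMNIBUS_EFFECTIVE = date(2013, 3, 26)   # start of the renewal/modification window that voids transition relief
GENERAL_DEADLINE = date(2013, 9, 23)
TRANSITION_DEADLINE = date(2014, 9, 22)


@dataclass(frozen=True)
class Baa:
    counterparty: str
    executed: date                        # date the agreement was entered into
    last_modified: Optional[date] = None  # most recent renewal or modification, None if never
    auto_renewal_only: bool = False       # True if last_modified was an evergreen auto-renewal with no change in terms


def applicable_deadline(baa: Baa) -> date:
    """Return the date by which this agreement must contain the Omnibus Rule content."""
    if baa.executed >= OMNIBUS_PUBLISHED:
        # Entered into on/after Jan 25, 2013: general deadline. An agreement signed after
        # Sep 23, 2013 has no grace period at all, so its deadline is its own execution date.
        return max(GENERAL_DEADLINE, baa.executed)

    # Entered into before Jan 25, 2013: transition relief unless renewed/modified in the window.
    # Per HHS's preamble, an evergreen auto-renewal with no change in terms is not a renewal
    # for this purpose, so it does not void the relief (assumption: caller sets the flag correctly).
    modified = None if baa.auto_renewal_only else baa.last_modified
    if modified is not None and OMNIBUS_EFFECTIVE <= modified <= GENERAL_DEADLINE:
        return GENERAL_DEADLINE
    if modified is not None and modified > GENERAL_DEADLINE:
        # 45 CFR 164.532(e): relief ends at the first renewal/modification on or after Sep 23, 2013,
        # or Sep 22, 2014, whichever is earlier.
        return min(modified, TRANSITION_DEADLINE)
    return TRANSITION_DEADLINE


def prioritize(inventory: List[Baa], as_of: date) -> List[Tuple[date, str, int]]:
    """Order the inventory earliest-deadline first; a negative day count means already overdue."""
    rows = [(applicable_deadline(b), b.counterparty, (applicable_deadline(b) - as_of).days) for b in inventory]
    rows.sort()
    return rows


# Constructed inventory covering each branch of the rule.
SAMPLE_INVENTORY = [
    Baa("Cloud host", date(2013, 5, 1)),                                        # new agreement: general deadline
    Baa("Billing vendor", date(2012, 6, 1), date(2013, 6, 1)),                 # old, but amended in the window
    Baa("Shredding service", date(2011, 3, 15)),                               # old, untouched: transition relief
    Baa("Transcription service", date(2010, 1, 1), date(2013, 7, 1), True),    # old, evergreen auto-renewal only
    Baa("Analytics vendor", date(2012, 1, 1), date(2014, 1, 15)),              # old, renewed after Sep 23, 2013
]

if __name__ == "__main__":
    for deadline, name, days in prioritize(SAMPLE_INVENTORY, date(2013, 8, 1)):
        print(f"{deadline}  {days:5d} days  {name}")
```

Run it with an `as_of` of today's date in the review period and work the list from the top; the Billing vendor agreement is the kind that is easy to miss, since it predates the rule but lost transition relief the moment it was amended in the window.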

Contract Planning
 How will you ensure the most up-to-date version of the BAA/subcontractor BAA is used?
   ▫ Where is it stored?
   ▫ Do the appropriate people know how/where to access it?
 Who is authorized to sign BAAs/subcontractor BAAs on behalf of your organization?
 Who is responsible for tracking and maintaining signed BAAs/subcontractor BAAs?
   ▫ How are they logged?
   ▫ Where are they stored?
   ▫ How are expiration dates tracked?
 Who is responsible for updating contracts pursuant to regulatory or organizational changes?

Contract Planning
 Delegate
   ▫ Develop a Remediation Team: Contracting Representative, Privacy Officer, Security Officer, Compliance Officer, Legal Representative
   ▫ Create a work plan
 Implement
   ▫ Execute your work plan

Sample Work Plan (Remediation Work Plan)

Task                                                  | Timeframe          | Personnel Assigned | Status
------------------------------------------------------|--------------------|--------------------|-------
Create and/or revise BAA/subcontractor BAA template   | Day 1-15           |                    |
Identify existing BAAs/subcontractor BAAs             | Day 1-15           |                    |
Renegotiate existing BAAs/subcontractor BAAs          | Day (not captured) |                    |
Create BAA Policy/Subcontractor BAA Policy            | Day 30 and beyond  |                    |

BAA/Subcontractor BAA Policy
 Privacy and Security requirements
 State requirements
 Procedures related to:
   ▫ Determination of business associate/subcontractor status
   ▫ Initiation of business associate/subcontractor status
   ▫ Tracking and maintenance of BAAs/subcontractor BAAs
 Template

PRACTICAL SOLUTIONS FOR CONTRACT DEVELOPMENT

Contract Development
 Have you incorporated the following into your BAAs/subcontractor BAAs?
   ▫ Omnibus Final Rule requirements. BAAs must contain language requiring the BA or subcontractor to:
     - Comply with the Security Rule;
     - Report breaches to the CE in accordance with the breach notification rules;
     - Ensure subcontractors agree to the same restrictions that apply to BAs with respect to PHI; and
     - Comply with any Privacy Rule requirements applicable to the CE in the performance of the service.
   ▫ Reference: HHS Sample BAA Provisions

Contract Development
 Have you incorporated the following into your BAAs/subcontractor BAAs?
   ▫ Applicable state laws. Have you:
     - Conducted a preemption analysis?
     - Determined which state laws are more stringent than HIPAA?
     - In each case, included the more stringent law in the subcontractor BAA?
     - Reviewed state definitions of “protected” or “sensitive” health information?
   ▫ Examples: California, Texas

Additional Tips
 Beyond HIPAA/state laws, additional elements to include in BAAs/subcontractor BAAs:
   ▫ All requirements contained in the BAA your organization signed with the CE
   ▫ Contract expiration date
   ▫ Data breach notification requirements: timeliness; response and reporting
   ▫ Restrictions related to subcontracting
   ▫ Training requirements
   ▫ Policies and procedures
   ▫ Indemnification/reimbursement of incident response costs

PRACTICAL SOLUTIONS FOR CONTRACT EXECUTION

Contract Execution
 How do you ensure that:
   ▫ Your organization is in compliance with the terms of the BAAs/subcontractor BAAs it has signed with upstream entities?
   ▫ Your BAs/subcontractors are in compliance with the terms of the BAAs/subcontractor BAAs they have signed with your organization?

Contract Execution
 Audits of BAs and subcontractors
 Internal assessments
   ▫ Verify compliance with the BAA/Subcontractor BAA Policy
   ▫ Verify compliance with HIPAA privacy and security requirements
   ▫ Verify that a risk analysis has been conducted and its findings addressed
   ▫ Maintenance of documentation
 External assessments
   ▫ Request the BA's or subcontractor's policies and procedures with respect to the privacy and security of PHI (e.g., Breach Notification Policy).
   ▫ Request that the BA or subcontractor demonstrate how it will respond to an Office for Civil Rights investigation.
   ▫ Request training updates: date of last training; training content; percent completion.

STRATEGIC MANAGEMENT HIPAA SERVICES FOR BUSINESS ASSOCIATES & SUBCONTRACTORS

Strategic Management Services
 HIPAA Services for Business Associates and Subcontractors
   ▫ State Regulatory Analyses
   ▫ Policies and Procedures
   ▫ Risk Assessments
   ▫ Gap Analysis
   ▫ Training
   ▫ Advisory Services
   ▫ Auditing and Monitoring

Take Home Message: Prioritize, Delegate, Implement

Contact Information
 Betta Sherman, MPP, CHC, Senior Associate
 Camella Boateng, MPH, CHC, Vice President
 Suzanne Charleston, Vice President of Business Development