1. HIPAA

2. Applicability to you (and me) as Business Associates

3. Brief review of HIPAA
Health insurance Portability and Accountability Act.
Created in 1996 to establish national standards for transactions involving electronic health care records.
Aim is to ensure the security and privacy of personal health data.

4. Revisions or additions to the original HIPAA Privacy Rule that affects you (and me)
HIPAA Privacy Rule: “Standards for Privacy of Individually Identifiable Health Information” in 2000, updated in 2002
Set of National standards for protecting individuals’ health information (PHI)
Applies to all forms of PHI: electronic, paper, or oral
Access to PHI requires a signed consent authorizing access to PHI
Exclusions
HIPAA Security Rule or “Security Standards for the Protection of Electronic Protected Health Information 2003
The HITECH (Health Information Technology for Economic and Clinical Health) Act f 2009 HIPAA Omnibus Rule (which comes under the HITECH Act; final release in January 2013)

5. Who or what are Business Associates?
HIPAA defines BAs as
any organization or person working in association with or providing services to a covered entity who handles or discloses individually identifiable health information known as Personal Health Information (PHI)
Legal (you)
Actuarial
Accounting
Consulting (me)
Data aggregation
Management
Administrative
Accreditation or
Financial services
a subcontractor that creates, receives, maintains, or transmits PHI on behalf of another business associate
“A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.” HHS.gov

6. transmission
HIPAA requires that PHI remains secure at rest and in transit:
From your workstation to
Your server to
Recipient’s server to
Recipient’s workstation so basicall:
PHI must be protected while sitting on workstation and servers and each time your crosses the internet
What webmail services are secure for PHI transmission: most are NOT
s must be encrypted:
does not mean password-protected
The data is made unreadable at rest and in transition

7. Some Products to explore
AppRiver CipherPostPro: encrypts your message and only the authorized recipient with the proper password can read the message
Citrix
Zixmail (if your recipient is not a Zixmail user, the system will notify them of the and the recipient can connect securely to the Zixmail server to retrieve the message
Barracuda
Hushmail
Identillect
Luxsci
Protected Trust
Virtru

8. s sent on your own secure server do not have to be encrypted; however, if you use remote access, the encryption rules must be followed
Example in Handout: Concentra Health Services paid 1.72 million following the loss of an unencrypted laptop that had PHI
I suggest you contact your IT provider if you have any questions regarding how your remote access technology works regarding PHI compliance; this is not my area of expertise

9. HIPAA compliant Cloud Storage Identified as the “Top 5” by SkyHigh (refer to Handouts)
Dropbox – Business in November 2015, the company announced it was compliant with HIPAA and the HITECH Act;
Box, “Enterprise” account
Google Drive
Microsoft OneDrive

10. Penalties as reported in the HIPAA Journal June 24, 2015
Enforcement Final Rule 2006 enabled the Department of Health and Human Services’ Office for Civil Rights (OCR) to issue financial penalties (and/or action plans) to covered entities (CEs) that fail to comply with HIPAA Rules”
The Omnibus Rule provided that new penalties for HIPAA violations could be applied to specific groups which include Business Associates of Ces
There are 4 classifications of violations that include fines from a minimum of $ to a minimum of $50,000.00
The HITECH Act provided that state Attorney Generals have the authority to hold HIPAA CEs accountable for the exposure of the PHI of state residents and can file civil actions with the federal district courts
AG offices are able to retain a percentage of the fines issued
CT, MA, IN, VT and MN had acted by 2015; it was predicted other AGs would follow
Criminal penalties can also be filed for HIPAA violations
Penalties can also be issued for HIPAA non-compliance

11. Case Study

12. dolanmedicallegal.com
(724)