Presentation is loading. Please wait.

Presentation is loading. Please wait.

Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the."— Presentation transcript:

1 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the HIPAA rules and regulations. Before completing this module, you need to complete either the Basic, Health Professional or Research module. To navigate through this module, use the arrows or click “Slide Show” at bottom right, or click on the titles in the table of contents on the left.

2 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 2 BUSINESS ASSOCIATE AGREEMENTS FOR HIPAA PRIVACY REGULATIONS COMPLIANCE UNIVERSITY OF MICHIGAN HEALTH SYSTEM 2003 Business Associate Agreements for HIPAA Privacy Regulations Compliance

3 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 3 Business Associates: Definition A Business Associate (BA) is a: Person or organization (vendor) that is not a member of the University’s workforce AND Performs or assists in the performance of University’s operations or activities involving Protected Health Information (PHI) AND is a Vendor that contracts with the University for provision of services that are typically done by the provider (e.g. UMHS, University Health Service) or a plan like MCARE

4 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 4 A Business Associate Agreement is: An agreement that the privacy regulations require all covered entities have with their vendors that provide a service for them involving PHI Business Associate Agreements: Definition

5 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 5 Business Associate Agreements: Deadlines The deadline to have all BA Agreements in place is: For all contracts with vendors that are BA’s signed or amended after October 16 th, 2002, by April 14, 2003 All other contracts with vendors that are BA’s (including those that renew automatically) at the time of revision or by April 14, 2004 (whichever is sooner)

6 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 6 Business Associates: Examples These are examples of vendors that are BA’s : Technical vendors who have access to computer systems or databases containing PHI Accreditation organizations (JCAHO, NCQA, or ACGME etc.) Temporary agencies who place personnel in areas where they may have access to PHI Records storage facilities Lawyers, accountants, consultants Other covered entities, not providing treatment

7 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 7 Business Associate: Examples These are examples of Vendors that are not BA’s : Vendors who only have incidental access to University PHI (e.g. janitorial companies, landlords) Other Covered Entities who receive University PHI but only for treatment purposes (other hospitals, labs) Manufacturers or distributors who require PHI, but only for FDA reporting purposes (adverse event reporting) Vendors who receive only de-identified information

8 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 8 Business Associates: University Obligations The University must: Do basic due diligence on a vendor that is a BA to be certain it has necessary safeguards in place before it contracts with the vendor Provide our BA’s with a copy of our Notice of Privacy Practice (NPP) and of our applicable policies and procedures Have a BA Agreement that has specific terms that protects Protected Health Information (PHI) created or received by BAs on our behalf

9 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 9 Business Associates: University Obligations The University must notify the BA: If it has to comply with any consents or authorization required under HIPAA Of any limitation(s) in our NPP that may affect BA’s use or disclosure of our PHI Of any change in, or revocations of, permission by an individual to use or disclose PHI, that we have agreed to, if the changes affect BA’s use and disclosure of PHI Of restriction(s) on the use or disclosure of PHI that we have agreed to, if they may affect the BA’s use or disclosure of PHI

10 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 10 Business Associates: University Obligations, Cont’d. The University may request a BA: To only use or disclose PHI that is permissible under the Privacy Rule Inform the University of any misuse of disclosures of PHI in violation of the Privacy rule and to take any action necessary to mitigate the disclosure

11 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 11 The BA must: Report any use or disclosure of the PHI not allowed under the Agreement Ensure that any of the BA’s agents, subcontractors, etc. agree to the same restrictions and conditions contained in our Agreement Make available to Health and Human Services internal practices, books and records relating to the use and disclosure of PHI received from, or created or received by them on our behalf Business Associates: BA Obligations

12 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 12 The BA Must Also: Provide access to PHI in a designated record set maintained by the BA at the University’s request and in the time an manner designated by the University Document disclosures made without an authorization (e.g., for research, law enforcement purposes, certain public health purposes) Provide an accounting to the University or to the individual, in a time and manner designated by the University to permit us to respond to a request by an individual for an accounting of disclosures of PHI Business Associates: BA Obligations, Cont’d.

13 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 13 BA’s may use PHI for the following (except if stated otherwise in the contract): Perform functions, activities, or services for, or on our behalf Report violations of law to appropriate Federal and State authorities Use PHI in its possession for its proper management and administration and to fulfill any legal responsibilities of BA Business Associates: BA Use of PHI

14 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 14 Business Associates: BA Disclosure of PHI BA’s may disclose PHI for the following (except if stated otherwise in the contract): to a third party for the purpose of its proper management and administration to fulfill any of its legal responsibilities only if (i) it is required by law or (ii) before the disclosure is made, the BA has received from the third party written assurances that: The information will be held confidentially; Used or further disclosed only as required by law or for the purpose for which it was disclosed to the third party; and The third party will notify BA of any instances of which it becomes aware in which the confidentiality of the information has been breached.

15 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 15 Business Associate: When the University is the BA The University can be a BA if: We are a vendor to another health plan or provider We are a consultant or a third-party administrator to a health plan or health care provider.

16 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 16 Business Associates: Frequently Asked Questions Question: Where Can I obtain a copy of the Standard BA Agreement? Answer:The Purchasing website: http://www.umich.edu/%7Epurch/Forms/index.html#Purch The HIPAA Website: http://www.med.umich.edu/u/hipaa http://www.med.umich.edu/u/hipaa Question: How do I find out if a vendor has signed a BA? Answer:Contact your Purchasing representative who will be able to check the vendor database and/or pull the contract to determine if BA language exists.

17 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 17 Business Associates: Frequently Asked Questions Question:What if my vendor refuses to sign our Standard BA Agreement? Answer:Refer the contract to purchasing or DRDA. Question:If our Standard BA Agreement changes, do I need to get the vendor to sign the updated one? Answer:Possibly. Refer your question to purchasing or DRDA.

18 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 18 Need Help? For information regarding your Business Associates Central Campus –Contact your purchasing agent/buyer Health System –Contact Nina Cohan, 8-9669 MCIT –Contract John Ellison, 6-5677

19 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 19 Decision Support Tool The following slides may assist you in determining whether a vendor is a Business Associate with the University of Michigan.

20 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 20 Are They a BA or Not? Basic Questions to Ask Are they using or disclosing PHI concerning our employees, our patients, or our health plan members? –NO: They are not a BA. Examples: –Equipment vendors who do not see PHI –Janitorial and similar services where any contact with PHI would be incidental. –Courier services –YES: They may be a BA. Continue to the next question.

21 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 21 Are They a BA or Not? Are they a health care provider, providing treatment services? –NO: They may be a BA. Continue to the next question. –YES: They are not a BA. Examples: –Medical testing laboratories –Hospitals to which we refer patients for specialized procedures

22 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 22 Are They a BA or Not? Are they performing business services for us? –NO : They are not a BA. Examples: –Outside researchers collaborating on a study –YES: They may be a BA. Continue to the next question. Examples: –Accounting firms –Software contractors –Claims processors –Survey vendors who assist us in performing studies using our PHI

23 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 23 Are They a BA or Not? Are they part of the University of Michigan? –NO: They are probably a BA. Check with Purchasing or DRDA to be sure and to find out whether they have already executed a BA agreement. –YES: They are not a BA. However, you still may have to execute a Memorandum of Understanding with them. Consult with Purchasing or DRDA.

24 Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 24 Questions?  Please contact hipaalegal@umich.edu if you have any questions about the Privacy Rule.hipaalegal@umich.edu  For more information about the Privacy Rule, please visit these websites:  http://www.med.umich.edu/u/hipaa http://www.med.umich.edu/u/hipaa  http://www.hhs.gov/ocr/hipaa and http://www.hhs.gov/ocr/hipaa  http://www.cms.hhs.gov/hipaa http://www.cms.hhs.gov/hipaa

Download ppt "Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the."

Similar presentations

H OGAN & H ARTSON, L.L.P.

H OGAN & H ARTSON, L.L.P.
Frequently Asked Questions…. …about HIPAA Notice of Privacy Practices and Acknowledgement.

Frequently Asked Questions…. …about HIPAA Notice of Privacy Practices and Acknowledgement.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.

1 The HIPAA Privacy Rule and Research This presentation will probably involve audience discussion, which will create action items. Use PowerPoint to keep.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
Steps to Compliance: Managing Business Associates PRESENTED BY.

Steps to Compliance: Managing Business Associates PRESENTED BY.
Confidentiality and HIPAA

Confidentiality and HIPAA
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.

1 HIPAA and Research and YOU. 2 INTRODUCTION Rule #1:Don’t Panic Rule #2:Bottom Line for Researchers: HIPAA is Manageable thru Education/Awareness and.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”

 Original Intent: ◦ Act passed in 1996 with two main goals: 1.Ensure individuals would be able to maintain their health insurance between jobs (the “portability”
COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.

COMPLYING WITH HIPAA PRIVACY RULES Presented by: Larry Grudzien, Attorney at Law.
2014 HIPAA Refresher Omnibus Rule & HIPAA Security.

2014 HIPAA Refresher Omnibus Rule & HIPAA Security.
Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Jill Moore April 2013 HIPAA Update: New Rules, New Challenges.

Similar presentations

Ads by Google