COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements.


Slide 1 (title slide): COMPLYING WITH HIPAA BUSINESS ASSOCIATE REQUIREMENTS. Quick, Cost Effective Solutions for HIPAA Compliance: Business Associate Agreements

Slide 2: Agenda
- Overview and Background of the HIPAA Omnibus Final Rule
- Compliance Issues and Practical Solutions for Business Associates and Subcontractors
- Questions and Answers

Copyright © 2013, Strategic Management Services, LLC. All Rights Reserved. www.compliance.com 703-683-9600

Slide 3 (section): OVERVIEW AND COMPLIANCE ISSUES

Slide 4: HIPAA Omnibus Final Rule
- The HIPAA Omnibus Final Rule, which had a compliance date of September 23, 2013, made significant modifications to the following areas of relevance to business associates and subcontractors:
  - Business associate (BA) definition and liabilities
  - Business associate agreements (BAAs)
  - Breach notification
  - Enforcement

Slide 5: Business Associate Definition
- Under the Omnibus Final Rule, a BA is defined as a person who "creates, receives, maintains or transmits protected health information (PHI) on behalf of a covered entity (CE)."
- The Omnibus Final Rule clarifies that the following additional entities fall under the definition of BA:
  - Patient safety organizations
  - Health information organizations
  - E-prescribing gateways
  - Vendors of personal health records
  - Any person/entity that provides data transmission services to a CE and requires routine access to the PHI
  - Any person/entity that stores or maintains PHI on behalf of a CE, whether or not they routinely access the PHI

Slide 6: Business Associate Liability
- The Omnibus Final Rule extends direct liability to BAs for compliance with the HIPAA Security Rule and certain Privacy Rule provisions. BAs must:
  - Develop policies and procedures.
  - Conduct a risk analysis.
  - Train members of the workforce on their responsibilities under HIPAA.
  - Provide breach notification to covered entities.
  - Sign subcontractor business associate agreements (subcontractor BAAs) with subcontractors.

Slide 7: Subcontractors
- Under the Omnibus Final Rule, a subcontractor is defined as a person to whom a BA delegates a function, activity or service that involves PHI and that was initially delegated to the BA by the CE.
- Subcontractors have the same responsibilities and liabilities as the BA.
- These responsibilities and liabilities are defined through the subcontractor BAA.

Slide 8: Business Associate Agreements
- A CE must execute a BAA with each of its BAs.
- A BA must execute a subcontractor BAA with each of its subcontractors.
- The Omnibus Final Rule requires that CEs and BAs update their BAAs to include additional content.
- General deadline: September 23, 2013. Applies to BAAs that were executed after January 25, 2013, or were renewed or modified between March 26, 2013 and September 23, 2013.
- Transition Rule deadline: September 22, 2014. Applies to BAAs that were in effect prior to January 25, 2013 and were not renewed or modified between March 26, 2013 and September 23, 2013.

Slide 9 (section): PRACTICAL SOLUTIONS

Slide 10: Contract Management Process
[Diagram: Contract Management Process, three stages: Contract Planning -> Contract Development -> Contract Execution]

Slide 11 (section): PRACTICAL SOLUTIONS FOR CONTRACT PLANNING

Slide 12: Contract Planning
- Have you reviewed your arrangements with third parties to identify those that are subject to HIPAA?
  - Does the arrangement involve the creation, receipt, maintenance or transmission of PHI on behalf of a CE?
- Have you determined your role in each covered arrangement?
  - Are you a BA or a subcontractor?

Slide 13: Arrangements
[Diagram: Covered Entity -> Business Associate -> Subcontractor -> Subcontractor A and Subcontractor B]

Slide 14: Contract Planning
- Have you reviewed your existing subcontractor BAAs to determine the compliance deadline to which they are subject?
  - September 23, 2013 (General)
  - September 22, 2014 (Transition Rule)
- Have you prioritized your existing subcontractor BAAs to update those that do not qualify for the Transition Rule first?

Slide 15: Contract Planning
- Prioritize your contracts
- Evaluate:
  - Multi-Year
  - Automatic Renewals
  - Evergreen
[Diagram: contracts sorted against the two deadlines, September 23, 2013 and September 22, 2014]

Slide 16: Contract Planning
- How will you ensure the most up-to-date version of the BAA/subcontractor BAA is used?
  - Where is it stored?
  - Do the appropriate people know how/where to access it?
- Who is authorized to sign BAAs/subcontractor BAAs on behalf of your organization?
- Who is responsible for tracking and maintaining signed BAAs/subcontractor BAAs?
  - How are they logged?
  - Where are they stored?
  - How are expiration dates tracked?
- Who is responsible for updating contracts pursuant to regulatory or organizational changes?

Slide 17: Contract Planning
- Delegate
  - Develop a Remediation Team: Contracting Representative, Privacy Officer, Security Officer, Compliance Officer, Legal Representative
  - Create a work plan
- Implement
  - Execute your work plan

Slide 18: Sample Work Plan (Remediation Work Plan)

| Task | Timeframe | Personnel Assigned | Status |
| Create and/or revise BAA/subcontractor BAA template | Day 1-15 | (blank) | (blank) |
| Identify existing BAAs/subcontractor BAAs | Day 1-15 | (blank) | (blank) |
| Renegotiate existing BAAs/subcontractor BAAs | Day 15-30 | (blank) | (blank) |
| Create BAA Policy/Subcontractor BAA Policy | Day 30 and beyond | (blank) | (blank) |

Slide 19: BAA/Subcontractor BAA Policy
- BAA/Subcontractor BAA Policy
  - Privacy and Security requirements
  - State requirements
  - Procedures related to:
    - Determination of business associate/subcontractor status
    - Initiation of business associate/subcontractor status
    - Tracking and Maintenance of BAA/subcontractor BAA
- Template

Slide 20 (section): PRACTICAL SOLUTIONS FOR CONTRACT DEVELOPMENT

Slide 21: Contract Development
- Have you incorporated the following into your BAAs/subcontractor BAAs?
  - Omnibus Final Rule Requirements. BAAs must contain language requiring the BA or subcontractor to:
    - Comply with the Security Rule;
    - Report breaches to the CE in accordance with breach notification rules;
    - Ensure subcontractors agree to the same restrictions that apply to BAs with respect to PHI; and
    - Comply with any Privacy Rule requirements applicable to the CE in the performance of the service.
  - HHS Sample BAA Provisions: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html

Slide 22: Contract Development
- Have you incorporated the following into your BAAs/subcontractor BAAs?
  - Applicable state laws. Have you:
    - Conducted a preemption analysis?
    - Determined which state laws are more stringent than HIPAA?
    - In each case, included the more stringent law in the subcontractor BAA?
    - Reviewed state definitions of "protected" or "sensitive" health information?
  - Examples: California, Texas

Slide 23: Additional Tips
- Beyond HIPAA/State Laws: additional elements to include in BAAs/subcontractor BAAs
  - All requirements contained in the BAA your organization signed with the CE
  - Contract expiration date
  - Data breach notification requirements: timeliness, response and reporting
  - Restrictions related to subcontracting
  - Training requirements
  - Policies and procedures
  - Indemnification/reimbursement of incident response costs

Slide 24 (section): PRACTICAL SOLUTIONS FOR CONTRACT EXECUTION

Slide 25: Contract Execution
- How do you ensure that:
  - Your organization is in compliance with the terms of the BAAs/subcontractor BAAs signed with upstream entities?
  - Your BAs/subcontractors are in compliance with the terms of the BAAs/subcontractor BAAs they have signed with your organization?

Slide 26: Contract Execution
- Audits of BAs and subcontractors
- Internal Assessments
  - Verify compliance with BAA/Subcontractor BAA Policy
  - Verify compliance with HIPAA privacy and security requirements
  - Verify compliance with risk analysis
  - Maintenance of documentation
- External Assessments
  - Request BAs' and subcontractors' policies and procedures with respect to privacy and security of PHI (e.g., Breach Notification Policy).
  - Request the BA or subcontractor to demonstrate how it will respond to an Office for Civil Rights investigation.
  - Request training updates: date of last training, training content, percent completion.

Slide 27 (section): STRATEGIC MANAGEMENT HIPAA SERVICES FOR BUSINESS ASSOCIATES & SUBCONTRACTORS

Slide 28: Strategic Management Services
- HIPAA Services for Business Associates and Subcontractors
  - State Regulatory Analyses
  - Policy and Procedures
  - Risk Assessments
  - Gap Analysis
  - Training
  - Advisory Services
  - Auditing and Monitoring

Slide 29: Take Home Message
- Prioritize. Delegate. Implement.

Slide 30: Contact Information
- Betta Sherman, MPP, CHC, Senior Associate: bsherman@strategicm.com
- Camella Boateng, MPH, CHC, Vice President: cboateng@strategicm.com
- Suzanne Charleston, Vice President of Business Development: scharleston@strategicm.com

