
Slide 1: Copyright Notice
© Clearwater Compliance LLC | All Rights Reserved
Copyright Notice. All materials contained within this document are protected by United States copyright law and may not be reproduced, distributed, transmitted, displayed, published, or broadcast without the prior, express written permission of Clearwater Compliance LLC. You may not alter or remove any copyright or other notice from copies of this content. For reprint permission and information, please direct your inquiry to bob.chaput@clearwatercompliance.com

Slide 2: Legal Disclaimer
Legal Disclaimer. This information does not constitute legal advice and is for educational purposes only. This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance. Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply. This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance. YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE. The existence of a link or organizational reference in any of the following materials should not be assumed as an endorsement by Clearwater Compliance LLC.

Slide 3
“My advice to BAs is to get in compliance now, because it's what you're supposed to be doing anyway for the benefit of your clients, and it's going to avoid a lot of problems down the line.” [1]
[1] December 2012 interview with Healthcare IT News

Slide 4: Instructional Module 6
Panel Discussion - How to Implement a Strong, Proactive Business Associate Management Program

Slide 5: Module 6. Overview
1. “Panel Discussion - How to Implement a Strong, Proactive Business Associate Management Program”
2. Instructional Module Duration = 45 minutes
3. Learning Objectives Addressed In This Module
   – Cite and explain the Privacy and Security Rule regulatory requirements for Business Associate Management
   – Explain the expansion of the ‘Chain of Trust’
   – Describe the important consideration of a true subcontractor versus an agent
   – Defend the argument of “maintainer of PHI” versus “conduit of PHI”
   – Discuss with colleagues specific responsibilities of BAs

Slide 6: Balanced Compliance Program: Four Critical Dimensions (Clearwater Compliance Compass™)
– Policy defines an organization’s values and expected behaviors; it establishes “good faith” intent.
– People must include talented privacy, security and technical staff, engaged and supportive management, and trained/aware colleagues following PnPs.
– Procedures or processes, documented, provide the actions required to deliver on the organization’s values.
– Safeguards include the various families of administrative, physical or technical security controls (including “guards, guns, and gates”, encryption, firewalls, anti-malware, intrusion detection, incident management tools, etc.).

Slide 7: 9 Actions to Take Now
1. Set Privacy and Security Risk Management & Governance Program in place (45 CFR § 164.308(a)(1))
2. Develop & Implement comprehensive HIPAA Privacy and Security and Breach Notification Policies & Procedures (45 CFR §164.530 and 45 CFR §164.316)
3. Train all Members of Your Workforce (45 CFR §164.530(b) and 45 CFR §164.308(a)(5))
4. Complete a HIPAA Security Risk Analysis (45 CFR §164.308(a)(1)(ii)(A))
5. Complete a HIPAA Security Evaluation (= compliance assessment) (45 CFR § 164.308(a)(8))
6. Complete Technical Testing of Your Environment (45 CFR § 164.308(a)(8))
7. Implement a Strong, Proactive Business Associate Management Program (45 CFR §164.502(e) and 45 CFR §164.308(b))
8. Complete Privacy Rule and Breach Rule compliance assessments (45 CFR §164.530 and 45 CFR §164.400)
9. Document and act upon a remediation plan
Demonstrate Good Faith Effort!

Slide 8: Bottom Line Up Front
Before Omnibus: “Paper Tiger”
– Healthcare industry largely ignored
– Business Associates didn’t know or care or both!
– Information Security was woefully inadequate
After Omnibus: “Game-changer”
– Largest and most consequential expansion of federal privacy regs
– Significant new burden on BAs
– Significant contractual requirements
– Significantly more vicarious liability for both CEs and BAs
– Healthcare industry woefully unprepared
– Business Associates are awakening…
Think HITECH = Hey It’s Time to End your Compliance Holiday
Today: Help you mitigate your newly created risks and liabilities from your BAs, sub-BAs, sub-sub BAs, etc etc etc

Slide 9: Pause & Quick Poll
– Do you have an up to date documented inventory of all your BAs?
– Have you risk-rank-ordered your BAs?
– Are all your BAAs up to date?
– Do you formally manage your BAs?

Slide 10: HITECH Changes the Game for BAs
TITLE XIII—HEALTH INFORMATION TECHNOLOGY
Subtitle D—Privacy
SEC. 13401. APPLICATION OF SECURITY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES; ANNUAL GUIDANCE ON SECURITY PROVISIONS
SEC. 13404. APPLICATION OF PRIVACY PROVISIONS AND PENALTIES TO BUSINESS ASSOCIATES OF COVERED ENTITIES

Slide 11: HIPAA-HITECH Entities
Covered Entity
– Health care providers (that conduct e-transactions), health plans, health care clearinghouses
Business Associate
– Entity that uses or discloses PHI on behalf of a CE
– Create, receive, maintain or transmit PHI on behalf of a CE
Subcontractor (or Agent?) / Sub Business Associate
– A person or entity to whom a BA delegates a function, activity, or service, other than in the capacity of a member of the workforce of such BA.

Slide 12: A “Few” Business Associates
– Software vendors
– App Development Contractors
– File / Data Storage company
– Clearinghouses
– Web portal company
– Medicare HCC Coding Company
– Call Center Software firm
– Document Imaging company
– Claims Scrubbing Company
– Cloud-Storage Provider
– Data Analytics Company
– Pharmaceutical / Medical Device Companies
– Contract Research Organizations
– Data Transmission (HIE)
– Data Storage
– Data Back-up
– Data Recovery Services
– Software as a Service (SaaS) Offerings
– On-Line Diagnostic Services
– Mobile Devices
– Web Portals – Physicians
– Web Portals – Consumers
– Pharmacy Benefits Managers
– Third Party Administrators
– Benefit Administrators
– Claims Review / Utilization
– Billing Processors
– Business Process Outsourcing (BPO) firms
– Revenue Cycle Companies
– Payment Agencies
– Collection Agencies
– Hospital Discharge Care Support
– Disease Management Companies
– Wellness Companies
– Fulfillment Companies
– Health Risk Assessment Organizations
– Independent Insurance Agents / Brokers
– CPA firm
– Medical transcriptionists
– Consultants
– Auditors
– Accreditation Firms
– Application Trouble-Shooters
– Law firms
– Biometric Companies
– Phlebotomists

Slide 13: Know These Brands?
15.3M of 31.9M (~48%)
279 BAs in 1059 Breaches (26%)

Slide 14: GHP HIPAA-HITECH Chain of Trust
[Diagram: HIPAA-HITECH Covered Entity (Self-Insured Employer), with Business Associate 1, Business Associate 2 … Business Associate n (Outside IT, Wellness Vendor, ERP Contractor, Outside Law Firm, TPA, Portal Provider, Data Analytics firm), each with Sub-Contractor 1, Sub-Contractor 2 … Sub-Contractor n]
Regulations Create Chain of Trust… doesn’t end…

Slide 15: BA Privacy Requirements… Vary!
Find and Work With Experts!

Slide 16: Supplemental Materials
6-1. HHS / OCR SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Word)
6-2. Six “Ice-Breaker” Questions to Send to Your Business Associates (Word)
6-3. Business Associates References in HIPAA-HITECH (PDF)

Slide 17: Questions?

Slide 18: BA Actions to Take Now
Exercise Due Diligence | Due Care
1. Form a Cross-Functional Team
2. Inventory all Business Associates
3. Rank Order Business Associates According to Risk
4. Send an Initial Written Communication Asserting Commitment to Compliance and Expectations
5. Update all Business Associate Agreements According to Requirements; Consider Additional Contractual Requirements for High Risk BAs
6. Conduct a Business Associate Summit Meeting and Document Meeting Agenda, Attendees and Outcomes
7. Collaborate with Like Businesses – Assess Once Where Possible
8. Implement an ongoing Business Associate Monitoring and Management Program

Slide 19: Cross Functional Team
– Member/Patient/Customer Services
– Utilization Review/Management
– IT
– Quality Assurance
– Legal
– Finance
– Compliance
– Risk Management
– Contracting
– Relationship Business Owner
– Etc…
Make it a Team Sport

Slide 20: Inventory All BAs
Who? What? When? How? To Whom? Where? In What Media? How Much?

Slide 21: Risk Rank-Order BAs
History? Volume? Nature? Location? Commitment? Compliance? Etc etc

Slide 22: Ice Breaker
“Dear Business Associate Prez:
1. Have you assessed your organization to ensure you are HIPAA-HITECH compliant?
2. Have you completed a bona fide HIPAA Security Risk Analysis?
3. Can you deliver against the provisions of our new HITECH-zed BA contract?
4. What Policies and Procedures have you put in place to monitor use, disclosure, privacy and security of PHI and ePHI?
5. Have your employees been properly trained?
6. Do your agents and subcontractors to whom you provide our PHI and ePHI agree to the same restrictions and conditions that you do?
…”

Slide 23: Update / Implement BA Contracts
SAMPLE BUSINESS ASSOCIATE AGREEMENT PROVISIONS (Published January 25, 2013)
http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
http://www.hhs.gov/hipaafaq/providers/covered/365.html
Implement BAAs with any downstream providers that create, receive, maintain or transmit PHI
“knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation”: must cure or terminate

Slide 24: Conduct BA Summit Meeting
1. Communicate YOUR commitment to privacy and security of all PHI
2. Engage with Business Associates directly on compliance requirements
3. Clarify requirements to do business with YOUR ORGANIZATION
4. Offer resources to assist BAs and Subcontractors
Proactively communicate what is necessary to meet the existing HIPAA requirements and the new requirements in the Omnibus Final Rule

Slide 25: BA Summit Agenda
Proactively Engage | Exercise Due Care
Module 1: (15 minutes) HIPAA and HITECH Overview and Review
Module 2: (15 minutes) Information Security and Privacy Principles
Module 3: (15 minutes) [Your Company] BA Agreement Requirements
Module 4: (15 minutes) Resources Available to Business Associates / Subcontractors

