Business Associate HIPAA Compliance Impact on the Business Associate and Covered Entities


Notes

  • Definition of “Business Associate”: A “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. Source: United States Department of Health and Human Services, Office of Civil Rights [45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)]. If you would like a copy of the law, send me an email.
  • The business associate contract establishes the permitted and required uses and disclosures of such information by the business associate. The contract may permit the business associate to provide services relating to the health care operations of the covered entity. It calls for the implementation of reasonable and appropriate administrative, physical, and technical safeguards to prevent use or disclosure of the information other than as provided for by its contract.
  • Appropriated funds to be provided as individual reimbursement to physicians who adopt and “meaningfully use” Electronic Medical Records. Appropriated funds to educate the workforce in Health Information Technology. Tightened guidelines and enforcement around HIPAA. (Add pictures: a cement mixer; a picture of something that has changed, such as old-style football versus new-style football.)
  • Physician Attestation for Meaningful Use: Meaningful Use measure #15 calls for a HIPAA Risk Assessment and Remediation. Improved Enforcement: maximum fines raised from $25,000 to $1.5MM per calendar year for serious offenses; categories of violations. HIPAA ignorance no longer tolerated. Business Associates now have the same HIPAA responsibilities as the Covered Entities they service: implied accountability, whether a Business Associate Contract/Agreement is in place or not; Breach Notifications include Business Associate and Covered Entity. Why the focus on Business Associates?
  • Drop the first line, “Total Breach”.
  • Animate by box, from left to right.
  • Animate by box.
  • Animate by questions.
  • Does EMR = Compliance? No. Home Health Care / Hospice / Long Term Care: adherence to the referring entity’s privacy and security policies; HIPAA Compliance with respect to internal operating policies. Document Destruction: documented media destruction processes and policies; Document Destruction Company HIPAA Compliance with respect to internal operating policies.
  • Office of Civil Rights: currently developing a list of HIPAA Compliance Audit candidates; KPMG has developed the audit process and will begin auditing activities in Fall 2011. Individual state’s Office of Attorney General: on behalf of the public; currently completing training through OCR on HIPAA enforcement.
  • Graphic of a guy taking a step. Industry calls this a “risk assessment”.
  • Need copies of the rule? Send me a message. Seed questions: How much does this cost? Complete turnkey services start at $2,500. How long does this take? The risk assessment can be completed within 2 weeks. I understand that HIPAA is a lot of policies; how do I address developing all of the policies? We have policy templates and often assist clients in the development.

Transcript

  • 1. Joe Dylewski, Health Care Management. © 2012 Health Care Management
  • 2. ▪ HIPAA, HITECH, and The Business Associate ▪ Relationships with Healthcare Entities and Medical Practices ▪ Next Steps ▪ Summary and Q/A
  • 3. IT Service Providers: MSPs 600K+ MSSPs
  • 4. ▪ Defining the “certain functions or activities” ▪ Disclosures ▪ Services ▪ Reasonable and Appropriate Safeguards
  • 5. HIPAA Title II, Administrative Simplification: Privacy Rule; Security Rule; Electronic Data Interchange (Transaction and Code Sets). Security Rule safeguards: Administrative Safeguards (45 CFR 164.308); Physical Safeguards (45 CFR 164.310); Technical Safeguards (45 CFR 164.312).
  • 6. What is HITECH? HITECH: The Health Information Technology for Economic Recovery and Reinvestment Act of 2009. ▪ Meaningful Use ▪ Education ▪ HIPAA Enforcement
  • 7. What changed relative to HIPAA? ▪ Physician Attestation for Meaningful Use ▪ Improved Enforcement ▪ HIPAA ignorance no longer tolerated ▪ Business Associates now have the same HIPAA responsibilities as the Covered Entities they service
  • 8. Key Statistics (Source: U.S. Department of Health and Human Services HIPAA Breach Notifications, September 2009 to May 2012). © 2011 ATMP Solutions

        Category                          Total        No BA Involved   BA Involved
        Breaches (percent of total)       100%         79%              21%
        Total Individuals Affected        21,021,132   8,917,133        12,103,999
        Percent of Total                  100%         42%              58%
        Average Individuals per Breach    43,076       23,101           118,667

  • 9. Categories of violation, plotted on a scale labelled “Increasing Degree of HIPAA Compliance Effort” and “Decreasing Degree of HIPAA Compliance Risk”: “By exercising reasonable diligence would not have known”; “Due to Willful Neglect if the violation is not corrected”; “Due to Willful Neglect if the violation is corrected”; “Due to Reasonable Cause and not Willful Neglect”.
  • 10. Increasing Degree of HIPAA Compliance Effort by Covered Entity and Business Associate, and Decreasing Degree of HIPAA Compliance Risk to Covered Entity, in this order: No Business Associate Contract in place; Business Associate Contract in place; Business Associate conducted Risk Assessment; Business Associate is taking necessary steps to compliance; Business Associate has proof of HIPAA Compliance.
  • 11. ▪ Is the Covered Entity responsible for their Business Associate’s HIPAA Compliance, or vice versa? No. ▪ Is the Covered Entity responsible for engaging in relationships with HIPAA Compliant Business Associates? Yes. ▪ If the Business Associate claims HIPAA Compliance, does this imply that the Covered Entity is HIPAA Compliant? No.
  • 12. Solution: Electronic Medical Record. Institutional Compliance: HIPAA Compliant EMR hosted in a HIPAA Compliant Facility. Compliance: EMR Company HIPAA Compliance with respect to internal operating policies.
  • 13.–15. Diagram (the same diagram on slides 13, 14 and 15): Physician Practice; Health System; EMR; Health Information Exchange (HIE); Private Cloud / Data Center; DR Site; Insurance Company; IT Services; Lab; Document Destruction.
  • 16. Privacy / Security Compliance: Policy; Proof.
  • 17. ▪ United States Department of Health and Human Services ▪ Office of Civil Rights ▪ Individual state’s Office of The Attorney General
  • 18. ▪ Treat HIPAA compliance with the same degree of diligence and urgency as Accounting, Taxes, and the IRS ▪ Start with a simple checklist of areas that need to be addressed ▪ A.K.A. Risk Assessment
  • 19. Questions and Answers. jdylewski@healthcaremgt.net, 616.977.2679