After the Omnibus Rule –
Who Can Touch Your e-PHI
Using a 3rd Party Vendor to Outsource Your e-PHI
Chad Kissinger
            Chad Kissinger is a Texas Internet pioneer. In 1994, Chad founded
            OnRamp as one of Texas’ first Internet operations companies that
            provided enterprises the ability to connect to and effectively utilize the
            Internet. Over the years, OnRamp (www.onr.com) has grown into a
            leading Data Center Operations company that delivers a full suite of
            services designed to help its customers effectively maintain the
            confidentiality, availability and integrity of their IT operations without the
            cost or effort of building and maintaining data center and IT infrastructure.

            Chad brings a wealth of experience, expertise and intimate knowledge in
            several areas of data center and Internet related technology, including:
            HIPAA compliance, cloud computing, data centers, virtualization and
            disaster recovery. Chad is a leader in the Internet community, and has
            been a founding member, President and Legislative Chair of the Texas
            Internet Service Provider Association. He is also a recognized expert on
            ISP issues and has testified in front of the Texas House of
            Representatives, the Texas Senate and the United States House
            Telecommunications Subcommittee on a variety of Internet related
            topics.
Learning Objectives

1. This presentation is intended to promote an understanding of
   the recent changes required by the HIPAA Omnibus Rule and
   Texas HB 300 in regards to third party IT relationships.

    This is not a comprehensive HIPAA or Omnibus Rule primer.

2. The goal of this presentation is to elicit a discussion and answer
   questions about forming relationships with providers of data
   services that will support your e-PHI.
Perspective

Lawyer
Healthcare Provider
Covered Entity
Traditional Business Associate

Data Center Providers, Cloud Providers,
SAS Providers, etc.
Overview
In the past, most providers of outsourced data services would execute Business Associate Agreements
(BAAs) that required them to only take “reasonable” care in protecting the e-PHI they dealt with. Others
declined to execute BAAs outright based on the conduit exception, a rule created for the US Postal
Service and their electronic analogues – essentially an exception to HIPAA compliance for those who
merely acted as a “conduit” for e-PHI. Covered Entities and their Business Associates wanted data
service providers who would relieve them of their own responsibilities and data service providers wanted
no responsibility – but still wanted the business.

The HIPAA Omnibus Rule and TX HB300 have clarified the responsibilities of Covered Entities, Business
Associates and their agents, with specific emphasis on the role of IT vendors. The conduit exception has
been clarified to only apply to the USPS (FedEx, etc.) and Internet and telephone service providers. It
does not apply to Business Associates who have persistent access to PHI.

The Omnibus Rule establishes direct liability for both the covered entity and the business associate,
even in the absence of a BAA. Subcontractors of Business Associates who handle e-PHI are also
Business Associates and each link in the chain from the covered entity on down has responsibility for
mistakes made “downstream”.

Now, more than ever, it is important for Covered Entities to seek out relationships with 3rd party vendors,
and particularly IT vendors, who both understand the law, as outlined by HIPAA and HITECH, and are
making a conscientious effort to achieve compliance under the HIPAA and HITECH Acts.

This presentation will cover the top issues Covered Entities and Business Associates should address
when considering outsourcing the handling of patient data.
Glossary of Terms – Informal Definitions
Protected Health Information (PHI) – Any information about health status, provision
of health care, or payment for health care that can be linked to a specific individual.
This is interpreted rather broadly and includes any part of a patient’s medical record
or payment history.

Electronic Protected Health Information (e-PHI) – PHI that is created, maintained
or transmitted electronically.

Covered Entity – A covered entity under HIPAA is a Health Care Provider, Health
Care Plan or Health Care Clearinghouse.

Business Associate – Any person or company, that is not a covered entity, that
“creates, receives, maintains or transmits” PHI for a covered entity or business
associate.

Business Associate Agreement – The agreement between a covered entity and a
business associate or between two Business Associates that clearly defines the
permitted uses of PHI and the roles and responsibilities of each regarding the
protection of PHI.
Glossary of Terms – Informal Definitions
Continued
Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect
individuals’ medical records and other personal health information and applies to
health plans, health care clearinghouses, and those health care providers that
conduct certain health care transactions electronically. The Rule requires appropriate
safeguards to protect the privacy of personal health information, and sets limits and
conditions on the uses and disclosures that may be made of such information without
patient authorization. The Rule also gives patients rights over their health
information, including rights to examine and obtain a copy of their health records, and
to request corrections.

Security Rule – The HIPAA Security Rule establishes national standards to protect
individuals’ electronic personal health information that is created, received, used, or
maintained by a covered entity. The Security Rule requires appropriate
administrative, physical and technical safeguards to ensure the
confidentiality, integrity, and security of electronic protected health information.
Glossary of Terms
Continued
Breach Notification Rule – The requirement that Covered Entities and Business
Associates notify patients when there has been an impermissible use or disclosure of
protected health information such that the use or disclosure poses a significant risk of
financial, reputational, or other harm to the affected individual. Breach Notification
can be triggered by simply losing control of protected health information (PHI) or
electronic protected health information (e-PHI), or by temporarily allowing others to have
access to the PHI or e-PHI.
Status Quo Ante
Before HITECH, data centers and other service providers would either
sign Business Associate Agreements (BAAs) stating they would
take “reasonable care,” or would claim the conduit exception.
Status Quo Ante
Continued
Customers (Covered Entities/Business Associates) - wary of
outsourcing or looked to providers that delivered services as “providing
compliance.”

Providers (should be Business Associates) - refused to acknowledge
responsibility or assumed an industry standard of low responsibility for
protection of data in system.

Custodians of e-PHI - either had to forgo the advantages of outsourcing or
deal with the risk of using providers not focused on HIPAA.
Provider’s Existing Regulatory Environments

Payment Card Industry (PCI)

Gramm-Leach-Bliley Act (GLBA)

SAS 70 (SSAE 16)
HITECH

HITECH established that Business Associates must comply
with HIPAA and implement the specific protections contained
in the Security Rule.
Texas Medical Records Privacy Act / HB300
•   Anyone who possesses, stores or obtains PHI is considered a covered
    entity.

     i.e. Business Associate = Covered Entity

•   HB 300 established the requirement for role based training.
The Final Omnibus Rule
The Role of Business Associates
• Business Associates are responsible for protecting PHI in their
  custody with or without a signed BAA (established direct liability).

• Business Associates are directly liable for their subcontractors’
  protection of PHI.

• Covered Entities are directly liable for the actions of their Business Associates and
  their Business Associates’ subcontractors.
The Final Omnibus Rule
The Conduit Exception
Conduit exception is explicitly limited to USPS and electronic analogues:

• The conduit exception does not apply to entities that have persistent
  access to PHI.

• Cloud computing & data center providers, etc. must comply with
  HIPAA, TMRPA and HB 300.
The Final Omnibus Rule
Additional Features
•   Covered Entities must receive “satisfactory assurances” from their
    Business Associates that their PHI will be protected (i.e. that the BA will
    follow HIPAA) and that their business associate will get similar
    assurances from their subcontractors.

•   “Risk of Harm” Standard for Breach Notification Rule eliminated.

•   Violations of “minimum necessary” principle regarded as security
    incidents that need to be properly evaluated for breach notification.
The Final Omnibus Rule
Risk Analysis – Breach or Security Incident
Covered Entities and Business Associates must conduct a risk analysis
after a breach or security incident that examines the probability of exposure
of the e-PHI rather than addressing the level of harm that an exposure
would cause as in the previous standards.
The Final Omnibus Rule
Risk Analysis - “Must Haves”
1.   The nature and extent of the PHI involved, including the types of
     identifiers and the likelihood of re-identification,

2.   The unauthorized person who used the PHI or to whom the disclosure
     was made,

3.   Whether the PHI was actually acquired or viewed; and

4.   The extent to which the risk to the PHI has been mitigated.
The Final Omnibus Rule
Security Incident Risk Analysis – The Result

“Presumption of Breach”

Unless the Security Incident Risk Analysis shows that there is a low
probability that the PHI has been compromised, there is a presumption that
the PHI has been compromised and Breach Notification must be
performed.
The Final Omnibus Rule
Breaches

Business Associates must report up the chain for breaches of unsecured
PHI in addition to security incidents.

i.e. Business Associates report to their Covered Entity partners and
Covered Entities report to individuals, the media, HHS, etc.
Implications
Covered Entities/Business Associates responsible for actions of their Business
Associates

I.     You can be indemnified, but you are still directly responsible for your
       business associate’s actions.

II.    Covered Entities and Business Associates are required to establish BAAs
       with their Business Associates and subcontractors.

III.   There must be coordination & supervision of the relationship between
       Covered Entities and Business Associates to ensure compliance.
Implications (cont.)
Ensuring Compliance
1.   Responsibility matrix defining the division of responsibilities between
     entities for the protection of PHI.

2.   Employee training designed to address the needs of the entity’s line of
     business and the employee’s scope of work.

3.   Partner’s media handling & sanitization policies.

4.   Information system development lifecycle.

5.   Cooperative policies between you and your Business Associate.

6.   Coordinated incident response procedures.
Key Takeaways
• You must strive to create relationships with
  knowledgeable, compliant Business Associates.

• You must make sure your Business Associates remain compliant
  in dealing with PHI.

• You and your Business Associates must have training for your
  employees that is designed to address their activities regarding
  PHI.
Workforce Security - Section: 164.308(a)(3)

Implementation Specification: Workforce Access (Required)
Description: Implement policies and procedures to ensure that all members of its
workforce have appropriate access to electronic protected health information, as
provided under paragraph (a)(4) of this section, and to prevent those workforce
members who do not have access under paragraph (a)(4) of this section from
obtaining access to electronic protected health information.
Customer Responsibility: Customer will determine who has logical or physical
access to Customer's systems at Provider's facilities or to systems provided by
Provider for Customer's use.
Provider Responsibility: Provider will restrict physical access to Customer's
systems and systems supplied by Provider for Customer's use to those authorized
by Customer and will only implement physical, logical or electronic changes to
Customer's systems upon direction from Customer authorized personnel.

Implementation Specification: Authorization and/or Supervision (Addressable)
Description: Implement procedures for the authorization and/or supervision of
workforce members who work with electronic protected health information or in
locations where it might be accessed.
Customer Responsibility: Customer will authorize and supervise all Customer
personnel and vendors interacting with the systems located at Provider's
facilities.
Provider Responsibility: Provider will authorize and supervise all Provider
personnel and vendors interacting with Customer systems located at Provider's
facilities.

Implementation Specification: Workforce Clearance Procedure (Addressable)
Description: Implement procedures to determine that the access of a workforce
member to electronic protected health information is appropriate.
Customer Responsibility: Customer will determine whether access is appropriate
for all Customer personnel and vendors.
Provider Responsibility: Provider will determine whether access is appropriate
for all Provider personnel and vendors.
Helpful Links
Security Rule
Privacy Rule
Breach Notification Rule
The HIPAA Omnibus Rule
Texas HB 300
Questions?
Contact
OnRamp Corporate Office
2916 Montopolis Drive, Suite 300
Austin, TX 78741
(512) 322-9200
(888) 667-2660
sales@onr.com




          Copyright © 2013 OnRamp - 2916 Montopolis Drive, Suite 300, Austin, Texas 78741

 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 

After the Omnibus Rule - Who Can Touch Your e-PHI Using a 3rd Party Vendor

  • 1. After the Omnibus Rule – Who Can Touch Your e-PHI: Using a 3rd Party Vendor to Outsource Your e-PHI
  • 2. Chad Kissinger Chad Kissinger is a Texas Internet pioneer. In 1994, Chad founded OnRamp as one of Texas’ first Internet operations companies that provided enterprises the ability to connect to and effectively utilize the Internet. Over the years, OnRamp (www.onr.com) has grown into a leading Data Center Operations company that delivers a full suite of services designed to help its customers effectively maintain the confidentiality, availability and integrity of their IT operations without the cost or effort of building and maintaining data center and IT infrastructure. Chad brings a wealth of experience, expertise and intimate knowledge in several areas of data center and Internet related technology, including: HIPAA compliance, cloud computing, data centers, virtualization and disaster recovery. Chad is a leader in the Internet community, and has been a founding member, President and Legislative Chair of the Texas Internet Service Provider Association. He is also a recognized expert on ISP issues and has testified in front of the Texas House of Representatives, the Texas Senate and the United States House Telecommunications Subcommittee on a variety of Internet related topics.
  • 3. Learning Objectives
    1. This presentation is intended to promote an understanding of the recent changes required by the HIPAA Omnibus Rule and Texas HB 300 in regards to third party IT relationships.
       This is not a comprehensive HIPAA or Omnibus Rule primer.
    2. The goal of this presentation is to elicit a discussion and answer questions about forming relationships with providers of data services that will support your e-PHI.
  • 4. Perspective
    • Lawyer
    • Healthcare Provider
    • Covered Entity
    • Traditional Business Associate
    • Data Center Providers, Cloud Providers, SAS Providers, etc.
  • 5. Overview
    In the past, most providers of outsourced data services would execute Business Associate Agreements (BAAs) that required them to only take “reasonable” care in protecting the e-PHI they dealt with. Others declined to execute BAAs outright based on the conduit exception, a rule created for the US Postal Service and their electronic analogues – essentially an exception to HIPAA compliance for those who merely acted as a “conduit” for e-PHI. Covered Entities and their Business Associates wanted data service providers who would relieve them of their own responsibilities, and data service providers wanted no responsibility – but still wanted the business.
    The HIPAA Omnibus Rule and TX HB300 have clarified the responsibilities of Covered Entities, Business Associates and their agents, with specific emphasis on the role of IT vendors. The conduit exception has been clarified to only apply to the USPS (FedEx, etc.) and Internet and telephone service providers. It does not apply to Business Associates who have persistent access to PHI. The Omnibus Rule establishes direct liability for both the covered entity and the business associate, even in the absence of a BAA. Subcontractors of Business Associates who handle e-PHI are also Business Associates, and each link in the chain from the covered entity on down has responsibility for mistakes made “downstream”.
    Now, more than ever, it is important for Covered Entities to seek out relationships with 3rd party vendors, and particularly IT vendors, who both understand the law, as outlined by HIPAA and HITECH, and are making a conscientious effort to achieve compliance under the HIPAA and HITECH Acts.
    This presentation will cover the top issues Covered Entities and Business Associates should address when considering outsourcing the handling of patient data.
  • 6. Glossary of Terms – Informal Definitions
    Protected Health Information (PHI) – Any information about health status, provision of health care, or payment for health care that can be linked to a specific individual. This is interpreted rather broadly and includes any part of a patient’s medical record or payment history.
    Electronic Protected Health Information (e-PHI) – PHI that is created, maintained or transmitted electronically.
    Covered Entity – A covered entity under HIPAA is a Health Care Provider, Health Care Plan or Health Care Clearinghouse.
    Business Associate – Any person or company, that is not a covered entity, that “creates, receives, maintains or transmits” PHI for a covered entity or business associate.
    Business Associate Agreement – The agreement between a covered entity and a business associate, or between two Business Associates, that clearly defines the permitted uses of PHI and the roles and responsibilities of each regarding the protection of PHI.
  • 7. Glossary of Terms – Informal Definitions Continued
    Privacy Rule – The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
    Security Rule – The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
  • 8. Glossary of Terms Continued
    Breach Notification Rule – The requirement that Covered Entities and Business Associates notify patients when there has been an impermissible use or disclosure of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Breach Notification can be triggered by simply losing control of protected health information (PHI) or electronic protected health information (e-PHI), or by temporarily allowing others to have access to the PHI or e-PHI.
  • 9. Status Quo Ante
    Before HITECH, data centers and other service providers would sign Business Associate Agreements (BAAs) stating they would take “reasonable care”; others would claim the conduit exception.
  • 10. Status Quo Ante Continued
    Customers (Covered Entities/Business Associates) - wary of outsourcing, or looked to providers that delivered services as “providing compliance.”
    Providers (should be Business Associates) - refused to acknowledge responsibility, or assumed an industry standard of low responsibility for protection of data in the system.
    Custodians of e-PHI - either had to forgo the advantages of outsourcing or deal with the risk of using providers not focused on HIPAA.
  • 11. Provider’s Existing Regulatory Environments
    • Payment Card Industry (PCI)
    • Gramm-Leach-Bliley Act (GLBA)
    • SAS 70 (SSAE 16)
  • 12. HITECH
    HITECH established that Business Associates must comply with HIPAA and implement the specific protections contained in the Security Rule.
  • 13. Texas Medical Records Privacy Act / HB300
    • Anyone who possesses, stores or obtains PHI is considered a covered entity, i.e. Business Associate = Covered Entity.
    • HB 300 established the requirement for role-based training.
  • 14. The Final Omnibus Rule
    The Role of Business Associates
    • Business Associates are responsible for protecting PHI in their custody with or without a signed BAA (established direct liability).
    • Business Associates are directly liable for their subcontractors’ protection of PHI.
    • Covered Entities are directly liable for their Business Associates’ and their Business Associates’ subcontractors’ actions.
  • 15. The Final Omnibus Rule
    The Conduit Exception
    The conduit exception is explicitly limited to the USPS and electronic analogues:
    • The conduit exception does not apply to entities that have persistent access to PHI.
    • Cloud computing & data center providers, etc. must comply with HIPAA, TMRPA and HB 300.
  • 16. The Final Omnibus Rule
    Additional Features
    • Covered Entities must receive “satisfactory assurances” from their Business Associates that their PHI will be protected (i.e. that the BA will follow HIPAA) and that their business associate will get similar assurances from their subcontractors.
    • “Risk of Harm” Standard for Breach Notification Rule eliminated.
    • Violations of the “minimum necessary” principle are regarded as security incidents that need to be properly evaluated for breach notification.
  • 17. The Final Omnibus Rule
    Risk Analysis – Breach or Security Incident
    Covered Entities and Business Associates must conduct a risk analysis after a breach or security incident that examines the probability of exposure of the e-PHI, rather than addressing the level of harm that an exposure would cause as in the previous standards.
  • 18. The Final Omnibus Rule
    Risk Analysis - “Must Haves”
    1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
    2. The unauthorized person who used the PHI or to whom the disclosure was made;
    3. Whether the PHI was actually acquired or viewed; and
    4. The extent to which the risk to the PHI has been mitigated.
  • 19. The Final Omnibus Rule
    Security Incident Risk Analysis – The Result: “Presumption of Breach”
    Unless the Security Incident Risk Analysis shows that there is a low probability that the PHI has been compromised, there is a presumption that the PHI has been compromised and Breach Notification must be performed.
  • 20. The Final Omnibus Rule
    Breaches
    Business Associates must report up the chain for breaches of unsecured PHI in addition to security incidents, i.e. Business Associates report to their Covered Entity partners, and Covered Entities report to individuals, the media, HHS, etc.
  • 21. Implications
    Covered Entities/Business Associates are responsible for the actions of their Business Associates
    I. You can be indemnified, but you are still directly responsible for your business associate’s actions.
    II. Covered Entities and Business Associates are required to establish BAAs with their Business Associates and subcontractors.
    III. There must be coordination & supervision of the relationship between Covered Entities and Business Associates to ensure compliance.
  • 22. Implications (cont.)
    Ensuring Compliance
    1. Responsibility matrix defining the division of responsibilities between entities for the protection of PHI.
    2. Employee training designed to address the needs of the line of business of the entity and the employees’ scope of work.
    3. Partner’s media handling & sanitization policies.
    4. Information system development lifecycle.
    5. Cooperative policies between you and your Business Associate.
    6. Coordinated incident response procedures.
  • 23. Key Takeaways
    • You must strive to create relationships with knowledgeable, compliant Business Associates.
    • You must make sure your Business Associates remain compliant in dealing with PHI.
    • You and your Business Associates must have training for your employees that is designed to address their activities regarding PHI.
  • 24. Workforce Security - Section: 164.308(a)(3)
    Responsibility matrix (columns of the original table: Implementation Specification, Description, Required or Addressable, Customer Responsibility, Provider Responsibility)
    Implementation Specification: Workforce Access (Required)
      Description: Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information.
      Customer Responsibility: Customer will determine who has logical or physical access to Customer's systems at Provider's facilities or to systems provided by Provider for Customer's use.
      Provider Responsibility: Provider will restrict physical access to Customer's systems and systems supplied by Provider for Customer's use to those authorized by Customer, and will only implement physical, logical or electronic changes to Customer's systems upon direction from Customer authorized personnel.
    Implementation Specification: Authorization and/or Supervision (Addressable)
      Description: Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed.
      Customer Responsibility: Customer will authorize and supervise all Customer personnel and vendors interacting with the systems located at Provider's facilities.
      Provider Responsibility: Provider will authorize and supervise all Provider personnel and vendors interacting with Customer systems located at Provider's facilities.
    Implementation Specification: Workforce Clearance Procedure (Addressable)
      Description: Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.
      Customer Responsibility: Customer will determine whether access is appropriate for all Customer personnel and vendors.
      Provider Responsibility: Provider will determine whether access is appropriate for all Provider personnel and vendors.
  • 25. Helpful Links
    • Security Rule
    • Privacy Rule
    • Breach Notification Rule
    • The HIPAA Omnibus Rule
    • Texas HB 300
  • 27. Contact
    OnRamp Corporate Office
    2916 Montopolis Drive, Suite 300
    Austin, TX 78741
    (512) 322-9200
    (888) 667-2660
    sales@onr.com
    Copyright © 2013 OnRamp - 2916 Montopolis Drive, Suite 300, Austin, Texas 78741