Since the Omnibus Rule took effect in 2013, Business Associates (BAs) have scrambled to understand and adhere to the Federal Regulation. Though Omnibus alone was reason enough for Business Associates to become compliant, many realized that compliance could also differentiate their offerings, helping the company retain and acquire new clients. Compliance is helping many BAs open new revenue streams while increasing brand stickiness.
With the plethora of non-compliant Business Associates, Covered Entities are realizing that their best option is to choose a compliant BA to reduce their risk.
2. Copyright 2007-2015
Federal Regulations
§ HIPAA: Health Insurance Portability and Accountability
Act of 1996
• Purpose: to protect confidential information through
improved security and privacy standards
§ HITECH: The Health Information Technology for Economic
and Clinical Health Act, enacted as part of the
American Recovery and Reinvestment Act of 2009
§ Omnibus Rule of 2013
Entities Defined
§ Covered Entity (CE): Health care providers, health plans,
health care clearinghouses who electronically transmit
any Protected Health Information (PHI)
§ Business Associate (BA): Create, receive, maintain or
transmit PHI on behalf of a Covered Entity (CE)
§ Subcontractor: Create, receive, maintain or transmit PHI
on behalf of a BA
Are You A Business Associate?
Examples:
§ IT Support and Software Vendors
§ IT Equipment Vendors
§ Leasing firms
§ Telephone CPE Vendors
§ Shredding Vendors
§ Data Centers
§ Cloud Computing Providers
§ Answering Services for Medical Offices
§ Medical Billing Services
§ Medical Transcriptions Services
§ Medical Collection Agencies
§ Temporary Employment Agencies
Omnibus Rule
§ Substantially increased the magnitude of HIPAA
enforcement risk and liability
§ Before Omnibus: BAs/Subcontractors regulated through
Business Associate Agreements (BAAs)
§ After Omnibus: BAs/Subcontractors are now regulated
directly under HIPAA:
• Comply with HIPAA Security Rule
• Comply with a specific section of the HITECH Breach
Notification Rule
• Comply with all applicable provisions of the Privacy Rule
• Still need to provide BAA
Business Associate Agreement
Agreement between the CE and BA to govern the
BA’s creation, use, maintenance and disclosure of PHI.
§ Must comply with HIPAA Security and Privacy Rules
§ BAAs have ALWAYS been required by HIPAA
§ After Omnibus – Requires reciprocal monitoring by the BA and the CE
§ Subcontractors of BAs are treated as BAs as well
Your Liabilities
Business associates are directly liable for:
1. Impermissible uses and disclosures
2. Failure to provide breach notification to the CE
3. Failure to provide access to a copy of ePHI to either the
CE, the individual, or the individual’s designee
4. Failure to disclose PHI where required by the HHS to
investigate or determine the BA’s HIPAA compliance
5. Failure to follow Minimum Necessary standard when
using or disclosing
6. Failure to provide an accounting of disclosures
Penalties For Non-Compliance
Violation Category (Section 1176(a)(1)) | Each Violation | All such violations of an identical provision in a calendar year
(A) Did Not Know | $100 to Max $50,000 | $1,500,000
(B) Reasonable Cause | $1,000 to Max $50,000 | $1,500,000
(C)(i) Willful Neglect - Corrected | $10,000 to Max $50,000 | $1,500,000
(C)(ii) Willful Neglect - Not Corrected | $50,000 | $1,500,000
Before Omnibus: No more than $100 per violation or $25,000
for all identical violations
After Omnibus: Violation penalties increased, no more “Did Not Know” defense
Willful Neglect
§ NO plan to show you are working towards FULL compliance
despite not being compliant at the moment.
§ NO visible demonstrable evidence that you are either in
compliance or making a serious attempt at compliance
§ You have legal documents but they do not meet the specific
requirements of the regulations
§ You have legal documents/manuals but NO policies and
procedures to support said documents
What You NEED To Do
Your Compliance Requirements as a Business Associate:
1) Security Management
§ Risk assessment, Risk management
2) Assigned Security Responsibility
3) Information Access Management
4) Workforce Security
5) Employee Training
6) Security Incident Plan
7) Contingency Plan
8) Evaluation – Annual/periodic evaluation
Compliance Plan
Step 1. Assess where you are against the regulation
(GAP)
• The key to a risk analysis is auditing yourself against
the administrative, technical, and physical aspects of
HIPAA
Step 2. Remediation Plan
• Prove that you remediated the deficiencies identified in
the risk analysis
• Policies, Procedures, Training, and Attestation
Compliance Plan (Continued)
Step 3. How do you prove it? Successful compliance
plans address:
• Administration and Technical
§ Policies and Procedures
• IT security
§ Devices installed and maintained within your organization
• Physical
§ Security within physical locations of your practice(s)
Step 4. Maintain your compliance
• As the regulations, staff, and practice changes
To Be, Or Not To Be…
§ Protect you and your clients’ reputations
§ Limit your liabilities
• Protect PHI
§ Differentiate your company
• Retain Clients
• Obtain New Clients
This is a Federal Mandate
Health Care Industry
$44 Billion incentive dollars paid
3-5 Million CEs and BAs
70-79% are NOT compliant
§ Heavy Enforcement
§ In the News
§ Reputation vs. Fines
Trends in HIPAA Enforcement
[Map callouts: Dentist (Indiana), Pharmacy (Colorado), Nonprofit (Alaska), Hospital (Texas), Anthem]
§ Indiana Dentist – License permanently revoked for
“Mishandling medical records”
§ Denver Pharmacy – “failed to provide training as required by
the Privacy Rule.”
§ Alaskan Nonprofit – “policies and procedures were not
followed and/or updated.”
§ Wellpoint Inc. – $1.7 Million settlement caused by a BA
performing software upgrade
The Big Misconception
“I completed a Risk Assessment, I’m HIPAA Compliant.”
A Risk Assessment is only a part of HIPAA compliance.
ALL aspects of HIPAA are needed to pass an audit.
• 70% of Covered Entities are not compliant
• 79% of Covered Entities fail their Meaningful Use audit
CEs fail to understand the difference between HIPAA and HITECH.
“Problems were discovered with most or all CE’s policies and
procedures including those for performing Risk Assessments” [1]
“89% of the entities audited were non-compliant in one or more areas.
Security Rule issues accounted for 60% of the findings and observations,
while the Privacy and Breach Notification Rules yielded 30% and 10%
respectively” [2]
1: CMS Compliance Reviews, “HIPAA Compliance Review Analysis and Summary of Results”
2: http://www.healthcare-informatics.com/article/ocr-audits-forewarned-forearmed
Partnership Program
§ Best solution in the market
• Designed by Auditors for HIPAA, PCI, GLB
• Culture of Compliance for the end user
• TOTAL compliance solution
• Compliance Coaching
§ Sales and Marketing Support
§ Flexible options for New Revenue Streams
• Affiliate Referral
• Reseller
For more information, contact:
Sales, Demo Scheduling, Questions:
Marc Haskelson, 855.854.4722 ext 507, marc@compliancygroup.com
HIPAA Questions:
Bob Grant, 855.854.4722 ext 502, bob@compliancygroup.com
www.compliancy-group.com
855.85 HIPAA (855.854.4722)
The Total Compliance Solution: The Guard – Compliance Simplified
[Product graphic – Achieve, Illustrate, Maintain: HIPAA Compliant Audits (Security, Administrative, Privacy); Remediation Planning; Policies, Procedures, Training; Business Associate Management; Document Version; Employee Attestation Tracking; Incident Management; Seal of Compliance; HIPAA Hotline; Compliance Coaching]
Find out more now:
§ All aspects of compliance satisfied
§ Compliance simplified!
§ Compliance Coach walks the client through the whole journey
§ No client has ever failed an audit!