Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

1Copyright 2007-2015
Business Associates:
How to become HIPAA
compliant, increase
revenue, and gain
new clients

Federal Regulations
§  HIPAA: Health Insurance and Portability Accountability
Act of 1996
•  Purpose: to protect confidential information through
improved security and privacy standards
§  HITECH: The Health Information Technology for Economic
and Clinical Health Act, enacted as part of the
American Recovery and Reinvestment Act of 2009
§  Omnibus Rule of 2013

Entities Defined
§  Covered Entity (CE): Health care providers, health plans,
health care clearinghouses who electronically transmit
any Protected Health Information (PHI)
§  Business Associate (BA): Create, receive, maintain or
transmit PHI on behalf of a Covered Entity (CE)
§  Subcontractor: Create, receive, maintain or transmit PHI
on behalf of a BA

Are You A Business Associate?
Examples:
§  IT Support and Software Vendors
§  IT Equipment Vendors
§  Leasing firms
§  Telephone CPE Vendors
§  Shredding Vendors
§  Data Centers
§  Cloud Computing Providers
§  Answering Services for Medical Offices
§  Medical Billing Services
§  Medical Transcriptions Services
§  Medical Collection Agencies
§  Temporary Employment Agencies

Omnibus Rule
§  Substantially increased the magnitude of HIPAA
enforcement risk and liability
§  Before Omnibus: BAs/Subcontractors regulated through
Business Associate Agreements (BAAs)
§  After Omnibus: BAs/Subcontractors are now regulated
directly under HIPAA:
•  Comply with HIPAA Security Rule
•  Comply with a specific section of the HITECH Breach
Notification Rule
•  Comply with all applicable provisions of the Privacy Rule
•  Still need to provide BAA

Business Associate Agreement
Agreement between the CE and BA to govern the
BA’s creation, use, maintenance and disclosure of PHI.
§  Must comply with HIPAA Security and Privacy Rules
§  BAAs have ALWAYS been required by HIPAA
§  After Omnibus – Require reciprocal monitoring by the BA CE
§  Subcontractors of BAs are treated as BAs as well

Your Liabilities
Business associates are directly liable for:
1.  Impermissible uses and disclosures
2.  Failure to provide breach notification to the CE
3.  Failure to provide access to a copy of ePHI to either the
CE the individual, or the individual’s designee
4.  Failure to disclose PHI where required by the HHS to
investigate or determine the BA’s HIPAA compliance
5.  Failure to follow Minimum Necessary standard when
using or disclosing
6.  Failure to provide an accounting of disclosures

Penalties For Non-Compliance
Violaon
Category

Secon
1176(a)(1)

Each
Violaon
All
such
violaons
of
an

idencal
provision
in
a

calendar
year
(A)
Did
Not
Know
$100
to
Max
$50,000 $1,500,000
(B)
Reasonable
Cause
$1,000
to
Max
$50,000 $1,500,000
(C)(i)
Willful
Neglect-‐
Corrected

$10,000
to
Max
$50,000 $1,500,000
(C)(ii)
Willful
Neglect-‐Not

Corrected
$50,000 $1,500,000
Before Omnibus: No more than $100 per violation or $25,000
for all identical violations
After Omnibus: Violations é, no more “Did Not Know” defense

Willful Neglect
§  NO plan to show you are working towards FULL compliance
despite not being compliant at the moment.
§  NO visible demonstrable evidence that you are either in
compliance or making a serious attempt at compliance
§  You have legal documents but they do not meet the specific
requirements of the regulations
§  You have are legal documents/manuals but NO policies and
procedures to support said documents

What You NEED To Do
Your Compliance Requirements as a Business Associate:
1) Security Management
§  Risk assessment, Risk management
2) Assigned Security Responsibility
3) Information Access Management
4) Workforce Security
5) Employee Training
6) Security Incident Plan
7) Contingency Plan
8) Evaluation – Annual/periodic evaluation

Compliance Plan
Step 1. Assess where you are against the regulation
(GAP)
•  The key to a risk analysis is auditing yourself against
the administrative, technical, and physical aspects of
HIPAA
Step 2. Remediation Plan
•  Prove that you remediated the deficiencies identified in
the risk analysis
•  Policies Procedures, Training, and Attestation

Compliance Plan (Continued)
Step 3. How do you prove it? Successful compliance
plans address:
•  Administration and Technical
§ Policies and Procedures
•  IT security
§ Devices installed and maintained within your organization
•  Physical
§ Security within physical locations of your practice(s)
Step 4. Maintain your compliance
•  As the regulations, staff, and practice changes

To Be, Or Not To Be…
§  Protect you and your clients’ reputations
§  Limit your liabilities
•  Protect PHI
§  Differentiate your company
•  Retain Clients
•  Obtain New Clients
This is a Federal Mandate

Health Care Industry
$44
BillionIncentive
Dollars Paid
3-5
Million
CE’S BA’S
70-79%
Are NOT
Compliant
§  Heavy Enforcement
§  In the News
§  Reputation vs. Fines

Nonprofit
(Alaska)
Pharmacy
(Colorado)
Hospital
(Texas)
Anthem
§  Indiana Dentist – License
Permanently Revoked for
“Mishandling medical records”
§  Denver Pharmacy – “ failed to
provide training as required by
the Privacy Rule.”
§  Alaskan Nonprofit – “policies
and procedures were not
followed and/or updated.”
§  Wellpoint Inc. – $1.7 Million
settlement caused by a BA
performing software upgrade
Trends in HIPAA Enforcement
Dentist
(Indiana)

A Risk Assessment is only a part of HIPAA compliance.
ALL aspects of HIPAA are needed to pass an audit.
•  70% of Covered Entities are not compliant
•  79% of Covered Entities fail their Meaningful Use audit
CEs fail to understand the difference between HIPAA and HITECH.
The Big Misconception
“I completed a Risk Assessment, I’m HIPAA Compliant.”
1:
CMS
Compliance
Reviews,
“HIPAA
Compliance
Review
Analysis
and
Summary
of
Results”

2:
hQp://www.healthcare-‐informaTcs.com/arTcle/ocr-‐audits-‐forewarned-‐forearmed

“Problems were discovered with
most or all CE’s policies and
procedures including those for
performing Risk Assessments”1
“89% of the entities audited were non-
compliant in one or more areas. Security
Rule issues accounted for 60% of the
findings and observations, while the
Privacy and Breach Notification
Rules yielded 30% and 10%
respectively”2

*:
Stats
compiled
from
2015
Webinar
“A
Risk
Assessment
is
Not
Enough.”

Partnership Program
§  Best solution in the market
•  Designed by Auditors for HIPAA, PCI GLB
•  Culture of Compliance for the end user
•  TOTAL compliance solution
•  Compliance Coaching
§  Sales Marketing Support
§  Flexible options for New Revenue
Streams
•  Affiliate Referral
•  Reseller

For more information, contact:
Sales Demo Scheduling
Questions
Marc Haskelson
855.854.4722 ext 507
marc@compliancygroup.com
HIPAA Questions
Bob Grant
855.854.4722 ext 502
bob@compliancygroup.com

www.compliancy-group.com
855.85 HIPAA (855.854.4722)
HIPAA Compliant
Audits
Security,
Administrative,
Privacy
Remediation
Planning
Policies,
Procedures
Training
Business
Associate
Management
Document
Version
Employee
Attestation
Tracking
Incident
Management
Illustrate
Seal of Compliance
Maintain
HIPAA Hotline
Achieve
Compliance Coaching
Compliance
Simplified
Find out more now:
The Total Compliance Solution
The Guard
u  All aspects of
compliance satisfied
u  Compliance
simplified!
u  Compliance Coach
walks the client
through the whole
journey
u  No client has ever
failed an audit!

Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients

Similar to Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients (20)

More from Compliancy Group

More from Compliancy Group (20)

Recently uploaded

Recently uploaded (20)

Business Associates: How to become HIPAA compliant, increase revenue, and gain new clients