HIPAA: Can you be guilty by association?

  1. Guilty by Association? HIPAA, HITECH, and the role of Business Associates
  3. Welcome!
     • Updating Business Associate requirements
     • The roles of BAs, Subcontractors and Agents
     • Amending Business Associate Agreements
     • New Violation Categories and Penalties
     • Audits, Remediation and Good Faith Efforts
  4. Changing BA Rules
     Prior to HITECH, management of ePHI security was loosely defined. The law required BAs to “use appropriate safeguards.” There was no standard relating to how data would be protected, and no way to validate whether the BA was actually following the standard.
  5. Changing BA Rules: Encryption and virus protection as cases in point
     • Laptops do not necessarily have discs encrypted
     • Workstation users often disable virus protection
     • System patching has also emerged as an issue
  6. Changing BA Rules: Best intentions created worst-case scenarios
     • Limited IT resources in many CEs
     • Too many IT issues to handle
     • BA changes inevitable given EMR adoption
  7. Redefining Business Associates
     BAs are “persons who, on behalf of a covered entity (but other than as members of the covered entity’s workforce) perform or assist in performing a function or activity that involves the use or disclosure of individually identifiable health information, or that otherwise is regulated by HIPAA.”
  8. Redefining Business Associates
     HITECH requires BAs to comply directly with Security Rule provisions directing implementation of administrative, physical and technical safeguards for ePHI and development and enforcement of related policies, procedures and documentation safeguards, including designation of a security official.
  9. Redefining Business Associates
     HITECH also imposes on the BA an obligation to comply directly with HIPAA BA safeguards, including limiting use and disclosure of ePHI as specified in the BAA or required by law, facilitating access and accounting for disclosures, opening books and records to DHHS, and returning or destroying all ePHI, if feasible, upon termination of the Business Associate Agreement.
  10. Redefining Business Associates
     HITECH deems a BA to violate HIPAA if the BA “knows of a pattern of activity or practice” by the CE that breaches their BAA and if the BA fails to cure the breach, terminate the BAA or report the non-compliance to DHHS.
  11. Subcontractors and Agents
     The BA must require subcontractors and agents to provide reasonable written assurance that they will comply with the same restrictions and conditions that apply to the BA under the terms of the BAA with respect to PHI.
  12. Required Capabilities: Accounting of Disclosures and Audit Trail issues
     • Accounting provision only covers “disclosures”
     • CEs and BAs must account for narrow category
     • Includes disclosures to law enforcement
  13. Required Capabilities: Protecting Data
     • BA restricts access to PHI via password, criteria
     • Servers in secured computer room; limited access
     • Data received and forwarded automatically
     • Archives and backups in fireproof safe
  14. Required Capabilities: Proper Disposal of Data
     • At end of BAA, data deleted from BA systems
     • No printed reports or paper copies retained by BA
     • Printed reports are shredded upon completion
  15. Required Capabilities: Privacy and Security Measures
     • Employees, contractors, subs, agents must sign
     • BA supports 128-bit encryption for all reports
     • Restricted access to PHI on need-to-know basis
     • Automatic expiration of passwords
     • Restricted access to computer room, servers
  16. Required Capabilities: Privacy and Security Measures
     • Mandatory HIPAA training for all employees
     • Monitored security system
     • Automated data backups, stored in safe
     • Automated virus checks
     • Employee termination security procedures
  17. Elements of BAAs
     • BA agrees not to use PHI outside requirements
     • BA agrees to use appropriate safeguards
     • BA mitigates disclosure that violates BAA
     • BA reports disclosures to CE
     • BA agrees to document disclosures
  18. Elements of BAAs
     • BAA specifies purposes for use of PHI
     • Functions, activities or services on behalf of CE
     • May use PHI to provide data aggregation to CE
     • May use PHI to report violations of the law
  19. Elements of BAAs
     • CE must notify BA of limitations in privacy practice
     • Notify BA of changes in PHI disclosure procedures
     • Notify BA of any restriction of PHI use, disclosure
  20. Elements of BAAs
     • BAA must set forth term and termination provision
     • Upon termination, BA returns or destroys PHI
     • Provision applies to subcontractor or agent PHI
     • BA shall retain no copies of PHI
     • If returning unfeasible, BA must specify conditions
  21. Amendments and Provisions
     There’s no clear consensus on the implications of HITECH for BAAs. Since HITECH directly regulates BAs and imposes new privacy and security obligations, there may be little need to update existing contracts. However, § 13401 and § 13404 mandate that HITECH security and privacy provisions be “incorporated into the BAA.” Your need to amend may depend on existing language and interpretation by the parties to the agreement.
  22. Making the Transition
     • CEs directly responsible for “workforce” conduct
     • “Workforce” includes employees, volunteers
     • Also trainees and others working under CE control
  23. Making the Transition
     A broader definition: Temporary employees, outsourced staff, BA employees who are, by contract, the responsibility of the CE are all part of the CE “workforce.” CEs that fail to properly respond to BA non-compliance may have violated HIPAA.
  24. Making the Transition
     Enhanced enforcement provisions in HITECH may prompt CEs to seek broader assurances from BAs – some form of indemnification. BAs are likely to seek protection for actions taken at the direction of the CE, and to impose other limits on liability in connection with the BAA.
  25. New Violation Categories
     The person did not know (and by exercising reasonable diligence, would not have known) that the action would lead to a violation: $100 per violation; total per CY $25,000
  26. New Violation Categories
     Reasonable cause (not willful neglect): $1,000 per violation; total per CY $100,000
  27. New Violation Categories
     Willful Neglect, corrected: $10,000 per violation; total per CY $250,000
  28. New Violation Categories
     Willful Neglect, uncorrected: $50,000 per violation; total per CY $1,500,000
  29. Audits, Remediation and Good Faith Efforts
     HIPAA audits are relatively new and still very rare. They include a site visit and an audit report. Site visits comprise interviews with stakeholders and examination of physical features of Health Information Systems. Site audits check physical safeguards, daily operations, adherence to policies and compliance with HIPAA requirements.
  30. Audits, Remediation and Good Faith Efforts
     HIPAA remediation addresses “gaps” identified via risk analysis. After “gap analysis” is complete, begin prioritizing remediation targets. “Quick hits” are key and can be anything your organization is confident will require little resources to correct ... and will often demonstrate “good faith” progress toward compliance.
  31. Audits, Remediation and Good Faith Efforts
     Remember ... problems will not all be of the same priority. Some problems will involve relatively flagrant or obvious violations of HIPAA privacy mandates. These generally need to be addressed as high priorities. Identify the resources needed to work through these issues first.
  32. Questions and Comments: HIPAA, HITECH, and the role of Business Associates