Presentation designed to explain to Business Associates the basics of HIPAA, with real-life examples of cases that failed to implement and follow HIPAA requirements in a timely manner.
2. HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
• CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
• OCR’s investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures, and access controls.
https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf (PDF)
3. $750,000 settlement highlights the need for HIPAA business associate agreements
• Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning over PHI to a potential business partner.
• The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
4. Business Associate’s Failure to Safeguard Nursing Home Residents’ PHI Leads to $650,000 HIPAA Settlement
• Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device.
• CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
5. What is HIPAA?
HIPAA is a federal law that:
• Provides Portability: protects and guarantees health insurance coverage when an employee changes jobs
• Provides Accountability: protects health data integrity, confidentiality, and availability
• Sets National Standards for Electronic Data Transmission Transactions (eligibility, claims, payment, and others) and identifiers
  • Standard medical codes (e.g., ICD-9, CPT-4, ICD-10)
• Sets National Standards for the Protection of Health Information
  • Privacy (operational, consumer control, administration)
  • Security (administrative, physical, technical, network)
6. HIPAA
Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability and Renewability
• Title II
  • Preventing Health Care Fraud and Abuse
  • Medical Liability Reform
  • Administrative Simplification
    • Electronic Data Interchange: Transactions, Identifiers, Code Sets
    • Privacy
    • Security
      • Security Standards: General Rules
      • Administrative Standards
      • Technical Standards
      • Physical Standards
      • Organizational Requirements
      • Policies and Procedures and Documentation Requirements
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
7. HIPAA Specifics
• Title One: "Health care access, portability and renewability." Employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions.
• Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform." Defines new requirements for privacy and security of individually identifiable patient information.
  • Electronic health transaction standards and code sets - the implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems
  • Unique Identifiers - a system that uses one identification number per employer, health plan or payer and health care provider to simplify administration
  • Security - safeguarding the storage of, access to and transmission of electronic patient information
  • Privacy - generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records and learn details of certain disclosures of their records.
• Title Three: "Tax-related health provisions." Standardizes the amount you can save per person in a pre-tax medical savings account.
• Title Four: "Application and enforcement of group health plan requirements." Broadens information on insurance reform provisions and provides detailed explanations.
• Title Five: "Revenue offsets." Regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.
9. HIPAA Intersections
There are several similarities between Privacy and Security:
Privacy
• Security Awareness & Training
• Business Associate Contracts
• Privacy Officers for All Entities
• Multi-disciplinary Work Groups
Security
• Security Awareness & Training
• Business Associate Contracts
• Security Liaisons for All Entities
• Multi-disciplinary Work Groups
10. Privacy vs Security
• Privacy. Protects the rights of individuals and their information in any medium.
• Security. Protects electronic information. Specifies standards that must be met based on three basic areas:
  • Administrative
  • Physical
  • Technical
11. Key Elements
• Covered Entity. Refers to a health care provider, health plan and/or a healthcare clearinghouse that transmits health information in electronic format in connection with a transaction covered under HIPAA.
• Health information. Refers to any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual.
• Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual.
• Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media.
• Business Associate. Refers to an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.
12. Key Concepts
• Uses and Disclosures. Refers to appropriate uses of PHI and the conditions under which disclosures may be authorized.
• Individual Rights. Refers to specific legal and enforceable rights related to individuals’ information.
• Compliance and Enforcement. Refers to the requirement for Covered Entities and Business Associates to comply as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009.
• “More stringent”. Refers to the fact that HIPAA supersedes state legislation unless state privacy protections are more stringent than HIPAA. Examples of areas with more stringent laws include:
  • Mental Health
  • HIV Protection
  • Substance Abuse
13. The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well.
• Part of the Affordable Care Act which was signed in 2009
• 22 billion dollars allocated to the promotion of EHRs
• Mandatory penalties imposed for "willful neglect"
• Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million
• HIPAA's civil and criminal penalties now extend to business associates
• Allows state attorneys general to bring legal action on behalf of their residents
• HHS required to conduct periodic audits of covered entities and business associates
14. HITECH Act: Business Associate Requirements
• Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity;
• Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule;
• Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule;
• Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS");
• Notify Covered Entities of any breach of “unsecured PHI”.
15. Omnibus Rule
• Broadens the definition of Business Associate
  • Person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involves Individually Identifiable Health Information
• Applies to subcontractors irrespective of how far downstream the subcontractor is
• Clarifies which requirements and liabilities pertain to business associates
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules
16. Translation of Rule to Business Associates
• Entity is liable for the acts or omissions of its Subcontractor
  • The reach of this designation will apply to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity.
• Entity can be penalized for its agent’s violations
  • Knowledge of a breach or other violation will be imputed to the principal
  • Federal common law of Agency will govern whether an agency relationship exists between the parties - regardless of what the contract actually says
17. Sample of Responsibilities
• BAs must comply with the HIPAA Security Rule’s requirements and implement policies and procedures in the same manner as a Covered Entity
• Requires BAs to implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (most BA Agreements require this by contract)
• Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the definition of a Business Associate
• Obtain assurances from subcontractors or terminate the relationship
• BAs must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling
• BAs must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations and guidance
• Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis
18. Examples of Business Associates
• IT Support Vendor
• Email encryption Provider
• File sharing vendors
• Information Technology vendors
• Cloud vendors
• Backup Storage
• Medical equipment service companies handling equipment that holds PHI
• Billing Companies
• Translator services
• Dictation services
• Lawyers
• Shredding services
• Accounting or consulting firms
• Consultants hired to conduct audits, perform coding reviews, etc.
19. Security Risk Analysis (SRA)
• Information security risk assessment is an ongoing process of discovering, correcting and preventing security problems.
“Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii))”
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
21. FAQs
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).
https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business-associates-self-certify/index.html
22. Summary
• Places all of the Security Rule burdens of HIPAA on Business Associates and some of the Privacy Rule burdens as well.
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
• Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
23. Questions or Additional Information
Taino Consultants Inc.
DrDelgado@TainoConsultants.com
Mr. Ray Walters
Walters.R@epicompliance.com