HIPAA for Subcontractors and Business Associates
Dr. Jose I. Delgado
HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 Million Individuals
• CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
• OCR's investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis and failures to implement information system activity review, security incident procedures, and access controls.
https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf (PDF)
$750,000 settlement highlights the need for HIPAA business associate agreements
• Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement before turning PHI over to a potential business partner.
• The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html
"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."
Business Associate's Failure to Safeguard Nursing Home Residents' PHI Leads to $650,000 HIPAA Settlement
• Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device.
• CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
"Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities," said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. "This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."
https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf
What is HIPAA?
HIPAA is a federal law that:
• Provides Portability: protects and guarantees health insurance coverage when an employee changes jobs
• Provides Accountability: protects health data integrity, confidentiality, and availability
• Sets national standards for electronic data transmission transactions (eligibility, claims, payment, and others) and for identifiers
  • Standard medical code sets (e.g., ICD-9, CPT-4, ICD-10)
• Sets national standards for the protection of health information
  • Privacy (operational, consumer control, administration)
  • Security (administrative, physical, technical, network)
HIPAA: Health Insurance Portability and Accountability Act of 1996
• Title I: Health Care Access, Portability and Renewability
• Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
  • Electronic Data Interchange: Transactions, Identifiers, Code Sets
  • Privacy
  • Security
    • Security Standards: General Rules
    • Administrative Standards
    • Technical Standards
    • Physical Standards
    • Organizational Requirements
    • Policies and Procedures and Documentation Requirements
• Title III: Tax Related Health Provisions
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets
HIPAA Specifics
• Title I, "Health care access, portability and renewability": employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions.
• Title II, "Preventing health care fraud and abuse; administrative simplification; medical liability reform": defines new requirements for the privacy and security of individually identifiable patient information.
  • Electronic health transaction standards and code sets: a national standard for transmitting health data electronically, using standard code sets to describe diseases, injuries and other health problems.
  • Unique identifiers: a system that uses one identification number per employer, health plan or payer, and health care provider to simplify administration.
  • Security: safeguarding the storage of, access to, and transmission of electronic patient information.
  • Privacy: generally limiting the use or disclosure of protected health information to the minimum necessary. It also gives patients the right to see and obtain copies of their records, to request amendments to their records, and to learn the details of certain disclosures of their records.
• Title III, "Tax-related health provisions": standardizes the amount that can be saved per person in a pre-tax medical savings account.
• Title IV, "Application and enforcement of group health plan requirements": broadens the insurance reform provisions and provides detailed explanations of them.
• Title V, "Revenue offsets": regulates how employers can deduct company-owned life insurance premiums for income tax purposes.
Title II
• Administrative Simplification
  • Electronic Data Interchange
  • Privacy
  • Security
    • Administrative Safeguards
    • Physical Safeguards
    • Technical Safeguards
• Preventing Health Care Fraud and Abuse
• Medical Liability Reform
HIPAA Intersections
There are several similarities between Privacy and Security:
Privacy | Security
Security Awareness & Training | Security Awareness & Training
Business Associate Contracts | Business Associate Contracts
Privacy Officers for All Entities | Security Liaisons for All Entities
Multi-disciplinary Work Groups | Multi-disciplinary Work Groups
Privacy vs Security
• Privacy: protects the rights of individuals and their information in any medium.
• Security: protects electronic information. Specifies standards that must be met in three basic areas:
  • Administrative
  • Physical
  • Technical
Key Elements
• Covered Entity. A health care provider, health plan and/or health care clearinghouse that transmits health information in electronic form in connection with a transaction covered under HIPAA.
• Health Information. Any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual.
• Protected Health Information (PHI). Individually identifiable health information related to the provision of care to an individual.
• Electronic Protected Health Information (ePHI). PHI that is transmitted, maintained or stored in electronic media.
• Business Associate. An individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or of another Business Associate.
Key Concepts
• Uses and Disclosures. The permitted uses of PHI and the conditions under which disclosures must be authorized.
• Individual Rights. Specific, legally enforceable rights that individuals have over their information.
• Compliance and Enforcement. Covered Entities were required to comply with the Security Rule as of April 20, 2005; Business Associates became directly subject to it under the HITECH Act. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009.
• "More stringent". HIPAA preempts contrary state law unless the state's privacy protections are more stringent than HIPAA's. Areas where state laws are commonly more stringent include:
  • Mental health
  • HIV protection
  • Substance abuse
The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Places all of the Security Rule burdens of HIPAA on Business Associates, and some of the Privacy Rule burdens as well.
• Enacted as part of the American Recovery and Reinvestment Act (ARRA), signed in 2009.
• $22 billion allocated to the promotion of electronic health records (EHRs).
• Mandatory penalties imposed for "willful neglect".
• Civil penalties for willful neglect increased: up to $250,000 per year for corrected violations, and up to $1.5 million per year for repeat or uncorrected violations.
• HIPAA's civil and criminal penalties now extend directly to business associates.
• Allows state attorneys general to bring civil actions on behalf of their residents.
• HHS is required to conduct periodic audits of covered entities and business associates.
HITECH Act: Business Associate Requirements
• Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity;
• Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule;
• Comply with the restrictions on the use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule;
• Follow the restrictions on marketing communications and submit to mandatory compliance audits by the Department of Health and Human Services (HHS);
• Notify Covered Entities of any breach of "unsecured PHI".
Omnibus Rule
• Broadens the definition of Business Associate
  • Any person or entity that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity where the service involves individually identifiable health information
• Applies to subcontractors irrespective of how far downstream the subcontractor is
• Clarifies which requirements and liabilities pertain to business associates
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules
Translation of the Rule to Business Associates
• An entity is liable for the acts or omissions of its subcontractors
  • This designation applies to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity.
• An entity can be penalized for its agent's violations
  • Knowledge of a breach or other violation will be imputed to the principal
  • The federal common law of agency governs whether an agency relationship exists between the parties, regardless of what the contract actually says
Sample of Responsibilities
• BAs must comply with the HIPAA Security Rule's requirements and implement policies and procedures in the same manner as a Covered Entity
• BAs must implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (most BA Agreements also require this by contract)
• Sign a Business Associate Agreement with all Covered Entities, and with all subcontractors that meet the definition of a Business Associate
• Obtain satisfactory assurances from subcontractors, or terminate the relationship
• BAs must also implement breach notification policies and procedures, workforce training, and the associated documentation of incident handling
• BAs must conduct a risk assessment and be proactive and diligent in monitoring new rules, regulations and guidance
• Develop a security management plan based on the findings of the HIPAA Security Risk Analysis
Examples of Business Associates
• IT support vendors
• Email encryption providers
• File sharing vendors
• Information technology vendors
• Cloud vendors
• Backup storage
• Medical equipment service companies handling equipment that holds PHI
• Billing companies
• Translator services
• Dictation services
• Lawyers
• Shredding services
• Accounting or consulting firms
• Consultants hired to conduct audits, perform coding reviews, etc.
Security Risk Analysis (SRA)
• Information security risk assessment is an ongoing process of discovering, correcting and preventing security problems.
"Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional 'reasonable and appropriate' steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii))."
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf
Security Risk Analysis (sample topics)
• Administration
  • Agreements
  • Policies
  • Job descriptions
  • Training
• Physical
  • Access
  • Disaster preparedness
• Technical
  • Inventory of resources
  • Security (firewalls, patches, antimalware)
FAQs
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).
https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business-associates-self-certify/index.html
Summary
• Places all of the Security Rule burdens of HIPAA on Business Associates, and some of the Privacy Rule burdens as well.
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
• Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.
Questions or Additional Information
Taino Consultants Inc.
DrDelgado@TainoConsultants.com
Mr. Ray Walters
Walters.R@epicompliance.com
References
• https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
• http://searchsecurity.techtarget.com/definition/business-associate
• https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
• https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
• https://www.imagineiti.com/hipaa-compliance/business-associates/
• https://www.cdc.gov/phlp/publications/topic/hipaa.html
💚 Punjabi Call Girls In Chandigarh 💯Lucky 🔝8868886958🔝Call Girl In Chandigarh
 
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetHubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Hubli Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
Premium Call Girls Bangalore {7304373326} ❤️VVIP POOJA Call Girls in Bangalor...
 
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetkochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
kochi Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Thrissur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thrissur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetThrissur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Thrissur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetnagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
nagpur Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
❤️Call girls in Jalandhar ☎️9876848877☎️ Call Girl service in Jalandhar☎️ Jal...
❤️Call girls in Jalandhar ☎️9876848877☎️ Call Girl service in Jalandhar☎️ Jal...❤️Call girls in Jalandhar ☎️9876848877☎️ Call Girl service in Jalandhar☎️ Jal...
❤️Call girls in Jalandhar ☎️9876848877☎️ Call Girl service in Jalandhar☎️ Jal...
 
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetbhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
bhopal Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetBihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Bihar Sharif Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Vip Call Girls Makarba 👙 6367187148 👙 Genuine WhatsApp Number for Real Meet
Vip Call Girls Makarba 👙 6367187148 👙 Genuine WhatsApp Number for Real MeetVip Call Girls Makarba 👙 6367187148 👙 Genuine WhatsApp Number for Real Meet
Vip Call Girls Makarba 👙 6367187148 👙 Genuine WhatsApp Number for Real Meet
 
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetraisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
raisen Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024Top 20 Famous Indian Female Pornstars Name List 2024
Top 20 Famous Indian Female Pornstars Name List 2024
 
dhanbad Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
dhanbad Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetdhanbad Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
dhanbad Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...Call Girls Service In Goa  💋 9316020077💋 Goa Call Girls  By Russian Call Girl...
Call Girls Service In Goa 💋 9316020077💋 Goa Call Girls By Russian Call Girl...
 
Krishnagiri call girls Tamil Actress sex service 7877702510
Krishnagiri call girls Tamil Actress sex service 7877702510Krishnagiri call girls Tamil Actress sex service 7877702510
Krishnagiri call girls Tamil Actress sex service 7877702510
 
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meetneemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
neemuch Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real MeetMathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
Mathura Call Girls 👙 6297143586 👙 Genuine WhatsApp Number for Real Meet
 

HIPAA for Business Associates (transcript)

2. HIPAA Business Associate Pays $2.3 Million to Settle Breach Affecting Protected Health Information of Over 6 million Individuals
• CHSPSC provides a variety of business associate services, including IT and health information management, to hospitals and physician clinics indirectly owned by Community Health Systems, Inc., in Franklin, Tennessee.
• OCR's investigation found longstanding, systemic noncompliance with the HIPAA Security Rule, including failure to conduct a risk analysis, and failures to implement information system activity review, security incident procedures, and access controls.
https://www.hhs.gov/sites/default/files/chspsc-ra-cap.pdf (PDF)

3. $750,000 settlement highlights the need for HIPAA business associate agreements
• Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) failed to execute a business associate agreement prior to turning PHI over to a potential business partner.
• The settlement includes a monetary payment of $750,000 and a robust corrective action plan.
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/raleigh-orthopaedic-clinic/index.html
"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

4. Business Associate's Failure to Safeguard Nursing Home Residents' PHI Leads to $650,000 HIPAA Settlement
• Catholic Health Care Services (CHCS) has agreed to settle potential HIPAA violations after the theft of a CHCS mobile device.
• CHCS provided management and information technology services as a business associate to six skilled nursing facilities.
"Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities," said U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels. "This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."
https://www.hhs.gov/sites/default/files/chcs-racap-final.pdf

5. What is HIPAA?
HIPAA is a federal law that:
• Provides portability: protects and guarantees health insurance coverage when an employee changes jobs
• Provides accountability: protects health data integrity, confidentiality, and availability
• Sets national standards for electronic data transmission transactions (eligibility, claims, payment, and others) and identifiers
  • Standard medical codes (e.g., ICD-9, CPT-4, ICD-10)
• Sets national standards for the protection of health information
  • Privacy (operational, consumer control, administration)
  • Security (administrative, physical, technical, network)

6. HIPAA: Health Insurance Portability and Accountability Act of 1996 (structure)
• Title I: Health Care Access, Portability and Renewability
• Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
  • Administrative Simplification covers Electronic Data Interchange (Transactions, Identifiers, Code Sets), Privacy, and Security
  • Security comprises: Security Standards: General Rules; Administrative Standards; Technical Standards; Physical Standards; Organizational Requirements; Policies and Procedures and Documentation Requirements
• Title III: Tax Related Health Provision
• Title IV: Group Health Plan Requirements
• Title V: Revenue Offsets

7. HIPAA Specifics
• Title One: "Health care access, portability and renewability." Employers and health plans must allow a new employee's medical insurance coverage to remain continuous without regard to pre-existing conditions.
• Title Two: "Preventing health care fraud and abuse; administrative simplification; medical liability reform." Defines new requirements for privacy and security of individually identifiable patient information.
  • Electronic health transaction standards and code sets: the implementation of a national standard for transmitting health data electronically and using standard code sets to describe diseases, injuries and other health problems
  • Unique identifiers: a system that uses one identification number per employer, health plan or payer, and health care provider to simplify administration
  • Security: safeguarding the storage of, access to, and transmission of electronic patient information
  • Privacy: generally limiting the use or disclosure of protected health information to a minimum necessary standard. It also gives patients the right to see and get copies of their records, request amendments to their records, and learn details of certain disclosures of their records.
• Title Three: "Tax-related health provisions." Standardizes the amount you can save per person in a pre-tax medical savings account.
• Title Four: "Application and enforcement of group health plan requirements." Broadens information on insurance reform provisions and provides detailed explanations.
• Title Five: "Revenue offsets." Regulations on how employers can deduct company-owned life insurance premiums for income tax purposes.

8. Title II (structure)
• Administrative Simplification
  • Electronic Data Interchange
  • Privacy
  • Security: Administrative Safeguards, Physical Safeguards, Technical Safeguards
• Preventing Health Care Fraud and Abuse
• Medical Liability Reform

9. HIPAA Intersections
There are several similarities between Privacy and Security (Privacy vs. Security):
• Security Awareness & Training (Privacy) vs. Security Awareness & Training (Security)
• Business Associate Contracts (Privacy) vs. Business Associate Contracts (Security)
• Privacy Officers for All Entities (Privacy) vs. Security Liaisons for All Entities (Security)
• Multi-disciplinary Work Groups (Privacy) vs. Multi-disciplinary Work Groups (Security)

10. Privacy vs. Security
• Privacy: protects the rights of individuals and their information in any medium.
• Security: protects electronic information. Specifies standards that must be met in three basic areas:
  • Administrative
  • Physical
  • Technical

11. Key Elements
• Covered Entity: a health care provider, health plan and/or health care clearinghouse that transmits health information in electronic format in connection with a transaction covered under HIPAA.
• Health information: any information, oral or recorded, that is created or received by a Covered Entity and relates to the provision of health care to an individual.
• Protected Health Information (PHI): individually identifiable health information related to the provision of care to an individual.
• Electronic Protected Health Information (ePHI): PHI that is transmitted, maintained or stored in electronic media.
• Business Associate: an individual or organization that creates, receives, maintains, stores or transmits PHI or ePHI on behalf of a Covered Entity or Business Associate.

12. Key Concepts
• Uses and Disclosures: the appropriate uses of PHI and the conditions under which disclosures may be authorized.
• Individual Rights: specific legal and enforceable rights related to individuals' information.
• Compliance and Enforcement: the requirement for Covered Entities and Business Associates to comply as of April 20, 2005. The Office for Civil Rights (OCR) became responsible for enforcing the Security Rule as of July 27, 2009.
• "More stringent": HIPAA supersedes state legislation unless the state's privacy protections are more stringent than HIPAA. Examples of areas covered by more stringent state laws:
  • Mental Health
  • HIV Protection
  • Substance Abuse

13. The Health Information Technology for Economic and Clinical Health Act (HITECH Act)
• Places all of the Security Rule burdens of HIPAA on Business Associates, and some of the Privacy Rule burdens as well.
• Part of the Affordable Care Act, which was signed in 2009
• 22 billion dollars allocated to the promotion of EHRs
• Mandatory penalties imposed for "willful neglect"
• Civil penalties for willful neglect increased to $250,000, with repeat/uncorrected violations extending up to $1.5 million
• HIPAA's civil and criminal penalties now extend to business associates
• Allows state attorneys general to bring legal action on behalf of their residents
• HHS required to conduct periodic audits of covered entities and business associates

14. HITECH Act Business Associate Requirements
• Comply with the administrative, physical, and technical safeguards for electronic PHI under the HIPAA Security Rule in the same manner as a Covered Entity;
• Develop and establish a written data security program for electronic PHI that complies with the HIPAA Security Rule;
• Comply with the restrictions on use and disclosure of PHI contained in Section 164.504(e) of the HIPAA Privacy Rule;
• Follow restrictions on marketing communications and mandatory compliance audits by the Department of Health and Human Services ("HHS");
• Notify Covered Entities of any breach of "unsecured PHI".

15. Omnibus Rule
• Broadens the definition of Business Associate
  • A person or entity who creates, receives, maintains, stores or transmits PHI or ePHI on behalf of, or provides services to, a Covered Entity that involve Individually Identifiable Health Information
• Applies to subcontractors irrespective of how far downstream the subcontractor is
• Clarifies which requirements and liabilities pertain to business associates
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules

16. Translation of the Rule to Business Associates
• An entity is liable for the acts or omissions of its subcontractor
• The reach of this designation applies to subcontractors irrespective of how far downstream the subcontractor is, contractually, from the covered entity
• An entity can be penalized for its agent's violations
• Knowledge of a breach or other violation will be imputed to the principal
• The federal common law of agency governs whether an agency relationship exists between the parties, regardless of what the contract actually says

17. Sample of Responsibilities
• BAs must comply with the HIPAA Security Rule's requirements and implement policies and procedures in the same manner as a Covered Entity
• BAs must implement administrative, physical, and technical safeguards in compliance with the HIPAA Security Rule (most BA Agreements require this by contract)
• Sign a Business Associate Agreement with all Covered Entities and subcontractors that meet the definition of a Business Associate
• Obtain assurances from subcontractors or terminate the relationship
• BAs must also implement Breach Notification Policies and Procedures, Workforce Training, and associated documentation of Incident Handling
• BAs must conduct a risk assessment and be more proactive and diligent in monitoring new rules, regulations and guidance
• Develop a Security Management Plan based on the findings of the HIPAA Security Risk Analysis

18. Examples of Business Associates
• IT support vendors
• Email encryption providers
• File sharing vendors
• Information technology vendors
• Cloud vendors
• Backup storage
• Medical equipment service companies handling equipment that holds PHI
• Billing companies
• Translator services
• Dictation services
• Lawyers
• Shredding services
• Accounting or consulting firms
• Consultants hired to conduct audits, perform coding reviews, etc.

19. Security Risk Analysis (SRA)
• Information security risk assessment is an ongoing process of discovering, correcting and preventing security problems.
"Under the HIPAA Security Rule, you are required to conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity or business associate. Once you have completed the risk analysis, you must take any additional 'reasonable and appropriate' steps to reduce identified risks to reasonable and appropriate levels. (45 CFR 164.308(a)(1)(ii))."
https://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Downloads/2016_SecurityRiskAnalysis.pdf

20. Security Risk Analysis (sample topics)
• Administration
  • Agreements
  • Policies
  • Job Descriptions
  • Training
• Physical
  • Assess
  • Disaster Preparedness
• Technical
  • Inventory of resources
  • Security (firewalls, patches, antimalware)

21. FAQs
Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?
Answer: No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).
https://www.hhs.gov/hipaa/for-professionals/faq/237/can-business-associates-self-certify/index.html

22. Summary
• HITECH places all of the Security Rule burdens of HIPAA on Business Associates, and some of the Privacy Rule burdens as well.
• Business Associates can be subject to civil or criminal penalties for violations of the Privacy, Security, or Breach Notification Rules.
• Covered Entities must have a signed Business Associate Agreement (BAA) with any Business Associate (BA) they hire that may come in contact with PHI.

23. Questions or Additional Information
Taino Consultants Inc.
DrDelgado@TainoConsultants.com
Mr. Ray Walters
Walters.R@epicompliance.com

24. References
• https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
• http://searchsecurity.techtarget.com/definition/business-associate
• https://www.mwe.com/en/thought-leadership/publications/2013/02/new-hipaa-regulations-affect-business-associates
• https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
• https://www.imagineiti.com/hipaa-compliance/business-associates/
• https://www.cdc.gov/phlp/publications/topic/hipaa.html